You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
create_pull_request in the safeoutputs MCP server (running inside the agent job via MCP gateway) fails with Git's dubious ownership check when the agent has already created a feature branch and committed locally. The workflow completes with report_incomplete; labels/comments safe outputs may still apply, but no PR is opened and no branch is pushed.
This is the same failure mode reported in #39660 (observed on github/gh-aw itself). Reporting from a consumer org workflow with additional reproduction detail and documented workarounds that do not fix the agent-time failure.
Pattern: single-repo workflow — agent edits workspace, commits on <feature-branch>, then calls safeoutputs-create_pull_request
Symptom
Every create_pull_request attempt fails during branch pinning (before bundle/patch generation):
Failed to pin branch '<feature-branch>' before bundle generation:
ERR_SYSTEM: fatal: detected dubious ownership in repository at '/home/runner/work/<repo>/<repo>'
To add an exception for this directory, call:
git config --global --add safe.directory /home/runner/work/<repo>/<repo>
The agent retries multiple times, then calls report_incomplete. The safe_outputs job may succeed afterward but has nothing to push (PR intent was never recorded as a bundle). Branch content remains only on the ephemeral runner workspace.
Root cause (as understood)
actions/checkout leaves the workspace owned by the runner user (typically UID 1001 on ubuntu-latest).
The safeoutputs MCP server runs in a container (ghcr.io/github/gh-aw-node via MCP gateway) with a different UID.
Git 2.35+ rejects operations on repos whose directory owner does not match the current user, unless the path is listed in a trustedsafe.directory config.
Trusted locations for cross-user access are effectively /etc/gitconfig (system) or configs readable under the container user's home — not the runner's ~/.gitconfig written in pre-steps on the host.
The workspace is bind-mounted (${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw), but repo-local .git/config entries written by host pre-steps are not sufficient for the container's git process (still fails with dubious ownership).
Workarounds attempted (all ineffective for agent-time create_pull_request)
1. pre-agent-steps on the workflow (after checkout, before MCP gateway)
pre-agent-steps:
- name: Configure git safe.directory for safeoutputs MCPrun: | git config --global --add safe.directory '*' if [ -d .git ]; then git config --local --add safe.directory '*' git config --local --add safe.directory "$(pwd)" fi
2. jobs.safe_outputs.pre-steps (same commands after checkout)
Fixes git in the safe_outputs job host context only. That job never receives a bundle because pinning failed in the agent job.
3. Earlier attempt: jobs.agent.pre-steps
Runs before checkout — too early; removed.
None of the above prevent the safeoutputs container from hitting dubious ownership when pinning the branch.
What does work (partially)
Agent can read/write files, create branches, and commit on the host.
Other safeoutputs tools (add_labels, add_comment, report_incomplete) work via API paths that do not invoke git in the mounted workspace.
Only git operations inside the safeoutputs container against the bind-mounted repo fail.
Suggested fixes (platform)
Any of these would unblock consumer workflows that open PRs from agent-authored branches:
MCP gateway / safeoutputs container startup: write a system gitconfig (e.g. mount or create /etc/gitconfig) with safe.directory=* or the workspace path before starting the safeoutputs server process.
Forward GIT_CONFIG_SYSTEM or GIT_CONFIG_GLOBAL from the agent job environment into the safeoutputs container ( [aw] Linter Miner reported incomplete result #39660 notes these were set on the host but not forwarded).
Run safeoutputs git as the same UID as the workspace owner, or chown the workspace in a controlled pre-step visible to the container.
Document that workflow-level git config pre-steps cannot fix this, so consumers do not spend cycles on dead-end workarounds.
Impact
Any agentic workflow whose agent commits locally and relies on create_pull_request safe output is blocked on standard GitHub-hosted runners. Manual recovery is not possible after the job ends because branch content is not pushed and bundle transport never succeeds.
Related
[aw] Linter Miner reported incomplete result #39660 — same error on github/gh-aw Linter Miner workflow (create_pull_request failed 3×; agent documented GIT_CONFIG_GLOBAL / GIT_CONFIG_SYSTEM not forwarded)
Summary
create_pull_requestin the safeoutputs MCP server (running inside the agent job via MCP gateway) fails with Git's dubious ownership check when the agent has already created a feature branch and committed locally. The workflow completes withreport_incomplete; labels/comments safe outputs may still apply, but no PR is opened and no branch is pushed.This is the same failure mode reported in #39660 (observed on
github/gh-awitself). Reporting from a consumer org workflow with additional reproduction detail and documented workarounds that do not fix the agent-time failure.Environment
github/gh-aw-actions/setup@v0.80.1ghcr.io/github/gh-aw-firewall/{agent,api-proxy,squid}:0.27.4ghcr.io/github/gh-aw-mcpg:v0.3.26copilot(Copilot CLI 1.0.63)<feature-branch>, then callssafeoutputs-create_pull_requestSymptom
Every
create_pull_requestattempt fails during branch pinning (before bundle/patch generation):From
mcp-logs/safeoutputs.log:The agent retries multiple times, then calls
report_incomplete. Thesafe_outputsjob may succeed afterward but has nothing to push (PR intent was never recorded as a bundle). Branch content remains only on the ephemeral runner workspace.Root cause (as understood)
actions/checkoutleaves the workspace owned by the runner user (typically UID 1001 onubuntu-latest).ghcr.io/github/gh-aw-nodevia MCP gateway) with a different UID.safe.directoryconfig./etc/gitconfig(system) or configs readable under the container user's home — not the runner's~/.gitconfigwritten in pre-steps on the host.${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw), but repo-local.git/configentries written by host pre-steps are not sufficient for the container's git process (still fails with dubious ownership).Workarounds attempted (all ineffective for agent-time
create_pull_request)1.
pre-agent-stepson the workflow (after checkout, before MCP gateway)2.
jobs.safe_outputs.pre-steps(same commands after checkout)Fixes git in the safe_outputs job host context only. That job never receives a bundle because pinning failed in the agent job.
3. Earlier attempt:
jobs.agent.pre-stepsRuns before checkout — too early; removed.
None of the above prevent the safeoutputs container from hitting dubious ownership when pinning the branch.
What does work (partially)
add_labels,add_comment,report_incomplete) work via API paths that do not invoke git in the mounted workspace.Suggested fixes (platform)
Any of these would unblock consumer workflows that open PRs from agent-authored branches:
/etc/gitconfig) withsafe.directory=*or the workspace path before starting the safeoutputs server process.GIT_CONFIG_SYSTEMorGIT_CONFIG_GLOBALfrom the agent job environment into the safeoutputs container ( [aw] Linter Miner reported incomplete result #39660 notes these were set on the host but not forwarded).chownthe workspace in a controlled pre-step visible to the container.git configpre-steps cannot fix this, so consumers do not spend cycles on dead-end workarounds.Impact
Any agentic workflow whose agent commits locally and relies on
create_pull_requestsafe output is blocked on standard GitHub-hosted runners. Manual recovery is not possible after the job ends because branch content is not pushed and bundle transport never succeeds.Related
github/gh-awLinter Miner workflow (create_pull_requestfailed 3×; agent documentedGIT_CONFIG_GLOBAL/GIT_CONFIG_SYSTEMnot forwarded)