Skip to content

[aw-failures] GitHub MCP Structural Analysis false-red — github MCP "failed to launch" after run completes; firewall denies awmg [Content truncated due to length] #41711

Description

@github-actions

Fix

Stop marking the run a failure on a post-completion github-MCP relaunch — in §28238231936 the agent ran all 34 turns, created the discussion, and persisted the cache, yet the job is red because ERR_API: MCP server(s) failed to launch: github fires after the work is done. This is a false-red that masks real failures.

Affected workflows & runs

Triage the recurrence — this daily workflow has failed two consecutive days after two green days, and is untracked by any open agentic-workflows issue.

Run Workflow Created (UTC) Conclusion
§28238231936 (representative) GitHub MCP Structural Analysis 2026-06-26T12:32 failure (false-red)
§28170585840 GitHub MCP Structural Analysis 2026-06-25T12:37 failure
§28098801795 (comparator) GitHub MCP Structural Analysis 2026-06-24T12:34 success

Probable root cause

Unblock the managed-gateway connection — audit-diff (base=28238231936 failed vs compare=28098801795 success) shows the only firewall delta that matters: awmg-mcpg:8080 was denied (blocked:1, status:denied) in the failed run and absent in the green run.

  • The agent used the github MCP successfully throughout the run (it sampled 9 toolsets via the HTTP MCP endpoint), so github MCP was healthy during execution.
  • The terminal failed to launch: github therefore comes from a late relaunch/health-probe of the github MCP through the managed gateway (awmg-mcpg:8080), which the firewall denied once — producing a non-zero exit and a red run despite all work succeeding.
Evidence — error tail (§28238231936) + audit-diff firewall delta
[52] ◆ Analysis complete. ... Created discussion "MCP Structural Analysis - 2026-06-26"
Statistics: Turns: 34 | Duration: 6m 2s | Tools: 31/33 succeeded | Cost: $2.5239
##[error]ERR_API: MCP server(s) failed to launch: github
audit-diff removed_domains:
  { "domain": "awmg-mcpg:8080", "run1_blocked": 1, "run1_status": "denied", "run2_blocked": 0 }
summary: has_anomalies=false  (firewall counters do not flag the single deny as an anomaly)

Proposed remediation

  1. Treat a post-completion MCP relaunch/health-probe failure as non-fatal — once the engine reports the run completed and safe-outputs succeeded, do not overwrite the conclusion with ERR_API: MCP server(s) failed to launch.
  2. Absorb a transient firewall deny of awmg-mcpg:8080 the same way [aw-failures] AWF firewall startup fails — getaddrinfo EAI_AGAIN awmg-cli-proxy, managed-gateway DNS not resolvable, agent never [Content truncated due to length] #41455 proposes absorbing the awmg-cli-proxy DNS race — retry/backoff the managed-gateway connection instead of failing the run on a single deny.
  3. Flag a single managed-gateway deny that occurs after work completion in the audit summary (currently has_anomalies=false), so this false-red is detectable.

Success criteria

  • A run where the agent completes all turns and safe-outputs succeed concludes success even if a late github-MCP relaunch is denied.
  • GitHub MCP Structural Analysis returns to green on its next scheduled cycle, or fails with a real, distinct signature.
  • audit surfaces the awmg-mcpg:8080 deny as an anomaly rather than swallowing it.

Relationship to existing issues

Linked as a sub-issue of #41455 (same managed-gateway firewall family). Distinct because: (a) here the agent runs to completion and the run is a false-red, vs #41455 where the agent is never invoked (100% lost); (b) different host/mode — firewall deny of awmg-mcpg:8080 vs DNS EAI_AGAIN on awmg-cli-proxy:18443.
Related to #41455

Generated by 🔍 [aw] Failure Investigator (6h) · 110.5 AIC · ⌖ 43.7 AIC · ⊞ 5.3K ·

  • expires on Jul 3, 2026, 5:35 AM UTC-08:00

Metadata

Metadata

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions