Skip to content

fix: reinforce no-script-execution constraint in devops-health-check#845

Open
AbhitejJohn wants to merge 2 commits into
mainfrom
abhitejjohn/fix-devops-health-check-script-hallucina
Open

fix: reinforce no-script-execution constraint in devops-health-check#845
AbhitejJohn wants to merge 2 commits into
mainfrom
abhitejjohn/fix-devops-health-check-script-hallucina

Conversation

@AbhitejJohn

Copy link
Copy Markdown
Collaborator

Summary

Strengthens the prompt in the DevOps Daily Health Check workflow to explicitly tell the agent that python, python3, and node are NOT in the bash allowlist and will be blocked by the security policy.

Problem

The Copilot agent was hallucinating Python script creation (python3 -c "import json,...") to process JSON data, which was correctly blocked by the bash tool's security policy. Despite existing instructions saying "don't create scripts," the agent interpreted inline python3 -c as a command rather than a script, and retried multiple times - burning token budget.

Failed run: https://github.com/dotnet/skills/actions/runs/28311460592

Fix

Made the efficiency guideline explicitly state that script interpreters are not available, directing the agent to use jq for all JSON processing.

Note: The .lock.yml needs recompilation via gh aw compile after merge since strict:true checks the body hash.

Fixes #841

Copilot AI review requested due to automatic review settings June 29, 2026 23:21
@github-actions

Copy link
Copy Markdown
Contributor

Skill Coverage Report

Plugin Skill Covered Coverage
dotnet-msbuild extension-points 0/1 0%
dotnet-blazor author-component 0/1 0%
dotnet-blazor collect-user-input 0/4 0%
dotnet-blazor configure-auth 0/3 0%
dotnet-blazor coordinate-components 0/2 0%
dotnet-blazor fetch-and-send-data 1/5 20%
dotnet-blazor plan-ui-change 0/1 0%
dotnet-blazor support-prerendering 0/3 0%
dotnet-blazor use-js-interop 0/2 0%
⚠️ dotnet csharp-scripts 13/22 59.1%
dotnet dotnet-pinvoke 6/28 21.4%
dotnet setup-local-sdk 3/8 37.5%
dotnet-advanced `` error
Uncovered: dotnet-msbuild/extension-points
  • [CodePattern] [MSBuild] (line 184)
Uncovered: dotnet-blazor/author-component
  • [CodePattern] [Parameter] (line 31)
Uncovered: dotnet-blazor/collect-user-input
  • [CodePattern] [SupplyParameterFromForm] (line 31)
  • [CodePattern] [CascadingParameter] (line 162)
  • [CodePattern] [Required] (line 135)
  • [CodePattern] [Range] (line 135)
Uncovered: dotnet-blazor/configure-auth
  • [CodePattern] [CascadingParameter] (line 51)
  • [CodePattern] [Authorize] (line 101)
  • [CodePattern] [ExcludeFromInteractiveRouting] (line 152)
Uncovered: dotnet-blazor/coordinate-components
  • [CodePattern] readonly (line 137)
  • [CodePattern] [CascadingParameter] (line 63)
Uncovered: dotnet-blazor/fetch-and-send-data
  • [CodePattern] [Parameter] (line 159)
  • [CodePattern] [PersistentState] (line 84)
  • [CodePattern] [StreamRendering] (line 74)
  • [CodePattern] [SupplyParameterFromQuery] (line 159)
Uncovered: dotnet-blazor/plan-ui-change
  • [CodePattern] [Parameter] (line 64)
Uncovered: dotnet-blazor/support-prerendering
  • [CodePattern] [ExcludeFromInteractiveRouting] (line 148)
  • [CodePattern] [PersistentState] (line 39)
  • [CodePattern] [CascadingParameter] (line 159)
Uncovered: dotnet-blazor/use-js-interop
  • [CodePattern] readonly (line 118)
  • [CodePattern] sealed (line 118)
Uncovered: dotnet/csharp-scripts
  • [Validation] dotnet --version reports 10.0 or later (or fallback path is used) (line 274)
  • [Validation] The app compiles without errors (can be checked explicitly with dotnet build <file>.cs) (line 276)
  • [Validation] App files and cached artifacts are cleaned up after the session (line 279)
  • [Pitfall] #:package without a version (line 286)
  • [Pitfall] #:property with wrong syntax (line 287)
  • [Pitfall] Directives placed after C# code (line 288)
  • [Pitfall] Reflection-based JSON serialization fails (line 293)
  • [WorkflowStep] Step 5: Clean up (line 199)
  • [CodePattern] [MSBuild] (line 93)
Uncovered: dotnet/dotnet-pinvoke
  • [Validation] Calling convention specified if targeting Windows x86; omitted otherwise (line 416)
  • [Validation] String encoding is explicit — no reliance on defaults or CharSet.Auto (line 417)
  • [Validation] Memory ownership is documented and matched (who allocates, who frees, with what) (line 418)
  • [Validation] SafeHandle used for all native handles (no raw IntPtr escaping the interop layer) (line 419)
  • [Validation] Delegates passed as callbacks are rooted to prevent GC collection (line 420)
  • [Validation] SetLastError/SetLastPInvokeError set for APIs that use OS error codes (line 421)
  • [Validation] Struct layout matches native (packing, alignment, field order) (line 422)
  • [Validation] CLong/CULong used for C long/unsigned long in cross-platform code (line 423)
  • [Validation] If using CLong/CULong with LibraryImport, [assembly: DisableRuntimeMarshalling] is applied (line 424)
  • [Validation] No bool without explicit MarshalAs — always specify UnmanagedType.Bool (4-byte) or UnmanagedType.U1 (1-byte) to ensure normalization across the language boundary. (line 425)
  • [WorkflowStep] Step 5: Establish Memory Ownership (line 168)
  • [WorkflowStep] Step 6: Use SafeHandle for Native Handles (line 224)
  • [WorkflowStep] Step 7: Handle Errors (line 261)
  • [CodePattern] [256] (line 176)
  • [CodePattern] [LibraryImport] (line 101)
  • [CodePattern] [UnmanagedCallConv] (line 111)
  • [CodePattern] [UnmanagedFunctionPointer] (line 300)
  • [CodePattern] [MarshalAs] (line 144)
  • [CodePattern] [UnmanagedCallersOnly] (line 281)
  • [CodePattern] sealed (line 228)
  • [CodePattern] [DllImport] (line 93)
  • [CodePattern] [Out] (line 144)
Uncovered: dotnet/setup-local-sdk
  • [Pitfall] paths ignored (line 382)
  • [Pitfall] dotnet app.dll wrong runtime (line 386)
  • [CodePattern] [ordered] (line 301)
  • [CodePattern] [pscustomobject] (line 301)
  • [CodePattern] [guid] (line 104)

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the DevOps Daily Health Check agent instructions to more explicitly avoid attempts at script execution (e.g., python3 -c ...) that are blocked by the bash allowlist/security policy. It also introduces Claude marketplace/plugin-manifest changes for the dotnet-msbuild plugin.

Changes:

  • Strengthen devops-health-check guidance to state script interpreters (python/node) are not available and to use jq for JSON parsing.
  • Add plugins/dotnet-msbuild/.claude-plugin/plugin.json for Claude-specific plugin metadata.
  • Extend .claude-plugin/marketplace.json with an mcpServers definition for dotnet-msbuild.
Show a summary per file
File Description
plugins/dotnet-msbuild/.claude-plugin/plugin.json Adds a Claude plugin manifest for dotnet-msbuild (but currently uses likely-incorrect relative paths).
.github/workflows/devops-health-check.md Clarifies that python/node interpreters are not in the bash allowlist and directs JSON processing to jq.
.claude-plugin/marketplace.json Adds an mcpServers entry for dotnet-msbuild in the Claude marketplace manifest.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 3/3 changed files
  • Comments generated: 2

Comment thread plugins/dotnet-msbuild/.claude-plugin/plugin.json Outdated
Comment thread .claude-plugin/marketplace.json Outdated
@github-actions github-actions Bot added the waiting-on-author PR state label label Jun 29, 2026
The agent was hallucinating Python script creation (run_analysis2.py)
and attempting to execute it, which was correctly blocked by the bash
allowlist security policy. Strengthen the efficiency guideline to
explicitly state that python/python3/node are NOT in the bash
allowlist and will be blocked, directing the agent to use jq instead.

Fixes #841

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@AbhitejJohn AbhitejJohn force-pushed the abhitejjohn/fix-devops-health-check-script-hallucina branch from 541c543 to 04abecd Compare June 29, 2026 23:45
Copilot AI review requested due to automatic review settings June 29, 2026 23:45
@AbhitejJohn AbhitejJohn force-pushed the abhitejjohn/fix-devops-health-check-script-hallucina branch from 04abecd to 45c6faf Compare June 29, 2026 23:45

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot's findings

  • Files reviewed: 1/1 changed files
  • Comments generated: 1

Comment thread .github/workflows/devops-health-check.md Outdated
@github-actions

Copy link
Copy Markdown
Contributor

👋 @AbhitejJohn — this PR has 3 unresolved review thread(s). When you're ready, please address the feedback and push an update; the triage bot will pick up the next state automatically. (Add the no-stale label to silence further pings.)

Addresses review feedback: 'any script interpreter' was too broad since
jq/sed are technically interpreters but ARE in the allowlist.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions github-actions Bot added waiting-on-review PR state label and removed waiting-on-author PR state label labels Jun 30, 2026
@github-actions

Copy link
Copy Markdown
Contributor

✅ Evaluation passed for 2919181. cc @ViktorHofer @JanKrivanek — please review.

@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

✅ Evaluation passed for 2919181. cc @ViktorHofer @JanKrivanek — please review.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

waiting-on-review PR state label

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[aw] DevOps Daily Health Check is missing required tool

2 participants