Skip to content

Use deterministic pre-step for re-quarantine detection to bypass DIFC filtering#66707

Merged
wtgodbe merged 8 commits into
dotnet:mainfrom
wtgodbe:wtgodbe/fix-difc-requarantine
May 17, 2026
Merged

Use deterministic pre-step for re-quarantine detection to bypass DIFC filtering#66707
wtgodbe merged 8 commits into
dotnet:mainfrom
wtgodbe:wtgodbe/fix-difc-requarantine

Conversation

@wtgodbe

@wtgodbe wtgodbe commented May 17, 2026

Copy link
Copy Markdown
Member

Summary

The quarantine workflow's MCP search_pull_requests tool applies a DIFC integrity filter that silently removes PRs authored by external contributors (author_association=CONTRIBUTOR). This caused re-quarantine PRs like #49307 to be invisible to the agent, leading to incorrect unquarantine decisions.

Changes

  • Pre-activation step: Adds a deterministic on.steps: step in the gh-aw frontmatter that runs a Python script using GITHUB_TOKEN to fetch all merged re-quarantine PRs (by label or title) and their diffs via the GitHub REST API
  • Symbol-level matching: The pre-step stores the actual added source lines containing [QuarantinedTest (not just filenames), enabling the agent to match at method/class/assembly level
  • Fail-closed behavior: If the patch is truncated by GitHub's API, the whole file is treated as re-quarantined. If the JSON file is missing or unparseable, the agent must skip all unquarantines
  • Agent instructions updated: Agent reads /tmp/requarantine-prs.json instead of using MCP search tools

Why not MCP search?

The MCP search_pull_requests tool silently filters results based on the author's association with the repository. PRs from users with CONTRIBUTOR association (external contributors who have had PRs merged) are excluded. Since the quarantine process predates the workflow, many quarantine issues and PRs were created by humans who may be external contributors. The deterministic pre-step bypasses this filter entirely.

The MCP search_pull_requests tool applies a DIFC integrity filter that
silently removes PRs authored by external contributors (e.g.,
author_association=CONTRIBUTOR). This caused PR dotnet#49307 (re-quarantine
of SetsTlsHandshakeFeatureForHttps by captainsafia) to be invisible,
leading to the test being incorrectly unquarantined repeatedly.

Switch to curl/python3 with the GitHub Search API for the re-quarantine
check only. The bash tools are not subject to DIFC filtering.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings May 17, 2026 02:51
@wtgodbe wtgodbe requested a review from a team as a code owner May 17, 2026 02:51
@github-actions github-actions Bot added the needs-area-label Used by the dotnet-issue-labeler to label those issues which couldn't be triaged automatically label May 17, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the test quarantine agent instructions so re-quarantine detection uses direct GitHub REST API calls instead of the MCP search tool, avoiding integrity-filtered search results.

Changes:

  • Adds explicit guidance to use curl/python3 for re-quarantine PR searches.
  • Provides GitHub Search API examples for label/title-based re-quarantine lookup.
  • Adds deduplication and PR file-fetching guidance for matching changed test files.
Comments suppressed due to low confidence (1)

.github/workflows/test-quarantine.md:227

  • This request only reads the first page of changed files for each PR. The pull request files endpoint is paginated, so a re-quarantine PR touching more than 100 files could hide the relevant test file on a later page and be missed. Please add pagination here as well before deciding that a PR did not re-quarantine the test.
     curl -s "https://api.github.com/repos/dotnet/aspnetcore/pulls/{PR_NUMBER}/files?per_page=100"

Comment thread .github/workflows/test-quarantine.md Outdated
Comment thread .github/workflows/test-quarantine.md Outdated
wtgodbe and others added 4 commits May 16, 2026 19:54
The agent needs to check the diff (patch field) for added lines
containing [QuarantinedTest], not just whether the file was touched.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Use GITHUB_TOKEN auth header to avoid rate limits
- Follow pagination via Link header for all searches
- If any API call fails, skip ALL unquarantine actions (fail-safe)
- Fix unclosed bracket: [QuarantinedTest -> [QuarantinedTest]
- Switch from curl to python3/urllib for consistency

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Read GITHUB_TOKEN from os.environ in python3, never pass it on the
command line where it would appear in agent logs. Removed Authorization
header from the example snippets since they're just URL references now.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Move the re-quarantine PR search into a pre-activation step that runs
with the workflow's GITHUB_TOKEN before the agent starts. This:

1. Bypasses DIFC integrity filtering (the root cause of the bug)
2. Eliminates any risk of token leakage in agent logs
3. Writes results to /tmp/requarantine-prs.json for the agent to read

The agent now just reads a JSON file instead of making API calls.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 3 comments.

Comment thread .github/workflows/test-quarantine.md
Comment thread .github/workflows/test-quarantine.md
Comment thread .github/workflows/test-quarantine.md Outdated
…n, fail-closed

- Store added_lines (not just filenames) in JSON for method/class/assembly matching
- Match [QuarantinedTest (without closing bracket) to catch parameterized forms
- Handle truncated patches by failing closed (treat whole file as re-quarantined)
- Add fail-closed instruction: if JSON is missing/unparseable, skip all unquarantines

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@wtgodbe wtgodbe changed the title Use curl for re-quarantine search to bypass DIFC integrity filter Use deterministic pre-step for re-quarantine detection to bypass DIFC filtering May 17, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

Comment thread .github/workflows/test-quarantine.md
Comment thread .github/workflows/test-quarantine.md
@github-actions github-actions Bot added area-infrastructure Includes: MSBuild projects/targets, build scripts, CI, Installers and shared framework and removed needs-area-label Used by the dotnet-issue-labeler to label those issues which couldn't be triaged automatically labels May 17, 2026
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@wtgodbe wtgodbe merged commit 177610a into dotnet:main May 17, 2026
10 checks passed
@dotnet-policy-service dotnet-policy-service Bot added this to the 11.0-preview5 milestone May 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area-infrastructure Includes: MSBuild projects/targets, build scripts, CI, Installers and shared framework

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants