fix(#2143): add pre-flight GitHub API connectivity check in sandbox#2144
Conversation
Add a pre-flight connectivity check that runs inside the sandbox after bootstrap but before agent execution. The check sources the sandbox .env file and calls `gh api /rate_limit` to validate that api.github.com is reachable through the proxy. When the proxy blocks the CONNECT tunnel (HTTP 403), the check fails fast with a clear diagnostic message instead of letting the agent burn its entire timeout on doomed API calls. The check is generic — it runs for all agents, not just retro — since any agent with GH_TOKEN needs GitHub API access. The check gracefully skips when GH_TOKEN is not set or gh is not available in the sandbox, so agents that don't need GitHub API access are unaffected. New files: - internal/cli/preflight_github.go: connectivity check logic - internal/cli/preflight_github_test.go: unit tests Note: pre-commit could not run due to Go module cache permission issues in the sandbox (gitleaks hook failed to install). The post-script runs authoritative pre-commit on the runner. Closes #2143
Site previewPreview: https://a6e11ee3-site.fullsend-ai.workers.dev Commit: |
|
🤖 Finished Review · ✅ Success · Started 9:18 PM UTC · Completed 9:28 PM UTC |
ReviewFindingsMedium
Low
|
|
🤖 Finished Retro · ✅ Success · Started 2:26 PM UTC · Completed 2:31 PM UTC |
Retro: PR #2144 — Pre-flight GitHub API connectivity checkTimeline
AnalysisThe core issue is a fix agent dispatch routing bug that sent the wrong PR number in the payload. Because the fix never ran and no notification was posted on the PR, the medium-severity findings (especially the shallow tests that only check struct values without exercising Existing coverageAll improvement opportunities identified are already covered by open issues:
No new proposals filed — all identified improvements already have open tracking issues. |
Add a pre-flight connectivity check that runs inside the sandbox after bootstrap but before agent execution. The check sources the sandbox .env file and calls
gh api /rate_limitto validate that api.github.com is reachable through the proxy.When the proxy blocks the CONNECT tunnel (HTTP 403), the check fails fast with a clear diagnostic message instead of letting the agent burn its entire timeout on doomed API calls. The check is generic — it runs for all agents, not just retro — since any agent with GH_TOKEN needs GitHub API access.
The check gracefully skips when GH_TOKEN is not set or gh is not available in the sandbox, so agents that don't need GitHub API access are unaffected.
New files:
Note: pre-commit could not run due to Go module cache permission issues in the sandbox (gitleaks hook failed to install). The post-script runs authoritative pre-commit on the runner.
Closes #2143
Post-script verification
agent/2143-preflight-github-api-check)a20c44f4d3f7f21c934cbd58bd255c1cf2420d24..HEAD)