Skip to content

fix: add set -eo pipefail to all bash steps in pipeline templates and generated steps #494

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
Copilot wants to merge 1 commit into from
Closed

fix: add set -eo pipefail to all bash steps in pipeline templates and generated steps #494

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions src/compile/common.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1113,6 +1113,7 @@ pub fn generate_integrity_check(skip: bool) -> String {

// Indentation is handled by replace_with_indent at the call site.
r#"- bash: |
set -eo pipefail
AGENTIC_PIPELINES_PATH="$(Pipeline.Workspace)/agentic-pipeline-compiler/ado-aw"
chmod +x "$AGENTIC_PIPELINES_PATH"
$AGENTIC_PIPELINES_PATH check "{{ pipeline_path }}"
Expand Down Expand Up @@ -1147,6 +1148,7 @@ pub fn generate_debug_pipeline_replacements(debug: bool) -> Vec<(String, String)
# step, a broken backend (e.g., npx timeout) only surfaces as a silent
# missing-tool error during the agent run.
- bash: |
set -eo pipefail
echo "=== Probing MCP backends ==="
PROBE_FAILED=false
for server in $(jq -r '.mcpServers | keys[]' /tmp/awf-tools/mcp-config.json); do
Expand Down Expand Up @@ -2302,6 +2304,7 @@ pub fn generate_awf_path_step(awf_paths: &[String]) -> String {
format!(
"\
- bash: |
set -eo pipefail
AWF_PATH_FILE=\"/tmp/awf-tools/ado-path-entries\"
cat > \"$AWF_PATH_FILE\" << AWF_PATH_EOF
{path_lines}
Expand Down
1 change: 1 addition & 0 deletions src/compile/extensions/mod.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -732,6 +732,7 @@ pub fn wrap_prompt_append(content: &str, display_name: &str) -> Result<String> {

Ok(format!(
r#"- bash: |
set -eo pipefail
cat >> "/tmp/awf-tools/agent-prompt.md" << '{delimiter}'
{indented_content}
{delimiter}
Expand Down
1 change: 1 addition & 0 deletions src/compile/extensions/trigger_filters.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -101,6 +101,7 @@ impl CompilerExtension for TriggerFiltersExtension {
let mut steps = Vec::new();
steps.push(format!(
r#"- bash: |
set -eo pipefail
mkdir -p /tmp/ado-aw-scripts
curl -fsSL "{RELEASE_BASE_URL}/v{version}/checksums.txt" -o /tmp/ado-aw-scripts/checksums.txt
curl -fsSL "{RELEASE_BASE_URL}/v{version}/scripts.zip" -o /tmp/ado-aw-scripts/scripts.zip
Expand Down
31 changes: 26 additions & 5 deletions src/data/1es-base.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,7 @@ extends:
{{ engine_install_steps }}

- bash: |
set -eo pipefail
COMPILER_VERSION="{{ compiler_version }}"
DOWNLOAD_DIR="$(Pipeline.Workspace)/agentic-pipeline-compiler"
DOWNLOAD_URL="https://github.com/githubnext/ado-aw/releases/download/v${COMPILER_VERSION}/ado-aw-linux-x64"
Expand All @@ -79,6 +80,7 @@ extends:
{{ integrity_check }}

- bash: |
set -eo pipefail
mkdir -p "$(Agent.TempDirectory)/staging"

# Generate MCPG API key early so it's available as an ADO secret variable
Expand Down Expand Up @@ -106,6 +108,7 @@ extends:
displayName: "Prepare MCPG config"

- bash: |
set -eo pipefail
mkdir -p /tmp/awf-tools/staging

echo "HOME: $HOME"
Expand All @@ -128,6 +131,7 @@ extends:
displayName: "Prepare tooling"

- bash: |
set -eo pipefail
# Write agent instructions to /tmp so it's accessible inside AWF container
cat > "/tmp/awf-tools/agent-prompt.md" << 'AGENT_PROMPT_EOF'
{{ agent_content }}
Expand Down Expand Up @@ -180,6 +184,7 @@ extends:

# Start SafeOutputs HTTP server on host (MCPG proxies to it)
- bash: |
set -eo pipefail
SAFE_OUTPUTS_PORT=8100
SAFE_OUTPUTS_API_KEY=$(openssl rand -base64 45 | tr -d '/+=')
echo "##vso[task.setvariable variable=SAFE_OUTPUTS_PORT]$SAFE_OUTPUTS_PORT"
Expand Down Expand Up @@ -220,6 +225,7 @@ extends:

# Start MCP Gateway (MCPG) on host
- bash: |
set -eo pipefail
# Substitute runtime values into MCPG config
MCPG_CONFIG=$(cat /tmp/awf-tools/staging/mcpg-config.json \
| sed "s|\${SAFE_OUTPUTS_PORT}|$(SAFE_OUTPUTS_PORT)|g" \
Expand Down Expand Up @@ -323,7 +329,7 @@ extends:

# Network isolation via AWF (Agentic Workflow Firewall)
- bash: |
set -o pipefail
set -eo pipefail

AGENT_OUTPUT_FILE="$(Agent.TempDirectory)/staging/logs/agent-output.txt"
mkdir -p "$(Agent.TempDirectory)/staging/logs"
Expand Down Expand Up @@ -368,6 +374,7 @@ extends:
{{ engine_env }}

- bash: |
set -eo pipefail
# Copy safe outputs from /tmp back to staging for artifact publish
mkdir -p "$(Agent.TempDirectory)/staging"
cp -r /tmp/awf-tools/staging/* "$(Agent.TempDirectory)/staging/" 2>/dev/null || true
Expand All @@ -377,6 +384,7 @@ extends:
condition: always()

- bash: |
set -eo pipefail
# Stop MCPG container
echo "Stopping MCPG..."
docker stop mcpg 2>/dev/null || true
Expand All @@ -394,6 +402,7 @@ extends:
{{ finalize_steps }}

- bash: |
set -eo pipefail
# Copy all logs to output directory for artifact upload
mkdir -p "$(Agent.TempDirectory)/staging/logs"
if [ -d "{{ engine_log_dir }}" ]; then
Expand Down Expand Up @@ -433,6 +442,7 @@ extends:
{{ engine_install_steps }}

- bash: |
set -eo pipefail
COMPILER_VERSION="{{ compiler_version }}"
DOWNLOAD_DIR="$(Pipeline.Workspace)/agentic-pipeline-compiler"
DOWNLOAD_URL="https://github.com/githubnext/ado-aw/releases/download/v${COMPILER_VERSION}/ado-aw-linux-x64"
Expand Down Expand Up @@ -487,11 +497,13 @@ extends:
displayName: "Pre-pull AWF container images (v{{ firewall_version }})"

- bash: |
set -eo pipefail
mkdir -p {{ working_directory }}/safe_outputs
cp -a "$(Pipeline.Workspace)/agent_outputs_$(Build.BuildId)/." {{ working_directory }}/safe_outputs
displayName: "Prepare safe outputs for analysis"

- bash: |
set -eo pipefail
# Write threat analysis prompt to /tmp (accessible inside AWF container)
cat > "/tmp/awf-tools/threat-analysis-prompt.md" << 'THREAT_ANALYSIS_EOF'
{{ threat_analysis_prompt }}
Expand All @@ -502,12 +514,13 @@ extends:
displayName: "Prepare threat analysis prompt"

- bash: |
set -eo pipefail
AGENTIC_PIPELINES_PATH="$(Pipeline.Workspace)/agentic-pipeline-compiler/ado-aw"
chmod +x "$AGENTIC_PIPELINES_PATH"
displayName: "Setup agentic pipeline compiler"

- bash: |
set -o pipefail
set -eo pipefail

# Run threat analysis with AWF network isolation
THREAT_OUTPUT_FILE="$(Agent.TempDirectory)/threat-analysis-output.txt"
Expand All @@ -534,6 +547,7 @@ extends:
GITHUB_READ_ONLY: 1

- bash: |
set -eo pipefail
# Create analyzed outputs directory with original safe outputs and analysis
mkdir -p "$(Agent.TempDirectory)/analyzed_outputs"

Expand All @@ -547,7 +561,7 @@ extends:

# Extract JSON from THREAT_DETECTION_RESULT line in threat analysis output
if [ -f "$(Agent.TempDirectory)/threat-analysis-output.txt" ]; then
RESULT_LINE=$(grep "THREAT_DETECTION_RESULT:" "$(Agent.TempDirectory)/threat-analysis-output.txt" | tail -1)
RESULT_LINE=$(grep "THREAT_DETECTION_RESULT:" "$(Agent.TempDirectory)/threat-analysis-output.txt" | tail -1 || true)
if [ -n "$RESULT_LINE" ]; then
# Extract JSON after the prefix
JSON_CONTENT=$(echo "$RESULT_LINE" | sed 's/.*THREAT_DETECTION_RESULT://')
Expand All @@ -567,6 +581,7 @@ extends:
condition: always()

- bash: |
set -eo pipefail
SAFE_TO_PROCESS="false"
JSON_FILE="$(Agent.TempDirectory)/analyzed_outputs/threat-analysis.json"

Expand Down Expand Up @@ -596,6 +611,7 @@ extends:
condition: always()

- bash: |
set -eo pipefail
# Copy all logs to analyzed outputs for artifact upload
mkdir -p "$(Agent.TempDirectory)/analyzed_outputs/logs"
if [ -d "{{ engine_log_dir }}" ]; then
Expand Down Expand Up @@ -635,6 +651,7 @@ extends:
artifact: analyzed_outputs_$(Build.BuildId)

- bash: |
set -eo pipefail
COMPILER_VERSION="{{ compiler_version }}"
DOWNLOAD_DIR="$(Pipeline.Workspace)/agentic-pipeline-compiler"
DOWNLOAD_URL="https://github.com/githubnext/ado-aw/releases/download/v${COMPILER_VERSION}/ado-aw-linux-x64"
Expand All @@ -653,18 +670,21 @@ extends:
displayName: "Download agentic pipeline compiler (v{{ compiler_version }})"

- bash: |
set -eo pipefail
ls -la "$(Pipeline.Workspace)/agentic-pipeline-compiler"
chmod +x "$(Pipeline.Workspace)/agentic-pipeline-compiler/ado-aw"
echo "##vso[task.prependpath]$(Pipeline.Workspace)/agentic-pipeline-compiler"
displayName: Add agentic compiler to path

- bash: |
set -eo pipefail
mkdir -p "$(Agent.TempDirectory)/staging"
displayName: "Prepare output directory"

- bash: |
ado-aw execute --source "{{ source_path }}" --safe-output-dir "$(Pipeline.Workspace)/analyzed_outputs_$(Build.BuildId)" --output-dir "$(Agent.TempDirectory)/staging"
EXIT_CODE=$?
set -eo pipefail
ado-aw execute --source "{{ source_path }}" --safe-output-dir "$(Pipeline.Workspace)/analyzed_outputs_$(Build.BuildId)" --output-dir "$(Agent.TempDirectory)/staging" \
&& EXIT_CODE=0 || EXIT_CODE=$?
if [ $EXIT_CODE -eq 2 ]; then
echo "##vso[task.complete result=SucceededWithIssues;]Executor completed with warnings"
exit 0
Expand All @@ -675,6 +695,7 @@ extends:
{{ executor_ado_env }}

- bash: |
set -eo pipefail
# Copy all logs to output directory for artifact upload
mkdir -p "$(Agent.TempDirectory)/staging/logs"
# Copy agent output log from analyzed_outputs for optimisation use
Expand Down
Loading