🏥 CI Failuredetection job fails with 403 forbidden downloading agent-artifacts #960
Description
Summary
The detection job in the Issue Monster workflow failed when attempting to download the agent-artifacts artifact from the preceding agent job.
Run: #22144629565
Date: 2026-02-18T14:55:47Z
Commit: c419d69
Error
##[error]Unable to download artifact(s): Failed to ListArtifacts:
Received non-retryable error: Failed request: (403) Forbidden:
Error from intermediary with HTTP status code 403 "Forbidden"
Root Cause Analysis
Artifact Download Failure:
- ❌
agent-artifacts(71KB) - 403 Forbidden from Azure Blob Storage - ✅
agent-output(476 bytes) - Downloaded successfully
Both artifacts uploaded by same job, but only the small one can be downloaded.
Cascading Impact:
- Missing file:
/tmp/gh-aw/threat-detection/aw-prompts/prompt.txt setup_threat_detection.cjsscript fails- Entire
detectionjob fails
Hypotheses
1. Azure Blob Storage Access Control
Error from "intermediary" suggests Azure storage layer is denying access:
- SAS token expiration/invalidation
- Cross-region access restrictions
- Storage account firewall rules
2. Artifact Size Threshold
- Small artifact (476B) succeeds
- Large artifact (71KB) fails
- May indicate quota, rate limiting, or policy restrictions
3. Insufficient Permissions
The detection job has permissions: {} which might be too restrictive:
detection:
runs-on: ubuntu-latest
permissions: {} # May need actions: readRecommended Actions
- Immediate: Check if this is a one-time flake or recurring pattern
- Permissions: Add
actions: readpermission todetectionjob - Monitoring: Set up alerts for artifact download failures
- Resilience: Add retry logic with exponential backoff
- Artifact optimization: Consider splitting or reducing artifact size
Related Context
This is a new failure pattern - distinct from the documented "Issue Monster Permissions" issue (#391) which relates to Copilot agent assignment via GraphQL mutations.
🏥 Investigated by CI Doctor
AI generated by CI Doctor