Skip to content

🏥 CI Failuredetection job fails with 403 forbidden downloading agent-artifacts #960

@github-actions

Description

@github-actions

Summary

The detection job in the Issue Monster workflow failed when attempting to download the agent-artifacts artifact from the preceding agent job.

Run: #22144629565
Date: 2026-02-18T14:55:47Z
Commit: c419d69

Error

##[error]Unable to download artifact(s): Failed to ListArtifacts: 
Received non-retryable error: Failed request: (403) Forbidden: 
Error from intermediary with HTTP status code 403 "Forbidden"

Root Cause Analysis

Artifact Download Failure:

  • agent-artifacts (71KB) - 403 Forbidden from Azure Blob Storage
  • agent-output (476 bytes) - Downloaded successfully

Both artifacts uploaded by same job, but only the small one can be downloaded.

Cascading Impact:

  1. Missing file: /tmp/gh-aw/threat-detection/aw-prompts/prompt.txt
  2. setup_threat_detection.cjs script fails
  3. Entire detection job fails

Hypotheses

1. Azure Blob Storage Access Control

Error from "intermediary" suggests Azure storage layer is denying access:

  • SAS token expiration/invalidation
  • Cross-region access restrictions
  • Storage account firewall rules

2. Artifact Size Threshold

  • Small artifact (476B) succeeds
  • Large artifact (71KB) fails
  • May indicate quota, rate limiting, or policy restrictions

3. Insufficient Permissions

The detection job has permissions: {} which might be too restrictive:

detection:
  runs-on: ubuntu-latest
  permissions: {}  # May need actions: read

Recommended Actions

  1. Immediate: Check if this is a one-time flake or recurring pattern
  2. Permissions: Add actions: read permission to detection job
  3. Monitoring: Set up alerts for artifact download failures
  4. Resilience: Add retry logic with exponential backoff
  5. Artifact optimization: Consider splitting or reducing artifact size

Related Context

This is a new failure pattern - distinct from the documented "Issue Monster Permissions" issue (#391) which relates to Copilot agent assignment via GraphQL mutations.


🏥 Investigated by CI Doctor

AI generated by CI Doctor

Metadata

Metadata

Labels

bugSomething isn't workingci

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions