issue-arborist: `gh issue list` fails under DIFC proxy because /meta returns 403

[Evangelink]

Summary

The Fetch issues data step in workflows/issue-arborist.md uses gh issue list, which fails immediately on any GitHub Enterprise / DIFC-proxied runner because the gh CLI hits the /meta endpoint on startup and gets HTTP 403 from the proxy.

Repro

Run the unmodified workflow in a repo whose runners are behind GitHub's corporate DIFC proxy (localhost:18443 redirect for GITHUB_API_URL / GITHUB_GRAPHQL_URL, with a custom CA). The step fails on the first gh invocation:

HTTP 403: 403 Forbidden (https://localhost:18443/api/v3/meta)
##[error]Process completed with exit code 1.

Because this step runs before the MCP server starts, the rest of the job collapses with a misleading downstream symptom:

ERR_SYSTEM: rpc-messages.jsonl is present but zero bytes — MCP telemetry capture failed
(server may not have started or crashed before any RPC)

Example failed run from microsoft/testfx: https://github.com/microsoft/testfx/actions/runs/26294701799

Root cause

gh CLI always probes /meta to verify the host before any subcommand. In DIFC-proxied environments the proxy blocks /meta, so every gh command fails — regardless of whether the actual GraphQL/REST endpoint would have worked.

Suggested fix

Replace the gh issue list invocation in workflows/issue-arborist.md with a direct REST API call via curl to GITHUB_API_URL/search/issues, which doesn't trigger the /meta probe. We've been carrying this patch downstream since #8185 in microsoft/testfx and just had to re-apply it in microsoft/testfx#8507 after re-syncing to upstream.

The drop-in replacement (preserves the same JSON shape so the agent prompt is unchanged):

- name: Fetch issues data
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    GH_AW_ORIGINAL_GITHUB_API_URL: ${{ github.api_url }}
    GH_AW_GITHUB_REPOSITORY: ${{ github.repository }}
  run: |
    mkdir -p /tmp/gh-aw/issues-data

    echo "⬇ Downloading the last 100 open issues (excluding sub-issues)..."

    # Use REST API directly to avoid gh CLI /meta check blocked by DIFC proxy.
    # State is normalized to uppercase (OPEN/CLOSED) to match gh CLI GraphQL output format.
    curl -s \
      -H "Authorization: Bearer ${GITHUB_TOKEN}" \
      -H "Accept: application/vnd.github+json" \
      --get \
      --data-urlencode "q=repo:${GH_AW_GITHUB_REPOSITORY} is:issue is:open -is:sub-issue" \
      --data-urlencode "sort=created" \
      --data-urlencode "order=desc" \
      --data-urlencode "per_page=100" \
      "${GH_AW_ORIGINAL_GITHUB_API_URL}/search/issues" \
      | jq '.items // [] | map({
          number: .number,
          title: .title,
          author: {login: .user.login},
          createdAt: .created_at,
          state: (.state | ascii_upcase),
          url: .html_url,
          body: .body,
          labels: [.labels[] | {name: .name}],
          updatedAt: .updated_at,
          closedAt: .closed_at,
          milestone: (if .milestone != null then {title: .milestone.title} else null end),
          assignees: [.assignees[] | {login: .login}]
        })' \
      > /tmp/gh-aw/issues-data/issues.json \
      || echo '[]' > /tmp/gh-aw/issues-data/issues.json

    echo "✓ Issues data saved to /tmp/gh-aw/issues-data/issues.json"
    echo "Total issues fetched: $(jq 'length' /tmp/gh-aw/issues-data/issues.json)"

Scope

Any agentic workflow that shells out to gh <subcommand> for prefetch (rather than going through the MCP server) will hit this same /meta 403. issue-arborist is the one biting us today, but it'd be worth auditing the others in the same way and either swapping them to curl or routing prefetches through the MCP server.

Happy to send a PR if useful.

[lpcox]

@Evangelink which version of gh-aw caused this problem? try re-running with the latest gh-aw. A fix for handling /meta was introduced in mcpg v0.3.12 and your example appears to be using v0.3.9 (current version is v0.3.19).