[awf] Docker Manager: GOROOT not propagated into agent container despite --env-all #2008

@lpcox

Problem

GOROOT is not present in the agent container environment even when actions/setup-go runs before the agent step and awf is invoked with --env-all. This breaks Go toolchain version selection inside the container.

Context

Original report: github/gh-aw#25946

GOTOOLCHAIN (set via $GITHUB_ENV) is forwarded correctly, but GOROOT (set directly in the runner's process environment by actions/setup-go) is not. The spec (§8.5) explicitly requires GOROOT to be captured.

Root Cause

In src/docker-manager.ts, the function readGitHubEnvEntries() (around line 262) reads from $GITHUB_ENV to capture env vars set by previous steps. However, actions/setup-go sets GOROOT directly in the runner's process environment (via core.exportVariable which also writes to $GITHUB_ENV), while GOTOOLCHAIN=auto is re-set by the user via echo "GOTOOLCHAIN=auto" >> $GITHUB_ENV.

The likely issue: GOROOT is being filtered out by the PROXY_ENV_VARS exclusion list or another filter in buildAgentEnv() (around line 626), OR it is in $GITHUB_ENV but the parsing of multiline/complex values in parseGitHubEnvFile() (around line 858) drops it. A secondary possibility: GOROOT is set in the process env but not in $GITHUB_ENV, and --env-all only picks up $GITHUB_ENV entries, not all process env vars.

Proposed Solution

  1. Audit buildAgentEnv() in src/docker-manager.ts: Confirm whether GOROOT appears in the collected env and, if it is being filtered, add an explicit allow-list exception for GOROOT, GOPATH, GOMODCACHE, GOCACHE.
  2. Check parseGitHubEnvFile() in src/docker-manager.ts: Ensure the file parser handles all GitHub Actions env encoding formats (heredoc delimiters like <<EOF) correctly.
  3. Explicit toolchain var capture: In readGitHubEnvEntries(), if GOROOT is missing from $GITHUB_ENV entries, fall back to reading it from process.env directly when --env-all is active (similar to how JAVA_HOME, CARGO_HOME, etc. are recovered from $GITHUB_ENV per the existing readGitHubEnvEntries logic at src/docker-manager.ts:262-358).
  4. Add a test in src/docker-manager.test.ts covering GOROOT propagation with a mock $GITHUB_ENV file.

Generated by Firewall Issue Dispatcher · ● 2.1M ·
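Steps 2 and 3 of the proposed solution, sketched as an added example (not code from src/docker-manager.ts; the function names, the delimiter and the sample paths are hypothetical): a parser for `$GITHUB_ENV` content that accepts both `NAME=value` lines and `NAME<<DELIM` heredoc blocks, plus a fallback that reads only the listed Go variables from the process environment when env-all is active.

```typescript
// Added illustration; all names are hypothetical, not the project's API.
type Env = Record<string, string | undefined>;

// Go variables named in the issue's allow-list proposal.
const TOOLCHAIN_VARS = ["GOROOT", "GOPATH", "GOMODCACHE", "GOCACHE"];

// Parse $GITHUB_ENV text: `NAME=value` lines and `NAME<<DELIM ... DELIM` blocks.
function parseEnvFileText(text: string): Record<string, string> {
  const out: Record<string, string> = {};
  const lines = text.split(/\r?\n/);
  for (let i = 0; i < lines.length; i++) {
    const line = lines[i];
    if (line === "") continue;
    const eq = line.indexOf("=");
    const hd = line.indexOf("<<");
    if (hd > 0 && (eq === -1 || hd < eq)) {
      // Heredoc form: collect lines until the delimiter appears alone on a line.
      const name = line.slice(0, hd);
      const delim = line.slice(hd + 2);
      const body: string[] = [];
      i++;
      while (i < lines.length && lines[i] !== delim) body.push(lines[i++]);
      if (i >= lines.length) break; // unterminated block: drop it rather than guess
      out[name] = body.join("\n");
    } else if (eq > 0) {
      out[line.slice(0, eq)] = line.slice(eq + 1);
    }
  }
  return out;
}

// With env-all active, fill in allow-listed variables missing from the file
// from the process environment; nothing else is copied from procEnv.
function collectToolchainEnv(fileText: string, procEnv: Env, envAll: boolean): Record<string, string> {
  const merged = parseEnvFileText(fileText);
  if (!envAll) return merged;
  for (const name of TOOLCHAIN_VARS) {
    const v = procEnv[name];
    if (merged[name] === undefined && v !== undefined && v !== "") merged[name] = v;
  }
  return merged;
}

// Constructed sample: one plain entry and one heredoc entry.
const SAMPLE_ENV_FILE = [
  "GOTOOLCHAIN=auto",
  "GOROOT<<ghadelimiter_0000",
  "/opt/hostedtoolcache/go/1.22.0/x64",
  "ghadelimiter_0000",
  "",
].join("\n");
```

A parser that only splits on `=` would skip the `GOROOT<<...` header line in this sample, which is one way the variable could be lost. Keeping the process-environment fallback on a fixed name list means unrelated runner variables are not carried into the agent container by this path.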
