fix: ensure .copilot directory permissions before Copilot CLI install

[Mossaka]

Summary

• Smoke Chroot workflow has been failing since the revert: remove Squid intercept mode and all cascading fixes #541 revert with EACCES: permission denied, mkdir '/home/runner/.copilot/pkg'
• The chroot version tests run with sudo -E awf which can create /home/runner/.copilot as root. The subsequent Copilot CLI install (running as runner user) then fails to create subdirectories.
• Add mkdir -p /home/runner/.copilot && sudo chown -R runner:runner /home/runner/.copilot before the Copilot CLI install step in both the .md source and .lock.yml

Test plan

• Smoke Chroot CI passes on this PR (the Copilot CLI install step should succeed)
• All other CI checks pass (build, lint, tests unaffected)

🤖 Generated with Claude Code

/cc @copilot for review

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded.

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	82.11%	82.11%	➡️ +0.00%
Statements	82.15%	82.15%	➡️ +0.00%
Functions	81.95%	81.95%	➡️ +0.00%
Branches	75.44%	75.44%	➡️ +0.00%

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[Copilot]

Pull request overview

This PR fixes a permission issue in the Smoke Chroot workflow that arose after the revert in #541. The issue occurs when sudo -E awf --enable-chroot creates /home/runner/.copilot as root, causing the subsequent Copilot CLI installation (running as the runner user) to fail with EACCES: permission denied when trying to create subdirectories.

Changes:

• Add a step to ensure proper ownership of the .copilot directory before Copilot CLI installation
• Apply the fix in both the .md source file and the compiled .lock.yml workflow file

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
.github/workflows/smoke-chroot.md	Add permission fix step in setup job before agent job begins
.github/workflows/smoke-chroot.lock.yml	Add permission fix step in agent job before Copilot CLI install, and in detection job before Copilot CLI install

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

Deno Build Test Results

Project	Tests	Status
oak	1/1	✅ PASS
std	1/1	✅ PASS

Overall: ✅ PASS

All Deno tests passed successfully.

AI generated by Build Test Deno

[github-actions]

Smoke Test Results

Last 2 merged PRs:

• fix: bypass Squid for host.docker.internal MCP gateway traffic #543: fix: bypass Squid for host.docker.internal MCP gateway traffic
• fix: pass BUN_INSTALL to chroot to prevent Bun core dump #546: fix: pass BUN_INSTALL to chroot to prevent Bun core dump

Tests:

• ✅ GitHub MCP: Retrieved PRs successfully
• ✅ Playwright: GitHub page title verified
• ✅ File Write: Created /tmp/gh-aw/agent/smoke-test-copilot-21735300031.txt
• ✅ Bash Tool: File read confirmed

Status: PASS 🎉

cc @Mossaka @Copilot

AI generated by Smoke Copilot

[github-actions]

Node.js Build Test Results

Project	Install	Tests	Status
clsx	✅	PASS	PASS
execa	✅	PASS	PASS
p-limit	✅	PASS	PASS

Overall: PASS ✅

All Node.js projects successfully installed dependencies and passed their test suites.

AI generated by Build Test Node.js

[github-actions]

C++ Build Test Results

Project	CMake	Build	Status
fmt	✅	✅	PASS
json	✅	✅	PASS

Overall: PASS ✅

All C++ projects built successfully.

AI generated by Build Test C++

[github-actions]

Go Build Test Results

Project	Download	Tests	Status
color	✅	1/1	PASS
env	✅	1/1	PASS
uuid	✅	1/1	PASS

Overall: PASS ✅

All Go projects built and tested successfully.

AI generated by Build Test Go

[github-actions]

Smoke Test Results: PASS ✅

Last 2 Merged PRs:

• fix: pass BUN_INSTALL to chroot to prevent Bun core dump #546: fix: pass BUN_INSTALL to chroot to prevent Bun core dump
• fix: mount /etc/hosts in chroot mode for localhost resolution #545: fix: mount /etc/hosts in chroot mode for localhost resolution

Test Results:

• ✅ GitHub MCP: Retrieved recent PRs
• ✅ Playwright: Navigated to github.com, title verified
• ✅ File Write: Created test file successfully
• ✅ Bash Tool: Verified file content

Status: PASS

AI generated by Smoke Claude

[github-actions]

❌ Build Test: Java - FAILED

Status: FAILED - Missing build tools

Issue

Java and Maven build tools are not accessible in the AWF container environment:

• Java binaries from host ($JAVA_HOME) cannot execute in chroot mode
• Maven fails with: cannot execute binary file: Exec format error
• No Java/Maven packages installed in container itself

Test Status

Project	Compile	Tests	Status
gson	⏸️	N/A	NOT RUN
caffeine	⏸️	N/A	NOT RUN

Overall: FAILED

Root Cause

The AWF agent container is running in chroot mode but lacks Java/Maven installations. Host binaries referenced by environment variables like $JAVA_HOME cannot be executed due to library/interpreter mismatches in the containerized environment.

Resolution

The AWF agent container needs to have Java (OpenJDK 11+) and Maven pre-installed to run Java build tests. Alternative: Run build tests outside the AWF container if build tools are only needed on the host.

AI generated by Build Test Java

[github-actions]

Build Test: Bun - FAILED ❌

Error: Bun package manager is not compatible with the test environment.

Test Results

Project	Install	Tests	Status
elysia	❌	N/A	FAILED
hono	❌	N/A	FAILED

Overall: FAIL

Details

• ✅ Bun installed successfully (v1.3.8)
• ✅ Repository cloned successfully
• ❌ bun install fails with "NotDir" error in all directories
• ❌ Issue affects test projects, fresh projects, and allowed directories

Error Message

error: An internal error occurred (NotDir)

This is an environment compatibility issue, not a project configuration problem. The Bun runtime cannot execute package installation in this GitHub Actions environment.

Recommended Actions

1. Use official oven-sh/setup-bun action instead of curl installer
2. Verify system requirements (kernel version, glibc compatibility)
3. Consider testing with Docker-based Bun runtime

AI generated by Build Test Bun

[github-actions]

Chroot Version Comparison Test Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.12	Python 3.12.3	❌ NO
Node.js	v24.13.0	v20.20.0	❌ NO
Go	go1.22.12	go1.22.12	✅ YES

Overall Result: ❌ FAILED - Not all runtime versions match between host and chroot environment.

The chroot mode successfully accessed host binaries for Go, but Python and Node.js versions differ between the host and chroot container.

AI generated by Smoke Chroot

[github-actions]

Build Test: Rust - Results

Project	Build	Tests	Status
fd	✅	1/1	PASS
zoxide	✅	1/1	PASS

Overall: PASS

All Rust projects built and tested successfully.

AI generated by Build Test Rust