From e19a38e203ac83817edbbd0469b126197fa24bbd Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 27 Jan 2026 00:09:39 +0000 Subject: [PATCH 1/5] Initial plan From 13de9d85d6c620efd49e6920a0eaa6f70a02133a Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 27 Jan 2026 00:15:07 +0000 Subject: [PATCH 2/5] Start audit of /usr/bin utilities for agent container Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com> --- .github/workflows/jsweep.lock.yml | 2 +- .github/workflows/smoke-claude.lock.yml | 2 +- .github/workflows/smoke-codex.lock.yml | 2 +- .github/workflows/smoke-copilot.lock.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml index 8a95bddd92..24cf4b250c 100644 --- a/.github/workflows/jsweep.lock.yml +++ b/.github/workflows/jsweep.lock.yml 
@@ -873,7 +873,7 @@ jobs: timeout-minutes: 20 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains 
api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ -- export PATH="$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\n' ':')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 0de9ff4468..c2c927ef73 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml 
@@ -1714,7 +1714,7 @@ jobs: timeout-minutes: 10 run: | set -o pipefail - sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,mcp.tavily.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ + sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains 
'*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,go.dev,golang.org,goproxy.io,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,mcp.tavily.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkg.go.dev,playwright.download.prss.microsoft.com,ppa.launchpad.net,proxy.golang.org,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,sum.golang.org,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ -- /bin/bash -c 'NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -mindepth 1 -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && claude --print --disable-slash-commands --no-chrome --max-turns 15 --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools 
'\''Bash,BashOutput,Edit,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookEdit,NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users,mcp__playwright__browser_click,mcp__playwright__browser_close,mcp__playwright__browser_
console_messages,mcp__playwright__browser_drag,mcp__playwright__browser_evaluate,mcp__playwright__browser_file_upload,mcp__playwright__browser_fill_form,mcp__playwright__browser_handle_dialog,mcp__playwright__browser_hover,mcp__playwright__browser_install,mcp__playwright__browser_navigate,mcp__playwright__browser_navigate_back,mcp__playwright__browser_network_requests,mcp__playwright__browser_press_key,mcp__playwright__browser_resize,mcp__playwright__browser_select_option,mcp__playwright__browser_snapshot,mcp__playwright__browser_tabs,mcp__playwright__browser_take_screenshot,mcp__playwright__browser_type,mcp__playwright__browser_wait_for,mcp__tavily'\'' --debug --verbose --permission-mode bypassPermissions --output-format json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index e67afb4559..dccccd4191 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml 
@@ -1519,7 +1519,7 @@ jobs: set -o pipefail INSTRUCTION="$(cat "$GH_AW_PROMPT")" mkdir -p "$CODEX_HOME/logs" - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,mcp.tavily.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains 
'*.githubusercontent.com,api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.githubassets.com,go.dev,golang.org,goproxy.io,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,mcp.tavily.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkg.go.dev,playwright.download.prss.microsoft.com,ppa.launchpad.net,proxy.golang.org,raw.githubusercontent.com,s.symcb.com,s.symcd.com,security.ubuntu.com,sum.golang.org,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ -- NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -mindepth 1 -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && codex ${GH_AW_MODEL_AGENT_CODEX:+-c model="$GH_AW_MODEL_AGENT_CODEX" }exec --full-auto --skip-git-repo-check --sandbox danger-full-access "$INSTRUCTION" \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index a381e01b64..0cc55f39d0 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml 
@@ -1441,7 +1441,7 @@ jobs: timeout-minutes: 5 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ + sudo -E awf --env-all 
--container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,go.dev,golang.org,goproxy.io,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkg.go.dev,playwright.download.prss.microsoft.com,ppa.launchpad.net,proxy.golang.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,sum.golang.org,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ -- export PATH="$(find /opt/hostedtoolcache 
-maxdepth 4 -type d -name bin 2>/dev/null | tr '\n' ':')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: From 61e1fc108654b5bbf89f002693933069da8f5638 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 27 Jan 2026 00:20:05 +0000 Subject: [PATCH 3/5] Add specs/agent-container-utilities.md with comprehensive utility audit Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com> --- specs/agent-container-utilities.md | 381 +++++++++++++++++++++++++++++ 1 file changed, 381 insertions(+) create mode 100644 specs/agent-container-utilities.md diff --git a/specs/agent-container-utilities.md b/specs/agent-container-utilities.md new file mode 100644 index 0000000000..652a5f70cc --- /dev/null +++ b/specs/agent-container-utilities.md 
@@ -0,0 +1,381 @@ +# Agent Container Utilities Audit + +**Last Updated**: 2026-01-27 +**Related Issue**: #11970 + +This document provides a comprehensive audit of `/usr/bin` utilities used in agentic workflows, with recommendations for mounting into the agent container. + +## Overview + +The agent container currently mounts only three utilities from `/usr/bin`: +- `/usr/bin/date` - Date/time operations +- `/usr/bin/gh` - GitHub CLI +- `/usr/bin/yq` - YAML processor + +This audit identifies additional utilities commonly used in workflows and provides categorized recommendations for container mounting. + +## Methodology + +The audit analyzed: +1. **184 workflow files** in `.github/workflows/*.md` +2. **Usage frequency** of common utilities via pattern matching +3. **Lock file analysis** to identify current mounts +4. **Ubuntu runner image** available utilities (from `specs/ubuntulatest.md`) + +## Usage Frequency Analysis + +The following table shows utility usage frequency in workflow markdown files: + +| Utility | Usage Count | Category | Currently Mounted | +|---------|-------------|----------|-------------------| +| `file` | 666* | Optional | ❌ | +| `date` | 344 | Essential | ✅ | +| `jq` | 253 | Essential | ❌ | +| `find` | 172 | Common | ❌ | +| `git` | 160 | Essential | ❌ (via PATH) | +| `grep` | 155 | Essential | ❌ | +| `cat` | 147 | Essential | ❌ | +| `which` | 89 | Common | ❌ | +| `mkdir` | 66 | Common | ❌ | +| `wc` | 60 | Common | ❌ | +| `head` | 53 | Common | ❌ | +| `sort` | 45 | Common | ❌ | +| `diff` | 41 | Common | ❌ | +| `cp` | 37 | Common | ❌ | +| `curl` | 35 | Essential | ❌ | +| `ls` | 23 | Common | ❌ | +| `yq` | 17 | Essential | ✅ | +| `awk` | 15 | Common | ❌ | +| `rm` | 13 | Optional | ❌ | +| `sed` | 10 | Common | ❌ | +| `cut` | 10 | Common | ❌ | +| `chmod` | 8 | Optional | ❌ | +| `zip` | 7 | Optional | ❌ | +| `tail` | 6 | Common | ❌ | +| `mv` | 6 | Optional | ❌ | +| `stat` | 4 | Optional | ❌ | +| `tee` | 4 | Optional | ❌ | +| `ln` | 4 | Optional | ❌ 
| +| `xargs` | 3 | Optional | ❌ | +| `wget` | 3 | Optional | ❌ | +| `touch` | 3 | Optional | ❌ | +| `unzip` | 2 | Optional | ❌ | +| `base64` | 1 | Optional | ❌ | +| `tr` | 1 | Optional | ❌ | + +## Categorized Recommendations + +### Essential Utilities (Required for Most Workflows) + +These utilities are fundamental to workflow operation and should be mounted. + +#### 1. `jq` - JSON Processor +- **Path**: `/usr/bin/jq` +- **Usage**: 253 references, 231 direct command invocations +- **Purpose**: JSON parsing, transformation, and filtering +- **Security**: Low risk - processes data, no network access +- **Recommendation**: **MOUNT** - Critical for API response processing + +#### 2. `grep` - Pattern Matcher +- **Path**: `/usr/bin/grep` +- **Usage**: 155 references +- **Purpose**: Text searching and filtering +- **Security**: Low risk - read-only pattern matching +- **Recommendation**: **MOUNT** - Essential for log analysis and text processing + +#### 3. `cat` - File Concatenation +- **Path**: `/usr/bin/cat` +- **Usage**: 147 references +- **Purpose**: Reading and displaying file contents +- **Security**: Low risk - read-only file access +- **Recommendation**: **MOUNT** - Basic file reading capability + +#### 4. `curl` - HTTP Client +- **Path**: `/usr/bin/curl` +- **Usage**: 35 references +- **Purpose**: HTTP requests, API calls, file downloads +- **Security**: **Medium risk** - network access capability +- **Mitigations**: + - Already controlled by network firewall rules + - Workflows define allowed domains in `network.allowed` +- **Recommendation**: **MOUNT** - Required for API integrations + +#### 5. `find` - File Search +- **Path**: `/usr/bin/find` +- **Usage**: 172 references +- **Purpose**: Locating files by name, type, or attributes +- **Security**: Low risk - filesystem traversal only +- **Recommendation**: **MOUNT** - Essential for file discovery + +#### 6. 
`git` - Version Control +- **Path**: `/usr/bin/git` +- **Usage**: 160 references +- **Purpose**: Source control operations +- **Security**: **Medium risk** - can fetch from/push to remotes +- **Mitigations**: + - Network access controlled by firewall + - Credentials passed via environment +- **Recommendation**: **MOUNT** - Critical for code operations +- **Note**: May already be available via `/opt/hostedtoolcache` mount + +### Common Utilities (Frequently Used) + +These utilities are commonly used but workflows can function without them. + +#### 7. `which` - Command Location +- **Path**: `/usr/bin/which` +- **Usage**: 89 references +- **Purpose**: Finding executable paths +- **Security**: Low risk - PATH inspection only +- **Recommendation**: **MOUNT** - Useful for tool detection + +#### 8. `mkdir` - Directory Creation +- **Path**: `/usr/bin/mkdir` +- **Usage**: 66 references +- **Purpose**: Creating directories +- **Security**: Low risk - filesystem write (sandboxed) +- **Recommendation**: **MOUNT** - Common file operations + +#### 9. `wc` - Word Count +- **Path**: `/usr/bin/wc` +- **Usage**: 60 references +- **Purpose**: Counting lines, words, bytes +- **Security**: Low risk - read-only counting +- **Recommendation**: **MOUNT** - Useful for metrics and validation + +#### 10. `head` / `tail` - File Preview +- **Path**: `/usr/bin/head`, `/usr/bin/tail` +- **Usage**: 53 (head), 6 (tail) references +- **Purpose**: Viewing file beginning/end +- **Security**: Low risk - partial file reading +- **Recommendation**: **MOUNT** - Log and output inspection + +#### 11. `sort` - Line Sorting +- **Path**: `/usr/bin/sort` +- **Usage**: 45 references +- **Purpose**: Sorting text lines +- **Security**: Low risk - data transformation +- **Recommendation**: **MOUNT** - Data processing + +#### 12. 
`diff` - File Comparison +- **Path**: `/usr/bin/diff` +- **Usage**: 41 references +- **Purpose**: Comparing files, detecting changes +- **Security**: Low risk - read-only comparison +- **Recommendation**: **MOUNT** - Change detection + +#### 13. `cp` - File Copy +- **Path**: `/usr/bin/cp` +- **Usage**: 37 references +- **Purpose**: Copying files and directories +- **Security**: Low risk - filesystem write (sandboxed) +- **Recommendation**: **MOUNT** - File management + +#### 14. `ls` - Directory Listing +- **Path**: `/usr/bin/ls` +- **Usage**: 23 references +- **Purpose**: Listing directory contents +- **Security**: Low risk - read-only listing +- **Recommendation**: **MOUNT** - Basic filesystem inspection + +#### 15. `sed` / `awk` - Stream Editors +- **Path**: `/usr/bin/sed`, `/usr/bin/awk` +- **Usage**: 10 (sed), 15 (awk) references +- **Purpose**: Text transformation and processing +- **Security**: Low risk - data transformation +- **Recommendation**: **MOUNT** - Advanced text processing + +#### 16. `cut` - Column Extraction +- **Path**: `/usr/bin/cut` +- **Usage**: 10 references +- **Purpose**: Extracting text columns +- **Security**: Low risk - text parsing +- **Recommendation**: **MOUNT** - Data extraction + +### Optional Utilities (Specialized Use Cases) + +These utilities are used in specific workflows and can be mounted on-demand. + +#### 17. `file` - File Type Detection +- **Path**: `/usr/bin/file` +- **Usage**: 666 references* (most are variable names like `file_path`, actual command usage is minimal) +- **Purpose**: Detecting file types by content +- **Security**: Low risk - metadata inspection +- **Recommendation**: **OPTIONAL** - Specialized file analysis (low actual command usage) + +#### 18. 
`rm` - File Removal +- **Path**: `/usr/bin/rm` +- **Usage**: 13 references +- **Purpose**: Deleting files and directories +- **Security**: **Medium risk** - destructive operation +- **Mitigations**: Sandboxed to workspace directory +- **Recommendation**: **MOUNT** - Cleanup operations + +#### 19. `chmod` - Permission Modifier +- **Path**: `/usr/bin/chmod` +- **Usage**: 8 references +- **Purpose**: Changing file permissions +- **Security**: Low risk - permission changes (sandboxed) +- **Recommendation**: **OPTIONAL** - Script execution prep + +#### 20. `zip` / `unzip` - Compression +- **Path**: `/usr/bin/zip`, `/usr/bin/unzip` +- **Usage**: 7 (zip), 2 (unzip) references +- **Purpose**: Creating and extracting archives +- **Security**: Low risk - file compression +- **Recommendation**: **OPTIONAL** - Artifact handling + +#### 21. `mv` - File Move +- **Path**: `/usr/bin/mv` +- **Usage**: 6 references +- **Purpose**: Moving/renaming files +- **Security**: Low risk - filesystem reorganization (sandboxed) +- **Recommendation**: **OPTIONAL** - File management + +#### 22. `wget` - File Download +- **Path**: `/usr/bin/wget` +- **Usage**: 3 references +- **Purpose**: Downloading files from URLs +- **Security**: **Medium risk** - network access +- **Mitigations**: Network firewall rules apply +- **Recommendation**: **OPTIONAL** - curl usually preferred + +#### 23. `touch` - Timestamp Modifier +- **Path**: `/usr/bin/touch` +- **Usage**: 3 references +- **Purpose**: Creating empty files, updating timestamps +- **Security**: Low risk - minimal filesystem impact +- **Recommendation**: **OPTIONAL** - File creation + +#### 24. `xargs` - Argument Builder +- **Path**: `/usr/bin/xargs` +- **Usage**: 3 references +- **Purpose**: Building command lines from input +- **Security**: **Medium risk** - command execution +- **Recommendation**: **OPTIONAL** - Advanced scripting + +#### 25. 
`base64` - Encoding +- **Path**: `/usr/bin/base64` +- **Usage**: 1 reference +- **Purpose**: Base64 encoding/decoding +- **Security**: Low risk - data encoding +- **Recommendation**: **OPTIONAL** - Data encoding + +#### 26. `tar` - Archive Tool +- **Path**: `/usr/bin/tar` +- **Usage**: Referenced in documentation +- **Purpose**: Creating and extracting tar archives +- **Security**: Low risk - file archiving +- **Recommendation**: **OPTIONAL** - Large artifact handling + +#### 27. `tee` - Output Splitter +- **Path**: `/usr/bin/tee` +- **Usage**: 4 references +- **Purpose**: Writing to file and stdout simultaneously +- **Security**: Low risk - output duplication +- **Recommendation**: **OPTIONAL** - Logging + +#### 28. `stat` - File Status +- **Path**: `/usr/bin/stat` +- **Usage**: 4 references +- **Purpose**: Displaying file/filesystem status +- **Security**: Low risk - metadata reading +- **Recommendation**: **OPTIONAL** - File inspection + +## Security Considerations + +### Risk Categories + +| Risk Level | Description | Examples | +|------------|-------------|----------| +| **Low** | Read-only or sandboxed operations | `cat`, `grep`, `wc`, `jq` | +| **Medium** | Network access or command execution | `curl`, `wget`, `git`, `xargs` | +| **High** | System modification, privilege escalation | `sudo`, `chown`, system utilities | + +### Mitigation Strategies + +1. **Read-Only Mounts**: All `/usr/bin` mounts use `:ro` (read-only) +2. **Network Firewall**: Workflows define allowed domains, blocking unauthorized network access +3. **Workspace Sandboxing**: File operations are restricted to the workspace directory +4. 
**Environment Control**: Sensitive data passed via environment variables, not command arguments + +### Utilities NOT Recommended for Mounting + +| Utility | Reason | +|---------|--------| +| `sudo` | Privilege escalation risk | +| `chown` | Ownership manipulation | +| `mount` | Filesystem manipulation | +| `passwd` | User credential modification | +| `ssh` | Direct remote access (use gh CLI instead) | +| `nc`/`netcat` | Raw network access | +| `dd` | Low-level disk operations | + +## Implementation Recommendations + +### Immediate (Priority 1) + +Add these utilities to `copilot_engine_execution.go`: + +```go +// Essential utilities for most workflows +awfArgs = append(awfArgs, "--mount", "/usr/bin/jq:/usr/bin/jq:ro") +awfArgs = append(awfArgs, "--mount", "/usr/bin/grep:/usr/bin/grep:ro") +awfArgs = append(awfArgs, "--mount", "/usr/bin/cat:/usr/bin/cat:ro") +awfArgs = append(awfArgs, "--mount", "/usr/bin/curl:/usr/bin/curl:ro") +awfArgs = append(awfArgs, "--mount", "/usr/bin/find:/usr/bin/find:ro") +``` + +### Short Term (Priority 2) + +Add commonly used utilities: + +```go +// Common utilities for file operations +awfArgs = append(awfArgs, "--mount", "/usr/bin/which:/usr/bin/which:ro") +awfArgs = append(awfArgs, "--mount", "/usr/bin/mkdir:/usr/bin/mkdir:ro") +awfArgs = append(awfArgs, "--mount", "/usr/bin/wc:/usr/bin/wc:ro") +awfArgs = append(awfArgs, "--mount", "/usr/bin/head:/usr/bin/head:ro") +awfArgs = append(awfArgs, "--mount", "/usr/bin/tail:/usr/bin/tail:ro") +awfArgs = append(awfArgs, "--mount", "/usr/bin/sort:/usr/bin/sort:ro") +awfArgs = append(awfArgs, "--mount", "/usr/bin/diff:/usr/bin/diff:ro") +awfArgs = append(awfArgs, "--mount", "/usr/bin/cp:/usr/bin/cp:ro") +awfArgs = append(awfArgs, "--mount", "/usr/bin/ls:/usr/bin/ls:ro") +awfArgs = append(awfArgs, "--mount", "/usr/bin/sed:/usr/bin/sed:ro") +awfArgs = append(awfArgs, "--mount", "/usr/bin/cut:/usr/bin/cut:ro") +``` + +### Long Term (Priority 3) + +Consider a configuration-based approach allowing 
workflows to specify required utilities: + +```yaml +--- +engine: copilot +sandbox: + utilities: + - jq + - curl + - tar + - zip +--- +``` + +## Summary + +This audit identifies **28 utilities** commonly used in agentic workflows: +- **6 Essential**: `jq`, `grep`, `cat`, `curl`, `find`, `git` +- **10 Common**: `which`, `mkdir`, `wc`, `head`, `tail`, `sort`, `diff`, `cp`, `ls`, `sed`, `awk`, `cut` +- **12 Optional**: `file`, `rm`, `chmod`, `zip`, `unzip`, `mv`, `wget`, `touch`, `xargs`, `base64`, `tar`, `tee`, `stat` + +The current configuration (only `date`, `gh`, `yq`) is insufficient for most workflows. Adding the essential and common utilities would significantly improve workflow compatibility while maintaining security through read-only mounts and existing network controls. + +## References + +- [Ubuntu Runner Image Analysis](./ubuntulatest.md) - Available utilities on Ubuntu runner +- [Copilot Engine Execution](../pkg/workflow/copilot_engine_execution.go) - Current mount implementation +- Related Issue: #11970 + +--- + +*Note: Some usage counts include variable names and text references, not just command invocations. The categorization is based on actual command usage analysis.* From 42d02112b7eac731c928c8e7772e04aa32611efe Mon Sep 17 00:00:00 2001 From: "Jiaxiao (mossaka) Zhou" Date: Tue, 27 Jan 2026 17:18:07 +0000 Subject: [PATCH 4/5] Regenerate workflows after merge with main Co-Authored-By: Claude Opus 4.5 --- .../workflows/security-alert-burndown.campaign.lock.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/security-alert-burndown.campaign.lock.yml b/.github/workflows/security-alert-burndown.campaign.lock.yml index ac27199a7b..f3361ce2b9 100644 --- a/.github/workflows/security-alert-burndown.campaign.lock.yml +++ b/.github/workflows/security-alert-burndown.campaign.lock.yml 
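Review bot: Mitigation item 3 ("File operations are restricted to the workspace directory") and the `rm` entry's "Sandboxed to workspace directory" are contradicted by the `awf` invocations in this same patch, which mount `/tmp:/tmp:rw` (and, for Copilot, `/home/runner/.copilot:rw`) and run the agent with `--allow-all-paths`; `/tmp/gh-aw` holds the prompt, the MCP config and the agent/firewall logs, so a mounted `rm`, `cp` or `sed` can alter evidence that is collected after the run. I would reword item 3 to `3. **Writable Mounts**: file operations are confined to the container's rw mounts (the workspace, /tmp, and /home/runner/.copilot for Copilot), not the workspace alone; /tmp/gh-aw contains prompts, MCP config and logs, so destructive utilities can reach them`. Item 4 presents environment passing as a mitigation, but `--env-all` appears to forward the whole runner environment, so any mounted tool that can read its environment sees the same credentials — state that as residual risk rather than as a control. The `xargs` "command execution" rating is not a meaningful distinction once a shell is present: `find -exec`, `awk`'s `system()` and GNU `sed`'s `e` command also spawn commands, so rate each tool by what it can reach (network, writable mounts) rather than by whether it can execute a process. Separately, the Summary counts do not match their lists (the "10 Common" line names twelve utilities, "12 Optional" thirteen, and `tar` has no usage count in the table).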
@@ -454,7 +454,13 @@ jobs: "description": "Dispatch the 'security-fix-pr' workflow with workflow_dispatch trigger. This workflow must support workflow_dispatch and be in the same repository.", "inputSchema": { "additionalProperties": false, - "properties": {}, + "properties": { + "security_url": { + "default": "", + "description": "Security alert URL (e.g., https://github.com/owner/repo/security/code-scanning/123)", + "type": "string" + } + }, "type": "object" }, "name": "security_fix_pr" From 8e81896c87c9ecf49194c593e9234c2b197177e4 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Tue, 27 Jan 2026 17:22:15 +0000 Subject: [PATCH 5/5] Add changeset [skip-ci] --- .changeset/patch-document-agent-container-utilities.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 .changeset/patch-document-agent-container-utilities.md diff --git a/.changeset/patch-document-agent-container-utilities.md b/.changeset/patch-document-agent-container-utilities.md new file mode 100644 index 0000000000..65dbedac87 --- /dev/null +++ b/.changeset/patch-document-agent-container-utilities.md @@ -0,0 +1,4 @@ +--- +"gh-aw": patch +--- +Document which `/usr/bin` utilities should be mounted inside the agent container and summarize the audit findings for security and frequency usage.