Use AWF --enable-chroot mode and remove unnecessary --mount and --env flags #13576
…lags
- Add --enable-chroot flag to AWF invocations for transparent host access
- Remove unnecessary --mount flags for host binaries (replaced by chroot mode)
- Remove --env-all and mirrored environment variable flags (inherited by chroot)
- Remove tool bins setup command (not needed with chroot mode)
- Update tests to verify new chroot mode behavior
- Recompile all workflow files with simplified AWF commands
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Pull request overview
This pull request adopts AWF v0.13.1's new --enable-chroot feature to significantly simplify workflow commands by eliminating unnecessary mount and environment variable flags. The chroot mode provides transparent access to host binaries and environment while maintaining network isolation.
Changes:
- Added --enable-chroot flag to AWF invocations, enabling transparent host filesystem access
- Removed 17+ individual binary mounts (cat, curl, gh, jq, yq, etc.) and system directory mounts that are now unnecessary
- Removed --env-all and individual --env flags since chroot inherits the host environment
- Updated tests to verify chroot mode behavior instead of checking for individual mounts
Reviewed changes
Copilot reviewed 139 out of 139 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| pkg/workflow/sandbox_mounts_test.go | Updated tests to verify --enable-chroot flag presence instead of checking for standard mounts |
| pkg/workflow/firewall_args_test.go | Updated tests to verify chroot mode and confirm individual binary mounts are no longer used |
| .github/workflows/*.lock.yml (100+ files) | All compiled workflow files updated with simplified AWF commands using --enable-chroot instead of explicit mount/env flags |
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨
🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰
✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟
📰 DEVELOPING STORY: Smoke Copilot reports failed. Our correspondents are investigating the incident...
PR titles:
@copilot This PR only adds Please also update: to use
Bumps gh-aw-firewall from v0.13.1 to v0.13.2 which includes the fix for --enable-chroot with preset agent images (PR #459).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Agent Container Tool Check
Result: 10/12 tools fully functional ✅ Note: Java and .NET binaries are present on the filesystem at expected paths but cannot be executed due to a shell environment issue. This appears to be a runtime configuration problem rather than missing tools. The core development tools (bash, git, node, python, go) and utilities (jq, yq, curl, gh) are all working correctly.
Smoke Test Results
Status: @Mossaka
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤
🔍 PR Triage Results
Category: feature | Risk: high | Priority: 75/100
Scores Breakdown
📋 Recommended Action: fast_track
This is a critical infrastructure change that simplifies the AWF integration and affects all engines. The PR has been actively worked on with 25 commits and 102 comments. Despite CI being blocked, the quality of work (comprehensive checklist, test coverage, issue fix) and importance warrant fast-track review once CI passes. The PR addresses a fundamental improvement in how workflows are generated.
Triaged by PR Triage Agent on 2026-02-04T00:35:56Z
…handling
AWF with --enable-chroot and --env-all already handles PATH correctly:
1. Captures host PATH → AWF_HOST_PATH (correct ordering from actions/setup-*)
2. Passes ALL host env vars including JAVA_HOME, DOTNET_ROOT, GOROOT
3. entrypoint.sh exports PATH="${AWF_HOST_PATH}" and tool-specific vars
4. Container inherits complete, correctly-ordered environment
Changes:
- copilot_engine_execution.go: Remove GetToolBinsSetup, GetHostedToolcachePathSetup,
and /bin/bash -c wrapper - pass command directly via shellEscapeArg
- claude_engine.go: Remove PATH setup from both firewall and non-firewall modes,
keep bash wrapper only for && chains
- codex_engine.go: Remove PATH setup, keep INSTRUCTION reading inside container
to avoid Docker Compose interpolation issues
This simplifies the generated workflows by ~150 lines across all lock files.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
AWF's native PATH handling (AWF_HOST_PATH) doesn't include npm global bin directories. Claude and Codex are installed via `npm install -g` which puts binaries in hostedtoolcache node bin directory. Added GetNpmBinPathSetup() helper that adds hostedtoolcache bin directories to PATH. This is simpler than the previous GetHostedToolcachePathSetup() because it doesn't include GH_AW_TOOL_BINS - AWF already handles tool-specific paths (GOROOT, JAVA_HOME, etc.) natively. Copilot doesn't need this because it uses an absolute path (/usr/local/bin/copilot).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Agent Container Tool Check ✅
All required development tools are available in the agent container:
Result: 12/12 tools available ✅
Status: PASS - All required tools are accessible in the container environment.
Smoke Test Results
Overall: cc @Mossaka
AWF v0.13.4 fixes an issue where the Go version from actions/setup-go was not being found in chroot mode. The entrypoint now prepends $GOROOT/bin to PATH when AWF_GOROOT is provided, ensuring the correct Go version is used. This fixes the smoke-copilot test failure: "Build: ❌ (Go 1.24.12 < required 1.25.0)" Also updates the constants_test.go expectation from v0.13.1 to v0.13.4. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
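As an added illustration (this is not AWF's entrypoint.sh or gh-aw code), the following emulates how a chroot-mode entrypoint could assemble the container PATH from the pieces the commits above describe: the captured AWF_HOST_PATH, an optional AWF_GOROOT whose bin directory is prepended so the setup-go toolchain wins, and the hostedtoolcache node bin directory that holds `npm install -g` binaries. The function names and the sample directory layout are assumptions, not AWF's.

```shell
# Added example, not AWF's own entrypoint. Assumed inputs: AWF_HOST_PATH as
# captured from the runner, AWF_GOROOT from actions/setup-go (optional), and
# the hostedtoolcache node bin dir for npm -g binaries (assumed location).

# build_container_path HOST_PATH [GOROOT] [NPM_BIN]
# Prints the PATH to export inside the container, in this order:
#   1. $GOROOT/bin, so the setup-go version wins over any system Go
#   2. the npm global bin dir, which the captured host PATH alone lacks
#   3. the captured host PATH, preserving actions/setup-* ordering
build_container_path() {
    bcp_result=$1
    bcp_goroot=$2
    bcp_npm_bin=$3
    if [ -n "$bcp_npm_bin" ]; then
        case ":$bcp_result:" in
            *":$bcp_npm_bin:"*) ;;                     # already present, skip
            *) bcp_result="$bcp_npm_bin:$bcp_result" ;;
        esac
    fi
    if [ -n "$bcp_goroot" ]; then
        bcp_result="$bcp_goroot/bin:$bcp_result"
    fi
    printf '%s\n' "$bcp_result"
}

# path_winner PATH DIR_A DIR_B
# Prints whichever of the two dirs appears first in PATH (or "none"): a cheap
# way to see which toolchain a lookup would hit without executing anything.
path_winner() {
    pw_path=$1; pw_a=$2; pw_b=$3
    pw_oldifs=$IFS; IFS=:
    for pw_d in $pw_path; do
        case "$pw_d" in
            "$pw_a") IFS=$pw_oldifs; printf '%s\n' "$pw_a"; return 0 ;;
            "$pw_b") IFS=$pw_oldifs; printf '%s\n' "$pw_b"; return 0 ;;
        esac
    done
    IFS=$pw_oldifs
    printf 'none\n'
}

# Constructed sample: the host PATH lists a system Go first and (as the
# commits note) does not contain the npm global bin directory.
SAMPLE_HOST_PATH="/usr/local/go/bin:/usr/bin:/bin"          # constructed
SAMPLE_GOROOT="/opt/hostedtoolcache/go/1.25.0/x64"          # constructed
SAMPLE_NPM_BIN="/opt/hostedtoolcache/node/20.11.0/x64/bin"  # constructed
CONTAINER_PATH=$(build_container_path "$SAMPLE_HOST_PATH" "$SAMPLE_GOROOT" "$SAMPLE_NPM_BIN")
echo "PATH=$CONTAINER_PATH"
echo "go resolves from: $(path_winner "$CONTAINER_PATH" "$SAMPLE_GOROOT/bin" /usr/local/go/bin)"
```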
--enable-chroot flag to AWF invocations for Copilot engine
--mount flags for host binaries (Copilot engine)
Original prompt
Changeset
--enable-chroot mode so agent runs inherit the host binaries and environment without manually mounting each tool.
Changeset
--env-all is passed to AWF to even receive the host vars.