From 4435a37658068454fdb6f121edf83c44d5959677 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 6 Feb 2026 17:51:08 +0000 Subject: [PATCH 1/4] Initial plan From 555b84a31df3302d871c085e0f0afbb2f695ccfa Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 6 Feb 2026 18:01:56 +0000 Subject: [PATCH 2/4] Add network access to agentic-workflows MCP server container Enable --network host for agentic-workflows stdio container to allow GitHub API access for CLI commands (audit, logs, compile). The container needs to reach api.github.com to execute gh CLI commands. Updated: - mcp_config_builtin.go: Add --network host to Docker args - Documentation: Updated comments to explain network requirement - Tests: Updated test expectations for new args format Fixes issue where daily-cli-tools-tester workflow couldn't access agentic-workflows MCP tools due to network isolation. Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .../workflows/daily-cli-tools-tester.lock.yml | 2 +- pkg/workflow/mcp_config_builtin.go | 27 ++++++++++------- pkg/workflow/mcp_config_refactor_test.go | 30 +++++++++---------- pkg/workflow/mcp_renderer_test.go | 6 ++-- 4 files changed, 35 insertions(+), 30 deletions(-) diff --git a/.github/workflows/daily-cli-tools-tester.lock.yml b/.github/workflows/daily-cli-tools-tester.lock.yml index f81e10c2283..3eade1c4dcb 100644 --- a/.github/workflows/daily-cli-tools-tester.lock.yml +++ b/.github/workflows/daily-cli-tools-tester.lock.yml @@ -475,7 +475,7 @@ jobs: "type": "stdio", "container": "localhost/gh-aw:dev", "mounts": ["${{ github.workspace }}:${{ github.workspace }}:rw", "/tmp/gh-aw:/tmp/gh-aw:rw"], - "args": ["-w", "${{ github.workspace }}"], + "args": ["--network", "host", "-w", "${{ github.workspace }}"], "env": { "DEBUG": "*", "GITHUB_TOKEN": "\${GITHUB_TOKEN}" diff --git a/pkg/workflow/mcp_config_builtin.go b/pkg/workflow/mcp_config_builtin.go index e7f41029db1..5bbb262f47c 100644 --- a/pkg/workflow/mcp_config_builtin.go +++ b/pkg/workflow/mcp_config_builtin.go @@ -26,10 +26,11 @@ // // 2. Agentic-workflows MCP server: // - Transport: stdio (runs in Docker container) -// - Container: Alpine Linux with gh-aw binary mounted -// - Entrypoint: /opt/gh-aw/gh-aw mcp-server -// - Purpose: Enables workflow compilation, validation, and execution -// - Tools: compile, validate, list, status, run, etc. +// - Container: Alpine Linux with gh-aw binary mounted (or localhost/gh-aw:dev in dev mode) +// - Entrypoint: /opt/gh-aw/gh-aw mcp-server (release mode) or container default (dev mode) +// - Network: Enabled via --network host for GitHub API access (api.github.com) +// - Purpose: Enables workflow compilation, validation, and execution via gh aw CLI +// - Tools: compile, validate, list, status, audit, logs, add, update, fix // // HTTP vs stdio transport: // - HTTP: Server runs on host, accessible via HTTP URL with authentication @@ -57,10 +58,12 @@ // // Agentic-workflows configuration: // Agentic-workflows runs in a stdio container and requires: -// - Mounted gh-aw binary from /opt/gh-aw +// - Mounted gh-aw binary from /opt/gh-aw (release mode) or baked into image (dev mode) +// - Mounted gh CLI binary for GitHub API access (release mode) or baked into image (dev mode) // - Mounted workspace for workflow files // - Mounted temp directory for logs // - GITHUB_TOKEN for GitHub API access +// - Network access enabled via --network host for api.github.com // // Related files: // - mcp_renderer.go: Main renderer that calls these functions @@ -226,9 +229,10 @@ func renderAgenticWorkflowsMCPConfigWithOptions(yaml *strings.Builder, isLast bo } yaml.WriteString("],\n") - // Add Docker runtime args to set working directory to workspace - // This ensures .github/workflows folder resolves correctly to workspace/.github/workflows - yaml.WriteString(" \"args\": [\"-w\", \"${{ github.workspace }}\"],\n") + // Add Docker runtime args: + // - --network host: Enables network access for GitHub API calls (gh CLI needs api.github.com) + // - -w: Sets working directory to workspace for .github/workflows folder resolution + yaml.WriteString(" \"args\": [\"--network\", \"host\", \"-w\", \"${{ github.workspace }}\"],\n") // Note: tools field is NOT included here - the converter script adds it back // for Copilot. This keeps the gateway config compatible with the schema. @@ -334,9 +338,10 @@ func renderAgenticWorkflowsMCPConfigTOML(yaml *strings.Builder, actionMode Actio } yaml.WriteString("]\n") - // Add Docker runtime args to set working directory to workspace - // This ensures .github/workflows folder resolves correctly to workspace/.github/workflows - yaml.WriteString(" args = [\"-w\", \"${{ github.workspace }}\"]\n") + // Add Docker runtime args: + // - --network host: Enables network access for GitHub API calls (gh CLI needs api.github.com) + // - -w: Sets working directory to workspace for .github/workflows folder resolution + yaml.WriteString(" args = [\"--network\", \"host\", \"-w\", \"${{ github.workspace }}\"]\n") // Use env_vars array to reference environment variables instead of embedding secrets yaml.WriteString(" env_vars = [\"DEBUG\", \"GITHUB_TOKEN\"]\n") diff --git a/pkg/workflow/mcp_config_refactor_test.go b/pkg/workflow/mcp_config_refactor_test.go index 95509bae691..82d95a9c3e7 100644 --- a/pkg/workflow/mcp_config_refactor_test.go +++ b/pkg/workflow/mcp_config_refactor_test.go @@ -105,11 +105,11 @@ func TestRenderAgenticWorkflowsMCPConfigWithOptions(t *testing.T) { expectedContent: []string{ `"agenticworkflows": {`, `"type": "stdio"`, - `"container": "localhost/gh-aw:dev"`, // Dev mode uses locally built image - `"${{ github.workspace }}:${{ github.workspace }}:rw"`, // workspace mount (read-write) - `"/tmp/gh-aw:/tmp/gh-aw:rw"`, // temp directory mount (read-write) - `"args": ["-w", "${{ github.workspace }}"]`, // Docker working directory - `"DEBUG": "*"`, // Literal value for debug logging + `"container": "localhost/gh-aw:dev"`, // Dev mode uses locally built image + `"${{ github.workspace }}:${{ github.workspace }}:rw"`, // workspace mount (read-write) + `"/tmp/gh-aw:/tmp/gh-aw:rw"`, // temp directory mount (read-write) + `"args": ["--network", "host", "-w", "${{ github.workspace }}"]`, // Network access + working directory + `"DEBUG": "*"`, // Literal value for debug logging `"GITHUB_TOKEN": "\${GITHUB_TOKEN}"`, ` },`, }, @@ -134,11 +134,11 @@ func TestRenderAgenticWorkflowsMCPConfigWithOptions(t *testing.T) { `"container": "alpine:latest"`, `"entrypoint": "/opt/gh-aw/gh-aw"`, `"entrypointArgs": ["mcp-server"]`, - `"/opt/gh-aw:/opt/gh-aw:ro"`, // gh-aw binary mount (read-only) - `"/usr/bin/gh:/usr/bin/gh:ro"`, // gh CLI binary mount (read-only) - `"${{ github.workspace }}:${{ github.workspace }}:rw"`, // workspace mount (read-write) - `"/tmp/gh-aw:/tmp/gh-aw:rw"`, // temp directory mount (read-write) - `"args": ["-w", "${{ github.workspace }}"]`, // Docker working directory + `"/opt/gh-aw:/opt/gh-aw:ro"`, // gh-aw binary mount (read-only) + `"/usr/bin/gh:/usr/bin/gh:ro"`, // gh CLI binary mount (read-only) + `"${{ github.workspace }}:${{ github.workspace }}:rw"`, // workspace mount (read-write) + `"/tmp/gh-aw:/tmp/gh-aw:rw"`, // temp directory mount (read-write) + `"args": ["--network", "host", "-w", "${{ github.workspace }}"]`, // Network access + working directory `"DEBUG": "*"`, `"GITHUB_TOKEN": "\${GITHUB_TOKEN}"`, ` },`, @@ -156,10 +156,10 @@ func TestRenderAgenticWorkflowsMCPConfigWithOptions(t *testing.T) { actionMode: ActionModeDev, expectedContent: []string{ `"agenticworkflows": {`, - `"container": "localhost/gh-aw:dev"`, // Dev mode uses locally built image - `"${{ github.workspace }}:${{ github.workspace }}:rw"`, // workspace mount (read-write) - `"/tmp/gh-aw:/tmp/gh-aw:rw"`, // temp directory mount (read-write) - `"args": ["-w", "${{ github.workspace }}"]`, // Docker working directory + `"container": "localhost/gh-aw:dev"`, // Dev mode uses locally built image + `"${{ github.workspace }}:${{ github.workspace }}:rw"`, // workspace mount (read-write) + `"/tmp/gh-aw:/tmp/gh-aw:rw"`, // temp directory mount (read-write) + `"args": ["--network", "host", "-w", "${{ github.workspace }}"]`, // Network access + working directory // Environment variables `"DEBUG": "*"`, // Literal value for debug logging `"GITHUB_TOKEN": "$GITHUB_TOKEN"`, @@ -302,7 +302,7 @@ func TestRenderAgenticWorkflowsMCPConfigTOML(t *testing.T) { expectedContent := []string{ `[mcp_servers.agenticworkflows]`, tt.expectedContainer, - `args = ["-w", "${{ github.workspace }}"]`, // Docker working directory + `args = ["--network", "host", "-w", "${{ github.workspace }}"]`, // Network access + working directory `env_vars = ["DEBUG", "GITHUB_TOKEN"]`, } expectedContent = append(expectedContent, tt.expectedMounts...) diff --git a/pkg/workflow/mcp_renderer_test.go b/pkg/workflow/mcp_renderer_test.go index a5561e08546..6f3793a89da 100644 --- a/pkg/workflow/mcp_renderer_test.go +++ b/pkg/workflow/mcp_renderer_test.go @@ -213,9 +213,9 @@ func TestRenderAgenticWorkflowsMCP_JSON_Copilot(t *testing.T) { if !strings.Contains(output, `"GITHUB_TOKEN"`) { t.Error("Expected GITHUB_TOKEN in env vars") } - // Should have working directory args - if !strings.Contains(output, `"args": ["-w", "${{ github.workspace }}"]`) { - t.Error("Expected args with working directory set to workspace") + // Should have network access and working directory args + if !strings.Contains(output, `"args": ["--network", "host", "-w", "${{ github.workspace }}"]`) { + t.Error("Expected args with network access and working directory set to workspace") } } From 006945c549cc261d01c70431d76461dbd8267332 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 6 Feb 2026 18:02:44 +0000 Subject: [PATCH 3/4] Recompile all workflows with agentic-workflows network access All workflows using agentic-workflows tool now include --network host Docker arg to enable GitHub API access from the MCP server container. Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/agent-performance-analyzer.lock.yml | 2 +- .github/workflows/agent-persona-explorer.lock.yml | 2 +- .github/workflows/audit-workflows.lock.yml | 2 +- .github/workflows/cloclo.lock.yml | 2 +- .github/workflows/daily-firewall-report.lock.yml | 2 +- .github/workflows/daily-observability-report.lock.yml | 2 +- .github/workflows/daily-safe-output-optimizer.lock.yml | 2 +- .github/workflows/deep-report.lock.yml | 2 +- .github/workflows/dev-hawk.lock.yml | 2 +- .github/workflows/example-workflow-analyzer.lock.yml | 2 +- .github/workflows/mcp-inspector.lock.yml | 2 +- .github/workflows/metrics-collector.lock.yml | 2 +- .github/workflows/portfolio-analyst.lock.yml | 2 +- .github/workflows/prompt-clustering-analysis.lock.yml | 2 +- .github/workflows/python-data-charts.lock.yml | 2 +- .github/workflows/q.lock.yml | 2 +- .github/workflows/safe-output-health.lock.yml | 2 +- .github/workflows/security-review.lock.yml | 2 +- .github/workflows/smoke-claude.lock.yml | 2 +- .github/workflows/smoke-copilot.lock.yml | 2 +- .github/workflows/static-analysis-report.lock.yml | 2 +- .github/workflows/workflow-normalizer.lock.yml | 2 +- 22 files changed, 22 insertions(+), 22 deletions(-) diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index b36cc0735ac..c3e8eca20a7 100644 --- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml @@ -578,7 +578,7 @@ jobs: "type": "stdio", "container": "localhost/gh-aw:dev", "mounts": ["${{ github.workspace }}:${{ github.workspace }}:rw", "/tmp/gh-aw:/tmp/gh-aw:rw"], - "args": ["-w", "${{ github.workspace }}"], + "args": ["--network", "host", "-w", "${{ github.workspace }}"], "env": { "DEBUG": "*", "GITHUB_TOKEN": "\${GITHUB_TOKEN}" diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml index c220e25daa4..b32425d1449 100644 --- a/.github/workflows/agent-persona-explorer.lock.yml +++ b/.github/workflows/agent-persona-explorer.lock.yml @@ -472,7 +472,7 @@ jobs: "type": "stdio", "container": "localhost/gh-aw:dev", "mounts": ["${{ github.workspace }}:${{ github.workspace }}:rw", "/tmp/gh-aw:/tmp/gh-aw:rw"], - "args": ["-w", "${{ github.workspace }}"], + "args": ["--network", "host", "-w", "${{ github.workspace }}"], "env": { "DEBUG": "*", "GITHUB_TOKEN": "\${GITHUB_TOKEN}" diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index 9ef6b2e2990..5dcfe6bc08d 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -539,7 +539,7 @@ jobs: "agenticworkflows": { "container": "localhost/gh-aw:dev", "mounts": ["${{ github.workspace }}:${{ github.workspace }}:rw", "/tmp/gh-aw:/tmp/gh-aw:rw"], - "args": ["-w", "${{ github.workspace }}"], + "args": ["--network", "host", "-w", "${{ github.workspace }}"], "env": { "DEBUG": "*", "GITHUB_TOKEN": "$GITHUB_TOKEN" diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index 41e9f82c94b..c9013b3f772 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml @@ -586,7 +586,7 @@ jobs: "agenticworkflows": { "container": "localhost/gh-aw:dev", "mounts": ["${{ github.workspace }}:${{ github.workspace }}:rw", "/tmp/gh-aw:/tmp/gh-aw:rw"], - "args": ["-w", "${{ github.workspace }}"], + "args": ["--network", "host", "-w", "${{ github.workspace }}"], "env": { "DEBUG": "*", "GITHUB_TOKEN": "$GITHUB_TOKEN" diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index 1d0dac7ccec..1189dc92ff1 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml @@ -525,7 +525,7 @@ jobs: "type": "stdio", "container": "localhost/gh-aw:dev", "mounts": ["${{ github.workspace }}:${{ github.workspace }}:rw", "/tmp/gh-aw:/tmp/gh-aw:rw"], - "args": ["-w", "${{ github.workspace }}"], + "args": ["--network", "host", "-w", "${{ github.workspace }}"], "env": { "DEBUG": "*", "GITHUB_TOKEN": "\${GITHUB_TOKEN}" diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index 78b72ee5be8..17a5e9a23bd 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml @@ -552,7 +552,7 @@ jobs: "agenticworkflows": { "container": "localhost/gh-aw:dev", "mounts": ["${{ github.workspace }}:${{ github.workspace }}:rw", "/tmp/gh-aw:/tmp/gh-aw:rw"], - "args": ["-w", "${{ github.workspace }}"], + "args": ["--network", "host", "-w", "${{ github.workspace }}"], "env": { "DEBUG": "*", "GITHUB_TOKEN": "$GITHUB_TOKEN" diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml index 8697c0c3d51..cbc698a358d 100644 --- a/.github/workflows/daily-safe-output-optimizer.lock.yml +++ b/.github/workflows/daily-safe-output-optimizer.lock.yml @@ -505,7 +505,7 @@ jobs: "agenticworkflows": { "container": "localhost/gh-aw:dev", "mounts": ["${{ github.workspace }}:${{ github.workspace }}:rw", "/tmp/gh-aw:/tmp/gh-aw:rw"], - "args": ["-w", "${{ github.workspace }}"], + "args": ["--network", "host", "-w", "${{ github.workspace }}"], "env": { "DEBUG": "*", "GITHUB_TOKEN": "$GITHUB_TOKEN" diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index 53979ab8895..ce86ddb37f7 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml @@ -626,7 +626,7 @@ jobs: "agenticworkflows": { "container": "localhost/gh-aw:dev", "mounts": ["${{ github.workspace }}:${{ github.workspace }}:rw", "/tmp/gh-aw:/tmp/gh-aw:rw"], - "args": ["-w", "${{ github.workspace }}"], + "args": ["--network", "host", "-w", "${{ github.workspace }}"], "env": { "DEBUG": "*", "GITHUB_TOKEN": "$GITHUB_TOKEN" diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index cc8511bfe47..2b1d6c843d6 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -446,7 +446,7 @@ jobs: "type": "stdio", "container": "localhost/gh-aw:dev", "mounts": ["${{ github.workspace }}:${{ github.workspace }}:rw", "/tmp/gh-aw:/tmp/gh-aw:rw"], - "args": ["-w", "${{ github.workspace }}"], + "args": ["--network", "host", "-w", "${{ github.workspace }}"], "env": { "DEBUG": "*", "GITHUB_TOKEN": "\${GITHUB_TOKEN}" diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index 18a329072b0..7d399b2685b 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml @@ -462,7 +462,7 @@ jobs: "agenticworkflows": { "container": "localhost/gh-aw:dev", "mounts": ["${{ github.workspace }}:${{ github.workspace }}:rw", "/tmp/gh-aw:/tmp/gh-aw:rw"], - "args": ["-w", "${{ github.workspace }}"], + "args": ["--network", "host", "-w", "${{ github.workspace }}"], "env": { "DEBUG": "*", "GITHUB_TOKEN": "$GITHUB_TOKEN" diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index 76fcfcda567..82dd45e7602 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml @@ -540,7 +540,7 @@ jobs: "type": "stdio", "container": "localhost/gh-aw:dev", "mounts": ["${{ github.workspace }}:${{ github.workspace }}:rw", "/tmp/gh-aw:/tmp/gh-aw:rw"], - "args": ["-w", "${{ github.workspace }}"], + "args": ["--network", "host", "-w", "${{ github.workspace }}"], "env": { "DEBUG": "*", "GITHUB_TOKEN": "\${GITHUB_TOKEN}" diff --git a/.github/workflows/metrics-collector.lock.yml b/.github/workflows/metrics-collector.lock.yml index 633addca83a..77f0693c104 100644 --- a/.github/workflows/metrics-collector.lock.yml +++ b/.github/workflows/metrics-collector.lock.yml @@ -243,7 +243,7 @@ jobs: "type": "stdio", "container": "localhost/gh-aw:dev", "mounts": ["${{ github.workspace }}:${{ github.workspace }}:rw", "/tmp/gh-aw:/tmp/gh-aw:rw"], - "args": ["-w", "${{ github.workspace }}"], + "args": ["--network", "host", "-w", "${{ github.workspace }}"], "env": { "DEBUG": "*", "GITHUB_TOKEN": "\${GITHUB_TOKEN}" diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml index 6adf69423ba..c5017b2def8 100644 --- a/.github/workflows/portfolio-analyst.lock.yml +++ b/.github/workflows/portfolio-analyst.lock.yml @@ -532,7 +532,7 @@ jobs: "type": "stdio", "container": "localhost/gh-aw:dev", "mounts": ["${{ github.workspace }}:${{ github.workspace }}:rw", "/tmp/gh-aw:/tmp/gh-aw:rw"], - "args": ["-w", "${{ github.workspace }}"], + "args": ["--network", "host", "-w", "${{ github.workspace }}"], "env": { "DEBUG": "*", "GITHUB_TOKEN": "\${GITHUB_TOKEN}" diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index 2fe4d1865da..abab7bdc613 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml @@ -529,7 +529,7 @@ jobs: "agenticworkflows": { "container": "localhost/gh-aw:dev", "mounts": ["${{ github.workspace }}:${{ github.workspace }}:rw", "/tmp/gh-aw:/tmp/gh-aw:rw"], - "args": ["-w", "${{ github.workspace }}"], + "args": ["--network", "host", "-w", "${{ github.workspace }}"], "env": { "DEBUG": "*", "GITHUB_TOKEN": "$GITHUB_TOKEN" diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index ea8a41f546d..8f95cd23291 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml @@ -520,7 +520,7 @@ jobs: "type": "stdio", "container": "localhost/gh-aw:dev", "mounts": ["${{ github.workspace }}:${{ github.workspace }}:rw", "/tmp/gh-aw:/tmp/gh-aw:rw"], - "args": ["-w", "${{ github.workspace }}"], + "args": ["--network", "host", "-w", "${{ github.workspace }}"], "env": { "DEBUG": "*", "GITHUB_TOKEN": "\${GITHUB_TOKEN}" diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index e782c649d10..0a1c6c8c909 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -569,7 +569,7 @@ jobs: "type": "stdio", "container": "localhost/gh-aw:dev", "mounts": ["${{ github.workspace }}:${{ github.workspace }}:rw", "/tmp/gh-aw:/tmp/gh-aw:rw"], - "args": ["-w", "${{ github.workspace }}"], + "args": ["--network", "host", "-w", "${{ github.workspace }}"], "env": { "DEBUG": "*", "GITHUB_TOKEN": "\${GITHUB_TOKEN}" diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index f78d33e817d..3e02a316b97 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml @@ -481,7 +481,7 @@ jobs: "agenticworkflows": { "container": "localhost/gh-aw:dev", "mounts": ["${{ github.workspace }}:${{ github.workspace }}:rw", "/tmp/gh-aw:/tmp/gh-aw:rw"], - "args": ["-w", "${{ github.workspace }}"], + "args": ["--network", "host", "-w", "${{ github.workspace }}"], "env": { "DEBUG": "*", "GITHUB_TOKEN": "$GITHUB_TOKEN" diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index 887960bb93e..54402bac9a6 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml @@ -560,7 +560,7 @@ jobs: "type": "stdio", "container": "localhost/gh-aw:dev", "mounts": ["${{ github.workspace }}:${{ github.workspace }}:rw", "/tmp/gh-aw:/tmp/gh-aw:rw"], - "args": ["-w", "${{ github.workspace }}"], + "args": ["--network", "host", "-w", "${{ github.workspace }}"], "env": { "DEBUG": "*", "GITHUB_TOKEN": "\${GITHUB_TOKEN}" diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 667c5e36d8b..ac3e4d18114 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -1163,7 +1163,7 @@ jobs: "agenticworkflows": { "container": "localhost/gh-aw:dev", "mounts": ["${{ github.workspace }}:${{ github.workspace }}:rw", "/tmp/gh-aw:/tmp/gh-aw:rw"], - "args": ["-w", "${{ github.workspace }}"], + "args": ["--network", "host", "-w", "${{ github.workspace }}"], "env": { "DEBUG": "*", "GITHUB_TOKEN": "$GITHUB_TOKEN" diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index e8ed1804b63..d8b526d3312 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -1152,7 +1152,7 @@ jobs: "type": "stdio", "container": "localhost/gh-aw:dev", "mounts": ["${{ github.workspace }}:${{ github.workspace }}:rw", "/tmp/gh-aw:/tmp/gh-aw:rw"], - "args": ["-w", "${{ github.workspace }}"], + "args": ["--network", "host", "-w", "${{ github.workspace }}"], "env": { "DEBUG": "*", "GITHUB_TOKEN": "\${GITHUB_TOKEN}" diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index 183b928d2a1..0dd85fd6be4 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -480,7 +480,7 @@ jobs: "agenticworkflows": { "container": "localhost/gh-aw:dev", "mounts": ["${{ github.workspace }}:${{ github.workspace }}:rw", "/tmp/gh-aw:/tmp/gh-aw:rw"], - "args": ["-w", "${{ github.workspace }}"], + "args": ["--network", "host", "-w", "${{ github.workspace }}"], "env": { "DEBUG": "*", "GITHUB_TOKEN": "$GITHUB_TOKEN" diff --git a/.github/workflows/workflow-normalizer.lock.yml b/.github/workflows/workflow-normalizer.lock.yml index 331e4528358..553da85d786 100644 --- a/.github/workflows/workflow-normalizer.lock.yml +++ b/.github/workflows/workflow-normalizer.lock.yml @@ -479,7 +479,7 @@ jobs: "type": "stdio", "container": "localhost/gh-aw:dev", "mounts": ["${{ github.workspace }}:${{ github.workspace }}:rw", "/tmp/gh-aw:/tmp/gh-aw:rw"], - "args": ["-w", "${{ github.workspace }}"], + "args": ["--network", "host", "-w", "${{ github.workspace }}"], "env": { "DEBUG": "*", "GITHUB_TOKEN": "\${GITHUB_TOKEN}" From e3c5c062338f055697c7ae70e2644ca9420eb732 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 6 Feb 2026 18:05:17 +0000 Subject: [PATCH 4/4] Fix remaining test expectations for network args Updated test assertions in mcp_config_compilation_test.go and importable_tools_test.go to expect --network host flag in args. Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- pkg/workflow/importable_tools_test.go | 4 ++-- pkg/workflow/mcp_config_compilation_test.go | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/pkg/workflow/importable_tools_test.go b/pkg/workflow/importable_tools_test.go index b818e1486f7..879083f91cd 100644 --- a/pkg/workflow/importable_tools_test.go +++ b/pkg/workflow/importable_tools_test.go @@ -264,8 +264,8 @@ Uses imported agentic-workflows tool. } // Verify working directory args are present - if !strings.Contains(workflowData, `"args": ["-w", "${{ github.workspace }}"]`) { - t.Error("Expected args with working directory") + if !strings.Contains(workflowData, `"args": ["--network", "host", "-w", "${{ github.workspace }}"]`) { + t.Error("Expected args with network access and working directory") } } diff --git a/pkg/workflow/mcp_config_compilation_test.go b/pkg/workflow/mcp_config_compilation_test.go index 153045fdc88..5c53a636d75 100644 --- a/pkg/workflow/mcp_config_compilation_test.go +++ b/pkg/workflow/mcp_config_compilation_test.go @@ -325,8 +325,8 @@ This workflow tests that agentic-workflows uses the correct container in dev mod } // Verify working directory args are present - if !strings.Contains(string(lockContent), `"args": ["-w", "${{ github.workspace }}"]`) { - t.Error("Expected args with working directory in dev mode") + if !strings.Contains(string(lockContent), `"args": ["--network", "host", "-w", "${{ github.workspace }}"]`) { + t.Error("Expected args with network access and working directory in dev mode") } } })