From 6b0679a34b705f9f8c2501d3ae66b8da1c5138d9 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 22 Apr 2026 22:16:40 +0000
Subject: [PATCH 1/4] Initial plan
From 24477ca569798274eac3a743b5b12ac1675674c7 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 22 Apr 2026 22:27:08 +0000
Subject: [PATCH 2/4] fix: retry awf startup on api-proxy unhealthy error
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/596920a6-3a87-4dfb-9f45-762e54d420ac
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 actions/setup/sh/install_awf_binary.sh | 88 +++++++++++++++++++++++---
 1 file changed, 78 insertions(+), 10 deletions(-)
diff --git a/actions/setup/sh/install_awf_binary.sh b/actions/setup/sh/install_awf_binary.sh
index 4373012165b..0d74cebcbd7 100755
--- a/actions/setup/sh/install_awf_binary.sh
+++ b/actions/setup/sh/install_awf_binary.sh
@@ -32,6 +32,7 @@ AWF_REPO="github/gh-aw-firewall"
 AWF_INSTALL_DIR="/usr/local/bin"
 AWF_INSTALL_NAME="awf"
 AWF_LIB_DIR="/usr/local/lib/awf"
+AWF_REAL_PATH="${AWF_LIB_DIR}/awf-real"
 if [ -z "$AWF_VERSION" ]; then
 echo "ERROR: AWF version is required"
@@ -108,6 +109,71 @@ has_node_20() {
 return 1
 }
+install_awf_wrapper() {
+ sudo tee "${AWF_INSTALL_DIR}/${AWF_INSTALL_NAME}" > /dev/null <<'WRAPPER'
+#!/usr/bin/env bash
+set -euo pipefail
+
+AWF_REAL="/usr/local/lib/awf/awf-real"
+RETRY_PATTERN="dependency failed to start: container awf-api-proxy is unhealthy"
+MAX_RETRIES="${AWF_API_PROXY_START_RETRIES:-1}"
+RETRY_DELAY_SECONDS="${AWF_API_PROXY_RETRY_DELAY_SECONDS:-5}"
+
+# Validate optional retry settings to avoid arithmetic/sleep errors.
+case "$MAX_RETRIES" in
+ ''|*[!0-9]*) MAX_RETRIES=1 ;;
+esac
+case "$RETRY_DELAY_SECONDS" in
+ ''|*[!0-9]*) RETRY_DELAY_SECONDS=5 ;;
+esac
+
+if [ ! -x "$AWF_REAL" ]; then
+ echo "ERROR: AWF runtime not found at $AWF_REAL" >&2
+ exit 127
+fi
+
+run_awf() {
+ local output_file
+ output_file=$(mktemp)
+ local status
+
+ set +e
+ "$AWF_REAL" "$@" 2>&1 | tee "$output_file"
+ status=${PIPESTATUS[0]}
+ set -e
+
+ AWF_RETRYABLE_FAILURE=0
+ if [ "$status" -ne 0 ] && grep -Fq "$RETRY_PATTERN" "$output_file"; then
+ AWF_RETRYABLE_FAILURE=1
+ fi
+ rm -f "$output_file"
+
+ return "$status"
+}
+
+attempt=0
+while true; do
+ set +e
+ run_awf "$@"
+ status=$?
+ set -e
+
+ if [ "$status" -eq 0 ]; then
+ exit 0
+ fi
+
+ if [ "${AWF_RETRYABLE_FAILURE:-0}" -ne 1 ] || [ "$attempt" -ge "$MAX_RETRIES" ]; then
+ exit "$status"
+ fi
+
+ attempt=$((attempt + 1))
+ echo "[awf-wrapper] awf-api-proxy was unhealthy; retrying startup (${attempt}/${MAX_RETRIES}) after ${RETRY_DELAY_SECONDS}s..." >&2
+ sleep "$RETRY_DELAY_SECONDS"
+done
+WRAPPER
+ sudo chmod +x "${AWF_INSTALL_DIR}/${AWF_INSTALL_NAME}"
+}
+
 install_bundle() {
 local bundle_name="awf-bundle.js"
 local bundle_url="${BASE_URL}/${bundle_name}"
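Review bot: The retry decision in `run_awf` greps the combined stdout and stderr of the whole awf run (`2>&1 | tee "$output_file"`), so any text in that stream containing RETRY_PATTERN, followed by a non-zero exit, re-executes the full `"$@"` command line rather than only a compose startup failure. If awf relays the output of the workload it wraps (not visible in this hunk), content printed by that workload could cause a second, non-idempotent run. Restricting the match to awf's own diagnostics would close this, for example by capturing stderr only or by having awf-real report the unhealthy-proxy case through a dedicated exit status. The same pipeline folds stderr into stdout for every caller of `awf`, which deserves a comment above `run_awf` such as `# NOTE: stderr is merged into stdout so the retry check can see startup errors; callers parsing stdout will also receive diagnostics`.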
@@ -135,15 +201,13 @@ install_bundle() { sudo mkdir -p "${AWF_LIB_DIR}" sudo cp "${TEMP_DIR}/${bundle_name}" "${AWF_LIB_DIR}/${bundle_name}" - # Create wrapper script using the absolute path to node. - # Using an unquoted heredoc (< /dev/null < /dev/null < Date: Wed, 22 Apr 2026 22:28:54 +0000 Subject: [PATCH 3/4] chore: harden awf wrapper temp-file handling Agent-Logs-Url: https://github.com/github/gh-aw/sessions/596920a6-3a87-4dfb-9f45-762e54d420ac Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- actions/setup/sh/install_awf_binary.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/actions/setup/sh/install_awf_binary.sh b/actions/setup/sh/install_awf_binary.sh index 0d74cebcbd7..db1513a76f2 100755 --- a/actions/setup/sh/install_awf_binary.sh +++ b/actions/setup/sh/install_awf_binary.sh @@ -135,6 +135,7 @@ fi run_awf() { local output_file output_file=$(mktemp) + chmod 600 "$output_file" local status set +e @@ -143,7 +144,7 @@ run_awf() { set -e AWF_RETRYABLE_FAILURE=0 - if [ "$status" -ne 0 ] && grep -Fq "$RETRY_PATTERN" "$output_file"; then + if [ "$status" -ne 0 ] && grep -Fqm1 "$RETRY_PATTERN" "$output_file"; then AWF_RETRYABLE_FAILURE=1 fi rm -f "$output_file" @@ -159,6 +160,9 @@ while true; do set -e if [ "$status" -eq 0 ]; then + if [ "$attempt" -gt 0 ]; then + echo "[awf-wrapper] Retry succeeded on attempt ${attempt}" >&2 + fi exit 0 fi From cae79aad5e0a5af46083df67e15301eeac8f2fcc Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 22 Apr 2026 22:30:27 +0000 Subject: [PATCH 4/4] chore: secure retry wrapper temp file creation Agent-Logs-Url: https://github.com/github/gh-aw/sessions/596920a6-3a87-4dfb-9f45-762e54d420ac Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- actions/setup/sh/install_awf_binary.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
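Review bot: The `chmod 600 "$output_file"` added after `mktemp` in the `@@ -135,6 +135,7 @@` hunk does not tighten anything, because mktemp already creates the file readable and writable by the owner only. The same applies to the `umask 077 && mktemp` form that the PATCH 4/4 hunk at `-134,8` substitutes for it. What the temp file still lacks is cleanup when the wrapper is interrupted: `rm -f "$output_file"` is reached only on a normal return from `run_awf`, so a cancelled or killed run leaves the captured awf output behind in the temp directory. One option is to register `trap 'rm -f -- "${output_file:-}"' EXIT` right after the mktemp line. The body of `run_awf` continues outside this hunk, so the placement should be checked against the full function.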
diff --git a/actions/setup/sh/install_awf_binary.sh b/actions/setup/sh/install_awf_binary.sh
index db1513a76f2..d397c19d5de 100755
--- a/actions/setup/sh/install_awf_binary.sh
+++ b/actions/setup/sh/install_awf_binary.sh
@@ -134,8 +134,7 @@ fi
 run_awf() {
 local output_file
- output_file=$(mktemp)
- chmod 600 "$output_file"
+ output_file=$(umask 077 && mktemp)
 local status
 set +e