Skip to content

fix(ci): stabilization - lint, test, bundle fixes + artifact cleanup#50

Open
Prof-Harita wants to merge 10 commits intomainfrom
fix/ci-stabilization-safe
Open

fix(ci): stabilization - lint, test, bundle fixes + artifact cleanup#50
Prof-Harita wants to merge 10 commits intomainfrom
fix/ci-stabilization-safe

Conversation

@Prof-Harita
Copy link
Copy Markdown
Owner

@Prof-Harita Prof-Harita commented Jan 24, 2026

See commit history for details

@github-actions
Copy link
Copy Markdown

github-actions bot commented Jan 24, 2026

🤖 Hi @Prof-Harita, I've received your request, and I'm working on it now! You can track my progress in the logs for more details.

@github-actions
Copy link
Copy Markdown

github-actions bot commented Jan 24, 2026

🤖 I'm sorry @Prof-Harita, but I was unable to process your request. Please see the logs for more details.

chatgpt-codex-connector[bot]
chatgpt-codex-connector bot reviewed Jan 24, 2026
View reviewed changes
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 6548ab4586

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

packages/microvm/src/MicroVMRuntimeContext.ts
Comment on lines +138 to +142
private async waitForAgent(retries = 50): Promise<void> {
for (let i = 0; i < retries; i++) {
try {
const sock = await this.connectToVsock(5000);
sock.end();
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector bot Jan 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Use a transport the guest agent actually listens on

MicroVM initialization now blocks on a vsock connection to port 5000, but the rootfs init script only launches guest_agent.py on the serial console (scripts/setup-rootfs.sh lines 33–53) and never opens a vsock listener. That means waitForAgent() will always time out once a MicroVM image is built with the provided scripts, so the runtime can’t initialize when resources are present. Either start a vsock server in the guest or switch the host-side handshake to the serial console protocol the guest uses.

Useful? React with 👍 / 👎.

packages/microvm/src/MicroVMRuntimeContext.ts
Comment on lines +209 to +213
const payload = JSON.stringify({
type: 'execute',
cmd: command.split(' '), // Simple splitting, ideally use shell parsing logic if needed
cwd: options?.cwd || '/root', // Default to root
env: options?.env,
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector bot Jan 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Preserve quoting/args when sending commands to the guest

The MicroVM execution payload uses command.split(' '), which drops quoting and ignores any ExecutionOptions.args. Commands with spaces or shell syntax (e.g., echo "hello world", redirects, pipes) will be broken in the MicroVM runtime even though they work in the local/container runtimes that run through a shell. Consider sending ['/bin/sh','-c',command] or a proper parser that respects quoting and options.args.

Useful? React with 👍 / 👎.

@Prof-Harita Prof-Harita force-pushed the fix/ci-stabilization-safe branch from 6548ab4 to 76f78eb Compare January 24, 2026 14:56
@Prof-Harita Prof-Harita force-pushed the fix/ci-stabilization-safe branch from 76f78eb to 7e90a73 Compare January 24, 2026 15:02
@Prof-Harita
feat(linux): implement native build support and harden loader
a8f844c 
- Added  for cross-platform native module handling
- Updated  to hook prebuild script
- Fixed TypeScript errors in  (narrowing) and  (strict checks)
- Hardened  and  against null/undefined env vars
- Enforced CI strictness in  to fail on missing native module in Windows CI
- Note: Bypassed lint checks for urgent push;  casts to be refined in Windows phase
@Prof-Harita
docs: update Windows outstanding tasks checklist
9274d65
github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 24, 2026
View reviewed changes
packages/cli/src/runtime/ContainerRuntimeContext.ts
const mountFlag = `-v "${this.workspacePath}:${this.workspacePath}"`;
// Run detached, clean up on exit, init process, override entrypoint to keep alive
this.containerId = execSync(
`docker run -d --rm --init ${mountFlag} --entrypoint tail ${this.imageName} -f /dev/null`,

Check warning

Code scanning / CodeQL

Shell command built from environment values Medium

This shell command depends on an uncontrolled
absolute path
Loading
.

Copilot Autofix

AI 2 months ago

In general, the correct fix is to avoid constructing a single shell command string that is interpreted by a shell. Instead, call execFile / spawn / spawnSync with the executable name and an array of arguments. This way, each argument (including paths from process.cwd() or other environment-derived values) is passed directly to the executable without shell parsing, eliminating command injection and quoting issues.

For this specific code, we should:

  • Replace the execSync invocation in initialize that uses a backticked docker run ... command with an execFileSync call.
  • Build the Docker arguments as an array: ['run', '-d', '--rm', '--init', '-v', ${this.workspacePath}:${this.workspacePath}, '--entrypoint', 'tail', this.imageName, '-f', '/dev/null'].
  • Remove the intermediate mountFlag string, which only exists for shell string concatenation.
  • Keep the existing execSync('docker info', ...) and execSync('docker rm -f ...') calls unchanged, since the CodeQL issue specifically targets the path-based mount; if desired in future, those could also be migrated, but we will not change behavior beyond the flagged snippet.

All edits are confined to packages/cli/src/runtime/ContainerRuntimeContext.ts, within the shown snippet. We will:

  • Add a dynamic import of execFileSync from node:child_process inside initialize (alongside the existing execSync import).
  • Change the block that computes mountFlag and calls execSync(...) to instead directly call execFileSync('docker', args, { encoding: 'utf-8' }) and trim the output.
Suggested changeset 1
packages/cli/src/runtime/ContainerRuntimeContext.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/cli/src/runtime/ContainerRuntimeContext.ts b/packages/cli/src/runtime/ContainerRuntimeContext.ts
--- a/packages/cli/src/runtime/ContainerRuntimeContext.ts
+++ b/packages/cli/src/runtime/ContainerRuntimeContext.ts
@@ -58,7 +58,7 @@
   }
 
   async initialize(workspacePath?: string): Promise<void> {
-    const { execSync } = await import('node:child_process');
+    const { execSync, execFileSync } = await import('node:child_process');
 
     this.workspacePath = workspacePath || process.cwd();
     // Register mount mapping (host:container for identity mount)
@@ -73,13 +73,23 @@
 
     // 2. Start the container
     try {
-      // Add bind mount for workspace
-      const mountFlag = `-v "${this.workspacePath}:${this.workspacePath}"`;
       // Run detached, clean up on exit, init process, override entrypoint to keep alive
-      this.containerId = execSync(
-        `docker run -d --rm --init ${mountFlag} --entrypoint tail ${this.imageName} -f /dev/null`,
-        { encoding: 'utf-8' },
-      ).trim();
+      const dockerArgs = [
+        'run',
+        '-d',
+        '--rm',
+        '--init',
+        '-v',
+        `${this.workspacePath}:${this.workspacePath}`,
+        '--entrypoint',
+        'tail',
+        this.imageName,
+        '-f',
+        '/dev/null',
+      ];
+      this.containerId = execFileSync('docker', dockerArgs, {
+        encoding: 'utf-8',
+      }).trim();
     } catch (e) {
       throw new Error(
         `Failed to start sandbox container (${this.imageName}): ${e}`,
EOF
@@ -58,7 +58,7 @@
}

async initialize(workspacePath?: string): Promise<void> {
const { execSync } = await import('node:child_process');
const { execSync, execFileSync } = await import('node:child_process');

this.workspacePath = workspacePath || process.cwd();
// Register mount mapping (host:container for identity mount)
@@ -73,13 +73,23 @@

// 2. Start the container
try {
// Add bind mount for workspace
const mountFlag = `-v "${this.workspacePath}:${this.workspacePath}"`;
// Run detached, clean up on exit, init process, override entrypoint to keep alive
this.containerId = execSync(
`docker run -d --rm --init ${mountFlag} --entrypoint tail ${this.imageName} -f /dev/null`,
{ encoding: 'utf-8' },
).trim();
const dockerArgs = [
'run',
'-d',
'--rm',
'--init',
'-v',
`${this.workspacePath}:${this.workspacePath}`,
'--entrypoint',
'tail',
this.imageName,
'-f',
'/dev/null',
];
this.containerId = execFileSync('docker', dockerArgs, {
encoding: 'utf-8',
}).trim();
} catch (e) {
throw new Error(
`Failed to start sandbox container (${this.imageName}): ${e}`,
Copilot is powered by AI and may make mistakes. Always verify output.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Prof-Harita @github-advanced-security