Skip to content

Add volumeMounts to AWF config file schema #5754

Description

@lpcox

Summary

The --mount / -v CLI option for custom volume mounts has no equivalent in the AWF config file schema (awf-config.json). This forces the gh-aw compiler to pass security-sensitive mount specifications as CLI arguments rather than through the stdin config.

For ARC/DinD workflows, the mount strategy is security-critical (ro base + rw overlays to protect safe-outputs config and audit logs from agent tampering). Passing these via config enables:

  • Validation via JSON Schema before execution
  • Centralized configuration (one place to audit)
  • Consistent with the principle that security-sensitive params should use config/env, not positional CLI args

Proposed Schema Addition

{
  "container": {
    "mounts": {
      "type": "array",
      "items": {
        "type": "string",
        "pattern": "^[^:]+:[^:]+(:(ro|rw))?$"
      },
      "description": "Custom volume mounts for the agent container. Format: 'host_path:container_path[:ro|rw]'. In chroot mode, container paths are automatically prefixed with /host."
    }
  }
}

Context

The gh-aw compiler for topology: arc-dind needs to specify:

--mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro"
--mount "${RUNNER_TEMP}/gh-aw/home:${RUNNER_TEMP}/gh-aw/home:rw"
--mount "${RUNNER_TEMP}/gh-aw/sandbox/agent:${RUNNER_TEMP}/gh-aw/sandbox/agent:rw"

These should instead be:

{
  "container": {
    "mounts": [
      "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro",
      "${RUNNER_TEMP}/gh-aw/home:${RUNNER_TEMP}/gh-aw/home:rw",
      "${RUNNER_TEMP}/gh-aw/sandbox/agent:${RUNNER_TEMP}/gh-aw/sandbox/agent:rw"
    ]
  }
}

Other options already in config

For reference, these related options are already available in config and do NOT need changes:

  • logging.proxyLogsDir (maps to --proxy-logs-dir)
  • logging.auditDir (maps to --audit-dir)
  • container.containerWorkDir (maps to --container-workdir)
  • environment.envAll / environment.excludeEnv

Related

Metadata

Metadata

Assignees

Labels

enhancementNew feature or request

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions