Skip to content

🩺 Runner Doctor UpdateRunner Doctor update: A15 fixed in PR #5963 (rootless artifact permission repair on ARC/DinD) #5968

Description

@github-actions

Summary


Proposed knowledge-base changes

File: .github/workflows/shared/self-hosted-failure-modes.md

1. Update A15 β€” flip status from Open to Fixed, add #5963 citation

Current A15 Fix column:

**Open β€” fix in progress** (PR github/gh-aw-firewall#5817): workaround β€” run `chmod -R a+rX` inside the squid container before `docker compose down` while it still owns the log volume; or configure squid to write logs as runner UID

Replace with:

**Fixed in PR github/gh-aw-firewall#5963**: `fixArtifactPermissionsForRootless()` now calls `applyHostPathPrefixToVolumes()` so the repair container bind mount is correctly translated for the DinD daemon. Upgrade AWF to the version that includes #5963. Workaround (older AWF): run `chmod -R a+rX` inside the squid container before `docker compose down`.

Current Citations column for A15:

github/gh-aw-firewall#5816

Replace with:

github/gh-aw-firewall#5816, github/gh-aw-firewall#5817, github/gh-aw-firewall#5963

2. Remove A15 from "Known unresolved items"

Remove this line:

- A15 / github/gh-aw-firewall#5816 β€” rootless artifact permission repair on ARC/DinD: `fixArtifactPermissionsForRootless()` does not apply `dockerHostPathPrefix` to repair step bind mount; fix tracked in PR github/gh-aw-firewall#5817

Proposed doctor changes

File: .github/workflows/self-hosted-runner-doctor.md

No changes needed to the playbook itself. The diagnostic step that maps Rootless artifact permission repair failed β†’ A15 remains correct; only the status of A15 changes.


Proposed portable agent changes

File: .github/agents/self-hosted-runner-doctor.md

This file embeds its own copy of the catalog and must be updated to match.

1. Update A15 Fix column

Replace (in the embedded A15 table row):

**Open β€” fix in progress** (PR github/gh-aw-firewall#5817): workaround β€” run `chmod -R a+rX` inside the squid container before `docker compose down` while it still owns the log volume; or configure squid to write logs as runner UID

With:

**Fixed in PR github/gh-aw-firewall#5963**: `fixArtifactPermissionsForRootless()` now calls `applyHostPathPrefixToVolumes()` so the repair container bind mount is correctly translated for the DinD daemon. Upgrade AWF to the version that includes #5963. Workaround (older AWF): run `chmod -R a+rX` inside the squid container before `docker compose down`.

2. Update A15 Citations

Change github/gh-aw-firewall#5816 β†’ github/gh-aw-firewall#5816, github/gh-aw-firewall#5817, github/gh-aw-firewall#5963

3. Remove A15 from "Known unresolved items"

Remove:

- A15 / github/gh-aw-firewall#5816 β€” rootless artifact permission repair on ARC/DinD: `fixArtifactPermissionsForRootless()` does not apply `dockerHostPathPrefix` to repair step bind mount; fix tracked in PR github/gh-aw-firewall#5817

Source issues and PRs

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Runner Doctor Updater Β· 179.1 AIC Β· ⊞ 11.4K Β· β—·

  • expires on Aug 5, 2026, 7:34 PM UTC

Metadata

Metadata

Assignees

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions