fix: propagate runner config fields to all layers #5716

Merged
lpcox merged 3 commits into main from fix/runner-config-spec-propagation-573d8e8ac479cce2
Jun 30, 2026

@github-actions

Config Consistency Fixes

Automated audit of PRs merged in the last 7 days found that runner.topology and runner.sysrootImage — introduced in PRs #5696 and #5697 — were not propagated to the spec documentation.

From PR #5696 — "build(docker): add build-tools sysroot image and runner.topology config for arc-dind"

From PR #5697 — "Add ARC-DinD runner topology with sysroot-stage build-tools image"

| Field | Layer | Status Before | Fix Applied |
| --- | --- | --- | --- |
| runner (top-level object) | Section 4 Data Model table in docs/awf-config-spec.md | ❌ Missing | ✅ Added row |
| runner.topology | Section 5 CLI Mapping in docs/awf-config-spec.md | ❌ Missing | ✅ Added entry (config-only) |
| runner.sysrootImage | Section 5 CLI Mapping in docs/awf-config-spec.md | ❌ Missing | ✅ Added entry (config-only) |

Layers already correctly populated (no action needed)

| Layer | Status |
| --- | --- |
| src/awf-config-schema.json | ✅ Present |
| docs/awf-config.schema.json | ✅ Present (identical to src schema) |
| src/types/runner-options.ts | RunnerOptions interface with both fields |
| src/types/wrapper-config.ts | & RunnerOptions included |
| src/config-file.ts | runner? block with topology and sysrootImage |
| src/config-mapper.ts | runner.topology → runnerTopology, runner.sysrootImage → sysrootImage |

Security classification

Both fields are non-sensitive (topology name string, container image reference) — correctly placed in the stdin config mapping, not env vars.

Verification

  • TypeScript compiles (tsc --noEmit)
  • Config-file-mapping tests pass (npm test -- config-file-mapping)
  • Schema validation tests pass (npm test -- schema.test)

Generated by Config Consistency Auditor · 79 AIC · ⊞ 6.6K ·
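
An added example (not the project's auditor and not code from this PR) of the kind of drift check the audit above reports: flatten a JSON Schema into dotted field paths and list those the spec document never names. The schema object, both spec excerpts, and the function names `schemaPaths`, `documentedPaths` and `missingFromSpec` are constructed for illustration.

```javascript
// Constructed schema excerpt (assumption: not the real src/awf-config-schema.json).
const schema = {
  type: "object",
  properties: {
    platform: { type: "object", properties: { type: { type: "string" } } },
    runner: {
      type: "object",
      properties: {
        topology: { type: "string", enum: ["standard", "arc-dind"] },
        sysrootImage: { type: "string" },
      },
    },
  },
};

// Constructed spec excerpt in the state the audit found: no runner entries.
const specBefore = [
  "| `platform` | object | Platform settings |",
  "- `platform.type` → *(config-only; maps to `AWF_PLATFORM_TYPE`)*",
].join("\n");

// The same excerpt after the fix: data-model row plus two mapping entries.
const specAfter = [
  specBefore,
  "| `runner` | object | Runner settings |",
  "- `runner.topology` → *(config-only)*",
  "- `runner.sysrootImage` → *(config-only)*",
].join("\n");

// Flatten a JSON Schema "properties" tree into dotted paths (objects and leaves).
function schemaPaths(node, prefix = "") {
  const out = [];
  for (const [key, child] of Object.entries(node.properties || {})) {
    const path = prefix ? `${prefix}.${key}` : key;
    out.push(path, ...schemaPaths(child, path));
  }
  return out;
}

// A path counts as documented only as an exact backticked token, so a
// `runner.topology` entry does not also satisfy the top-level `runner` row.
function documentedPaths(markdown) {
  return new Set([...markdown.matchAll(/`([^`]+)`/g)].map((m) => m[1]));
}

// Schema paths that the spec text never mentions.
function missingFromSpec(schemaObj, markdown) {
  const documented = documentedPaths(markdown);
  return schemaPaths(schemaObj).filter((p) => !documented.has(p));
}

console.log(missingFromSpec(schema, specBefore)); // the three runner paths
console.log(missingFromSpec(schema, specAfter));  // []
```

Run as a CI step, a non-empty result can fail the build so a new config field cannot ship without its spec entry.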

Add missing `runner` section to the Section 4 Data Model table and
add Section 5 CLI Mapping entries for `runner.topology` and
`runner.sysrootImage` in docs/awf-config-spec.md.

These fields were introduced in PRs #5696 and #5697 and correctly
propagated to src/awf-config-schema.json, docs/awf-config.schema.json,
src/types/runner-options.ts, src/types/wrapper-config.ts,
src/config-file.ts, and src/config-mapper.ts — but the spec doc was
not updated.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@lpcox lpcox marked this pull request as ready for review June 30, 2026 13:40
Copilot AI review requested due to automatic review settings June 30, 2026 13:40

Copilot AI left a comment

Pull request overview

Updates the AWF config spec documentation to reflect newly introduced runner configuration fields (runner.topology, runner.sysrootImage) so the spec matches the schema/types/mapping layers already in the codebase.

Changes:

  • Adds runner as a top-level config object in the data model table.
  • Adds config-only CLI-mapping entries for runner.topology and runner.sysrootImage in the normative mapping section.
Show a summary per file
| File | Description |
| --- | --- |
| docs/awf-config-spec.md | Documents the runner config object and its config-only mapping entries so the written spec includes the runner topology/sysroot fields. |

Review details

  • Files reviewed: 1/1 changed files
  • Comments generated: 2
  • Review effort level: Low

Comment thread docs/awf-config-spec.md Outdated
- `rateLimiting.bytesPerMinute` → `--rate-limit-bytes-pm`
- `platform.type` → *(config-only; maps to `AWF_PLATFORM_TYPE`)*
- `runner.topology` → *(config-only; sets runner deployment model — `standard` or `arc-dind`; activates sysroot staging, network isolation defaults, and tool cache validation when `arc-dind`)*
- `runner.sysrootImage` → *(config-only; sysroot init-container image for `arc-dind` topology; defaults to `ghcr.io/github/gh-aw-firewall/build-tools:<imageTag>`)*
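Review bot: the default given for `runner.sysrootImage` on the last line hardcodes the registry as `ghcr.io/github/gh-aw-firewall/build-tools:<imageTag>`, while the follow-up later in this thread states the default is `<container.imageRegistry>/build-tools:<container.imageTag>`, with `container.imageRegistry` falling back to `ghcr.io/github/gh-aw-firewall` only when not overridden. State the default in terms of those two config keys so the spec does not imply the init-container image always comes from ghcr.io. The `runner.topology` entry lists `standard` and `arc-dind` but does not say which is the default or how any other value is handled; adding that would make the entry complete.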
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@lpcox

lpcox commented Jun 30, 2026

@copilot address review feedback

@github-actions

✅ Copilot review passed with no inline comments.

@github-actions[bot] Add the ready-for-aw label to this PR to trigger agentic CI smoke tests.

@github-actions

github-actions Bot commented Jun 30, 2026

Documentation Preview

Documentation build failed for this PR. View logs.

Built from commit 3e86621

Copilot AI commented Jun 30, 2026

@copilot address review feedback

Fixed in the latest commit. Updated the runner.sysrootImage description to reflect that it defaults to <container.imageRegistry>/build-tools:<container.imageTag>, noting that container.imageRegistry defaults to ghcr.io/github/gh-aw-firewall when not overridden.

@github-actions

github-actions Bot commented Jun 30, 2026

🔌 Smoke Services — All services reachable! ✅

@github-actions

github-actions Bot commented Jun 30, 2026

Smoke Claude passed

Copilot finished work on behalf of lpcox June 30, 2026 13:56
Copilot AI requested a review from lpcox June 30, 2026 13:56
@github-actions

github-actions Bot commented Jun 30, 2026

📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅

@github-actions

github-actions Bot commented Jun 30, 2026

Smoke Gemini completed. All facets verified. 💎

Gemini Smoke Test Complete

@github-actions

github-actions Bot commented Jun 30, 2026

Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓

@github-actions

github-actions Bot commented Jun 30, 2026

🔑 Smoke Copilot PAT reports failed. PAT auth path may have issues...

@github-actions

github-actions Bot commented Jun 30, 2026

Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded.

@github-actions

github-actions Bot commented Jun 30, 2026

Smoke Copilot BYOK AOAI (api-key) completed. Copilot AOAI BYOK (api-key) mode operational. 🔓

@github-actions

🚀 Security Guard has started processing this pull request

@github-actions

github-actions Bot commented Jun 30, 2026

Contribution Check completed successfully!

Contribution guidelines review complete for PR #5716: all applicable CONTRIBUTING.md requirements are satisfied; no comment needed.

@github-actions

github-actions Bot commented Jun 30, 2026

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

github-actions Bot commented Jun 30, 2026

Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓

@github-actions

github-actions Bot commented Jun 30, 2026

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions

github-actions Bot commented Jun 30, 2026

Build Test Suite completed successfully!

@github-actions

Smoke Test: Claude Engine Validation

| Check | Status |
| --- | --- |
| API | ✅ PASS |
| GH | ✅ PASS |
| File | ✅ PASS |

Overall result: PASS

Generated by Smoke Claude for #5716 · 30.9 AIC · ⊞ 3.3K ·
Add label ready-for-aw to run again

@github-actions

🔒 Smoke Test: Copilot BYOK (Direct) Mode — PASS ✅

  • ✅ GitHub MCP connectivity verified
  • ✅ GitHub.com connectivity verified (HTTP 200)
  • ✅ File write/read test passed
  • ✅ BYOK inference path working (agent → api-proxy sidecar → api.githubcopilot.com)

Mode: Direct BYOK mode (COPILOT_PROVIDER_API_KEY) via api-proxy → api.githubcopilot.com

Overall: PASS ✅

🔑 BYOK report filed by Smoke Copilot BYOK
Add label ready-for-aw to run again

@github-actions

🤖 Copilot Smoke Test Results

PR: fix: propagate runner config fields to all layers
Author: @github-actions[bot] | Reviewer: @lpcox

| Test | Result |
| --- | --- |
| GitHub MCP connectivity | ✅ PASS |
| GitHub.com HTTP | ⚠️ Pre-step data unavailable |
| File write/read | ⚠️ Pre-step data unavailable |

Overall: ⚠️ INCONCLUSIVE — MCP passed; pre-computed step outputs were not injected (template vars unresolved).

📰 BREAKING: Report filed by Smoke Copilot
Add label ready-for-aw to run again

@github-actions

Smoke Test Results:

  • MCP PR list: ✅
  • GitHub.com connectivity: ✅
  • File write/read: ✅
  • BYOK inference: ✅

Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra

Overall: PASS
@lpcox

🪪 BYOK (AOAI Entra) report filed by Smoke Copilot BYOK AOAI (Entra)
Add label ready-for-aw to run again

@github-actions

🔥 Smoke Test: API Proxy OpenTelemetry Tracing

| Scenario | Result | Notes |
| --- | --- | --- |
| 1. Module Loading | ✅ Pass | otel.js loads cleanly; exports 14 symbols (startRequestSpan, setTokenAttributes, setBudgetAttributes, endSpan, endSpanError, shutdown, isEnabled, + internal helpers); isEnabled() → true |
| 2. Test Suite | ✅ Pass | 59 tests / 0 failures across 2 suites (otel.test.js, otel-fanout.test.js) — spans, token attrs, budget attrs, exporters, serialization, shutdown all covered |
| 3. Env Var Forwarding | ✅ Pass | src/services/api-proxy-env-config.ts forwards GH_AW_OTLP_ENDPOINTS, OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_HEADERS, GITHUB_AW_OTEL_TRACE_ID, GITHUB_AW_OTEL_PARENT_SPAN_ID, OTEL_SERVICE_NAME into the api-proxy container |
| 4. Token Tracker Integration | ✅ Pass | onUsage callback present in token-tracker-http.js (line 324) — invoked after normalized usage extracted; wires token data onto OTEL span via setTokenAttributes |
| 5. OTEL Diagnostics | ✅ Pass | No active container in this environment (expected for PR smoke); fallback mode writes spans to /var/log/api-proxy/otel.jsonl when no OTLP endpoint is configured — graceful degradation confirmed |

All 5 scenarios pass. OTEL tracing integration is healthy.

📡 OTel tracing validated by Smoke OTel Tracing
Add label ready-for-aw to run again

@github-actions

Merged PRs:

  • fix: update test assertions for gh-aw-actions v0.82.0 and github-mcp-server v1.5.0
  • chore: upgrade gh-aw extension to latest pre-release (v0.82.0)

PR query:

  • fix: pass host-gateway IP to iptables-init container for NAT bypass
  • docs: sync schemas and specs with source changes

Checks:

  • PR reads: ❌
  • GitHub page title: ✅
  • Smoke file write/read: ✅
  • Discussion lookup: ✅
  • Build: ❌

Overall status: FAIL

🔮 The oracle has spoken through Smoke Codex
Add label ready-for-aw to run again

@github-actions

🔬 Chroot Version Comparison Results

| Runtime | Host Version | Chroot Version | Match? |
| --- | --- | --- | --- |
| Python | Python 3.12.13 | Python 3.12.3 | ❌ NO |
| Node.js | v24.17.0 | v22.23.0 | ❌ NO |
| Go | go1.22.12 | go1.22.12 | ✅ YES |

Overall: ❌ Not all tests passed — Python and Node.js versions differ between host and chroot environments.

Tested by Smoke Chroot
Add label ready-for-aw to run again

@github-actions

Smoke Test: GitHub Actions Services Connectivity

| Check | Result |
| --- | --- |
| Redis PING | ❌ Timeout (no response on port 6379) |
| PostgreSQL pg_isready | ❌ No response on port 5432 |
| PostgreSQL SELECT 1 | ❌ Skipped (pg_isready failed) |

Overall: FAIL. host.docker.internal is not reachable from this runner environment. Service containers appear to not be running or are not accessible.

🔌 Service connectivity validated by Smoke Services
Add label ready-for-aw to run again

@github-actions

Gemini Engine Smoke Test Results

GitHub MCP Testing

- fix: update test assertions for gh-aw-actions v0.82.0 and github-mcp-server v1.5.0
- chore: upgrade gh-aw extension to latest pre-release (v0.82.0)

Test Results

1. GitHub MCP: ✅
2. GitHub Connectivity: ✅
3. File Writing: ✅
4. Bash Tool Testing: ✅

Overall status: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini
Add label ready-for-aw to run again

@github-actions

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color passed ✅ PASS
Go env passed ✅ PASS
Go uuid passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx passed ✅ PASS
Node.js execa passed ✅ PASS
Node.js p-limit passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for #5716 · 53.1 AIC · ⊞ 7.8K ·
Add label ready-for-aw to run again

@github-actions

@lpcox
fix: pass host-gateway IP to iptables-init container for NAT bypass: ✅
docs: sync schemas and specs with source changes: ✅
GitHub MCP connectivity: ✅
GitHub.com connectivity: ✅
File I/O test: ✅
BYOK inference: ✅
Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw)
Overall: PASS

🔑 BYOK (AOAI api-key) report filed by Smoke Copilot BYOK AOAI (api-key)
Add label ready-for-aw to run again

@lpcox lpcox merged commit 0f0aa81 into main Jun 30, 2026
80 of 81 checks passed
@lpcox lpcox deleted the fix/runner-config-spec-propagation-573d8e8ac479cce2 branch June 30, 2026 15:05