feat: add container.mounts to AWF config file schema #5755

Merged: lpcox merged 3 commits into main from copilot/add-volume-mounts-to-awf-config on Jul 1, 2026

Copilot AI commented Jul 1, 2026

Contributor

The --mount/-v CLI flag had no config-file equivalent, forcing security-sensitive mount specs (e.g., ARC/DinD ro-base + rw-overlay patterns) to be passed as positional CLI arguments rather than through validated stdin config.

Changes

  • docs/awf-config.schema.json + src/awf-config-schema.json — Add container.mounts property: array of strings validated against ^[^:]+:[^:]+(:(ro|rw))?$
  • src/config-file.ts — Add mounts?: string[] to the container interface
  • src/config-mapper.ts — Map container.mounts → mount CLI option (picked up by the existing agent-options.ts array validator)
  • Tests — Schema validation tests for valid/invalid mount entries; mapper round-trip tests

Usage

{
  "container": {
    "mounts": [
      "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro",
      "${RUNNER_TEMP}/gh-aw/home:${RUNNER_TEMP}/gh-aw/home:rw",
      "${RUNNER_TEMP}/gh-aw/sandbox/agent:${RUNNER_TEMP}/gh-aw/sandbox/agent:rw"
    ]
  }
}

CLI precedence is preserved — explicit --mount flags still override config values.

Copilot AI linked an issue Jul 1, 2026 that may be closed by this pull request
Copilot AI changed the title [WIP] Add volumeMounts to AWF config file schema feat: add container.mounts to AWF config file schema Jul 1, 2026
Copilot AI requested a review from lpcox July 1, 2026 18:35
Copilot finished work on behalf of lpcox July 1, 2026 18:35
@lpcox lpcox requested a review from Copilot July 1, 2026 18:56

Copilot AI left a comment

Contributor

Pull request overview

Adds a config-file equivalent for the existing --mount/-v CLI flag by introducing container.mounts in the AWF config schema and wiring it through config parsing/mapping so mount specs can be validated and provided via --config/stdin.

Changes:

  • Extend the AWF JSON Schema (src + docs) with container.mounts (array of strings) and add schema validation tests.
  • Extend the config-file TypeScript interface with container.mounts?: string[].
  • Map container.mounts into the CLI options object as mount, with mapper tests.
Summary per file:

| File | Description |
| --- | --- |
| src/schema.test.ts | Adds schema validation tests for container.mounts. |
| src/config-mapper.ts | Maps container.mounts → CLI option mount. |
| src/config-file.ts | Extends AwfFileConfig.container with mounts?: string[]. |
| src/config-file-mapping.test.ts | Adds tests verifying container.mounts mapping behavior. |
| src/awf-config-schema.json | Introduces container.mounts schema definition (runtime validation source). |
| docs/awf-config.schema.json | Mirrors schema change for external consumers/documentation. |

Review details

  • Files reviewed: 6/6 changed files
  • Comments generated: 2
  • Review effort level: Low

Comment thread src/awf-config-schema.json Outdated
Comment on lines +611 to +617
"mounts": {
"type": "array",
"items": {
"type": "string",
"pattern": "^[^:]+:[^:]+(:(ro|rw))?$"
},
"description": "Custom volume mounts for the agent container. Format: \"host_path:container_path[:ro|rw]\". In chroot mode, container paths are automatically prefixed with /host."
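Review bot: the `pattern` under `items` only excludes colons from each field, so relative host or container paths (for example `relative/path:/container/dst`) pass schema validation even though the `description` presents both fields as paths. Anchor both fields with a leading `/` and state in the `description` that paths must be absolute. A pattern over the whole string also cannot reject `..` segments, so path normalization still has to be checked after parsing.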
Comment thread src/schema.test.ts
Comment on lines +247 to +257
it('accepts valid container.mounts array', () => {
expect(validate({ container: { mounts: ['/tmp/gh-aw:/tmp/gh-aw:ro'] } })).toBe(true);
expect(validate({ container: { mounts: ['/tmp/gh-aw:/tmp/gh-aw:rw', '/data:/data'] } })).toBe(true);
expect(validate({ container: { mounts: [] } })).toBe(true);
});

it('rejects invalid container.mounts entries', () => {
expect(validate({ container: { mounts: ['invalid-no-colon'] } })).toBe(false);
expect(validate({ container: { mounts: ['/src:/dst:invalid-mode'] } })).toBe(false);
expect(validate({ container: { mounts: 'not-an-array' } })).toBe(false);
});
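Review bot: the rejecting test covers a missing colon, an invalid mode and a non-array value, but no case exercises path shape or item type. Add rejections for a relative host path, a relative container path, a spec with a fourth colon-separated field such as `/src:/dst:ro:extra`, and a non-string item such as `mounts: [42]`, paired with the pattern change they depend on, so a later loosening of `pattern` or `items.type` fails the suite.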
@lpcox

lpcox commented Jul 1, 2026

Collaborator

@copilot address review feedback

@lpcox lpcox marked this pull request as ready for review July 1, 2026 19:17

Copilot AI commented Jul 1, 2026

Contributor Author

@copilot address review feedback

Done in the latest commit. Both schema files now use ^/[^:]+:/[^:]+(:(ro|rw))?$ (requires a leading / on both host and container paths), and the schema tests now include cases that reject relative paths (relative/path:/container/dst, /host/src:relative/container, ./relative:/container/dst:ro).

Copilot finished work on behalf of lpcox July 1, 2026 19:19
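
The effect of the pattern change described in the reply above, as an added example that is not code from the PR: it runs both patterns quoted in the thread over constructed mount specs and adds a hypothetical `auditMount` check for properties a whole-string regex does not express. The names `classify`, `auditMount`, `report` and the sample specs are assumptions made for illustration.

```javascript
// Patterns quoted in the PR thread: first revision, then the tightened one.
const ORIGINAL = /^[^:]+:[^:]+(:(ro|rw))?$/;
const TIGHTENED = /^\/[^:]+:\/[^:]+(:(ro|rw))?$/;

// Report which revision of the schema pattern accepts a mount spec.
function classify(spec) {
  return { original: ORIGINAL.test(spec), tightened: TIGHTENED.test(spec) };
}

// Hypothetical follow-up check (not in the PR): list properties of a
// schema-valid spec that a regex over the whole string does not express.
function auditMount(spec) {
  if (!TIGHTENED.test(spec)) return ['rejected by tightened pattern'];
  const [host, container, mode] = spec.split(':');
  const findings = [];
  for (const [label, p] of [['host', host], ['container', container]]) {
    if (p.split('/').includes('..')) findings.push(`${label} path has a ".." segment`);
  }
  if (mode === undefined) findings.push('access mode omitted');
  return findings;
}

// Constructed sample specs. The three relative-path entries are the cases
// named in the reply; the ${RUNNER_TEMP} entry is the literal, unexpanded
// string from the Usage example.
const SAMPLES = [
  '/tmp/gh-aw:/tmp/gh-aw:ro',
  '/data:/data',
  'relative/path:/container/dst',
  '/host/src:relative/container',
  './relative:/container/dst:ro',
  '${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro',
  '/tmp/gh-aw/../../etc:/data:rw',
  '/src:/dst:invalid-mode',
];

// One row per sample: acceptance under each pattern plus audit findings.
function report() {
  return SAMPLES.map((spec) => ({
    spec,
    ...classify(spec),
    findings: auditMount(spec).join('; '),
  }));
}

console.table(report());
```

The unexpanded `${RUNNER_TEMP}` form passes the first pattern and fails the tightened one, so under the tightened schema such values validate only if variable expansion happens before validation; the thread does not say which order AWF uses.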
@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

✅ Copilot review passed with no inline comments.

@copilot Add the ready-for-aw label to this PR to trigger agentic CI smoke tests.

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

Documentation Preview

Documentation build failed for this PR. View logs.

Built from commit 2d9abb9

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

Contribution Check completed successfully!

Contribution guidelines review complete for PR #5755: all applicable CONTRIBUTING.md requirements are satisfied based on the provided PR metadata, diff, and CONTRIBUTING.md context. No comment needed.

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

Build Test Suite completed successfully!

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

🔌 Smoke Services — All services reachable! ✅

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

Smoke Claude passed

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

🚀 Security Guard has started processing this pull request

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

Smoke Gemini completed. All facets verified. 💎

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

✅ Coverage Check Passed

Overall Coverage

| Metric | Base | PR | Delta |
| --- | --- | --- | --- |
| Lines | 98.65% | 98.68% | 📈 +0.03% |
| Statements | 98.53% | 98.57% | 📈 +0.04% |
| Functions | 99.55% | 99.55% | ➡️ +0.00% |
| Branches | 94.46% | 94.46% | ➡️ +0.00% |

📁 Per-file Coverage Changes (1 files)

| File | Lines (Before → After) | Statements (Before → After) |
| --- | --- | --- |
| src/workdir-setup.ts | 92.7% → 94.5% (+1.82%) | 92.7% → 94.5% (+1.82%) |

Coverage comparison generated by scripts/ci/compare-coverage.ts

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

Smoke Test: Claude Engine Validation

Check Result
API status ✅ PASS
GH check ✅ PASS
File status ✅ PASS

Overall result: PASS

Generated by Smoke Claude for #5755 · 52.2 AIC · ⊞ 6.1K ·
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

Smoke Test: Copilot BYOK (Direct) Mode ✅ PASS

Tests:

  • ✅ GitHub MCP: Retrieved merged PRs
  • ✅ GitHub.com: HTTP 200
  • ✅ File Write/Read: Marker created & verified
  • ✅ BYOK Inference: Running in direct mode (COPILOT_PROVIDER_API_KEY via api-proxy → api.githubcopilot.com)

Mode: Direct BYOK (agent → api-proxy sidecar → api.githubcopilot.com)
Author: @Copilot | Assignees: @lpcox, @Copilot

🔑 BYOK report filed by Smoke Copilot BYOK
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

🔬 Smoke Test Results

PR: feat: add container.mounts to AWF config file schema
Author: @Copilot | Assignees: @lpcox @Copilot

Test Status
GitHub MCP connectivity
GitHub.com HTTP connectivity ✅ (200)
File write/read ⚠️ pre-step vars unsubstituted

Overall: PASS

📰 BREAKING: Report filed by Smoke Copilot
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

Smoke Test Results

  1. GitHub MCP Testing: ❌ (Tools not found)
  2. GitHub.com Connectivity: ❌ (SSL error 000)
  3. File Writing Testing: ✅
  4. Bash Tool Testing: ✅

Overall Status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

Smoke Test: PAT Auth — FAIL ❌

Test Result
GitHub MCP connectivity ✅ Listed PRs successfully
GitHub.com HTTP ❌ Pre-step data not substituted
File write/read ❌ Pre-step data not substituted

Overall: FAIL — template variables (steps.smoke-data.outputs.*) were not expanded; pre-computed test data unavailable.

@lpcox @Copilot — Auth mode: PAT (COPILOT_GITHUB_TOKEN)

🔑 PAT report filed by Smoke Copilot PAT
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

🔍 Smoke Test: API Proxy OTEL Tracing

Scenario Result Notes
1. Module Loading otel.js loads and exports 7 public functions: startRequestSpan, setTokenAttributes, setBudgetAttributes, endSpan, endSpanError, shutdown, isEnabled
2. Test Suite otel.test.js — 39 tests across 9 describe blocks (module init, header parsing, span creation, token attrs, budget attrs, span lifecycle, OTLP serialization, exporters, shutdown)
3. Env Var Forwarding src/services/api-proxy-env-config.ts forwards all 5 OTEL vars via pickEnvVars(): GH_AW_OTLP_ENDPOINTS, OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_HEADERS, GITHUB_AW_OTEL_TRACE_ID, GITHUB_AW_OTEL_PARENT_SPAN_ID + OTEL_SERVICE_NAME
4. Token Tracker Integration token-tracker-http.js exposes onUsage callback; proxy-request.js calls otel.startRequestSpan / setTokenAttributes / endSpan / endSpanError
5. OTEL Diagnostics Graceful degradation confirmed: FileSpanExporter fallback writes spans to /var/log/api-proxy/otel.jsonl when no OTLP endpoint is configured

All 5 scenarios pass. OTEL integration is complete and functional.

📡 OTel tracing validated by Smoke OTel Tracing
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

@Copilot @lpcox

  • GitHub MCP: ✅
  • GitHub.com connectivity: ✅
  • File write/read: ✅
  • Direct BYOK inference: ✅

Running in direct BYOK mode via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra.

Overall status: PASS

🪪 BYOK (AOAI Entra) report filed by Smoke Copilot BYOK AOAI (Entra)
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

Chroot Version Comparison Results

| Runtime | Host Version | Chroot Version | Match? |
| --- | --- | --- | --- |
| Python | Python 3.12.13 | Python 3.12.3 | ❌ NO |
| Node.js | v24.18.0 | v22.23.1 | ❌ NO |
| Go | go1.22.12 | go1.22.12 | ✅ YES |

Overall: ❌ Not all tests passed — Python and Node.js versions differ between host and chroot environments.

Tested by Smoke Chroot
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color ok ✅ PASS
Go env ok ✅ PASS
Go uuid ok ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx all passed ✅ PASS
Node.js execa all passed ✅ PASS
Node.js p-limit all passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for #5755 · 44.3 AIC · ⊞ 7.8K ·
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

Smoke Test: GitHub Actions Services Connectivity

Check Result
Redis PING ❌ timeout (no response)
PostgreSQL pg_isready no response
PostgreSQL SELECT 1 ❌ timeout (no response)

Overall: ❌ FAIL - host.docker.internal services unreachable from this environment.

🔌 Service connectivity validated by Smoke Services
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

Merged PR titles:

  • fix: tighten container.mounts schema pattern to require absolute paths
  • feat: add container.mounts to AWF config file schema

Checks:

  • GitHub reads: ✅
  • Browser title: ✅
  • Smoke file: ✅
  • Build: ✅
    Overall: PASS

🔮 The oracle has spoken through Smoke Codex
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw)

fix: ensure chmod runs even when chown fails in rootless permission repair — ✅
refactor: split 309-line generateDockerCompose into focused phases — ✅

GitHub.com connectivity — ✅
File I/O test — ✅
BYOK inference test — ✅

Overall: PASS

cc @lpcox @Copilot

🔑 BYOK (AOAI api-key) report filed by Smoke Copilot BYOK AOAI (api-key)
Add label ready-for-aw to run again

@lpcox lpcox merged commit ecfc288 into main Jul 1, 2026
89 checks passed
@lpcox lpcox deleted the copilot/add-volume-mounts-to-awf-config branch July 1, 2026 20:00
github-actions Bot added a commit that referenced this pull request Jul 2, 2026
Add missing container.mounts CLI mapping entry to awf-config-spec.md.

PR #5755 added container.mounts to the JSON schema, TypeScript types,
and config-file.ts mapping, but the Section 5 CLI mapping table in
docs/awf-config-spec.md was not updated.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
lpcox added a commit that referenced this pull request Jul 2, 2026
* fix: propagate config fields to all layers

Add missing container.mounts CLI mapping entry to awf-config-spec.md.

PR #5755 added container.mounts to the JSON schema, TypeScript types,
and config-file.ts mapping, but the Section 5 CLI mapping table in
docs/awf-config-spec.md was not updated.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Landon Cox <landon.cox@microsoft.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Development

Successfully merging this pull request may close these issues.

Add volumeMounts to AWF config file schema