Skip to content

fix: ensure chmod runs even when chown fails in rootless permission repair#5766

Merged
lpcox merged 1 commit into
mainfrom
fix/rootless-permission-repair-chmod
Jul 1, 2026
Merged

fix: ensure chmod runs even when chown fails in rootless permission repair#5766
lpcox merged 1 commit into
mainfrom
fix/rootless-permission-repair-chmod

Conversation

@lpcox

@lpcox lpcox commented Jul 1, 2026

Copy link
Copy Markdown
Collaborator

Problem

In rootless Docker, the fixArtifactPermissionsForRootless() function fails to repair file permissions because chown fails due to user namespace UID remapping, and the && operator prevents the subsequent chmod from running.

Root cause: In rootless Docker, UID 1001 inside the container maps to a subordinate UID on the host (not the actual host UID 1001). So chown -R "$TUID:$TGID" /fix either fails outright or produces the wrong ownership. Because the command was joined with &&, the chmod -R a+rwX /fix (which would actually solve the problem) never executed.

This results in:

[WARN] Rootless artifact permission repair failed for /tmp/gh-aw/sandbox/firewall/logs (exit 1)
[WARN] Rootless artifact permission repair failed for /tmp/gh-aw/sandbox/firewall/audit (exit 1)
[WARN] Rootless artifact permission repair failed for /tmp/awf-...-chroot-home (exit 1)
[WARN] Failed to remove chroot home directory after permission repair: EACCES

Fix

Change && to ; so chmod -R a+rwX always runs regardless of whether chown succeeds. Also suppress chown stderr since the failure is expected in rootless mode.

- 'chown -R "$TUID:$TGID" /fix && chmod -R a+rwX /fix'
+ 'chown -R "$TUID:$TGID" /fix 2>/dev/null; chmod -R a+rwX /fix'

The chown still runs first (works in rootful Docker), but chmod always follows as a fallback (sufficient for rootless since world-readable permissions allow the host user to access files regardless of ownership).

Observed in

https://github.com/github/gh-aw/actions/runs/28487107941/job/84435983514#step:35:1

…epair

In rootless Docker, chown to the host user's UID fails because of user
namespace UID remapping — the target UID inside the container maps to a
subordinate UID on the host, not to the actual host UID. Because the
command used &&, the subsequent chmod (which would actually fix the
problem by making files world-readable) never executed.

Change && to ; so chmod -R a+rwX always runs regardless of whether
chown succeeds. Suppress chown stderr to avoid noisy warnings since the
failure is expected in rootless mode.

Observed in: github/gh-aw/actions/runs/28487107941

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 1, 2026 18:55

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes rootless Docker artifact permission repair by ensuring chmod still runs even when chown fails due to UID/GID remapping behavior in user namespaces. This improves cleanup reliability (e.g., deleting the chroot home directory) and avoids leaving behind unreadable/unremovable artifact directories.

Changes:

  • Replace chown ... && chmod ... with chown ...; chmod ... so chmod always executes.
  • Suppress chown stderr (2>/dev/null) to avoid expected noise in rootless scenarios.
Show a summary per file
File Description
src/artifact-permissions.ts Ensures permission repair runs chmod even when chown fails in rootless mode, improving artifact cleanup reliability.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 1/1 changed files
  • Comments generated: 0
  • Review effort level: Low

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

✅ Coverage Check Passed

Overall Coverage

Metric Base PR Delta
Lines 98.65% 98.68% 📈 +0.03%
Statements 98.53% 98.57% 📈 +0.04%
Functions 99.55% 99.55% ➡️ +0.00%
Branches 94.46% 94.46% ➡️ +0.00%
📁 Per-file Coverage Changes (1 files)
File Lines (Before → After) Statements (Before → After)
src/workdir-setup.ts 92.7% → 94.5% (+1.82%) 92.7% → 94.5% (+1.82%)

Coverage comparison generated by scripts/ci/compare-coverage.ts

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Smoke Gemini completed. All facets verified. 💎

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded.

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

🔌 Smoke Services — All services reachable! ✅

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Smoke Claude passed

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Build Test Suite completed successfully!

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

🚀 Security Guard has started processing this pull request

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK AOAI (api-key) completed. Copilot AOAI BYOK (api-key) mode operational. 🔓

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Contribution Check completed successfully!

Contribution guidelines review complete for PR #5766. No important guideline issues found in the provided PR metadata, diff, and CONTRIBUTING.md context; no comment needed.

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Claude Engine Validation

Check Result
API status ✅ PASS
gh check ✅ PASS
File status ✅ PASS

Overall result: PASS

Generated by Smoke Claude for #5766 · 30.2 AIC · ⊞ 3.3K ·
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

🔐 Smoke Test: Copilot PAT Auth — PASS

Test Result
GitHub MCP connectivity
GitHub.com HTTP ✅ 200
File write/read ⚠️ N/A (template vars unsubstituted)

PR: fix: ensure chmod runs even when chown fails in rootless permission repair
Author: @lpcox | Assignees: none
Auth mode: PAT (COPILOT_GITHUB_TOKEN)

🔑 PAT report filed by Smoke Copilot PAT
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Smoke Test Results

  • GitHub MCP Testing: ❌ (Tools not found)
  • GitHub.com Connectivity: ❌ (HTTP 000, SSL Error 35)
  • File Writing Testing: ✅
  • Bash Tool Testing: ✅

Overall Status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Smoke test: PASS

  • fix: sysroot filter should not drop workspace custom mounts ✅
  • fix: filter split-fs-invisible mounts when sysroot-stage is active (arc-dind) ✅
  • Browser title check ✅
  • File write/read ✅
  • Build ✅
    Overall: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex
Add label ready-for-aw to run again

@github-actions github-actions Bot mentioned this pull request Jul 1, 2026
@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

✅ Smoke Test Results (Direct BYOK Mode)

  1. MCP Connectivity: ✅ (2 merged PRs retrieved)
  2. HTTP (github.com): ✅ (HTTP 200)
  3. File Write/Read: ✅ (Created and read test file)
  4. BYOK Inference: ✅ (Running in direct mode via api-proxy)

Mode: Direct BYOK (COPILOT_PROVIDER_API_KEY) → api-proxy → api.githubcopilot.com
Status: PASS

🔑 BYOK report filed by Smoke Copilot BYOK
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

@lpcox

  • GitHub MCP: ✅
  • github.com connectivity: ✅
  • File I/O test: ✅
  • BYOK inference: ✅

Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra

Overall: PASS

🪪 BYOK (AOAI Entra) report filed by Smoke Copilot BYOK AOAI (Entra)
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Chroot Version Comparison Results

Runtime Host Version Chroot Version Match?
Python Python 3.12.13 Python 3.12.3 ❌ NO
Node.js v24.17.0 v22.23.0 ❌ NO
Go go1.22.12 go1.22.12 ✅ YES

Overall: ❌ Not all tests passed — Python and Node.js versions differ between host and chroot environments.

Tested by Smoke Chroot
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

🔍 Smoke Test: API Proxy OpenTelemetry Tracing

Scenario Result Detail
1. Module Loading ✅ Pass otel.js loads cleanly; exports startRequestSpan, setTokenAttributes, setBudgetAttributes, endSpan, endSpanError, shutdown, isEnabled + internals
2. Test Suite ✅ Pass 59 tests, 0 failuresotel.test.js: 39 passed; otel-fanout.test.js: 20 passed
3. Env Var Forwarding ✅ Pass src/services/api-proxy-env-config.ts forwards OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_HEADERS, OTEL_SERVICE_NAME, and variant headers to the api-proxy container
4. Token Tracker Integration ✅ Pass onUsage callback present in token-tracker-http.js (lines 283, 324, 374) — invoked after normalized usage extraction as the OTEL hook point
5. OTEL Diagnostics ✅ Pass 1 span exported to /tmp/gh-aw/otel.jsonl during this run — gh-aw.agent.setup span with traceId 1b733f6fe4a95988c3c1c1d884e9c26d, OTLP endpoint active

All 5 scenarios passed. OTEL tracing integration is working correctly.

📡 OTel tracing validated by Smoke OTel Tracing
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color passed ✅ PASS
Go env passed ✅ PASS
Go uuid passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx All passed ✅ PASS
Node.js execa All passed ✅ PASS
Node.js p-limit All passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for #5766 · 54 AIC · ⊞ 7.8K ·
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Services Connectivity

Check Result
Redis PING (host.docker.internal:6379) ❌ No response
PostgreSQL pg_isready (host.docker.internal:5432) ❌ No response
PostgreSQL SELECT 1 ❌ No response

Overall: FAIL

host.docker.internal resolves to 172.17.0.1 but both ports are unreachable from within the AWF sandbox (agent IP: 172.30.0.20). The AWF iptables rules block database ports (Redis 6379, PostgreSQL 5432) by design.

🔌 Service connectivity validated by Smoke Services
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

fix: ensure chmod runs even when chown fails in rootless permission repair — ✅
refactor: split 309-line generateDockerCompose into focused phases — ✅
GitHub.com connectivity — ✅ | File I/O — ✅ | BYOK inference — ✅
Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw)
@lpcox PASS

🔑 BYOK (AOAI api-key) report filed by Smoke Copilot BYOK AOAI (api-key)
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

🔥 Smoke Test Results — PASS

Test Result
GitHub MCP connectivity
GitHub.com HTTP ✅ 200
File write/read

PR: fix: ensure chmod runs even when chown fails in rootless permission repair
Author: @lpcox

Overall: PASS

📰 BREAKING: Report filed by Smoke Copilot
Add label ready-for-aw to run again

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants