Skip to content

feat: add build-tools to SHA digest pinning infrastructure#5986

Merged
lpcox merged 2 commits into
mainfrom
copilot/add-build-tools-to-sha-digest-pinning
Jul 8, 2026
Merged

feat: add build-tools to SHA digest pinning infrastructure#5986
lpcox merged 2 commits into
mainfrom
copilot/add-build-tools-to-sha-digest-pinning

Conversation

Copilot AI commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

build-tools (the sysroot-stage init container for ARC/DinD) was excluded from digest pinning: --image-tag rejected build-tools=sha256:... as an invalid key, and buildSysrootStageService() constructed its image ref directly as a template string, bypassing the pinning helpers entirely.

Changes

  • src/image-tag.ts — add 'build-tools' to IMAGE_DIGEST_KEYS; export ParsedImageTag interface
  • src/services/sysroot-service.ts — replace imageTag: string param with parsedTag: ParsedImageTag in SysrootServiceParams; use buildRuntimeImageRef(registry, 'build-tools', parsedTag) so the @sha256:... suffix is appended when a digest is present; update resolveSysrootImage() similarly so diagnostics reflect the digest
  • src/services/optional-services.ts — pass imageConfig.parsedTag (full object) instead of imageConfig.parsedTag.tag to assembleSysrootService()

After this change, passing --image-tag 0.28.0,build-tools=sha256:<digest> produces:

# sysroot-stage service in generated docker-compose.yml
image: ghcr.io/github/gh-aw-firewall/build-tools:0.28.0@sha256:<digest>

- Add 'build-tools' to IMAGE_DIGEST_KEYS in src/image-tag.ts so that
  build-tools=sha256:<digest> is accepted as a valid key in --image-tag
- Export ParsedImageTag interface from src/image-tag.ts
- Refactor buildSysrootStageService() in src/services/sysroot-service.ts
  to accept ParsedImageTag instead of a raw imageTag string, and use
  buildRuntimeImageRef() so the @sha256:... suffix is appended when a
  digest is present
- Update resolveSysrootImage() to parse imageTag via parseImageTag() and
  use buildRuntimeImageRef() so diagnostics also reflect the digest
- Update assembleSysrootService() in optional-services.ts to pass the
  full parsedTag object instead of parsedTag.tag
- Update tests in image-tag.test.ts and sysroot-service.test.ts to
  cover the new key and digest-pinning behaviour

Closes #5985
Copilot AI changed the title [WIP] Add build-tools to SHA digest pinning infrastructure feat: add build-tools to SHA digest pinning infrastructure Jul 7, 2026
Copilot finished work on behalf of lpcox July 7, 2026 14:02
Copilot AI requested a review from lpcox July 7, 2026 14:02
@lpcox lpcox marked this pull request as ready for review July 7, 2026 14:03
Copilot AI review requested due to automatic review settings July 7, 2026 14:03

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR integrates the build-tools image (used by the ARC/DinD sysroot-stage init container) into the existing --image-tag digest pinning infrastructure, so build-tools=sha256:... is accepted and the generated image reference correctly appends @sha256:... when provided.

Changes:

  • Extend --image-tag parsing/validation to recognize build-tools as a supported digest key and export the parsed tag type.
  • Route sysroot-stage image resolution through buildRuntimeImageRef(...) so digest suffixes are applied consistently (and diagnostics reflect the pinned digest).
  • Update optional service assembly and unit tests to pass and validate the full parsed tag object (including digests).
Show a summary per file
File Description
src/image-tag.ts Adds build-tools to supported digest keys and exports ParsedImageTag for downstream typing.
src/image-tag.test.ts Adds coverage for build-tools digest/no-digest image ref construction.
src/services/sysroot-service.ts Switches sysroot-stage image resolution to buildRuntimeImageRef(...) and updates diagnostics to include digests.
src/services/sysroot-service.test.ts Adds/updates tests to verify sysroot image refs include @sha256:... when configured.
src/services/optional-services.ts Passes the full parsed image tag object into sysroot service assembly.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 5/5 changed files
  • Comments generated: 0
  • Review effort level: Low

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

✅ Copilot review passed with no inline comments.

@copilot Add the ready-for-aw label to this PR to trigger agentic CI smoke tests.

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK AOAI (api-key) completed. Copilot AOAI BYOK (api-key) mode operational. 🔓

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Smoke Claude passed

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

🚀 Security Guard has started processing this pull request

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded.

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Build Test Suite completed successfully!

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Smoke Gemini completed. All facets verified. 💎

Smoke test complete. Results: PR Review ✅, Connectivity ✅, File Writing ✅, Bash Tools ✅. Overall: PASS.

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

🔌 Smoke Services — All services reachable! ✅

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

⚠️ Coverage Regression Detected

This PR decreases test coverage. Please add tests to maintain coverage levels.

Overall Coverage

Metric Base PR Delta
Lines 99.00% 99.00% ➡️ +0.00%
Statements 98.95% 98.95% ➡️ +0.00%
Functions 99.72% 99.72% ➡️ +0.00%
Branches 95.44% 95.41% 📉 -0.03%

Coverage comparison generated by scripts/ci/compare-coverage.ts

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Claude Engine Validation

Check Result
API Status ✅ PASS
GH Check ✅ PASS
File Status ✅ PASS

Overall Result: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Smoke Claude for #5986 · 35 AIC · ⊞ 3.3K ·
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Copilot BYOK Direct Mode ✅ PASS

  • ✅ GitHub.com connectivity (HTTP 200)
  • ✅ File write/read test
  • ✅ BYOK inference mode active (COPILOT_API_KEY set)
  • ✅ Running in direct BYOK mode via api-proxy → api.githubcopilot.com

All smoke tests passed.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 BYOK report filed by Smoke Copilot BYOK
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

🔥 Smoke Test: Copilot PAT Auth

Test Result
GitHub.com connectivity ✅ HTTP 200
File write/read ✅ Verified
GitHub MCP ✅ Connected

Overall: PASS | Auth mode: PAT (COPILOT_GITHUB_TOKEN)

cc @lpcox

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 PAT report filed by Smoke Copilot PAT
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Services Connectivity

  • Redis PING: ❌ Network is unreachable
  • PostgreSQL pg_isready: ❌ No response
  • PostgreSQL SELECT 1: ❌ Network is unreachable

Overall: FAILhost.docker.internal (172.17.0.1) is unreachable from this environment. Service containers may not be running or not accessible from this sandbox.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔌 Service connectivity validated by Smoke Services
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Smoke test passed

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Smoke test summary:\n- 5982 chore: upgrade gh-aw to v0.82.3 pre-release and recompile workflows ✅\n- 5971 Update Runner Doctor A15 status to reflect merged ARC/DinD permission-repair fix ✅\n- GitHub reads ✅\n- Playwright title ✅\n- File write ✅\n- Build ✅\nOverall status: PASS

Warning

Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

  • awmgmcpg
  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

🔬 Smoke Test Results

Test Result
GitHub MCP connectivity ⚠️ N/A
GitHub.com HTTP ⚠️ N/A
File write/read ⚠️ N/A

Overall: ⚠️ INDETERMINATE — workflow template variables were not substituted; pre-computed test data unavailable.

CC @lpcox

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Chroot Version Comparison Results

Runtime Host Version Chroot Version Match?
Python Python 3.12.13 Python 3.12.3 ❌ NO
Node.js v24.18.0 v22.23.1 ❌ NO
Go go1.22.12 go1.22.12 ✅ YES

Overall: ❌ Not all tests passed — Python and Node.js versions differ between host and chroot.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Tested by Smoke Chroot
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: API Proxy OpenTelemetry Tracing

Scenario Result Notes
1. Module Loading otel.js loads successfully; exports: startRequestSpan, setTokenAttributes, setBudgetAttributes, endSpan, endSpanError, shutdown, isEnabled
2. Test Suite 59 tests passed, 0 failed across otel.test.js + otel-fanout.test.js
3. Env Var Forwarding api-proxy-env-config.ts forwards GH_AW_OTLP_ENDPOINTS, OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_HEADERS, GITHUB_AW_OTEL_TRACE_ID, GITHUB_AW_OTEL_PARENT_SPAN_ID, OTEL_SERVICE_NAME
4. Token Tracker Integration onUsage callback present in token-tracker-http.js (lines 283/324) — OTEL hook point confirmed
5. OTEL Diagnostics Graceful degradation confirmed — falls back to FileSpanExporter writing /var/log/api-proxy/otel.jsonl when no OTLP endpoint configured

All scenarios passed. OTEL tracing integration is functioning correctly.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

📡 OTel tracing validated by Smoke OTel Tracing
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

@lpcox

  • MCP connectivity: ✅
  • GitHub.com connectivity: ✅
  • File I/O: ✅
  • BYOK inference: ✅

Running direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw)

Overall: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 BYOK (AOAI api-key) report filed by Smoke Copilot BYOK AOAI (api-key)
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

@lpcox

  • PR list validated via pre-fetched data ✅
  • GitHub.com connectivity ✅
  • File write/read ✅
  • BYOK inference ✅
    Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra
    Overall: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🪪 BYOK (AOAI Entra) report filed by Smoke Copilot BYOK AOAI (Entra)
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color 1/1 passed ✅ PASS
Go env 1/1 passed ✅ PASS
Go uuid 1/1 passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx All passed ✅ PASS
Node.js execa All passed ✅ PASS
Node.js p-limit All passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Note (Java): The default ~/.m2 directory was owned by root, preventing Maven from creating a local repository. This was resolved by specifying a custom writable local repository path (-Dmaven.repo.local) and ensuring the proxy settings referenced squid-proxy:3128 for Maven Central access via the AWF Squid proxy.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Build Test Suite for #5986 · 50.5 AIC · ⊞ 6.9K ·
Add label ready-for-aw to run again

@lpcox lpcox merged commit cc32133 into main Jul 8, 2026
90 of 91 checks passed
@lpcox lpcox deleted the copilot/add-build-tools-to-sha-digest-pinning branch July 8, 2026 00:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add build-tools to SHA digest pinning infrastructure

3 participants