fix: rootless AWF install uses $HOME/.local and exports $GITHUB_PATH#41310
Conversation
- Retarget AWF_INSTALL_DIR/AWF_LIB_DIR to $HOME/.local/{bin,lib/awf} in
rootless mode so standard GitHub-hosted runners (root-owned /usr/local)
work without pre-chowning or sudo
- Replace the erroring rootless preflight with mkdir+verify so user dirs
are created on demand
- Fix bundle wrapper to use ${AWF_LIB_DIR} instead of hardcoded
/usr/local/lib/awf so the wrapper finds awf-bundle.js in the right place
- Export $GITHUB_PATH after rootless install so the bare awf invocation in
later steps resolves correctly
- Update comment in copilot_engine_installation.go to reflect new behavior
Closes #41309
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
The export PATH line in rootless mode was redundant: GitHub Actions
subsequent steps inherit PATH additions only via $GITHUB_PATH (not shell
exports), and the --version check at the end of the script already uses
the full path ${AWF_INSTALL_DIR}/${AWF_INSTALL_NAME} directly.
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
This PR fixes rootless AWF installation on standard ubuntu-latest runners by moving install targets from root-owned /usr/local/... to user-writable $HOME/.local/... and persisting the install directory via $GITHUB_PATH, ensuring later workflow steps can invoke awf without a full path.
Changes:
- Updates
install_awf_binary.sh --rootlessto install into$HOME/.local/{bin,lib/awf}and to create/validate those directories instead of failing on/usr/localpermissions. - Fixes the bundle wrapper to execute the bundle from
${AWF_LIB_DIR}rather than a hardcoded/usr/local/lib/awf/...path. - Updates the workflow generator comment to reflect the new rootless install behavior and
$GITHUB_PATHusage.
Show a summary per file
| File | Description |
|---|---|
| pkg/workflow/copilot_engine_installation.go | Updates inline documentation for the generated AWF installation step to match new rootless install semantics. |
| actions/setup/sh/install_awf_binary.sh | Implements rootless install path changes, updated preflight behavior, bundle wrapper path fix, and $GITHUB_PATH export. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 2/2 changed files
- Comments generated: 3
|
@copilot run pr-finisher skill |
|
✅ Design Decision Gate 🏗️ completed the design decision gate check. No ADR enforcement needed: PR #41310 does not have the 'implementation' label and has only 3 new lines of code in business logic directories (≤100 threshold). Both enforcement conditions are false. |
|
✅ PR Code Quality Reviewer completed the code quality review. |
|
✅ Test Quality Sentinel completed test quality analysis. |
|
🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅ |
🧪 Test Quality Sentinel Report⏭️ No test files were modified in this PR — analysis skipped.
Verdict
|
…paths Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Done. All three reviewer threads addressed in 8062dec:
Local |
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
Skills-Based Review 🧠
Applied /diagnose and /tdd — approving with minor suggestions.
📋 Key Themes & Highlights
Key Themes
- Unquoted path in generated wrapper (line 184):
${AWF_LIB_DIR}expands unquoted inside the heredoc, so a$HOMEwith spaces would produce a broken wrapper at runtime. Low-probability in practice, but trivially fixable. - Missing regression test: All neighbouring shell scripts have a
_test.shcounterpart;install_awf_binary.shis the only one that doesn't. The rootless dir-override andGITHUB_PATHexport are both unit-testable without network access. - Silent
GITHUB_PATHskip: WhenGITHUB_PATHis unset (local dev / non-GHA), the install quietly drops the PATH update — a one-line informational message would save future debugging.
Positive Highlights
- ✅ Root cause correctly addressed: hardcoded
/usr/localpaths and the overly strict preflight are both fixed in a single, coherent changeset. - ✅
AWF_USER_PREFIXintermediate variable keeps the two user-dir paths DRY without over-engineering. - ✅ Verification step (line 284) correctly uses the full
${AWF_INSTALL_DIR}/...path, so in-step verification works without relying onGITHUB_PATH(which only takes effect in subsequent steps). - ✅ Go comment updated in sync — the call-site documentation accurately reflects the new
--rootlesscontract.
🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · 64.5 AIC · ⌖ 9.08 AIC · ⊞ 6.5K
| maybe_sudo tee "${AWF_INSTALL_DIR}/${AWF_INSTALL_NAME}" > /dev/null <<WRAPPER | ||
| #!/bin/bash | ||
| exec ${node_bin} /usr/local/lib/awf/awf-bundle.js "\$@" | ||
| exec ${node_bin} ${AWF_LIB_DIR}/awf-bundle.js "\$@" |
There was a problem hiding this comment.
[/diagnose] The generated wrapper script has ${AWF_LIB_DIR} unquoted — on a runner where $HOME contains spaces the wrapper will fail at runtime with argument-splitting errors.
💡 Suggested fix
The outer "..." are written literally into the wrapper file (the \$@ is already handled this way), so quoting the path in the heredoc produces a safe generated script:
exec ${node_bin} "${AWF_LIB_DIR}/awf-bundle.js" "\$@"This is a low-probability failure in practice (runner $HOME paths almost never contain spaces), but it costs nothing to guard against.
There was a problem hiding this comment.
Already addressed — 8062dec quotes both "${node_bin}" and "${AWF_LIB_DIR}/awf-bundle.js" in the wrapper heredoc, which is more defensive than the suggested single-quote fix.
| # In rootless mode, install into the user's home directory instead of /usr/local | ||
| # so that standard GitHub-hosted runners (where /usr/local is root-owned) work | ||
| # without requiring any pre-chowning or sudo. | ||
| if [ "$ROOTLESS" = "true" ]; then |
There was a problem hiding this comment.
[/tdd] This is the only script in actions/setup/sh/ that fixes a real regression but has no _test.sh counterpart — every neighbouring script (e.g. sanitize_path_test.sh, configure_gh_for_ghe_test.sh) has one.
💡 What a minimal test file could cover
A install_awf_binary_test.sh using the same pattern as siblings could include:
- Rootless dir override — source the flag-parsing + override block in a subshell, assert
AWF_INSTALL_DIRis$HOME/.local/binandAWF_LIB_DIRis$HOME/.local/lib/awf. - Non-rootless unchanged — assert
AWF_INSTALL_DIRstays/usr/local/binwhen--rootlessis not passed. - GITHUB_PATH export — with a temp file as
GITHUB_PATH, assert the install dir line is written after a rootless install.
These tests would have caught the original regression and will guard against future drift.
There was a problem hiding this comment.
Added install_awf_binary_test.sh in 60f4c4a — covers all three cases suggested: rootless dir override, non-rootless unchanged, GITHUB_PATH export, and the new GITHUB_PATH-unset warning.
| # In rootless mode, add the install dir to PATH for subsequent steps. | ||
| # $GITHUB_PATH is the mechanism for persisting PATH additions across steps in GitHub Actions. | ||
| if [ "$ROOTLESS" = "true" ]; then | ||
| if [ -n "${GITHUB_PATH:-}" ]; then |
There was a problem hiding this comment.
[/diagnose] When GITHUB_PATH is unset (local dev, non-GHA CI), the PATH update silently does nothing — a developer running --rootless locally will have awf in ~/.local/bin with no hint that $PATH needs updating.
💡 Consider a fallback hint
Emitting a message when outside GHA costs nothing and removes a head-scratcher:
if [ -n "${GITHUB_PATH:-}" ]; then
echo "${AWF_INSTALL_DIR}" >> "${GITHUB_PATH}"
else
echo "info: awf installed to ${AWF_INSTALL_DIR} — add it to PATH manually outside GitHub Actions" >&2
fiThere was a problem hiding this comment.
Fixed in 60f4c4a — added an else branch that emits a WARNING to stderr when $GITHUB_PATH is unset so the developer gets an actionable message rather than silent nothing.
There was a problem hiding this comment.
REQUEST_CHANGES — Three open threads from the prior reviewer plus one new issue found here block this merge.
Blocking themes
1. Unquoted paths in the generated wrapper (existing, unfixed — line 185)
${node_bin} and ${AWF_LIB_DIR} are expanded unquoted in the exec line written into the wrapper script. On any system where $HOME contains a space (macOS usernames with spaces, non-standard environments), the wrapper will silently word-split the path and fail at runtime for every awf invocation after install. Fix: quote both in the heredoc body — exec "${node_bin}" "${AWF_LIB_DIR}/awf-bundle.js" "$@".
2. Suppressed mkdir stderr in rootless preflight (existing, unfixed — lines 77–84)
Both preflight checks use mkdir -p ... 2>/dev/null, which silently drops all filesystem-level errors (permission denied, read-only FS, quota exceeded). When mkdir fails the only visible output is the generic error message; the actual OS error is gone. Drop the 2>/dev/null redirects so the raw failure reason appears in CI logs.
3. Silent GITHUB_PATH skip when unset in rootless mode (new — lines 266–269)
See inline comment. The guard [ -n "${GITHUB_PATH:-}" ] silently does nothing when $GITHUB_PATH is absent, leaving awf installed but not on PATH — a deferred, opaque failure in every downstream step.
🔎 Code quality review by PR Code Quality Reviewer · 74 AIC · ⌖ 7.91 AIC · ⊞ 5.2K
| if [ -n "${GITHUB_PATH:-}" ]; then | ||
| echo "${AWF_INSTALL_DIR}" >> "${GITHUB_PATH}" | ||
| fi | ||
| fi |
There was a problem hiding this comment.
Silent success-with-broken-install when GITHUB_PATH is unset: if $GITHUB_PATH is absent (non-Actions environment, misconfigured runner, or future executor that uses a different PATH mechanism), the install completes with exit 0 but awf is unreachable from every subsequent step — producing a cryptic command not found rather than an actionable error here.
💡 Suggested fix
Add a warning (or error) when the guard condition is not met:
if [ "$ROOTLESS" = "true" ]; then
if [ -n "${GITHUB_PATH:-}" ]; then
echo "${AWF_INSTALL_DIR}" >> "${GITHUB_PATH}"
else
echo "WARNING: --rootless install complete but \$GITHUB_PATH is unset; add ${AWF_INSTALL_DIR} to PATH manually" >&2
fi
fiIf rootless mode outside GitHub Actions is not a supported use case, promote the warning to exit 1 so the failure is explicit rather than deferred to a mystery downstream failure.
There was a problem hiding this comment.
Fixed in 60f4c4a — the else warning branch is now in place. Since --rootless outside GitHub Actions is not a tested use case (and $GITHUB_PATH is always set in a real Actions runner), the warning is surfaced as >&2 rather than a hard exit, giving a clear hint without breaking local invocations that may stub the script.
|
@copilot run pr-finisher skill |
|
@copilot review all comments and address unresolved review feedback.
|
|
@copilot refresh this branch from main and rerun checks.
|
|
📰 BREAKING: Smoke Copilot - AOAI (apikey) is now investigating this pull request. Sources say the story is developing... |
|
📰 BREAKING: Smoke Copilot - AOAI (Entra) is now investigating this pull request. Sources say the story is developing... |
|
✅ GitHub MCP Testing Overall Status: FAIL Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "localhost"See Network Configuration for more information.
|
|
Smoke test FAIL
Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "proxy.golang.org"See Network Configuration for more information.
|
Agent Container Tool Check
Result: 12/12 tools available ✅ Overall Status: PASS
|
|
Caution agentic threat detected DetailsThe threat detection engine failed to produce results. Review the workflow run logs for details. Smoke Test: Codex - 28136014851 Warning Firewall blocked 6 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
|
|
Caution agentic threat detected DetailsThe threat detection engine failed to produce results. Review the workflow run logs for details. Comment MemoryNote This comment is managed by comment memory.It stores persistent context for this thread in the code block at the top of this comment. Warning Firewall blocked 6 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
|
|
Smoke tests results: Overall: PASS
|
github-actions
Bot
added
smoke-copilot-aoai-apikey
needs-review
and removed
smoke
labels
|
Caution agentic threat detected DetailsThe threat detection engine failed to produce results. Review the workflow run logs for details. Pull request created: #41321
|
Comment MemoryNote This comment is managed by comment memory.It stores persistent context for this thread in the code block at the top of this comment. Warning Firewall blocked 5 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "accounts.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
|
There was a problem hiding this comment.
Smoke review tooling check complete.
Warning
Firewall blocked 5 domains
The following domains were blocked by the firewall during workflow execution:
accounts.google.comclients2.google.comcontentautofill.googleapis.comsafebrowsingohttpgateway.googleapis.comwww.google.com
To allow these domains, add them to the
network.allowedlist in your workflow frontmatter:
network:
allowed:
- defaults
- "accounts.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
📰 BREAKING: Report filed by Smoke Copilot · 291.6 AIC · ⌖ 12 AIC · ⊞ 19.2K
🤖 Smoke Test: Claude — Run 28136014835Core #1-12: 1✅ 2✅ 3✅ 4✅ 5❌(Tavily no tools) 6✅ 7✅ 8✅ 9✅ 10✅ 11✅ 12✅ Overall: FAIL (Tavily MCP exposes no tools) Warning Firewall blocked 6 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
|
There was a problem hiding this comment.
💥 Automated smoke test review - all systems nominal!
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
accounts.google.comandroid.clients.google.comclients2.google.comcontentautofill.googleapis.comsafebrowsingohttpgateway.googleapis.comwww.google.com
To allow these domains, add them to the
network.allowedlist in your workflow frontmatter:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
💥 [THE END] — Illustrated by Smoke Claude · 110.3 AIC · ⌖ 37.2 AIC · ⊞ 8.7K
| SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" | ||
|
|
||
| TESTS_PASSED=0 | ||
| TESTS_FAILED=0 |
There was a problem hiding this comment.
Nice helper functions — consider also printing a final summary count to make CI failures easier to scan.
| # Test 5: GITHUB_PATH export — install dir is written when GITHUB_PATH is set | ||
| echo "Test 5: AWF_INSTALL_DIR is appended to GITHUB_PATH in rootless mode..." | ||
| FAKE_GITHUB_PATH=$(mktemp) | ||
| bash -c ' |
There was a problem hiding this comment.
Good coverage of the GITHUB_PATH export path. Using mktemp here is the right call for isolation.
|
Caution agentic threat detected DetailsPotential security threats were detected in the agent output. Review the workflow run logs for details. Smoke tests run 28136048826: 1✅ 2✅ 3❌ 4❌ 5✅ 6✅ 8✅ 9❌ 10✅ 11✅ 12❌ 13✅ 14✅ 15✅. Overall: FAIL.
|
install_awf_binary.sh --rootlesshard-coded/usr/local/{bin,lib/awf}as install targets and aborted when those root-owned dirs weren't writable — breaking every network-isolation workflow on standardubuntu-latestrunners.actions/setup/sh/install_awf_binary.sh$HOME/.local/{bin,lib/awf}after flag parsing — always writable, no pre-chown or sudo required:/usr/localand erroring, create the user dirs withmkdir -pand verify they're writable/usr/local/lib/awf/awf-bundle.jspath with${AWF_LIB_DIR}/awf-bundle.js${AWF_INSTALL_DIR}to$GITHUB_PATHso the bareawfinvocation in later steps resolves without full pathpkg/workflow/copilot_engine_installation.gogenerateAWFInstallationStepreflecting that--rootlessnow targets$HOME/.localand exports$GITHUB_PATH✨ PR Review Safe Output Test - Run 28136014835
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
accounts.google.comandroid.clients.google.comclients2.google.comcontentautofill.googleapis.comsafebrowsingohttpgateway.googleapis.comwww.google.comSee Network Configuration for more information.