fix(arc-dind): mount workspace correctly and unify artifact roots #43222

Merged
lpcox merged 2 commits into main from fix/arc-dind-workspace-mount
Jul 3, 2026

@lpcox lpcox commented Jul 3, 2026

Collaborator

Summary

Fixes two ARC/DinD runtime bugs (gh-aw#34896) that caused the agent to see an empty workspace and artifact downloads to fail.

Changes

Bug A — Empty workspace (dockerHostPathPrefix removed)

BuildAWFConfigJSON previously set container.DockerHostPathPrefix = awfArcDindRootPathExpr for the arc-dind topology so the DinD daemon could resolve runner paths. With the sysroot-stage now active, the Docker daemon accesses the workspace through the shared work volume (/home/runner/_work/), system binaries through the sysroot named volume, and kernel VFS from the daemon's own kernel. Setting the prefix incorrectly translated the workspace bind-mount source (e.g. /prefix/home/runner/_work/repo) to a non-existent path, causing the agent to see an empty workspace.

pkg/workflow/awf_config.go — removes the dockerHostPathPrefix assignment for arc-dind; updated comment explains why it must remain unset.

pkg/workflow/awf_config_test.go — test updated to assert dockerHostPathPrefix is absent from the generated config JSON.

Bug B — Broken artifact downloads (unified artifact root)

On ARC/DinD, agent output files (agent_output.json, safe_outputs.ndjson, aw-prompts/, patches, MCP logs) are written to /tmp/gh-aw/ during execution, but firewall logs land under ${{ runner.temp }}/gh-aw/. When both roots were passed to upload-artifact, it computed / as the common ancestor and created a nested directory layout that broke downstream artifact downloads.

pkg/workflow/arc_dind_artifacts.go (new file) — adds two helpers:

  • rewriteTmpGhAwPathsForArcDind(paths): rewrites /tmp/gh-aw/... artifact paths to ${{ runner.temp }}/gh-aw/... so upload-artifact sees a single root.
  • (*Compiler).generateArcDindArtifactConsolidationStep: emits a Consolidate artifacts for ARC/DinD workflow step (if: always()) that copies files from /tmp/gh-aw/ into ${RUNNER_TEMP}/gh-aw/ using cp -a --no-clobber (with fallback), merging agent outputs with firewall logs before upload.

pkg/workflow/compiler_yaml_main_job.go — integrates both helpers:

  • collectArtifactPaths: calls rewriteTmpGhAwPathsForArcDind on collected paths when the topology is arc-dind.
  • generatePostAgentCollectionAndUpload: emits the consolidation step before the artifact upload step when the topology is arc-dind.

pkg/workflow/arc_dind_artifacts_test.go (new file) — unit tests for rewriteTmpGhAwPathsForArcDind covering prefix rewrite, passthrough for existing runner.temp paths, and passthrough for unrelated paths.

Affected topology

arc-dind only. Standard hosted-runner and ARC non-DinD topologies are unaffected.

Testing

  • Unit tests added for rewriteTmpGhAwPathsForArcDind (3 subtests).
  • Existing BuildAWFConfigJSON test updated to assert absence of dockerHostPathPrefix.

Generated by PR Description Updater for #43222 · 58.7 AIC · ⌖ 6.94 AIC · ⊞ 4.7K ·
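
The common-ancestor problem and the single-root rewrite described under Bug B, as an added Go example (not the code from this PR). The function names, the sample runner temp directory and the firewall log file name are constructed for illustration; the layout rule modelled is the common-ancestor behaviour the description attributes to upload-artifact.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

const tmpRoot = "/tmp/gh-aw/"                 // agent output root named in the PR description
const sampleTemp = "/home/runner/_work/_temp" // constructed stand-in for runner.temp

// commonAncestor returns the deepest directory holding every (absolute) path.
func commonAncestor(paths []string) string {
	var prefix []string
	for i, p := range paths {
		segs, n := strings.Split(path.Dir(p), "/"), 0
		if i == 0 {
			prefix = segs
		}
		for n < len(prefix) && n < len(segs) && prefix[n] == segs[n] {
			n++
		}
		prefix = prefix[:n]
	}
	return path.Clean("/" + strings.Join(prefix, "/"))
}

// rewriteToSingleRoot maps /tmp/gh-aw/... onto <runnerTemp>/gh-aw/...; other paths pass through.
func rewriteToSingleRoot(paths []string, runnerTemp string) []string {
	out := make([]string, 0, len(paths))
	for _, p := range paths {
		if strings.HasPrefix(p, tmpRoot) { // trailing slash: a sibling like /tmp/gh-aw-x does not match
			p = runnerTemp + "/gh-aw/" + strings.TrimPrefix(p, tmpRoot)
		}
		out = append(out, p)
	}
	return out
}

// artifactLayout names each file relative to the common ancestor, as an uploader would.
func artifactLayout(paths []string) []string {
	root := strings.TrimSuffix(commonAncestor(paths), "/") + "/"
	out := make([]string, len(paths))
	for i, p := range paths {
		out[i] = strings.TrimPrefix(p, root)
	}
	return out
}

func main() {
	mixed := []string{tmpRoot + "agent_output.json", sampleTemp + "/gh-aw/firewall/access.log"}
	fmt.Println(commonAncestor(mixed), artifactLayout(mixed))
	fixed := rewriteToSingleRoot(mixed, sampleTemp)
	fmt.Println(commonAncestor(fixed), artifactLayout(fixed))
}
```

With the two roots mixed, every file lands under `tmp/gh-aw/...` or `home/runner/...` inside the artifact; after the rewrite, `agent_output.json` sits at the artifact root where a downstream job expects it.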

Bug A: The agent sees an empty workspace because dockerHostPathPrefix
translates the workspace mount source to a non-existent path. With
sysroot-stage active, the Docker daemon can see all needed paths via:
  - Shared work volume (/home/runner/_work/) for workspace & RUNNER_TEMP
  - Sysroot named volume for system binaries
  - Kernel VFS for /dev, /sys
Remove dockerHostPathPrefix from the AWF config — it's unnecessary and
harmful when sysroot provides all system paths.

Bug B: The agent artifact upload spans two path roots (/tmp/gh-aw/ and
${{ runner.temp }}/gh-aw/), causing upload-artifact to compute '/' as
the common ancestor. This creates a nested directory layout that breaks
downstream artifact downloads (detection job can't find agent_output.json).
Fix by:
  1. Rewriting all /tmp/gh-aw/ artifact paths to ${{ runner.temp }}/gh-aw/
  2. Adding a consolidation step that copies /tmp/gh-aw/ contents to the
     runner.temp location before upload

Fixes: gh-aw#34896
Copilot AI review requested due to automatic review settings July 3, 2026 15:33

Copilot AI left a comment

Contributor

Pull request overview

This pull request fixes ARC/DinD runtime issues by (1) stopping emission of dockerHostPathPrefix in the AWF config (avoids translating the workspace mount source to a non-existent host path), and (2) unifying agent artifact roots by rewriting /tmp/gh-aw/... artifact paths to ${{ runner.temp }}/gh-aw/... and adding a consolidation step prior to upload.

Changes:

  • Removed dockerHostPathPrefix emission for ARC/DinD AWF config generation, and updated the corresponding unit test.
  • Added ARC/DinD artifact-path rewriting (/tmp/gh-aw/... → ${{ runner.temp }}/gh-aw/...) to ensure a single artifact root.
  • Added an ARC/DinD consolidation step to copy /tmp/gh-aw/ contents into ${RUNNER_TEMP}/gh-aw/ before unified artifact upload, plus unit tests for the rewrite helper.

Show a summary per file

| File | Description |
| --- | --- |
| pkg/workflow/compiler_yaml_main_job.go | Rewrites ARC/DinD artifact paths to a single root and emits a consolidation step before the unified upload. |
| pkg/workflow/awf_config.go | Stops emitting dockerHostPathPrefix for ARC/DinD to prevent empty-workspace behavior. |
| pkg/workflow/awf_config_test.go | Updates ARC/DinD test expectation to assert dockerHostPathPrefix is not present. |
| pkg/workflow/arc_dind_artifacts.go | Introduces ARC/DinD artifact path rewrite helper and YAML emission for consolidation step. |
| pkg/workflow/arc_dind_artifacts_test.go | Adds unit tests validating ARC/DinD path rewrite behavior. |

Review details

  • Files reviewed: 5/5 changed files
  • Comments generated: 1
  • Review effort level: Low

Comment thread pkg/workflow/arc_dind_artifacts.go
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
github-actions Bot commented Jul 3, 2026

Contributor

🚀 Smoke Gemini MISSION COMPLETE! Gemini has spoken. ✨

github-actions Bot commented Jul 3, 2026

Contributor

✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready.

github-actions Bot commented Jul 3, 2026

Contributor

🎬 THE END Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

github-actions Bot commented Jul 3, 2026

Contributor

🌑 The shadows whisper... Smoke Codex failed to deliver outputs. The oracle requires further meditation...

github-actions Bot commented Jul 3, 2026

Contributor

🚀 Smoke Antigravity MISSION COMPLETE! Antigravity has spoken. ✨

github-actions Bot commented Jul 3, 2026

Contributor

🚀 Smoke Pi MISSION COMPLETE! Pi delivered. 🥧

Smoke test completed; created issue summary. PR comment/label skipped because workflow lacks triggering PR context for safeoutputs despite pull-request-number metadata.

github-actions Bot commented Jul 3, 2026

Contributor

📰 BREAKING: Smoke Copilot - AOAI (Entra) is now investigating this pull request. Sources say the story is developing...

github-actions Bot commented Jul 3, 2026

Contributor

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

github-actions Bot commented Jul 3, 2026

Contributor

📰 BREAKING: Smoke Copilot - AOAI (apikey) is now investigating this pull request. Sources say the story is developing...

github-actions Bot commented Jul 3, 2026

Contributor

Agent Container Tool Check

Tool Status Version
bash 5.2.21
sh available
git 2.54.0
jq 1.7
yq 4.53.3
curl 8.5.0
gh 2.95.0
node 22.23.1
python3 3.11.15
go 1.24.13
java 21.0.11
dotnet 10.0.301

Result: 12/12 tools available ✅

Overall Status: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔧 Tool validation by Agent Container Smoke Test · 10.9 AIC · ⌖ 5.89 AIC · ⊞ 4.7K ·
Comment /smoke-test-tools to run again

github-actions Bot commented Jul 3, 2026

Contributor

Smoke Test Results

  • GitHub MCP Testing: ✅
  • Web Fetch Testing: ✅
  • File Writing Testing: ✅
  • Bash Tool Testing: ✅
  • Build gh-aw: ❌

Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

Smoke Gemini — Powered by Gemini ·
Comment /smoke-gemini to run again

github-actions Bot commented Jul 3, 2026

Contributor

Caution

agentic threat detected
Threat detection flagged this output in warn mode. Manual review is REQUIRED before any follow-up automation.

Details

The threat detection engine failed to produce results.

Review the workflow run logs for details.

Pull request created: #43228

Generated by Changeset Generator · 2.4 AIC · ⊞ 13.8K

github-actions Bot commented Jul 3, 2026

Contributor

Comment Memory

Smoke test hums clean
GitHub page and build report
Quiet tools align

Note

This comment is managed by comment memory.

It stores persistent context for this thread in the code block at the top of this comment.
Edit only the text inside the backtick fences; workflow metadata and the footer are regenerated automatically.

Learn more about comment memory

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

  • accounts.google.com
  • android.clients.google.com
  • clients2.google.com
  • contentautofill.googleapis.com
  • safebrowsingohttpgateway.googleapis.com
  • www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex · 3.59 AIC · ⌖ 5.23 AIC · ⊞ 12.7K ·
Comment /smoke-codex to run again

github-actions Bot commented Jul 3, 2026

Contributor

Smoke test results for PR 43222:

  1. Github PR review: ❌
  2. mcpscripts-gh PR list: ❌
  3. Serena find_symbol: ❌
  4. Playwright navigation & screenshot: ❌
  5. Web fetch: ❌
  6. File creation & read: ✅
  7. Discussion interaction: ❌
  8. Build: ❌
  9. Artifact upload: ❌
  10. Discussion create: ❌
  11. Workflow dispatch: ❌
  12. PR review tools: ❌
  13. Comment memory: ❌
  14. Sub-agent file-summarizer: ❌
  15. Check run creation: ❌

Overall Status: FAIL

📰 BREAKING: Report filed by Smoke Copilot - AOAI (apikey) · 11.6 AIC · ⌖ 3.08 AIC · ⊞ 17.9K ·
Comment /smoke-copilot-aoai-apikey to run again
Add label smoke to run again

github-actions Bot left a comment

Contributor

💥 Automated smoke test review - all systems nominal!

💥 [THE END] — Illustrated by Smoke Claude · 94.2 AIC · ⌖ 31.4 AIC · ⊞ 8.7K
Comment /smoke-claude to run again

// artifact upload. This prevents upload-artifact from computing "/" as the common
// ancestor (which happens when paths span both /tmp/gh-aw/ and the runner.temp tree),
// causing a nested directory layout that breaks downstream artifact downloads.
func rewriteTmpGhAwPathsForArcDind(paths []string) []string {
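
Review bot: The doc comment above rewriteTmpGhAwPathsForArcDind does not state the matching rule or the mutation contract. Say explicitly that only paths under the /tmp/gh-aw/ prefix (trailing slash included) are rewritten, so a sibling directory that merely starts with /tmp/gh-aw is left alone, and that the function returns a new slice rather than editing `paths` in place, which is what the `[]string` to `[]string` signature suggests.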

Contributor

Nice helper — the doc comment clearly explains why the single-root rewrite is needed. Consider a table-driven test for edge cases like empty input.

yaml.WriteString(" if: always()\n")
yaml.WriteString(" shell: bash\n")
yaml.WriteString(" run: |\n")
// Use rsync-like cp to merge /tmp/gh-aw/ into ${RUNNER_TEMP}/gh-aw/ without
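
Review bot: Because the step is emitted with `if: always()`, it also runs when the agent step failed before writing anything, so the `run:` script should tolerate a missing or empty /tmp/gh-aw/ instead of turning that into a second failure. The visible lines stop before the copy command; confirm that a directory check (for example `[ -d /tmp/gh-aw ]`) precedes it.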

Contributor

The --no-clobber fallback chain is pragmatic. A brief inline note on why cp is preferred over rsync (availability) would help future readers.

github-actions Bot commented Jul 3, 2026

Contributor

Smoke tests summary:

  1. GitHub CLI merged PRs: ✅
  2. mcpscripts-gh PR list: ❌

Overall Status: FAIL

📰 BREAKING: Report filed by Smoke Copilot - AOAI (Entra) · 18.4 AIC · ⌖ 3.03 AIC · ⊞ 17.6K ·
Comment /smoke-copilot-aoai-entra to run again
Add label smoke to run again

github-actions Bot commented Jul 3, 2026

Contributor

Smoke

PR: fix(arc-dind): mount workspace correctly and unify artifact roots
1❌ 2❌ 3✅ 4✅ 5❌ 6✅ 7❌ 8✅
9✅ 10❌ 11❌ 12✅ 13✅ 14❌ 15✅ 16✅
Status: FAIL
Author: lpcox
Assignees: none

📰 BREAKING: Report filed by Smoke Copilot · 103.1 AIC · ⌖ 4.99 AIC · ⊞ 19.1K ·
Comment /smoke-copilot to run again
Add label smoke to run again

github-actions Bot commented Jul 3, 2026

Contributor

Comment Memory

Steel bot tap stone
Tiny tests grunt in night fog
Green sparks mark path home

📰 BREAKING: Report filed by Smoke Copilot · 103.1 AIC · ⌖ 4.99 AIC · ⊞ 19.1K ·
Comment /smoke-copilot to run again
Add label smoke to run again

github-actions Bot left a comment

Contributor

Smoke bot comment review. Tool path worked.

📰 BREAKING: Report filed by Smoke Copilot · 103.1 AIC · ⌖ 4.99 AIC · ⊞ 19.1K
Comment /smoke-copilot to run again
Add label smoke to run again

@lpcox lpcox merged commit 332d5e2 into main Jul 3, 2026
209 of 215 checks passed
@lpcox lpcox deleted the fix/arc-dind-workspace-mount branch July 3, 2026 16:03