fix: add write permission in rootless artifact permission repair#5717
Conversation
Add docs/model-api-mapping.json mapping OpenAI and Anthropic models to their supported API endpoints (chat/completions vs responses vs messages). Add an agentic workflow that refreshes the mapping daily from official provider documentation and opens a PR if changes are detected. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Load docs/model-api-mapping.json at startup and include it in the /reflect management endpoint response. This allows SDK drivers and harness scripts to query which endpoint a model requires (responses vs chat/completions vs messages) before making requests. Adds: - model-api-mapping.js: loader with glob-pattern lookup - model-api-mapping.json: bundled copy for the container image - model-api-mapping.test.js: unit tests for pattern matching and lookup - Dockerfile: includes new files in the image - management.js: adds model_api_mapping to /reflect response Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
The rootless permission repair container runs chmod with a+rX, which doesn't grant write permission. When chown fails to translate across the user namespace boundary, the host user still cannot delete directories because they lack write permission on them. Change chmod from a+rX to a+rwX so that even if chown doesn't work across the namespace, the world-writable permissions allow the host process to delete the files. Fixes #5708 Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
✅ Coverage Check PassedOverall Coverage
📁 Per-file Coverage Changes (1 files)
Coverage comparison generated by |
|
✅ Smoke Gemini completed. All facets verified. 💎 |
|
Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded. |
|
✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟 |
|
✅ Contribution Check completed successfully! |
|
❌ Security Guard failed. Please review the logs for details. |
|
✅ Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓 |
|
✅ Build Test Suite completed successfully! |
|
📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅ |
|
✅ Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓 |
|
✅ Smoke Claude passed |
|
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤 |
|
✅ Smoke Copilot BYOK AOAI (api-key) completed. Copilot AOAI BYOK (api-key) mode operational. 🔓 |
|
🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅ |
|
🔌 Smoke Services — All services reachable! ✅ |
|
Thanks for the contribution! I noticed one contribution-guideline gap to address before merge:
The new model-mapping functionality does include colocated tests, so this is mainly about making the PR description match the significant changes in the diff.
|
Smoke Test: Claude Engine Validation
Overall result: PASS ✅
|
🔬 Smoke Test ResultsPR: fix: add write permission in rootless artifact permission repair
Overall: FAIL — smoke-data step outputs were not substituted (template variables unresolved).
|
🔥 Smoke Test: PAT Auth — PASSPR: fix: add write permission in rootless artifact permission repair
Overall: PASS | Auth mode: PAT (COPILOT_GITHUB_TOKEN)
|
Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra Overall: PASS
|
Chroot Version Comparison Results
Overall: ❌ FAILED — Python and Node.js versions differ between host and chroot environments.
|
|
Merged PRs reviewed:
✅ GitHub CLI query Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "registry.npmjs.org"See Network Configuration for more information.
|
Smoke Test Results: Copilot BYOK ✅
Status: PASS | Direct BYOK mode (COPILOT_PROVIDER_API_KEY) via api-proxy → api.githubcopilot.com | @lpcox
|
🔍 Smoke Test: API Proxy OpenTelemetry Tracing
All 5 scenarios passed. OTEL module is fully functional with graceful degradation (file fallback when no endpoint configured).
|
Smoke Test: GitHub Actions Services Connectivity
Overall: FAIL —
|
|
@lpcox
|
🏗️ Build Test Suite Results
Overall: 8/8 ecosystems passed — ✅ PASS
|
Smoke Test Results (Gemini)
Overall status: FAIL Note: GitHub MCP tools were not found in the environment. Connectivity issues prevented external API access. Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "localhost"See Network Configuration for more information.
|
Problem
On rootless Docker runners, the chroot home directory (
/tmp/awf-*-chroot-home) cannot be removed during cleanup. ThefixArtifactPermissionsForRootlessrepair container runs successfully butchowndoesn't translate across the user namespace boundary, leaving files still inaccessible to the host process.The subsequent
chmod -R a+rXdoesn't help because it only adds read/execute — without write permission on directories, the host user cannot delete their contents.Fixes #5708
Fix
Change
chmod -R a+rX→chmod -R a+rwXin the repair container command. This ensures that even whenchownfails silently within the rootless user namespace, the world-writable permissions allow the host process to delete the directory on retry.Testing
artifact-permissions.test.tstests pass