Skip to content

fix: add write permission in rootless artifact permission repair#5717

Merged
lpcox merged 5 commits into
mainfrom
feat/model-api-mapping
Jun 30, 2026
Merged

fix: add write permission in rootless artifact permission repair#5717
lpcox merged 5 commits into
mainfrom
feat/model-api-mapping

Conversation

@lpcox

@lpcox lpcox commented Jun 30, 2026

Copy link
Copy Markdown
Collaborator

Problem

On rootless Docker runners, the chroot home directory (/tmp/awf-*-chroot-home) cannot be removed during cleanup. The fixArtifactPermissionsForRootless repair container runs successfully but chown doesn't translate across the user namespace boundary, leaving files still inaccessible to the host process.

The subsequent chmod -R a+rX doesn't help because it only adds read/execute — without write permission on directories, the host user cannot delete their contents.

Fixes #5708

Fix

Change chmod -R a+rXchmod -R a+rwX in the repair container command. This ensures that even when chown fails silently within the rootless user namespace, the world-writable permissions allow the host process to delete the directory on retry.

Testing

  • Existing artifact-permissions.test.ts tests pass
  • Type checks clean

lpcox and others added 5 commits June 29, 2026 21:13
Add docs/model-api-mapping.json mapping OpenAI and Anthropic models to
their supported API endpoints (chat/completions vs responses vs messages).

Add an agentic workflow that refreshes the mapping daily from official
provider documentation and opens a PR if changes are detected.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Load docs/model-api-mapping.json at startup and include it in the
/reflect management endpoint response. This allows SDK drivers and
harness scripts to query which endpoint a model requires (responses
vs chat/completions vs messages) before making requests.

Adds:
- model-api-mapping.js: loader with glob-pattern lookup
- model-api-mapping.json: bundled copy for the container image
- model-api-mapping.test.js: unit tests for pattern matching and lookup
- Dockerfile: includes new files in the image
- management.js: adds model_api_mapping to /reflect response

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
The rootless permission repair container runs chmod with a+rX, which
doesn't grant write permission. When chown fails to translate across the
user namespace boundary, the host user still cannot delete directories
because they lack write permission on them.

Change chmod from a+rX to a+rwX so that even if chown doesn't work
across the namespace, the world-writable permissions allow the host
process to delete the files.

Fixes #5708

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings June 30, 2026 11:55
@github-actions

Copy link
Copy Markdown
Contributor

Documentation Preview

Documentation build failed for this PR. View logs.

Built from commit 3ceaf76

@lpcox lpcox removed the request for review from Copilot June 30, 2026 11:57
@github-actions

Copy link
Copy Markdown
Contributor

✅ Coverage Check Passed

Overall Coverage

Metric Base PR Delta
Lines 98.39% 98.43% 📈 +0.04%
Statements 98.32% 98.36% 📈 +0.04%
Functions 99.55% 99.55% ➡️ +0.00%
Branches 94.41% 94.41% ➡️ +0.00%
📁 Per-file Coverage Changes (1 files)
File Lines (Before → After) Statements (Before → After)
src/workdir-setup.ts 92.7% → 94.5% (+1.82%) 92.7% → 94.5% (+1.82%)

Coverage comparison generated by scripts/ci/compare-coverage.ts

@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Smoke Gemini completed. All facets verified. 💎

@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded.

@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Contribution Check completed successfully!

@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Security Guard failed. Please review the logs for details.

@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓

@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Build Test Suite completed successfully!

@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅

@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓

@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Smoke Claude passed

@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK AOAI (api-key) completed. Copilot AOAI BYOK (api-key) mode operational. 🔓

@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅

@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

🔌 Smoke Services — All services reachable! ✅

@github-actions

Copy link
Copy Markdown
Contributor

Thanks for the contribution! I noticed one contribution-guideline gap to address before merge:

  • Pull request requirements: CONTRIBUTING.md asks for a clear description of what the PR does and references to related issues. The current title/description cover the rootless artifact-permission fix, but the diff also adds the model API mapping files, /reflect exposure, workflow permission changes, and related tests. Please update the PR description/title so reviewers can understand the full scope and any related issue/context for those model-mapping changes.

The new model-mapping functionality does include colocated tests, so this is mainly about making the PR description match the significant changes in the diff.

Generated by Contribution Check for #5717 · 47.5 AIC · ⊞ 23.3K ·

@github-actions

Copy link
Copy Markdown
Contributor

Smoke Test: Claude Engine Validation

Check Result
API status ✅ PASS
GitHub check ✅ PASS
File status ✅ PASS

Overall result: PASS

Generated by Smoke Claude for #5717 · 52.4 AIC · ⊞ 3.3K ·

@github-actions

Copy link
Copy Markdown
Contributor

🔬 Smoke Test Results

PR: fix: add write permission in rootless artifact permission repair
Author: @lpcox

Test Result
GitHub MCP connectivity ✅ PASS
GitHub.com HTTP connectivity ❌ FAIL (pre-step outputs not resolved)
File write/read ❌ FAIL (pre-step outputs not resolved)

Overall: FAIL — smoke-data step outputs were not substituted (template variables unresolved).

📰 BREAKING: Report filed by Smoke Copilot

@github-actions

Copy link
Copy Markdown
Contributor

🔥 Smoke Test: PAT Auth — PASS

PR: fix: add write permission in rootless artifact permission repair
Author: @lpcox

Test Result
GitHub MCP connectivity
github.com HTTP ✅ 200
File write/read

Overall: PASS | Auth mode: PAT (COPILOT_GITHUB_TOKEN)

🔑 PAT report filed by Smoke Copilot PAT

@github-actions

Copy link
Copy Markdown
Contributor

@lpcox

  • GitHub MCP connectivity: ✅
  • GitHub.com connectivity: ✅
  • File write/read test: ✅
  • BYOK inference: ✅

Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra

Overall: PASS

🪪 BYOK (AOAI Entra) report filed by Smoke Copilot BYOK AOAI (Entra)

@github-actions

Copy link
Copy Markdown
Contributor

Chroot Version Comparison Results

Runtime Host Version Chroot Version Match?
Python Python 3.12.13 Python 3.12.3 ❌ NO
Node.js v24.17.0 v22.23.0 ❌ NO
Go go1.22.12 go1.22.12 ✅ YES

Overall: ❌ FAILED — Python and Node.js versions differ between host and chroot environments.

Tested by Smoke Chroot

@github-actions

Copy link
Copy Markdown
Contributor

Merged PRs reviewed:

  • feat: add model-to-API endpoint mapping and daily updater workflow
  • fix: update invalid docker/setup-qemu-action SHA in release workflow

✅ GitHub CLI query
✅ Playwright title check
✅ File write/read
✅ Discussion comment
✅ Build
Overall: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

@github-actions

Copy link
Copy Markdown
Contributor

Smoke Test Results: Copilot BYOK ✅

Test Result
GitHub MCP ✅ (2 merged PRs fetched)
github.com Connectivity ✅ (HTTP 200)
File Write/Read ✅ (exists & readable)
BYOK Inference ✅ (active)

Status: PASS | Direct BYOK mode (COPILOT_PROVIDER_API_KEY) via api-proxy → api.githubcopilot.com | @lpcox

🔑 BYOK report filed by Smoke Copilot BYOK

@github-actions

Copy link
Copy Markdown
Contributor

🔍 Smoke Test: API Proxy OpenTelemetry Tracing

Scenario Result Notes
1. Module Loading otel.js loads; exports 14 symbols incl. startRequestSpan, setTokenAttributes, setBudgetAttributes, endSpan, endSpanError, shutdown, isEnabled
2. Test Suite 59 tests passed — otel.test.js (39) + otel-fanout.test.js (20), 0 failures
3. Env Var Forwarding api-proxy-env-config.ts forwards GH_AW_OTLP_ENDPOINTS, OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_HEADERS, GITHUB_AW_OTEL_TRACE_ID, GITHUB_AW_OTEL_PARENT_SPAN_ID, OTEL_SERVICE_NAME
4. Token Tracker Integration onUsage callback confirmed in token-tracker-http.js; proxy-request.js calls startRequestSpan/setTokenAttributes
5. OTEL Diagnostics 1 span exported to /tmp/gh-aw/otel.jsonl (file fallback — no OTLP endpoint configured). Span: gh-aw.agent.setup with run/repo/actor attributes

All 5 scenarios passed. OTEL module is fully functional with graceful degradation (file fallback when no endpoint configured).

📡 OTel tracing validated by Smoke OTel Tracing

@github-actions

Copy link
Copy Markdown
Contributor

Smoke Test: GitHub Actions Services Connectivity

Check Result
Redis PING ❌ Timeout/no response
PostgreSQL pg_isready ❌ No response (host.docker.internal:5432 - no response)
PostgreSQL SELECT 1 ❌ Timeout/no response

Overall: FAILhost.docker.internal is not reachable from this runner environment. Service containers appear unreachable.

🔌 Service connectivity validated by Smoke Services

@github-actions

Copy link
Copy Markdown
Contributor

@lpcox
GitHub MCP connectivity: ✅
GitHub.com HTTP: ✅
File write/read: ✅
Direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw): ✅
Merged PR titles:

  • feat: add model-to-API endpoint mapping and daily updater workflow
  • fix: update invalid docker/setup-qemu-action SHA in release workflow
    Overall: PASS

🔑 BYOK (AOAI api-key) report filed by Smoke Copilot BYOK AOAI (api-key)

@github-actions

Copy link
Copy Markdown
Contributor

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color 1/1 passed ✅ PASS
Go env 1/1 passed ✅ PASS
Go uuid 1/1 passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx passed ✅ PASS
Node.js execa passed ✅ PASS
Node.js p-limit passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for #5717 · 49 AIC · ⊞ 7.8K ·

@github-actions

Copy link
Copy Markdown
Contributor

Smoke Test Results (Gemini)

Overall status: FAIL

Note: GitHub MCP tools were not found in the environment. Connectivity issues prevented external API access.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Rootless Docker: chroot-home cleanup fails after permission repair

2 participants