fix(ci): postprocess install-step swap must tolerate trailing --rootless flag#5800
Conversation
gh-aw v0.82+ emits the AWF install step with a trailing flag, e.g. `install_awf_binary.sh v0.27.16 --rootless`. The postprocess regex anchored the version to an immediate newline (`v[0-9.]+\n`), so the install-step replacement silently no-op'd while the `--skip-pull -> --build-local` rewrite still fired. This left every non-release lock file in a broken state: standalone bundle install + `--build-local`, which awf rejects at runtime: The --build-local flag requires a full repository checkout. It is not supported with the standalone bundle. Widen the regex to `v[0-9.]+[^\n]*\n` so trailing flags are tolerated, add a `--rootless` regression test, and recompile + postprocess all workflows so smoke/build-test suites build the firewall containers from source locally again. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
✅ Coverage Check PassedOverall Coverage
📁 Per-file Coverage Changes (1 files)
Coverage comparison generated by |
There was a problem hiding this comment.
Pull request overview
This PR fixes the AWF smoke-harness postprocessing so it still replaces the compiled “Install AWF binary” step when gh aw appends trailing flags (e.g. --rootless), preventing workflows from ending up with an invalid standalone-bundle install combined with --build-local.
Changes:
- Broaden
installStepRegexto tolerate trailing flags after the AWF version string. - Add a regression test covering the
--rootlesssuffix case. - Recompile + re-run the postprocess script so affected
.lock.ymlworkflows consistently build AWF from source again (with expected cron “fuzz” drift).
Show a summary per file
| File | Description |
|---|---|
| scripts/ci/postprocess-smoke-workflows.ts | Loosens AWF installer step matching so the postprocess swap still triggers with trailing flags like --rootless. |
| scripts/ci/postprocess-smoke-workflows.test.ts | Adds coverage ensuring the updated install-step regex matches vX.Y.Z --rootless. |
| .github/workflows/update-release-notes.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install. |
| .github/workflows/test-hard-cap-ai-credits.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install. |
| .github/workflows/test-coverage-reporter.lock.yml | Recompiled lock: swaps AWF installer step for local build-from-source AWF install; cron drift from recompilation. |
| .github/workflows/test-coverage-improver.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install. |
| .github/workflows/smoke-services.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install; cron drift from recompilation. |
| .github/workflows/smoke-otel-tracing.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install; cron drift from recompilation. |
| .github/workflows/smoke-gemini.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install; cron drift from recompilation. |
| .github/workflows/smoke-copilot.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install; cron drift from recompilation. |
| .github/workflows/smoke-copilot-pat.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install; cron drift from recompilation. |
| .github/workflows/smoke-copilot-byok.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install; cron drift from recompilation. |
| .github/workflows/smoke-copilot-byok-aoai-entra.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install; cron drift from recompilation. |
| .github/workflows/smoke-copilot-byok-aoai-apikey.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install. |
| .github/workflows/smoke-codex.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install; cron drift from recompilation. |
| .github/workflows/smoke-claude.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install; cron drift from recompilation. |
| .github/workflows/smoke-chroot.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install. |
| .github/workflows/self-hosted-runner-doctor.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install (also updates metadata body hash). |
| .github/workflows/self-hosted-runner-doctor-updater.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install; cron drift + metadata updates. |
| .github/workflows/security-review.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install; cron drift from recompilation. |
| .github/workflows/security-guard.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install. |
| .github/workflows/secret-digger-copilot.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install. |
| .github/workflows/secret-digger-codex.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install. |
| .github/workflows/secret-digger-claude.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install. |
| .github/workflows/schema-sync.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install; cron drift from recompilation. |
| .github/workflows/refactoring-scanner.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install; cron drift from recompilation. |
| .github/workflows/red-team-benchmark.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install; cron drift from recompilation. |
| .github/workflows/plan.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install. |
| .github/workflows/pelis-agent-factory-advisor.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install. |
| .github/workflows/model-api-mapping-updater.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install; cron drift from recompilation. |
| .github/workflows/issue-monster.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install; cron drift from recompilation. |
| .github/workflows/issue-duplication-detector.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install. |
| .github/workflows/firewall-issue-dispatcher.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install. |
| .github/workflows/export-audit.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install. |
| .github/workflows/duplicate-code-detector.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install; cron drift from recompilation. |
| .github/workflows/doc-maintainer.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install; cron drift from recompilation. |
| .github/workflows/dependency-security-monitor.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install. |
| .github/workflows/copilot-token-usage-analyzer.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install; cron drift from recompilation. |
| .github/workflows/copilot-token-optimizer.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install. |
| .github/workflows/contribution-check.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install. |
| .github/workflows/config-consistency-auditor.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install; cron drift from recompilation. |
| .github/workflows/cli-flag-consistency-checker.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install; cron drift from recompilation. |
| .github/workflows/claude-token-usage-analyzer.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install; cron drift from recompilation. |
| .github/workflows/claude-token-optimizer.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install. |
| .github/workflows/ci-doctor.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install. |
| .github/workflows/ci-cd-gaps-assessment.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install; cron drift from recompilation. |
| .github/workflows/build-test.lock.yml | Recompiled lock: swaps standalone AWF installer step for local build-from-source AWF install. |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 47/47 changed files
- Comments generated: 2
- Review effort level: Low
gh-aw v0.82 moved AWF network/host config out of CLI flags and into the awf-config.json (--config), and added native support for a top-level `services:` frontmatter section. The compiler now emits the GitHub Actions `services:` block into the agent job AND auto-derives `--allow-host-service-ports` from the declared port mappings. The old smoke-services post-processing (inject a services block + swap a `--enable-host-access` CLI flag) silently no-op'd against the new output: the agent job gained an `if:` line that broke the injection regex, and the `--enable-host-access` flag no longer exists. Result: smoke-services ran with no service containers and no host-service-port access. - Declare redis + postgres under a native `services:` section in smoke-services.md. - Remove the entire smoke-services special-case from postprocess-smoke-workflows.ts (now handled by the compiler). - Recompile + postprocess (also drops a stale codex env_key in secret-digger-codex that a prior recompile left behind). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
|
✅ Copilot review passed with no inline comments. @lpcox Add the |
Follow-up: fixed a second v0.82 regression in
|
The local-build install steps inject a Setup Node.js step; some workflows already emit an identical one immediately before, yielding duplicate consecutive steps. Add a backreference-guarded post-pass that collapses only byte-identical consecutive blocks, so workflows without one keep the injected step. Resolves the Copilot review nit on smoke-claude/smoke-gemini. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
|
Addressed the duplicate The local-build install steps inject a Fix: a backreference-guarded post-pass that collapses only byte-identical consecutive |
Problem
The Build Test Suite (and every other agentic workflow run through the AWF smoke harness) was failing with:
(Observed on run 28550453439, PR #5783.)
Root cause
gh awv0.82+ now emits the AWF install step with a trailing flag:scripts/ci/postprocess-smoke-workflows.tsswaps that step for a build-from-source step and rewrites--skip-pull→--build-local. But its install-step regex anchored the version directly to a newline:The new trailing
--rootlessbroke that match, so the install-step replacement silently no-op'd while the--build-localrewrite still fired. Result: every non-release lock file ended up with a standalone-bundle install +--build-local— an impossible combination that awf rejects at runtime.Fix
v[0-9.]+[^\n]*\nso trailing flags (--rootless, etc.) are tolerated (in both the script and its test copy).--rootlessregression test.gh aw compile) + re-run the postprocess script so all smoke/build-test workflows build the firewall containers from source again.Verification
npx jest scripts/ci/postprocess-smoke-workflows.test.ts→ 47 passed (incl. new case).npm run buildclean.--build-localwithinstall_awf_binary.sh. The only files still using the standalone installer are the two intentional release-mode files (build-test-network-isolation,network-isolation-test), which correctly keep--skip-pull.The large lock-file diff is expected: the install-step swap now correctly applies to all non-release workflows (previously all silently skipped). Cron changes are normal fuzz-schedule drift from recompilation.
Co-authored-by: Copilot 223556219+Copilot@users.noreply.github.com