Skip to content

Update Runner Doctor A15 status to reflect merged ARC/DinD permission-repair fix#5971

Merged
lpcox merged 3 commits into
mainfrom
copilot/update-a15-status-to-fixed
Jul 7, 2026
Merged

Update Runner Doctor A15 status to reflect merged ARC/DinD permission-repair fix#5971
lpcox merged 3 commits into
mainfrom
copilot/update-a15-status-to-fixed

Conversation

Copilot AI commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

The Runner Doctor knowledge base still described A15 as an open ARC/DinD failure even though PR #5963 merged the underlying fix. This updates the catalog so diagnoses point users to the shipped remediation instead of an in-progress workaround.

  • Catalog status update

    • Mark A15 as fixed in github/gh-aw-firewall#5963
    • Replace the old “fix in progress” wording with the shipped behavior: fixArtifactPermissionsForRootless() now applies applyHostPathPrefixToVolumes() for the repair bind mount
    • Keep the older chmod -R a+rX guidance as a workaround for pre-fix AWF versions
  • Citations

    • Expand A15 citations to include the original report, tracking PR, and merged fix:
      • github/gh-aw-firewall#5816
      • github/gh-aw-firewall#5817
      • github/gh-aw-firewall#5963
  • Unresolved-items cleanup

    • Remove A15 from the “Known unresolved items” list now that the fix is merged
  • Mirrored runner-doctor sources

    • Apply the same A15 update to both embedded catalogs:
      • .github/workflows/shared/self-hosted-failure-modes.md
      • .github/agents/self-hosted-runner-doctor.md
  • Alignment guard

    • Update the runner-doctor sync test to assert the new fixed wording and ensure A15 no longer appears in unresolved items
| A15 | ... | **Fixed in PR github/gh-aw-firewall#5963**: `fixArtifactPermissionsForRootless()` now calls `applyHostPathPrefixToVolumes()` so the repair container bind mount is correctly translated for the DinD daemon. Upgrade AWF to the version that includes github/gh-aw-firewall#5963. Workaround (older AWF): run `chmod -R a+rX` inside the squid container before `docker compose down`. | ... | github/gh-aw-firewall#5816, github/gh-aw-firewall#5817, github/gh-aw-firewall#5963 |

Copilot AI changed the title [WIP] Update A15 status to fixed with citation Update Runner Doctor A15 status to reflect merged ARC/DinD permission-repair fix Jul 7, 2026
Copilot AI requested a review from lpcox July 7, 2026 02:41
Copilot finished work on behalf of lpcox July 7, 2026 02:41
@lpcox lpcox marked this pull request as ready for review July 7, 2026 12:11
Copilot AI review requested due to automatic review settings July 7, 2026 12:11

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the Runner Doctor failure-mode catalog to reflect that ARC/DinD A15 is no longer an open issue, aligning diagnoses and citations with the merged remediation in github/gh-aw-firewall#5963.

Changes:

  • Mark A15 as fixed (with updated remediation text) and expand citations to include the original report, tracking PR, and merged fix.
  • Remove A15 from the “Known unresolved items” section in the mirrored runner-doctor catalogs.
  • Update the runner-doctor alignment test to validate the new fixed wording and ensure the unresolved-items entry is gone.
Show a summary per file
File Description
scripts/ci/self-hosted-runner-doctor-workflow.test.ts Updates the alignment guard assertions for A15’s new “fixed” wording and removal from unresolved items.
.github/workflows/shared/self-hosted-failure-modes.md Updates A15 status/remediation text and removes A15 from the unresolved-items list.
.github/agents/self-hosted-runner-doctor.md Mirrors the same A15 status/remediation and unresolved-items cleanup for the portable agent catalog.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 3/3 changed files
  • Comments generated: 1
  • Review effort level: Low

Comment on lines +45 to +49
expect(content).toContain('**Fixed in PR github/gh-aw-firewall#5963**: `fixArtifactPermissionsForRootless()` now calls `applyHostPathPrefixToVolumes()` so the repair container bind mount is correctly translated for the DinD daemon. Upgrade AWF to the version that includes github/gh-aw-firewall#5963. Workaround (older AWF): run `chmod -R a+rX` inside the squid container before `docker compose down`.');
expect(content).toContain('github/gh-aw-firewall#5816, github/gh-aw-firewall#5817, github/gh-aw-firewall#5963');
expect(content).toContain('| `unknown shorthand flag: \'d\' in -d` from `docker compose up -d` on ARC/DinD | A14 |');
expect(content).toContain('| `Rootless artifact permission repair failed for .../sandbox/firewall/logs` on ARC/DinD | A15 |');
expect(content).toContain('- A15 / github/gh-aw-firewall#5816 — rootless artifact permission repair on ARC/DinD: `fixArtifactPermissionsForRootless()` does not apply `dockerHostPathPrefix` to repair step bind mount; fix tracked in PR github/gh-aw-firewall#5817');
expect(content).not.toContain('- A15 / github/gh-aw-firewall#5816 — rootless artifact permission repair on ARC/DinD: `fixArtifactPermissionsForRootless()` does not apply `dockerHostPathPrefix` to repair step bind mount; fix tracked in PR github/gh-aw-firewall#5817');
@lpcox

lpcox commented Jul 7, 2026

Copy link
Copy Markdown
Collaborator

@copilot address review feedback

Copilot AI commented Jul 7, 2026

Copy link
Copy Markdown
Contributor Author

@copilot address review feedback

Addressed in f37b451. I updated scripts/ci/self-hosted-runner-doctor-workflow.test.ts to replace the brittle full-string A15 assertion with key fragment checks (PR, function names, workaround) and changed the unresolved-items assertion to reject any - A15 / ... entry via regex.

Copilot finished work on behalf of lpcox July 7, 2026 12:32
@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

✅ Copilot review passed with no inline comments.

@copilot Add the ready-for-aw label to this PR to trigger agentic CI smoke tests.

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Smoke Claude passed

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

🔌 Smoke Services — All services reachable! ✅

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK AOAI (api-key) reports failed. AOAI BYOK (api-key) mode investigation needed...

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Chroot tests failed Smoke Chroot failed - See logs for details.

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Build Test Suite completed successfully!

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

🚀 Security Guard has started processing this pull request

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Smoke Gemini completed. All facets verified. 💎

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK AOAI (Entra) reports failed. AOAI BYOK (Entra) mode investigation needed...

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Contribution Check completed successfully!

PR follows the applicable contribution guidelines; no review comment needed.

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

⚠️ Coverage Regression Detected

This PR decreases test coverage. Please add tests to maintain coverage levels.

Overall Coverage

Metric Base PR Delta
Lines 98.82% 98.82% ➡️ +0.00%
Statements 98.76% 98.76% ➡️ +0.00%
Functions 99.72% 99.72% ➡️ +0.00%
Branches 95.19% 95.15% 📉 -0.04%

Coverage comparison generated by scripts/ci/compare-coverage.ts

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Claude Engine Validation

Check Result
API Status ✅ PASS
GH Check ✅ PASS
File Status ✅ PASS

Overall Result: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Smoke Claude for #5971 · 35.6 AIC · ⊞ 3.3K ·
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Smoke Test Results

  • Redis PING: ❌ Network is unreachable
  • PostgreSQL pg_isready: ❌ No response
  • PostgreSQL SELECT 1: ❌ Network is unreachable

Overall: FAILhost.docker.internal (172.17.0.1) is unreachable from this environment. Services are not accessible.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔌 Service connectivity validated by Smoke Services
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: PAT Auth

Test Result
MCP connectivity
github.com HTTP ✅ 200
File write/read ⚠️ template vars unresolved

Overall: PASS
Author: @lpcox
Auth mode: PAT (COPILOT_GITHUB_TOKEN)

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 PAT report filed by Smoke Copilot PAT
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

🔬 Smoke Test Results

Test Status
GitHub MCP connectivity
GitHub.com HTTP ⚠️ (pre-step data unavailable)
File write/read ⚠️ (pre-step data unavailable)

Overall: PASS (MCP verified)

Author: @lpcox

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: API Proxy OpenTelemetry Tracing

Scenario Result Notes
1. Module Loading ✅ Pass otel.js loads cleanly; exports: startRequestSpan, setTokenAttributes, setBudgetAttributes, endSpan, endSpanError, shutdown, isEnabled + internal helpers
2. Test Suite ✅ Pass 59 tests passed, 0 failed across otel.test.js + otel-fanout.test.js (2.39 s)
3. Env Var Forwarding ✅ Pass src/services/api-proxy-env-config.ts forwards GH_AW_OTLP_ENDPOINTS, OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_HEADERS, GITHUB_AW_OTEL_TRACE_ID, GITHUB_AW_OTEL_PARENT_SPAN_ID, OTEL_SERVICE_NAME
4. Token Tracker Integration ✅ Pass onUsage callback exists in token-tracker.js; invoked post-normalisation as the OTEL hook point for span token attributes
5. OTEL Diagnostics ✅ Pass (static) FileSpanExporter fallback writes to /var/log/api-proxy/otel.jsonl when no OTLP endpoint configured; no live export data in this environment

All scenarios pass. OTEL tracing integration is functional.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

📡 OTel tracing validated by Smoke OTel Tracing
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Copilot BYOK (Direct) — PR #5971

Test Result
GitHub MCP (list PRs)
GitHub.com Connectivity ✅ HTTP 200
File Write/Read ⚠️ Pre-fetched data unavailable
BYOK Inference (api-proxy → api.githubcopilot.com)

Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY) via api-proxy → api.githubcopilot.com.

cc @lpcox

Overall: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 BYOK report filed by Smoke Copilot BYOK
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Smoke Test Results

  • GitHub MCP Testing: ✅
  • GitHub.com Connectivity: ✅
  • File Writing Testing: ✅
  • Bash Tool Testing: ✅

PR Titles Reviewed:

Overall status: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color passed ✅ PASS
Go env passed ✅ PASS
Go uuid passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx passed ✅ PASS
Node.js execa passed ✅ PASS
Node.js p-limit passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Note: Java Maven required using /tmp as the local repository (-Dmaven.repo.local) because the default ~/.m2/repository directory is owned by root in this runner environment.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Build Test Suite for #5971 · 55.2 AIC · ⊞ 6.9K ·
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Smoke Test

  • PRs: 5963, 5960
  • GitHub page title: ✅
  • File write/read: ✅
  • Build: ❌ (npm ci npm internal error)
  • Overall: FAIL

Warning

Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

  • awmgmcpg
  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex
Add label ready-for-aw to run again

@lpcox lpcox merged commit 1ae4a64 into main Jul 7, 2026
84 of 89 checks passed
@lpcox lpcox deleted the copilot/update-a15-status-to-fixed branch July 7, 2026 12:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

🩺 Runner Doctor UpdateRunner Doctor update: A15 fixed in PR #5963 (rootless artifact permission repair on ARC/DinD)

3 participants