fix: correctly recover runner tool on PATH (after sudo w/ secure_path). remove incorrect reading from GITHUB_PATH#5144
Draft
zarenner wants to merge 11 commits into
Draft
fix: correctly recover runner tool on PATH (after sudo w/ secure_path). remove incorrect reading from GITHUB_PATH#5144zarenner wants to merge 11 commits into
zarenner wants to merge 11 commits into
Conversation
Contributor
Contributor
|
| Metric | Base | PR | Delta |
|---|---|---|---|
| Lines | 97.30% | 97.29% | ➡️ -0.01% |
| Statements | 97.16% | 97.11% | 📉 -0.05% |
| Functions | 98.84% | 98.84% | ➡️ +0.00% |
| Branches | 91.92% | 91.88% | 📉 -0.04% |
📁 Per-file Coverage Changes (2 files)
| File | Lines (Before → After) | Statements (Before → After) |
|---|---|---|
src/services/agent-environment/host-path-recovery.ts |
100.0% → 93.0% (-6.98%) | 100.0% → 88.9% (-11.12%) |
src/workdir-setup.ts |
92.7% → 94.5% (+1.82%) | 92.7% → 94.5% (+1.82%) |
Coverage comparison generated by scripts/ci/compare-coverage.ts
zarenner
changed the title
Contributor
|
| Metric | Base | PR | Delta |
|---|---|---|---|
| Lines | 97.30% | 97.58% | 📈 +0.28% |
| Statements | 97.16% | 97.51% | 📈 +0.35% |
| Functions | 98.84% | 98.68% | 📉 -0.16% |
| Branches | 91.92% | 92.99% | 📈 +1.07% |
📁 Per-file Coverage Changes (5 files)
| File | Lines (Before → After) | Statements (Before → After) |
|---|---|---|
src/services/agent-environment/host-path-recovery.ts |
100.0% → 96.4% (-3.58%) | 100.0% → 96.7% (-3.34%) |
src/workdir-setup.ts |
92.7% → 94.5% (+1.82%) | 92.7% → 94.5% (+1.82%) |
src/logs/audit-enricher.ts |
89.4% → 95.7% (+6.38%) | 83.6% → 95.1% (+11.48%) |
src/services/agent-volumes/docker-host-staging.ts |
87.2% → 95.7% (+8.51%) | 87.8% → 95.9% (+8.16%) |
src/commands/validators/log-and-limits.ts |
90.3% → 100.0% (+9.68%) | 90.3% → 100.0% (+9.68%) |
Coverage comparison generated by scripts/ci/compare-coverage.ts
zarenner
commented
Jun 17, 2026
Collaborator
Author
There was a problem hiding this comment.
this was wrong - GITHUB_PATH is meant to be written to (to then have the runner automatically add it to PATH in subsequent steps). It is not meant to be read from, and will be empty again on each new step.
zarenner
changed the title
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates AWF’s GitHub Actions path-recovery behavior so that tools installed into the runner tool cache remain discoverable inside the chroot when AWF is invoked under sudo (e.g., when secure_path sanitizes PATH). It removes the previous (incorrect) attempt to recover paths by reading $GITHUB_PATH, and instead derives AWF_HOST_PATH from the inherited PATH plus bin directories discovered under RUNNER_TOOL_CACHE.
Changes:
- Build
AWF_HOST_PATHby prepending discoveredRUNNER_TOOL_CACHE/**/bindirectories ahead of the currentPATH, and stop reading$GITHUB_PATH. - Update/replace unit tests to cover
RUNNER_TOOL_CACHEdiscovery and to align with the new PATH-building logic. - Update documentation to describe the new recovery mechanism and explicitly note that
$GITHUB_PATHis not used.
Show a summary per file
| File | Description |
|---|---|
| tests/chroot-path-ordering.test.sh | Updates fallback-path ordering assertions and adds coverage for self-hosted runner toolcache scanning. |
| src/services/agent-service.test.ts | Reworks PATH-recovery unit tests to validate RUNNER_TOOL_CACHE-based merging behavior. |
| src/services/agent-environment/host-path-recovery.ts | Implements RUNNER_TOOL_CACHE bin-dir discovery and merges into AWF_HOST_PATH; continues sudo $GITHUB_ENV recovery for toolchain vars. |
| src/github-env.ts | Removes $GITHUB_PATH helpers and generalizes path merging helper as prependPathEntries. |
| src/github-env.test.ts | Removes $GITHUB_PATH tests and renames/adjusts tests for prependPathEntries. |
| src/docker-manager-utils.test.ts | Drops tests tied to removed $GITHUB_PATH helpers. |
| docs/environment.md | Updates GitHub Actions tool-availability docs to describe PATH + RUNNER_TOOL_CACHE recovery (and not $GITHUB_PATH). |
| containers/agent/entrypoint.sh | Removes $GITHUB_PATH ingestion in the fallback PATH construction branch. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 8/8 changed files
- Comments generated: 5
Comment on lines
12
to
16
| const runnerToolCacheBinDirs = discoverRunnerToolCacheBinDirs(process.env.RUNNER_TOOL_CACHE); | ||
| environment.AWF_HOST_PATH = prependPathEntries(process.env.PATH, runnerToolCacheBinDirs); | ||
| if (runnerToolCacheBinDirs.length > 0) { | ||
| logger.debug(`Merged ${runnerToolCacheBinDirs.length} runner tool cache bin path(s) into AWF_HOST_PATH`); | ||
| } |
Comment on lines
+479
to
+482
| // create a file instead of a directory | ||
| const tmpFile = fs.mkdtempSync(path.join(os.tmpdir(), 'awf-tool-cache-file-')) + '.file'; | ||
| fs.writeFileSync(tmpFile, 'not a dir'); | ||
| process.env.RUNNER_TOOL_CACHE = tmpFile; |
Comment on lines
72
to
77
| # Run the script in a sub-shell with a clean environment | ||
| ( | ||
| export PATH="${base_path}" | ||
| [ -n "${github_path_file}" ] && export GITHUB_PATH="${github_path_file}" | ||
| eval "${script}" | ||
| eval "${check_expr}" | ||
| ) |
Contributor
|
✅ Copilot review passed with no inline comments. @zarenner Add the |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Recover runner
toolcachebin directories into the chrootPATHused by the agent container when AWF runs undersudoor when the runner tool cache contains needed binaries. This avoids preflight failures (e.g., missingnode) caused bysudosanitizingPATHon self-hosted/DinD runners.Root cause
When
sudois used inside some self-hosted runner environments,secure_pathin/etc/sudoersmay remove the runner's tool-cachebindirectories fromPATH. AWF's previous attempt to read per-stepGITHUB_PATHwas incorrect (it's per-step and cannot reliably recover prior step changes), which led to brittle behavior and confusing documentation.What this change does
RUNNER_TOOL_CACHEbin directories and merges them ahead of the existingPATHintoAWF_HOST_PATHso chrooted agent processes can find tool binaries.GITHUB_PATHfor PATH recovery.GITHUB_ENVwhen AWF is running undersudo(unchanged behavior, but clarified).RUNNER_TOOL_CACHEdiscovery.Testing
toolcache/*/<version>/<arch>/bindirectoriesRUNNER_TOOL_CACHEis not setRUNNER_TOOL_CACHEpoints to non-directories or contains non-directory entriesGITHUB_ENVwhen running as root withSUDO_UIDsetnpm test -- --coverage— all tests passed.Risk and rollout
Low-risk. Changes are localized to host-path recovery logic and tests. If a regression is seen, revert the commit that modifies
src/services/agent-environment/host-path-recovery.ts.Notes for reviewers
discoverRunnerToolCacheBinDirslogic and the test cases that exercise non-directory entries and permission-safe reads.GITHUB_PATHmerging; see docs update in the branch for rationale.Related
GH_AW_NODE_BINwhen set.