Use AWF --enable-chroot mode and remove unnecessary --mount and --env flags #13576
…lags

- Add --enable-chroot flag to AWF invocations for transparent host access
- Remove unnecessary --mount flags for host binaries (replaced by chroot mode)
- Remove --env-all and mirrored environment variable flags (inherited by chroot)
- Remove tool bins setup command (not needed with chroot mode)
- Update tests to verify new chroot mode behavior
- Recompile all workflow files with simplified AWF commands

Co-authored-by: Mossaka <[email protected]>
Co-Authored-By: Claude Opus 4.5 <[email protected]>
Pull request overview
This pull request adopts AWF v0.13.1's new --enable-chroot feature to significantly simplify workflow commands by eliminating unnecessary mount and environment variable flags. The chroot mode provides transparent access to host binaries and environment while maintaining network isolation.
Changes:
- Added `--enable-chroot` flag to AWF invocations, enabling transparent host filesystem access
- Removed 17+ individual binary mounts (cat, curl, gh, jq, yq, etc.) and system directory mounts that are now unnecessary
- Removed `--env-all` and individual `--env` flags since chroot inherits the host environment
- Updated tests to verify chroot mode behavior instead of checking for individual mounts
Reviewed changes
Copilot reviewed 139 out of 139 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| pkg/workflow/sandbox_mounts_test.go | Updated tests to verify --enable-chroot flag presence instead of checking for standard mounts |
| pkg/workflow/firewall_args_test.go | Updated tests to verify chroot mode and confirm individual binary mounts are no longer used |
| .github/workflows/*.lock.yml (100+ files) | All compiled workflow files updated with simplified AWF commands using --enable-chroot instead of explicit mount/env flags |
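
An added example, not code from this PR or from the gh-aw repository: a small Go audit of one AWF argument list against the flag set the overview describes (`--enable-chroot` present, no `--mount`, `--env` or `--env-all`). The function name, the sample arguments, the `--flag=value` form and the bare `--` separator before the agent command are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// auditAWFArgs reports how one AWF argument list deviates from the chroot-mode
// shape this PR describes: --enable-chroot present, no --mount/--env/--env-all.
// Assumptions (not confirmed by the page): flags may be written "--flag value"
// or "--flag=value", and a bare "--" separates AWF flags from the agent command.
func auditAWFArgs(args []string) []string {
	var findings []string
	chroot := false
	for _, arg := range args {
		if arg == "--" {
			break // everything after this belongs to the wrapped command
		}
		name, _, _ := strings.Cut(arg, "=")
		switch name {
		case "--enable-chroot":
			chroot = true
		case "--mount", "--env", "--env-all":
			findings = append(findings, "leftover flag: "+name)
		}
	}
	if !chroot {
		findings = append(findings, "missing --enable-chroot")
	}
	return findings
}

func main() {
	// Constructed sample invocations, not copied from the project's workflows.
	before := strings.Fields("--env-all --mount /usr/bin/jq:/usr/bin/jq:ro -- agent --env")
	after := strings.Fields("--enable-chroot -- agent --mount")
	fmt.Println("before:", auditAWFArgs(before))
	fmt.Println("after: ", auditAWFArgs(after))
}
```
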
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

📰 DEVELOPING STORY: Smoke Copilot reports failed. Our correspondents are investigating the incident...

PR titles:

@copilot This PR only adds Please also update:
to use
Bumps gh-aw-firewall from v0.13.1 to v0.13.2 which includes the fix for --enable-chroot with preset agent images (PR #459). Co-Authored-By: Claude Opus 4.5 <[email protected]>
✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

Agent Container Tool Check ✅
All required development tools are available in the agent container:
Result: 12/12 tools available ✅
Status: PASS - All required tools are accessible in the container environment.

Smoke Test Results
Overall: cc @Mossaka

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤
AWF v0.13.4 fixes an issue where the Go version from actions/setup-go was not being found in chroot mode. The entrypoint now prepends $GOROOT/bin to PATH when AWF_GOROOT is provided, ensuring the correct Go version is used. This fixes the smoke-copilot test failure: "Build: ❌ (Go 1.24.12 < required 1.25.0)" Also updates the constants_test.go expectation from v0.13.1 to v0.13.4. Co-Authored-By: Claude Opus 4.5 <[email protected]>
🔍 PR Triage Results
Category: feature | Risk: high | Priority: 75/100
Scores Breakdown
📋 Recommended Action: fast_track
This is a critical infrastructure improvement that adopts AWF chroot mode and simplifies the codebase significantly (net -469 lines). The PR has been actively developed with 29 commits and 110 comments, showing thorough iteration. Despite the large scope and pending CI, the architectural benefits and issue resolution ( Triaged by PR Triage Agent on 2026-02-04T06:24:15Z

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

Agent Container Tool Check
Result: 10/12 tools fully verified ✅ | 2 tools present but path issues in smoke test
Note: Java and .NET are installed at

Smoke Test Results: ✅ PASS
PRs Tested:
Tests: ✅ GitHub MCP | ✅ Safe Inputs | ✅ Serena | ✅ Playwright | ✅ File I/O | ✅ Bash | ✅ Discussion | ✅ Build | ✅ Dispatch

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤
- `--enable-chroot` flag to AWF invocations for Copilot engine
- `--mount` flags for host binaries (Copilot engine)

Original prompt
Changeset
`--enable-chroot` mode so agent runs inherit the host binaries and environment without manually mounting each tool.
Changeset
`--env-all` is passed to AWF to even receive the host vars.