Skip to content

Set runtime to docker-sbx in smoke-docker-sbx workflow frontmatter#6153

Merged
lpcox merged 21 commits into
mainfrom
set-docker-sbx-runtime
Jul 13, 2026
Merged

Set runtime to docker-sbx in smoke-docker-sbx workflow frontmatter#6153
lpcox merged 21 commits into
mainfrom
set-docker-sbx-runtime

Conversation

@lpcox

@lpcox lpcox commented Jul 12, 2026

Copy link
Copy Markdown
Collaborator

Summary

Adds sandbox.agent block with runtime: docker-sbx to all four smoke-docker-sbx workflow .md files:

  • smoke-docker-sbx.md
  • smoke-docker-sbx-build-test.md
  • smoke-docker-sbx-claude.md
  • smoke-docker-sbx-codex.md

This matches the pattern used by the gvisor smoke tests (which set runtime: gvisor). Previously these workflows had no sandbox.agent section, so the runtime was never explicitly set.

Note: Lock files are not recompiled in this PR.

Add sandbox.agent block with runtime: docker-sbx to all four
smoke-docker-sbx workflow .md files, matching the pattern used
by the gvisor smoke tests.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 12, 2026 21:05
lpcox and others added 2 commits July 12, 2026 14:06
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds explicit Docker sbx runtime configuration to four smoke workflow sources.

Changes:

  • Adds sandbox.agent using AWF and docker-sbx.
  • Enables sudo for each sandbox agent.
  • Generated lock workflows remain stale.
Show a summary per file
File Description
smoke-docker-sbx.md Configures Docker sbx runtime.
smoke-docker-sbx-build-test.md Configures runtime for build tests.
smoke-docker-sbx-claude.md Configures runtime for Claude tests.
smoke-docker-sbx-codex.md Configures runtime for Codex tests.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 7/7 changed files
  • Comments generated: 4
  • Review effort level: Medium

sandbox:
agent:
id: awf
runtime: docker-sbx
sandbox:
agent:
id: awf
runtime: docker-sbx
sandbox:
agent:
id: awf
runtime: docker-sbx
sandbox:
agent:
id: awf
runtime: docker-sbx
@github-actions

Copy link
Copy Markdown
Contributor

✅ Copilot review passed with no inline comments.

@lpcox Add the ready-for-aw label to this PR to trigger agentic CI smoke tests.

@github-actions

Copy link
Copy Markdown
Contributor

✅ Coverage Check Passed

Overall Coverage

Metric Base PR Delta
Lines 98.92% 98.95% 📈 +0.03%
Statements 98.88% 98.91% 📈 +0.03%
Functions 99.34% 99.34% ➡️ +0.00%
Branches 95.11% 95.11% ➡️ +0.00%
📁 Per-file Coverage Changes (1 files)
File Lines (Before → After) Statements (Before → After)
src/log-directory-setup.ts 96.2% → 100.0% (+3.78%) 96.3% → 100.0% (+3.71%)

Coverage comparison generated by scripts/ci/compare-coverage.ts

lpcox and others added 17 commits July 12, 2026 14:26
execa throws 'Cannot read properties of null (reading end)' when
input is provided but stdio[0] is 'ignore'. Change stdin to 'pipe'
so the confirmation input can be written to the sbx create process.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Replace the released binary install step with a source build so the
stdin pipe fix in sbx-manager.ts is exercised in CI.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Removing XDG_CONFIG_HOME from the environment passed to sbx create
prevents the sbx CLI from finding Docker Hub credentials stored by
sbx login, causing 'user is not authenticated' errors even though
the daemon pre-pulled the image successfully.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
The released AWF binary (v0.27.30) has a bug where execa crashes with
'Cannot read properties of null (reading end)' because stdio[0] is set
to 'ignore' while input is provided. Build from source to include the
fix (stdio[0] changed to 'pipe').

This is a temporary workaround until a new AWF version is released.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
The compiled dist references ../containers/api-proxy/provider-env-constants.json
relative to the dist/ directory.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Passing a custom sanitized env to execa replaces the entire process
environment, which strips variables the sbx CLI needs to locate its
daemon socket and credential store. This causes 'user is not
authenticated to Docker' errors even when sbx login was run moments
before.

Instead, temporarily set DOCKER_SANDBOXES_PROXY in process.env and
restore it after the call, letting sbx inherit the full environment.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Revert to the original behavior from PR #6101: delete DOCKER_SANDBOXES_PROXY
from the env during sbx create. Setting it forces the sbx daemon to route
Docker Hub registry auth through Squid, which blocks the pull and causes
'user is not authenticated to Docker' errors.

The proxy is set at exec time instead, which is after Squid is fully
configured and ready.

Also reverts the process.env change (security issue: would have leaked
secrets like GITHUB_TOKEN, DOCKER_PAT etc to the sbx CLI). The sanitized
env approach (sanitizeEnvForSbx) is the correct security boundary.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
sbx create is a management command that talks to the local daemon — it
does not run user code inside the sandbox. Passing a custom sanitized env
strips variables the sbx CLI needs to locate the daemon's credential
store, causing 'user is not authenticated to Docker' errors.

The sandbox interior's env is controlled separately by execInSandbox()
which still uses sanitizeEnvForSbx() to strip secrets.

DOCKER_SANDBOXES_PROXY is temporarily removed during create to prevent
routing Docker Hub registry auth through Squid (which isn't ready yet).

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
The Copilot harness sets XDG_CONFIG_HOME=$HOME before running AWF.
This makes the sbx CLI look for credentials in $HOME/ instead of the
default $HOME/.config/ where 'sbx login' stored them (sbx login runs
in a step before the harness, with XDG_CONFIG_HOME unset).

Temporarily unset XDG_CONFIG_HOME during sbx create so the sbx CLI
finds the daemon credentials at the correct default path.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Add source build + credential refresh step to match the other lock files.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
@github-actions

github-actions Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Smoke Gemini completed. All facets verified. 💎

@github-actions

github-actions Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Build Test Suite completed successfully!

@github-actions

github-actions Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

🔌 Smoke Services — All services reachable! ✅

@github-actions

github-actions Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

📰 VERDICT: Smoke Docker Sbx has concluded. All systems operational. This is a developing story. 🎤

@github-actions

Copy link
Copy Markdown
Contributor

Thanks for the focused runtime configuration change. One contribution-guideline item needs clarification: the PR description says lock files are not recompiled, but the diff includes changes to the generated .lock.yml files (metadata, secrets, action references, and runtime-related steps). Under CONTRIBUTING.md, please update the description to accurately describe these generated changes and confirm they are intentional, or remove unintended generated output. Also, per the PR requirements to include tests for new functionality, please add or link to the relevant workflow validation (or explain why the frontmatter-only change does not require an additional test).

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Contribution Check for #6153 · 5.89 AIC · ⊞ 19.3K ·
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

Smoke Test: Copilot BYOK Direct Mode

✅ GitHub.com Connectivity (HTTP 200)
✅ File Write/Read Test
✅ BYOK Inference Path (api-proxy → api.githubcopilot.com)
✅ MCP Connectivity

Status: PASS — Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY)

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 BYOK report filed by Smoke Copilot BYOK
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

Smoke Test: Copilot PAT Auth — ⚠️ INCOMPLETE

Test Result
MCP Connectivity ❌ MCP tools unavailable in sandbox
GitHub.com HTTP ❌ Template vars unresolved
File Write/Read ❌ Template vars unresolved

Overall: FAIL — workflow template variables were not substituted (pre-step outputs missing).
Auth mode: PAT (COPILOT_GITHUB_TOKEN)

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 PAT report filed by Smoke Copilot PAT
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

Smoke Test Results

Test Result
GitHub MCP
github.com HTTP ✅ 200
File Write/Read

Overall: PASS

Author: @lpcox

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

Smoke Test: Claude Engine Validation

Check Result
API status ✅ PASS
GH check ✅ PASS
File status ✅ PASS

Overall result: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Smoke Claude for #6153 · 55 AIC · ⊞ 3.3K ·
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

✅ GitHub MCP connectivity
✅ GitHub.com connectivity
✅ File write/read test
✅ BYOK inference test

Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw)

PASS
cc @lpcox

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 BYOK (AOAI api-key) report filed by Smoke Copilot BYOK AOAI (api-key)
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

Smoke Test Results

  • Redis PING: ❌ Network unreachable
  • PostgreSQL pg_isready: ❌ No response
  • PostgreSQL SELECT 1: ❌ Network unreachable

Overall: FAILhost.docker.internal (172.17.0.1) is not reachable. Service containers may not be running or the network route is unavailable.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔌 Service connectivity validated by Smoke Services
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

Smoke Test: API Proxy OpenTelemetry Tracing

Scenario Result Notes
Module Loading ✅ Pass otel.js loads; exports: startRequestSpan, setTokenAttributes, setBudgetAttributes, endSpan, endSpanError, shutdown, isEnabled
Test Suite ✅ Pass 59 tests passed across otel.test.js + otel-fanout.test.js (2 suites, 0 failures)
Env Var Forwarding ✅ Pass api-proxy-env-config.test.ts confirms forwarding of all 6 OTEL env vars
Token Tracker Integration ✅ Pass onUsage callback present in token-tracker-http.js (lines 285/343)
OTEL Diagnostics ✅ Pass Graceful degradation confirmed — falls back to file exporter when no endpoint configured

All 5 scenarios passed. OTEL tracing integration is functional.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

📡 OTel tracing validated by Smoke OTel Tracing
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

Recent merged PRs: compiled workflows; compiled workflows
✅ GitHub PR review
✅ GH CLI query
✅ Playwright title check
✅ File write/read
✅ Discussion comment
✅ npm ci && npm run build
Overall status: PASS

Warning

Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

  • awmgmcpg
  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

Gemini Smoke Test Results

  • GitHub MCP Testing: ❌ (Tools not found)
  • GitHub.com Connectivity: ❌ (DNS SERVFAIL)
  • File Writing Testing: ✅
  • Bash Tool Testing: ✅

Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

@lpcox Smoke Test Results:

  • GitHub MCP Testing: ✅
  • GitHub.com connectivity: ✅
  • File write/read: ✅
  • Direct BYOK inference: ✅

Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra

Overall: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🪪 BYOK (AOAI Entra) report filed by Smoke Copilot BYOK AOAI (Entra)
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

Chroot Version Comparison Results

Runtime Host Version Chroot Version Match?
Python Python 3.12.13 Python 3.12.3 ❌ NO
Node.js v24.18.0 v22.23.1 ❌ NO
Go go1.22.12 go1.22.12 ✅ YES

ALL_TESTS_PASSED: false — Python and Node.js versions differ between host and chroot environments.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Tested by Smoke Chroot
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

🔥 Smoke Test: Docker Sbx — PASS

Test Result
GitHub MCP connectivity
GitHub.com HTTP ✅ (pre-step)
File write/read ✅ (pre-step)

Overall: PASS

PR by @lpcox — "Set runtime to docker-sbx in smoke-docker-sbx workflow frontmatter"

📰 BREAKING: Report filed by Smoke Docker Sbx
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color passed ✅ PASS
Go env passed ✅ PASS
Go uuid passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx passed ✅ PASS
Node.js execa passed ✅ PASS
Node.js p-limit passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Note: Java Maven required a writable local repository path (-Dmaven.repo.local=/tmp/...) since the default ~/.m2/repository was owned by root.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Build Test Suite for #6153 · 29.2 AIC · ⊞ 6.9K ·
Add label ready-for-aw to run again

@lpcox lpcox merged commit 70f9027 into main Jul 13, 2026
140 of 141 checks passed
@lpcox lpcox deleted the set-docker-sbx-runtime branch July 13, 2026 01:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants