
Fix AWF resolution in PR Sous Chef detection job #32169

Closed
Copilot wants to merge 7 commits into main from copilot/aw-fix-pr-sous-chef-failure

Copilot AI commented May 14, 2026

Bug Fix

What was the bug?

PR Sous Chef failed with a downstream “No Safe Outputs Generated” symptom, but the actual break was earlier in threat detection: the detection job never started AWF because sudo -E awf resolved to no binary on the runner (sudo: awf: command not found).

How did you fix it?

  • Secure-path compatibility

    • Update actions/setup/sh/install_awf_binary.sh to expose the installed AWF binary at /usr/bin/awf on Linux.
    • This keeps existing workflow invocations of sudo -E awf working even when sudo does not include /usr/local/bin in its effective PATH.
  • Installer hardening

    • Verify the installed AWF target exists before creating the compatibility symlink.
    • Fail early with clearer install-time errors when the binary is missing or the symlink cannot be created.
  • Detection-path verification

    • Add an explicit post-install check that awf is callable under a minimal sudo-style secure path, matching the execution mode used by detection jobs.

Example

# Before: succeeds only if /usr/local/bin is visible to sudo
sudo -E awf --version

# After install: awf is also available via secure_path
sudo env PATH="/usr/sbin:/usr/bin:/sbin:/bin" awf --version

Changeset

  • Type: patch
  • Description: Fixed AWF resolution in the PR Sous Chef detection job by making the installed awf binary available under a secure sudo path on Linux and validating the install-time compatibility symlink.

Generated by Changeset Generator for issue #32169
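The installer hardening and secure-path check listed in the description above, sketched as an added example; this is not the code from this pull request or from install_awf_binary.sh. The function names, the directory arguments and the stub `awf` script are assumptions, and a temporary sandbox stands in for /usr/local/bin and /usr/bin so it runs without root.

```shell
#!/bin/sh
# Added example, not the project's install_awf_binary.sh. Function names and
# the directory arguments are hypothetical; the PR's real link is /usr/bin/awf.

# link_into_secure_path TARGET LINK_DIR
# Link TARGET into LINK_DIR only if TARGET is an executable regular file, and
# never replace a real file that already sits at the link location.
link_into_secure_path() (
  target=$1
  link="$2/$(basename "$target")"
  if [ ! -f "$target" ] || [ ! -x "$target" ]; then
    echo "install error: $target is missing or not executable" >&2
    exit 1
  fi
  if [ -e "$link" ] && [ ! -L "$link" ]; then
    echo "install error: $link exists and is not a symlink" >&2
    exit 2
  fi
  ln -sfn "$target" "$link" 2>/dev/null || {
    echo "install error: cannot create $link" >&2
    exit 3
  }
)

# resolves_under NAME SEARCH_PATH
# Print where NAME resolves when only SEARCH_PATH is searched (what sudo does
# with secure_path); non-zero status if it does not resolve.
resolves_under() (
  PATH=$2
  hash -r
  command -v "$1"
)

# demo: constructed sandbox standing in for /usr/local/bin and /usr/bin.
demo() (
  root=$(mktemp -d) || exit 1
  trap 'rm -rf "$root"' EXIT
  mkdir -p "$root/usr/local/bin" "$root/usr/bin"
  printf '#!/bin/sh\necho "awf 0.0.0-constructed"\n' > "$root/usr/local/bin/awf"
  chmod +x "$root/usr/local/bin/awf"
  secure="$root/usr/sbin:$root/usr/bin:$root/sbin:$root/bin"  # sandboxed secure_path
  resolves_under awf "$secure" >/dev/null && exit 10   # must fail before linking
  link_into_secure_path "$root/usr/local/bin/awf" "$root/usr/bin" || exit 11
  [ "$(resolves_under awf "$secure")" = "$root/usr/bin/awf" ] || exit 12
  env -i PATH="$secure" awf --version       # runs through the symlink
)
demo
```

The distinct exit codes separate a missing binary from an occupied link location and from a failed `ln`, which is the kind of install-time signal that would have surfaced this failure before the detection job ran.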

Copilot AI linked an issue May 14, 2026 that may be closed by this pull request
Copilot AI and others added 5 commits May 14, 2026 15:48
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix PR Sous Chef workflow failure Fix AWF resolution in PR Sous Chef detection job May 14, 2026
Copilot AI requested a review from pelikhan May 14, 2026 15:52
@pelikhan pelikhan added the smoke label May 14, 2026
@pelikhan pelikhan requested review from lpcox and salmanmkc May 14, 2026 17:11

github-actions Bot commented May 14, 2026

⚠️ Security scanning failed for Smoke OTEL Backends. Review the logs for details.

@github-actions github-actions Bot removed the smoke label May 14, 2026

github-actions Bot commented May 14, 2026

⚠️ Security scanning failed for Smoke Gemini. Review the logs for details.


github-actions Bot commented May 14, 2026

⚠️ Security scanning failed for Smoke Claude. Review the logs for details.


github-actions Bot commented May 14, 2026

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟


github-actions Bot commented May 14, 2026

Smoke OTEL — OTEL telemetry verified


github-actions Bot commented May 14, 2026

🚀 Smoke Pi MISSION COMPLETE! Pi delivered. 🥧

@github-actions

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

@github-actions

Commit pushed: 72dae5a

Generated by Changeset Generator

@github-actions

Agent Container Tool Check

Tool Status Version
bash 5.2.21
sh available
git 2.53.0
jq 1.7
yq 4.52.5
curl 8.5.0
gh 2.89.0
node 22.22.2
python3 3.10.16 (PyPy 7.3.19)
go 1.24.13
java 21.0.10 (Temurin)
dotnet 10.0.201

Result: 12/12 tools available ✅

Overall Status: PASS

🔧 Tool validation by Agent Container Smoke Test · ● 2.1M

@github-actions

Smoke Test Codex 25874070518: FAIL
PRs: #32161 Remove firewall.effective-token-steering frontmatter key; #32136 Add missing pkg/linters package spec and complete pkg/cli dependency list
✅ GitHub MCP, Serena, Playwright fallback, file write/read, build, cache
❌ Web-fetch MCP unavailable; set-field could not target new issue number
⚠️ Comment memory skipped: no files

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

  • accounts.google.com
  • android.clients.google.com
  • clients2.google.com
  • contentautofill.googleapis.com
  • safebrowsingohttpgateway.googleapis.com
  • www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

@github-actions

⚠️ Security scanning failed for Smoke Copilot. Review the logs for details.


Development

Successfully merging this pull request may close these issues.

[aw] PR Sous Chef failed
