fix: propagate RunnerConfig to detection job to fix arc-dind Copilot ENOENT#44445
Conversation
…ENOENT On arc-dind runners, the threat-detection job was silently no-oping because threatDetectionData was constructed without RunnerConfig. This caused isArcDindTopology() to return false for detection, so: - No "Copy Copilot CLI to daemon-visible path" staging step was emitted - The Copilot binary path resolved to /usr/local/bin/copilot (not present in the AWF chroot on the dind daemon's filesystem) → spawn ENOENT Fix: propagate data.RunnerConfig to threatDetectionData so detection uses the same arc-dind topology handling as the agent job. Tests: add TestBuildDetectionEngineExecutionStepArcDindTopology asserting that arc-dind detection emits the staging step and uses the daemon-visible copilot path, and that non-arc-dind detection uses /usr/local/bin/copilot. Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
|
@copilot apply fix to evals job as well |
There was a problem hiding this comment.
Pull request overview
Fixes threat-detection silently no-op’ing on arc-dind runners by propagating RunnerConfig into the detection job’s WorkflowData, ensuring arc-dind-specific Copilot CLI staging and the daemon-visible spawn path are applied consistently.
Changes:
- Propagate
RunnerConfigwhen constructingthreatDetectionDatasoisArcDindTopology(...)works for the detection job. - Add a regression test covering arc-dind vs non-arc-dind behavior for detection engine installation/execution steps.
Show a summary per file
| File | Description |
|---|---|
| pkg/workflow/threat_detection_inline_engine.go | Propagates RunnerConfig into the detection job’s WorkflowData so arc-dind handling triggers. |
| pkg/workflow/threat_detection_test.go | Adds regression coverage asserting arc-dind emits the Copilot staging step and uses the daemon-visible Copilot path. |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 2/2 changed files
- Comments generated: 1
- Review effort level: Low
| // The execution step must reference the daemon-visible binary, not the sysroot one. | ||
| if !strings.Contains(allSteps, constants.GhAwRootDirShell+"/bin/copilot") { | ||
| t.Errorf("expected detection execution to use %q for arc-dind;\ngot:\n%s", constants.GhAwRootDirShell+"/bin/copilot", allSteps) | ||
| } |
…sertions Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Done in commit Changes made:
|
|
@copilot please run the
|
|
🎉 This pull request is included in a new release. Release: |
On
arc-dindrunners, the threat-detection job silently no-ops: AWF spawns/usr/local/bin/copilotinside the chroot (which runs on the dind daemon's filesystem where that path doesn't exist), getsENOENT, and thecontinue-on-error: trueon the execution step swallows the failure — detection appears green while never running.Root cause
buildDetectionEngineExecutionStepconstructs a freshthreatDetectionDatawithout copyingRunnerConfigfrom the parentdata. This makesisArcDindTopology(threatDetectionData)alwaysfalse, so two arc-dind behaviors are skipped for detection only:nodejs.go: the "Copy Copilot CLI to daemon-visible path" step is gated onisFirewallEnabled && isArcDindTopology→ not emittedcopilot_engine_execution.go:resolveCopilotCommandfalls through toconstants.CopilotBinaryPath(/usr/local/bin/copilot) instead of${RUNNER_TEMP}/gh-aw/bin/copilotFix
One-line change in
threat_detection_inline_engine.go:Tests
TestBuildDetectionEngineExecutionStepArcDindTopologyinthreat_detection_test.go:${RUNNER_TEMP}/gh-aw/bin/copilot/usr/local/bin/copilotwith no staging step