Skip to content

fix: propagate RunnerConfig to detection job to fix arc-dind Copilot ENOENT#44445

Merged
pelikhan merged 3 commits into
mainfrom
copilot/fix-threat-detection-job-no-op
Jul 9, 2026
Merged

fix: propagate RunnerConfig to detection job to fix arc-dind Copilot ENOENT#44445
pelikhan merged 3 commits into
mainfrom
copilot/fix-threat-detection-job-no-op

Conversation

Copilot AI commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

On arc-dind runners, the threat-detection job silently no-ops: AWF spawns /usr/local/bin/copilot inside the chroot (which runs on the dind daemon's filesystem where that path doesn't exist), gets ENOENT, and the continue-on-error: true on the execution step swallows the failure — detection appears green while never running.

Root cause

buildDetectionEngineExecutionStep constructs a fresh threatDetectionData without copying RunnerConfig from the parent data. This makes isArcDindTopology(threatDetectionData) always false, so two arc-dind behaviors are skipped for detection only:

  1. Staging stepnodejs.go: the "Copy Copilot CLI to daemon-visible path" step is gated on isFirewallEnabled && isArcDindTopology → not emitted
  2. Spawn pathcopilot_engine_execution.go: resolveCopilotCommand falls through to constants.CopilotBinaryPath (/usr/local/bin/copilot) instead of ${RUNNER_TEMP}/gh-aw/bin/copilot

Fix

One-line change in threat_detection_inline_engine.go:

threatDetectionData := &WorkflowData{
    // ...
    RunnerConfig: data.RunnerConfig, // propagate runner.topology (e.g. arc-dind) to the detection job
    // ...
}

Tests

TestBuildDetectionEngineExecutionStepArcDindTopology in threat_detection_test.go:

  • arc-dind: detection emits "Copy Copilot CLI to daemon-visible path" and the harness invocation uses ${RUNNER_TEMP}/gh-aw/bin/copilot
  • non-arc-dind regression: detection still uses /usr/local/bin/copilot with no staging step

…ENOENT

On arc-dind runners, the threat-detection job was silently no-oping because
threatDetectionData was constructed without RunnerConfig. This caused
isArcDindTopology() to return false for detection, so:
- No "Copy Copilot CLI to daemon-visible path" staging step was emitted
- The Copilot binary path resolved to /usr/local/bin/copilot (not present
  in the AWF chroot on the dind daemon's filesystem) → spawn ENOENT

Fix: propagate data.RunnerConfig to threatDetectionData so detection
uses the same arc-dind topology handling as the agent job.

Tests: add TestBuildDetectionEngineExecutionStepArcDindTopology asserting
that arc-dind detection emits the staging step and uses the daemon-visible
copilot path, and that non-arc-dind detection uses /usr/local/bin/copilot.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix threat-detection job silent no-op on arc-dind runners fix: propagate RunnerConfig to detection job to fix arc-dind Copilot ENOENT Jul 9, 2026
Copilot AI requested a review from pelikhan July 9, 2026 02:30
@pelikhan pelikhan marked this pull request as ready for review July 9, 2026 02:34
Copilot AI review requested due to automatic review settings July 9, 2026 02:34
@pelikhan

pelikhan commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

@copilot apply fix to evals job as well

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Fixes threat-detection silently no-op’ing on arc-dind runners by propagating RunnerConfig into the detection job’s WorkflowData, ensuring arc-dind-specific Copilot CLI staging and the daemon-visible spawn path are applied consistently.

Changes:

  • Propagate RunnerConfig when constructing threatDetectionData so isArcDindTopology(...) works for the detection job.
  • Add a regression test covering arc-dind vs non-arc-dind behavior for detection engine installation/execution steps.
Show a summary per file
File Description
pkg/workflow/threat_detection_inline_engine.go Propagates RunnerConfig into the detection job’s WorkflowData so arc-dind handling triggers.
pkg/workflow/threat_detection_test.go Adds regression coverage asserting arc-dind emits the Copilot staging step and uses the daemon-visible Copilot path.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 2/2 changed files
  • Comments generated: 1
  • Review effort level: Low

Comment thread pkg/workflow/threat_detection_test.go Outdated
Comment on lines +2283 to +2286
// The execution step must reference the daemon-visible binary, not the sysroot one.
if !strings.Contains(allSteps, constants.GhAwRootDirShell+"/bin/copilot") {
t.Errorf("expected detection execution to use %q for arc-dind;\ngot:\n%s", constants.GhAwRootDirShell+"/bin/copilot", allSteps)
}
…sertions

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jul 9, 2026

Copy link
Copy Markdown
Contributor Author

@copilot apply fix to evals job as well

Done in commit fix: propagate RunnerConfig to evals job; strengthen arc-dind test assertions.

Changes made:

  1. evals_steps.go: Added RunnerConfig: data.RunnerConfig to evalsData in buildEvalsEngineSteps, mirroring the detection job fix.
  2. evals_steps_test.go: New TestBuildEvalsEngineStepsArcDindTopology test covering both arc-dind (staging step + daemon-visible harness path) and non-arc-dind (no staging, /usr/local/bin/copilot) cases.
  3. threat_detection_test.go: Strengthened the arc-dind assertion to check copilot_harness.cjs ${RUNNER_TEMP}/gh-aw/bin/copilot specifically in the harness invocation line, avoiding the false positive the reviewer flagged (the staging cp command also contains that substring).

@gh-aw-bot

Copy link
Copy Markdown
Collaborator

@copilot please run the pr-finisher skill, address the latest maintainer feedback about applying this fix to the evals job as well, and rerun checks once the branch is up to date.

Generated by 👨‍🍳 PR Sous Chef · 6.67 AIC · ⌖ 8.02 AIC · ⊞ 7.1K ·
Comment /souschef to run again

@pelikhan pelikhan merged commit 56e2b69 into main Jul 9, 2026
29 of 30 checks passed
@pelikhan pelikhan deleted the copilot/fix-threat-detection-job-no-op branch July 9, 2026 03:03
Copilot AI requested a review from gh-aw-bot July 9, 2026 03:03
Copilot stopped work on behalf of gh-aw-bot due to an error July 9, 2026 03:03
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

🎉 This pull request is included in a new release.

Release: v0.82.7

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Threat-detection job silently no-ops on arc-dind runners: Copilot binary not staged into the chroot (spawn /usr/local/bin/copilot ENOENT)

4 participants