Propagate runner topology into detection AWF image pre-pull#45274
Conversation
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
|
✅ PR Code Quality Reviewer completed the code quality review. |
|
✅ Design Decision Gate 🏗️ completed the design decision gate check. No ADR enforcement needed: PR #45274 does not have the 'implementation' label and has ≤100 new lines of code in business logic directories (96 additions across 4 files, threshold is 100). |
|
✅ Test Quality Sentinel completed test quality analysis. |
|
🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅ |
There was a problem hiding this comment.
Pull request overview
Propagates runner topology into synthetic threat-detection contexts so arc-dind jobs pre-pull required AWF images.
Changes:
- Centralizes detection
WorkflowDataconstruction. - Adds arc-dind build-tools pre-pull regression tests.
- Updates one generated workflow’s AWF runtime metadata.
Show a summary per file
| File | Description |
|---|---|
pkg/workflow/threat_detection_external.go |
Adds shared detection context construction. |
pkg/workflow/threat_detection_inline_engine.go |
Uses the shared context helper. |
pkg/workflow/threat_detection_test.go |
Tests topology-sensitive image pre-pulling. |
.github/workflows/sighthound-security-scan.lock.yml |
Updates generated AWF version and digests. |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 4/4 changed files
- Comments generated: 1
- Review effort level: Medium
There was a problem hiding this comment.
The fix is correct and well-structured. buildThreatDetectionWorkflowData now consistently propagates RunnerConfig across all detection paths (pull, inline, external), and the new helper eliminates the drift that caused the arc-dind build-tools image to be omitted from the pre-pull step. Tests are focused and cover both the positive and negative cases.
🧵 Reviewed using Impeccable skills by Impeccable Skills Reviewer · 18.6 AIC · ⌖ 4.92 AIC · ⊞ 4.8K
🧪 Test Quality Sentinel Report✅ Test Quality Score: 100/100 — Excellent
📊 Metrics (2 tests)
Verdict
The single new test function Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
There was a problem hiding this comment.
Non-blocking observations on the refactor; the core topology-propagation fix looks correct.
### Findings summary
Medium — Mounts assignment clobbers instead of appends (threat_detection_external.go line 141): assigning Mounts directly is fragile; use append to avoid silently discarding mounts added by the helper in future.
Medium — Duplicated engine-default logic (threat_detection_external.go line 73): buildPullAWFContainersStep still applies its own "claude" fallback before calling the helper, which has its own identical fallback — two divergence points for a one-line rule.
Medium — Silent permissions propagation into pull step (threat_detection_external.go line 83): the shared helper copies Permissions/CachedPermissions into the image-pull WorkflowData where the old code did not, with no test coverage confirming this has no effect on collectDockerImages.
None of these block the stated fix, but the Mounts assignment is a trap for the next refactor.
🔎 Code quality review by PR Code Quality Reviewer · 50.2 AIC · ⌖ 4.7 AIC · ⊞ 5.4K
Comment /review to run again
Comments that could not be inline-anchored
pkg/workflow/threat_detection_external.go:141
Mount assignment clobbers rather than merges: directly assigning Mounts will silently discard any mounts that buildThreatDetectionWorkflowData initialises in future refactors.
<details>
<summary>💡 Suggested fix</summary>
The helper currently sets no mounts, so this works today — but it's one helper-update away from a silent regression. Append instead:
threatDetectionData.SandboxConfig.Agent.Mounts = append(
threatDetectionData.SandboxConfig.Agent.Mounts,
constants.Thre…
</details>
<details><summary>pkg/workflow/threat_detection_external.go:73</summary>
**Duplicated engine-default logic will silently diverge**: `buildPullAWFContainersStep` computes an `engineSetting` with its own `"claude"` fallback and then passes the result into `buildThreatDetectionWorkflowData`, which applies the same fallback again — creating two independent places to update.
<details>
<summary>💡 Suggested fix</summary>
Remove the fallback from `buildPullAWFContainersStep` and pass `""` so the helper owns all default logic:
```go
engineSetting := ""
if data.SafeOutput…
</details>
<details><summary>pkg/workflow/threat_detection_external.go:83</summary>
**Silent behavior change: permissions now propagated into the image-pull step**: the old `buildPullAWFContainersStep` only copied `ActionCache` and `Features`. The shared helper also copies `Permissions` and `CachedPermissions` — a change not mentioned in the PR description and not covered by any new test.
<details>
<summary>💡 Why this matters</summary>
If `collectDockerImages` or any downstream consumer of the constructed `WorkflowData` branches on `Permissions`/`CachedPermissions`, pull st…
</details>There was a problem hiding this comment.
Skills-Based Review 🧠
Applied /tdd and /codebase-design — commenting with two targeted observations; no blocking issues.
📋 Key Themes & Highlights
Key Themes
- Test coverage gap:
buildExternalDetectorExecutionStepwas refactored to use the new factory but has no arc-dind topology regression test. The pre-pull and inline-engine paths both have topology tests; the external-detector path doesn't. - Implicit invariant: The
SandboxConfig.Agent.Mountsmutation at line 279 relies on the factory always returning a non-nilAgent. This is true today but undocumented — worth a comment or a guard.
Positive Highlights
- ✅ Clean extraction of
buildThreatDetectionWorkflowData— eliminates three near-identical struct literals and makes topology propagation impossible to miss on future changes - ✅ Regression tests for the pre-pull step follow the arc-dind / non-arc-dind pair pattern already established for the inline engine test
- ✅ PR description accurately describes root cause and fix scope
🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · 72.5 AIC · ⌖ 5.14 AIC · ⊞ 6.6K
Comment /matt to run again
|
@copilot run pr-finisher skill |
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Ran the pr-finisher pass in |
|
@copilot please run the
|
…44249-fix-detection-job Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
Addressed on HEAD |
PR Triage (run 29275650494)\n\nCategory: bug | Risk: high | Score: 75/100 | Action: fast_track\n\nScore: Impact 38/50 + Urgency 25/30 + Quality 12/20\n\nFixes arc-dind threat detection breakage - AWF image pre-pull omitted build-tools, causing silent No Such Image failures on detection jobs. 5 files, +203/-83, regression tests included.
|
|
|
No further code changes were needed on The external-detector topology path already has dedicated regression coverage in I reran the local finisher checks on the current head and they all passed: The branch is already up to date with |
Threat detection on
arc-dindwas still effectively no-oping after the previous fix: the detection execution step ran with arc-dind topology, but the separate AWF image pre-pull step built a different minimalWorkflowDatawithoutRunnerConfig. That causedcollectDockerImagesto omitbuild-tools, so AWF sysroot startup failed withNo such imagewhile the detection job still reported green.Pull-step topology propagation
buildPullAWFContainersStepnow uses detection workflow data that carriesRunnerConfig, so arc-dind detection jobs pre-pull thebuild-toolsimage alongside the existing firewall images.Keep synthetic detection contexts in sync
buildThreatDetectionWorkflowData(...)helper for minimal detection-jobWorkflowData.Comment cleanup
build-tools).Regression coverage
ghcr.io/github/gh-aw-firewall/build-tools:...