feat(compile): add awf_path_prepends for chroot PATH injection #358
Closed
jamesadevine wants to merge 9 commits into main from
…runtime
AWF replaces $HOME with an empty directory overlay for security,
only mounting specific known subdirectories (.cargo, .rustup, etc.).
The Lean toolchain installed at $HOME/.elan/ was not mounted,
causing lean/lake/elan binaries to be missing inside the chroot.
Add required_awf_mounts() to the CompilerExtension trait so
extensions can declare Docker volume mounts needed inside the AWF
chroot. The Lean extension returns $HOME/.elan:C:\Users\devinejames/.elan:ro
to mount the elan toolchain read-only.
The compiler collects mounts from all extensions via
generate_awf_mounts() and injects them as --mount flags on
the AWF invocation through a new {{ awf_mounts }} template
marker in both standalone and 1ES base templates.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Agent-Logs-Url: https://github.com/githubnext/ado-aw/sessions/3352a7f0-905a-491f-a9df-3aefb8ffec4b
Co-authored-by: jamesadevine <4742697+jamesadevine@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…emove from detection job
Agent-Logs-Url: https://github.com/githubnext/ado-aw/sessions/5651c5dd-be03-4f3b-86d5-4f925a895a21
Co-authored-by: jamesadevine <4742697+jamesadevine@users.noreply.github.com>
Agent-Logs-Url: https://github.com/githubnext/ado-aw/sessions/f5e68c33-b3b9-4193-bb1f-fac6137f299f
Co-authored-by: jamesadevine <4742697+jamesadevine@users.noreply.github.com>
Move {{ awf_mounts }} to its own template line so replace_with_indent
handles indentation automatically. When no mounts exist, emit a bare
bash continuation marker (\) to preserve the surrounding \-chain.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Always store an explicit AwfMountMode instead of Option<AwfMountMode>. Parsing 'host:container' without a mode suffix now defaults to ReadOnly (secure default). Display/Serialize always emit the mode suffix so generated AWF flags are self-documenting.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
… test
The symlink loop was removed from generate_lean_install() but the doc still referenced it. Also adds a test for single-segment AwfMount parse input to lock the error contract.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…PATH injection
Add a new CompilerExtension trait method awf_path_prepends() that lets extensions declare directories to prepend to PATH inside the AWF chroot. The compiler collects these paths and generates a dedicated pipeline step (Generate GITHUB_PATH file) that writes them to a file and sets the GITHUB_PATH env var via ##vso[task.setvariable]. AWF natively reads this file at startup and merges entries into the chroot PATH, bypassing the sudo secure_path reset that strips custom PATH entries. LeanExtension declares \C:\Users\devinejames/.elan/bin so lean, lake, and elan are discoverable by the agent without requiring absolute paths.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
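Added illustration, not code from the ado-aw repository: a minimal Rust sketch of the AwfMount parsing contract described in the commits above (a missing mode suffix defaults to ReadOnly, Display always emits the suffix, single-segment input is an error). The field names, the ReadWrite variant with its `rw` suffix, and the String error type are assumptions.

```rust
use std::{fmt, str::FromStr};

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
enum AwfMountMode {
    ReadOnly,
    ReadWrite, // assumed variant; the page only names ReadOnly
}

#[derive(Debug, PartialEq, Eq)]
struct AwfMount {
    host: String,       // assumed field name
    container: String,  // assumed field name
    mode: AwfMountMode, // always explicit, never Option<AwfMountMode>
}

impl FromStr for AwfMount {
    type Err = String;
    fn from_str(s: &str) -> Result<Self, Self::Err> {
        let parts: Vec<&str> = s.split(':').collect();
        let (host, container, mode) = match parts.as_slice() {
            // No suffix: fall back to the secure default.
            [h, c] => (h, c, AwfMountMode::ReadOnly),
            [h, c, m] => match *m {
                "ro" => (h, c, AwfMountMode::ReadOnly),
                "rw" => (h, c, AwfMountMode::ReadWrite),
                other => return Err(format!("unknown mount mode {other:?}")),
            },
            // Single-segment (or over-long) input is rejected, not guessed at.
            _ => return Err(format!("expected host:container[:mode], got {s:?}")),
        };
        if host.is_empty() || container.is_empty() {
            return Err(format!("empty path in {s:?}"));
        }
        Ok(AwfMount { host: host.to_string(), container: container.to_string(), mode })
    }
}
impl fmt::Display for AwfMount {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        let mode = match self.mode {
            AwfMountMode::ReadOnly => "ro",
            AwfMountMode::ReadWrite => "rw",
        };
        write!(f, "{}:{}:{}", self.host, self.container, mode)
    }
}

fn main() {
    let m: AwfMount = "$HOME/.elan:$HOME/.elan".parse().unwrap();
    println!("--mount {m}"); // mode suffix is always written out
}
```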
Collaborator, Author
Replaced with a clean branch cherry-picked from latest main.
Summary

Adds `awf_path_prepends()` to the `CompilerExtension` trait so extensions can declare directories that should be on PATH inside the AWF chroot. The Lean runtime uses this to make `lean`, `lake`, and `elan` discoverable without absolute paths.

Problem

After PR #354 added the `$HOME/.elan` AWF mount, the agent could access Lean binaries at `~/.elan/bin/lean` — but `lean` wasn't on PATH. The agent had to do an extra step (`which lean` fails → `~/.elan/bin/lean -h` works) before it could use Lean.

Root cause: `sudo` resets PATH via `secure_path`. AWF reconstructs PATH internally from `process.env.PATH` (post-sudo, missing elan). On GitHub Actions, AWF reads the `$GITHUB_PATH` file to recover lost paths, but no equivalent existed for ADO.

Solution

- `CompilerExtension::awf_path_prepends()` trait method — extensions declare bin directories to inject into the chroot PATH
- `LeanExtension` returns `["$HOME/.elan/bin"]`
- `generate_awf_path_step()` generates a dedicated pipeline step ("Generate GITHUB_PATH file") that writes path entries to a file and sets `GITHUB_PATH` via `##vso[task.setvariable]`
- … `$GITHUB_PATH` at startup and merges entries into the chroot PATH

Generated step (when Lean is enabled):

Changes

- `src/compile/extensions/mod.rs`: `awf_path_prepends()` trait method + macro dispatch
- `src/runtimes/lean/extension.rs`: `["$HOME/.elan/bin"]`
- `src/compile/common.rs`: `generate_awf_path_step()` + tests
- `src/compile/standalone.rs`
- `src/compile/onees.rs`
- `src/data/base.yml`: `{{ awf_path_step }}` marker
- `src/data/1es-base.yml`: `{{ awf_path_step }}` marker
- `src/compile/extensions/tests.rs`
- `docs/extending.md`
- `docs/template-markers.md`: `{{ awf_path_step }}`

Testing

`awf_path_prepends()` default + Lean impl, and `generate_awf_path_step()` with/without Lean
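Added sketch, not the project's `generate_awf_path_step()` and not the generated step the description refers to: one way a step generator could validate path entries before writing them, one per line, to the file that `GITHUB_PATH` points at. The function names, the file name `awf_github_path`, and the allowed character set are assumptions.

```rust
/// Hypothetical validator: accept only absolute paths or paths under $HOME,
/// built from a conservative character set, so an entry can neither add an
/// extra line to the path file nor break out of the quoted `echo` below.
fn validate_prepend(entry: &str) -> Result<(), String> {
    let rest = entry
        .strip_prefix("$HOME/")
        .or_else(|| entry.strip_prefix('/'))
        .ok_or_else(|| format!("not absolute or under $HOME: {entry:?}"))?;
    let ok = !rest.is_empty()
        && rest.chars().all(|c| c.is_ascii_alphanumeric() || "/._-".contains(c))
        && !rest.split('/').any(|seg| seg == "..");
    if ok { Ok(()) } else { Err(format!("unsafe PATH entry: {entry:?}")) }
}

/// Sketch of a step generator. No entries means no step is emitted at all.
fn generate_path_step(prepends: &[&str]) -> Result<String, String> {
    if prepends.is_empty() {
        return Ok(String::new());
    }
    // $(Agent.TempDirectory) is an Azure Pipelines macro expanded before the
    // script runs; the file name is an assumption of this sketch.
    let mut step = String::from(
        "- bash: |\n    PATH_FILE=\"$(Agent.TempDirectory)/awf_github_path\"\n    : > \"$PATH_FILE\"\n",
    );
    for p in prepends {
        validate_prepend(p)?;
        // $HOME is expanded by bash when the step runs on the agent.
        step.push_str(&format!("    echo \"{p}\" >> \"$PATH_FILE\"\n"));
    }
    step.push_str("    echo \"##vso[task.setvariable variable=GITHUB_PATH]$PATH_FILE\"\n");
    step.push_str("  displayName: Generate GITHUB_PATH file\n");
    Ok(step)
}

fn main() {
    print!("{}", generate_path_step(&["$HOME/.elan/bin"]).unwrap());
}
```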