Copilot AI commented Dec 5, 2025

Add mounts field to sandbox.agent

Summary

Adds a configuration field "mounts" (string[]) to the sandbox.agent field that allows specifying container mounts using Docker syntax (e.g., "/path/to/source:/path/to/dest:ro"). Custom mounts are automatically sorted alphabetically for consistent output.

Implementation

This PR adds complete support for custom container mounts in AWF (Agent Workflow Firewall) configurations:

Schema & Validation

  • Added mounts array field to sandbox.agent in JSON schema with pattern validation
  • Created validateMountsSyntax() function to validate mount format: source:destination:mode
  • Validates mode is either ro (read-only) or rw (read-write)
  • Provides clear error messages for invalid syntax

AWF Integration

  • Updated AWF argument generation in copilot_engine.go to include custom mounts
  • Custom mounts are automatically sorted alphabetically before being added to AWF arguments
  • Custom mounts are added after standard system mounts (workspace, /tmp, gh CLI binaries)
  • Properly integrated with existing firewall configuration

Parsing & Extraction

  • Added Mounts field to AgentSandboxConfig Go struct
  • Implemented frontmatter extraction logic to parse mounts from YAML configuration

Documentation

  • Added "Custom Mounts" section to sandbox reference guide
  • Included examples and use cases
  • Explained Docker mount syntax

Example Usage

---
name: My Workflow
on: workflow_dispatch
engine: copilot
sandbox:
  agent:
    id: awf
    mounts:
      - "/host/data:/data:ro"
      - "/usr/local/bin/custom-tool:/usr/local/bin/custom-tool:ro"
      - "/tmp/cache:/cache:rw"
network:
  allowed:
    - defaults
---

Your workflow content here.

This generates AWF commands with the custom mounts included as --mount arguments in alphabetical order.

Testing

  • ✅ 11 test cases for mount syntax validation
  • ✅ 4 test cases for sandbox configuration validation
  • ✅ 3 test cases for AWF integration (including alphabetical sorting verification)
  • ✅ All existing firewall and sandbox tests continue to pass
  • ✅ Integration test workflow compiles successfully

Recent Changes

Sorted mounts alphabetically

  • ✅ Custom mounts are now sorted alphabetically before being added to AWF args
  • ✅ Ensures consistent and predictable output across compilations
  • ✅ Added test case to verify sorting behavior

Merged from main

  • ✅ Merged latest changes from main branch (4 commits)
  • ✅ Includes bundler scope narrowing bug fixes
  • ✅ Includes workflow editing support improvements
  • ✅ Includes safe-output jobs enhancements
  • ✅ Includes safe inputs MCP server HTTP launch updates

Recompiled workflows

  • ✅ All 98 workflows compiled successfully
  • ✅ Updated lock files reflect latest changes
  • ✅ No compilation errors

Files Changed

  • pkg/parser/schemas/main_workflow_schema.json - Schema definition
  • pkg/workflow/sandbox.go - Struct and validation
  • pkg/workflow/copilot_engine.go - AWF integration with alphabetical sorting
  • pkg/workflow/frontmatter_extraction.go - YAML parsing
  • pkg/workflow/sandbox_mounts_test.go - Test suite including sorting test
  • pkg/cli/workflows/test-custom-mounts.md - Integration test
  • docs/src/content/docs/reference/sandbox.md - Documentation
  • .github/workflows/*.lock.yml - Recompiled workflows after merge

Original prompt

Add a configuration field "mounts" (string[]) to the sandbox.agent field that allows specifying container mounts (using the usual syntax).

  • add to schema
  • validate syntax
  • implement support with awf by generating --mount ... arguments
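
The validate-then-sort step this description outlines, as an added Go example that is not the PR's code: `checkMount` and `mountArgs` are hypothetical names, and rejecting an empty source or destination is an assumption beyond what the description states.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// checkMount validates one "source:destination:mode" spec.
// Hypothetical helper; not the project's validateMountsSyntax().
func checkMount(spec string) error {
	parts := strings.Split(spec, ":")
	if len(parts) != 3 {
		return fmt.Errorf("mount %q: want source:destination:mode, got %d field(s)", spec, len(parts))
	}
	if parts[0] == "" || parts[1] == "" { // assumption: empty paths are rejected
		return fmt.Errorf("mount %q: source and destination must be non-empty", spec)
	}
	if parts[2] != "ro" && parts[2] != "rw" {
		return fmt.Errorf("mount %q: mode must be ro or rw, got %q", spec, parts[2])
	}
	return nil
}

// mountArgs validates every spec, then emits "--mount <spec>" pairs in
// sorted order so the generated command is identical across compilations.
func mountArgs(mounts []string) ([]string, error) {
	for _, m := range mounts {
		if err := checkMount(m); err != nil {
			return nil, err
		}
	}
	sorted := append([]string(nil), mounts...) // copy: leave the caller's slice untouched
	sort.Strings(sorted)
	args := make([]string, 0, 2*len(sorted))
	for _, m := range sorted {
		args = append(args, "--mount", m)
	}
	return args, nil
}

func main() {
	// Constructed input: two valid specs (unsorted), then one with a bad mode.
	fmt.Println(mountArgs([]string{"/tmp/cache:/cache:rw", "/host/data:/data:ro"}))
	fmt.Println(mountArgs([]string{"/host/data:/data:rwx"}))
}
```

Syntax validation says nothing about which host paths are exposed, so `rw` entries and sensitive sources still need review in the workflow file.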


Copilot AI and others added 2 commits December 5, 2025 16:20
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

pelikhan commented Dec 5, 2025

@copilot continue work

…implementation

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Dec 5, 2025

@copilot continue work

Completed the mounts implementation! The missing piece was adding the extraction logic for the mounts field in the frontmatter parser.

What was added (commit 149d769):

  • Added mounts extraction in pkg/workflow/frontmatter_extraction.go to parse the mounts array from YAML frontmatter
  • Formatted code and recompiled all workflows

Implementation is now complete:

  • ✅ Schema definition with validation pattern
  • ✅ Go struct with Mounts field
  • ✅ Mount syntax validation function
  • ✅ AWF argument generation with custom mounts
  • ✅ Frontmatter extraction
  • ✅ Comprehensive unit tests
  • ✅ Integration test with test workflow

Verified working:
The test workflow compiles successfully and includes custom mounts in the AWF command:

--mount /host/data:/data:ro
--mount /usr/local/bin/custom-tool:/usr/local/bin/custom-tool:ro

All tests pass. Ready for documentation and final validation.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/user

If you need me to access, download, or install something from one of these locations, you can either:

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add mounts configuration field to sandbox.agent" to "Add mounts configuration field to sandbox.agent" Dec 5, 2025
@pelikhan pelikhan marked this pull request as ready for review December 5, 2025 19:53
@pelikhan pelikhan added the smoke label Dec 5, 2025

github-actions bot commented Dec 5, 2025

📰 DEVELOPING STORY: Smoke Copilot Playwright reports failed. Our correspondents are investigating the incident...


github-actions bot commented Dec 5, 2025

📰 DEVELOPING STORY: Smoke Copilot reports failed. Our correspondents are investigating the incident...


github-actions bot commented Dec 5, 2025

💀 Blimey! Changeset Generator failed and walked the plank! No treasure today, matey! ☠️


github-actions bot commented Dec 5, 2025

🤖 ALERT: Smoke Copilot No Firewall failed. ANOMALY_DETECTED. REPAIR_REQUIRED.


github-actions bot commented Dec 5, 2025

🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...


github-actions bot commented Dec 5, 2025

💫 TO BE CONTINUED... Smoke Claude failed! Our hero faces unexpected challenges...


pelikhan commented Dec 5, 2025

@copilot merge main, recompile

Copilot AI and others added 2 commits December 5, 2025 21:10
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan pelikhan added smoke and removed smoke labels Dec 5, 2025

github-actions bot commented Dec 5, 2025

📰 DEVELOPING STORY: Smoke Copilot reports failed. Our correspondents are investigating the incident...


Copilot AI commented Dec 5, 2025

@copilot merge main, recompile

Done! Merged main and recompiled all workflows (commit 8808c24).

What was done:

  • Merged 4 commits from main branch including bundler fixes and safe-input updates
  • Rebuilt the binary successfully
  • Recompiled all 98 workflows with no errors
  • Updated lock files to reflect latest changes

Verified:

  • ✅ All mount-related tests pass
  • ✅ Test workflow compiles and includes custom mounts correctly
  • ✅ No merge conflicts or compilation issues

The mounts feature is fully functional and up-to-date with main.


github-actions bot commented Dec 5, 2025

🤖 ALERT: Smoke Copilot No Firewall failed. ANOMALY_DETECTED. REPAIR_REQUIRED.


github-actions bot commented Dec 5, 2025

📰 DEVELOPING STORY: Smoke Copilot Playwright reports failed. Our correspondents are investigating the incident...


github-actions bot commented Dec 5, 2025

🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...


github-actions bot commented Dec 5, 2025

💫 TO BE CONTINUED... Smoke Claude failed! Our hero faces unexpected challenges...


github-actions bot commented Dec 5, 2025

💀 Blimey! Changeset Generator failed and walked the plank! No treasure today, matey! ☠️


pelikhan commented Dec 5, 2025

@copilot

make sure mounts are sorted

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Dec 5, 2025

@copilot

make sure mounts are sorted

Done! Custom mounts are now sorted alphabetically (commit 16cb6fb).

Changes:

  • Added sort.Strings() to sort mounts before adding them to AWF arguments
  • Ensures consistent, predictable output across compilations
  • Added test case to verify alphabetical sorting

Verified:

  • ✅ All mount tests pass including new sorting test
  • ✅ Test workflow compiles with mounts in alphabetical order
  • ✅ No impact on existing functionality

@pelikhan pelikhan merged commit e41ccff into main Dec 5, 2025
5 checks passed
@pelikhan pelikhan deleted the copilot/add-mounts-configuration-field branch December 5, 2025 21:45