Skip to content

feat: add runner.topology arc-dind support for ARC/DinD rootless execution#42371

Merged
lpcox merged 3 commits into
mainfrom
arc-dind-rootless-topology
Jun 30, 2026
Merged

feat: add runner.topology arc-dind support for ARC/DinD rootless execution#42371
lpcox merged 3 commits into
mainfrom
arc-dind-rootless-topology

Conversation

@lpcox

@lpcox lpcox commented Jun 29, 2026

Copy link
Copy Markdown
Collaborator

"body": "### Summary\n\nAdds runner.topology: arc-dind as a first-class frontmatter configuration

Generated by PR Description Updater for #42371 · 96.4 AIC · ⌖ 7.45 AIC · ⊞ 4.7K ·

…ution

Add runner.topology configuration to enable ARC/DinD runner topology
detection and rootless agent job execution:

- Add runner.topology field to frontmatter schema and AWF config schema
- Emit {"runner":{"topology":"arc-dind"}} in AWF config JSON
- Add RunnerConfig type with parsing from frontmatter
- Redirect RUNNER_TOOL_CACHE to /tmp/gh-aw/tool-cache on ARC/DinD
- Validate no sudo/apt-get in generated steps when topology is arc-dind
- Add comprehensive tests for all new functionality

The runner.topology key is the single stable contract between gh-aw and
AWF for runner environment detection — AWF resolves all internal details
(network isolation, sysroot image, path-prefix probes, tool cache
validation) from this signal.

Closes #42368

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings June 29, 2026 23:20

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds explicit runner.topology: arc-dind support to gh-aw so compiled workflows can (a) emit a single runner-topology signal into the AWF config JSON, (b) apply ARC/DinD-specific workflow wiring (tool-cache redirection), and (c) validate user-authored step blocks for root-required commands in ARC/DinD mode.

Changes:

  • Introduces RunnerConfig (runner.topology) in frontmatter parsing + WorkflowData, with validation for supported topology values.
  • Emits an AWF config runner section containing topology when set.
  • Adds ARC/DinD rootless validation and an ARC/DinD tool-cache redirection step in the main job.
Show a summary per file
File Description
pkg/workflow/frontmatter_types.go Adds RunnerConfig type and RunnerTopologyArcDind constant; wires runner config into parsed frontmatter struct.
pkg/workflow/runner_config.go Extracts runner.topology from frontmatter and validates allowed topology values.
pkg/workflow/runner_config_test.go Unit tests for runner config extraction/validation and topology helpers.
pkg/workflow/workflow_builder.go Plumbs extracted runner config into initial WorkflowData.
pkg/workflow/compiler_types.go Extends WorkflowData with RunnerConfig.
pkg/workflow/compiler.go Wires runner topology validation into the compiler validation pipeline.
pkg/workflow/runner_topology_validation.go Adds ARC/DinD rootless validation (sudo/apt install detection) for user-authored step blocks.
pkg/workflow/runner_topology_validation_test.go Unit tests for ARC/DinD rootless validation helpers.
pkg/workflow/compiler_yaml_main_job.go Adds an ARC/DinD tool-cache redirection step to the generated main job.
pkg/workflow/awf_config.go Adds runner section to AWF config JSON emission, and helper functions for topology detection.
pkg/workflow/awf_config_test.go Tests that runner.topology is emitted (or omitted) in AWF config JSON.
pkg/parser/schemas/main_workflow_schema.json Updates main workflow frontmatter schema to allow runner.topology: arc-dind.
pkg/workflow/schemas/awf-config.schema.json Updates AWF config schema to allow runner.topology: arc-dind.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 13/13 changed files
  • Comments generated: 2
  • Review effort level: Low

Comment on lines +80 to +104
// containsSudoCommand checks if a line contains a sudo invocation.
// Matches "sudo " at word boundaries but not inside comments or strings mentioning sudo.
func containsSudoCommand(line string) bool {
// Look for sudo as a command (not in a YAML key or comment)
trimmed := strings.TrimSpace(line)
if strings.HasPrefix(trimmed, "#") {
return false
}
// Check for sudo at start of a command or after common shell operators
for _, prefix := range []string{"sudo ", "sudo\t"} {
if strings.Contains(trimmed, prefix) {
return true
}
}
return false
}

// containsAptGetInstall checks if a line contains apt-get install.
func containsAptGetInstall(line string) bool {
trimmed := strings.TrimSpace(line)
if strings.HasPrefix(trimmed, "#") {
return false
}
return strings.Contains(trimmed, "apt-get install") || strings.Contains(trimmed, "apt install")
}
Comment thread pkg/workflow/compiler_yaml_main_job.go Outdated
Comment on lines +246 to +250
// Redirect tool cache for ARC/DinD runners.
// On ARC, the standard RUNNER_TOOL_CACHE=/opt/hostedtoolcache is invisible to the DinD
// daemon's filesystem. Redirecting to /tmp/gh-aw/tool-cache (a shared emptyDir volume)
// ensures setup-* actions install to a path visible to both runner and DinD containers.
if isArcDindTopology(data) {
@lpcox

lpcox commented Jun 29, 2026

Copy link
Copy Markdown
Collaborator Author

@copilot run pr-finisher skill

…e redirection

- Fix containsSudoCommand false positives: only flag sudo when it appears
  as a command invocation (at line start, as inline run: value, or after
  a shell operator). YAML metadata lines like "- name: avoid sudo" no
  longer cause false positive compilation failures.

- Add isYAMLKey/hasSudoInvocation helpers to make the logic clear and
  auditable.

- Move ARC/DinD tool cache redirection step to before runtime setup steps
  so setup-* actions (setup-go, setup-node, etc.) see the redirected
  RUNNER_TOOL_CACHE path. Add mkdir -p to create the directory before
  it is referenced.

- Add/extend tests: TestContainsSudoCommand covers command-start,
  inline run:, shell operators, and false-positive cases; updated
  TestValidateArcDindRootless covers step-name false positive; apply
  require.Error per testifylint; use strings.SplitSeq per modernize.

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

Copilot AI commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

@copilot run pr-finisher skill

Done. Two issues fixed in commit fix: address review feedback on arc-dind sudo detection and tool cache redirection:

containsSudoCommand false positives — The function now distinguishes metadata YAML lines from shell commands. When a line is a YAML key-value pair, it only inspects the value when the key is run; all other keys (name, id, if, uses, etc.) return false immediately. Added isYAMLKey/hasSudoInvocation helpers to make the logic auditable. New TestContainsSudoCommand suite covers command-start, inline run: value, shell operators, and all the false-positive cases.

Tool cache redirection step ordering — The ARC/DinD RUNNER_TOOL_CACHE redirect step is now emitted before the runtime setup steps block, so setup-* actions (setup-go, setup-node, etc.) see the redirected path when they install tools. Also added mkdir -p /tmp/gh-aw/tool-cache to the step so the directory exists before it's referenced.

@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

🚀 Smoke Antigravity MISSION COMPLETE! Antigravity has spoken. ✨

@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

🎬 THE ENDSmoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready.

@github-actions

Copy link
Copy Markdown
Contributor

📰 BREAKING: Smoke Copilot - AOAI (Entra) is now investigating this pull request. Sources say the story is developing...

@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

🚀 Smoke Pi MISSION COMPLETE! Pi delivered. 🥧

@github-actions

Copy link
Copy Markdown
Contributor

📰 BREAKING: Smoke Copilot - AOAI (apikey) is now investigating this pull request. Sources say the story is developing...

@github-actions

Copy link
Copy Markdown
Contributor

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

🚀 Smoke Gemini MISSION COMPLETE! Gemini has spoken. ✨

Testing

@github-actions

Copy link
Copy Markdown
Contributor

Agent Container Tool Check

Tool Status Version
bash 5.2.21
sh available
git 2.54.0
jq 1.7
yq v4.53.3
curl 8.5.0
gh 2.95.0
node 22.23.0
python3 3.11.15 (PyPy 7.3.23)
go 1.24.13
java 21.0.11 (Temurin)
dotnet 10.0.301

Result: 12/12 tools available ✅

Overall Status: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔧 Tool validation by Agent Container Smoke Test · 16.3 AIC · ⌖ 6.36 AIC · ⊞ 4.6K ·
Comment /smoke-test-tools to run again

@github-actions

Copy link
Copy Markdown
Contributor

Smoke Test: Gemini Results

  • GitHub MCP Testing: ✅
  • Web Fetch Testing: ✅
  • File Writing Testing: ✅
  • Bash Tool Testing: ✅
  • Build gh-aw: ❌

Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

Smoke Gemini — Powered by Gemini ·
Comment /smoke-gemini to run again

@github-actions

Copy link
Copy Markdown
Contributor

Comment Memory

Lanterns in quiet code
Build logs breathe across midnight
Green checks hold the line

Note

This comment is managed by comment memory.

It stores persistent context for this thread in the code block at the top of this comment.
Edit only the text inside the backtick fences; workflow metadata and the footer are regenerated automatically.

Learn more about comment memory

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

  • accounts.google.com
  • android.clients.google.com
  • clients2.google.com
  • contentautofill.googleapis.com
  • safebrowsingohttpgateway.googleapis.com
  • www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex · 6.56 AIC · ⌖ 0.947 AIC · ⊞ 10.9K ·
Comment /smoke-codex to run again

@github-actions

Copy link
Copy Markdown
Contributor

🧪 Smoke Test: Claude — Run 28412908793

Core #1-12: ✅ all passed
PR Review #13-18: ✅ all passed | #19: ⚠️ skipped (no safe test PR)

Overall: PASS

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

  • accounts.google.com
  • android.clients.google.com
  • clients2.google.com
  • contentautofill.googleapis.com
  • safebrowsingohttpgateway.googleapis.com
  • www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

💥 [THE END] — Illustrated by Smoke Claude · 52.9 AIC · ⌖ 25.6 AIC · ⊞ 8.7K ·
Comment /smoke-claude to run again

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💥 Automated smoke test review - all systems nominal!

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

  • accounts.google.com
  • android.clients.google.com
  • clients2.google.com
  • contentautofill.googleapis.com
  • safebrowsingohttpgateway.googleapis.com
  • www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

💥 [THE END] — Illustrated by Smoke Claude · 52.9 AIC · ⌖ 25.6 AIC · ⊞ 8.7K
Comment /smoke-claude to run again

var runnerConfigLog = logger.New("workflow:runner_config")

// extractRunnerConfig extracts runner topology configuration from frontmatter.
// Returns nil when no runner configuration is present.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider documenting the expected frontmatter shape for runner here so callers know which keys are read.

return nil
}

config := &RunnerConfig{}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice—returning nil on empty topology keeps the zero-config path clean. A brief comment on why empty topology means no config could help future readers.

@github-actions

Copy link
Copy Markdown
Contributor

Caution

agentic threat detected
Threat detection flagged this output in warn mode. Manual review is REQUIRED before any follow-up automation.

Details

The threat detection engine failed to produce results.

Review the workflow run logs for details.

Pull request created: #42386

Generated by Changeset Generator

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Smoke review tools work. Me leave tiny notes.

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

  • accounts.google.com
  • android.clients.google.com
  • clients2.google.com
  • contentautofill.googleapis.com
  • safebrowsingohttpgateway.googleapis.com
  • www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot · 333.1 AIC · ⌖ 22.4 AIC · ⊞ 19.1K
Comment /smoke-copilot to run again
Add label smoke to run again

@github-actions

Copy link
Copy Markdown
Contributor

@lpcox Tests results:

  1. PR list: ✅
  2. mcpscripts PR list: ❌
  3. Serena CLI: ❌
  4. Playwright CLI: ❌
  5. Web fetch: ✅
  6. File create/cat: ✅
    Overall: FAIL

📰 BREAKING: Report filed by Smoke Copilot - AOAI (Entra) · 69.6 AIC · ⌖ 6.22 AIC · ⊞ 17.7K ·
Comment /smoke-copilot-aoai-entra to run again
Add label smoke to run again

@github-actions

Copy link
Copy Markdown
Contributor

Smoke Test Results: 1✅ 2❌ 3❌ 4✅ 5❌ 6✅ 7❌ 8✅ Overall: FAIL @lpcox

📰 BREAKING: Report filed by Smoke Copilot - AOAI (apikey) · 104.5 AIC · ⌖ 7.51 AIC · ⊞ 18K ·
Comment /smoke-copilot-aoai-apikey to run again
Add label smoke to run again

@lpcox lpcox merged commit e35d10c into main Jun 30, 2026
29 checks passed
@lpcox lpcox deleted the arc-dind-rootless-topology branch June 30, 2026 01:46
@github-actions

Copy link
Copy Markdown
Contributor

🎉 This pull request is included in a new release.

Release: v0.82.1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants