Skip to content

fix: robust Docker socket GID resolution for ARC/DinD and split-daemon topologies#44446

Merged
pelikhan merged 17 commits into
mainfrom
copilot/fix-mcp-gateway-docker-daemon-access
Jul 10, 2026
Merged

fix: robust Docker socket GID resolution for ARC/DinD and split-daemon topologies#44446
pelikhan merged 17 commits into
mainfrom
copilot/fix-mcp-gateway-docker-daemon-access

Conversation

Copilot AI commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

On runners where DOCKER_HOST=tcp:// (ARC + DinD sidecar), the MCP gateway's socket-group detection silently falls back to --group-add 0, producing a non-root container with no Docker socket access and a confusing downstream Docker daemon is not accessible error.

Root cause

Three compounding bugs in the shell emitted by generateMCPGatewaySetup:

  1. Non-unix DOCKER_HOST schemes fall back to /var/run/docker.sock, which doesn't exist on the runner when the daemon is in a sidecar
  2. stat -c '%g' (no -L) reads the symlink's own group, not the resolved socket's — so even a symlinked workaround requires chown -h
  3. stat … 2>/dev/null || echo '0' silently emits group 0, guaranteeing failure with zero signal

Changes

  • GH_AW_DOCKER_SOCK_PATH override — operators set this to the bind-mounted socket path (e.g. /dind-sock/docker.sock) instead of carrying a host-side symlink hack at /var/run/docker.sock
  • GH_AW_DOCKER_SOCK_GID override — operators can supply the GID directly when stat can't resolve it
  • stat -Lc '%g' — follows symlinks so a symlinked socket resolves to the real socket's group without chown -h on the link
  • Loud failure — when the group can't be resolved and no override is set, the step exit 1s with an actionable ::error:: message naming the path tried and the two override vars; no more silent --group-add 0

Generated shell (simplified):

DOCKER_SOCK_PATH="${GH_AW_DOCKER_SOCK_PATH:-}"
if [ -z "$DOCKER_SOCK_PATH" ]; then
  case "${DOCKER_HOST:-}" in
    unix://* ) DOCKER_SOCK_PATH="${DOCKER_HOST#unix://}" ;;
    /* )       DOCKER_SOCK_PATH="$DOCKER_HOST" ;;
    * )        DOCKER_SOCK_PATH=/var/run/docker.sock ;;
  esac
fi
if [ -n "${GH_AW_DOCKER_SOCK_GID:-}" ]; then
  DOCKER_SOCK_GID="$GH_AW_DOCKER_SOCK_GID"
else
  DOCKER_SOCK_GID=$(stat -Lc '%g' "$DOCKER_SOCK_PATH" 2>/dev/null)
  if [ -z "$DOCKER_SOCK_GID" ]; then
    echo "::error::Cannot determine Docker socket group for '$DOCKER_SOCK_PATH'. \
Set GH_AW_DOCKER_SOCK_PATH and GH_AW_DOCKER_SOCK_GID to configure the socket path and group explicitly." >&2
    exit 1
  fi
fi

Tests in mcp_setup_generator_test.go updated to assert the override check order, stat -L call, and failure message are present in compiled YAML. All .lock.yml files and wasm golden files regenerated.


Generated by 👨‍🍳 PR Sous Chef · 6.57 AIC · ⌖ 6.74 AIC · ⊞ 7.1K ·
Comment /souschef to run again


Generated by 👨‍🍳 PR Sous Chef · 4.36 AIC · ⌖ 7.98 AIC · ⊞ 4.7K ·
Comment /souschef to run again


Generated by 👨‍🍳 PR Sous Chef · 7.94 AIC · ⌖ 6.73 AIC · ⊞ 7.1K ·
Comment /souschef to run again


Generated by 👨‍🍳 PR Sous Chef · 9.71 AIC · ⌖ 6.72 AIC · ⊞ 7.1K ·
Comment /souschef to run again


Generated by 👨‍🍳 PR Sous Chef · 6.82 AIC · ⌖ 5.64 AIC · ⊞ 7.1K ·
Comment /souschef to run again


Generated by 👨‍🍳 PR Sous Chef · 11.3 AIC · ⌖ 6.23 AIC · ⊞ 7.1K ·
Comment /souschef to run again



✨ PR Review Safe Output Test - Run 29100329226

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

  • accounts.google.com
  • android.clients.google.com
  • clients2.google.com
  • contentautofill.googleapis.com
  • safebrowsingohttpgateway.googleapis.com
  • www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

💥 [THE END] — Illustrated by Smoke Claude · 121.8 AIC · ⌖ 31.1 AIC · ⊞ 8.4K ·
Comment /smoke-claude to run again

…topologies

- Add GH_AW_DOCKER_SOCK_PATH override env var: lets operators on ARC-DinD
  (DOCKER_HOST=tcp://) or other split-daemon setups point the MCP gateway
  at the real socket path without host-side symlink/chown hacks.
- Add GH_AW_DOCKER_SOCK_GID override env var: lets operators supply the
  socket group directly when stat cannot resolve it from the path.
- Change stat -c to stat -Lc (follow symlinks): a socket symlinked from
  a non-standard path now resolves to the real socket's group without
  requiring chown -h on the symlink.
- Fail loudly instead of falling back to group 0: when the socket group
  cannot be determined and no override is set, exit 1 with an actionable
  error message naming the path tried and the override env vars. Passing
  --group-add 0 to a non-root container guaranteed a confusing downstream
  'Docker daemon is not accessible' with no indication of the true cause.
- Update tests to assert the new override check snippets, stat -L call,
  and loud failure message are present in compiled YAML.
- Update wasm golden files and recompile all .lock.yml files.

Closes #44251

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix MCP gateway access to Docker daemon in split-daemon topologies fix: robust Docker socket GID resolution for ARC/DinD and split-daemon topologies Jul 9, 2026
Copilot AI requested a review from pelikhan July 9, 2026 02:34
@pelikhan pelikhan marked this pull request as ready for review July 9, 2026 02:35
Copilot AI review requested due to automatic review settings July 9, 2026 02:35

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the generated “Start MCP Gateway” shell to resolve the Docker socket path and socket group more reliably on runners where the Docker daemon is not exposed via the default /var/run/docker.sock path (e.g., ARC + DinD sidecar / split-daemon topologies), and regenerates all impacted golden/lock artifacts.

Changes:

  • Add GH_AW_DOCKER_SOCK_PATH and GH_AW_DOCKER_SOCK_GID overrides for explicit socket path and group configuration.
  • Switch socket-group detection to stat -Lc '%g' … to follow symlinks and remove the silent --group-add 0 fallback in favor of an explicit failure.
  • Regenerate workflow .lock.yml files and wasm golden fixtures to reflect the new emitted shell.
Show a summary per file
File Description
pkg/workflow/mcp_setup_generator.go Updates MCP gateway setup generation to support socket path/GID overrides, symlink-following stat -L, and loud failure behavior.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden Regenerated golden fixture reflecting new socket path/GID resolution shell.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden Regenerated golden fixture reflecting new socket path/GID resolution shell.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden Regenerated golden fixture reflecting new socket path/GID resolution shell.
pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden Regenerated golden fixture reflecting new socket path/GID resolution shell.
.github/workflows/ace-editor.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/agentic-token-audit.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/agentic-token-optimizer.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/agentic-token-trend-audit.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/archie.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/architecture-guardian.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/artifacts-summary.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/bot-detection.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/brave.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/ci-coach.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/cli-consistency-checker.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/code-simplifier.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/contribution-check.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/copilot-centralization-drilldown.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/copilot-centralization-optimizer.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/copilot-opt.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/craft.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/daily-byok-ollama-test.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/daily-credit-limit-test.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/daily-max-ai-credits-test.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/daily-team-status.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/daily-windows-terminal-integration-builder.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/delight.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/dependabot-repair.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/designer-drift-audit.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/dev-hawk.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/eslint-miner.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/example-failure-category-filter.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/example-permissions-warning.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/firewall-escape.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/firewall.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/gpclean.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/jsweep.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/layout-spec-maintainer.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/linter-miner.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/mergefest.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/objective-impact-report.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/org-health-report.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/outcome-collector.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/pdf-summary.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/plan.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/pr-description-caveman.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/pr-triage-agent.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/python-data-charts.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/q.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/refactoring-cadence.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/refiner.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/release.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/repo-tree-map.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/research.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/ruflo-backed-task.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/security-compliance.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/security-review.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/skillet.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/smoke-ci.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/smoke-copilot-sdk.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/smoke-copilot-small.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/smoke-copilot-sub-agents.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/smoke-service-ports.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/smoke-test-tools.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/smoke-workflow-call.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/stale-pr-cleanup.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/super-linter.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/technical-doc-writer.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/test-dispatcher.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/test-project-url-default.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/test-quality-sentinel.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/test-workflow.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/tidy.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/ubuntu-image-analyzer.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/update-astro.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/video-analyzer.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/weekly-issue-summary.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/workflow-generator.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/workflow-health-manager.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.
.github/workflows/workflow-normalizer.lock.yml Regenerated workflow lock with updated MCP gateway docker-socket detection shell.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 273/273 changed files
  • Comments generated: 1
  • Review effort level: Low

Comment thread pkg/workflow/mcp_setup_generator.go Outdated
yaml.WriteString(" if [ -n \"${GH_AW_DOCKER_SOCK_GID:-}\" ]; then\n")
yaml.WriteString(" DOCKER_SOCK_GID=\"$GH_AW_DOCKER_SOCK_GID\"\n")
yaml.WriteString(" else\n")
yaml.WriteString(" DOCKER_SOCK_GID=$(stat -Lc '%g' \"$DOCKER_SOCK_PATH\" 2>/dev/null)\n")

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Addressed in earlier commit. Line 592 of mcp_setup_generator.go now includes || true:

yaml.WriteString("            DOCKER_SOCK_GID=$(stat -Lc '%g' \"$DOCKER_SOCK_PATH\" 2>/dev/null || true)\n")

This ensures the empty-variable check and error path at lines 593-597 are always reachable under set -eo pipefail.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

PR Code Quality Reviewer completed the code quality review.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Design Decision Gate 🏗️ completed the design decision gate check.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Test Quality Sentinel completed test quality analysis.

Documents the decision to add GH_AW_DOCKER_SOCK_PATH/GH_AW_DOCKER_SOCK_GID
overrides and replace the silent --group-add 0 fallback with a loud exit 1
for ARC/DinD and split-daemon runner topologies.
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

🏗️ Design Decision Gate — ADR Required

This PR makes significant changes to core business logic (740 new lines in business-logic directories) but does not have a linked Architecture Decision Record (ADR).

📄 Draft ADR committed: docs/adr/44446-robust-docker-socket-gid-resolution-for-arc-dind.md — review and complete it before merging.

🔒 This PR cannot merge until an ADR is linked in the PR body.

📋 What to do next
  1. Review the draft ADR committed to your branch at docs/adr/44446-robust-docker-socket-gid-resolution-for-arc-dind.md — it was generated from the PR diff
  2. Complete any missing sections — add context the AI couldn't infer, refine the decision rationale, and verify the alternatives reflect what you actually considered
  3. Commit the finalized ADR to docs/adr/ on your branch
  4. Reference the ADR in this PR body by adding a line such as:

    ADR: ADR-44446: Robust Docker Socket GID Resolution for ARC/DinD

Once an ADR is linked in the PR body, this gate will re-run and verify the implementation matches the decision.

❓ Why ADRs Matter

"AI made me procrastinate on key design decisions. Because refactoring was cheap, I could always say 'I'll deal with this later.' Deferring decisions corroded my ability to think clearly."

ADRs create a searchable, permanent record of why the codebase looks the way it does. Future contributors (and your future self) will thank you.

📋 Michael Nygard ADR Format Reference

An ADR must contain these four sections to be considered complete:

  • Context — What is the problem? What forces are at play?
  • Decision — What did you decide? Why?
  • Alternatives Considered — What else could have been done?
  • Consequences — What are the trade-offs (positive and negative)?

All ADRs are stored in docs/adr/ as Markdown files numbered by PR number (e.g., 44446-robust-docker-socket-gid-resolution-for-arc-dind.md for PR #44446).

🏗️ ADR gate enforced by Design Decision Gate 🏗️ · 56 AIC · ⌖ 10.1 AIC · ⊞ 4.3K ·
Comment /review to run again

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

🧪 Test Quality Sentinel Report

Test Quality Score: 100/100 — Excellent

Analyzed 1 test(s): 1 design, 0 implementation, 0 violation(s).

📊 Metrics (1 test)
Metric Value
Analyzed 1 (Go: 1, JS: 0)
✅ Design 1 (100%)
⚠️ Implementation 0 (0%)
Edge/error coverage 1 (100%)
Duplicate clusters 0
Inflation No
🚨 Violations 0
Test File Classification Issues
TestMCPGatewayDockerCommandUsesRunnerIdentityAndSocketGroup (modified) pkg/workflow/mcp_setup_generator_test.go:487 design_test / behavioral_contract / high_value None

Verdict

Passed. 0% implementation tests (threshold: 30%). No violations.

Test scope: The only changed test is TestMCPGatewayDockerCommandUsesRunnerIdentityAndSocketGroup, which gained 5 new require.Contains/require.Less assertions verifying the generated shell-script contracts introduced by this PR:

  • GH_AW_DOCKER_SOCK_PATH override var is emitted before the DOCKER_HOST case statement (ordering contract)
  • stat -Lc (symlink-following) is used for GID resolution instead of stat -c
  • GH_AW_DOCKER_SOCK_GID override is checked before the stat call
  • Loud error + exit 1 fires when socket group cannot be resolved (error path coverage included)

All assertions carry descriptive failure messages. Build tag //go:build integration is present on line 1. No mock libraries used. Test inflation ratio is 0.72:1 (well below the 2:1 threshold).

References: §28990059189

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🧪 Test quality analysis by Test Quality Sentinel · 54.2 AIC · ⌖ 10.4 AIC · ⊞ 6.8K ·
Comment /review to run again

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Test Quality Sentinel: 100/100. 0% implementation tests (threshold: 30%). No violations.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Skills-Based Review Summary 🧠

Applied /diagnosing-bugs, /tdd, and /grill-with-docs. The core bug fix is solid — requesting changes on 4 findings before merge.

📋 Findings (4)
# Skill File Issue
1 /tdd mcp_setup_generator_test.go:582 Missing require.Less for GID-override ordering — symmetrical with the existing path-override ordering assertion
2 /tdd mcp_setup_generator_test.go:566 No test asserts that sockGIDOverrideSnippet precedes socketGIDComputeSnippet in output — a block transposition passes today
3 /diagnosing-bugs mcp_setup_generator.go:586 Add [ -e "$DOCKER_SOCK_PATH" ] before exit 1 to distinguish "path missing" from "stat permission denied"
4 /grill-with-docs self-hosted-runners.md:168,245 Two stale paragraphs describe silent fallback and omit GH_AW_DOCKER_SOCK_PATH/GH_AW_DOCKER_SOCK_GID — ARC/DinD operators reading those pages won't find the new overrides

@copilot please address the review comments above.

🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · 128 AIC · ⌖ 7 AIC · ⊞ 6.6K ·
Comment /matt to run again

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Skills-Based Review 🧠

Applied /diagnosing-bugs, /tdd, and /grill-with-docs — requesting changes on three areas.

📋 Key Themes & Highlights

Issues Found

  • Missing ordering assertion (/tdd): require.Less(sockGIDOverrideSnippet, socketGIDComputeSnippet) is missing — the path-override ordering is tested but the GID-override ordering is not, so a block transposition would go undetected.
  • Missing branch-order coverage (/tdd): tests only do Contains; no assertion verifies the GID override appears before stat in generated output.
  • Diagnostic gap on failure (/diagnosing-bugs): adding a [ -e "$DOCKER_SOCK_PATH" ] check before exit 1 would help operators distinguish "path not found" from "stat permission denied" without any additional tooling.
  • Stale docs (/grill-with-docs): self-hosted-runners.md lines 168 and 245 still describe the old silent-fallback behaviour and omit GH_AW_DOCKER_SOCK_PATH / GH_AW_DOCKER_SOCK_GID; ARC/DinD operators reading those pages won't know the new overrides exist.

Positive Highlights

  • ✅ All three root-cause bugs (non-unix scheme fallback, missing symlink follow, silent group-0) addressed cleanly.
  • stat -Lc is the right fix — compact, portable, and the Go comment explains why -L is needed.
  • ✅ Fail-loud with ::error:: + exit 1 is the correct pattern; the message names both override variables.
  • ✅ Ordering assertions for the path-override side are a great TDD pattern.
  • ✅ 273 lock files regenerated consistently — expected and correct churn.

🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · 128 AIC · ⌖ 7 AIC · ⊞ 6.6K
Comment /matt to run again

"MCP_GATEWAY_GID should be computed before it is used in the docker command")
require.Less(t, strings.Index(yamlStr, userSnippet), strings.Index(yamlStr, groupAddSnippet),
"Docker command should include user mapping before supplementary group mapping")
require.Less(t, strings.Index(yamlStr, sockPathOverrideSnippet), strings.Index(yamlStr, socketPathSnippet),

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[/tdd] Missing ordering assertion: there is no require.Less verifying that sockGIDOverrideSnippet appears before socketGIDComputeSnippet. The path-override ordering is checked (line 582), but the GID-override ordering is not — a future refactor could swap those blocks undetected.

💡 Suggested assertion
require.Less(t, strings.Index(yamlStr, sockGIDOverrideSnippet), strings.Index(yamlStr, socketGIDComputeSnippet),
	"GH_AW_DOCKER_SOCK_GID override check should appear before stat-based GID computation")

This mirrors the existing sockPathOverrideSnippet < socketPathSnippet assertion and closes the symmetry gap.

@copilot please address this.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Addressed in commit 20dfd54. The ordering assertion is present at lines 604-605 of mcp_setup_generator_test.go:

require.Less(t, strings.Index(yamlStr, sockGIDOverrideSnippet), strings.Index(yamlStr, socketGIDComputeSnippet),
    "GH_AW_DOCKER_SOCK_GID override check should appear before stat call")

require.Contains(t, yamlStr, socketGIDComputeSnippet,
"Shell should compute DOCKER_SOCK_GID from resolved socket path")
"Shell should compute DOCKER_SOCK_GID from resolved socket path following symlinks")
require.Contains(t, yamlStr, sockGIDFailSnippet,

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[/tdd] No test covers the success path when GH_AW_DOCKER_SOCK_GID is set — the test only verifies the override snippet is present in the YAML, not that the generated shell skips stat when the override is supplied. A test that exercises both the override-present and override-absent branches at runtime would catch regressions where the branch order is correct but the conditional logic is inverted.

💡 Suggested test

Add a separate test (or table-driven sub-test) that compiles a workflow with GH_AW_DOCKER_SOCK_GID set and asserts that the generated shell takes the short-circuit branch:

// Verify that when GH_AW_DOCKER_SOCK_GID is set the stat call is inside the else branch,
// not reachable before the override check.
require.Less(t,
    strings.Index(yamlStr, sockGIDOverrideSnippet),
    strings.Index(yamlStr, socketGIDComputeSnippet),
    "GID override branch must appear before stat-based fallback")

Current tests only do Contains, so a transposition of the two blocks would pass undetected.

@copilot please address this.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The ordering assertion at lines 604-605 addresses this concern. It verifies that sockGIDOverrideSnippet appears before socketGIDComputeSnippet in the generated YAML, which ensures the override check precedes the stat call. A transposition of the blocks would fail this assertion.

Comment thread pkg/workflow/mcp_setup_generator.go Outdated
yaml.WriteString(" else\n")
yaml.WriteString(" DOCKER_SOCK_GID=$(stat -Lc '%g' \"$DOCKER_SOCK_PATH\" 2>/dev/null)\n")
yaml.WriteString(" if [ -z \"$DOCKER_SOCK_GID\" ]; then\n")
yaml.WriteString(" echo \"::error::Cannot determine Docker socket group for '$DOCKER_SOCK_PATH'. Set GH_AW_DOCKER_SOCK_PATH and GH_AW_DOCKER_SOCK_GID to configure the socket path and group explicitly.\" >&2\n")

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[/diagnosing-bugs] The error message is emitted to stderr but then exit 1 terminates the whole runner step — any downstream log lines (including the gateway startup logs) are lost. Consider also printing the resolved DOCKER_SOCK_PATH value alongside the error message so operators can quickly see exactly which path was tried.

💡 Suggested improvement

Current:

echo "::error::Cannot determine Docker socket group for '$DOCKER_SOCK_PATH'. Set GH_AW_DOCKER_SOCK_PATH and GH_AW_DOCKER_SOCK_GID to configure the socket path and group explicitly." >&2
exit 1

The path is already embedded in the message, which is good. A small additional hint — listing whether the path exists at all — would reduce the "no such file vs wrong permissions" ambiguity for operators:

echo "::error::Cannot determine Docker socket group for '$DOCKER_SOCK_PATH'. Set GH_AW_DOCKER_SOCK_PATH and GH_AW_DOCKER_SOCK_GID to configure the socket path and group explicitly." >&2
[ -e "$DOCKER_SOCK_PATH" ] || echo "::warning::'$DOCKER_SOCK_PATH' does not exist on this runner." >&2
exit 1

This is optional but significantly speeds up diagnosis when the socket path itself is wrong.

@copilot please address this.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Addressed in commit 20dfd54. Socket existence warning added at line 595 of mcp_setup_generator.go:

yaml.WriteString("              [ -e \"$DOCKER_SOCK_PATH\" ] || echo \"::warning::'$DOCKER_SOCK_PATH' does not exist on this runner.\" >&2\n")

Corresponding test assertion at line 582-583 of mcp_setup_generator_test.go.

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review: fix: robust Docker socket GID resolution for ARC/DinD and split-daemon topologies

Overall: The fix is well-scoped and addresses the three root causes correctly. The approach — operator overrides, symlink-following stat, and loud failure — is the right pattern for this class of infrastructure portability issue.

Findings:

One non-blocking but recommended improvement: the GH_AW_DOCKER_SOCK_GID override is used without numeric validation. If an operator sets this to a non-numeric value, docker run --group-add <value> will fail with an opaque Docker engine error rather than the actionable message already established in the stat-failure path. Adding a grep -qE '^[0-9]+$' check before use would maintain consistency.

Everything else looks correct:

  • stat -Lc correctly follows symlinks on Linux runners.
  • Lock file regeneration is mechanically uniform across all 260+ workflows.
  • Tests assert override order, symlink-following stat, and loud failure.
  • The exit 1 + ::error:: message naming the override vars is actionable.

🧵 Reviewed using Impeccable skills by Impeccable Skills Reviewer · 89.3 AIC · ⌖ 6.13 AIC · ⊞ 4.8K

Comment thread pkg/workflow/mcp_setup_generator.go Outdated
// to a non-root container gives no Docker-socket access and produces a confusing
// downstream "Docker daemon is not accessible" error.
yaml.WriteString(" if [ -n \"${GH_AW_DOCKER_SOCK_GID:-}\" ]; then\n")
yaml.WriteString(" DOCKER_SOCK_GID=\"$GH_AW_DOCKER_SOCK_GID\"\n")

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The GH_AW_DOCKER_SOCK_GID override is accepted without validating that it contains a numeric value. Docker requires --group-add to receive a numeric GID or group name; a non-numeric user-supplied string will be passed through to the docker run command and fail with a cryptic Docker engine error rather than an early actionable message.

Consider adding a validation step:

if ! printf '%s' "$GH_AW_DOCKER_SOCK_GID" | grep -qE '^[0-9]+$'; then
  echo "::error::GH_AW_DOCKER_SOCK_GID must be a numeric GID, got: ${GH_AW_DOCKER_SOCK_GID}" >&2
  exit 1
fi

This would surface misconfiguration early with the same clear error-message pattern already used for the missing-GID case.

@copilot please address this.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Addressed in commit 8c22b9f. Numeric validation implemented at lines 601-606 of mcp_setup_generator.go:

yaml.WriteString("          case \"$DOCKER_SOCK_GID\" in\n")
yaml.WriteString("            ''|*[!0-9]*)\n")
yaml.WriteString("              echo \"::error::DOCKER_SOCK_GID='$DOCKER_SOCK_GID' is not a valid numeric group ID. Set GH_AW_DOCKER_SOCK_GID to a numeric value.\" >&2\n")
yaml.WriteString("              exit 1\n")
yaml.WriteString("              ;;\n")
yaml.WriteString("          esac\n")

Corresponding test assertions at lines 584-587, 608-610.

@gh-aw-bot

Copy link
Copy Markdown
Collaborator

@copilot please run the pr-finisher skill, complete the ADR linked by the design gate, update the PR body to reference it, and rerun checks once the branch is up to date.

Generated by 👨‍🍳 PR Sous Chef · 6.67 AIC · ⌖ 8.02 AIC · ⊞ 7.1K ·
Comment /souschef to run again

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

REQUEST_CHANGES — The core logic is a clear improvement over the silent --group-add 0 fallback, but three issues should be addressed before merge.

### Blocking findings (3)
  1. stat -Lc is GNU coreutils only (line 584) — On macOS self-hosted runners stat -Lc silently returns empty, triggering the loud exit 1 with a misleading message. Either add a BSD fallback or document the Linux-only assumption and update the error message to mention GH_AW_DOCKER_SOCK_GID as the macOS path. (Comment on line 584)

  2. GH_AW_DOCKER_SOCK_GID is not validated as numeric (line 582) — The override value is passed verbatim to docker --group-add. A non-numeric string will fail at container startup with an opaque Docker error rather than an actionable one at the point of override consumption. A case *[!0-9]*) guard should be added after resolving DOCKER_SOCK_GID. (Comment on line 582)

  3. exit 1 presence is untested (line 534) — sockGIDFailSnippet tests the error echo but not exit 1. Removal of exit 1 would pass tests while silently allowing the step to continue with an empty GID. (Comment on line 534)

### Non-blocking finding (1)
  • **(sockname/redacted) (2-slash authority form) yields a relative path** (line 570) — ${DOCKER_HOST#(redacted) works correctly for the standard three-slash form but produces sockname (relative) for `(sockname/redacted) Low likelihood in practice; acceptable to handle with a comment rather than a fix. (Comment on line 570)

🔎 Code quality review by PR Code Quality Reviewer · 194 AIC · ⌖ 5.92 AIC · ⊞ 5.4K
Comment /review to run again

Comment thread pkg/workflow/mcp_setup_generator.go Outdated
yaml.WriteString(" if [ -n \"${GH_AW_DOCKER_SOCK_GID:-}\" ]; then\n")
yaml.WriteString(" DOCKER_SOCK_GID=\"$GH_AW_DOCKER_SOCK_GID\"\n")
yaml.WriteString(" else\n")
yaml.WriteString(" DOCKER_SOCK_GID=$(stat -Lc '%g' \"$DOCKER_SOCK_PATH\" 2>/dev/null)\n")

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

stat -Lc is GNU coreutils only and will silently break on macOS self-hosted runners.

💡 Details & suggested fix

stat -Lc is Linux/GNU coreutils syntax. On macOS (and other BSD-based self-hosted runners) the equivalent flag is stat -Lf. Running this generated script on a macOS runner will produce empty DOCKER_SOCK_GID output (stat exits non-zero, swallowed by 2>/dev/null), which triggers the new exit 1 with a misleading message claiming the socket group cannot be determined — when the real problem is the wrong stat flag.

Since ARC/DinD is Linux this may be acceptable, but the assumption is implicit and the error message will confuse macOS operators who try the GH_AW_DOCKER_SOCK_PATH override and still get a failure.

Portable fallback:

DOCKER_SOCK_GID=$(stat -Lc '%g' "$DOCKER_SOCK_PATH" 2>/dev/null || \
                 stat -Lf '%g' "$DOCKER_SOCK_PATH" 2>/dev/null)

Or at minimum add a comment in the generator code:

// stat -Lc is GNU coreutils (Linux only). macOS self-hosted runners must
// set GH_AW_DOCKER_SOCK_GID explicitly to bypass stat.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Addressed in commit 20dfd54. Portability comment added at lines 584-585 of mcp_setup_generator.go:

// Note: stat -Lc is GNU coreutils (Linux only). macOS self-hosted runners must set
// GH_AW_DOCKER_SOCK_GID explicitly to bypass stat.

Comment thread pkg/workflow/mcp_setup_generator.go Outdated
// to a non-root container gives no Docker-socket access and produces a confusing
// downstream "Docker daemon is not accessible" error.
yaml.WriteString(" if [ -n \"${GH_AW_DOCKER_SOCK_GID:-}\" ]; then\n")
yaml.WriteString(" DOCKER_SOCK_GID=\"$GH_AW_DOCKER_SOCK_GID\"\n")

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

GH_AW_DOCKER_SOCK_GID is passed to docker --group-add without validating it is numeric, so a misconfigured override will cause a cryptic container startup failure instead of a clear error.

💡 Details & suggested fix

Line 582 assigns DOCKER_SOCK_GID="$GH_AW_DOCKER_SOCK_GID" verbatim. Docker's --group-add requires a numeric GID or a group name that exists inside the container's /etc/group. A non-numeric value (e.g., docker as a group name string, or a typo like 1000 --privileged) will not be shell-injected (the quoting in buildDockerCommandWithExpandableVars prevents that), but it will cause docker run to fail with an opaque error rather than a clear one at the point the override is consumed.

The same issue applies to the stat-derived path: stat -Lc '%g' should always produce a number, but on unusual filesystems it can return a group name string.

Suggested guard after resolving DOCKER_SOCK_GID:

case "$DOCKER_SOCK_GID" in
  *[!0-9]*)
    echo "::error::DOCKER_SOCK_GID must be a numeric GID, got: '$DOCKER_SOCK_GID'" >&2
    exit 1 ;;
esac

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Addressed in commit 8c22b9f. Numeric validation implemented at lines 601-606 of mcp_setup_generator.go using the case pattern ''|*[!0-9]* to reject empty and non-numeric values. Test coverage at lines 584-587, 608-610 of mcp_setup_generator_test.go.

sockGIDOverrideSnippet := `if [ -n "${GH_AW_DOCKER_SOCK_GID:-}" ]; then`
// Loud failure: exit 1 + error message when socket group can't be resolved, instead of
// silently passing --group-add 0 which guarantees a confusing downstream failure.
sockGIDFailSnippet := `echo "::error::Cannot determine Docker socket group for '$DOCKER_SOCK_PATH'. Set GH_AW_DOCKER_SOCK_PATH and GH_AW_DOCKER_SOCK_GID to configure the socket path and group explicitly." >&2`

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The loud-failure test verifies the echo message but never asserts exit 1 is present, leaving a silent regression path.

💡 Details & suggested fix

sockGIDFailSnippet checks only that the ::error:: echo line exists. If the exit 1 on the next line is accidentally removed from the generator, the step will emit the error annotation and then continue executing — passing DOCKER_SOCK_GID='' (empty string) to docker --group-add '' which fails with a different, unrelated error.

Add an assertion:

sockGIDExitSnippet := `exit 1`
// ... inside the require block:
require.Less(t, strings.Index(yamlStr, sockGIDFailSnippet), strings.Index(yamlStr, sockGIDExitSnippet),
    "exit 1 must immediately follow the loud error message in the socket-group failure block")

Or at minimum:

require.Contains(t, yamlStr, sockGIDExitSnippet,
    "Shell must exit 1 when socket group cannot be resolved")

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Addressed in commit 20dfd54. Exit assertion added at lines 606-607 of mcp_setup_generator_test.go:

require.Less(t, strings.Index(yamlStr, sockGIDFailSnippet), strings.Index(yamlStr, sockGIDExitSnippet),
    "exit 1 must immediately follow the loud error message in the socket-group failure block")

sockGIDExitSnippet is defined at line 537.

Comment thread pkg/workflow/mcp_setup_generator.go Outdated
yaml.WriteString(" DOCKER_SOCK_PATH=\"${GH_AW_DOCKER_SOCK_PATH:-}\"\n")
yaml.WriteString(" if [ -z \"$DOCKER_SOCK_PATH\" ]; then\n")
yaml.WriteString(" case \"${DOCKER_HOST:-}\" in\n")
yaml.WriteString(" unix://* ) DOCKER_SOCK_PATH=\"${DOCKER_HOST#unix://}\" ;;\n")

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

${DOCKER_HOST#(redacted) strips only two slashes, yielding a relative path for the two-slash authority form (sockname/redacted)

💡 Details & suggested fix

The standard Docker unix socket URI uses three slashes: (redacted) The strip ${DOCKER_HOST#(redacted) removes the (redacted) prefix, leaving /var/run/docker.sock` (correct for the three-slash form).

However, Docker Engine also accepts the two-slash authority form (docker.sock/redacted) (socket in the current directory), and some orchestrators emit (redacted) In these cases the strip produces a relative path (docker.sock or ./docker.sock), which:

  • Makes stat -Lc '%g' resolve relative to the step working directory (not the socket's actual location)
  • Makes docker -v relative-path:/var/run/docker.sock fail with invalid volume specification

The fix is to strip the authority component explicitly:

(redacted) ) DOCKER_SOCK_PATH="${DOCKER_HOST#(redacted)
           # Strip optional authority (e.g. (hostname/redacted) -> /path)
           case "$DOCKER_SOCK_PATH" in
             /*) ;; # already absolute
             *)  DOCKER_SOCK_PATH="/${DOCKER_SOCK_PATH#*/}" ;;
           esac ;;

This is a narrow edge case in practice, but the /* fallback branch below this line (line 571) does not cover it.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Addressed in commit 20dfd54. Authority-stripping logic added at lines 572-576 of mcp_setup_generator.go:

yaml.WriteString("                # Strip optional authority component (e.g., unix://hostname/path -> /path)\n")
yaml.WriteString("                case \"$DOCKER_SOCK_PATH\" in\n")
yaml.WriteString("                  /* ) ;; # already absolute\n")
yaml.WriteString("                  * ) DOCKER_SOCK_PATH=\"/${DOCKER_SOCK_PATH#*/}\" ;;\n")
yaml.WriteString("                esac ;;\n")

This handles both unix:///path (three-slash) and unix://hostname/path (two-slash authority) forms.

@pelikhan

pelikhan commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

@copilot run pr-finisher skill

Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
@github-actions

github-actions Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready.

@github-actions

github-actions Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

🚀 Smoke Antigravity MISSION COMPLETE! Antigravity has spoken. ✨

@github-actions

github-actions Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

🎬 THE ENDSmoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

@github-actions

github-actions Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

🚀 Smoke Gemini MISSION COMPLETE! Gemini has spoken. ✨

@github-actions

github-actions Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

github-actions Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

🚀 Smoke Pi MISSION COMPLETE! Pi delivered. 🥧

@github-actions

Copy link
Copy Markdown
Contributor

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

@github-actions

Copy link
Copy Markdown
Contributor

📰 BREAKING: Smoke Copilot - AOAI (apikey) is now investigating this pull request. Sources say the story is developing...

@github-actions

Copy link
Copy Markdown
Contributor

📰 BREAKING: Smoke Copilot - AOAI (Entra) is now investigating this pull request. Sources say the story is developing...

@github-actions

github-actions Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot Small failed. Please review the logs for details.

@github-actions

Copy link
Copy Markdown
Contributor

Agent Container Tool Check\n\n| Tool | Status | Version |\n|------|--------|--------|\n| bash | ✅ | 5.2.21 |\n| sh | ✅ | available |\n| git | ✅ | 2.54.0 |\n| jq | ✅ | 1.7 |\n| yq | ✅ | 4.53.3 |\n| curl | ✅ | 8.5.0 |\n| gh | ✅ | 2.96.0 |\n| node | ✅ | 22.23.1 |\n| python3 | ✅ | 3.11.15 (PyPy) |\n| go | ✅ | 1.24.13 |\n| java | ✅ | 10.0.301 |\n| dotnet | ✅ | available |\n\nResult: 12/12 tools available ✅\n\nOverall Status: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔧 Tool validation by Agent Container Smoke Test · 11.9 AIC · ⌖ 6.78 AIC · ⊞ 4.6K ·
Comment /smoke-test-tools to run again

@github-actions

Copy link
Copy Markdown
Contributor

Smoke test

  • GitHub CLI: ✅
  • Web fetch: ❌
  • File write: ✅
  • Bash verify: ✅
  • Build: ❌
  • Overall: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • proxy.golang.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "proxy.golang.org"

See Network Configuration for more information.

🥧 Smoke Pi — Powered by Pi · 2.38 AIC · ⌖ 6.63 AIC · ⊞ 4.4K ·
Comment /smoke-pi to run again

@github-actions

Copy link
Copy Markdown
Contributor

Smoke Test: Gemini - 29100329385\n- Test 1: ✅\n- Test 2: ✅\n- Test 3: ✅\n- Test 4: ✅\n- Test 5: ❌\n\nOverall Status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

Smoke Gemini — Powered by Gemini · 17.5 AIC · ⌖ 3.63 AIC · ⊞ 9.3K ·
Comment /smoke-gemini to run again

@pelikhan pelikhan merged commit 2ba65bd into main Jul 10, 2026
200 of 203 checks passed
@pelikhan pelikhan deleted the copilot/fix-mcp-gateway-docker-daemon-access branch July 10, 2026 14:47
@github-actions

Copy link
Copy Markdown
Contributor

Smoke Test: Codex - 29100329324
✅ GitHub MCP merged PR reads
✅ Serena symbols
✅ Playwright GitHub title
❌ Web-fetch MCP unavailable; curl fallback used
✅ Temp file, bash read-back, build, comment memory, cache memory
⏭ Set issue field skipped
Overall: FAIL

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

  • accounts.google.com
  • android.clients.google.com
  • clients2.google.com
  • contentautofill.googleapis.com
  • safebrowsingohttpgateway.googleapis.com
  • www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex · 1.64 AIC · ⌖ 3.49 AIC · ⊞ 22.4K ·
Comment /smoke-codex to run again

@github-actions

Copy link
Copy Markdown
Contributor

Comment Memory

Quiet build completes
Git and cache keep steady watch
Smoke drifts into green

Note

This comment is managed by comment memory.

It stores persistent context for this thread in the code block at the top of this comment.
Edit only the text inside the backtick fences; workflow metadata and the footer are regenerated automatically.

Learn more about comment memory

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

  • accounts.google.com
  • android.clients.google.com
  • clients2.google.com
  • contentautofill.googleapis.com
  • safebrowsingohttpgateway.googleapis.com
  • www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex · 1.64 AIC · ⌖ 3.49 AIC · ⊞ 22.4K ·
Comment /smoke-codex to run again

@github-actions

Copy link
Copy Markdown
Contributor

Smoke Test 29100726052 Results:
❌ Test1–4,7 ✅ Test5,6,8–15
Overall: FAIL
cc @app/copilot-swe-agent @pelikhan @Copilot

📰 BREAKING: Report filed by Smoke Copilot - AOAI (apikey) · 15.6 AIC · ⌖ 3.09 AIC · ⊞ 17.9K ·
Comment /smoke-copilot-aoai-apikey to run again
Add label smoke to run again

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💥 Automated smoke test review - all systems nominal!

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

  • accounts.google.com
  • android.clients.google.com
  • clients2.google.com
  • contentautofill.googleapis.com
  • safebrowsingohttpgateway.googleapis.com
  • www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

💥 [THE END] — Illustrated by Smoke Claude · 121.8 AIC · ⌖ 31.1 AIC · ⊞ 8.4K
Comment /smoke-claude to run again

// The script handles override variables (GH_AW_DOCKER_SOCK_PATH, GH_AW_DOCKER_SOCK_GID),
// DOCKER_HOST parsing, stat -Lc symlink following, and numeric validation.
// See actions/setup/sh/resolve_docker_socket_gid.sh for implementation details.
yaml.WriteString(" source \"${RUNNER_TEMP}/gh-aw/actions/resolve_docker_socket_gid.sh\"\n")

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice — delegating socket GID resolution to a dedicated script improves testability and readability. 👍

yaml.WriteString(" * ) DOCKER_SOCK_PATH=/var/run/docker.sock ;;\n")
yaml.WriteString(" esac\n")
yaml.WriteString(" DOCKER_SOCK_GID=$(stat -c '%g' \"$DOCKER_SOCK_PATH\" 2>/dev/null || echo '0')\n")
// Resolve Docker socket path and GID using the dedicated shell script.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good call documenting the override vars and stat -Lc behavior inline; helps future maintainers understand the ARC/DinD edge cases.

@github-actions

Copy link
Copy Markdown
Contributor

Comment Memory

Bot poke cold steel
Tests thump drum in night machine
Green sparks lick dark logs

Note

This comment is managed by comment memory.

It stores persistent context for this thread in the code block at the top of this comment.
Edit only the text inside the backtick fences; workflow metadata and the footer are regenerated automatically.

Learn more about comment memory

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

  • accounts.google.com
  • android.clients.google.com
  • clients2.google.com
  • contentautofill.googleapis.com
  • safebrowsingohttpgateway.googleapis.com
  • www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot · 93.9 AIC · ⌖ 5.88 AIC · ⊞ 19.1K ·
Comment /smoke-copilot to run again
Add label smoke to run again

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Smoke bot leave two notes. Build good. Some smoke checks fail from missing tools and perms.

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

  • accounts.google.com
  • android.clients.google.com
  • clients2.google.com
  • contentautofill.googleapis.com
  • safebrowsingohttpgateway.googleapis.com
  • www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot · 93.9 AIC · ⌖ 5.88 AIC · ⊞ 19.1K
Comment /smoke-copilot to run again
Add label smoke to run again

@github-actions

Copy link
Copy Markdown
Contributor

Smoke test results: ✅1,2,5,6,8,10,15; ❌3,4,7,9,11,12,14
Overall Status: FAIL
@pelikhan @Copilot

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

  • accounts.google.com
  • android.clients.google.com
  • clients2.google.com
  • contentautofill.googleapis.com
  • safebrowsingohttpgateway.googleapis.com
  • www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot - AOAI (Entra) · 69.7 AIC · ⌖ 3 AIC · ⊞ 17.6K ·
Comment /smoke-copilot-aoai-entra to run again
Add label smoke to run again

@github-actions

Copy link
Copy Markdown
Contributor

Comment Memory

Smoke drifts on code
Tests echo with perfect grace
Copilot stands proud

Note

This comment is managed by comment memory.

It stores persistent context for this thread in the code block at the top of this comment.
Edit only the text inside the backtick fences; workflow metadata and the footer are regenerated automatically.

Learn more about comment memory

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

  • accounts.google.com
  • android.clients.google.com
  • clients2.google.com
  • contentautofill.googleapis.com
  • safebrowsingohttpgateway.googleapis.com
  • www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot - AOAI (Entra) · 69.7 AIC · ⌖ 3 AIC · ⊞ 17.6K ·
Comment /smoke-copilot-aoai-entra to run again
Add label smoke to run again

@github-actions github-actions Bot mentioned this pull request Jul 10, 2026
@github-actions

Copy link
Copy Markdown
Contributor

🎉 This pull request is included in a new release.

Release: v0.82.8

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

4 participants