[ARC/DinD] Pass through tcp:// DOCKER_HOST to AWF in generated runtime command#38913
Conversation
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
This PR updates gh-aw’s AWF runtime command generation to correctly pass through DOCKER_HOST=tcp://... to AWF (via --docker-host) in ARC RunnerScaleSet DinD setups, while preserving existing --docker-host-path-prefix behavior and version gating.
Changes:
- Added a
DOCKER_HOSTtcp:// probe that setsGH_AW_DOCKER_HOSTand conditionally appends--docker-host "$GH_AW_DOCKER_HOST"to the generated AWF invocation. - Updated unit tests to assert the new probe/expansion ordering and validate runtime behavior for both docker-host passthrough and docker-host-path-prefix.
- Refreshed WASM golden fixtures impacted by the command output change.
Show a summary per file
| File | Description |
|---|---|
| pkg/workflow/awf_helpers.go | Adds GH_AW_DOCKER_HOST probe and conditional --docker-host expansion in generated AWF command. |
| pkg/workflow/firewall_args_test.go | Expands assertions to validate docker-host passthrough probe/setup and correct ordering with existing path-prefix logic. |
| pkg/workflow/awf_helpers_test.go | Extends ARC/DinD detection test to assert both docker-host value and docker-host-path-prefix value. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden | Updates golden output to include GH_AW_DOCKER_HOST init/probe and --docker-host expansion. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden | Updates golden output to include GH_AW_DOCKER_HOST init/probe and --docker-host expansion. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden | Updates golden output to include GH_AW_DOCKER_HOST init/probe and --docker-host expansion. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden | Updates golden output to include GH_AW_DOCKER_HOST init/probe and --docker-host expansion. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/pi.golden | Updates golden output to include GH_AW_DOCKER_HOST init/probe and --docker-host expansion. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/gemini.golden | Updates golden output to include GH_AW_DOCKER_HOST init/probe and --docker-host expansion. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden | Updates golden output to include GH_AW_DOCKER_HOST init/probe and --docker-host expansion. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden | Updates golden output to include GH_AW_DOCKER_HOST init/probe and --docker-host expansion. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/claude.golden | Updates golden output to include GH_AW_DOCKER_HOST init/probe and --docker-host expansion. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 12/12 changed files
- Comments generated: 1
| @@ -202,6 +203,15 @@ func BuildAWFCommand(config AWFCommandConfig) string { | |||
| // This avoids requiring workflow-authored sandbox.agent.args for standard ARC DinD setups. | |||
|
``
|
|
``
|
|
@copilot address review feedback |
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Updated the comment in [Fix inaccurate comment above ARC/DinD probe in BuildAWFCommand]($(git -C /home/runner/work/gh-aw/gh-aw rev-parse HEAD)). The comment now accurately describes both the
Updated the comment in fd0e786. The comment now accurately describes both the |
|
✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟 No action needed: smoke test requires local verification and write-side effects, but no GitHub mutation has been completed yet. |
|
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨ |
|
🚀 Smoke Antigravity MISSION COMPLETE! Antigravity has spoken. ✨ |
|
|
|
🚀 Smoke Pi MISSION COMPLETE! Pi delivered. 🥧 |
|
✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready. |
|
📰 BREAKING: Smoke Copilot - AOAI (Entra) is now investigating this pull request. Sources say the story is developing... |
|
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing... |
|
📰 BREAKING: Smoke Copilot - AOAI (apikey) is now investigating this pull request. Sources say the story is developing... |
|
Commit pushed:
|
Agent Container Tool Check
Result: 12/12 tools available ✅ Overall Status: PASS
|
Comment MemoryNote This comment is managed by comment memory.It stores persistent context for this thread in the code block at the top of this comment. Warning Firewall blocked 6 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
|
💥 Smoke Test: Claude — Run 27447488948Core #1-12: ✅ all passed Overall: PARTIAL ✅ (all executed tests passed) Warning Firewall blocked 6 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
|
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
💥 Automated smoke test review - all systems nominal!
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
accounts.google.comandroid.clients.google.comclients2.google.comcontentautofill.googleapis.comsafebrowsingohttpgateway.googleapis.comwww.google.com
To allow these domains, add them to the
network.allowedlist in your workflow frontmatter:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
💥 [THE END] — Illustrated by Smoke Claude · 80.9 AIC · ⌖ 9.18 AIC · ⊞ 8.1K
| cp "${RUNNER_TEMP}/gh-aw/awf-config.json" /tmp/gh-aw/awf-config.json | ||
| export GH_AW_MODELS_JSON_PATH="/tmp/gh-aw/models.json" | ||
| GH_AW_DOCKER_HOST="" | ||
| if [[ "${DOCKER_HOST:-}" =~ ^tcp:// ]]; then |
There was a problem hiding this comment.
Smoke test review: this (redacted) guard for GH_AW_DOCKER_HOST looks consistent with the path-prefix block above. 💥
| fi | ||
| # shellcheck disable=SC1003 | ||
| sudo -E awf --config "${RUNNER_TEMP}/gh-aw/awf-config.json" --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" ${GH_AW_TOOL_CACHE_MOUNT:+--mount "$GH_AW_TOOL_CACHE_MOUNT"} ${GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS} --env-all --exclude-env COPILOT_GITHUB_TOKEN --exclude-env GITHUB_MCP_SERVER_TOKEN --exclude-env MCP_GATEWAY_API_KEY --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --enable-host-access --allow-host-ports 80,443,8080 --skip-pull \ | ||
| sudo -E awf --config "${RUNNER_TEMP}/gh-aw/awf-config.json" --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" ${GH_AW_TOOL_CACHE_MOUNT:+--mount "$GH_AW_TOOL_CACHE_MOUNT"} ${GH_AW_DOCKER_HOST:+--docker-host "$GH_AW_DOCKER_HOST"} ${GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS} --env-all --exclude-env COPILOT_GITHUB_TOKEN --exclude-env GITHUB_MCP_SERVER_TOKEN --exclude-env MCP_GATEWAY_API_KEY --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --enable-host-access --allow-host-ports 80,443,8080 --skip-pull \ |
There was a problem hiding this comment.
Smoke test review: passing --docker-host conditionally via parameter expansion is a clean approach. 👍
|
Smoke Test Results:
|
|
PR: [ARC/DinD] Pass through (redacted) DOCKER_HOST to AWF in generated runtime command Warning Firewall blocked 6 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
|
AWF command generation in
gh-awdetectedtcp://Docker hosts for--docker-host-path-prefixbut did not pass the Docker host itself through to AWF. In ARC RunnerScaleSet DinD setups (DOCKER_HOST=tcp://localhost:2375), this prevented native tcp host usage and forced unix-socket workarounds.Runtime AWF command wiring
BuildAWFCommand:GH_AW_DOCKER_HOSTDOCKER_HOSTwhen^tcp://matches--docker-host "$GH_AW_DOCKER_HOST"to AWF invocation--docker-host-path-prefix /tmp/gh-awprobing and AWF version gating unchanged.Test coverage updates
--docker-hostprobe/setup and argument expansion.Changeset
DOCKER_HOSTto AWF in generated runtime commands for ARC/DinD tcp hosts.✨ PR Review Safe Output Test - Run 27447488948
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
accounts.google.comandroid.clients.google.comclients2.google.comcontentautofill.googleapis.comsafebrowsingohttpgateway.googleapis.comwww.google.comSee Network Configuration for more information.