From 6e7bb20eb53dde0104b3da8fe61640c53447d2ee Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 28 Jan 2026 22:26:31 +0000 Subject: [PATCH 1/4] Initial plan From f4739302f169d0b5d0040dce7c5bdeeff1ed317a Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 28 Jan 2026 22:31:34 +0000 Subject: [PATCH 2/4] Initial plan for build/test environment documentation Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com> --- pkg/cli/templates/github-agentic-workflows.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/pkg/cli/templates/github-agentic-workflows.md b/pkg/cli/templates/github-agentic-workflows.md index aeb7321327..70a786b553 100644 --- a/pkg/cli/templates/github-agentic-workflows.md +++ b/pkg/cli/templates/github-agentic-workflows.md 
@@ -138,6 +138,20 @@ The YAML frontmatter supports these fields: - Enables searching and retrieving assets associated with this workflow - Examples: `"workflow-2024-q1"`, `"team-alpha-bot"`, `"security_audit_v2"` +- **`project:`** - GitHub Projects integration configuration (string or object) + - String format: `"https://github.com/orgs/myorg/projects/42"` - Project URL only + - Object format for advanced configuration: + ```yaml + project: + url: "https://github.com/orgs/myorg/projects/42" # Required: full project URL + scope: ["owner/repo", "org:name"] # Optional: repositories/organizations workflow can operate on + max-updates: 100 # Optional: max project updates per run (default: 100) + max-status-updates: 1 # Optional: max status updates per run (default: 1) + github-token: ${{ secrets.PROJECTS_PAT }} # Optional: custom token for project operations + ``` + - When configured, enables project board management operations + - Works with `update-project` safe-output for automated project tracking + - **`secret-masking:`** - Configuration for secret redaction behavior in workflow outputs and artifacts (object) - `steps:` - Additional secret redaction steps to inject after the built-in secret redaction (array) - Use this to mask secrets in generated files using custom patterns @@ -609,6 +623,9 @@ The YAML frontmatter supports these fields: safe-outputs: assign-to-agent: name: "copilot" # Optional: agent name + allowed: [copilot] # Optional: restrict to specific agent names + max: 1 # Optional: max assignments (default: 1) + target: "*" # Optional: "triggering" (default), "*", or number target-repo: "owner/repo" # Optional: cross-repository ``` Requires PAT with elevated permissions as `GH_AW_AGENT_TOKEN`. From 70efa9773d835f93380d867f9a5bcf6326c56a6c Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 28 Jan 2026 22:33:32 +0000 Subject: [PATCH 3/4] docs: Update sandbox.md with comprehensive build/test environment documentation Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com> --- .../src/content/docs/agent-factory-status.mdx | 1 + docs/src/content/docs/reference/sandbox.md | 95 ++++++++++++++++++- 2 files changed, 94 insertions(+), 2 deletions(-) diff --git a/docs/src/content/docs/agent-factory-status.mdx b/docs/src/content/docs/agent-factory-status.mdx index 0536fb79ba..0b75e0b102 100644 --- a/docs/src/content/docs/agent-factory-status.mdx +++ b/docs/src/content/docs/agent-factory-status.mdx 
@@ -75,6 +75,7 @@ These are experimental agentic workflows used by the GitHub Next team to learn, | [Discussion Task Miner - Code Quality Improvement Agent](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/discussion-task-miner.md) | copilot | [![Discussion Task Miner - Code Quality Improvement Agent](https://github.com/githubnext/gh-aw/actions/workflows/discussion-task-miner.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/discussion-task-miner.lock.yml) | - | - | | [Documentation Noob Tester](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/docs-noob-tester.md) | copilot | [![Documentation Noob Tester](https://github.com/githubnext/gh-aw/actions/workflows/docs-noob-tester.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/docs-noob-tester.lock.yml) | - | - | | [Documentation Unbloat](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/unbloat-docs.md) | claude | [![Documentation Unbloat](https://github.com/githubnext/gh-aw/actions/workflows/unbloat-docs.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/unbloat-docs.lock.yml) | - | `/unbloat` | +| [Draft PR Cleanup](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/draft-pr-cleanup.md) | copilot | [![Draft PR Cleanup](https://github.com/githubnext/gh-aw/actions/workflows/draft-pr-cleanup.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/draft-pr-cleanup.lock.yml) | - | - | | [Duplicate Code Detector](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/duplicate-code-detector.md) | codex | [![Duplicate Code Detector](https://github.com/githubnext/gh-aw/actions/workflows/duplicate-code-detector.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/duplicate-code-detector.lock.yml) | - | - | | [Example: Custom Error Patterns](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/example-custom-error-patterns.md) | copilot 
| [![Example: Custom Error Patterns](https://github.com/githubnext/gh-aw/actions/workflows/example-custom-error-patterns.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/example-custom-error-patterns.lock.yml) | - | - | | [Example: Properly Provisioned Permissions](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/example-permissions-warning.md) | copilot | [![Example: Properly Provisioned Permissions](https://github.com/githubnext/gh-aw/actions/workflows/example-permissions-warning.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/example-permissions-warning.lock.yml) | - | - | diff --git a/docs/src/content/docs/reference/sandbox.md b/docs/src/content/docs/reference/sandbox.md index db6b347541..c5c52b3473 100644 --- a/docs/src/content/docs/reference/sandbox.md +++ b/docs/src/content/docs/reference/sandbox.md @@ -1,6 +1,6 @@ --- title: Sandbox Configuration -description: Configure sandbox environments for AI engines including MCP Gateway and Sandbox Runtime (SRT) +description: Configure sandbox environments for AI engines including AWF agent container, mounted tools, runtime environments, and MCP Gateway sidebar: order: 1350 --- 
@@ -85,13 +85,55 @@ AWF automatically mounts several paths from the host into the container to enabl | Host Path | Container Path | Mode | Purpose | |-----------|----------------|------|---------| | `/tmp` | `/tmp` | `rw` | Temporary files and cache | +| `${HOME}/.cache` | `${HOME}/.cache` | `rw` | Build caches (Go, npm, etc.) | | `${GITHUB_WORKSPACE}` | `${GITHUB_WORKSPACE}` | `rw` | Repository workspace directory | -| `/usr/bin/{date,gh,yq}` | `/usr/bin/{date,gh,yq}` | `ro` | System utilities (date, GitHub CLI, yq) | +| `/opt/hostedtoolcache` | `/opt/hostedtoolcache` | `ro` | Runtimes (Node.js, Python, Go, Ruby, Java) | +| `/opt/gh-aw` | `/opt/gh-aw` | `ro` | Script and configuration files | | `/usr/local/bin/copilot` | `/usr/local/bin/copilot` | `ro` | Copilot CLI binary | | `/home/runner/.copilot` | `/home/runner/.copilot` | `rw` | Copilot configuration and state | These default mounts ensure the agent has access to essential tools and the repository files. Custom mounts specified via `sandbox.agent.mounts` are added alongside these defaults. +#### Mounted System Utilities + +AWF mounts common system utilities from the host into the container as read-only binaries. 
These utilities are frequently used in workflow scripts and are organized by priority: + +**Essential Utilities** (most commonly used): + +| Utility | Purpose | +|---------|---------| +| `cat` | Display file contents | +| `curl` | HTTP client for API calls | +| `date` | Date/time operations | +| `find` | Locate files by pattern | +| `gh` | GitHub CLI operations | +| `grep` | Pattern matching | +| `jq` | JSON processing | +| `yq` | YAML processing | + +**Common Utilities** (frequently used for file operations): + +| Utility | Purpose | +|---------|---------| +| `cp` | Copy files | +| `cut` | Extract text columns | +| `diff` | Compare files | +| `head` | Display file start | +| `ls` | List directory contents | +| `mkdir` | Create directories | +| `rm` | Remove files | +| `sed` | Stream text editing | +| `sort` | Sort text lines | +| `tail` | Display file end | +| `wc` | Count lines/words | +| `which` | Locate commands | + +All utilities are mounted read-only (`:ro`) from `/usr/bin/` on the host. They execute on the read-write workspace directory inside the container. + +> [!TIP] +> Available Utilities +> Run `which jq` or `jq --version` in your workflow to verify utility availability. The agent has access to all mounted utilities without additional setup. + > [!WARNING] > Docker socket access is not supported for security > reasons. The agent firewall does not mount 
@@ -123,6 +165,55 @@ The following environment variables are mirrored (if they exist on the host): > Environment Variable Handling > Variables are only passed to the container if they exist on the host runner. Missing variables are silently ignored, ensuring workflows work across different runner configurations. +#### Runtime Tools (hostedtoolcache) + +AWF mounts the `/opt/hostedtoolcache` directory from the GitHub Actions runner, providing access to all runtimes installed via `actions/setup-*` steps. This directory contains pre-installed and dynamically-installed versions of popular development tools. + +**Available Runtimes:** + +| Runtime | Setup Action | Example Versions | +|---------|-------------|------------------| +| **Node.js** | `actions/setup-node` | 18.x, 20.x, 22.x | +| **Python** | `actions/setup-python` | 3.9, 3.10, 3.11, 3.12, 3.13, 3.14 | +| **Go** | `actions/setup-go` | 1.22.x, 1.23.x, 1.24.x, 1.25.x | +| **Ruby** | `ruby/setup-ruby` | 3.2, 3.3, 3.4 | +| **Java** | `actions/setup-java` | 8, 11, 17, 21, 25 | + +**PATH Integration:** + +All runtime binaries are automatically added to PATH inside the agent container. The PATH is configured using a dynamic `find` command that discovers all `bin` directories within `/opt/hostedtoolcache`: + +```bash +# PATH includes all hostedtoolcache binaries +export PATH="$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin)$PATH" +``` + +**Version Priority:** + +When multiple versions of a runtime are installed, versions configured by `actions/setup-*` take precedence. The agent detects which specific version is active by reading environment variables like `GOROOT`, `JAVA_HOME`, and ensures that version's binaries appear first in PATH. 
+ +**Using Runtimes in Workflows:** + +```yaml wrap +--- +jobs: + setup: + steps: + - uses: actions/setup-go@v5 + with: + go-version: '1.25' + - uses: actions/setup-python@v5 + with: + python-version: '3.12' +--- + +Use `go build` or `python3` in your workflow - both are available! +``` + +> [!TIP] +> Verify Runtime Availability +> Use `node --version`, `python3 --version`, `go version`, or `ruby --version` in your workflow to confirm runtime availability. The agent automatically inherits all runtimes configured by setup actions. + #### Custom AWF Configuration Use custom commands, arguments, and environment variables to replace the standard AWF installation with a custom setup: From 25e3edb7627b1f8810daac88f5b157770dfb0d83 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 28 Jan 2026 22:35:50 +0000 Subject: [PATCH 4/4] docs: Fix PATH export command in sandbox.md to show proper colon separator Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com> --- docs/src/content/docs/reference/sandbox.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/src/content/docs/reference/sandbox.md b/docs/src/content/docs/reference/sandbox.md index c5c52b3473..fd89ddb2aa 100644 --- a/docs/src/content/docs/reference/sandbox.md +++ b/docs/src/content/docs/reference/sandbox.md @@ -185,7 +185,7 @@ All runtime binaries are automatically added to PATH inside the agent container. ```bash # PATH includes all hostedtoolcache binaries -export PATH="$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin)$PATH" +export PATH="$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\n' ':')$PATH" ``` **Version Priority:**
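
Review bot: In PATCH 2/4, the `project:` object example in github-agentic-workflows.md shows `github-token: ${{ secrets.PROJECTS_PAT }}` and an optional `scope:` list, but the added lines never say which permissions that token needs or what the workflow may operate on when `scope` is omitted. Because the comment describes it as a "custom token for project operations", state the minimum permissions for the PAT and the default scope next to those two keys. The hunk also does not match the commit subject ("Initial plan for build/test environment documentation") and would be easier to review as its own commit.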
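
Review bot: In PATCH 2/4, the `assign-to-agent` example sets `target: "*"` even though the comment on the same line names `"triggering"` as the default, so anyone copying the block gets the wildcard value together with `target-repo` and the elevated `GH_AW_AGENT_TOKEN` PAT mentioned right below it. Show the default in the example, or add a line saying what `"*"` permits and how `allowed` and `max` limit it.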
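
Review bot: In PATCH 3/4, the `Draft PR Cleanup` row added to agent-factory-status.mdx is not covered by the commit subject, which names only sandbox.md. Move the row to its own commit or mention it in the message so the sandbox documentation change can be reviewed in isolation.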
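
Review bot: In PATCH 3/4, the default mounts table in sandbox.md loses its `/usr/bin/{date,gh,yq}` row while the new "Mounted System Utilities" section states that the utilities are mounted read-only from `/usr/bin/`, so the table no longer lists every host path exposed to the container. Keep a `/usr/bin/...` row in the table (or a row pointing at the utilities section) so the mount list stays complete in one place. The new `${HOME}/.cache` row is `rw`; it is worth one sentence saying that anything the agent writes to the build cache lands on the host path.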
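
Review bot: In PATCH 3/4, the "Version Priority" paragraph says versions configured by `actions/setup-*` appear first in PATH, but the snippet under "PATH Integration" only runs `find ... -name bin`, which returns directories in traversal order and reads neither `GOROOT` nor `JAVA_HOME`. Either show the ordering step or say explicitly that the snippet is simplified, and list which variables are consulted and what happens when they are unset, since the section above says missing variables are silently ignored. As committed in this patch the snippet also joins the `find` output to `$PATH` with no separator; that is corrected in PATCH 4/4, so the two could be squashed.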
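
Review bot: In PATCH 4/4, the corrected line `export PATH="$(find /opt/hostedtoolcache ... 2>/dev/null | tr '\n' ':')$PATH"` discards `find` errors, so a missing or unreadable `/opt/hostedtoolcache` mount leaves PATH unchanged with no diagnostic, which the surrounding text does not mention. The line also places every `bin` directory within four levels ahead of the existing PATH entries, so a tool-cache binary takes precedence over a same-named system utility; update the comment `# PATH includes all hostedtoolcache binaries` to say the directories are prepended, and document the behaviour when the directory is absent.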