diff --git a/.changeset/patch-fix-macos-arm64-agent-smoke-test.md b/.changeset/patch-fix-macos-arm64-agent-smoke-test.md new file mode 100644 index 0000000000..eda18c3506 --- /dev/null +++ b/.changeset/patch-fix-macos-arm64-agent-smoke-test.md @@ -0,0 +1,4 @@ +--- +"gh-aw": patch +--- +Fix the macOS ARM64 smoke test so the agent runs directly on the host without Docker and the Copilot CLI install script honors `$HOME`-based paths. diff --git a/.github/workflows/smoke-macos-arm64.lock.yml b/.github/workflows/smoke-macos-arm64.lock.yml index 0c7cc2494b..83e95ff0de 100644 --- a/.github/workflows/smoke-macos-arm64.lock.yml +++ b/.github/workflows/smoke-macos-arm64.lock.yml @@ -29,7 +29,7 @@ # - shared/github-queries-safe-input.md # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"b70a1fe2da0ccabf8a0f346e743ccb2ef07f8e0e7d3854c2fff90bb54fe8feb8"} +# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"b1ba6353cfdad528882b9a44fb9d63c6c6e89bfb55d85276f1217f6b66ab90ad"} name: "Smoke macOS ARM64" "on": @@ -147,7 +147,6 @@ jobs: cat "/opt/gh-aw/prompts/xpia.md" >> "$GH_AW_PROMPT" cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" cat "/opt/gh-aw/prompts/markdown.md" >> "$GH_AW_PROMPT" - cat "/opt/gh-aw/prompts/playwright_prompt.md" >> "$GH_AW_PROMPT" cat "/opt/gh-aw/prompts/cache_memory_prompt.md" >> "$GH_AW_PROMPT" cat << 'GH_AW_PROMPT_EOF' >> "$GH_AW_PROMPT" @@ -229,7 +228,6 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} - GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); @@ -406,12 +404,12 @@ jobs: actor: context.actor, event_name: context.eventName, staged: false, - allowed_domains: ["defaults","node","github","playwright"], - firewall_enabled: true, - awf_version: "v0.20.2", + allowed_domains: ["defaults"], + firewall_enabled: false, + awf_version: "", awmg_version: "v0.1.4", steps: { - firewall: "squid" + firewall: "" }, created_at: new Date().toISOString() }; @@ -431,10 +429,6 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.411 - - name: Install Docker on macOS - run: bash /opt/gh-aw/actions/install_docker_macos.sh - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.20.2 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -446,7 +440,13 @@ jobs: const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.20.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.20.2 ghcr.io/github/gh-aw-firewall/squid:0.20.2 ghcr.io/github/gh-aw-mcpg:v0.1.4 ghcr.io/github/github-mcp-server:v0.30.3 ghcr.io/github/serena-mcp-server:latest mcr.microsoft.com/playwright/mcp node:lts-alpine + run: | + # Skip Docker image downloads on macOS (Docker not available on GHA macOS runners) + if [ "$(uname -s)" = "Darwin" ]; then + echo "Skipping Docker image downloads on macOS (no Docker available)" + exit 0 + fi + bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs @@ -1477,6 +1477,7 @@ jobs: - name: Start MCP Gateway id: start-mcp-gateway + if: runner.os != 'macOS' env: GH_AW_GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GH_AW_SAFE_INPUTS_API_KEY: ${{ steps.safe-inputs-start.outputs.api_key }} @@ -1494,7 +1495,7 @@ jobs: # Export gateway environment variables for MCP config and gateway script export MCP_GATEWAY_PORT="80" - export MCP_GATEWAY_DOMAIN="host.docker.internal" + export MCP_GATEWAY_DOMAIN="localhost" MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 | tr -d '/+=') echo "::add-mask::${MCP_GATEWAY_API_KEY}" export MCP_GATEWAY_API_KEY @@ -1505,7 +1506,7 @@ jobs: export GH_AW_ENGINE="copilot" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_INPUTS_PORT -e GH_AW_SAFE_INPUTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_AW_GH_TOKEN -e GH_DEBUG -e GH_TOKEN -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.4' - mkdir -p /home/runner/.copilot + mkdir -p "$HOME/.copilot" cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh { "mcpServers": { @@ -1519,34 +1520,19 @@ jobs: "GITHUB_TOOLSETS": "context,repos,issues,pull_requests" } }, - "playwright": { - "type": "stdio", - "container": "mcr.microsoft.com/playwright/mcp", - "args": ["--init", "--network", "host", "--security-opt", "seccomp=unconfined", "--ipc=host"], - "entrypointArgs": ["--output-dir", "/tmp/gh-aw/mcp-logs/playwright", "--allowed-hosts", "localhost,localhost:*,127.0.0.1,127.0.0.1:*,github.com", "--allowed-origins", "localhost;localhost:*;127.0.0.1;127.0.0.1:*;github.com"], - "mounts": ["/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw"] - }, "safeinputs": { "type": "http", - "url": "http://host.docker.internal:$GH_AW_SAFE_INPUTS_PORT", + "url": "http://localhost:$GH_AW_SAFE_INPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_INPUTS_API_KEY}" } }, "safeoutputs": { "type": "http", - "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", + "url": "http://localhost:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" } - }, - "serena": { - "type": "stdio", - "container": "ghcr.io/github/serena-mcp-server:latest", - "args": ["--network", "host"], - "entrypoint": "serena", - "entrypointArgs": ["start-mcp-server", "--context", "codex", "--project", "\${GITHUB_WORKSPACE}"], - "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"] } }, "gateway": { @@ -1557,6 +1543,39 @@ jobs: } } GH_AW_MCP_CONFIG_EOF + - name: Setup MCP config for macOS (no Docker) + if: runner.os == 'macOS' + env: + GH_AW_SAFE_INPUTS_API_KEY: ${{ steps.safe-inputs-start.outputs.api_key }} + GH_AW_SAFE_INPUTS_PORT: ${{ steps.safe-inputs-start.outputs.port }} + GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }} + GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }} + run: | + # On macOS, skip the Docker-based MCP Gateway and write a direct MCP config + # with only HTTP-based MCP servers (safe-inputs, safe-outputs) + mkdir -p "$HOME/.copilot" + cat > "$HOME/.copilot/mcp-config.json" << MACOS_MCP_EOF + { + "mcpServers": { + "safeinputs": { + "type": "http", + "url": "http://localhost:${GH_AW_SAFE_INPUTS_PORT}", + "headers": { + "Authorization": "${GH_AW_SAFE_INPUTS_API_KEY}" + } + }, + "safeoutputs": { + "type": "http", + "url": "http://localhost:${GH_AW_SAFE_OUTPUTS_PORT}", + "headers": { + "Authorization": "${GH_AW_SAFE_OUTPUTS_API_KEY}" + } + } + } + } + MACOS_MCP_EOF + echo "Wrote macOS MCP config to $HOME/.copilot/mcp-config.json" + cat "$HOME/.copilot/mcp-config.json" - name: Generate workflow overview uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: @@ -1576,12 +1595,17 @@ jobs: timeout-minutes: 15 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.githubusercontent.com,*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,cdn.jsdelivr.net,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,esm.sh,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,go.dev,golang.org,googleapis.deno.dev,googlechromelabs.github.io,goproxy.io,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkg.go.dev,playwright.download.prss.microsoft.com,ppa.launchpad.net,proxy.golang.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,storage.googleapis.com,sum.golang.org,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.20.2 --skip-pull --enable-api-proxy \ - -- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log + COPILOT_CLI_INSTRUCTION="$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" + mkdir -p /tmp/ + mkdir -p /tmp/gh-aw/ + mkdir -p /tmp/gh-aw/agent/ + mkdir -p /tmp/gh-aw/cache-memory/ + mkdir -p /tmp/gh-aw/sandbox/agent/logs/ + copilot --add-dir /tmp/ --add-dir /tmp/gh-aw/ --add-dir /tmp/gh-aw/agent/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$COPILOT_CLI_INSTRUCTION"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json + GH_AW_MCP_CONFIG: ${{ env.HOME }}/.copilot/mcp-config.json GH_AW_MODEL_AGENT_COPILOT: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || '' }} GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} @@ -1590,7 +1614,7 @@ jobs: GITHUB_REF_NAME: ${{ github.ref_name }} GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }} GITHUB_WORKSPACE: ${{ github.workspace }} - XDG_CONFIG_HOME: /home/runner + XDG_CONFIG_HOME: ${{ env.HOME }} - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -1656,7 +1680,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,cdn.jsdelivr.net,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,esm.sh,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,googleapis.deno.dev,googlechromelabs.github.io,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" + GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} with: @@ -1709,21 +1733,6 @@ jobs: setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); await main(); - - name: Print firewall logs - if: always() - continue-on-error: true - env: - AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Fix permissions on firewall logs so they can be uploaded as artifacts - # AWF runs with sudo, creating files owned by root - sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi - name: Upload cache-memory data as artifact uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 if: always() @@ -1741,7 +1750,6 @@ jobs: /tmp/gh-aw/aw_info.json /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/safe-inputs/logs/ - /tmp/gh-aw/sandbox/firewall/logs/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ if-no-files-found: ignore @@ -1962,7 +1970,7 @@ jobs: GITHUB_REF_NAME: ${{ github.ref_name }} GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }} GITHUB_WORKSPACE: ${{ github.workspace }} - XDG_CONFIG_HOME: /home/runner + XDG_CONFIG_HOME: ${{ env.HOME }} - name: Parse threat detection results id: parse_results uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 diff --git a/.github/workflows/smoke-macos-arm64.md b/.github/workflows/smoke-macos-arm64.md index 465083e7ab..f320d7909b 100644 --- a/.github/workflows/smoke-macos-arm64.md +++ b/.github/workflows/smoke-macos-arm64.md @@ -20,31 +20,18 @@ imports: - shared/gh.md - shared/reporting.md - shared/github-queries-safe-input.md -network: - allowed: - - defaults - - node - - github - - playwright tools: cache-memory: true edit: bash: - "*" - github: - playwright: - allowed_domains: - - github.com - serena: - languages: - go: {} web-fetch: runtimes: go: version: "1.25" sandbox: - mcp: - container: "ghcr.io/github/gh-aw-mcpg" + agent: false +strict: false safe-outputs: add-comment: allowed-repos: ["github/gh-aw"] @@ -107,57 +94,41 @@ safe-outputs: run-success: "📰 VERDICT: [{workflow_name}]({run_url}) has concluded. All systems operational. This is a developing story. 🎤" run-failure: "📰 DEVELOPING STORY: [{workflow_name}]({run_url}) reports {status}. Our correspondents are investigating the incident..." timeout-minutes: 15 -strict: true --- -# Smoke Test: macOS ARM64 Container Validation +# Smoke Test: macOS ARM64 Agent Validation **IMPORTANT: Keep all outputs extremely short and concise. Use single-line responses where possible. No verbose explanations.** -**PURPOSE**: This smoke test validates that ARM64 container images (firewall, MCP gateway, API proxy) work correctly on macOS ARM64 (Apple Silicon) runners. This is critical for ensuring multi-architecture support. +**PURPOSE**: This smoke test validates that the Copilot CLI agent works correctly on macOS ARM64 (Apple Silicon) runners. The agent runs directly on the host without network firewall or containerized MCP servers, since Docker is not available on macOS GHA runners. ## Test Requirements 1. **Architecture Verification**: Run `uname -m` and `uname -s` to confirm you are running on an ARM64 macOS host. Report the architecture and OS. -2. **Docker Availability**: Verify Docker is available by running `docker info` and `docker version`. Report the Docker engine version and architecture. -3. **ARM64 Container Image Pull Test**: Pull the following container images and verify they are ARM64 architecture: - - `ghcr.io/github/gh-aw-firewall/agent:v0.20.0` - - `ghcr.io/github/gh-aw-firewall/squid:v0.20.0` - - `ghcr.io/github/gh-aw-firewall/api-proxy:v0.20.0` - - `ghcr.io/github/gh-aw-mcpg:v0.1.4` - For each image, run `docker inspect --format '{{.Architecture}}' ` and verify it reports `arm64`. -4. **Container Startup Test**: For each pulled image, attempt to start a container and verify it runs without crash: - - For `agent`: `docker run --rm ghcr.io/github/gh-aw-firewall/agent:v0.20.0 echo "agent OK"` - - For `squid`: `docker run --rm -d --name smoke-squid ghcr.io/github/gh-aw-firewall/squid:v0.20.0` then check it's running with `docker ps`, then `docker stop smoke-squid` - - For `api-proxy`: `docker run --rm ghcr.io/github/gh-aw-firewall/api-proxy:v0.20.0 --help` (or similar basic invocation) - - For `mcpg`: `docker run --rm ghcr.io/github/gh-aw-mcpg:v0.1.4 --help` (or similar basic invocation) -5. **GitHub MCP Testing**: Review the last 2 merged pull requests in ${{ github.repository }} -6. **Safe Inputs GH CLI Testing**: Use the `safeinputs-gh` tool to query 2 pull requests from ${{ github.repository }} (use args: "pr list --repo ${{ github.repository }} --limit 2 --json number,title,author") -7. **Serena MCP Testing**: - - Use the Serena MCP server tool `activate_project` to initialize the workspace at `${{ github.workspace }}` and verify it succeeds (do NOT use bash to run go commands - use Serena's MCP tools) - - After initialization, use the `find_symbol` tool to search for symbols (find which tool to call) and verify that at least 3 symbols are found in the results -8. **Playwright Testing**: Use the playwright tools to navigate to and verify the page title contains "GitHub" (do NOT try to install playwright - use the provided MCP tools) -9. **File Writing Testing**: Create a test file `/tmp/gh-aw/agent/smoke-test-macos-arm64-${{ github.run_id }}.txt` with content "Smoke test passed for macOS ARM64 at $(date)" (create the directory if it doesn't exist) -10. **Bash Tool Testing**: Execute bash commands to verify file creation was successful (use `cat` to read the file back) -11. **Discussion Interaction Testing**: +2. **Environment Check**: Run `sw_vers` to report the macOS version. Run `go version` to confirm Go is available. +3. **GitHub MCP Testing**: Review the last 2 merged pull requests in ${{ github.repository }}. Report the PR numbers and titles. +4. **Safe Inputs GH CLI Testing**: Use the `safeinputs-gh` tool to query 2 pull requests from ${{ github.repository }} (use args: "pr list --repo ${{ github.repository }} --limit 2 --json number,title,author") +5. **File Writing Testing**: Create a test file `/tmp/gh-aw/agent/smoke-test-macos-arm64-${{ github.run_id }}.txt` with content "Smoke test passed for macOS ARM64 at $(date)" (create the directory if it doesn't exist) +6. **Bash Tool Testing**: Execute bash commands to verify file creation was successful (use `cat` to read the file back) +7. **Discussion Interaction Testing**: - Use the `github-discussion-query` safe-input tool with params: `limit=1, jq=".[0]"` to get the latest discussion from ${{ github.repository }} - Extract the discussion number from the result (e.g., if the result is `{"number": 123, "title": "...", ...}`, extract 123) - Use the `add_comment` tool with `discussion_number: ` to add a fun, playful comment stating that the macOS ARM64 smoke test agent was here -12. **Build gh-aw**: Run `GOCACHE=/tmp/go-cache GOMODCACHE=/tmp/go-mod make build` to verify the agent can successfully build the gh-aw project (both caches must be set to /tmp because the default cache locations are not writable). If the command fails, mark this test as ❌ and report the failure. -13. **Discussion Creation Testing**: Use the `create_discussion` safe-output tool to create a discussion in the announcements category titled "macos-arm64 was here" with the label "ai-generated" -14. **Workflow Dispatch Testing**: Use the `dispatch_workflow` safe output tool to trigger the `haiku-printer` workflow with a haiku as the message input. Create an original, creative haiku about ARM64 containers or Apple Silicon. -15. **PR Review Testing**: Review the diff of the current pull request. Leave 1-2 inline `create_pull_request_review_comment` comments on specific lines, then call `submit_pull_request_review` with a brief body summarizing your review and event `COMMENT`. +8. **Build gh-aw**: Run `GOCACHE=/tmp/go-cache GOMODCACHE=/tmp/go-mod make build` to verify the agent can successfully build the gh-aw project (both caches must be set to /tmp because the default cache locations are not writable). If the command fails, mark this test as ❌ and report the failure. +9. **Discussion Creation Testing**: Use the `create_discussion` safe-output tool to create a discussion in the announcements category titled "macos-arm64 was here" with the label "ai-generated" +10. **Workflow Dispatch Testing**: Use the `dispatch_workflow` safe output tool to trigger the `haiku-printer` workflow with a haiku as the message input. Create an original, creative haiku about Apple Silicon. +11. **PR Review Testing**: Review the diff of the current pull request. Leave 1-2 inline `create_pull_request_review_comment` comments on specific lines, then call `submit_pull_request_review` with a brief body summarizing your review and event `COMMENT`. +12. **Web Fetch Testing**: Use the `web-fetch` tool to fetch https://api.github.com and verify the response contains valid JSON with a `current_user_url` field. ## Output 1. **Create an issue** with a summary of the smoke test run: - Title: "Smoke Test: macOS ARM64 - ${{ github.run_id }}" - Body should include: - - Host architecture and OS info - - Docker engine version and architecture - - ARM64 container image pull results (✅ or ❌ for each image) - - Container startup results (✅ or ❌ for each container) + - Host architecture and OS info (ARM64/macOS version) + - Go version - Test results (✅ or ❌ for each test) + - Note: Docker/containers are not tested (not available on macOS GHA runners) - Overall status: PASS or FAIL - Run URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} - Timestamp @@ -165,13 +136,11 @@ strict: true 2. Add a **very brief** comment (max 5-10 lines) to the current pull request with: - Host arch confirmation (ARM64/macOS) - - Container image status (✅ or ❌ for each) - - PR titles only (no descriptions) - ✅ or ❌ for each test result - Overall status: PASS or FAIL - Mention the pull request author and any assignees -3. Use the `add_comment` tool to add a **fun and creative comment** to the latest discussion (using the `discussion_number` you extracted in step 11) - be playful and entertaining in your comment +3. Use the `add_comment` tool to add a **fun and creative comment** to the latest discussion (using the `discussion_number` you extracted in step 7) - be playful and entertaining in your comment 4. Use the `send_slack_message` tool to send a brief summary message (e.g., "macOS ARM64 smoke test ${{ github.run_id }}: All tests passed! ✅") diff --git a/actions/setup/sh/install_copilot_cli.sh b/actions/setup/sh/install_copilot_cli.sh index e21de647f5..b129bb6eb2 100755 --- a/actions/setup/sh/install_copilot_cli.sh +++ b/actions/setup/sh/install_copilot_cli.sh @@ -21,7 +21,7 @@ VERSION="${1:-}" INSTALLER_URL="https://raw.githubusercontent.com/github/copilot-cli/main/install.sh" INSTALLER_TEMP="/tmp/copilot-install.sh" MAX_ATTEMPTS=3 -COPILOT_DIR="/home/runner/.copilot" +COPILOT_DIR="${HOME}/.copilot" # Fix directory ownership before installation # This is needed because a previous AWF run on the same runner may have used @@ -30,7 +30,7 @@ COPILOT_DIR="/home/runner/.copilot" # trying to create subdirectories. See: https://github.com/github/gh-aw/issues/12066 echo "Ensuring correct ownership of $COPILOT_DIR..." mkdir -p "$COPILOT_DIR" -sudo chown -R runner:runner "$COPILOT_DIR" +sudo chown -R "$(whoami)" "$COPILOT_DIR" # Function to download installer with retry logic download_installer_with_retry() {