fix: use absolute node path in AWF command to fix node: command not found on GPU runners + regenerate stale lock files

[Copilot]

Two issues from the Apr 15 workflow health dashboard: node: command not found recurring in Daily Issues Report Generator (aw-gpu-runner-T4), and 18 stale lock files from PR #26372 (context propagation refactor) that touched source without triggering recompile.

node: command not found fix

Root cause: On aw-gpu-runner-T4, sudo resets PATH via security policy. When sudo -E awf executes, the actions/setup-node path is stripped from the environment. AWF's chroot mode builds AWF_HOST_PATH from the environment at startup — but by then, node is gone from PATH. The copilot driver command inside the container:

# Before — relies on PATH having node, fails when sudo strips it
-- /bin/bash -c 'node ${RUNNER_TEMP}/gh-aw/actions/copilot_driver.cjs ...'

# After — uses absolute path captured before sudo, works in AWF chroot
-- /bin/bash -c '${GH_AW_NODE_BIN:-node} ${RUNNER_TEMP}/gh-aw/actions/copilot_driver.cjs ...'

Changes:

• pkg/workflow/copilot_engine_execution.go: The absolute node binary path is now resolved inline in the generated AWF execution step's PathSetup, before sudo -E awf runs. sudo -E preserves the exported variable, and AWF's --env-all forwards it into the container where ${GH_AW_NODE_BIN:-node} resolves to the correct binary. The generated script looks like:

  touch /tmp/gh-aw/agent-step-summary.md
  GH_AW_NODE_BIN=$(command -v node 2>/dev/null || true)
  export GH_AW_NODE_BIN
  (umask 177 && touch /tmp/gh-aw/agent-stdio.log)
  sudo -E awf ... --env-all \
    -- /bin/bash -c '${GH_AW_NODE_BIN:-node} ${RUNNER_TEMP}/gh-aw/actions/copilot_driver.cjs ...'

  The fallback to node preserves compatibility where PATH propagation works normally.

Stale lock files

• Ran make recompile — all 191 workflow lock files regenerated.
• Updated WASM golden test fixtures for the new command format.

---

Changeset

• Type: patch
• Description: Fixes AWF Copilot execution on runners where sudo strips PATH by using an absolute Node.js binary path, and documents regenerated stale workflow lock files.

Warning

⚠️ Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

• ab.chatgpt.com
• chatgpt.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "ab.chatgpt.com"
    - "chatgpt.com"

See Network Configuration for more information.

Generated by Changeset Generator for issue #26427 · ◷

---

---

✨ PR Review Safe Output Test - Run 24462380538

💥 [THE END] — Illustrated by Smoke Claude · ● 173.6K · ◷

[github-actions]

Hey @Copilot 👋 — thanks for picking up this workflow-health regression! Fixing the 18 stale lock files and the node: command not found failure in the Daily Issues Report Generator are both important, and it's great to see them tracked together in a PR.

A couple of things to address before this is ready for review:

• Split the PR — this covers two distinct issues: (1) stale lock-file recompilation and (2) the missing Node.js setup step in the Daily Issues Report Generator workflow. Keeping them separate makes it easier for reviewers to reason about each fix and to revert independently if needed.
• No diff yet — the PR is still a draft with 0 files changed. Once the implementation lands, make sure it includes:
  • The make recompile output or the actual recompiled .lock.yml files for the 18 affected workflows.
  • A Node.js setup step (or equivalent runner-config fix) in the affected workflow file.
• Add tests — if any Go-level logic is touched (e.g., lock-staleness detection), unit tests should accompany the change per the project's CI requirements (make test).

If you'd like a hand splitting and implementing, here's a ready-to-use prompt:

This WIP PR addresses two separate issues that should be split into two focused PRs:

**PR 1 — Fix stale lock files (18 workflows)**
- Run `make recompile` and commit the updated `.lock.yml` files for all 18 affected workflows listed in the PR body.
- Verify with `make build` and `make lint`.

**PR 2 — Fix `node: command not found` in Daily Issues Report Generator**
- Open `.github/workflows/daily-issues-report.md` (or the equivalent source file).
- Add a Node.js setup step (e.g., `actions/setup-node`) before the step that invokes the Copilot engine.
- Recompile that workflow with `make recompile`.
- Add or update any relevant tests, then verify with `make test` and `make lint`.

Create each PR as a separate branch from `main`, with a clear description explaining what was changed and why.

Generated by Contribution Check · ● 1.6M · ◷

[Copilot]

Pull request overview

This PR fixes AWF-based Copilot workflow execution on GPU runners where sudo resets PATH (causing node: command not found), and regenerates previously-stale compiled workflow lock files / golden fixtures.

Changes:

• Export an absolute Node binary path (GH_AW_NODE_BIN) during AWF bundle installation for reuse in later steps.
• Update Copilot engine execution to invoke the driver via ${GH_AW_NODE_BIN:-node} instead of plain node.
• Regenerate workflow lock files and WASM golden fixtures to reflect the updated command format.

Show a summary per file

File	Description
actions/setup/sh/install_awf_binary.sh	Exports GH_AW_NODE_BIN to GITHUB_ENV during bundle install.
pkg/workflow/copilot_engine_execution.go	Switches driver invocation prefix from node to ${GH_AW_NODE_BIN:-node}.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden	Updates golden output to new driver invocation.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden	Updates golden output to new driver invocation.
.github/workflows/workflow-health-manager.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/workflow-generator.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/weekly-safe-outputs-spec-review.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/weekly-blog-post-writer.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/video-analyzer.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/update-astro.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/test-workflow.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/test-project-url-default.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/test-dispatcher.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/terminal-stylist.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/super-linter.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/sub-issue-closer.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/smoke-update-cross-repo-pr.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/smoke-service-ports.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/smoke-create-cross-repo-pr.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/security-review.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/security-compliance.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/repository-quality-improver.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/repo-tree-map.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/repo-audit-analyzer.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/refiner.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/refactoring-cadence.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/q.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/pr-triage-agent.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/pr-nitpick-reviewer.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/plan.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/pdf-summary.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/notion-issue-summary.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/metrics-collector.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/jsweep.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/issue-triage-agent.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/issue-monster.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/gpclean.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/github-remote-mcp-auth-test.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/functional-pragmatist.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/firewall.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/example-permissions-warning.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/dictation-prompt.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/dev.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/dependabot-go-checker.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/dependabot-burner.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/dead-code-remover.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/daily-workflow-updater.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/daily-team-status.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/daily-semgrep-scan.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/daily-secrets-analysis.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/daily-regulatory.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/daily-malicious-code-scan.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/daily-cli-tools-tester.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/daily-cli-performance.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/daily-assign-issue-to-user.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/daily-architecture-diagram.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/craft.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/copilot-token-optimizer.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/copilot-pr-merged-report.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/contribution-check.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/constraint-solving-potd.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/code-simplifier.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/code-scanning-fixer.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/ci-coach.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/brave.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/bot-detection.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/artifacts-summary.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/archie.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/agentic-observability-kit.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/agent-persona-explorer.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/agent-performance-analyzer.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/agent-performance-analyzer.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.
.github/workflows/ace-editor.lock.yml	Regenerated lock output uses ${GH_AW_NODE_BIN:-node} for driver execution.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 131/131 changed files
• Comments generated: 1

[pelikhan]

@copilot do NOT modify GITHUB_ENV. Instead resolve node inlined when launching the driver.

[Copilot]

@copilot do NOT modify GITHUB_ENV. Instead resolve node inlined when launching the driver.

Done in eb8b970. The GITHUB_ENV write is removed from install_awf_binary.sh. Instead, GH_AW_NODE_BIN=$(command -v node 2>/dev/null || true) and export GH_AW_NODE_BIN are added to PathSetup in copilot_engine_execution.go, so the absolute node path is captured in the same run: script (before sudo -E awf resets PATH). sudo -E preserves the exported variable, and AWF's --env-all forwards it into the container where ${GH_AW_NODE_BIN:-node} uses it.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw gEcFlUU5L-xi_Cinapi (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw ota=5% yHigh=170M 64/pkg/tool/linu-f conf�� to pkg/workflow/-f cfg ache/go/1.25.8/x-f (http block)
• https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v7
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v7 --jq .object.sha (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v7 --jq .object.sha e-locks^{commit} (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v7 --jq .object.sha --local cfg $name) { hasDiscussionsEnabled } } (http block)
• https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
• https://api.github.com/repos/docker/build-push-action/git/ref/tags/v7
  • Triggering command: /usr/bin/gh gh api /repos/docker/build-push-action/git/ref/tags/v7 --jq .object.sha Jl_2rH3Mo cfg 64/pkg/tool/linu-f opilot (http block)
  • Triggering command: /usr/bin/gh gh api /repos/docker/build-push-action/git/ref/tags/v7 --jq .object.sha -health-fix-stale-locks^{commit} cfg $name) { hasDiscussionsEnabled } } user.email (http block)
• https://api.github.com/repos/githubnext/agentics/git/ref/tags/-
  • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/- --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[github-actions]

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

[github-actions]

✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready.

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

⚠️ Smoke Gemini failed. Gemini encountered unexpected challenges...

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

Agent Container Tool Check

Tool	Status	Version
bash	✅	5.2.21
sh	✅	available
git	✅	2.53.0
jq	✅	1.7
yq	✅	v4.52.5
curl	✅	8.5.0
gh	✅	2.89.0
node	✅	v20.20.2
python3	✅	3.12.3
go	✅	1.24.13
java	✅	21.0.10 (Temurin)
dotnet	✅	10.0.201

Result: 12/12 tools available ✅

Overall Status: PASS

🔧 Tool validation by Agent Container Smoke Test · ● 166.4K · ◷

[github-actions]

Smoke test summary (run 24462380478):

• Merged PRs: Rename NewWorkflow → CreateWorkflowMarkdownFile #26425 Rename NewWorkflow → CreateWorkflowMarkdownFile; fix: remove crates.io domains from python ecosystem entry #26430 fix: remove crates.io domains from python ecosystem entry
• GitHub MCP ✅
• Serena MCP ❌
• Playwright ✅
• Web Fetch ❌
• File Write ✅ | Bash Cat ✅ | Build ✅
• Overall: FAIL

Warning

⚠️ Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

• ab.chatgpt.com
• chatgpt.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "ab.chatgpt.com"
    - "chatgpt.com"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex · ◷

[github-actions]

🤖 Smoke test complete for run §24462380446

@Copilot (author) | assignees: @pelikhan, @Copilot

Test	Result
GitHub MCP	✅
MCP Scripts GH CLI	✅
Playwright	✅
Web Fetch	✅
File Writing + Bash	✅
Discussion Interaction	✅
Build gh-aw	✅
Artifact Upload	✅
Discussion Creation	✅
Workflow Dispatch	✅
PR Review	✅

Overall: ✅ PASS

📰 BREAKING: Report filed by Smoke Copilot · ● 805.7K · ◷

[github-actions]

This PR correctly addresses the node: command not found issue on GPU runners by capturing the absolute node path before sudo strips the PATH. The approach is sound — resolve once, export, and use ${GH_AW_NODE_BIN:-node} as a safe fallback. The lock file regeneration is also a good cleanup. LGTM.

📰 BREAKING: Report filed by Smoke Copilot · ● 805.7K

[github-actions]

Good fix — capturing node path before sudo strips the PATH. The || true guard prevents set -e failures when node is not installed, ensuring the export is graceful.

[github-actions]

Exporting GH_AW_NODE_BIN before the sudo -E invocation ensures sudo -E can forward it. This pattern is correct — the variable will be available in the AWF container environment.

[github-actions]

Commit pushed: 5b6d110

Generated by Changeset Generator

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

💥 Smoke Test 24462380538 — Claude engine nominal!

Core (#1-12)	PR Review (#13-19)	Overall
✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅	✅ ✅ ✅ ⚠️ ✅ ✅ ⚠️	PARTIAL (skips: #16 resolved thread, #19 no test PR)

💥 [THE END] — Illustrated by Smoke Claude · ● 173.6K · ◷

[github-actions]

💥 Automated smoke test review — all systems nominal! Run 24462380538. The GH_AW_NODE_BIN fix looks solid across all regenerated lock files.

💥 [THE END] — Illustrated by Smoke Claude · ● 173.6K

[github-actions]

✅ Good fix: Capturing the absolute node path before sudo resets PATH is the right approach. The 2>/dev/null || true graceful fallback ensures this doesn't break in environments where command -v behaves differently. Consider adding a comment here explaining why this capture is needed (e.g., # Capture node path before sudo strips PATH).

[github-actions]

🔍 These lock file regenerations look correct — the pattern \$\{GH_AW_NODE_BIN:-node} is consistently applied. Since this is a generated file, the fix in pkg/workflow/copilot_engine_execution.go is the source of truth; the lock file regeneration here correctly reflects the upstream template change.