Harden Copilot AWF node bootstrap when GH_AW_NODE_BIN is invalid in container #26918

Merged
lpcox merged 10 commits into main from copilot/aw-failures-fix-node-bin-path
Apr 18, 2026

Copilot AI commented Apr 17, 2026

Two Copilot workflows failed because GH_AW_NODE_BIN was exported from the host toolcache (/home/runner/work/_tool/...) and then reused inside AWF container execution where that path was not available. The driver launch used the broken path unconditionally, causing /bin/bash: ... No such file or directory.

  • Runtime node resolution in AWF Copilot execution

    • Replaced direct ${GH_AW_NODE_BIN:-node} usage with guarded runtime resolution:
      • prefer GH_AW_NODE_BIN only when executable
      • otherwise fall back to command -v node (then node)
    • This keeps host-optimized resolution when valid, but avoids hard failure on unmapped toolcache paths.
  • Shared command fragment for consistency

    • Extracted node-resolution shell logic into a shared constant used by command generation and tests to keep behavior and assertions aligned.
  • Golden/workflow output updates

    • Updated WASM golden fixtures for the generated AWF command to reflect the new guarded node bootstrap sequence.
  • Merge-conflict resolution with main

    • Merged origin/main and resolved conflicts in generated workflow outputs.
    • Preserved this PR’s node-bootstrap fallback while keeping AWF command-line flag behavior that already landed in main.
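
```bash
# Prefer the host-provided binary only if it is set and executable here.
GH_AW_NODE_EXEC="${GH_AW_NODE_BIN:-}"
if [ -z "$GH_AW_NODE_EXEC" ] || [ ! -x "$GH_AW_NODE_EXEC" ]; then
  # Otherwise resolve node from PATH, falling back to the bare name.
  GH_AW_NODE_EXEC="$(command -v node 2>/dev/null || echo node)"
fi
"$GH_AW_NODE_EXEC" "${RUNNER_TEMP}/gh-aw/actions/copilot_driver.cjs" ...
```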

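The guarded resolution described above, exercised against constructed paths (an added example, not code from this PR or the gh-aw project). `resolve_node`, `resolve_node_strict` and the sandbox layout are hypothetical; the strict variant adds a regular-file check that the PR does not describe, because `[ -x ]` also succeeds on a searchable directory.

```bash
#!/usr/bin/env bash
# Added example (not from the PR): the guarded resolution as a function,
# run against constructed paths. All names and paths here are hypothetical.

# Same decision logic as the PR's fragment; the candidate is passed as $1
# (callers would pass "${GH_AW_NODE_BIN:-}"). Subshell body keeps vars local.
resolve_node() (
  node_exec="${1:-}"
  if [ -z "$node_exec" ] || [ ! -x "$node_exec" ]; then
    node_exec="$(command -v node 2>/dev/null || echo node)"
  fi
  printf '%s\n' "$node_exec"
)

# Stricter variant (an addition, not in the PR): also require a regular file,
# because `[ -x ]` is true for any searchable directory.
resolve_node_strict() (
  node_exec="${1:-}"
  if [ ! -f "$node_exec" ] || [ ! -x "$node_exec" ]; then
    node_exec="$(command -v node 2>/dev/null || echo node)"
  fi
  printf '%s\n' "$node_exec"
)

# Constructed sandbox standing in for the host toolcache and container PATH.
SANDBOX="$(mktemp -d)"
trap 'rm -rf "$SANDBOX"' EXIT
mkdir -p "$SANDBOX/container/bin" "$SANDBOX/toolcache/node-dir"
printf '#!/bin/sh\necho stub-node\n' > "$SANDBOX/container/bin/node"
cp "$SANDBOX/container/bin/node" "$SANDBOX/toolcache/node-ok"
chmod +x "$SANDBOX/container/bin/node" "$SANDBOX/toolcache/node-ok"
printf 'data\n' > "$SANDBOX/toolcache/node-noexec"   # exists, not executable
PATH="$SANDBOX/container/bin:$PATH"

# Unset, missing path, non-executable file, valid binary, directory.
for candidate in "" \
    "$SANDBOX/toolcache/missing/bin/node" \
    "$SANDBOX/toolcache/node-noexec" \
    "$SANDBOX/toolcache/node-ok" \
    "$SANDBOX/toolcache/node-dir"; do
  printf 'candidate=%s\n  pr-logic: %s\n  strict:   %s\n' \
    "${candidate:-<unset>}" \
    "$(resolve_node "$candidate")" "$(resolve_node_strict "$candidate")"
done
```

With the PR's logic, a directory passes the `-x` test and is returned as the interpreter, so the launch still fails; the strict variant falls back to the `node` found on `PATH`.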

Copilot AI changed the title from "[WIP] Fix broken Node.js binary path in agent container" to "Harden Copilot AWF node bootstrap when GH_AW_NODE_BIN is invalid in container" on Apr 17, 2026
Copilot AI requested a review from pelikhan April 17, 2026 18:00
@pelikhan

@lpcox I broke self-hosted runners

@lpcox

lpcox commented Apr 18, 2026

@copilot resolve the merge conflicts in this pull request. Make sure that awf command line flags incorporate requirements from this PR as well as what has already landed in main.

@lpcox

lpcox commented Apr 18, 2026

@copilot resolve the merge conflicts in this pull request

Copilot AI and others added 2 commits April 18, 2026 19:43
…ix-node-bin-path

# Conflicts:

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

Copilot AI commented Apr 18, 2026

@copilot resolve the merge conflicts in this pull request. Make sure that awf command line flags incorporate requirements from this PR as well as what has already landed in main.

Merged origin/main, resolved the PR conflicts, and kept both sets of requirements in the AWF/Copilot command path (including your latest main-branch AWF flag behavior plus this PR’s GH_AW_NODE_BIN runtime fallback). Addressed in 28f577f (merge resolution) with fixture refresh in 7cb0909.


Copilot AI commented Apr 18, 2026

@copilot resolve the merge conflicts in this pull request

Conflicts are resolved on this PR branch. Merge resolution is in 28f577f, with follow-up fixture alignment in 7cb0909. No UI changes were made (no screenshot applicable).

@lpcox lpcox marked this pull request as ready for review April 18, 2026 19:50
Copilot AI review requested due to automatic review settings April 18, 2026 19:50

Copilot AI left a comment

Pull request overview

Hardens Copilot AWF container execution by avoiding unconditional use of GH_AW_NODE_BIN when it points to a host-only toolcache path, preventing /bin/bash: ... No such file or directory failures inside containers.

Changes:

  • Add guarded runtime Node resolution (prefer GH_AW_NODE_BIN only when executable; otherwise fall back to command -v node / node) for driver invocation.
  • Centralize the shell fragment as a shared constant and assert its presence in the execution-step unit test.
  • Regenerate golden fixtures and workflow lockfiles to match the new bootstrap sequence.

| File | Description |
| --- | --- |
| pkg/workflow/copilot_engine_execution.go | Introduces shared Node runtime resolution fragment and uses it when building the driver execution prefix. |
| pkg/workflow/copilot_engine_test.go | Adds an assertion that the execution step includes the Node runtime resolution logic. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden | Updates expected generated AWF command to include guarded Node bootstrap logic. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden | Updates expected generated AWF command to include guarded Node bootstrap logic. |
| .github/workflows/workflow-health-manager.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/workflow-generator.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/weekly-safe-outputs-spec-review.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/weekly-blog-post-writer.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/video-analyzer.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/test-workflow.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/test-project-url-default.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/test-dispatcher.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/terminal-stylist.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/technical-doc-writer.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/super-linter.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/sub-issue-closer.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/smoke-update-cross-repo-pr.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/smoke-service-ports.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/smoke-create-cross-repo-pr.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/smoke-ci.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/security-review.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/security-compliance.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/repository-quality-improver.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/repo-tree-map.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/repo-audit-analyzer.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/refiner.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/refactoring-cadence.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/q.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/pr-triage-agent.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/pr-nitpick-reviewer.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/plan.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/pdf-summary.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/notion-issue-summary.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/metrics-collector.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/jsweep.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/issue-triage-agent.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/issue-monster.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/gpclean.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/github-remote-mcp-auth-test.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/firewall.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/example-permissions-warning.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/dictation-prompt.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/dev.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/dependabot-go-checker.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/dependabot-burner.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/dead-code-remover.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/daily-workflow-updater.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/daily-team-status.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/daily-semgrep-scan.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/daily-secrets-analysis.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/daily-regulatory.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/daily-malicious-code-scan.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/daily-cli-tools-tester.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/daily-cli-performance.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/daily-assign-issue-to-user.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/daily-architecture-diagram.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/craft.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/copilot-token-optimizer.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/copilot-pr-merged-report.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/contribution-check.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/constraint-solving-potd.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/code-simplifier.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/code-scanning-fixer.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/ci-coach.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/brave.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/bot-detection.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/archie.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/agentic-observability-kit.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/agent-persona-explorer.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/agent-performance-analyzer.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |
| .github/workflows/agent-performance-analyzer.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic (threat-detection step). |
| .github/workflows/ace-editor.lock.yml | Regenerated locked workflow output to include guarded Node bootstrap logic. |

Copilot's findings

  • Files reviewed: 131/131 changed files
  • Comments generated: 0

@lpcox lpcox merged commit 038ad0c into main Apr 18, 2026
95 of 142 checks passed
@lpcox lpcox deleted the copilot/aw-failures-fix-node-bin-path branch April 18, 2026 19:58

Successfully merging this pull request may close these issues.

[aw-failures] Node.js v24.15.0 binary not found in agent container (GH_AW_NODE_BIN path broken)

4 participants