From d2236af1b593d9771e57e5ffc4a75710fbcaeb30 Mon Sep 17 00:00:00 2001 From: "Jiaxiao (mossaka) Zhou" Date: Fri, 6 Feb 2026 01:30:50 +0000 Subject: [PATCH 1/2] fix: ensure .copilot directory permissions before Copilot CLI install The Copilot CLI verification step tries to create /home/runner/.copilot/pkg/ which fails with EACCES if the directory was previously created with root ownership (e.g., by sudo -E awf during chroot version tests). Add a step to create .copilot with correct runner ownership before the Copilot CLI install in both the .md source and lock file. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/smoke-chroot.lock.yml | 8 ++++++++ .github/workflows/smoke-chroot.md | 4 ++++ 2 files changed, 12 insertions(+) diff --git a/.github/workflows/smoke-chroot.lock.yml b/.github/workflows/smoke-chroot.lock.yml index 036d675b..06ec2ef6 100644 --- a/.github/workflows/smoke-chroot.lock.yml +++ b/.github/workflows/smoke-chroot.lock.yml @@ -191,6 +191,10 @@ jobs: run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} + - name: Ensure .copilot directory permissions + run: | + mkdir -p /home/runner/.copilot + sudo chown -R runner:runner /home/runner/.copilot - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.402 - name: Install awf binary 
@@ -959,6 +963,10 @@ jobs: run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} + - name: Ensure .copilot directory permissions + run: | + mkdir -p /home/runner/.copilot + sudo chown -R runner:runner /home/runner/.copilot - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.402 - name: Execute GitHub Copilot CLI diff --git a/.github/workflows/smoke-chroot.md b/.github/workflows/smoke-chroot.md index 3ed0ae0c..992ddb9a 100644 --- a/.github/workflows/smoke-chroot.md +++ b/.github/workflows/smoke-chroot.md @@ -153,6 +153,10 @@ steps: if: always() run: | ./scripts/ci/cleanup.sh || true + - name: Ensure .copilot directory permissions + run: | + mkdir -p /home/runner/.copilot + sudo chown -R runner:runner /home/runner/.copilot --- # Analyze Chroot Test Results From 3b5cc8d21575ce90b4a5c21b7a784ade01cff297 Mon Sep 17 00:00:00 2001 From: "Jiaxiao (mossaka) Zhou" Date: Fri, 6 Feb 2026 01:44:24 +0000 Subject: [PATCH 2/2] fix: remove leftover SQUID_INTERCEPT_PORT references from revert The intercept mode revert (#541) missed 3 references to SQUID_INTERCEPT_PORT in docker-manager.ts: the constant definition, the port mapping on the Squid container, and the env var passed to the agent container. Squid no longer listens on port 3129, so these are dead code. Co-Authored-By: Claude Opus 4.6 (1M context) --- src/docker-manager.ts | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/docker-manager.ts b/src/docker-manager.ts index 99f27b87..410ab789 100644 --- a/src/docker-manager.ts +++ b/src/docker-manager.ts 
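Review bot: In the smoke-chroot.md hunk the new step is appended after the `if: always()` cleanup step at the end of the frontmatter `steps:`, but both smoke-chroot.lock.yml hunks place it directly before `Install GitHub Copilot CLI`, the second one in what appears to be a different job. If the lock file was edited by hand rather than recompiled from this source, the next compile may move or drop the step, so regenerate the lock and confirm the step still precedes the install. The step also hard-codes the home path and account; `mkdir -p "$HOME/.copilot"` and `sudo chown -R "$(id -un):$(id -gn)" "$HOME/.copilot"` would keep the root-run chown scoped to the invoking user's own directory. A comment such as `# sudo -E awf can leave ~/.copilot root-owned; restore ownership before the CLI install` would record why the step exists.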
@@ -9,7 +9,6 @@ import { generateSquidConfig } from './squid-config'; import { generateSessionCa, initSslDb, CaFiles, parseUrlPatterns } from './ssl-bump'; const SQUID_PORT = 3128; -const SQUID_INTERCEPT_PORT = 3129; // Port for transparently intercepted traffic /** * Base image for the 'act' preset when building locally. @@ -273,7 +272,7 @@ export function generateDockerCompose( retries: 5, start_period: '10s', }, - ports: [`${SQUID_PORT}:${SQUID_PORT}`, `${SQUID_INTERCEPT_PORT}:${SQUID_INTERCEPT_PORT}`], + ports: [`${SQUID_PORT}:${SQUID_PORT}`], // Security hardening: Drop unnecessary capabilities // Squid only needs network capabilities, not system administration capabilities cap_drop: [ @@ -329,7 +328,6 @@ export function generateDockerCompose( HTTPS_PROXY: `http://${networkConfig.squidIp}:${SQUID_PORT}`, SQUID_PROXY_HOST: 'squid-proxy', SQUID_PROXY_PORT: SQUID_PORT.toString(), - SQUID_INTERCEPT_PORT: SQUID_INTERCEPT_PORT.toString(), HOME: homeDir, PATH: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', };
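Review bot: The rewritten `ports:` entry in the second docker-manager.ts hunk still publishes the Squid port with a bare host:container mapping, which Docker Compose binds on all host interfaces by default. The third hunk shows the agent reaching the proxy at `networkConfig.squidIp`, so if the published port is only needed from the host itself, prefixing the mapping with `127.0.0.1:` (or dropping it) would keep the proxy unreachable from other machines on the runner's network. Because this commit also removes the `SQUID_INTERCEPT_PORT` variable from the agent environment, check that no container-side script outside this diff still reads it. generateDockerCompose starts and ends outside these hunks.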