feat: add --rootless flag to install_copilot_cli.sh for ARC/DinD runners#46047
Conversation
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
- Parse --rootless flag (plus any flags before VERSION) with a full arg scan
instead of ${@:2} so --rootless works in any argument position
- Override INSTALL_DIR to ${HOME}/.local/bin in rootless mode
- Add maybe_sudo() wrapper that skips sudo when ROOTLESS=true
- Add preflight check for writable install directory in rootless mode
- Replace all sudo calls (chown, find, install, tar, chmod) with maybe_sudo
- Add GITHUB_PATH export after fresh-download install in rootless mode
- Use direct binary path for verification in rootless mode
Add install_copilot_cli_test.sh with 10 tests covering:
- Flag parsing in all argument positions
- INSTALL_DIR override for rootless/non-rootless modes
- GITHUB_PATH export and missing-GITHUB_PATH warning
- maybe_sudo behavior in both modes
Update docs to document --rootless and remove the
'allowPrivilegeEscalation: false is not supported' known limitation
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
Adds rootless Copilot CLI installation support for restricted ARC/DinD runners.
Changes:
- Adds
--rootless, user-local installation, and PATH export. - Adds shell tests and ARC documentation.
- Refreshes generated workflow metadata and schedule.
Show a summary per file
| File | Description |
|---|---|
actions/setup/sh/install_copilot_cli.sh |
Implements rootless installation. |
actions/setup/sh/install_copilot_cli_test.sh |
Adds rootless behavior tests. |
docs/.../arc-dind-copilot-agent.md |
Documents ARC rootless setup. |
docs/.../self-hosted-runners.md |
Updates sudo guidance. |
.github/workflows/skillet.lock.yml |
Refreshes action annotations. |
.github/workflows/release.lock.yml |
Refreshes action annotations. |
.github/workflows/hourly-ci-cleaner.lock.yml |
Refreshes action annotations. |
.github/workflows/avenger.lock.yml |
Refreshes action annotations. |
.github/workflows/agentic-auto-upgrade.yml |
Changes the weekly schedule. |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 9/9 changed files
- Comments generated: 3
- Review effort level: Medium
| # Inline the flag-parsing and directory-override block from install_copilot_cli.sh | ||
| # in a subshell so we can vary the arguments without touching the real filesystem. | ||
| parse_and_override() { | ||
| local args=("$@") | ||
| bash -c ' |
| on: | ||
| schedule: | ||
| - cron: "21 3 * * 5" # Weekly (auto-upgrade) | ||
| - cron: "11 4 * * 6" # Weekly (auto-upgrade) |
| - name: Install Copilot CLI (rootless) | ||
| run: bash "${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh" --rootless |
|
@copilot please run the Unresolved review threads:
|
|
Great work on the --rootless flag for install_copilot_cli.sh! Unblocking ARC/DinD clusters that enforce allowPrivilegeEscalation: false is a real pain point, and mirroring the pattern from install_awf_binary.sh keeps things consistent. This PR looks well-structured and ready for review: clear focused change, includes shell tests (install_copilot_cli_test.sh), updates relevant docs, and no new dependencies. No blockers spotted — looks good to go!
|
Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
Addressed the unresolved review feedback in commit
I also reran local validation ( Code review validation is clean; CodeQL timed out in the validation tool. CI on this new HEAD still needs a maintainer-triggered rerun (agent pushes do not trigger workflows). |
|
@copilot please run the Unresolved review threads:
|
Verified this on current HEAD ( Reran validation locally:
CI state for this HEAD is currently |
|
@copilot run pr-finisher skill |
Ran pr-finisher again on current HEAD ( Current state:
|
Add the same maybe_sudo / --rootless pattern from install_copilot_cli.sh and install_awf_binary.sh to the remaining install scripts that use sudo unconditionally: - install_antigravity_cli.sh: installs to ~/.local/bin without sudo - install_threat_detect_binary.sh: installs to ~/.local/bin without sudo Update the Go compiler to pass --rootless when network isolation is enabled (agent.network-isolation: true) for all three binary installers: antigravity, copilot, and threat-detect. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
AWF runs engine binaries inside a Docker container where they're referenced by absolute path (/usr/local/bin/copilot). Installing to ~/.local/bin would make them invisible to the container. The --rootless flag is correct for: - AWF binary itself (runs on host, found via PATH) - print_firewall_logs.sh (runs on host) But NOT for engine binaries (copilot, antigravity, threat-detect) that AWF mounts into the container from /usr/local/bin. The shell scripts still support --rootless for future use (e.g., non-sandbox workflows or direct invocation on restricted runners). Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
On ARC/DinD runners with allowPrivilegeEscalation: false, sudo is unavailable. Pass --rootless to install_copilot_cli.sh so it installs to ~/.local/bin instead of /usr/local/bin. Update the 'Copy Copilot CLI to daemon-visible path' step to use $(command -v copilot) instead of hardcoding /usr/local/bin/copilot, so it works regardless of where the binary was installed. Standard runners continue to install to /usr/local/bin (where AWF's container expects the binary via its sysroot overlay). Antigravity and threat-detect shell scripts support --rootless but the compiler doesn't wire them up yet — ARC/DinD support for those engines requires additional container PATH work. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
|
@copilot please run the Unresolved review threads:
Failed checks: The threads already have author follow-up replies; please verify the current HEAD, resolve stale review state where appropriate, and get the branch rechecked.
|
🤖 PR Triage
Rationale: Adds --rootless flag to install_copilot_cli.sh — unblocks ARC/DinD clusters with allowPrivilegeEscalation:false. Mirrors existing pattern in install_awf_binary.sh. CI pre_activation passing.
|
Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
Addressed and pushed in
I also verified the three referenced review threads are outdated relative to current branch content; they remain shown as unresolved in stale review state. Latest Smoke CI on this HEAD is |
|
@copilot please run the Unresolved review threads:
Failed checks:
|
Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
Verified on current HEAD
No additional code changes were required in this pass. CI on the current agent HEAD remains |
|
@copilot please run the
|
Revisited on current HEAD
No additional commit was required in this pass. Branch is ready for maintainer review; CI needs a maintainer-triggered rerun to refresh stale |
|
@copilot please run the Unresolved review threads:
|
Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
install_copilot_cli.shunconditionally usessudo, blocking ARC/DinD clusters that enforceallowPrivilegeEscalation: false. This mirrors the pattern already used byinstall_awf_binary.sh.Shell script (
install_copilot_cli.sh)--rootlessis recognized in any position (before or afterVERSION); first non-flag arg isVERSIONmaybe_sudo()— passes commands through directly in rootless mode, wraps withsudootherwise; replaces all 5 previous baresudocalls (chown,find,install,tar,chmod)--rootlessredirectsINSTALL_DIRfrom/usr/local/binto~/.local/bin~/.local/binis writable before attempting installGITHUB_PATHexport — appendsINSTALL_DIRafter fresh-download installs in rootless mode so subsequent steps find the binary${INSTALL_DIR}/copilot --versiondirectly in rootless mode (binary isn't onPATHyet)Tests (
install_copilot_cli_test.sh, new)10-test shell suite covering: flag parsing in all argument positions,
INSTALL_DIRoverrides,GITHUB_PATHexport, warning whenGITHUB_PATHis unset, andmaybe_sudobehavior in both modes.Docs
allowPrivilegeEscalation: false is not supportedknown limitation; updates troubleshooting entry to point at--rootlessinstead of "remove the constraint"--rootless