feat: mount /usr/lib shared libraries for AWF container utilities #12085
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
- Create pkg/workflow/library_mounts.go with centralized mount logic
- GetLibraryMountArgs() for shared library directories
- GetBinaryMountArgs() for /usr/bin utilities
- GetAllUtilityMountArgs() combining both for engines
- Add pkg/workflow/library_mounts_test.go with comprehensive tests
- Update copilot_engine_execution.go to use centralized mount functions
- Update claude_engine.go to use library and binary mounts
- Update codex_engine.go to use library and binary mounts
- Add tests for library mounts across all engine types in gh_cli_mount_test.go
- Recompile all workflows with new library mounts

Library directories mounted (read-only):
- /usr/lib/x86_64-linux-gnu: Primary shared library location
- /lib/x86_64-linux-gnu: Alternative library location

This enables mounted /usr/bin utilities (curl, grep, jq, etc.) to access their shared library dependencies inside the AWF container.

Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
🔍 PR Triage Results
Category: feature | Risk: high | Priority: 45/100
📋 Recommended Action: batch_review
This PR mounts essential shared libraries ( Implementation:
Risk: High due to scope (142 files changed) and security implications of library mounting, but necessary for utility functionality.
Related PRs: Builds on #12062 (binary mounting) and enables #12130 (parity tests).
Triaged by PR Triage Agent on 2026-01-28T00:34:49Z
@copilot merge origin/main and regenerate
Pull request overview
This PR ensures mounted /usr/bin utilities (e.g., curl, jq, grep) work inside AWF containers by also mounting the host shared-library directories they depend on.
Changes:
- Added centralized helper functions to provide consistent binary + shared-library mount args.
- Updated Copilot/Claude/Codex engines to use the centralized mount configuration.
- Updated generated workflow “lock” YAMLs to include the new shared-library mounts in AWF invocations.
Reviewed changes
Copilot reviewed 142 out of 142 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| pkg/workflow/library_mounts.go | Introduces shared helper functions for /usr/bin and library-directory mounts. |
| pkg/workflow/copilot_engine_execution.go | Replaces inline utility mounts with centralized helper output. |
| pkg/workflow/claude_engine.go | Adds centralized utility + library mounts for Claude engine AWF execution. |
| pkg/workflow/codex_engine.go | Adds centralized utility + library mounts for Codex engine AWF execution. |
| .github/workflows/workflow-health-manager.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/workflow-generator.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/terminal-stylist.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/technical-doc-writer.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/super-linter.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/sub-issue-closer.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/smoke-codex.lock.yml | Adds /usr/bin/* and shared-library mounts to AWF command in locked workflow. |
| .github/workflows/security-review.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/security-fix-pr.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/security-compliance.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/secret-scanning-triage.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/repository-quality-improver.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/repo-tree-map.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/repo-audit-analyzer.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/q.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/pr-triage-agent.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/pr-nitpick-reviewer.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/portfolio-analyst.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/poem-bot.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/plan.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/pdf-summary.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/notion-issue-summary.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/metrics-collector.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/issue-triage-agent.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/issue-monster.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/issue-arborist.lock.yml | Adds /usr/bin/* and shared-library mounts to AWF command in locked workflow. |
| .github/workflows/grumpy-reviewer.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/github-remote-mcp-auth-test.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/example-permissions-warning.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/example-custom-error-patterns.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/duplicate-code-detector.lock.yml | Adds /usr/bin/* and shared-library mounts to AWF command in locked workflow. |
| .github/workflows/dictation-prompt.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/dev.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/dependabot-go-checker.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/dependabot-bundler.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/deep-report.lock.yml | Adds /usr/bin/* and shared-library mounts to AWF command in locked workflow. |
| .github/workflows/daily-team-status.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/daily-semgrep-scan.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/daily-secrets-analysis.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/daily-regulatory.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/daily-performance-summary.lock.yml | Adds /usr/bin/* and shared-library mounts to AWF command in locked workflow. |
| .github/workflows/daily-observability-report.lock.yml | Adds /usr/bin/* and shared-library mounts to AWF command in locked workflow. |
| .github/workflows/daily-issues-report.lock.yml | Adds /usr/bin/* and shared-library mounts to AWF command in locked workflow. |
| .github/workflows/daily-firewall-report.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/daily-fact.lock.yml | Adds /usr/bin/* and shared-library mounts to AWF command in locked workflow. |
| .github/workflows/daily-assign-issue-to-user.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/craft.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/copilot-pr-merged-report.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/codex-github-remote-mcp-test.lock.yml | Adds /usr/bin/* and shared-library mounts to AWF command in locked workflow. |
| .github/workflows/code-simplifier.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/code-scanning-fixer.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/ci-doctor.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/ci-coach.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/chroma-issue-indexer.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/changeset.lock.yml | Adds /usr/bin/* and shared-library mounts to AWF command in locked workflow. |
| .github/workflows/brave.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/archie.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/ai-moderator.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/agent-persona-explorer.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
| .github/workflows/agent-performance-analyzer.lock.yml | Adds shared-library mounts to AWF command in locked workflow. |
Comments suppressed due to low confidence (5)
pkg/workflow/library_mounts.go:1 - These mount paths are hard-coded for Debian/Ubuntu x86_64 multiarch layouts. On other architectures (e.g., arm64) or distros (e.g., lib64 layouts), these directories may not exist, causing mounted utilities to still fail (or the container invocation to fail if AWF requires the source path to exist). Consider selecting library directories based on `runtime.GOARCH`/platform conventions and/or making the mounted library roots configurable (e.g., via a config/env override), while defaulting to the current Ubuntu runner paths.
pkg/workflow/library_mounts.go:1 - Building the mount arg list via many `append` calls is verbose and easy to drift when updating the list. Consider defining the mount specs in a `[]string` (or a small table of paths) and generating the `[]string{"--mount", spec, ...}` output in a short loop, or returning a `[]string` literal directly. This reduces duplication and makes future edits less error-prone.
pkg/workflow/library_mounts.go:1 - Mounting entire system library directories into the sandbox increases the exposed host surface area compared to mounting only the specific `.so` files required by the mounted utilities. If the intent is to keep mounts as selective as possible, consider deriving a minimal allowlist of required shared libraries (e.g., from the known mounted binaries’ dependency graph) and mounting only those files (still read-only), rather than whole directories.
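The review points above (a table-driven generator for the `--mount` argument pairs instead of repeated `append` calls, architecture-aware library directories, and a minimal per-file allowlist derived from the mounted binaries' dependency graph) together with the read-only library-directory mounts described in the commit message, as an added Go example that is not the project's own code. `LibraryDirsForArch`, `ExistingPaths`, `ReadOnlyMountArgs` and `SharedLibrariesFromLdd` are hypothetical names; the Docker-style `type=bind,src=...,dst=...,readonly` spec and the amd64/arm64 multiarch triplet mapping are assumptions about what AWF accepts and which runners are in use; the `ldd` output is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"runtime"
	"sort"
	"strings"
)

// SampleLdd is constructed ldd-style output standing in for
// `ldd /usr/bin/curl /usr/bin/jq` on an Ubuntu x86_64 runner (not real data).
const SampleLdd = `
	linux-vdso.so.1 (0x00007ffc3a5d2000)
	libcurl.so.4 => /lib/x86_64-linux-gnu/libcurl.so.4 (0x00007f1a2c000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a2bc00000)
	libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f1a2bfe0000)
	libjq.so.1 => /lib/x86_64-linux-gnu/libjq.so.1 (0x00007f1a2bf80000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a2bc00000)
	libmissing.so.9 => not found
	/lib64/ld-linux-x86-64.so.2 (0x00007f1a2c200000)
`

// LibraryDirsForArch maps a GOARCH value to the Debian/Ubuntu multiarch
// library directories (assumed layout; only amd64 and arm64 are listed).
// Unknown architectures return nil rather than a guessed path.
func LibraryDirsForArch(goarch string) []string {
	triplets := map[string]string{
		"amd64": "x86_64-linux-gnu",
		"arm64": "aarch64-linux-gnu",
	}
	t, ok := triplets[goarch]
	if !ok {
		return nil
	}
	return []string{"/usr/lib/" + t, "/lib/" + t}
}

// ExistingPaths drops host paths that do not exist, so a missing multiarch
// directory shortens the mount list instead of failing the container start.
func ExistingPaths(paths []string) []string {
	var out []string
	for _, p := range paths {
		if _, err := os.Stat(p); err == nil {
			out = append(out, p)
		}
	}
	return out
}

// ReadOnlyMountArgs generates the "--mount" argument pairs from a path table
// in one loop. Every bind is read-only and lands at the same path inside the
// container. The spec syntax is Docker-style and assumed, not AWF's documented one.
func ReadOnlyMountArgs(paths []string) []string {
	args := make([]string, 0, 2*len(paths))
	for _, p := range paths {
		args = append(args, "--mount",
			fmt.Sprintf("type=bind,src=%s,dst=%s,readonly", p, p))
	}
	return args
}

// SharedLibrariesFromLdd parses ldd output into a sorted, deduplicated list of
// resolved shared-object paths: a minimal allowlist for mounting individual
// files instead of whole library directories. Unresolved ("not found") and
// virtual (vdso) entries are skipped; the dynamic loader line is kept.
func SharedLibrariesFromLdd(output string) []string {
	seen := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(output))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		var p string
		switch {
		case len(f) >= 3 && f[1] == "=>" && filepath.IsAbs(f[2]):
			p = f[2] // "libfoo.so => /path/libfoo.so (0x...)"
		case len(f) >= 1 && filepath.IsAbs(f[0]):
			p = f[0] // "/lib64/ld-linux-x86-64.so.2 (0x...)"
		}
		if p != "" {
			seen[p] = true
		}
	}
	libs := make([]string, 0, len(seen))
	for p := range seen {
		libs = append(libs, p)
	}
	sort.Strings(libs)
	return libs
}

func main() {
	// Directory-level mounts, chosen by the build architecture and filtered
	// to what actually exists on this host.
	dirs := ExistingPaths(LibraryDirsForArch(runtime.GOARCH))
	fmt.Println("directory mounts:", ReadOnlyMountArgs(dirs))
	// File-level allowlist from the constructed ldd sample.
	fmt.Println("file mounts:", ReadOnlyMountArgs(SharedLibrariesFromLdd(SampleLdd)))
}
```

The file-level list is the tighter option: it exposes only the objects the mounted utilities actually resolve, and anything `ldd` reports as `not found` is dropped rather than silently widened to a directory. The directory-level list keeps the commit's behaviour but degrades to fewer mounts, instead of a failed invocation, when a runner lacks one of the multiarch paths.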
Merged origin/main and regenerated all lock files. The commit
🔍 PR Triage Results
Category: feature | Risk: high | Priority: 42/100
📋 Recommended Action: defer
Rationale: This is a high-risk PR that implements selective /usr/lib mounting for shared libraries needed by container utilities. The massive changeset (15,422 additions, 8,627 deletions across 239 files) requires careful review. Should remain deferred until out of draft and CI validation is complete. Security implications of library mounting need thorough assessment.
Next steps: Mark as ready for review when CI is stable, security review is complete, and the scope of file changes is explained.
Triaged by PR Triage Agent on 2026-01-28
Warning
GitHub's Secret Scanning detected potential secrets in the added content. We attempted to remediate the issue by updating the code or redacting.