Problem
On gh-aw v0.75.4 + AWF v0.25.53, running the Copilot engine in ARC/DinD mode (`DOCKER_HOST=(localhost/redacted)`) still requires six distinct workflow/infra-level workarounds that should be handled by AWF internally. Teams must ship a custom composite action alongside every workflow to work around these gaps.
Context
Source issue: github/gh-aw#34896
Closed issue #30840 marked this scenario COMPLETED at v0.75.0, but the workarounds are still required in v0.75.4.
Root Cause
Six remaining gaps in AWF's ARC/DinD support:
- `/etc/passwd`, `/etc/group`, `/etc/hosts` not staged from runner to DinD temp volume — AWF does not synthesize these for DinD mode.
- Copilot CLI binary not accessible at `/host/usr/local/bin/copilot` inside DinD chroot — runner FS is invisible to the DinD daemon.
- `mount_mcp_as_cli.cjs` hard-codes `github` as `INTERNAL_SERVERS`, silencing github MCP tools in DinD environments.
- Required `/tmp/gh-aw` subdirectories (`mcp-logs`, `sandbox/firewall/logs`) not pre-created by AWF in DinD mode.
- Node.js availability assumed baked into DinD image rather than sourced from runner FS.
- No first-class workaround detection or deprecation path.
Proposed Solution
In `containers/agent/entrypoint.sh` and `src/docker-manager.ts`: auto-synthesize `/etc` overrides and ensure required temp subdirs exist in DinD mode. In `mount_mcp_as_cli.cjs`: remove `github` from `INTERNAL_SERVERS` or make it configurable. Provide a documented migration guide to remove the workaround composite action.
Generated by Firewall Issue Dispatcher · 157.4 AIC · ⊞ 27.8K · ◷
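One way an entrypoint could synthesize the `/etc` overrides and pre-create the `/tmp/gh-aw` subdirectories named in the proposed solution, as an added example that is not AWF's own code. The function name `stage_dind_overrides`, the staging-root argument, the default account name `runner`, and the choice to write minimal files instead of copying the runner's are assumptions.

```shell
#!/bin/sh
# Added example: hypothetical helper, not AWF's entrypoint.sh.
# Usage: stage_dind_overrides STAGE_ROOT [UID] [GID] [USER]
# STAGE_ROOT is an assumed directory that the DinD daemon can see and that
# is later mounted into the agent container.
stage_dind_overrides() (
    stage_root=$1
    uid=${2:-$(id -u)}
    gid=${3:-$(id -g)}
    user=${4:-runner}    # assumed account name

    [ -n "$stage_root" ] || { echo "stage root required" >&2; exit 2; }
    # Reject values that could inject extra fields or lines into passwd/group.
    case $uid in ''|*[!0-9]*) echo "bad uid" >&2; exit 2 ;; esac
    case $gid in ''|*[!0-9]*) echo "bad gid" >&2; exit 2 ;; esac
    case $user in ''|*[!a-z0-9_-]*) echo "bad user" >&2; exit 2 ;; esac
    # A symlinked staging root could redirect the writes below.
    [ ! -L "$stage_root" ] || { echo "stage root is a symlink" >&2; exit 3; }

    umask 022    # scoped: the function body runs in a subshell
    mkdir -p "$stage_root/etc" \
             "$stage_root/tmp/gh-aw/mcp-logs" \
             "$stage_root/tmp/gh-aw/sandbox/firewall/logs" || exit 1

    # Synthesize minimal files rather than copying the runner's own, so
    # unrelated runner accounts and host entries are not exposed to the agent.
    {
        printf 'root:x:0:0:root:/root:/sbin/nologin\n'
        [ "$uid" -eq 0 ] || printf '%s:x:%s:%s::/home/%s:/bin/sh\n' \
            "$user" "$uid" "$gid" "$user"
    } > "$stage_root/etc/passwd" || exit 1
    {
        printf 'root:x:0:\n'
        [ "$gid" -eq 0 ] || printf '%s:x:%s:\n' "$user" "$gid"
    } > "$stage_root/etc/group" || exit 1
    printf '127.0.0.1 localhost\n::1 localhost\n' > "$stage_root/etc/hosts" || exit 1
    chmod 0644 "$stage_root/etc/passwd" "$stage_root/etc/group" "$stage_root/etc/hosts"
)
```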