🏥 CI Failure: chroot mode fails to pass container environment variables to executing command #528

@github-actions

Summary

The Smoke Copilot workflow fails with "No authentication information found" when running GitHub Copilot CLI in chroot mode. The root cause is that environment variables set in the Docker container (like COPILOT_GITHUB_TOKEN) are not being passed through to commands executing inside the chroot environment.

Failed Run

Error Message

Error: No authentication information found.

Copilot can be authenticated with GitHub using an OAuth Token or a Fine-Grained Personal Access Token.

To authenticate, you can use any of the following methods:
  • Start 'copilot' and run the '/login' command
  • Set the COPILOT_GITHUB_TOKEN, GH_TOKEN, or GITHUB_TOKEN environment variable
  • Run 'gh auth login' to authenticate with the GitHub CLI

Root Cause Analysis

Environment Variable Flow

  1. Workflow sets COPILOT_GITHUB_TOKEN in environment (line 711 of workflow file)
  2. Command uses sudo -E awf --env-all to pass all environment variables to container
  3. docker-manager.ts correctly passes COPILOT_GITHUB_TOKEN to the agent container (not in EXCLUDED_ENV_VARS)
  4. BUG: containers/agent/entrypoint.sh writes command to temp script but does not export container environment variables

Code Analysis

In containers/agent/entrypoint.sh (lines 213-270), when chroot mode is enabled:

# Write the command to a temporary script file in the chroot
SCRIPT_FILE="/tmp/awf-cmd-$$.sh"

# Only PATH and language-specific vars are exported
cat > "/host${SCRIPT_FILE}" << AWFEOF
#!/bin/bash
export PATH="${AWF_HOST_PATH}"
AWFEOF

# Command is written directly - NO ENVIRONMENT VARIABLE EXPORTS
printf '%q ' "$@" >> "/host${SCRIPT_FILE}"

The script only exports:

  • PATH (AWF_HOST_PATH)
  • CARGO_HOME (if set)
  • JAVA_HOME (if set)
  • GOROOT (if set)
  • LD_LIBRARY_PATH (for Java)

All other container environment variables (including COPILOT_GITHUB_TOKEN) are lost.

Impact

Affected Workflows

  • ✅ Non-chroot workflows work fine (environment passed directly)
  • ❌ Chroot workflows fail when commands need authentication tokens or other environment variables

Current Failures

  • Smoke Copilot workflow (uses --enable-chroot)
  • Potentially any workflow using chroot mode that relies on environment variables

Working Workarounds (none ideal)

  1. Disable chroot mode (loses transparent host binary access)
  2. Manually pass tokens via command arguments instead of environment
  3. Write tokens to files and read from files (security risk)

Recommended Fix

Option 1: Export All Non-Excluded Env Vars (Preferred)

Modify entrypoint.sh to export all container environment variables (except system ones) when writing the chroot script:

# Export all non-system environment variables to the script
# This ensures tokens, credentials, and user-provided vars are available
for var in $(compgen -e); do
  # Skip system vars and those managed explicitly
  case "$var" in
    PATH|PWD|OLDPWD|SHLVL|_|SUDO_*|AWF_*|HOSTNAME|HOME)
      # Handled separately or not needed
      ;;
    *)
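      # Export user/workflow environment variables; %q shell-quotes the value
      # so quotes, $, backticks and newlines in a token cannot break the script
      printf 'export %s=%q\n' "$var" "${!var}" >> "/host${SCRIPT_FILE}"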
      ;;
  esac
done

Option 2: Selective Export Based on Prefix

Export only variables with specific prefixes:

  • COPILOT_* - Copilot CLI tokens
  • GH_* - GitHub CLI vars
  • GITHUB_* - GitHub Actions vars
  • NPM_*, PIP_*, etc. - Package manager configs

Option 3: Use env Command

Pass environment explicitly via env in the chroot command:

chroot /host env -i $(env | grep -E '^(COPILOT|GH|GITHUB)_') capsh --user="$HOST_USER" ...

Testing Requirements

After fix, verify:

  1. ✅ Smoke Copilot workflow passes with chroot mode
  2. ✅ COPILOT_GITHUB_TOKEN is accessible to copilot CLI
  3. ✅ GH_TOKEN/GITHUB_TOKEN work for GitHub API calls
  4. ✅ No system variables leak (PATH, HOME, etc. still controlled)
  5. ✅ Non-chroot mode still works (no regression)

Related Issues

Additional Context

This bug was masked before PR #524 because other issues prevented workflows from reaching the execution stage. After #524 fixed the proxy configuration, this environment variable bug became visible.

The issue affects all commands running in chroot mode that depend on environment variables, not just authentication tokens. Examples:

  • API keys (ANTHROPIC_API_KEY, OPENAI_API_KEY)
  • Configuration variables (DEBUG, LOG_LEVEL)
  • Tool-specific settings (NODE_ENV, RUST_BACKTRACE)

AI generated by CI Doctor
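
A runnable sketch of Option 1, added here and not taken from the awf repository: it writes the export lines with printf %q so token values containing quotes, $(...) or newlines survive unchanged, keeps the generated file owner-only, and reads the values back from an empty environment. The awf_* function names and the DEMO_* and AWF_INTERNAL values are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example, not code from the awf repository.

# Return 0 if the variable named $1 should be forwarded into the chroot
# script. The skip list is the one from Option 1.
awf_should_forward() {
  case "$1" in
    PATH|PWD|OLDPWD|SHLVL|_|SUDO_*|AWF_*|HOSTNAME|HOME) return 1 ;;
    *) return 0 ;;
  esac
}

# Print one "export NAME=VALUE" line per forwarded variable. %q quotes the
# value so quotes, $(...), backticks and newlines stay literal when the
# generated script is later executed by bash.
awf_emit_exports() {
  local var
  for var in $(compgen -e); do
    awf_should_forward "$var" || continue
    printf 'export %s=%q\n' "$var" "${!var}"
  done
}

# Write the export lines to the file named $1 with owner-only permissions,
# because the file now contains tokens.
awf_write_env_script() {
  ( umask 077; awf_emit_exports > "$1" )
}

# Source the generated script in an empty environment and print the value of
# the variable named $2, standing in for the command run inside the chroot.
awf_read_back() {
  env -i "$BASH" -c '. "$1"; printf "%s" "${!2}"' _ "$1" "$2"
}

# Constructed sample values (hypothetical, not real credentials).
export DEMO_TOKEN='tok"en $(echo INJECTED) `echo INJECTED` end'
export DEMO_MULTILINE=$'line1\nline2'
export AWF_INTERNAL='must-not-be-forwarded'

demo_script="$(mktemp)"
awf_write_env_script "$demo_script"
```

In entrypoint.sh the same export lines would go into /host${SCRIPT_FILE} ahead of the command line, and that file should be deleted once the command exits because it holds the forwarded secrets.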
