
security: add runtime check to prevent RUNNER_TEMP=/tmp collision with runtime tree#25176

Merged
pelikhan merged 2 commits into main from copilot/add-runtime-check-for-temp-collision
Apr 7, 2026

Conversation

Contributor

Copilot AI commented Apr 7, 2026

On self-hosted runners where $RUNNER_TEMP resolves to /tmp, the setup tree (${RUNNER_TEMP}/gh-aw, :ro) and runtime tree (/tmp/gh-aw, :rw) collapse into the same path — giving the agent write access to compiled scripts, prompts, and MCP configs that must remain immutable.

Changes

  • actions/setup/setup.sh: Added a collision guard immediately after the existing RUNNER_TEMP validation block:
    • Resolves RUNNER_TEMP to its canonical path via pwd -P (follows symlinks)
    • Guards against empty resolution result
    • Uses ${RESOLVED_RUNNER_TEMP%/} to normalize trailing slashes before comparison
    • Fails fast with an actionable error + docs link if RUNNER_TEMP resolves to /tmp
RESOLVED_RUNNER_TEMP="$(cd "${RUNNER_TEMP}" && pwd -P)"
if [ -z "${RESOLVED_RUNNER_TEMP}" ]; then
  echo "::error::Failed to resolve canonical path for RUNNER_TEMP: ${RUNNER_TEMP}"
  exit 1
fi
if [ "${RESOLVED_RUNNER_TEMP%/}" = "/tmp" ]; then
  echo "::error::RUNNER_TEMP resolves to /tmp, which conflicts with gh-aw's runtime tree (/tmp/gh-aw). ..."
  exit 1
fi

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules (the triggering-command lines below keep only the part of each command that survived log extraction):

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • https://api.github.com/orgs/test-owner/actions/secrets
    • Triggering command: /usr/bin/gh api /orgs/test-owner/actions/secrets --jq .secrets[].name (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
    • Triggering command: /usr/bin/gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v3
    • Triggering command: /usr/bin/gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v5
    • Triggering command: /usr/bin/gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: /usr/bin/gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: /usr/bin/gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: /usr/bin/gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: /usr/bin/gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
    • Triggering command: /usr/bin/gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
    • Triggering command: /usr/bin/gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
    • Triggering command: /usr/bin/gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name (http block)
    • Triggering command: /usr/bin/gh run download 1 --dir test-logs/run-1 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
    • Triggering command: /usr/bin/gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name (http block)
    • Triggering command: /usr/bin/gh run download 12345 --dir test-logs/run-12345 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
    • Triggering command: /usr/bin/gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name (http block)
    • Triggering command: /usr/bin/gh run download 12346 --dir test-logs/run-12346 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
    • Triggering command: /usr/bin/gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name (http block)
    • Triggering command: /usr/bin/gh run download 2 --dir test-logs/run-2 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
    • Triggering command: /usr/bin/gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name (http block)
    • Triggering command: /usr/bin/gh run download 3 --dir test-logs/run-3 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
    • Triggering command: /usr/bin/gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name (http block)
    • Triggering command: /usr/bin/gh run download 4 --dir test-logs/run-4 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
    • Triggering command: /usr/bin/gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name (http block)
    • Triggering command: /usr/bin/gh run download 5 --dir test-logs/run-5 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/workflows
    • Triggering command: /usr/bin/gh workflow list --json name,state,path (http block)
    • Triggering command: /usr/bin/gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 (http block)
    • Triggering command: /usr/bin/gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
    • Triggering command: /usr/bin/gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
    • Triggering command: /usr/bin/gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
    • Triggering command: /usr/bin/gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha (http block)
  • https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
    • Triggering command: /usr/bin/gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha (http block)
  • https://api.github.com/repos/nonexistent/repo/actions/runs/12345
    • Triggering command: /usr/bin/gh run view 12345 --repo nonexistent/repo --json status,conclusion (http block)
  • https://api.github.com/repos/owner/repo/actions/workflows
    • Triggering command: /usr/bin/gh workflow list --json name,state,path --repo owner/repo (http block)
  • https://api.github.com/repos/owner/repo/contents/file.md
    • Triggering command: /tmp/go-build2921229393/b397/cli.test -test.testlogfile=/tmp/go-build2921229393/b397/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true (http block)
    • Triggering command: /tmp/go-build3198227836/b397/cli.test -test.testlogfile=/tmp/go-build3198227836/b397/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true (http block)
  • https://api.github.com/repos/test-owner/test-repo/actions/secrets
    • Triggering command: /usr/bin/gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name (http block)

If you need me to access, download, or install something from one of these locations, you can either:



✨ PR Review Safe Output Test - Run 24108821682

Note

🔒 Integrity filter blocked 1 item

The following item was blocked because it doesn't meet the GitHub integrity level.

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

💥 [THE END] — Illustrated by Smoke Claude · ● 215K ·

…h runtime tree

When RUNNER_TEMP resolves to /tmp on custom/self-hosted runners, the setup
tree (${RUNNER_TEMP}/gh-aw, mounted read-only) and the runtime tree
(/tmp/gh-aw, mounted read-write) collapse into the same directory. This
would allow the agent to overwrite compiled scripts, prompts, and MCP configs
that must remain immutable.

Add a guard in actions/setup/setup.sh that resolves RUNNER_TEMP to its
canonical path and fails fast if it equals /tmp.

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/21332be3-8c10-4ec4-8b3f-e2d4be927c9b

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
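The guard above compares a canonicalized RUNNER_TEMP against the literal string /tmp. As an added example (not gh-aw's setup.sh and not part of this PR), the function below canonicalizes both sides of the comparison, so a symlinked /tmp (macOS resolves /tmp to /private/tmp) is still caught, and it also flags the nested layout where one tree sits inside the other, which an exact-match test misses. The tree layout (${RUNNER_TEMP}/gh-aw read-only, /tmp/gh-aw read-write) is the one the PR describes; the function names, the optional RUNTIME_ROOT parameter, and the scratch directories that run_demo builds to stand in for /tmp are this example's own.

```sh
#!/bin/sh
# Added example: a tree-collision guard in the spirit of the PR's check, not gh-aw's own code.
# Assumed layout (from the PR description): setup tree = ${RUNNER_TEMP}/gh-aw (read-only),
# runtime tree = ${RUNTIME_ROOT}/gh-aw (read-write), RUNTIME_ROOT defaulting to /tmp.

# canon DIR: print the canonical path of DIR (symlinks resolved), or nothing if DIR is
# not an enterable directory. Always returns 0 so callers under `set -e` can test the output.
canon() {
  (cd "$1" 2>/dev/null && pwd -P) || :
}

# check_tree_collision RUNNER_TEMP [RUNTIME_ROOT]
# Exit status: 0 = trees are disjoint, 1 = trees collide or nest, 2 = RUNNER_TEMP unresolvable.
check_tree_collision() {
  runner_temp=$1
  runtime_root=${2:-/tmp}

  resolved=$(canon "$runner_temp")
  if [ -z "$resolved" ]; then
    echo "::error::Failed to resolve canonical path for RUNNER_TEMP: $runner_temp"
    return 2
  fi
  # Canonicalize the runtime side too; fall back to the literal if it cannot be entered.
  runtime_canon=$(canon "$runtime_root")
  [ -n "$runtime_canon" ] || runtime_canon=$runtime_root

  setup_tree="${resolved%/}/gh-aw"
  runtime_tree="${runtime_canon%/}/gh-aw"

  # Exact overlap: RUNNER_TEMP=/tmp, /tmp/, or any symlink alias of it.
  if [ "$setup_tree" = "$runtime_tree" ]; then
    echo "::error::RUNNER_TEMP ($runner_temp) resolves to $resolved; setup tree and runtime tree collapse into $runtime_tree"
    return 1
  fi
  # Nesting: e.g. RUNNER_TEMP=/tmp/gh-aw puts the setup tree inside the writable runtime tree.
  case "$setup_tree" in
    "$runtime_tree"/*)
      echo "::error::setup tree $setup_tree lies inside runtime tree $runtime_tree"
      return 1 ;;
  esac
  case "$runtime_tree" in
    "$setup_tree"/*)
      echo "::error::runtime tree $runtime_tree lies inside setup tree $setup_tree"
      return 1 ;;
  esac
  return 0
}

# run_demo: exercise the guard against a constructed scratch layout (a stand-in for /tmp),
# returning 0 only if every case produced the expected status.
run_demo() {
  scratch=$(mktemp -d) || return 1
  mkdir -p "$scratch/rt/gh-aw" "$scratch/safe"   # rt plays the role of /tmp
  ln -s "$scratch/rt" "$scratch/link"             # link plays the role of /tmp -> /private/tmp
  ok=0

  rc=0; check_tree_collision "$scratch/safe"      "$scratch/rt" >/dev/null || rc=$?
  [ "$rc" -eq 0 ] || ok=1   # disjoint temp dir: allowed
  rc=0; check_tree_collision "$scratch/rt"        "$scratch/rt" >/dev/null || rc=$?
  [ "$rc" -eq 1 ] || ok=1   # RUNNER_TEMP is the runtime root: collision
  rc=0; check_tree_collision "$scratch/rt/"       "$scratch/rt" >/dev/null || rc=$?
  [ "$rc" -eq 1 ] || ok=1   # trailing slash normalized: still a collision
  rc=0; check_tree_collision "$scratch/link"      "$scratch/rt" >/dev/null || rc=$?
  [ "$rc" -eq 1 ] || ok=1   # symlink alias of the runtime root: caught because both sides are canonical
  rc=0; check_tree_collision "$scratch/rt/gh-aw"  "$scratch/rt" >/dev/null || rc=$?
  [ "$rc" -eq 1 ] || ok=1   # setup tree nested inside the runtime tree: caught
  rc=0; check_tree_collision "$scratch/missing"   "$scratch/rt" >/dev/null || rc=$?
  [ "$rc" -eq 2 ] || ok=1   # unresolvable RUNNER_TEMP: distinct failure status

  rm -rf "$scratch"
  return $ok
}

if run_demo; then
  echo "all collision cases behaved as expected"
else
  echo "unexpected result in at least one case" >&2
fi
```

The demo never touches the real /tmp; it passes its own scratch root as RUNTIME_ROOT. In a setup script you would call `check_tree_collision "$RUNNER_TEMP"` and `exit 1` on any non-zero status, keeping the `::error::` message as the only thing the job log needs to show.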
Copilot AI changed the title from "[WIP] Add runtime check to prevent RUNNER_TEMP collision with runtime tree" to "security: add runtime check to prevent RUNNER_TEMP=/tmp collision with runtime tree" Apr 7, 2026
Copilot AI requested a review from pelikhan April 7, 2026 22:34
@pelikhan pelikhan added the smoke label Apr 7, 2026
@github-actions
Contributor

github-actions bot commented Apr 7, 2026

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions
Contributor

github-actions bot commented Apr 7, 2026

✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready.

@github-actions
Contributor

github-actions bot commented Apr 7, 2026

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

@github-actions github-actions bot removed the smoke label Apr 7, 2026
@github-actions
Contributor

github-actions bot commented Apr 7, 2026

🎬 THE END: Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

@github-actions
Contributor

github-actions bot commented Apr 7, 2026

Agent Container Tool Check

Tool Status Version
bash 5.2.21
sh available
git 2.53.0
jq 1.7
yq 4.52.5
curl 8.5.0
gh 2.89.0
node 20.20.2
python3 3.12.3
go 1.24.13
java 10.0.201
dotnet 10.0.201

Result: 12/12 tools available ✅

Overall Status: PASS

🔧 Tool validation by Agent Container Smoke Test · ● 155.6K ·

@pelikhan pelikhan marked this pull request as ready for review April 7, 2026 23:15
Copilot AI review requested due to automatic review settings April 7, 2026 23:15
@pelikhan pelikhan merged commit 61b463e into main Apr 7, 2026
128 checks passed
@pelikhan pelikhan deleted the copilot/add-runtime-check-for-temp-collision branch April 7, 2026 23:15
@github-actions
Contributor

github-actions bot commented Apr 7, 2026

🤖 Smoke test §24108821660 by @pelikhan

Test
GitHub MCP
MCP Scripts GH CLI
Serena MCP ❌ unavailable
Playwright
Web Fetch
File Writing
Bash Tool
Discussion Interaction
Build gh-aw
Discussion Creation
Workflow Dispatch
PR Review

Overall: ⚠️ PARTIAL PASS (Serena MCP not available)

Note

🔒 Integrity filter blocked 2 items

The following items were blocked because they don't meet the GitHub integrity level.

  • #25186 list_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #25185 list_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

📰 BREAKING: Report filed by Smoke Copilot · ● 652.5K ·

Contributor

@github-actions github-actions bot left a comment


Security fix looks solid — fail-fast on RUNNER_TEMP=/tmp collision is the right approach. Two minor inline observations about symlink handling and macOS edge cases.

Note

🔒 Integrity filter blocked 2 items

The following items were blocked because they don't meet the GitHub integrity level.

  • #25186 list_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #25185 list_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

📰 BREAKING: Report filed by Smoke Copilot · ● 652.5K

# the agent write access to compiled scripts, prompts, and MCP configs that must stay
# immutable. Fail fast here rather than silently running with a broken security boundary.
RESOLVED_RUNNER_TEMP="$(cd "${RUNNER_TEMP}" && pwd -P)"
if [ -z "${RESOLVED_RUNNER_TEMP}" ]; then
Contributor


Good use of pwd -P to resolve symlinks — this ensures the check is against the canonical /tmp path rather than any symlinked alias.

exit 1
fi
if [ "${RESOLVED_RUNNER_TEMP%/}" = "/tmp" ]; then
echo "::error::RUNNER_TEMP resolves to /tmp, which conflicts with gh-aw's runtime tree (/tmp/gh-aw). Please configure your self-hosted runner with a different temp directory to maintain security isolation. See: https://docs.github.com/en/actions/hosting-your-own-runners"
Contributor


The trailing-slash strip %/ is a nice touch to handle edge cases like RUNNER_TEMP=/tmp/. Consider also checking for /tmp/ variations on macOS where /tmp often symlinks to /private/tmp — though pwd -P should already handle that.

@github-actions
Contributor

github-actions bot commented Apr 7, 2026

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions
Contributor

github-actions bot commented Apr 7, 2026

Smoke test (run 24108821679):
Merged PRs: #25172 "docs: expand auth.mdx with engine-specific sections, quick-reference table, and troubleshooting"; #25168 "[log] feat: add debug logging to artifact sets, manifests, virtual FS, completion, and schema triggers"
GitHub MCP: ✅
Serena MCP: ✅
Playwright: ❌ (EACCES writing /tmp/gh-aw/mcp-logs/playwright/page-*.yml)
Web-fetch MCP: ❌ (tool unavailable)
File write + bash cat: ✅
Build (make build): ✅
Overall status: FAIL

🔮 The oracle has spoken through Smoke Codex ·

Contributor

Copilot AI left a comment


Pull request overview

Adds a runtime safety check in the setup action to prevent a security boundary break when RUNNER_TEMP resolves to /tmp, which would cause the read-only setup tree and read-write runtime tree to overlap.

Changes:

  • Canonicalizes RUNNER_TEMP using pwd -P and validates the result is non-empty.
  • Fails fast with a ::error:: message if the resolved temp dir is /tmp.
  • Expands debug logging to include the resolved RUNNER_TEMP path.
File Description
actions/setup/setup.sh Adds a guard to prevent RUNNER_TEMP resolving to /tmp, avoiding setup/runtime tree path collisions.

Copilot's findings


  • Files reviewed: 1/1 changed files
  • Comments generated: 2

Comment on lines +62 to +77
# Detect tree collision: RUNNER_TEMP must not resolve to /tmp.
# gh-aw mounts ${RUNNER_TEMP}/gh-aw read-only (setup tree) and /tmp/gh-aw read-write
# (runtime tree). When RUNNER_TEMP=/tmp both paths collapse into /tmp/gh-aw, giving
# the agent write access to compiled scripts, prompts, and MCP configs that must stay
# immutable. Fail fast here rather than silently running with a broken security boundary.
RESOLVED_RUNNER_TEMP="$(cd "${RUNNER_TEMP}" && pwd -P)"
if [ -z "${RESOLVED_RUNNER_TEMP}" ]; then
echo "::error::Failed to resolve canonical path for RUNNER_TEMP: ${RUNNER_TEMP}"
exit 1
fi
if [ "${RESOLVED_RUNNER_TEMP%/}" = "/tmp" ]; then
echo "::error::RUNNER_TEMP resolves to /tmp, which conflicts with gh-aw's runtime tree (/tmp/gh-aw). Please configure your self-hosted runner with a different temp directory to maintain security isolation. See: https://docs.github.com/en/actions/hosting-your-own-runners"
exit 1
fi

debug_log "Using RUNNER_TEMP: ${RUNNER_TEMP} (resolved: ${RESOLVED_RUNNER_TEMP}, writable: yes)"
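Review bot: the debug_log line at the end of the hunk prints "writable: yes", but nothing in these lines tests that RUNNER_TEMP is writable; either take that value from wherever the writability check actually ran or drop it from the message, so the log never asserts something this guard did not verify. Minor: pwd -P never emits a trailing slash (it prints "/" only for the root), so the "%/" strip in ${RESOLVED_RUNNER_TEMP%/} is harmless but redundant once the path has been canonicalised.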
Copilot AI Apr 7, 2026


The collision guard only compares the canonical RUNNER_TEMP to the literal string "/tmp". On systems where "/tmp" is a symlink (e.g., macOS where /tmp -> /private/tmp), pwd -P resolves RUNNER_TEMP=/tmp to "/private/tmp", so this check would not trigger even though the setup and runtime trees still collide. Consider resolving "/tmp" canonically as well (e.g., compare RESOLVED_RUNNER_TEMP against $(cd /tmp && pwd -P)), or otherwise ensure the guard detects equivalence to the runtime tmp directory even when symlinks are involved.

Suggested change
# Detect tree collision: RUNNER_TEMP must not resolve to /tmp.
# gh-aw mounts ${RUNNER_TEMP}/gh-aw read-only (setup tree) and /tmp/gh-aw read-write
# (runtime tree). When RUNNER_TEMP=/tmp both paths collapse into /tmp/gh-aw, giving
# the agent write access to compiled scripts, prompts, and MCP configs that must stay
# immutable. Fail fast here rather than silently running with a broken security boundary.
RESOLVED_RUNNER_TEMP="$(cd "${RUNNER_TEMP}" && pwd -P)"
if [ -z "${RESOLVED_RUNNER_TEMP}" ]; then
echo "::error::Failed to resolve canonical path for RUNNER_TEMP: ${RUNNER_TEMP}"
exit 1
fi
if [ "${RESOLVED_RUNNER_TEMP%/}" = "/tmp" ]; then
echo "::error::RUNNER_TEMP resolves to /tmp, which conflicts with gh-aw's runtime tree (/tmp/gh-aw). Please configure your self-hosted runner with a different temp directory to maintain security isolation. See: https://docs.github.com/en/actions/hosting-your-own-runners"
exit 1
fi
debug_log "Using RUNNER_TEMP: ${RUNNER_TEMP} (resolved: ${RESOLVED_RUNNER_TEMP}, writable: yes)"
# Detect tree collision: RUNNER_TEMP must not resolve to the same canonical path as /tmp.
# gh-aw mounts ${RUNNER_TEMP}/gh-aw read-only (setup tree) and /tmp/gh-aw read-write
# (runtime tree). When RUNNER_TEMP and /tmp resolve to the same location, both paths
# collapse into the same gh-aw tree, giving the agent write access to compiled scripts,
# prompts, and MCP configs that must stay immutable. Fail fast here rather than silently
# running with a broken security boundary.
RESOLVED_RUNNER_TEMP="$(cd "${RUNNER_TEMP}" && pwd -P)"
if [ -z "${RESOLVED_RUNNER_TEMP}" ]; then
echo "::error::Failed to resolve canonical path for RUNNER_TEMP: ${RUNNER_TEMP}"
exit 1
fi
RESOLVED_RUNTIME_TMP="$(cd /tmp && pwd -P)"
if [ -z "${RESOLVED_RUNTIME_TMP}" ]; then
echo "::error::Failed to resolve canonical path for runtime temp directory: /tmp"
exit 1
fi
if [ "${RESOLVED_RUNNER_TEMP%/}" = "${RESOLVED_RUNTIME_TMP%/}" ]; then
echo "::error::RUNNER_TEMP resolves to the same location as gh-aw's runtime temp directory (${RESOLVED_RUNTIME_TMP}), which conflicts with the runtime tree (${RESOLVED_RUNTIME_TMP%/}/gh-aw). Please configure your self-hosted runner with a different temp directory to maintain security isolation. See: https://docs.github.com/en/actions/hosting-your-own-runners"
exit 1
fi
debug_log "Using RUNNER_TEMP: ${RUNNER_TEMP} (resolved: ${RESOLVED_RUNNER_TEMP}, runtime tmp: ${RESOLVED_RUNTIME_TMP}, writable: yes)"

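Review bot: the added resolution of the runtime temp directory, RESOLVED_RUNTIME_TMP="$(cd /tmp && pwd -P)", has the same weakness as the original RUNNER_TEMP assignment: with set -e in effect, a failing cd aborts the script inside the command substitution, so the -z check that follows never runs and the "::error::Failed to resolve canonical path for runtime temp directory" message is never emitted. Write both resolutions as if ! VAR="$(cd ... && pwd -P)"; then ... fi so that each failure branch is actually reachable and the structured error is what the job reports.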
Comment on lines +67 to +68
RESOLVED_RUNNER_TEMP="$(cd "${RUNNER_TEMP}" && pwd -P)"
if [ -z "${RESOLVED_RUNNER_TEMP}" ]; then
Copilot AI Apr 7, 2026


Because the script runs with set -e, if cd "${RUNNER_TEMP}" fails (e.g., directory is writable but not searchable/executable), the assignment will cause an immediate exit and the subsequent empty-check/error message won’t run. To make the failure mode deterministic and actionable, capture/validate the command substitution with an explicit if ! ...; then block (or add an -x permission check) and emit the structured ::error:: message before exiting.

Suggested change
RESOLVED_RUNNER_TEMP="$(cd "${RUNNER_TEMP}" && pwd -P)"
if [ -z "${RESOLVED_RUNNER_TEMP}" ]; then
if ! RESOLVED_RUNNER_TEMP="$(cd "${RUNNER_TEMP}" && pwd -P)"; then

github-actions bot commented Apr 7, 2026

Smoke Test Run 24108821682 — Claude Engine

Test Result
1. GitHub MCP
2. GH CLI
3. Serena (11 symbols)
4. Make Build
5. Playwright
6. Web Search
7. File Write
8. Bash Tool
9. Discussion
10. AW MCP Status
11. Slack
12. Code Scan Alert
13. Update PR
14. Review Comments
15. Submit Review
16. Resolve Thread ⚠️
17. Add Reviewer
18. Push to Branch
19. Close PR ⚠️

Overall: PARTIAL (Playwright log dir permissions issue; 2 skipped)

Note

🔒 Integrity filter blocked 1 item

The following item was blocked because it doesn't meet the GitHub integrity level.

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

💥 [THE END] — Illustrated by Smoke Claude · ● 215K ·

@github-actions github-actions bot left a comment


💥 Automated smoke test review - all systems nominal!

Note

🔒 Integrity filter blocked 1 item

The following item was blocked because it doesn't meet the GitHub integrity level.

  • #25176 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

💥 [THE END] — Illustrated by Smoke Claude · ● 215K

# (runtime tree). When RUNNER_TEMP=/tmp both paths collapse into /tmp/gh-aw, giving
# the agent write access to compiled scripts, prompts, and MCP configs that must stay
# immutable. Fail fast here rather than silently running with a broken security boundary.
RESOLVED_RUNNER_TEMP="$(cd "${RUNNER_TEMP}" && pwd -P)"

The canonical path resolution via cd && pwd -P is a good approach for following symlinks. Consider also handling the case where cd itself fails (e.g., if RUNNER_TEMP is not a directory), which would silently set RESOLVED_RUNNER_TEMP to empty — though the subsequent empty-check on line 68 does catch this.

echo "::error::Failed to resolve canonical path for RUNNER_TEMP: ${RUNNER_TEMP}"
exit 1
fi
if [ "${RESOLVED_RUNNER_TEMP%/}" = "/tmp" ]; then

The /tmp comparison looks correct. It might also be worth guarding against RUNNER_TEMP resolving to subdirectories of /tmp that could still cause issues (e.g., /tmp/runner), though the current check specifically targets the exact /tmp collision case described in the PR.
