fix: use absolute node path in awf wrapper to survive sudo PATH stripping by Copilot · Pull Request #25341 · github/gh-aw

Copilot · 2026-04-08T16:40:34Z

The Daily Issues Report Generator workflow was failing with exit code 127 (node: not found) during the AWF binary install step. The awf wrapper was created with exec node ..., but when verified via sudo env ... awf --version, sudo's secure_path doesn't include where actions/setup-node installs Node.js (e.g. ~/.nvm/versions/node/v24.x.x/bin).

Changes

actions/setup/sh/install_awf_binary.sh — in install_bundle(), capture the full node path at wrapper-creation time and embed it directly:

# Before (breaks under sudo)
sudo tee /usr/local/bin/awf <<'WRAPPER'
exec node /usr/local/lib/awf/awf-bundle.js "$@"
WRAPPER

# After (resolves path at creation time, works under sudo)
node_bin=$(command -v node)
sudo tee /usr/local/bin/awf <<WRAPPER
exec ${node_bin} /usr/local/lib/awf/awf-bundle.js "\$@"
WRAPPER

Switching from a quoted (<<'WRAPPER') to an unquoted heredoc allows ${node_bin} to expand to the absolute path at wrapper-creation time, while \$@ is preserved as the literal $@ for runtime argument forwarding.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

https://api.github.com/graphql
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw /tmp/go-build118rev-parse 1/x64/bin/node git rev-�� --show-toplevel /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet /usr/bin/git ithub/workflows/git -buildtags /usr/lib/git-cor--show-toplevel git (http block)
https://api.github.com/orgs/test-owner/actions/secrets
- Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name -c=4 -nolocalimports -importcfg /tmp/go-build1188708586/b411/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/pkg/fileutil/fileutil.go /home/REDACTED/work/gh-aw/gh-aw/pkg/fileutil/tar.go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
- Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha --show-toplevel S8eKncR/xY8IG6Cr96T_MkWd-kcE /usr/bin/git -json .cfg 64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel 64/pkg/tool/linux_amd64/compile /usr/bin/git g_.a 8708586/b166/vetrev-parse ache/go/1.25.8/x--show-toplevel git (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v3
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha --get remote.origin.url /usr/bin/git -json GO111MODULE x_amd64/compile git remo�� GOMODCACHE x_amd64/compile /usr/bin/git -json GO111MODULE x_amd64/vet git (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v5
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha se 8708586/b053/vet.cfg ache/go/1.25.8/x64/pkg/tool/linu-lang=go1.25 GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linuremote.origin.url (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel xMTZrf-QsWrvKzqhgr/xwm51NO8TEw04Z4rthWP/1MmimbyXconfig /usr/bin/git se 8708586/b094/vetrev-parse g_.a git rev-�� --show-toplevel ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet /usr/bin/git RequiresMinInteggit GO111MODULE ache/go/1.25.8/x--show-toplevel git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel go ache/node/24.14.--show-toplevel git rev-�� --show-toplevel node /usr/bin/git k/gh-aw/gh-aw/.ggit go /usr/bin/git git (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v6
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git -json .cfg 64/pkg/tool/linu--show-toplevel /usr/bin/git conf�� --get-regexp ^remote\..*\.gh-resolved$ /usr/bin/git 2912707371/.githgit .cfg 64/pkg/tool/linu--show-toplevel git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git -json .cfg 64/pkg/tool/linu--show-toplevel /usr/bin/git conf�� --get-regexp ^remote\..*\.gh-resolved$ /usr/bin/git y_with_explicit_git .cfg 64/pkg/tool/linu--show-toplevel git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha tags/v4 git /usr/bin/git r-test2069182160git go /opt/hostedtoolc--show-toplevel git rev-�� --show-toplevel /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/compile /usr/bin/git s/test.md -trimpath /opt/hostedtoolc--show-toplevel git (http block)
https://api.github.com/repos/actions/github-script/git/ref/tags/v8
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha --end-of-options-errorsas blob 64/bin/go prettier --write 64/bin/go go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha --show-toplevel x_amd64/compile /usr/bin/infocmp -json .cfg 64/pkg/tool/linu--show-toplevel infocmp -1 xterm-color 64/pkg/tool/linux_amd64/vet /usr/bin/git y_only_defaults_git .cfg 64/pkg/tool/linu--show-toplevel git (http block)
https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha /home/REDACTED/work/gh-aw/gh-aw/.github/workflows/auto-triage-issues.md 64/pkg/tool/linux_amd64/vet /usr/bin/infocmp -json .cfg 64/pkg/tool/linu--show-toplevel infocmp -1 xterm-color 64/pkg/tool/linurev-parse /usr/bin/git -json .cfg 64/pkg/tool/linu--show-toplevel git (http block)
https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
- Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha run --auto /usr/bin/git --detach -trimpath 64/bin/go git rev-�� --show-toplevel go 64/pkg/tool/linux_amd64/vet -json GO111MODULE 64/bin/go 64/pkg/tool/linux_amd64/vet (http block)
https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/gh -json .cfg 64/pkg/tool/linu--show-toplevel gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts /usr/bin/git .artifacts[].namgit GO111MODULE 64/pkg/tool/linu--show-toplevel git (http block)
https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha /tmp/go-build1188708586/b429/semverutil.test -importcfg /usr/bin/git -s -w -buildmode=exe git -C /tmp/TestGuardPolicyMinIntegrityOnlymin-integrity_with_repos_array_c103682961/001 config clusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle remote.origin.urgit GO111MODULE 64/bin/go git (http block)
https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha ithub/workflows/archie.md l 1/x64/bin/node --exclude-hiddengit --all --quiet 1/x64/bin/node rev-�� --show-toplevel go /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
- Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env 3807107336 GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
- Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
- Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env -json GO111MODULE .cfg GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/xTest User (http block)
- Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
- Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE .cfg GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/xtest@example.com (http block)
- Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env -json GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
- Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env 3807107336 GO111MODULE .cfg GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-trimpath (http block)
- Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linuTest User env -json GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
- Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env -json GO111MODULE k GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
- Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env -json GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
- Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env 3807107336 GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
- Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env -json GO111MODULE k GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
- Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name GO111MODULE 64/pkg/tool/linu-nolocalimports GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linu/tmp/go-build1188708586/b444/_testmain.go env 3807107336 GO111MODULE .cfg GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-importcfg (http block)
- Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linutest@example.com env -json GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
https://api.github.com/repos/github/gh-aw/actions/workflows
- Triggering command: /usr/bin/gh gh workflow list --json name,state,path -json (http block)
- Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
- Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 GOMOD GOMODCACHE 64/pkg/tool/linumyorg env -json GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet /usr/bin/git /ref/tags/v8 GO111MODULE ser.test git rev-�� --show-toplevel ser.test /usr/bin/git -x c 64/pkg/tool/linu--show-toplevel git (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha l.go l_test.go ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linuorigin (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet 2247�� -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet 2247�� -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet 0469�� -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
- Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha /workflows GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-trimpath (http block)
https://api.github.com/repos/nonexistent/repo/actions/runs/12345
- Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env -json GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
https://api.github.com/repos/owner/repo/actions/workflows
- Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo -nolocalimports -importcfg /tmp/go-build1188708586/b415/importcfg -pack /tmp/go-build1188708586/b415/_testmain.go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
- Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
https://api.github.com/repos/owner/repo/contents/file.md
- Triggering command: /tmp/go-build1188708586/b397/cli.test /tmp/go-build1188708586/b397/cli.test -test.testlogfile=/tmp/go-build1188708586/b397/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true .prettierignore (http block)
https://api.github.com/repos/test-owner/test-repo/actions/secrets
- Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Configure Actions setup steps to set up my environment, which run before the firewall is enabled
Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

✨ PR Review Safe Output Test - Run 24148090336

Note

🔒 Integrity filter blocked 1 item

The following item were blocked because they don't meet the GitHub integrity level.

fix: use absolute node path in awf wrapper to survive sudo PATH stripping #25341 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

💥 [THE END] — Illustrated by Smoke Claude · ● 399K · ◷

The install_awf_binary.sh script was creating a wrapper at /usr/local/bin/awf with `exec node ...` (unqualified command). When the verification step runs `sudo env ... awf --version`, sudo's PATH does not include the directory where actions/setup-node installed Node.js (e.g., ~/.nvm/versions/node/v24.x.x/bin), causing 'node: not found' (exit code 127) and failing the Daily Issues Report Generator workflow. Fix: capture the absolute path to `node` via `command -v node` at wrapper- creation time and embed it using an unquoted heredoc, ensuring the wrapper works correctly regardless of the PATH available under sudo. Agent-Logs-Url: https://github.com/github/gh-aw/sessions/7bf34285-5bc9-41e7-b789-43462dd15e4b Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

github-actions · 2026-04-08T17:02:35Z

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

github-actions · 2026-04-08T17:02:36Z

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

github-actions · 2026-04-08T17:02:39Z

✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready.

github-actions · 2026-04-08T17:02:42Z

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

github-actions · 2026-04-08T17:05:56Z

Agent Container Tool Check

Tool	Status	Version
bash	✅	5.2.21
sh	✅	available
git	✅	2.53.0
jq	✅	1.7
yq	✅	v4.52.5
curl	✅	8.5.0
gh	✅	2.89.0
node	✅	v20.20.2
python3	✅	3.12.3
go	✅	1.24.13
java	✅	21.0.10
dotnet	✅	10.0.201

Result: 12/12 tools available ✅

Overall Status: PASS

🔧 Tool validation by Agent Container Smoke Test · ● 194.5K · ◷

github-actions · 2026-04-08T17:09:32Z

Smoke test (Codex) for run 24148090282:

PRs: [slides] Add Staged Mode slide to presentation #25343 [slides] Add Staged Mode slide to presentation; Fix Changeset Generator missing github network preset in allowed-domains config #25333 Fix Changeset Generator missing github network preset in allowed-domains config
GitHub MCP: ✅
Serena MCP: ✅
Playwright: ✅
Web Fetch MCP: ❌ (tool unavailable)
File/Bash/Build: ✅
Overall: FAIL

🔮 The oracle has spoken through Smoke Codex · ◷

github-actions · 2026-04-08T17:10:50Z

Smoke test 24148090363 results for PR by Copilot (assignees: pelikhan, Copilot):

GitHub MCP ✅ | mcpscripts-gh ✅ | Serena ⚠️
Playwright ❌ | Web Fetch ✅ | File I/O ✅
Build ✅ | Artifact Upload ✅ | PR Review ✅
Discussion ✅ | Dispatch ✅

Overall: ⚠️ PARTIAL PASS (Playwright MCP permission issue)

📰 BREAKING: Report filed by Smoke Copilot · ● 1.5M · ◷

github-actions

This is a clean fix for the sudo PATH issue. Capturing the absolute node path at wrapper-creation time is the correct solution. Two inline comments: one suggesting a guard for missing node, and one confirming the \$@ escaping is correct.

📰 BREAKING: Report filed by Smoke Copilot · ● 1.5M

github-actions · 2026-04-08T17:10:52Z

actions/setup/sh/install_awf_binary.sh


+  # Capture the absolute path to node so the wrapper works correctly when
+  # invoked via sudo (where PATH may not include the setup-node install dir,
+  # e.g. ~/.nvm/versions/node/v24.x.x/bin).


Good fix — capturing node_bin with command -v node at wrapper-creation time is the right approach. Consider adding a guard here in case node isn't on PATH yet when this function runs, e.g. if [[ -z "$node_bin" ]]; then echo "ERROR: node not found" >&2; return 1; fi.

github-actions · 2026-04-08T17:10:52Z

actions/setup/sh/install_awf_binary.sh

+  sudo tee "${AWF_INSTALL_DIR}/${AWF_INSTALL_NAME}" > /dev/null <<WRAPPER
 #!/bin/bash
-exec node /usr/local/lib/awf/awf-bundle.js "$@"
+exec ${node_bin} /usr/local/lib/awf/awf-bundle.js "\$@"


The \$@ escaping is correct for the unquoted heredoc — it ensures $@ is written literally into the wrapper script. Clear comment above explains this well. ✅

github-actions · 2026-04-08T17:11:19Z

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

Copilot

Pull request overview

Fixes AWF installation failures under sudo by ensuring the generated awf wrapper invokes Node via an absolute path rather than relying on PATH (which may be stripped by sudo secure_path).

Changes:

Resolve the Node executable path at install time and embed it into the /usr/local/bin/awf wrapper script.
Switch from a quoted to an unquoted heredoc to allow ${node_bin} expansion while preserving $@ forwarding.

Show a summary per file

File	Description
`actions/setup/sh/install_awf_binary.sh`	Embeds the resolved Node path into the AWF wrapper to make `sudo ... awf` reliable when PATH is sanitized.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Files reviewed: 1/1 changed files
Comments generated: 2

Copilot · 2026-04-08T17:11:49Z

actions/setup/sh/install_awf_binary.sh

+  node_bin=$(command -v node)
+
  echo "Node.js >= 20 detected ($(node --version)), using lightweight bundle..."


node_bin=$(command -v node) does not guarantee an absolute filesystem path: in bash it can return a bare name (or function/alias resolution), which would recreate the original failure mode under sudo secure_path. Prefer node_bin=$(type -P node) (and/or validate [[ -x "$node_bin" ]]) so the wrapper always embeds an executable path or fails fast with a clear error.

Suggested change

node_bin=$(command -v node)

echo "Node.js >= 20 detected ($(node --version)), using lightweight bundle..."

node_bin=$(type -P node || true)

if [[ -z "$node_bin" || ! -x "$node_bin" ]]; then

echo "ERROR: Unable to resolve an executable absolute path for node"

return 1

fi

echo "Node.js >= 20 detected ($("$node_bin" --version)), using lightweight bundle..."

Copilot · 2026-04-08T17:11:49Z

actions/setup/sh/install_awf_binary.sh

+  sudo tee "${AWF_INSTALL_DIR}/${AWF_INSTALL_NAME}" > /dev/null <<WRAPPER
 #!/bin/bash
-exec node /usr/local/lib/awf/awf-bundle.js "$@"
+exec ${node_bin} /usr/local/lib/awf/awf-bundle.js "\$@"


The generated wrapper uses exec ${node_bin} ... without quoting. Even if uncommon, an unexpected path containing whitespace or glob characters would break execution due to word-splitting/globbing. Quote the node path in the wrapper (e.g., exec "${node_bin}" ...).

Suggested change

exec ${node_bin} /usr/local/lib/awf/awf-bundle.js "\$@"

exec "${node_bin}" /usr/local/lib/awf/awf-bundle.js "\$@"

github-actions · 2026-04-08T17:13:32Z

Smoke Test Run 24148090336 — PARTIAL PASS

Test	Result
1 GitHub MCP	✅
2 mcpscripts-gh	✅
3 Serena MCP	✅
4 Make Build	✅
5 Playwright	✅
6 Web Search	✅
7 File Writing	✅
8 Bash Tool	✅
9 Discussion Comment	✅
10 Agentic Workflows MCP	✅
11 Slack Safe Output	✅
12 Code Scanning Alert	✅
13 Update PR	✅
14 PR Review Comments	✅
15 Submit PR Review	✅
16 Resolve Thread	⚠️ skipped
17 Add Reviewer	✅
18 Push to Branch	✅
19 Close PR	⚠️ skipped

Note

🔒 Integrity filter blocked 1 item

The following item were blocked because they don't meet the GitHub integrity level.

fix: use absolute node path in awf wrapper to survive sudo PATH stripping #25341 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

💥 [THE END] — Illustrated by Smoke Claude · ● 399K · ◷

github-actions

💥 Automated smoke test review - all systems nominal!

Note

🔒 Integrity filter blocked 1 item

The following item were blocked because they don't meet the GitHub integrity level.

#25341 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

💥 [THE END] — Illustrated by Smoke Claude · ● 399K

github-actions · 2026-04-08T17:13:35Z

actions/setup/sh/install_awf_binary.sh

+  # invoked via sudo (where PATH may not include the setup-node install dir,
+  # e.g. ~/.nvm/versions/node/v24.x.x/bin).
+  local node_bin
+  node_bin=$(command -v node)


Good use of command -v node to capture the absolute path at install time rather than relying on $PATH at runtime. This is the key fix for the sudo PATH-stripping issue — when sudo drops the non-root $PATH, the wrapper script would fail to find node without an absolute path here.

github-actions · 2026-04-08T17:13:35Z

actions/setup/sh/install_awf_binary.sh

+  sudo tee "${AWF_INSTALL_DIR}/${AWF_INSTALL_NAME}" > /dev/null <<WRAPPER
 #!/bin/bash
-exec node /usr/local/lib/awf/awf-bundle.js "$@"
+exec ${node_bin} /usr/local/lib/awf/awf-bundle.js "\$@"


The heredoc-expanded \$\{node_bin} correctly hard-codes the absolute node path into the wrapper script at creation time. The comment above (lines 136–138) explaining the unquoted heredoc (<<WRAPPER) vs a quoted one (<<'WRAPPER') is clear and helpful for future maintainers.

Initial plan

23c6023

Copilot AI assigned Copilot and pelikhan Apr 8, 2026

Copilot started work on behalf of pelikhan April 8, 2026 16:40 View session

Copilot AI linked an issue Apr 8, 2026 that may be closed by this pull request

[deep-report] Investigate Daily Issues Report Generator persistent failure (recurrence after Apr 3 fix) #25326

Closed

Copilot AI changed the title ~~[WIP] Investigate Daily Issues Report Generator persistent failure~~ fix: use absolute node path in awf wrapper to survive sudo PATH stripping Apr 8, 2026

Copilot finished work on behalf of pelikhan April 8, 2026 16:57

Copilot AI requested a review from pelikhan April 8, 2026 16:57

pelikhan added the smoke label Apr 8, 2026

github-actions bot removed the smoke label Apr 8, 2026

pelikhan marked this pull request as ready for review April 8, 2026 17:09

Copilot AI review requested due to automatic review settings April 8, 2026 17:09

pelikhan merged commit fd53849 into main Apr 8, 2026
199 of 200 checks passed

pelikhan deleted the copilot/deep-report-investigate-daily-issues branch April 8, 2026 17:09

Copilot started reviewing on behalf of pelikhan April 8, 2026 17:10 View session

github-actions bot added the smoke-copilot label Apr 8, 2026

github-actions bot reviewed Apr 8, 2026

View reviewed changes

Copilot AI reviewed Apr 8, 2026

View reviewed changes

github-actions bot mentioned this pull request Apr 8, 2026

Smoke Test: Claude - 24148090336 #25348

Closed

github-actions bot added the smoke-claude label Apr 8, 2026

github-actions bot reviewed Apr 8, 2026

View reviewed changes

This was referenced Apr 8, 2026

fix: quote ${RUNNER_TEMP} in generated shell commands and replace template expressions in run: blocks #25330

Merged

Smoke Test: Claude - 24149252240 #25358

Closed

		node_bin=$(command -v node)

		echo "Node.js >= 20 detected ($(node --version)), using lightweight bundle..."

-  node_bin=$(command -v node)
-  echo "Node.js >= 20 detected ($(node --version)), using lightweight bundle..."
+  node_bin=$(type -P node || true)
+  if [[ -z "$node_bin" || ! -x "$node_bin" ]]; then
+    echo "ERROR: Unable to resolve an executable absolute path for node"
+    return 1
+  fi
+  echo "Node.js >= 20 detected ($("$node_bin" --version)), using lightweight bundle..."

	exec ${node_bin} /usr/local/lib/awf/awf-bundle.js "\$@"
	exec "${node_bin}" /usr/local/lib/awf/awf-bundle.js "\$@"

Conversation

Copilot AI commented Apr 8, 2026 • edited by github-actions bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Changes

I tried to connect to the following addresses, but was blocked by firewall rules:

Uh oh!

github-actions bot commented Apr 8, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions bot commented Apr 8, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions bot commented Apr 8, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions bot commented Apr 8, 2026

Uh oh!

github-actions bot commented Apr 8, 2026

Agent Container Tool Check

Uh oh!

github-actions bot commented Apr 8, 2026

Uh oh!

Uh oh!

github-actions bot commented Apr 8, 2026

Uh oh!

github-actions bot left a comment

Choose a reason for hiding this comment

Uh oh!

github-actions bot Apr 8, 2026

Choose a reason for hiding this comment

Uh oh!

github-actions bot Apr 8, 2026

Choose a reason for hiding this comment

Uh oh!

github-actions bot commented Apr 8, 2026

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Copilot's findings

Uh oh!

Copilot AI Apr 8, 2026

Choose a reason for hiding this comment

Uh oh!

Copilot AI Apr 8, 2026

Choose a reason for hiding this comment

Uh oh!

github-actions bot commented Apr 8, 2026

Uh oh!

github-actions bot left a comment

Choose a reason for hiding this comment

Uh oh!

github-actions bot Apr 8, 2026

Choose a reason for hiding this comment

Uh oh!

github-actions bot Apr 8, 2026

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Copilot AI commented Apr 8, 2026 •

edited by github-actions bot

Loading

github-actions bot commented Apr 8, 2026 •

edited

Loading

github-actions bot commented Apr 8, 2026 •

edited

Loading

github-actions bot commented Apr 8, 2026 •

edited

Loading