Skip to content

Update AWF to v0.13.0 and enable --enable-chroot #12827

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Copilot wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Update AWF to v0.13.0 and enable --enable-chroot #12827

Copilot wants to merge 2 commits into from
+619 −576

Conversation

Copy link
Contributor

Copilot AI commented Jan 30, 2026
edited
Loading

Updates the AWF (agentic-workflow-firewall) from v0.11.2 to v0.13.0 and enables the new --enable-chroot flag for transparent host binary execution in the chroot environment.

Changes

  • Version bump: DefaultFirewallVersionv0.13.0
  • Enable chroot: Added --enable-chroot flag to AWF invocations in all engines (copilot, claude, codex)
  • Test coverage: New test case verifying --enable-chroot is included in AWF commands
  • Lock files: Recompiled all workflow lock files

What --enable-chroot does

Enables chroot to /host for running host binaries (Python, Node, Go, etc.) inside the container using selective path mounts. Docker socket is hidden to prevent firewall bypass.

# Before
sudo -E awf --env-all ... --image-tag 0.11.2 --agent-image act \

# After  
sudo -E awf --env-all ... --image-tag 0.13.0 --agent-image act --enable-chroot \
Original prompt

Update awf (agentic-workflow-firewall) to the latest version and enable the --enable-chroot feature. This will allow transparent host binary execution in the chroot environment.

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

@Mossaka
Update AWF version from v0.11.2 to v0.13.0 and enable --enable-chroot…
6c49180 
… flag

Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Copilot AI changed the title [WIP] Update AWF to latest version and enable --enable-chroot feature Update AWF to v0.13.0 and enable --enable-chroot Jan 30, 2026
Copilot AI requested a review from Mossaka January 30, 2026 22:27
This was referenced Jan 30, 2026
Closed
Closed
Merged
@Mossaka Mossaka added the smoke label Jan 31, 2026
@Mossaka Mossaka marked this pull request as ready for review January 31, 2026 00:48
@Mossaka Mossaka added smoke and removed smoke labels Jan 31, 2026
This was referenced Jan 31, 2026
Closed
Open
@github-actions
Copy link
Contributor

github-actions bot commented Jan 31, 2026

🔍 PR Triage Results

Category: chore | Risk: medium | Priority: 45/100

Scores Breakdown

  • Impact: 20/50 - AWF version update with chroot enablement
  • Urgency: 10/30 - Recent PR (0 days old) with standard urgency
  • Quality: 15/20 - Not draft, CI pending completion

📋 Recommended Action: batch_review

This PR is part of Batch #4: Chore Updates (batch-chore-001) along with PR #12815. Review together for configuration consistency.

Batch Review Strategy: Verify compatibility and test for regressions.

Next Steps:

  1. Wait for CI completion
  2. Test AWF v0.13.0 compatibility
  3. Review with batch-chore-001

Triaged by PR Triage Agent on 2026-01-31 | Run #21540069309

AI generated by PR Triage Agent

@github-actions github-actions bot mentioned this pull request Jan 31, 2026
Closed
@github-actions
Copy link
Contributor

github-actions bot commented Jan 31, 2026

🔍 PR Triage Results

Category: chore | Risk: high | Priority: 55/100

Scores Breakdown

  • Impact: 25/50 - Chore with high risk level
  • Urgency: 10/30 - Recent PR (0 days), CI pending
  • Quality: 20/20 - CI pending, Ready for review

📋 Recommended Action: Batch Review

This PR is recommended for batch review with similar PRs.

Triaged by PR Triage Agent on 2026-01-31 12:17 UTC
See full report: PR Triage Discussion

AI generated by PR Triage Agent

@github-actions
Copy link
Contributor

github-actions bot commented Jan 31, 2026

🔍 PR Triage Results

Category: chore | Risk: high | Priority: 37/100

Scores Breakdown

  • Impact: 25/50 - Version update with new chroot feature. Important for security and functionality but not critical.
  • Urgency: 2/30 - 1 day old, standard urgency for version updates.
  • Quality: 10/20 - Clean PR with good description. CI pending. Lower comment count (2) but clear scope. High file count (151 files) due to lock file recompilation.

📋 Recommended Action: batch_review

Batch: batch-chore-001 (with PR #12574)

This PR should be reviewed together with #12574 to assess combined infrastructure impact. Both PRs modify workflow generation and execution patterns.

Blockers:

  • CI status pending
  • High risk due to extensive lock file changes (151 files)

Strengths:

  • Clear version bump with explicit changelog
  • New chroot feature enables transparent host binary execution
  • Test coverage for new flag

Review Notes:

Triaged by PR Triage Agent on 2026-01-31T18:14:11Z

AI generated by PR Triage Agent

@github-actions github-actions bot mentioned this pull request Jan 31, 2026
Open
@github-actions
Copy link
Contributor

github-actions bot commented Feb 1, 2026

🔍 PR Triage Results

Category: chore | Risk: high | Priority: 40/100

Scores Breakdown

  • Impact: 25/50 - AWF version update affects security/sandbox environment - critical infrastructure change
  • Urgency: 5/30 - 2 days old, pending CI, affects sandbox security with --enable-chroot
  • Quality: 10/20 - CI pending, good description with examples, includes tests, 151 files changed

📋 Recommended Action: batch_review

Why: High-risk infrastructure change needing careful review. Part of batch-chore-001 for coordinated infrastructure updates.

Batch: batch-chore-001 (Infrastructure Updates)

Next steps:

  • Wait for CI results
  • Coordinate review with other infrastructure PRs
  • Verify --enable-chroot behavior in various scenarios
  • Check for any security implications

Triaged by PR Triage Agent on 2026-02-01

AI generated by PR Triage Agent

@github-actions
Copy link
Contributor

github-actions bot commented Feb 1, 2026

🔍 PR Triage Results

Category: chore | Risk: high | Priority: 43/100

Scores Breakdown

  • Impact: 30/50 - Security infrastructure update (AWF v0.13.0 with chroot support)
  • Urgency: 5/30 - 1 day old, has merge conflict, affects security sandbox
  • Quality: 8/20 - Good description with examples, needs conflict resolution

📋 Recommended Action: Fast-track

This PR updates critical security infrastructure (AWF to v0.13.0) and enables chroot for transparent host binary execution. High-risk change requiring careful review.

Next Steps:

  1. Resolve merge conflicts by rebasing on main
  2. Verify all 151 lock files recompiled correctly
  3. Test chroot functionality in sandbox environment

Merge Conflict Status: ⚠️ Requires resolution before review can proceed

Batch Info: Part of batch-chore-001 - Infrastructure updates batch

Triaged by PR Triage Agent on 2026-02-01

AI generated by PR Triage Agent

@github-actions
Copy link
Contributor

github-actions bot commented Feb 1, 2026

🔍 PR Triage Results

Category: chore | Risk: high | Priority: 62/100

Scores Breakdown

  • Impact: 30/50 - Important security/infrastructure update - enables chroot for container security
  • Urgency: 22/30 - High - 2 days old with smoke label indicating important infrastructure change
  • Quality: 10/20 - Fair - CI pending, good description, recompiled lock files, but no passing tests yet

📋 Recommended Action: fast_track

This PR requires priority review. The AWF version update to v0.13.0 with chroot enablement is a significant security enhancement that should be expedited once CI passes.

Next steps:

  1. Wait for CI to complete
  2. Review security implications of chroot changes
  3. Verify smoke tests pass
  4. Merge after approval

Triaged by PR Triage Agent on 2026-02-01 - Run #21567753665

AI generated by PR Triage Agent

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Mossaka Mossaka Awaiting requested review from Mossaka

Assignees

@Mossaka Mossaka

Copilot code review Copilot

Labels

pr-action:batch-review pr-agent:copilot pr-batch:batch-chore-001 pr-priority:low pr-priority:medium pr-risk:high pr-risk:medium pr-type:chore smoke

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Mossaka