Expose AWF platform.type via sandbox.agent.platform frontmatter#40877
Conversation
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
platform.type via sandbox.agent.platform frontmatter
|
@pelikhan i want to make the deployment types more explicit to minimize guess work in awf |
There was a problem hiding this comment.
Pull request overview
This pull request exposes AWF’s platform.type selection through workflow frontmatter (sandbox.agent.platform) and wires the value into generated AWF config JSON, enabling explicit GitHub deployment targeting instead of relying on AWF host heuristics.
Changes:
- Add
sandbox.agent.platformto the sandbox agent frontmatter surface and retain it in parsed sandbox configuration. - Emit
sandbox.agent.platforminto generated AWF config JSON asplatform.type, including coverage that it’s embedded into the generated AWF command. - Extend schema validation and docs to include the new field and restrict values to the supported set.
Show a summary per file
| File | Description |
|---|---|
| pkg/workflow/sandbox.go | Adds Platform to AgentSandboxConfig to retain the frontmatter value. |
| pkg/workflow/frontmatter_types_test.go | Verifies ParseFrontmatterConfig populates Sandbox.Agent.Platform. |
| pkg/workflow/frontmatter_extraction_security.go | Extracts sandbox.agent.platform from object-form sandbox agent config. |
| pkg/workflow/frontmatter_extraction_security_test.go | Adds focused unit coverage for platform extraction. |
| pkg/workflow/awf_config.go | Introduces AWF platform section emission (platform.type) from workflow sandbox config. |
| pkg/workflow/awf_config_test.go | Adds regression tests for AWF config JSON emission and command embedding. |
| pkg/parser/schemas/main_workflow_schema.json | Adds sandbox.agent.platform with enum validation. |
| pkg/parser/schema_test.go | Adds schema acceptance/rejection tests for sandbox.agent.platform. |
| docs/src/content/docs/reference/frontmatter-full.md | Documents sandbox.agent.platform in the frontmatter reference. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 9/9 changed files
- Comments generated: 4
|
@copilot please post a brief status update and recheck CI/review state before the next push.
|
|
🚀 Smoke Gemini MISSION COMPLETE! Gemini has spoken. ✨ Caution agentic threat detected DetailsThe threat detection engine failed to produce results. Review the workflow run logs for details. |
|
🚀 Smoke Antigravity MISSION COMPLETE! Antigravity has spoken. ✨ |
|
✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟 Caution agentic threat detected DetailsThe threat detection engine failed to produce results. Review the workflow run logs for details. |
|
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨ Caution agentic threat detected DetailsThe threat detection engine failed to produce results. Review the workflow run logs for details. |
|
❌ Design Decision Gate 🏗️ failed to deliver outputs during design decision gate check. |
|
✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready. |
|
🚀 Smoke Pi MISSION COMPLETE! Pi delivered. 🥧 Caution agentic threat detected DetailsThe threat detection engine failed to produce results. Review the workflow run logs for details. Smoke test completed; created issue summary. PR comment/label skipped because workflow context lacks a usable triggering PR target for safeoutputs. |
|
🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅ |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
|
✅ PR Code Quality Reviewer completed the code quality review. |
|
✅ Test Quality Sentinel completed test quality analysis. |
|
📰 BREAKING: Smoke Copilot - AOAI (apikey) is now investigating this pull request. Sources say the story is developing... |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
|
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing... |
Agent Container Tool Check
Result: 12/12 tools available ✅ Overall Status: PASS
|
|
Caution agentic threat detected DetailsThe threat detection engine failed to produce results. Review the workflow run logs for details. Smoke test 27989413539
Warning Firewall blocked 6 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
|
|
Caution agentic threat detected DetailsThe threat detection engine failed to produce results. Review the workflow run logs for details. Comment MemoryNote This comment is managed by comment memory.It stores persistent context for this thread in the code block at the top of this comment. Warning Firewall blocked 6 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
|
|
Caution agentic threat detected DetailsThe threat detection engine failed to produce results. Review the workflow run logs for details. 🤖 Smoke Test: Claude — Run 27989413597Core #1-12: ✅ all passed Overall: PARTIAL (all executed tests passed; 2 conditional skips)
Warning Firewall blocked 6 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
|
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
Caution
agentic threat detected
Threat detection flagged this output in warn mode. Manual review is REQUIRED before any follow-up automation.
Details
The threat detection engine failed to produce results.
Review the workflow run logs for details.
💥 Automated smoke test review - all systems nominal! (Heads up: flagged a real missing-comma bug in the schema JSON.)
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
accounts.google.comandroid.clients.google.comclients2.google.comcontentautofill.googleapis.comsafebrowsingohttpgateway.googleapis.comwww.google.com
To allow these domains, add them to the
network.allowedlist in your workflow frontmatter:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
💥 [THE END] — Illustrated by Smoke Claude · 77.7 AIC · ⊞ 8.5K
| "type": "string", | ||
| "enum": ["github.com", "ghes", "ghec", "ghec-self-hosted"], | ||
| "description": "AWF platform.type override. Declares the GitHub deployment type so AWF can apply deterministic Copilot auth behavior without relying on host heuristics. Omit to let AWF use its default host heuristic behavior." | ||
| } |
There was a problem hiding this comment.
🐞 Real bug found during smoke test: the new platform enum block is missing a trailing comma before "command". This breaks schema JSON parsing — go test ./pkg/parser/... now fails with invalid character '"' after object key:value pair. Add a comma after the closing } of the platform property.
| return workflowData.EngineConfig.TokenWeights.Multipliers | ||
| } | ||
|
|
||
| func extractPlatformType(workflowData *WorkflowData) string { |
There was a problem hiding this comment.
Nice helper. Consider adding a short doc comment on extractPlatformType describing precedence (disabled / unsupported sandbox type returns empty string) to match the style of the surrounding extractor functions.
There was a problem hiding this comment.
🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · 92.3 AIC · ⌖ 11.1 AIC · ⊞ 6.5K
Comments that could not be inline-anchored
pkg/workflow/awf_config.go:538
[/tdd] The Disabled=true guard (and the isSupportedSandboxType guard on line 541) silently drop the platform value, but neither path has a test. If a workflow sets platform: ghes on a disabled or non-AWF agent, the value is dropped without any assertion proving that.
<details>
<summary>💡 Suggested tests</summary>
Add to TestBuildAWFConfigJSON in awf_config_test.go:
t.Run("platform is omitted when agent is disabled", func(t *testing.T) {
config := AWFCommandConfig{
Eng…
</details>
<details><summary>pkg/workflow/awf_config.go:549</summary>
**[/zoom-out]** `extractPlatformType` guards against `Disabled` and non-AWF sandbox types, but the structurally equivalent `extractModelFallback` (immediately below) does not apply either guard. Since `BuildAWFConfigJSON` is only called for AWF agents, both extra checks in `extractPlatformType` may be dead code — or alternatively, `extractModelFallback` is missing them. Either way, the intent should be made explicit to avoid confusion for the next reader.
<details>
<summary>💡 Options</summary…
</details>
<details><summary>docs/src/content/docs/reference/frontmatter-full.md:1873</summary>
**[/grill-with-docs]** "Omit to use the default github.com behavior." could be read as: if you omit this field, AWF always behaves as if `platform: github.com` was set — which would worry GHES/GHEC users into thinking they *must* set this field. The intent is that AWF falls back to automatic host detection, not that it hard-codes `github.com`.
<details>
<summary>💡 Suggested wording</summary>Omit to let AWF detect the platform automatically from the host environment.
The JSON sche…
</details>
<details><summary>pkg/parser/schema_test.go:708</summary>
**[/tdd]** `TestValidateMainWorkflowFrontmatterWithSchemaAndLocation_SandboxAgentPlatform` is missing `t.Parallel()` at the top level. Both neighboring tests — `TestValidateMainWorkflowFrontmatterWithSchemaAndLocation_MaxDailyAICreditsNegativeAllowed` (line 694) and `TestMainWorkflowSchema_WorkflowDispatchNumberTypeDocumentation` (line 751) — call `t.Parallel()`. Add `t.Parallel()` at the start of this function and also to each `t.Run` subtest to be consistent with the file's pattern.
</details>
<details><summary>pkg/workflow/sandbox.go:54</summary>
**[/zoom-out]** The struct comment alignment regressed when `Platform` was inserted. `ID`, `Type`, `Version`, `Platform`, and `Disabled` are reasonably aligned, but `DisableReason` through `Targets` have a large excess of spaces in their inline comments (visible in the diff). Running `make fmt` should normalise the struct tags; the trailing inline comments may need a manual pass to restore the original column alignment.
<details>
<summary>💡 Quick check</summary>
Before merging, confirm `make…
</details>
There was a problem hiding this comment.
REQUEST_CHANGES — one blocking defect must be fixed before merge.
### Findings
🔴 Blocking: Invalid JSON in main_workflow_schema.json
The "platform" property block is missing a trailing comma before "command", making the schema file unparseable JSON. Every schema-validation path will error on load — this regresses all workflow validation, not just the new platform field. Fix: add , after the closing } of the platform block (line 3259).
🟡 Medium: Disabled=true guard in extractPlatformType is untested
The guard is correct and necessary (platform must not be emitted when the sandbox agent is disabled), but there is no test exercising that branch. A suggested subtest is included in the inline comment.
✅ What's solid
- The
extractPlatformTypedefensive nil-chain andisSupportedSandboxTypetype filter are well-structured. - The end-to-end coverage (frontmatter parsing → AWF config JSON → embedded command) is thorough.
- Previous review feedback (json tag inconsistency, disabled-agent leakage, misleading schema/doc descriptions) has been addressed in the fix commits.
🔎 Code quality review by PR Code Quality Reviewer · 119.2 AIC · ⌖ 7.15 AIC · ⊞ 5.1K
| "type": "string", | ||
| "enum": ["github.com", "ghes", "ghec", "ghec-self-hosted"], | ||
| "description": "AWF platform.type override. Declares the GitHub deployment type so AWF can apply deterministic Copilot auth behavior without relying on host heuristics. Omit to use the default github.com behavior." | ||
| }, |
There was a problem hiding this comment.
Broken JSON syntax: missing comma causes the entire schema to fail to load, breaking all workflow validation.
💡 Details and fix
The closing } of the new "platform" property has no trailing comma before "command". JSON requires commas between sibling properties, so main_workflow_schema.json is now syntactically invalid — json.Unmarshal errors on load.
Impact: Every code path that reads this schema to validate workflow frontmatter will fail before any validation logic runs. This breaks all field validation, not just platform.
Fix: add the missing comma:
- }
+ },
"command": {The TestValidateMainWorkflowFrontmatterWithSchemaAndLocation_SandboxAgentPlatform tests added in this PR will also fail (masking all other schema tests) until this is corrected.
| if workflowData == nil || workflowData.SandboxConfig == nil || workflowData.SandboxConfig.Agent == nil { | ||
| return "" | ||
| } | ||
| return workflowData.SandboxConfig.Agent.Platform |
There was a problem hiding this comment.
The Disabled=true guard is untested: a regression that removes this check would silently emit platform.type into AWF config even when the sandbox agent is disabled.
💡 Details and suggested test
extractPlatformType correctly short-circuits when Agent.Disabled == true, but no test covers this path. If someone inadvertently removes or inverts this guard in a future change, no test will catch it.
Add a subtest in TestBuildAWFConfigJSON (or TestBuildAWFCommand_EmbedsPlatformConfig):
t.Run("platform config is omitted when sandbox agent is disabled", func(t *testing.T) {
config := AWFCommandConfig{
EngineName: "copilot",
AllowedDomains: "github.com",
WorkflowData: &WorkflowData{
EngineConfig: &EngineConfig{ID: "copilot"},
NetworkPermissions: &NetworkPermissions{
Firewall: &FirewallConfig{Enabled: true},
},
SandboxConfig: &SandboxConfig{
Agent: &AgentSandboxConfig{
Type: SandboxTypeAWF,
Platform: "ghes",
Disabled: true,
},
},
},
}
jsonStr, err := BuildAWFConfigJSON(config)
require.NoError(t, err)
assert.NotContains(t, jsonStr, `"platform":`, "platform should be absent when sandbox agent is disabled")
})
|
Caution agentic threat detected DetailsPotential security threats were detected in the agent output. Review the workflow run logs for details. Smoke tests completed with overall FAIL status:
|
Comment MemoryNote This comment is managed by comment memory.It stores persistent context for this thread in the code block at the top of this comment. Warning Firewall blocked 6 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
|
There was a problem hiding this comment.
Smoke review tools check complete.
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
accounts.google.comandroid.clients.google.comclients2.google.comcontentautofill.googleapis.comsafebrowsingohttpgateway.googleapis.comwww.google.com
To allow these domains, add them to the
network.allowedlist in your workflow frontmatter:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
📰 BREAKING: Report filed by Smoke Copilot · 287.9 AIC · ⌖ 13.9 AIC · ⊞ 19.2K
🧪 Test Quality Sentinel Report
📊 Metrics & Test Classification (6 tests analyzed)
Go: 6 (
|
|
Smoke test 279905: FAIL\ngh pr list: ✅\nmcpscripts pr list: ❌\nSerena CLI: ❌\nPlaywright CLI: ✅\nGitHub fetch: ✅\nFile create: ✅\nDiscussion interaction: ❌\nBuild: ✅\nArtifact upload: ❌\nDiscussion create: ❌\nWorkflow dispatch: ❌\nPR review: ❌\nComment memory: ❌\nFile summarizer: ❌\nCheck run: ❌\nOverall: FAIL\n@app/copilot-swe-agent Warning Firewall blocked 6 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
|
|
@copilot merge main and recompile run pr-finisher skill |
|
@copilot review all comments and address unresolved review feedback.
|
|
Please summarize the remaining blockers and refresh checks after the review fixes land.
|
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…atform-type Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Merged |
|
``
|
|
``
|
AWF already supports explicit
platform.typeto select GitHub deployment behavior, but gh-aw had no frontmatter path to set it. This change surfaces that setting in workflow frontmatter and wires it into generated AWF config so platform selection is explicit instead of host-heuristic-driven.Frontmatter surface
sandbox.agent.platformas the workflow-facing knob for AWF platform selectiongithub.comghesghecghec-self-hostedCompiler mapping
platform.typeSchema and docs
Regression coverage
Example:
This now produces AWF config containing:
{ "platform": { "type": "ghes" } }Caution
agentic threat detected
Threat detection flagged this output in warn mode. Manual review is REQUIRED before any follow-up automation.
Details
The threat detection engine failed to produce results.
Review the workflow run logs for details.
✨ PR Review Safe Output Test - Run 27989413597
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
accounts.google.comandroid.clients.google.comclients2.google.comcontentautofill.googleapis.comsafebrowsingohttpgateway.googleapis.comwww.google.comSee Network Configuration for more information.