fix: rootless AWF install uses $HOME/.local and exports $GITHUB_PATH

actions/setup/sh/install_awf_binary.sh

@@ -42,6 +42,15 @@ for arg in "${@:2}"; do
   esac
 done
 
+# In rootless mode, install into the user's home directory instead of /usr/local
+# so that standard GitHub-hosted runners (where /usr/local is root-owned) work
+# without requiring any pre-chowning or sudo.
+if [ "$ROOTLESS" = "true" ]; then
+  AWF_USER_PREFIX="${HOME}/.local"
+  AWF_INSTALL_DIR="${AWF_USER_PREFIX}/bin"
+  AWF_LIB_DIR="${AWF_USER_PREFIX}/lib/awf"
+fi
+
 # maybe_sudo runs a command with sudo unless --rootless was specified.
 # In network-isolation mode, AWF runs rootless so sudo is not available or needed.
 maybe_sudo() {
@@ -64,21 +73,14 @@ ARCH="$(uname -m)"
 
 echo "Installing awf with checksum verification (version: ${AWF_VERSION}, os: ${OS}, arch: ${ARCH})"
 
-# Rootless mode preflight: verify write access to install directories
+# Rootless mode preflight: create and verify write access to install directories
 if [ "$ROOTLESS" = "true" ]; then
-  if ! [ -w "${AWF_INSTALL_DIR}" ] 2>/dev/null; then
-    echo "ERROR: --rootless requires write access to ${AWF_INSTALL_DIR}" >&2
-    echo "       This directory is root-owned on standard runners. --rootless is intended" >&2
-    echo "       only for ARC/Kubernetes containers where the install dirs are pre-chowned" >&2
-    echo "       to the runner user." >&2
+  if ! { mkdir -p "${AWF_INSTALL_DIR}" && [ -w "${AWF_INSTALL_DIR}" ]; }; then
+    echo "ERROR: --rootless could not create a writable install directory at ${AWF_INSTALL_DIR}" >&2
     exit 1
   fi
-  # Also check lib dir writability (or ability to create it)
-  if ! { mkdir -p "${AWF_LIB_DIR}" 2>/dev/null && [ -w "${AWF_LIB_DIR}" ]; }; then
-    echo "ERROR: --rootless requires write access to ${AWF_LIB_DIR}" >&2
-    echo "       This directory is root-owned on standard runners. --rootless is intended" >&2
-    echo "       only for ARC/Kubernetes containers where the install dirs are pre-chowned" >&2
-    echo "       to the runner user." >&2
+  if ! { mkdir -p "${AWF_LIB_DIR}" && [ -w "${AWF_LIB_DIR}" ]; }; then
+    echo "ERROR: --rootless could not create a writable lib directory at ${AWF_LIB_DIR}" >&2
     exit 1
   fi
 fi
@@ -179,7 +181,7 @@ install_bundle() {
   # runtime argument forwarding.
   maybe_sudo tee "${AWF_INSTALL_DIR}/${AWF_INSTALL_NAME}" > /dev/null <<WRAPPER
 #!/bin/bash
-exec ${node_bin} /usr/local/lib/awf/awf-bundle.js "\$@"
+exec "${node_bin}" "${AWF_LIB_DIR}/awf-bundle.js" "\$@"
 WRAPPER
   maybe_sudo chmod +x "${AWF_INSTALL_DIR}/${AWF_INSTALL_NAME}"
 
@@ -258,6 +260,16 @@ else
   install_platform_binary
 fi
 
+# In rootless mode, add the install dir to PATH for subsequent steps.
+# $GITHUB_PATH is the mechanism for persisting PATH additions across steps in GitHub Actions.
+if [ "$ROOTLESS" = "true" ]; then
+  if [ -n "${GITHUB_PATH:-}" ]; then
+    echo "${AWF_INSTALL_DIR}" >> "${GITHUB_PATH}"
+  else
+    echo "WARNING: --rootless install complete but \$GITHUB_PATH is unset; add ${AWF_INSTALL_DIR} to PATH manually" >&2
+  fi
+fi
+
 # Verify installation by running --version.
 # In legacy (non-rootless) mode, run with sudo (without -E, since we explicitly unset
 # environment variables below). On GPU runners (e.g. aw-gpu-runner-T4), /usr/local/bin

actions/setup/sh/install_awf_binary_test.sh

@@ -0,0 +1,128 @@
+#!/usr/bin/env bash
+set +o histexpand
+
+# Tests for install_awf_binary.sh flag-parsing and variable-override logic.
+# Run: bash install_awf_binary_test.sh
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+TESTS_PASSED=0
+TESTS_FAILED=0
+
+pass() { echo "PASS: $1"; TESTS_PASSED=$((TESTS_PASSED + 1)); }
+fail() { echo "FAIL: $1"; echo "  $2"; TESTS_FAILED=$((TESTS_FAILED + 1)); }
+
+# Inline the flag-parsing and directory-override block from install_awf_binary.sh
+# in a subshell so we can vary the arguments without touching the real filesystem.
+parse_and_override() {
+  local args=("$@")
+  bash -c '
+    AWF_INSTALL_DIR="/usr/local/bin"
+    AWF_LIB_DIR="/usr/local/lib/awf"
+    ROOTLESS=false
+    for arg in "${@:1}"; do
+      case "$arg" in
+        --rootless) ROOTLESS=true ;;
+      esac
+    done
+    if [ "$ROOTLESS" = "true" ]; then
+      AWF_USER_PREFIX="${HOME}/.local"
+      AWF_INSTALL_DIR="${AWF_USER_PREFIX}/bin"
+      AWF_LIB_DIR="${AWF_USER_PREFIX}/lib/awf"
+    fi
+    echo "AWF_INSTALL_DIR=${AWF_INSTALL_DIR}"
+    echo "AWF_LIB_DIR=${AWF_LIB_DIR}"
+  ' -- "${args[@]}"
+}
+
+echo "Running install_awf_binary.sh tests..."
+echo
+
+# Test 1: rootless flag sets AWF_INSTALL_DIR to $HOME/.local/bin
+echo "Test 1: --rootless sets AWF_INSTALL_DIR to \$HOME/.local/bin..."
+result=$(parse_and_override --rootless)
+expected_install_dir="${HOME}/.local/bin"
+if echo "$result" | grep -q "AWF_INSTALL_DIR=${expected_install_dir}"; then
+  pass "AWF_INSTALL_DIR is ${expected_install_dir}"
+else
+  fail "AWF_INSTALL_DIR was not ${expected_install_dir}" "$result"
+fi
+
+# Test 2: rootless flag sets AWF_LIB_DIR to $HOME/.local/lib/awf
+echo "Test 2: --rootless sets AWF_LIB_DIR to \$HOME/.local/lib/awf..."
+expected_lib_dir="${HOME}/.local/lib/awf"
+if echo "$result" | grep -q "AWF_LIB_DIR=${expected_lib_dir}"; then
+  pass "AWF_LIB_DIR is ${expected_lib_dir}"
+else
+  fail "AWF_LIB_DIR was not ${expected_lib_dir}" "$result"
+fi
+
+# Test 3: without --rootless, AWF_INSTALL_DIR stays /usr/local/bin
+echo "Test 3: without --rootless, AWF_INSTALL_DIR stays /usr/local/bin..."
+result=$(parse_and_override)
+if echo "$result" | grep -q "AWF_INSTALL_DIR=/usr/local/bin"; then
+  pass "AWF_INSTALL_DIR is /usr/local/bin"
+else
+  fail "AWF_INSTALL_DIR was not /usr/local/bin" "$result"
+fi
+
+# Test 4: without --rootless, AWF_LIB_DIR stays /usr/local/lib/awf
+echo "Test 4: without --rootless, AWF_LIB_DIR stays /usr/local/lib/awf..."
+if echo "$result" | grep -q "AWF_LIB_DIR=/usr/local/lib/awf"; then
+  pass "AWF_LIB_DIR is /usr/local/lib/awf"
+else
+  fail "AWF_LIB_DIR was not /usr/local/lib/awf" "$result"
+fi
+
+# Test 5: GITHUB_PATH export — install dir is written when GITHUB_PATH is set
+echo "Test 5: AWF_INSTALL_DIR is appended to GITHUB_PATH in rootless mode..."
+FAKE_GITHUB_PATH=$(mktemp)
+bash -c '
+  AWF_INSTALL_DIR="${HOME}/.local/bin"
+  ROOTLESS=true
+  GITHUB_PATH="'"${FAKE_GITHUB_PATH}"'"
+  if [ "$ROOTLESS" = "true" ]; then
+    if [ -n "${GITHUB_PATH:-}" ]; then
+      echo "${AWF_INSTALL_DIR}" >> "${GITHUB_PATH}"
+    else
+      echo "WARNING: --rootless install complete but \$GITHUB_PATH is unset; add ${AWF_INSTALL_DIR} to PATH manually" >&2
+    fi
+  fi
+'
+expected_path_entry="${HOME}/.local/bin"
+if grep -qF "${expected_path_entry}" "${FAKE_GITHUB_PATH}"; then
+  pass "${expected_path_entry} written to GITHUB_PATH"
+else
+  fail "${expected_path_entry} not found in GITHUB_PATH" "$(cat "${FAKE_GITHUB_PATH}")"
+fi
+rm -f "${FAKE_GITHUB_PATH}"
+
+# Test 6: warning emitted when GITHUB_PATH is unset in rootless mode
+echo "Test 6: warning emitted when GITHUB_PATH is unset in rootless mode..."
+warning_output=$(bash -c '
+  AWF_INSTALL_DIR="${HOME}/.local/bin"
+  ROOTLESS=true
+  unset GITHUB_PATH
+  if [ "$ROOTLESS" = "true" ]; then
+    if [ -n "${GITHUB_PATH:-}" ]; then
+      echo "${AWF_INSTALL_DIR}" >> "${GITHUB_PATH}"
+    else
+      echo "WARNING: --rootless install complete but \$GITHUB_PATH is unset; add ${AWF_INSTALL_DIR} to PATH manually" >&2
+    fi
+  fi
+' 2>&1)
+if echo "$warning_output" | grep -q "WARNING"; then
+  pass "WARNING emitted when GITHUB_PATH is unset"
+else
+  fail "No WARNING when GITHUB_PATH is unset" "$warning_output"
+fi
+
+echo
+echo "Tests passed: $TESTS_PASSED"
+echo "Tests failed: $TESTS_FAILED"
+
+if [ "$TESTS_FAILED" -gt 0 ]; then
+  exit 1
+fi
+
+echo "✓ All tests passed!"

pkg/workflow/copilot_engine_installation.go

@@ -274,7 +274,9 @@ func generateAWFInstallationStep(version string, agentConfig *AgentSandboxConfig
 
 	installCmd := "bash \"${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh\" " + version
 	// When sudo is false (network isolation mode), AWF runs rootless: pass --rootless
-	// so the install script skips sudo when writing to /usr/local/bin and /usr/local/lib/awf.
+	// so the install script installs into $HOME/.local/{bin,lib/awf} (always writable,
+	// even on standard GitHub-hosted runners where /usr/local is root-owned) and exports
+	// $GITHUB_PATH so the bare awf invocation in later steps resolves correctly.
 	// Also check Disabled to match isAWFNetworkIsolationEnabled() behavior.
 	if agentConfig != nil && agentConfig.NetworkIsolation && !agentConfig.Disabled {
 		installCmd += " --rootless"