Add stdio transport mode for safe-inputs MCP server#5817
Merged
Conversation
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Add configurable mode for safe inputs in AWF firewall
Add stdio transport mode for safe-inputs MCP server
Dec 8, 2025
lpcox
added a commit
that referenced
this pull request
Jul 2, 2026
Picks up the pre-shutdown squid log chmod fix (#5817) which resolves artifact permission errors on ARC/DinD runners.
lpcox
added a commit
that referenced
this pull request
Jul 2, 2026
… build-tools image (#42906) * fix: pre-create rw mount source directories for ARC/DinD AWF validates that --mount host paths exist before starting containers. On ARC/DinD, the compiler emits mounts for ${RUNNER_TEMP}/gh-aw/home and ${RUNNER_TEMP}/gh-aw/sandbox/agent which may not exist yet (only the parent ${RUNNER_TEMP}/gh-aw/ is created by actions/setup). Add mkdir -p for these directories in the generated shell script, right after the DOCKER_HOST detection probe and before the AWF invocation. Error seen in canary run 28566765653: Invalid volume mount: ...gh-aw/home:...gh-aw/home:rw Reason: Host path does not exist: ...gh-aw/home Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * fix: install Docker Compose plugin for ARC/DinD topology ARC/DinD runners may not have the Docker Compose v2 CLI plugin pre-installed. AWF requires 'docker compose' to orchestrate its containers (squid-proxy, agent, api-proxy). Add a generated step that downloads and installs docker-compose v2.36.2 into $DOCKER_CONFIG/cli-plugins/ before the AWF invocation. Error seen in canary: 'unknown shorthand flag: -d in -d' when AWF tried to run 'docker compose up -d'. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * fix: include build-tools sysroot image in download step for ARC/DinD AWF uses --pull never when starting containers, so all images must be pre-downloaded. The build-tools image (used as the sysroot-stage init container on arc-dind topology) was missing from the download list, causing: 'No such image: ghcr.io/github/gh-aw-firewall/build-tools:0.27.21' Add build-tools to collectDockerImages() when arc-dind topology is active. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * fix: ensure Node.js and Copilot CLI are at daemon-visible paths for ARC/DinD On ARC runners, setup-node may find a pre-cached node at the original tool cache (/home/runner/_work/_tool/) which is NOT under RUNNER_TEMP and therefore not bind-mounted into the AWF container. Add a step after runtime setup that copies node to the redirected tool cache if needed. Also add a step to copy the Copilot CLI binary from /usr/local/bin (where install_copilot_cli.sh places it) to ${RUNNER_TEMP}/gh-aw/bin/ which is the daemon-visible path the AWF command references. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * fix: copy prompts to daemon-visible path and fix prompt-file ref for ARC/DinD On ARC/DinD, /tmp/gh-aw/ is on the runner's filesystem but NOT visible to the Docker daemon. The activation job writes prompt files to /tmp/gh-aw/aw-prompts/, but AWF can only access daemon-visible paths. Two fixes: 1. Copy /tmp/gh-aw/aw-prompts/ to ${RUNNER_TEMP}/gh-aw/aw-prompts/ before AWF invocation (in the arcDindDockerHostProbe preamble) 2. Change --prompt-file path in copilot engine from /tmp/gh-aw/... to ${RUNNER_TEMP}/gh-aw/... when arc-dind topology is active Other engines (Claude, Codex) have the same hardcoded /tmp/ path and will need similar fixes for arc-dind support. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * test: add unit tests for build-tools image in collectDockerImages for arc-dind Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> * fix: use daemon-visible paths for firewall logs/artifacts on ARC/DinD The post-run steps (firewall log parsing, artifact upload) used hardcoded /tmp/gh-aw/sandbox/firewall/ paths. On ARC/DinD, AWF writes logs to ${RUNNER_TEMP}/gh-aw/sandbox/firewall/ (daemon-visible). This mismatch caused 'No log sources found' errors and empty artifact uploads. Fix generateFirewallLogParsingStep(), generateSquidLogsUploadStep(), and the unified artifact path list to use ${RUNNER_TEMP} paths when arc-dind topology is active. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * fix: use Actions expressions for ARC/DinD firewall log paths in env/with blocks ${RUNNER_TEMP} is a shell variable that only expands in `run:` blocks. In `env:` and `with:` blocks, GitHub Actions only expands ${{ }} expressions. The firewall log summary step and artifact upload paths were using ${RUNNER_TEMP} which was passed as a literal string, causing 'No log sources found' even though AWF_LOGS_DIR was set. Fix: use ${{ runner.temp }} in env/with contexts for ARC/DinD topology. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Apply remaining changes Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com> * bump DefaultFirewallVersion to v0.27.22 Picks up the pre-shutdown squid log chmod fix (#5817) which resolves artifact permission errors on ARC/DinD runners. * test: update wasm golden files after merge with main Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> --------- Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds a configurable
modefield to safe-inputs that allows the MCP server to run within the AWF firewall using stdio transport instead of as a separate HTTP service.Changes
modefield to safe-inputs configuration with values"http"(default) or"stdio"type: "stdio",command: "node",args: ["/tmp/gh-aw/safe-inputs/mcp-server.cjs"]startSafeInputsServer()type: "http",url: "http://host.docker.internal:${PORT}"startHttpServer()modeproperty, pattern regex excludes "mode" from tool namesshared/gh.mdUsage
Omitting
modedefaults to"http"for backward compatibility.Warning
Firewall rules blocked me from connecting to one or more addresses (expand for details)
I tried to connect to the following addresses, but was blocked by firewall rules:
https://api.github.com/user/usr/bin/gh gh api user --jq .login -json GO111MODULE ir GOINSECURE GOMOD GOMODCACHE ache/go/1.25.0/x64/pkg/tool/linux_amd64/compile env d-artifact.git d-artifact.git /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh api user --jq .login action.git GO111MODULE 1/x64/bin/node by/2d2c7a5149acfnode GOMOD -d/gh-aw go env 4b82ac6d18922b48 -d/gh-aw 1593003/b201/vet.cfg GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh api user --jq .login .git .git 6f4186579cd7cae5e68b087f4a6313c0443/log.json GOINSECURE GOMOD GOMODCACHE go env f/tags/v6 GO111MODULE(http block)If you need me to access, download, or install something from one of these locations, you can either:
Original prompt
💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.