docs: align ARC/DinD docs, spec, and schema with implementation #5890

Merged: lpcox merged 3 commits into main from copilot/align-arc-dind-docs-spec-schema on Jul 4, 2026

Copilot AI commented Jul 3, 2026

Contributor

The runner.topology: arc-dind schema description incorrectly claimed that setting this topology automatically enables network.isolation=true and dind.preStageDirs=true. The implementation only enables sysroot staging and emits a RUNNER_TOOL_CACHE warning — other settings must be configured explicitly. Docs also lacked cross-links between ARC/DinD surfaces and were missing the loopback TCP auto-detection case.

Changes

docs/awf-config.schema.json

  • runner.topology (correctness fix): Remove false claim about automatic network.isolation=true / dind.preStageDirs=true defaults. Actual behavior: enables sysroot-stage init container + sysroot:/host:rw volume, emits /opt tool-cache warning. Explicitly state other fields must be set independently.
  • container.enableDind: Expand description to cover Docker socket exposure, DOCKER_HOST propagation, and security implication.
  • container.dockerHost: Expand to cover DOCKER_HOST auto-detection, enableDind interaction, and ARC/DinD loopback TCP detection.

docs/arc-dind.md

  • Add loopback TCP (tcp://localhost:* / tcp://127.0.0.1:*) to the auto-detection section — this pattern is handled by isSiblingDaemonSocket() but was undocumented.
  • Add See also section linking to config spec, schema, and environment.md.

docs/awf-config-spec.md

  • Add docs/arc-dind.md to Informative References.

docs/environment.md / docs/usage.md

  • Add cross-references to arc-dind.md at the relevant ARC/DinD sections.
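
A config audit for the correction described above, as an added example that is not part of the PR or the AWF code base. It assumes the dotted field names on this page map to nested JSON objects; `auditArcDind`, `isLoopbackTcp` and `get` are hypothetical helpers, and the sample config is constructed.

```javascript
// Added example (not AWF code): flag ARC/DinD settings that
// runner.topology=arc-dind does NOT turn on by itself, per this PR.
// Assumption: dotted names such as network.isolation are nested JSON keys.

// Loopback TCP forms named in the PR: tcp://localhost:* and tcp://127.0.0.1:*
function isLoopbackTcp(dockerHost) {
  return /^tcp:\/\/(localhost|127\.0\.0\.1):\d+$/.test(dockerHost || "");
}

// Read a dotted path without throwing on missing parents.
function get(obj, path) {
  return path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), obj);
}

function auditArcDind(config, env = {}) {
  const findings = [];
  // container.dockerHost falls back to DOCKER_HOST when not set explicitly.
  const dockerHost = get(config, "container.dockerHost") || env.DOCKER_HOST;
  const arcDind = get(config, "runner.topology") === "arc-dind";
  const loopback = isLoopbackTcp(dockerHost);

  if (!arcDind && loopback) {
    findings.push("loopback TCP daemon but runner.topology is not arc-dind");
  }
  if (arcDind || loopback) {
    // These must be configured through their own fields.
    const explicit = ["network.isolation", "dind.preStageDirs",
                      "container.dockerHostPathPrefix"];
    for (const field of explicit) {
      if (get(config, field) === undefined) {
        findings.push(`${field} is not set explicitly`);
      }
    }
    // AWF warns when the tool cache sits under /opt.
    const cache = env.RUNNER_TOOL_CACHE || "";
    if (cache === "/opt" || cache.startsWith("/opt/")) {
      findings.push("RUNNER_TOOL_CACHE is under /opt");
    }
  }
  if (get(config, "container.enableDind") === true) {
    findings.push("container.enableDind mounts the Docker socket inside the agent");
  }
  return findings;
}

// Constructed sample: a config written against the old schema wording.
const sampleConfig = { runner: { topology: "arc-dind" }, container: { enableDind: true } };
const sampleEnv = { DOCKER_HOST: "tcp://localhost:2375", RUNNER_TOOL_CACHE: "/opt/hostedtoolcache" };
console.log(auditArcDind(sampleConfig, sampleEnv).join("\n"));
```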

Copilot AI linked an issue Jul 3, 2026 that may be closed by this pull request
6 tasks
Copilot AI changed the title from "[WIP] Align ARC/DinD docs, spec, and schema with current implementation" to "docs: align ARC/DinD docs, spec, and schema with implementation" Jul 3, 2026
Copilot AI requested a review from lpcox July 3, 2026 20:37
Copilot finished work on behalf of lpcox July 3, 2026 20:37
lpcox requested a review from Copilot July 3, 2026 20:38
lpcox marked this pull request as ready for review July 3, 2026 20:38

Copilot AI left a comment

Contributor

Pull request overview

This PR corrects and expands ARC/DinD (split runner/daemon filesystem) documentation and JSON schema descriptions so they match the current implementation, and adds cross-links between the various ARC/DinD guidance surfaces.

Changes:

  • Update runner.topology, container.enableDind, and container.dockerHost schema descriptions to reflect actual ARC/DinD behavior and security implications.
  • Document loopback TCP (tcp://localhost:* / tcp://127.0.0.1:*) as an ARC/DinD auto-detection signal and add “See also” cross-references.
  • Add references to arc-dind.md from the usage/environment docs and include it in the config spec’s informative references.

Summary per file:

  • docs/usage.md: Adds an ARC/DinD pointer from the --enable-dind section to the dedicated ARC/DinD guide.
  • docs/environment.md: Adds a “See also” cross-reference to the ARC/DinD guide from the env/config guidance.
  • docs/awf-config.schema.json: Updates schema descriptions for ARC/DinD topology and Docker host/DinD fields to better match implementation.
  • docs/awf-config-spec.md: Adds arc-dind.md to Informative References.
  • docs/arc-dind.md: Documents loopback TCP auto-detection and adds a “See also” section linking related references.

Review details

  • Files reviewed: 5/5 changed files
  • Comments generated: 2
  • Review effort level: Low

Comment on lines 794 to 801
"topology": {
"type": "string",
"enum": [
"standard",
"arc-dind"
],
"description": "Runner deployment topology. 'standard' (default) = GitHub-hosted VM or self-hosted runner with local Docker. 'arc-dind' = ARC (Actions Runner Controller) with Docker-in-Docker sidecar, where the runner and Docker daemon have separate filesystems. When set to 'arc-dind', AWF applies overridable defaults: network.isolation=true, dind.preStageDirs=true, sysroot image activation, and tool cache validation."
"description": "Runner deployment topology. 'standard' (default) = GitHub-hosted VM or self-hosted runner with local Docker. 'arc-dind' = ARC (Actions Runner Controller) with Docker-in-Docker sidecar, where the runner and Docker daemon have separate filesystems. When set to 'arc-dind', AWF enables sysroot staging (a sysroot-stage init container copies the build-tools image into a named volume mounted at /host:rw on the agent) and emits a warning when RUNNER_TOOL_CACHE points under /opt (which is typically invisible to the DinD daemon). Other ARC/DinD settings such as container.dockerHostPathPrefix, dind.preStageDirs, and network.isolation are configured explicitly through their own fields. See docs/arc-dind.md for a complete guide."
},
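Review bot: the closing sentence of the new runner.topology description ("Other ARC/DinD settings ... are configured explicitly through their own fields") should state outright that arc-dind does not enable network.isolation or dind.preStageDirs. The replaced text advertised both as defaults, so a reader who relied on it may be running without isolation and will not learn that from the softer wording. Suggested phrasing: "Setting 'arc-dind' does not change network.isolation, dind.preStageDirs or container.dockerHostPathPrefix; set each explicitly." The description is also long for a schema field; the /opt tool-cache detail could live in docs/arc-dind.md, which the text already links.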
Comment on lines 599 to 602
"dockerHost": {
"type": "string",
"description": "Docker daemon socket or host to connect to (e.g. \"unix:///var/run/docker.sock\")."
"description": "Docker daemon socket URI for AWF's own operations (e.g. \"unix:///var/run/docker.sock\" or \"tcp://localhost:2375\"). Auto-detected from the DOCKER_HOST environment variable when not set explicitly. When combined with container.enableDind, AWF also mounts that socket inside the agent and sets the agent's DOCKER_HOST to the same URI so in-agent docker commands use the correct daemon. On ARC/DinD runners with a loopback TCP daemon (tcp://localhost:*), AWF detects the split-filesystem configuration automatically."
},
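Review bot: the last sentence of the new container.dockerHost description says AWF "detects the split-filesystem configuration automatically" without saying what detection changes, which reads as if related settings are applied for the user. State the effect precisely, for example whether only a warning is emitted and that container.dockerHostPathPrefix is still set by hand. The sentence also names only tcp://localhost:*, while the PR description lists tcp://127.0.0.1:* as well; mention both so the schema text matches docs/arc-dind.md.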
lpcox commented Jul 4, 2026

Collaborator

@copilot address review feedback

Copilot AI commented Jul 4, 2026

Contributor Author

@copilot address review feedback

Addressed in 96d9b54.

  • Synced src/awf-config-schema.json with docs/awf-config.schema.json so src/schema.test.ts passes.
  • Reworded container.dockerHost to clarify loopback TCP is only a DinD warning hint and does not auto-apply dockerHostPathPrefix.

Copilot finished work on behalf of lpcox July 4, 2026 13:11
github-actions Bot commented Jul 4, 2026

Contributor

✅ Copilot review passed with no inline comments.

@copilot Add the ready-for-aw label to this PR to trigger agentic CI smoke tests.

github-actions Bot commented Jul 4, 2026

Contributor

Documentation Preview

Documentation build failed for this PR. View logs.

Built from commit 293824a

github-actions Bot commented Jul 4, 2026

Contributor

✅ Coverage Check Passed

Overall Coverage

Metric Base PR Delta
Lines 98.59% 98.63% 📈 +0.04%
Statements 98.52% 98.55% 📈 +0.03%
Functions 99.44% 99.44% ➡️ +0.00%
Branches 94.34% 94.34% ➡️ +0.00%
📁 Per-file Coverage Changes (1 files)
File Lines (Before → After) Statements (Before → After)
src/workdir-setup.ts 93.2% → 94.9% (+1.69%) 93.2% → 94.9% (+1.69%)

Coverage comparison generated by scripts/ci/compare-coverage.ts

github-actions Bot commented Jul 4, 2026

Contributor

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

github-actions Bot commented Jul 4, 2026

Contributor

Build Test Suite completed successfully!

github-actions Bot commented Jul 4, 2026

Contributor

Smoke Copilot BYOK AOAI (api-key) completed. Copilot AOAI BYOK (api-key) mode operational. 🔓

github-actions Bot commented Jul 4, 2026

Contributor

Chroot tests failed Smoke Chroot failed - See logs for details.

github-actions Bot commented Jul 4, 2026

Contributor

📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅

github-actions Bot commented Jul 4, 2026

Contributor

🚀 Security Guard has started processing this pull request

github-actions Bot commented Jul 4, 2026

Contributor

🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅

github-actions Bot commented Jul 4, 2026

Contributor

Smoke Gemini completed. All facets verified. 💎

Smoke test completed with failures.

github-actions Bot commented Jul 4, 2026

Contributor

Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓

github-actions Bot commented Jul 4, 2026

Contributor

Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓

github-actions Bot commented Jul 4, 2026

Contributor

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

Smoke test in progress: build and GitHub reads passed; browser automation tool was not exposed in this session yet.

github-actions Bot commented Jul 4, 2026

Contributor

Contribution Check completed successfully!

PR #5890 follows the applicable CONTRIBUTING.md guidelines based on the pre-fetched metadata, diffs, and contribution guide. Changes are documentation/schema-description only, the PR description is clear, documentation is updated, and no tests are required for new runtime functionality.

github-actions Bot commented Jul 4, 2026

Contributor

Smoke Claude passed

github-actions Bot commented Jul 4, 2026

Contributor

Smoke Test Results

Test Status
GitHub MCP Connectivity
GitHub.com HTTP ✅ HTTP 200
File Write/Read ⚠️ Template vars unexpanded (pre-step issue)

Overall: PASS — core connectivity verified.

@lpcox

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot
Add label ready-for-aw to run again

github-actions Bot commented Jul 4, 2026

Contributor

✅ Smoke Test: Copilot BYOK Mode - PASS

  • ✅ GitHub MCP connectivity
  • ✅ GitHub.com connectivity (HTTP 200)
  • ✅ File write/read ops
  • ✅ BYOK inference path (agent → api-proxy → api.githubcopilot.com)

Running in direct BYOK mode via COPILOT_PROVIDER_API_KEY, credential injected at api-proxy sidecar.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 BYOK report filed by Smoke Copilot BYOK
Add label ready-for-aw to run again

github-actions Bot commented Jul 4, 2026

Contributor

Smoke Test: Claude Engine Validation

Check Result
API Status ✅ PASS
GH Check ✅ PASS
File Status ✅ PASS

Overall Result: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Smoke Claude for #5890 · 55.5 AIC · ⊞ 3.3K ·
Add label ready-for-aw to run again

github-actions Bot commented Jul 4, 2026

Contributor

Smoke Test: Services Connectivity

  • Redis PING: ❌ Network is unreachable
  • PostgreSQL pg_isready: ❌ No response
  • PostgreSQL SELECT 1: ❌ Network is unreachable

Overall: FAIL. host.docker.internal (172.17.0.1) is not reachable from this runner environment.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔌 Service connectivity validated by Smoke Services
Add label ready-for-aw to run again

github-actions Bot commented Jul 4, 2026

Contributor

Smoke Test Results

  • MCP PR Data: ✅
  • GitHub.com connectivity: ✅
  • File write/read test: ✅
  • BYOK inference: ✅

Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra

Overall: PASS

cc @lpcox

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🪪 BYOK (AOAI Entra) report filed by Smoke Copilot BYOK AOAI (Entra)
Add label ready-for-aw to run again

github-actions Bot commented Jul 4, 2026

Contributor

🔬 Smoke Test: API Proxy OpenTelemetry Tracing

Scenario Result Details
1️⃣ Module Loading ✅ Pass otel.js loads successfully; isEnabled()=true; exports 7 public functions + test internals
2️⃣ Test Suite ✅ Pass 59 tests passed, 0 failed across 2 suites (otel.test.js, otel-fanout.test.js)
3️⃣ Env Var Forwarding ✅ Pass api-proxy-env-config.ts forwards all 5 OTEL vars; header vars secured via AWF_ONE_SHOT_TOKENS
4️⃣ Token Tracker Integration ✅ Pass onUsage callback confirmed in token-tracker-http.js as OTEL hook point
5️⃣ OTEL Diagnostics ✅ Pass (graceful degradation) No OTLP endpoint configured; module correctly fell back to FileSpanExporter — no errors

All scenarios pass.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

📡 OTel tracing validated by Smoke OTel Tracing
Add label ready-for-aw to run again

github-actions Bot commented Jul 4, 2026

Contributor

Smoke Test: Copilot PAT Auth — PASS

✅ GitHub MCP connectivity: PR list confirmed
✅ GitHub.com HTTP: 200
✅ File write/read: confirmed (smoke-test-copilot-pat-28707817210.txt)

Auth mode: PAT (COPILOT_GITHUB_TOKEN)
Requested by @lpcox

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 PAT report filed by Smoke Copilot PAT
Add label ready-for-aw to run again

github-actions Bot commented Jul 4, 2026

Contributor

@lpcox

  • GitHub MCP: ✅
  • GitHub.com: ✅
  • File I/O: ✅
  • BYOK inference: ✅

Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw)

Overall: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 BYOK (AOAI api-key) report filed by Smoke Copilot BYOK AOAI (api-key)
Add label ready-for-aw to run again

github-actions Bot commented Jul 4, 2026

Contributor

Gemini Engine Smoke Test Results

Overall Status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini
Add label ready-for-aw to run again

github-actions Bot commented Jul 4, 2026

Contributor

Runner Doctor Updater: add cache-memory restore fallback key
fix: propagate config fields to all layers
GitHub title check: ✅
File write + build: ✅
Discussion omen: ✅
Overall: PASS

Warning

Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

  • awmgmcpg
  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex
Add label ready-for-aw to run again

github-actions Bot commented Jul 4, 2026

Contributor

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color 1/1 passed ✅ PASS
Go env 1/1 passed ✅ PASS
Go uuid 1/1 passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx all passed ✅ PASS
Node.js execa all passed ✅ PASS
Node.js p-limit all passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Build Test Suite for #5890 · 81.8 AIC · ⊞ 6.9K ·
Add label ready-for-aw to run again

lpcox merged commit 5e8a466 into main Jul 4, 2026
89 of 90 checks passed
lpcox deleted the copilot/align-arc-dind-docs-spec-schema branch July 4, 2026 13:50

Development

Successfully merging this pull request may close these issues.

Align ARC/DinD docs, spec, and schema with current implementation

3 participants