fix: reclaim non-writable /tmp/gh-aw/sandbox before AWF writeConfigs() to prevent EACCES #42400
Open
Copilot wants to merge 2 commits into
…) to prevent EACCES Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix EACCES error in Smoke CI startup" to "fix: reclaim non-writable /tmp/gh-aw/sandbox before AWF writeConfigs() to prevent EACCES" on Jun 30, 2026
Contributor
Pull request overview
This PR hardens gh-aw’s runner setup by proactively reclaiming a stale, non-writable /tmp/gh-aw/sandbox (often left root-owned by prior rootless container jobs) so AWF writeConfigs() doesn’t fail early with EACCES during sandbox config/log directory creation.
Changes:
- Add preflight detection and reclamation of `/tmp/gh-aw/sandbox` when it exists but is not writable, using `sudo rm -rf` with a fallback to `rm -rf`.
- Add a shell test script validating normal creation, preservation of user-owned sandboxes, and simulated reclaim behavior.
- Add a changeset documenting the patch release.
Show a summary per file
| File | Description |
|---|---|
| actions/setup/sh/create_gh_aw_tmp_dir.sh | Adds sandbox reclamation logic prior to creating gh-aw temp directories. |
| actions/setup/sh/create_gh_aw_tmp_dir_test.sh | Adds a dedicated test script to validate the new sandbox reclaim behavior. |
| .changeset/patch-reclaim-sandbox-rootless-eacces.md | Documents the patch release rationale and behavior change. |
Review details
- Files reviewed: 3/3 changed files
- Comments generated: 3
- Review effort level: Low
Comment on lines 1 to +3
| #!/usr/bin/env bash | ||
| set +o histexpand | ||
|
|
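Review bot: `set +o histexpand` on line 2 has no effect when this file is executed as a script, because bash enables history expansion only in interactive shells. If the line is kept for consistency with other scripts, add a one-line comment saying so; otherwise drop it.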
Comment on lines +17 to +20
| else | ||
| echo "[WARN] Failed to remove ${sandbox_dir}; AWF writeConfigs() may fail with EACCES" >&2 | ||
| fi | ||
| fi |
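Review bot: the `else` branch only prints a `[WARN]` and lets the script continue, so when removal fails the run still proceeds to the `EACCES` the message predicts, only later and further from the cause. Consider returning a non-zero status here so the step fails at the point of the problem, or, if continuing is intended, add a comment explaining why a failed removal is tolerable.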
Comment on lines +12 to +14
| TESTS_PASSED=0 | ||
| TESTS_FAILED=0 | ||
|
|
Contributor
🔎 PR Code Quality Reviewer is reviewing code quality for this pull request...
Contributor
🔍 Design Decision Gate 🏗️ is checking for design decision records on this pull request...
Contributor
🔬 Test Quality Sentinel is analyzing test quality on this pull request...
Contributor
🧠 Matt Pocock Skills Reviewer is reviewing this pull request using Matt Pocock's engineering skills...
Rootless containers on GitHub-hosted runners can leave `/tmp/gh-aw/sandbox` owned by root. AWF's `writeConfigs()` then dies with `EACCES: mkdir /tmp/gh-aw/sandbox/firewall/logs` before the agent is ever invoked — and the `chmod -R a+rX` fallback inside AWF fails for the same reason, making the error unrecoverable. This manifests as a per-runner ownership race: identical runs succeed or fail depending on whether a prior rootless job ran on the same runner.

Changes

- `create_gh_aw_tmp_dir.sh` — added a pre-flight check before `mkdir`: if `/tmp/gh-aw/sandbox` exists but is not writable by the current user, remove it with `sudo rm -rf` (falling back to plain `rm -rf`) so the subsequent `mkdir -p` creates a fresh, uid-owned tree before AWF starts

  Uses `[ -w ]` rather than UID comparison — portable across Linux/macOS and directly tests the condition that causes `EACCES`.
- `create_gh_aw_tmp_dir_test.sh` — new test covering: syntax validity, normal creation, user-owned sandbox preservation (no removal), and simulated non-writable sandbox reclaim (fake `sudo` records arguments and mimics root privilege).
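
The pre-flight check and the fake-`sudo` test described above, sketched as an added example; this is not the PR's script. The names `reclaim_if_unwritable` and `demo_reclaim`, the use of `sudo -n`, and the guard against an empty or `/` path are assumptions of the example.

```bash
#!/usr/bin/env bash
# Added example, not the PR's script. reclaim_if_unwritable and demo_reclaim
# are hypothetical names; sudo -n and the empty-path guard are assumptions.

# Return 0 if DIR is absent, writable, or was removed; 1 if removal failed;
# 2 if DIR is empty or "/" (never hand those to rm -rf).
reclaim_if_unwritable() {
  local dir="$1"
  case "$dir" in ''|/) echo "[ERROR] refusing path '${dir}'" >&2; return 2 ;; esac
  # [ -w ] tests the exact condition behind EACCES, whoever owns the tree.
  if [ ! -e "$dir" ] || [ -w "$dir" ]; then
    return 0
  fi
  echo "[INFO] ${dir} is not writable; reclaiming" >&2
  # Non-interactive sudo first, plain rm as the fallback.
  sudo -n rm -rf -- "$dir" 2>/dev/null || rm -rf -- "$dir" 2>/dev/null || true
  if [ -e "$dir" ]; then
    echo "[WARN] Failed to remove ${dir}" >&2
    return 1
  fi
  return 0
}

# Constructed demo: a read-only tree stands in for the root-owned sandbox and
# a fake sudo on PATH restores write bits before running the real command.
# Meaningful only as a non-root user, because root passes [ -w ] on any mode.
demo_reclaim() {
  local tmp rc=0
  tmp="$(mktemp -d)" || return 1
  mkdir -p "$tmp/bin" "$tmp/sandbox/firewall/logs"
  chmod -R a-w "$tmp/sandbox"
  cat > "$tmp/bin/sudo" <<'EOF'
#!/bin/sh
[ "$1" = "-n" ] && shift
for last in "$@"; do :; done
chmod -R u+w "$last" && exec "$@"
EOF
  chmod +x "$tmp/bin/sudo"
  ( PATH="$tmp/bin:$PATH"; reclaim_if_unwritable "$tmp/sandbox" ) || rc=$?
  [ "$rc" -eq 0 ] && [ -e "$tmp/sandbox" ] && rc=1
  chmod -R u+w "$tmp" 2>/dev/null
  rm -rf -- "$tmp"
  return "$rc"
}

if [ "${1:-}" = "--demo" ]; then demo_reclaim && echo "reclaimed"; fi
```

A caller would run `reclaim_if_unwritable /tmp/gh-aw/sandbox` before its `mkdir -p` and treat a non-zero return as a failed step.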