feat: add --rootless flag to install_copilot_cli.sh for ARC/DinD runners#46047
Conversation
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
- Parse --rootless flag (plus any flags before VERSION) with a full arg scan
instead of ${@:2} so --rootless works in any argument position
- Override INSTALL_DIR to ${HOME}/.local/bin in rootless mode
- Add maybe_sudo() wrapper that skips sudo when ROOTLESS=true
- Add preflight check for writable install directory in rootless mode
- Replace all sudo calls (chown, find, install, tar, chmod) with maybe_sudo
- Add GITHUB_PATH export after fresh-download install in rootless mode
- Use direct binary path for verification in rootless mode
Add install_copilot_cli_test.sh with 10 tests covering:
- Flag parsing in all argument positions
- INSTALL_DIR override for rootless/non-rootless modes
- GITHUB_PATH export and missing-GITHUB_PATH warning
- maybe_sudo behavior in both modes
Update docs to document --rootless and remove the
'allowPrivilegeEscalation: false is not supported' known limitation
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
Adds rootless Copilot CLI installation support for restricted ARC/DinD runners.
Changes:
- Adds
--rootless, user-local installation, and PATH export. - Adds shell tests and ARC documentation.
- Refreshes generated workflow metadata and schedule.
Show a summary per file
| File | Description |
|---|---|
actions/setup/sh/install_copilot_cli.sh |
Implements rootless installation. |
actions/setup/sh/install_copilot_cli_test.sh |
Adds rootless behavior tests. |
docs/.../arc-dind-copilot-agent.md |
Documents ARC rootless setup. |
docs/.../self-hosted-runners.md |
Updates sudo guidance. |
.github/workflows/skillet.lock.yml |
Refreshes action annotations. |
.github/workflows/release.lock.yml |
Refreshes action annotations. |
.github/workflows/hourly-ci-cleaner.lock.yml |
Refreshes action annotations. |
.github/workflows/avenger.lock.yml |
Refreshes action annotations. |
.github/workflows/agentic-auto-upgrade.yml |
Changes the weekly schedule. |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 9/9 changed files
- Comments generated: 3
- Review effort level: Medium
| # Inline the flag-parsing and directory-override block from install_copilot_cli.sh | ||
| # in a subshell so we can vary the arguments without touching the real filesystem. | ||
| parse_and_override() { | ||
| local args=("$@") | ||
| bash -c ' |
| on: | ||
| schedule: | ||
| - cron: "21 3 * * 5" # Weekly (auto-upgrade) | ||
| - cron: "11 4 * * 6" # Weekly (auto-upgrade) |
| - name: Install Copilot CLI (rootless) | ||
| run: bash "${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh" --rootless |
|
@copilot please run the Unresolved review threads:
|
|
Great work on the --rootless flag for install_copilot_cli.sh! Unblocking ARC/DinD clusters that enforce allowPrivilegeEscalation: false is a real pain point, and mirroring the pattern from install_awf_binary.sh keeps things consistent. This PR looks well-structured and ready for review: clear focused change, includes shell tests (install_copilot_cli_test.sh), updates relevant docs, and no new dependencies. No blockers spotted — looks good to go!
|
Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
Addressed the unresolved review feedback in commit
I also reran local validation ( Code review validation is clean; CodeQL timed out in the validation tool. CI on this new HEAD still needs a maintainer-triggered rerun (agent pushes do not trigger workflows). |
|
@copilot please run the Unresolved review threads:
|
Verified this on current HEAD ( Reran validation locally:
CI state for this HEAD is currently |
|
@copilot run pr-finisher skill |
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Resolved by merging latest |
|
\n@copilot please run the skill, address any unresolved review feedback, and rerun checks once the branch is up to date.
|
|
@copilot please run the
|
Ran pr-finisher on current HEAD
No additional code changes were required in this pass. CI on the current agent HEAD remains maintainer-gated/stale until a human re-triggers workflows.
Completed in the latest pass: pr-finisher run on HEAD No new code changes were needed. Remaining CI state is maintainer-gated/stale and requires a human-triggered rerun. |
|
@copilot please run the
|
Ran
No additional code changes were required in this pass. CI for the agent HEAD remains maintainer-gated/stale until a human re-triggers workflows. |
|
@copilot please run the Unresolved review feedback:
|
Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
Implemented one remaining in-scope fix in Verified the other two unresolved threads are already satisfied on this branch:
Validation on current HEAD passed locally: Branch freshness check: this branch is still behind current Next concrete maintainer action: click Update branch (or merge latest |
|
@copilot please run the
|
Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
…ess-cli-installation Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
Done in Current verification:
Next concrete maintainer action after checks are rerun: if required PR checks on this refreshed HEAD are green, proceed with final human review/approval and merge. |
|
@copilot please run the
|
Ran pr-finisher on HEAD
Next concrete maintainer action: re-trigger required PR workflows on this HEAD (close/reopen PR, workflow_dispatch, or a maintainer push). If required checks are green after rerun, proceed with final review/merge. |
🤖 PR Triage
Automated triage — run §29677420780
|
install_copilot_cli.shunconditionally usessudo, blocking ARC/DinD clusters that enforceallowPrivilegeEscalation: false. This mirrors the pattern already used byinstall_awf_binary.sh.Shell script (
install_copilot_cli.sh)--rootlessis recognized in any position (before or afterVERSION); first non-flag arg isVERSIONmaybe_sudo()— passes commands through directly in rootless mode, wraps withsudootherwise; replaces all 5 previous baresudocalls (chown,find,install,tar,chmod)--rootlessredirectsINSTALL_DIRfrom/usr/local/binto~/.local/bin~/.local/binis writable before attempting installGITHUB_PATHexport — appendsINSTALL_DIRafter fresh-download installs in rootless mode so subsequent steps find the binary${INSTALL_DIR}/copilot --versiondirectly in rootless mode (binary isn't onPATHyet)Tests (
install_copilot_cli_test.sh, new)10-test shell suite covering: flag parsing in all argument positions,
INSTALL_DIRoverrides,GITHUB_PATHexport, warning whenGITHUB_PATHis unset, andmaybe_sudobehavior in both modes.Docs
allowPrivilegeEscalation: false is not supportedknown limitation; updates troubleshooting entry to point at--rootlessinstead of "remove the constraint"--rootless