Skip to content

Commit 6eea890

Browse files
Mossakaclaude
andcommitted
refactor(workflow): simplify chroot smoke test prompt
Reduce the prompt to just verify language runtimes exist and print versions. The agent doesn't need to know it's running inside awf/chroot - if the runtimes work, the feature works. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
1 parent 6ff64fb commit 6eea890

2 files changed

Lines changed: 9 additions & 188 deletions

File tree

.github/workflows/smoke-chroot.lock.yml

Lines changed: 5 additions & 99 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

.github/workflows/smoke-chroot.md

Lines changed: 4 additions & 89 deletions
Original file line numberDiff line numberDiff line change
@@ -46,25 +46,11 @@ safe-outputs:
4646
timeout-minutes: 20
4747
---
4848

49-
# Smoke Test: Chroot Feature Validation
49+
# Verify Language Runtimes
5050

51-
**IMPORTANT: You are running inside awf with `--enable-chroot` enabled. Host binaries are available at their standard paths. Run commands directly - do NOT use `sudo awf` or any wrapper.**
51+
Check that common language runtimes are installed and print their versions.
5252

53-
## Context
54-
55-
The `--enable-chroot` feature allows you to transparently access host binaries (Python, Node, Go, Java, .NET) at their standard paths. You can run these directly without any special commands.
56-
57-
The expected host versions are set up by the workflow:
58-
- Python: 3.12.x
59-
- Node.js: 24.x.x
60-
- Go: 1.23.x
61-
- Java: 21.x.x (Temurin)
62-
- .NET: 8.x.x
63-
64-
## Test Tasks
65-
66-
### 1. Language Runtime Version Tests
67-
Run each runtime and capture its version. These should match the host versions above.
53+
Run these commands and report the results:
6854

6955
```bash
7056
python3 --version
@@ -74,75 +60,4 @@ java --version 2>&1 | head -1
7460
dotnet --version
7561
```
7662

77-
### 2. Standard Library Tests
78-
Verify each runtime can access its standard libraries:
79-
80-
```bash
81-
# Python stdlib
82-
python3 -c "import json, os, sys, http.client; print('Python stdlib OK')"
83-
84-
# Node.js builtins
85-
node -e "require('fs'); require('path'); require('os'); console.log('Node builtins OK')"
86-
87-
# Go compilation (needs init for modules)
88-
cd /tmp && rm -rf gotest && mkdir gotest && cd gotest && go mod init test && echo 'package main; func main() { println("Go OK") }' > main.go && go run main.go
89-
90-
# .NET runtime check
91-
dotnet --list-runtimes
92-
```
93-
94-
### 3. Security Boundary Tests
95-
Verify security restrictions are in place:
96-
97-
```bash
98-
# Docker socket should NOT exist or be /dev/null
99-
ls -la /var/run/docker.sock 2>&1
100-
101-
# iptables should fail (no NET_ADMIN capability)
102-
iptables -L 2>&1
103-
104-
# /usr should be read-only
105-
touch /usr/testfile 2>&1
106-
107-
# /tmp should be writable
108-
echo test > /tmp/awf-test && cat /tmp/awf-test && rm /tmp/awf-test
109-
```
110-
111-
### 4. User Identity Test
112-
```bash
113-
whoami
114-
id
115-
```
116-
117-
## Output Requirements
118-
119-
Create a PR comment with a summary table. Keep it concise.
120-
121-
| Test | Result |
122-
|------|--------|
123-
| Python version | [version] - PASS if 3.12.x |
124-
| Node.js version | [version] - PASS if 24.x |
125-
| Go version | [version] - PASS if 1.23.x |
126-
| Java version | [version] - PASS if 21.x |
127-
| .NET version | [version] - PASS if 8.x |
128-
| Python stdlib | PASS/FAIL |
129-
| Node builtins | PASS/FAIL |
130-
| Go compilation | PASS/FAIL |
131-
| .NET runtime | PASS/FAIL |
132-
| Docker socket hidden | PASS/FAIL |
133-
| iptables blocked | PASS/FAIL |
134-
| /usr read-only | PASS/FAIL |
135-
| /tmp writable | PASS/FAIL |
136-
| User not root | PASS/FAIL |
137-
138-
If ALL tests pass, add the label `smoke-chroot`.
139-
140-
## Expected Results
141-
142-
- All runtimes should be accessible at standard paths with matching versions
143-
- Standard library tests should all pass
144-
- Docker socket should not exist or be mapped to /dev/null
145-
- iptables commands should fail with "Permission denied" or "Operation not permitted"
146-
- /usr should be read-only
147-
- /tmp should be writable
148-
- User should NOT be root (should be awfuser or similar)
63+
Add a comment to the PR with a table showing each runtime and its version. If all runtimes are found, add the label `smoke-chroot`.

0 commit comments

Comments
 (0)