fix(copilot): support arbitrary HOME directory, not just /home/runner

[Copilot]

Problem

The Copilot engine generator hard-coded /home/runner/.copilot (and XDG_CONFIG_HOME=/home/runner) in several places. This breaks workflows on self-hosted, containerized, or rootless runners where $HOME is not /home/runner (e.g. /home/actions, /root, /var/lib/runner). On those runners the Copilot CLI would either fail to find its config or write it into the wrong place, depending on how ~ was resolved.

Additionally, two of the affected paths were emitted into the YAML env: block, where GitHub Actions does not shell-expand values. That meant any $HOME-based value put there would be passed to the agent as the literal string $HOME/..., not the resolved path — so the fix isn't just "search/replace /home/runner with $HOME"; it also requires moving certain vars out of YAML env: and into the run: script where the shell does expand.

Scope

Affects only the copilot engine (other engines already use ${{ runner.temp }} / ${{ github.workspace }} paths that GitHub Actions resolves at YAML-eval time). The shared MCP gateway dispatcher (used by all engines) only consults HOME when actually writing the Copilot fallback config — non-Copilot engines do not gain a new HOME dependency.

Changes

Go compiler (pkg/workflow/)

• copilot_mcp.go: mkdir -p $HOME/.copilot and MCP configPath use $HOME.
• copilot_engine_execution.go:
  • copilotSettingsPath → $HOME/.copilot/settings.json.
  • Cleanup trap body is single-quoted so $HOME expands at trap-fire time, not at trap-definition time.
  • New buildCopilotMCPConfigExport() emits export XDG_CONFIG_HOME="$HOME" (always) and export GH_AW_MCP_CONFIG="$HOME/.copilot/mcp-config.json" (when MCP servers are configured) from the run script. These used to live in the YAML env: block where shell expansion does not happen.
• threat_detection.go: detection-job MCP cleanup uses $HOME.

Runtime scripts

• actions/setup/js/start_mcp_gateway.cjs:
  • New resolveCopilotConfigPaths() helper (lazily called only when writing the Copilot fallback config, so non-Copilot engines do not require HOME).
  • New detectEngineType() helper extracted for testability; only consults HOME when auto-detecting Copilot via ~/.copilot.
• actions/setup/js/convert_gateway_config_copilot.cjs: new resolveCopilotConfigOutputPath() helper computes the output path from process.env.HOME.
• actions/setup/sh/start_mcp_gateway.sh and actions/setup/sh/convert_gateway_config_copilot.sh: mirror the same $HOME changes (these .sh files are not currently invoked by the generated workflow, but kept consistent with the .cjs counterparts). Both validate HOME before any $HOME/.copilot write so an unset HOME fails loudly rather than writing to /.copilot. start_mcp_gateway.sh engine auto-detection uses -d "$HOME/.copilot" (the directory test) rather than -f so it actually matches.

Lock files

All 245 generated .lock.yml files in .github/workflows/ recompiled to use the new $HOME-based shell snippets (see commit "Recompile lock files for $HOME-based Copilot config paths").

Tests

New Go test file: pkg/workflow/copilot_home_expansion_test.go

Two categories:

1. String-level pins on the helpers so a regression to a hard-coded /home/runner flips a focused test rather than only the broader goldens:

   • TestCopilotSettingsPath_UsesHomeNotLiteralRunner
   • TestBuildCopilotSettingsSetup_UsesHomeExpansion (with and without sudo chown)
   • TestBuildCopilotSettingsCleanupTrap_SingleQuotedSoHomeExpandsAtTrapFire
   • TestBuildCopilotMCPConfigExport_{NoMCPServers,WithMCPServers} (github / safe-outputs / custom MCP tool triggers)
   • TestCopilotMCPRenderer_UsesHomeForConfigPath
   • TestGetExecutionSteps_NoLiteralHomeRunner — broad guard that no Copilot step emits /home/runner/.copilot, XDG_CONFIG_HOME: /home/run, or GH_AW_MCP_CONFIG: /home/r (scoped to those patterns so the AWF tool-cache mount /home/runner/work/_tool, governed by RUNNER_TOOL_CACHE and out of scope here, is allowed).

2. Bash integration tests that actually execute the generated snippets under a fresh environment with different HOME values (/home/runner, /home/actions, /root, /var/lib/actions runner with a space, /home/runner-2.x) to confirm:

   • $HOME expands as expected.
   • Quoting survives a HOME containing spaces and other special chars.
   • The EXIT trap fires and uses the runtime HOME, not the trap-definition-time HOME (TestBashIntegration_TrapFiresWithRuntimeHome).
   • The settings file is written then cleaned up at exit.
   • GH_AW_MCP_CONFIG is unset when there are no MCP servers.

New JS tests (vitest)

• actions/setup/js/convert_gateway_config_copilot.test.cjs — resolveCopilotConfigOutputPath across the same HOME matrix, plus the unset/empty branches.
• actions/setup/js/start_mcp_gateway.test.cjs — resolveCopilotConfigPaths tests plus detectEngineType tests covering: explicit non-copilot engine (no HOME needed), auto-detect codex (no HOME needed), and HOME-scoped copilot auto-detection.

All 28 vitest tests pass; targeted Go test suite passes locally.

Golden files

Regenerated:

• pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden
• pkg/workflow/testdata/TestWasmGolden_CompileFixtures/{basic-copilot,playwright-cli-mode,smoke-copilot,with-imports}.golden
• pkg/workflow/testdata/wasm_golden/WasmBinary/*.golden

Lock files (*.lock.yml) in user repos will see mechanical diffs on their next gh aw compile. No codemod is needed — the affected text only appears in compiler output (not user-authored markdown). Behavior on standard GitHub-hosted runners (HOME=/home/runner) is unchanged.

Why $HOME and not a fallback like ${HOME:-/home/runner}

Other gh-aw generators (mcp_setup_generator.go for the gh extension dir, the copilot session-state copy script, the codex engine config) already rely on bare $HOME with no fallback. HOME is a standard POSIX environment variable inherited from the runner's parent process and passed through to shell steps. Adding a fallback only here would be inconsistent; if $HOME is genuinely missing the workflow has bigger pre-existing problems than this one path. The JS helpers (resolveCopilotConfigPaths / resolveCopilotConfigOutputPath) and the .sh scripts do throw a clear error if HOME is unset (and only check it when actually about to write a Copilot path), so the failure is loud rather than a silent wrong-path write, and non-Copilot engines are unaffected.

Changeset

.changeset/patch-copilot-home-expansion-self-hosted-runners.md (patch).

ADR

ADR: ADR-38725: Resolve Copilot Config Paths from $HOME

---

Changeset

• Type: patch
• Description: Resolve Copilot config paths from $HOME instead of hard-coded /home/runner so the copilot engine works on self-hosted and containerized runners.

Generated by 📋 Changeset Generator for issue #38725 · 7.89 AIC · ⊞ 17K · ◷

---

---

✨ PR Review Safe Output Test - Run 27387269540

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

• accounts.google.com
• android.clients.google.com
• clients2.google.com
• contentautofill.googleapis.com
• safebrowsingohttpgateway.googleapis.com
• www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

💥 [THE END] — Illustrated by Smoke Claude · 65.2 AIC · ⌖ 25.6 AIC · ⊞ 8.1K · ◷

[github-actions]

✅ PR Code Quality Reviewer completed the code quality review.

[github-actions]

🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅

[github-actions]

🧪 Test Quality Sentinel completed test quality analysis.

[github-actions]

❌ Design Decision Gate 🏗️ failed to deliver outputs during design decision gate check.

[Copilot]

Pull request overview

This PR tightens Copilot MCP config path handling so Copilot config/state locations are derived from HOME (keeping GitHub-hosted runner defaults intact), and updates setup/conversion scripts plus generated artifacts to reflect the resolved Copilot MCP config path.

Changes:

• Introduces centralized Copilot path helpers and uses them when rendering Copilot MCP config steps.
• Updates gateway start/conversion scripts (bash + Node) to resolve the Copilot MCP config path via GH_AW_MCP_CONFIG with a backward-compatible default.
• Regenerates goldens and workflow lockfiles to reflect the new Copilot MCP config path handling.

Show a summary per file

File	Description
pkg/workflow/threat_detection.go	Adjusts detection-job cleanup to remove MCP config artifacts (now parameterized).
pkg/workflow/copilot_paths.go	Adds helper functions/constants to derive Copilot config paths from workflow HOME.
pkg/workflow/copilot_mcp.go	Uses derived Copilot paths when emitting the MCP config setup step.
docs/src/content/docs/reference/self-hosted-runners.md	Documents self-hosted runner considerations for Copilot config placement.
actions/setup/sh/start_mcp_gateway.sh	Resolves Copilot config dir from GH_AW_MCP_CONFIG default and uses it for engine detection/fallback write path.
actions/setup/sh/install_copilot_cli.sh	Derives Copilot directory from GH_AW_MCP_CONFIG (with default) before ownership repair.
actions/setup/sh/install_copilot_cli_test.sh	Adds a shell test asserting install_copilot_cli.sh derives Copilot dir from GH_AW_MCP_CONFIG and avoids runner:runner.
actions/setup/sh/convert_gateway_config_copilot.sh	Writes Copilot config to GH_AW_MCP_CONFIG (defaulting to /home/runner/.copilot/mcp-config.json) and ensures parent dir exists.
actions/setup/sh/convert_gateway_config_copilot_test.sh	Adds a shell test verifying Copilot converter honors GH_AW_MCP_CONFIG and sets mode 600.
actions/setup/js/start_mcp_gateway.cjs	Resolves Copilot MCP config path and uses it for detection/fallback writes with secure permissions.
actions/setup/js/convert_gateway_config_shared.cjs	Adds a shared DEFAULT_COPILOT_MCP_CONFIG_PATH constant and a resolver helper.
actions/setup/js/convert_gateway_config_copilot.cjs	Writes Copilot config to the resolved GH_AW_MCP_CONFIG path (default fallback).
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden	Updates expected compiled workflow output to export GH_AW_MCP_CONFIG before gateway start.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden	Same as above for the smoke fixture.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden	Same as above for the Playwright CLI mode fixture.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden	Same as above for the basic Copilot fixture.
pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden	Same as above for the all-engines Copilot fixture.
.github/workflows/workflow-normalizer.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/workflow-health-manager.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/workflow-generator.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/video-analyzer.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/update-astro.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/unbloat-docs.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/typist.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/tidy.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/test-workflow.lock.yml	Updates Copilot MCP config export path in the locked workflow.
.github/workflows/test-quality-sentinel.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/test-project-url-default.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/test-dispatcher.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/test-create-pr-error-handling.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/super-linter.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/step-name-alignment.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/static-analysis-report.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/spec-librarian.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/spec-extractor.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/spec-enforcer.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/smoke-test-tools.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/smoke-pi.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/smoke-opencode.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/smoke-gemini.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/smoke-crush.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/smoke-copilot-sdk.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/smoke-codex.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/smoke-claude.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/smoke-ci.lock.yml	Updates Copilot MCP config export path in the locked workflow.
.github/workflows/smoke-call-workflow.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/smoke-antigravity.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/smoke-agent-scoped-approved.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/smoke-agent-public-none.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/smoke-agent-public-approved.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/smoke-agent-all-none.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/smoke-agent-all-merged.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/sergo.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/semantic-function-refactor.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/security-review.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/security-compliance.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/scout.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/schema-feature-coverage.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/schema-consistency-checker.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/safe-output-health.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/ruflo-backed-task.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/research.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/repo-tree-map.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/release.lock.yml	Updates Copilot MCP config export path in the locked workflow.
.github/workflows/refiner.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/q.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/python-data-charts.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/prompt-clustering-analysis.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/pr-description-caveman.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/plan.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/pdf-summary.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/outcome-collector.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/org-health-report.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/objective-impact-report.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/necromancer.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/metrics-collector.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/mergefest.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/lockfile-stats.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/linter-miner.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/lint-monster.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/layout-spec-maintainer.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/jsweep.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/issue-arborist.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/instructions-janitor.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/hourly-ci-cleaner.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/hippo-embed.lock.yml	Updates Copilot MCP config export path in the locked workflow.
.github/workflows/grumpy-reviewer.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/gpclean.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/go-pattern-detector.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/go-logger.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/go-fan.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/github-mcp-tools-report.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/github-mcp-structural-analysis.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/firewall.lock.yml	Updates Copilot MCP config export path in the locked workflow.
.github/workflows/firewall-escape.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/example-workflow-analyzer.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/example-permissions-warning.lock.yml	Updates Copilot MCP config export path in the locked workflow.
.github/workflows/duplicate-code-detector.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/docs-noob-tester.lock.yml	Updates Copilot MCP config export path in the locked workflow.
.github/workflows/developer-docs-consolidator.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/dev.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/dev-hawk.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/designer-drift-audit.lock.yml	Updates Copilot MCP config export path in the locked workflow.
.github/workflows/design-decision-gate.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/dependabot-worker.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/dependabot-repair.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/delight.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/deep-report.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/daily-windows-terminal-integration-builder.lock.yml	Updates Copilot MCP config export path in the locked workflow.
.github/workflows/daily-token-consumption-report.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/daily-team-status.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/daily-team-evolution-insights.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/daily-security-red-team.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/daily-safeoutputs-git-simulator.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/daily-safe-outputs-conformance.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/daily-safe-output-optimizer.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/daily-rendering-scripts-verifier.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/daily-reliability-review.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/daily-observability-report.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/daily-news.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/daily-multi-device-docs-tester.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/daily-model-inventory.lock.yml	Updates Copilot MCP config export path in the locked workflow.
.github/workflows/daily-max-ai-credits-test.lock.yml	Updates Copilot MCP config export path in the locked workflow.
.github/workflows/daily-malicious-code-scan.lock.yml	Updates Copilot MCP config export path in the locked workflow.
.github/workflows/daily-function-namer.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/daily-firewall-report.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/daily-fact.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/daily-doc-updater.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/daily-doc-healer.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/daily-credit-limit-test.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/daily-code-metrics.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/daily-choice-test.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/daily-caveman-optimizer.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/daily-cache-strategy-analyzer.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/daily-byok-ollama-test.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/daily-awf-spec-compiler-surfacing.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/daily-aw-cross-repo-compile-check.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/daily-astrostylelite-markdown-spellcheck.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/daily-agentrx-trace-optimizer.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/craft.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/copilot-session-insights.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/copilot-opt.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/copilot-agent-analysis.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/contribution-check.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/constraint-solving-potd.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/commit-changes-analyzer.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/code-simplifier.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/cloclo.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/cli-version-checker.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/claude-code-user-docs-review.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/ci-doctor.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/ci-coach.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/brave.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/bot-detection.lock.yml	Updates Copilot MCP config export path in the locked workflow.
.github/workflows/blog-auditor.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/aw-failure-investigator.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/avenger.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/audit-workflows.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/artifacts-summary.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/architecture-guardian.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/archie.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/approach-validator.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/api-consumption-report.lock.yml	Updates Copilot MCP config cleanup path in the locked workflow.
.github/workflows/agentic-token-trend-audit.lock.yml	Updates Copilot MCP config export path in the locked workflow.
.github/workflows/agentic-token-optimizer.lock.yml	Updates Copilot MCP config export path in the locked workflow.
.github/workflows/agentic-token-audit.lock.yml	Updates Copilot MCP config export/cleanup paths in the locked workflow.
.github/workflows/ace-editor.lock.yml	Updates Copilot MCP config export path in the locked workflow.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 262/262 changed files
• Comments generated: 3

[pelikhan]

oops sorry i mechanically synched it

[github-actions]

Two blocking issues need to be resolved before merge.

### Blocking issues

1. Installer step targets the wrong directory on self-hosted runners (install_copilot_cli.sh line 27)

The installer script now derives COPILOT_DIR from GH_AW_MCP_CONFIG, but GH_AW_MCP_CONFIG is not injected into the installer step — that env var only reaches the agent execution step. On a self-hosted runner with HOME=/srv/gha, the installer creates and chowns /home/runner/.copilot (the hardcoded default) while the agent later uses /srv/gha/.copilot. The previous code used "${HOME}/.copilot" which naturally picked up the runner's real home. This regression directly breaks the goal of the PR.

2. Documentation tells users to set engine.env.GH_AW_MCP_CONFIG (self-hosted-runners.md line 179)

The docs were written against the first commit. The second commit (0f61e58) replaced GH_AW_MCP_CONFIG-based override with HOME-based override, but the docs were never updated. Users following this doc will set the wrong key and see no error.

🔎 Code quality review by PR Code Quality Reviewer · 627.9 AIC · ⌖ 14 AIC · ⊞ 16.7K

[github-actions]

🧪 Test Quality Sentinel Report

✅ Test Quality Score: 80/100 — Excellent

Analyzed 3 test(s): 3 design, 0 implementation, 0 guideline violation(s). Score capped at 80 due to potential test-inflation signal in the JS test file (no direct corresponding production file).

📊 Metrics & Test Classification (3 tests analyzed)

Metric	Value
New/modified tests analyzed	3
✅ Design tests (behavioral contracts)	3 (100%)
⚠️ Implementation tests (low value)	0 (0%)
Tests with error/edge cases	2 (67%)
Duplicate test clusters	0
Test inflation detected	⚠️ JS file (54 added vs ~14 production lines ≈ 3.9:1 — no direct corresponding production file, contextual)
🚨 Coding-guideline violations	0

Test Classification Details

Test	File	Classification	Issues Detected
resolves Copilot MCP config path from GH_AW_MCP_CONFIG with default fallback	actions/setup/js/convert_gateway_config_adapters.test.cjs:42	✅ Design	Has edge case (env var absent → default fallback)
copilot converter writes to the resolved non-default config path	actions/setup/js/convert_gateway_config_adapters.test.cjs:61	✅ Design	End-to-end: verifies file creation, URL rewriting, and permissions (0o600); no explicit error path
TestCopilotEngineConfigPathsDefaultAndOverride (2 table rows: default + home override)	pkg/workflow/copilot_engine_test.go:252	✅ Design	Table-driven; includes negative assertions (unexpectedExecutionStrings); both happy-path and HOME-override case

Language Support

Tests analyzed:

• 🐹 Go (*_test.go): 1 new test function — unit (//go:build !integration ✅)
• 🟨 JavaScript (*.test.cjs): 2 new tests (vitest)

i️ Tests in other languages were found but are outside the current analysis scope (Go and JavaScript supported).

• Shell (*.sh): actions/setup/sh/convert_gateway_config_copilot_test.sh (+53 lines, new), actions/setup/sh/install_copilot_cli_test.sh (+31 lines, new)

Verdict

✅ Check passed. 0% of new tests are implementation tests (threshold: 30%). No coding-guideline violations detected. All 3 new tests verify observable behavioral contracts.

📖 Understanding Test Classifications

Design Tests (High Value) verify what the system does:

• Assert on observable outputs, return values, or state changes
• Cover error paths and boundary conditions
• Would catch a behavioral regression if deleted
• Remain valid even after internal refactoring

Implementation Tests (Low Value) verify how the system does it:

• Assert on internal function calls (mocking internals)
• Only test the happy path with typical inputs
• Break during legitimate refactoring even when behavior is correct
• Give false assurance: they pass even when the system is wrong

Goal: Shift toward tests that describe the system's behavioral contract — the promises it makes to its users and collaborators.

References: §27383667182

🧪 Test quality analysis by Test Quality Sentinel · 541.7 AIC · ⌖ 27.6 AIC · ⊞ 27.2K · ◷

[github-actions]

✅ Test Quality Sentinel: 80/100. Test quality is acceptable — 0% of new tests are implementation tests (threshold: 30%). All 3 new tests verify behavioral contracts with no mock-library violations and valid build tags.

[github-actions]

Skills-Based Review 🧠

Applied /zoom-out — requesting one change: the lock files need regeneration to match the final Go source.

📋 Key Themes & Findings

Critical: Lock files are stale

The PR contains two rounds of Go source changes:

Commit	Change
6ca2901	Added the conditional guard pattern and regenerated lock files
0f61e58	Simplified back to a direct export pattern — but lock files were not regenerated

As a result, every .lock.yml in this PR emits:

if [ -z "${GH_AW_MCP_CONFIG:-}" ]; then export GH_AW_MCP_CONFIG=/home/runner/.copilot/mcp-config.json; fi
mkdir -p "$(dirname "${GH_AW_MCP_CONFIG}")"

while pkg/workflow/copilot_mcp.go (current HEAD) would generate:

export GH_AW_MCP_CONFIG=/home/runner/.copilot/mcp-config.json
mkdir -p /home/runner/.copilot

This is not cosmetic — the conditional preserves a pre-set GH_AW_MCP_CONFIG, which contradicts the stated goal of stopping GH_AW_MCP_CONFIG from acting as an override. Run make recompile from the branch tip to fix all lock files in one shot.

Positive Highlights

• ✅ copilot_paths.go refactor is clean — deriving all paths from HOME via copilotHomeForWorkflow makes the relationship explicit.
• ✅ Asserting XDG_CONFIG_HOME and GH_AW_MCP_CONFIG after the engine.env merge correctly prevents user-supplied values from redirecting config placement.
• ✅ The threat-detection cleanup (rm -f "${GH_AW_MCP_CONFIG:-/home/runner/.copilot/mcp-config.json}") is a well-written safe fallback.
• ✅ Test cases for the HOME-override scenario clearly document that a caller-supplied GH_AW_MCP_CONFIG in engine.env is intentionally ignored.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• proxy.golang.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "proxy.golang.org"

See Network Configuration for more information.

🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · 838 AIC · ⌖ 13.4 AIC · ⊞ 27.8K

[Copilot]

@copilot run pr-finisher skill

Ran the PR-finisher pass. No further code changes were needed on top of 9e04b2f: make fmt, make lint, make test-unit, make test, and make recompile all pass locally. The earlier Design Decision Gate failure was on an older head and the two current bot failures are AIC guardrail failures, not code regressions. GitHub still shows the PR blocked/pending, so CI/review state needs human follow-up before merge.

[github-actions]

🚀 Smoke Antigravity MISSION COMPLETE! Antigravity has spoken. ✨

[github-actions]

🚀 Smoke Pi MISSION COMPLETE! Pi delivered. 🥧

[github-actions]

✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready.

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

⚠️ Smoke Gemini failed. Gemini encountered unexpected challenges...

[github-actions]

🌑 The shadows whisper... Smoke Codex failed to deliver outputs. The oracle requires further meditation...

[github-actions]

📰 BREAKING: Smoke Copilot - AOAI (apikey) is now investigating this pull request. Sources say the story is developing...

[github-actions]

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

[github-actions]

Agent Container Tool Check

Tool	Status	Version
bash	✅	5.2.21
sh	✅	available
git	✅	2.54.0
jq	✅	1.7
yq	✅	4.53.3
curl	✅	8.5.0
gh	✅	2.93.0
node	✅	22.22.3
python3	✅	3.11.15 (PyPy 7.3.23)
go	✅	1.24.13
java	✅	21.0.11
dotnet	✅	10.0.300

Result: 12/12 tools available ✅

Overall Status: PASS

🔧 Tool validation by Agent Container Smoke Test · 39.3 AIC · ⌖ 12.3 AIC · ⊞ 28.1K · ◷

[github-actions]

💥 Smoke Test: Claude — Run 27387269540

Core #1-12: ✅ all passed
#13 ✅ #14 ✅ #15 ✅ #16 ⚠️ skip #17 ✅ #18 ✅ #19 ⚠️ skip
Overall: PARTIAL (all executed passed; 2 skipped)

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

• accounts.google.com
• android.clients.google.com
• clients2.google.com
• contentautofill.googleapis.com
• safebrowsingohttpgateway.googleapis.com
• www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

💥 [THE END] — Illustrated by Smoke Claude · 65.2 AIC · ⌖ 25.6 AIC · ⊞ 8.1K · ◷

[github-actions]

💥 Automated smoke test review - all systems nominal!

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

• accounts.google.com
• android.clients.google.com
• clients2.google.com
• contentautofill.googleapis.com
• safebrowsingohttpgateway.googleapis.com
• www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

💥 [THE END] — Illustrated by Smoke Claude · 65.2 AIC · ⌖ 25.6 AIC · ⊞ 8.1K

Comments that could not be inline-anchored

.changeset/patch-copilot-home-expansion-self-hosted-runners.md:5

Nice clear changeset entry explaining the HOME-based path resolution and the expected mechanical lock-file diffs. 👍

.github/skills/http-mcp-headers/SKILL.md:9

Consider linking to the relevant copilot engine source so readers can jump straight to the implementation.

[zarenner]

This PR is still missing some fixes for /home/runner/work/_tool AWF invocation - going to handle those separately as this PR is large enough and there's other possible fixes that need to be made there that should be looked at closer.

[github-actions]

Smoke test status: FAIL\n✅ PR reads; Serena; Playwright; file write; bash verify; build; comment memory; cache memory; issue field\n❌ web-fetch tool unavailable\nOverall: FAIL

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

• accounts.google.com
• android.clients.google.com
• clients2.google.com
• contentautofill.googleapis.com
• safebrowsingohttpgateway.googleapis.com
• www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex · 39.2 AIC · ⊞ 11.2K · ◷

[github-actions]

Comment Memory

Silent builds breathe in
Merged checks drift through the daylight
Agents keep their vow

Note

This comment is managed by comment memory.

It stores persistent context for this thread in the code block at the top of this comment.
Edit only the text inside the backtick fences; workflow metadata and the footer are regenerated automatically.

Learn more about comment memory

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

• accounts.google.com
• android.clients.google.com
• clients2.google.com
• contentautofill.googleapis.com
• safebrowsingohttpgateway.googleapis.com
• www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex · 39.2 AIC · ⊞ 11.2K · ◷

[github-actions]

Smoke tests:

1. GH MCP: ✅
2. mcpscripts: ✅
3. Serena: ✅
4. Playwright: ✅
5. Web fetch: ✅
6. File ops: ✅
   Others: ❌
   Overall: FAIL

📰 BREAKING: Report filed by Smoke Copilot - AOAI (apikey) · 96.2 AIC · ⌖ 7.54 AIC · ⊞ 19K · ◷

[github-actions]

Smoke test: fix(copilot): support arbitrary HOME directory, not just /home/runner
Merged PRs: #38742 Add hardcodedfilepath linter to detect hard-coded file path string literals; #38740 Scale homepage hero slides correctly on mobile
Results: 1✅ 2✅ 3✅ 4✅ 5✅ 6✅ 7✅ 8✅ 9✅ 10✅ 11✅ 12✅ 13✅ 14✅ 15✅
Status: PASS
Author: @app/copilot-swe-agent | Assignees: zarenner, Copilot

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

• accounts.google.com
• android.clients.google.com
• clients2.google.com
• contentautofill.googleapis.com
• safebrowsingohttpgateway.googleapis.com
• www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot · 420.8 AIC · ⌖ 9.44 AIC · ⊞ 20.3K · ◷

[zarenner]

Smoke Copilot looking good with $HOME changes, merging. Will continue to hunt additional /home/runner hardcodes in follow-up PRs.