
[Experiment] Test dotnet build inside gh-aw agent container #34762

Closed
PureWeen wants to merge 12 commits into main from experiment/gh-aw-build-test

Conversation

@PureWeen

Member

Experiment

Tests whether the gh-aw agent sandbox can run dotnet build. Expected results:

  • api.nuget.org is blocked by AWF firewall → restore fails
  • dotnet CLI may or may not be installed in the container
  • TOKEN env vars are visible to subprocesses (via --env-all)

This is a throwaway experiment PR — do not merge.

What we're verifying

  1. AWF firewall blocks NuGet restore (accidental security)
  2. Environment variable exposure inside the container
  3. Whether dotnet CLI is even available in the agent image

github-actions Bot and others added 10 commits March 26, 2026 11:46
- Change trigger from pull_request to pull_request_target so fork PRs
  have access to secrets (COPILOT_GITHUB_TOKEN)
- Add roles: all to allow fork contributors (who have read permission)
  to trigger the workflow
- Remove forks: ["*"] (not needed with pull_request_target)
- Remove ready_for_review type (not supported by gh-aw for
  pull_request_target)
- Update if condition and gate step to reference pull_request_target

Validated on PureWeen/maui:
- Same-repo PR: all green (run 23603776593)
- Fork PR via workflow_dispatch: all green (run 23605610535)
- Fork PR via pull_request_target: all green (run 23606033617)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The workflow_dispatch step runs with GITHUB_TOKEN and checks out PR code.
Restrict it to only process PRs from authors with write/maintain/admin
access, preventing checkout of untrusted fork code in a privileged context.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Move the PR author permission check from inline workflow bash into the
shared Checkout-GhAwPr.ps1 script. Any gh-aw workflow using this script
now automatically gates on the PR author having write/maintain/admin
access before checking out code.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Fork PRs are handled by pull_request_target (platform checkout in
sandboxed container). The workflow_dispatch path should only process
same-repo PRs from authors with write access.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Restoring only skills/, instructions/, and copilot-instructions.md left
other .github/ subdirs (pr-review/, scripts/, workflows/) from the PR
branch. Restore the entire .github/ directory for complete coverage.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Instead of deleting .github/ and restoring from main, merge the base
branch into the PR branch after checkout. This produces the same state
as a pull_request merge commit: PR changes + latest main. If the PR
modifies a skill, the PR version wins; otherwise main's version is used.

This lets contributors iterate on skills via workflow_dispatch while
keeping everything else current. On merge conflict, falls back to the
PR branch as-is with a warning.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- pull_request_target: only auto-runs for OWNER/MEMBER/COLLABORATOR
- issue_comment: /evaluate-tests only accepted from OWNER/MEMBER/COLLABORATOR
- workflow_dispatch: unchanged
- External PRs require maintainer /evaluate-tests comment to trigger

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Revert merge strategy to targeted git checkout (works in shallow clones)
- Remove roles:all, restore gh-aw pre_activation with write-level checks
- Remove author_association from if: (gh-aw handles access gating)
- Update fork fallback message to remove stale workflow_dispatch advice

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Add suppress_comment input for workflow_dispatch dry-run (evaluate without posting comment)
- Add explicit noop guidance so the agent uses it instead of silently exiting
- Update posting results section to respect dry-run mode

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Tests whether the AWF firewall blocks api.nuget.org (expected),
whether dotnet CLI is available, and what env vars are exposed.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions

github-actions Bot commented Mar 31, 2026

Contributor

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

```
curl -fsSL https://raw.githubusercontent.com/dotnet/maui/main/eng/scripts/get-maui-pr.sh | bash -s -- 34762
```

Or run remotely in PowerShell:

```
iex "& { $(irm https://raw.githubusercontent.com/dotnet/maui/main/eng/scripts/get-maui-pr.ps1) } 34762"
```

Adds build environment test as first step in evaluate-tests prompt.
Removes standalone build-test workflow since it can't be dispatched
from a non-default branch.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions

github-actions Bot commented Apr 1, 2026

Contributor

🧪 Build Environment Experiment Results

Here are the results from the build environment test:

=== Step 1: Check .NET SDK ===
10.0.201

=== Step 2: Check env vars containing TOKEN (names only, redacted values) ===
LD_PRELOAD=(REDACTED)
COPILOT_TOKEN=(REDACTED)
AWF_ONE_SHOT_TOKENS=(REDACTED)

=== Step 3: Network test - api.nuget.org ===
(empty response / BLOCKED)

=== Step 4: Network test - api.github.com ===
{
  "current_user_url": "https://api.github.com/user",
  "current_user_authorizations_html_url": "ht...  (truncated at 100 chars)

=== Step 5: Try dotnet build (no restore) ===
MSBUILD : error MSB1009: Project file does not exist.
Switch: src/Controls/tests/TestCases.HostApp/Maui.Controls.Sample.HostApp.csproj

=== Step 6: Try dotnet build (with restore) ===
MSBUILD : error MSB1009: Project file does not exist.
Switch: src/Controls/tests/TestCases.HostApp/Maui.Controls.Sample.HostApp.csproj

Summary

| Check | Result |
| --- | --- |
| .NET SDK version | 10.0.201 |
| TOKEN env vars | LD_PRELOAD, COPILOT_TOKEN, AWF_ONE_SHOT_TOKENS |
| api.nuget.org | ❌ BLOCKED (empty response) |
| api.github.com | ✅ Reachable |
| dotnet build (no restore) | ❌ Project file not found |
| dotnet build (with restore) | ❌ Project file not found |

Notes:

  • NuGet network access appears to be blocked (firewall restriction)
  • GitHub API is reachable
  • The HostApp .csproj file path does not exist at the expected location — the project file may be named differently or located in a different path on this branch

Warning

⚠️ Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • api.nuget.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "api.nuget.org"

See Network Configuration for more information.

🧪 Test evaluation by Evaluate PR Tests

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions

github-actions Bot commented Apr 1, 2026

Contributor

🔬 Build Environment Experiment Results

Results from the build environment experiment requested for PR #34762.

### Step 1: Check .NET SDK
```
10.0.201
```
✅ .NET SDK 10.0.201 is available.

---

### Step 2: Check env vars containing TOKEN (names only, redacted values)
```
AWF_ONE_SHOT_TOKENS=(REDACTED)
COPILOT_TOKEN=(REDACTED)
LD_PRELOAD=(REDACTED)
```
(Note: `LD_PRELOAD` matched the grep pattern coincidentally — not a token var)

---

### Step 3: Network test - api.nuget.org
```
BLOCKED (curl: Permission denied)
```
❌ Network access to `api.nuget.org` is **blocked** by the firewall.

---

### Step 4: Find HostApp project
```
./src/Controls/tests/TestCases.HostApp/Controls.TestCases.HostApp.csproj
```
✅ HostApp project found (note: the filename is `Controls.TestCases.HostApp.csproj`, not `Maui.Controls.Sample.HostApp.csproj`).

---

### Step 5: Try dotnet restore

❌ **FAILED** — Missing workloads. Key errors (all similar):

```
error NETSDK1147: To build this project, the following workloads must be installed: android
  [Controls.TestCases.HostApp.csproj::TargetFramework=net10.0-android]

error NETSDK1147: To build this project, the following workloads must be installed: android
  [Core.csproj::TargetFramework=net10.0-android36.0]

error NETSDK1147: To build this project, the following workloads must be installed: android
  [Controls.Core.csproj::TargetFramework=net10.0-android36.0]
  ... (repeated for all Android TFM projects)
```

The `android`, `ios`, and other platform workloads are **not installed** in this environment.

---

### Step 6: Try dotnet build (Android, no restore)

❌ **FAILED** — Same workload error even without `--no-restore`:

```
error NETSDK1147: To build this project, the following workloads must be installed: android
  [Controls.TestCases.HostApp.csproj::TargetFramework=net10.0-android]

Build FAILED.
  0 Warning(s)
  1 Error(s)

Time Elapsed 00:00:00.57
```

---

### Summary

| Check | Result |
| --- | --- |
| .NET SDK version | ✅ 10.0.201 |
| Token env vars present | AWF_ONE_SHOT_TOKENS, COPILOT_TOKEN |
| Network access (nuget.org) | ❌ BLOCKED |
| HostApp project found | Controls.TestCases.HostApp.csproj |
| dotnet restore | ❌ Missing android/ios workloads |
| dotnet build (Android) | ❌ Missing android workload |

Conclusion: The build environment has .NET 10 SDK but lacks MAUI platform workloads (android, ios, maccatalyst, windows) and has no network access to install them. Automated compilation-based test validation is not possible in this environment.

🧪 Test evaluation by Evaluate PR Tests
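The probe the two result comments above describe (SDK check, token-named env vars, egress test, project lookup, restore/build classification), written out as an added example for this page. It is not the dotnet/maui project's script and not the gh-aw prompt that produced the results. Three choices differ from what the bot output suggests: env vars are matched on their names only, so no value ever reaches a log; egress is judged by curl's exit status rather than by an empty body; and `NETSDK1147` is classified as a missing-workload failure, which happens before any package download and is therefore not a firewall symptom. The env-name pattern `TOKEN|SECRET|KEY`, the probe URLs, the project glob and the sample restore log in `main` are assumptions constructed for the example.

```bash
#!/usr/bin/env bash
# Added example: build-environment probe for a sandboxed agent/CI container.
# Not the dotnet/maui project's script; pattern, URLs and globs are assumptions.
set -u

# Step 1: SDK presence and version; does not abort the probe if dotnet is absent.
sdk_version() {
  if command -v dotnet >/dev/null 2>&1; then dotnet --version; else echo "dotnet: not installed"; fi
}

# Step 2: print NAME=(REDACTED) for exported variables whose NAME matches the
# pattern. Only names are inspected, so a secret value is never echoed, and
# matching names instead of whole NAME=value lines avoids hits on values.
# The sed keeps only lines shaped like NAME=..., dropping continuation lines
# of multi-line values.
list_secret_env_names() {
  local pattern="${1:-TOKEN|SECRET|KEY}"
  env | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' | grep -E "$pattern" | sort | sed 's/$/=(REDACTED)/'
  return 0
}

# Steps 3/4: egress probe. curl's exit status decides, not the body: an empty
# body can also be a legitimate HTTP 204, whereas a firewall block surfaces as
# a non-zero exit (7 = could not connect, 28 = timeout, 6 = DNS failure).
probe_egress() {
  local url="$1" code rc
  code=$(curl -s -o /dev/null --max-time 5 -w '%{http_code}' "$url" 2>/dev/null)
  rc=$?
  if [ "$rc" -eq 0 ]; then
    echo "reachable http=$code"
    return 0
  fi
  echo "BLOCKED curl_exit=$rc"
  return 1
}

# Step 4 (second run): locate the project by file name instead of hard-coding
# a path that may not exist on the branch. Prints the first match, or nothing.
find_project() {
  local root="$1" name_glob="$2"
  find "$root" -type f -name "$name_glob" 2>/dev/null | head -n 1
}

# Steps 5/6: classify a restore/build log. NETSDK1147 (workload missing) fails
# before any package download, so it must not be reported as a network block.
# Prints one of: ok, missing-workloads:<ids>, failed.
classify_build_log() {
  local log="$1" ids
  if grep -q 'NETSDK1147' "$log"; then
    ids=$(sed -n 's/.*must be installed: \([^[]*\).*/\1/p' "$log" | tr ', ' '\n\n' | grep -v '^$' | sort -u | paste -s -d, -)
    echo "missing-workloads:$ids"
    return 1
  fi
  if grep -q 'Build succeeded' "$log"; then echo ok; return 0; fi
  echo failed
  return 1
}

main() {
  echo "=== Step 1: .NET SDK ==="; sdk_version
  echo "=== Step 2: secret-like env var names (values never printed) ==="; list_secret_env_names
  echo "=== Steps 3/4: egress ==="
  probe_egress "https://api.nuget.org/v3/index.json" || true
  probe_egress "https://api.github.com/" || true
  echo "=== Step 4: project lookup ==="
  find_project . 'Controls.TestCases.HostApp.csproj'
  echo "=== Steps 5/6: classify a constructed restore log (sample, not real output) ==="
  local log; log=$(mktemp)
  cat > "$log" <<'EOF'
error NETSDK1147: To build this project, the following workloads must be installed: android [Controls.TestCases.HostApp.csproj::TargetFramework=net10.0-android]
error NETSDK1147: To build this project, the following workloads must be installed: android [Core.csproj::TargetFramework=net10.0-android36.0]
EOF
  classify_build_log "$log" || true
  rm -f "$log"
}
main "$@"
```

Run it from the repository root inside the container; on a host with the SDK installed, `dotnet workload list` is the direct check for the missing `android`/`ios` workloads that the classifier infers from the log.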
