[review] fix: emit sbx credential refresh step before agent execution#45150
[review] fix: emit sbx credential refresh step before agent execution#45150github-actions[bot] wants to merge 3 commits into
Conversation
Docker Hub OAuth tokens obtained by `sbx login` during the daemon-setup step can expire or be invalidated by the policy-reset cycle. By the time AWF calls `sbx create`, the sbx daemon no longer has valid Docker Hub credentials, causing 'user is not authenticated to Docker' errors. Add a `generateDockerSbxCredentialRefreshStep()` that runs `sbx login` immediately before the agent execution step, ensuring the daemon has fresh credentials when AWF creates the microVM sandbox. The step is emitted in `compiler_yaml_ai_execution.go` (the common compilation path for all engines) so it applies to Copilot, Claude, Codex, and any future engine using docker-sbx runtime. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
|
Hey team 👋 — thanks for getting this changeset for the One thing worth noting before this lands:
If you'd like an agent to help add test coverage for the credential refresh step, here's a ready-to-use prompt:
|
|
Run: https://github.com/github/gh-aw/actions/runs/29220275355
|
Thanks for the review. Addressing both points:
Local validation: |
Caution
agentic threat detected
Threat detection flagged this output in warn mode. Manual review is REQUIRED before any follow-up automation.
Reason: agent_failure
Review the workflow run logs for details.
This PR contains changes that were originally intended for PR #45146 (
fix/docker-sbx-credential-refresh).Please review the changes carefully before merging.