You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Link to the gh-aw PR: github/gh-aw#45006 — Add docker-sbx runtime support to compiler
PR #45006 adds docker-sbx as a valid sandbox.agent.runtime value, running the agent inside a KVM-isolated Docker sbx microVM. This is a substantially different execution model from the existing gvisor and default runtimes, with no E2E test coverage.
Proposed test
Workflow file: test-copilot-docker-sbx-runtime.md
Trigger: workflow_dispatch
Engine: copilot
Safe output: create-issue
Variant: standard (nosandbox would defeat the purpose)
Minimal test prompt sketch
Using sandbox.agent.runtime: docker-sbx (and sudo: true) in frontmatter, instruct the agent to create a GitHub issue with a fixed title confirming it ran inside the docker-sbx microVM. This validates the KVM pre-flight, sbx install, daemon startup, Docker Hub auth, smoke test, and agent execution end-to-end.
New fixtures or secrets needed
Requires two new repository secrets: DOCKER_PAT and DOCKER_USERNAME (Docker Hub credentials used by the compiler-generated docker login step). The runner host must expose /dev/kvm. Whether GitHub-hosted runners in e2e.yml support KVM is the main open question before this test can be implemented.
Notes
The existing test-copilot-network-isolation.md tests sandbox network policy but not the runtime layer. The open suggestion #6559 covers gvisor. This test specifically exercises the new docker-sbx path from github/gh-aw#45006.
Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
awmgmcpg
To allow these domains, add them to the network.allowed list in your workflow frontmatter:
Motivation
Link to the gh-aw PR: github/gh-aw#45006 — Add
docker-sbxruntime support to compilerPR #45006 adds
docker-sbxas a validsandbox.agent.runtimevalue, running the agent inside a KVM-isolated Docker sbx microVM. This is a substantially different execution model from the existinggvisorand default runtimes, with no E2E test coverage.Proposed test
test-copilot-docker-sbx-runtime.mdworkflow_dispatchcreate-issueMinimal test prompt sketch
Using
sandbox.agent.runtime: docker-sbx(andsudo: true) in frontmatter, instruct the agent to create a GitHub issue with a fixed title confirming it ran inside the docker-sbx microVM. This validates the KVM pre-flight, sbx install, daemon startup, Docker Hub auth, smoke test, and agent execution end-to-end.New fixtures or secrets needed
Requires two new repository secrets:
DOCKER_PATandDOCKER_USERNAME(Docker Hub credentials used by the compiler-generateddocker loginstep). The runner host must expose/dev/kvm. Whether GitHub-hosted runners ine2e.ymlsupport KVM is the main open question before this test can be implemented.Notes
The existing
test-copilot-network-isolation.mdtests sandbox network policy but not the runtime layer. The open suggestion #6559 covers gvisor. This test specifically exercises the newdocker-sbxpath from github/gh-aw#45006.Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
awmgmcpgSee Network Configuration for more information.