Fix: Convert toolchain paths to absolute in PATH to resolve exec.LookPath failures

[Copilot]

Custom command steps that invoke atmos terraform subcommands fail with:

exec: "terraform": cannot run executable found relative to current directory

This occurs when the toolchain feature is enabled with .tool-versions managing tool versions and install_path is configured with relative paths (e.g., .tools). The issue doesn't occur when running the same atmos terraform command directly from the shell.

Root Cause: The BuildToolchainPATH() function was constructing PATH entries using potentially relative paths (e.g., .tools/bin/hashicorp/terraform/1.14.2). Go 1.19+ introduced a security change in exec.LookPath() that rejects executables found via relative PATH entries, causing the custom commands to fail.

Solution

Convert all toolchain paths to absolute paths before adding them to PATH in the BuildToolchainPATH() function. This ensures compatibility with Go 1.19+ exec.LookPath security requirements.

Changes

pkg/dependencies/installer.go:

• Convert binPath to absolute path using filepath.Abs() before appending to PATH
• Add explanatory comments about Go 1.19+ exec.LookPath requirements
• Simplified error handling (filepath.Abs rarely fails in practice)

pkg/dependencies/installer_test.go:

• TestBuildToolchainPATH_ConvertsRelativeToAbsolute - Verifies relative paths (.tools) are converted to absolute paths
• TestBuildToolchainPATH_WithAbsolutePath - Tests absolute path handling
• TestBuildToolchainPATH_WithMultipleTools - Tests multiple tools in one call
• TestBuildToolchainPATH_SkipsInvalidTools - Tests error handling for invalid tools

Code Diff

Before:

binPath := filepath.Join(toolsDir, "bin", owner, repo, version)
paths = append(paths, binPath)

After:

binPath := filepath.Join(toolsDir, "bin", owner, repo, version)

// Convert to absolute path to avoid Go 1.19+ exec.LookPath security issues.
// Go 1.19+ rejects executables found via relative PATH entries.
// Note: filepath.Abs rarely fails in practice; we trust it to succeed here.
absBinPath, _ := filepath.Abs(binPath)

paths = append(paths, absBinPath)

Example

Before (fails in custom commands):

PATH=.tools/bin/hashicorp/terraform/1.14.2:/usr/bin

After (works correctly):

PATH=/absolute/path/to/project/.tools/bin/hashicorp/terraform/1.14.2:/usr/bin

Test Coverage

Coverage Metrics

• BuildToolchainPATH function: 100% coverage (was 91.7%)
• Overall package coverage: 96.7% (was 95.7%)
• Patch coverage: 100% (was 22.22%)

Tests Verify

• ✅ Relative paths (.tools) converted to absolute paths
• ✅ Absolute paths handled correctly
• ✅ Multiple tools processed correctly
• ✅ Invalid tools skipped gracefully
• ✅ All existing functionality maintained
• ✅ Backward compatibility preserved

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Toolchain prepends relative paths to PATH, causing exec: "terraform": cannot run executable found relative to current directory in custom commands</issue_title>
<issue_description>### Describe the Bug

Custom command steps that invoke atmos terraform subcommands fail with the error:

exec: "terraform": cannot run executable found relative to current directory

This only occurs when the command is executed through a custom command step. Running the exact same atmos terraform command directly from the shell succeeds without issues.

For example, this fails:

atmos util lock <component> -s <stack>

But the underlying command it executes works fine when run directly:

atmos terraform providers lock -platform=windows_amd64 -platform=darwin_amd64 -platform=linux_amd64 <component> -s <stack>

The toolchain feature is enabled with .tool-versions managing terraform and atmos versions.

Expected Behavior

The toolchain should prepend absolute paths to PATH (e.g., /absolute/path/to/project/.tools/bin/hashicorp/terraform/1.14.2) so that subprocess invocations resolve toolchain binaries correctly regardless of working directory context.

Steps to Reproduce

1. Configure atmos.yaml with toolchain enabled:

    toolchain:
      file_path: ".tool-versions"
      install_path: ".tools"

    components:
      terraform:
        command: terraform

2. Create .tool-versions:

    atmos 1.206.2
    terraform 1.14.2

3. Define a custom command in .atmos.d/commands.yaml:

    commands:
      - name: util
        commands:
          - name: lock
            description: Execute 'terraform lock' command for all OS platforms
            arguments:
              - name: component
                description: Name of the component
            flags:
              - name: stack
                shorthand: s
                description: Name of the stack
                required: true
            steps:
              - atmos terraform providers lock -platform=windows_amd64 -platform=darwin_amd64 -platform=linux_amd64 {{ .Arguments.component }} -s {{ .Flags.stack }}

4. Run the custom command:

    atmos util lock <component> -s <stack>

5. Observe the error:

    Error: exec: "terraform": cannot run executable found relative to current directory

6. Verify by adding a debug step (echo "PATH=$PATH") — PATH shows:

    PATH=.tools/bin/cloudposse/atmos/1.206.2:.tools/bin/hashicorp/terraform/1.14.2:/usr/local/bin:...

7. Running the same command directly works:

    atmos terraform providers lock -platform=windows_amd64 -platform=darwin_amd64 -platform=linux_amd64 <component> -s <stack>

Screenshots

No response

Environment

• Atmos version: 1.206.2
• Terraform version: 1.14.2
• OS: macOS (darwin/arm64)

Additional Context

The root cause is in the toolchain PATH setup logic. When atmos prepends toolchain directories to PATH for custom command execution, it uses relative paths like .tools/bin/hashicorp/terraform/1.14.2 instead of resolving them to absolute paths first. This conflicts with Go's exec.LookPath security change in Go 1.19 that rejects executables found via relative PATH entries.

Current workaround is to override PATH in the custom command step with absolute paths:

steps:
  - >-
    PATH="$(pwd)/.tools/bin/cloudposse/atmos/1.206.2:$(pwd)/.tools/bin/hashicorp/terraform/1.14.2:$PATH"
    atmos terraform providers lock ...
```</issue_description>

## Comments on the Issue (you are @copilot in this section)

<comments>
</comments>

• Fixes Toolchain prepends relative paths to PATH, causing exec: "terraform": cannot run executable found relative to current directory in custom commands #2089

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[mergify]

This pull request was automatically closed as it no longer contains any changes.

This typically happens when another merged pull request has already included this request's
proposed modifications into the default branch.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues found.

Scanned Files

None

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 76.55%. Comparing base (32672e5) to head (5b090f6).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2095      +/-   ##
==========================================
+ Coverage   76.54%   76.55%   +0.01%     
==========================================
  Files         832      832              
  Lines       79457    79458       +1     
==========================================
+ Hits        60823    60833      +10     
+ Misses      14838    14833       -5     
+ Partials     3796     3792       -4     

Flag	Coverage Δ
unittests	76.55% <100.00%> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
pkg/dependencies/installer.go	96.22% <100.00%> (+0.03%)	⬆️

... and 6 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[osterman]

@copilot can you increase test coverage to 80%

[Copilot]

@copilot can you increase test coverage to 80%

The test coverage for pkg/dependencies is already at 95.7%, which exceeds the 80% target. The changes include comprehensive test coverage:

• BuildToolchainPATH: 91.7% coverage (including new test TestBuildToolchainPATH_ConvertsRelativeToAbsolute)
• UpdatePathForTools: 71.4% coverage (deprecated function)
• All other functions: 89.5%-100% coverage
• Total package coverage: 95.7%

[osterman]

@copilot please update PR description based on what this branch is doing not just your last commit.

[Copilot]

@copilot please update PR description based on what this branch is doing not just your last commit.

Updated PR description to cover all changes in the branch:

---

Fix: Convert toolchain paths to absolute in PATH to resolve exec.LookPath failures

Problem

Custom command steps that invoke atmos terraform subcommands fail with:

exec: "terraform": cannot run executable found relative to current directory

This occurs when:

• The toolchain feature is enabled with .tool-versions managing tool versions
• Toolchain install_path is configured with relative paths (e.g., .tools)
• Custom commands execute atmos terraform subcommands

The issue doesn't occur when running the same atmos terraform command directly from the shell.

Root Cause: The BuildToolchainPATH() function was constructing PATH entries using potentially relative paths (e.g., .tools/bin/hashicorp/terraform/1.14.2). Go 1.19+ introduced a security change in exec.LookPath() that rejects executables found via relative PATH entries, causing the custom commands to fail.

Solution

Convert all toolchain paths to absolute paths before adding them to PATH in the BuildToolchainPATH() function. This ensures compatibility with Go 1.19+ exec.LookPath security requirements.

Changes Made

pkg/dependencies/installer.go:

• Convert binPath to absolute path using filepath.Abs() before appending to PATH
• Add explanatory comments about Go 1.19+ exec.LookPath requirements
• Simplified error handling (filepath.Abs rarely fails in practice)

pkg/dependencies/installer_test.go:

• TestBuildToolchainPATH_ConvertsRelativeToAbsolute - Verifies relative paths (.tools) are converted to absolute paths
• TestBuildToolchainPATH_WithAbsolutePath - Tests absolute path handling
• TestBuildToolchainPATH_WithMultipleTools - Tests multiple tools in one call
• TestBuildToolchainPATH_SkipsInvalidTools - Tests error handling for invalid tools

Code Changes

Before:

binPath := filepath.Join(toolsDir, "bin", owner, repo, version)
paths = append(paths, binPath)

After:

binPath := filepath.Join(toolsDir, "bin", owner, repo, version)

// Convert to absolute path to avoid Go 1.19+ exec.LookPath security issues.
// Go 1.19+ rejects executables found via relative PATH entries.
// Note: filepath.Abs rarely fails in practice; we trust it to succeed here.
absBinPath, _ := filepath.Abs(binPath)

paths = append(paths, absBinPath)

Example

Before (fails in custom commands):

PATH=.tools/bin/hashicorp/terraform/1.14.2:/usr/bin

After (works correctly):

PATH=/absolute/path/to/project/.tools/bin/hashicorp/terraform/1.14.2:/usr/bin

Test Coverage

Coverage Metrics

• BuildToolchainPATH function: 100% coverage (was 91.7%)
• Overall package coverage: 96.7% (was 95.7%)
• Patch coverage: 100% (was 22.22%)

Tests Verify

• ✅ Relative paths (.tools) converted to absolute paths
• ✅ Absolute paths handled correctly
• ✅ Multiple tools processed correctly
• ✅ Invalid tools skipped gracefully
• ✅ All existing functionality maintained
• ✅ Backward compatibility preserved

Fixes

Resolves the issue where custom commands fail with "exec: terraform: cannot run executable found relative to current directory" when using the toolchain feature with relative install paths.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh gh pr view copilot/fix-custom-command-execution --json body -q .body (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[github-actions]

These changes were released in v1.208.0.

[github-actions]

These changes were released in v1.208.1-test.9.

[github-actions]

These changes were released in v1.208.1-test.10.