CI: Multiple workflow failures on main after PR #524 (HTTPS_PROXY removal) #529
Description
Summary
Several CI workflows are failing on main since PR #524 (fix: remove HTTP_PROXY/HTTPS_PROXY env vars from agent container) was merged at 2026-02-05T20:13:41Z. The last fully green run on main was at 18:25 UTC, before that merge.
There are two distinct root causes affecting 4 CI checks.
Failure 1: HTTPS connections fail without HTTPS_PROXY (3 workflows)
Affected workflows
- test-chroot.yml → Test Chroot Edge Cases and Test Chroot Package Managers
- test-examples.yml → Test Examples (debugging.sh)
Symptom
curl HTTPS requests fail with exit code 35 (SSL handshake error) or exit code 6 (could not resolve host):
```
[entrypoint] Proxy configuration:
[entrypoint] HTTPS_PROXY=
...
[DEBUG] Agent exit code: 35
```
Root cause
PR #524 removed both HTTP_PROXY and HTTPS_PROXY from the agent container environment. While HTTP traffic works via iptables intercept mode (DNAT to Squid port 3129), HTTPS requires the CONNECT method through Squid's forward-proxy port (3128). Without HTTPS_PROXY set, curl doesn't know to proxy HTTPS traffic, and the iptables DNAT to port 3129 can't handle HTTPS CONNECT tunneling.
The GHCR-published agent image (agent:latest) still has the old entrypoint that logs HTTPS_PROXY= (empty), confirming the env var is unset.
Evidence on main
| Run ID | Branch | Result | Timestamp |
|---|---|---|---|
| 21723478684 | main | success | 18:25 (before #524) |
| 21726883573 | main | failure | 20:13 (right after #524) |
| 21727648198 | main | failure | 20:39 |
| 21727992354 | main | failure | 20:50 |
| 21728924108 | main | pending | 21:20 |
Failing tests
- chroot-edge-cases.test.ts:258 — "should allow HTTPS to whitelisted domains" (curl -s -o /dev/null -w "%{http_code}" https://api.github.com)
- chroot-package-managers.test.ts:89 — npm install over HTTPS
- examples/debugging.sh — curl -s https://api.github.com/zen
Suggested fix
Restore HTTPS_PROXY in the agent container environment. Only HTTP_PROXY should be removed (intercept mode handles HTTP). HTTPS still needs explicit forward-proxy configuration because the CONNECT tunnel can't be transparently intercepted via DNAT.
```ts
// docker-manager.ts — environment block should include:
HTTPS_PROXY: `http://${networkConfig.squidIp}:${SQUID_PORT}`,
```
Also add HTTPS_PROXY / https_proxy back to the exclusion list removal (keep HTTP_PROXY / http_proxy excluded).
Failure 2: Smoke Chroot tsc build fails — sparse checkout missing src/ (1 workflow)
Affected workflow
- smoke-chroot.lock.yml → agent job → Build awf step
Symptom
```
error TS18003: No inputs were found in config file 'tsconfig.json'.
Specified 'include' paths were '["src/**/*"]' and 'exclude' paths were '["node_modules","dist","**/*.test.ts"]'.
```
Root cause
The agent job in smoke-chroot.lock.yml uses a sparse checkout that only checks out .github and .agents folders:
```yaml
- name: Checkout .github and .agents folders
  uses: actions/checkout@...
  with:
    sparse-checkout: |
      .github
      .agents
```
But then runs npm run build (which invokes tsc), which expects src/**/* to exist. The src/ directory is never checked out.
This failure is intermittent because it depends on whether the agent job actually runs (it's gated by an activation step). It may have been masked before PR #527 recompiled the lock files.
Suggested fix
Either:
- Add src/ to the sparse checkout if the build step is needed
- Skip the npm run build step for smoke tests (they should use the pre-built GHCR image, not build from source)
- Use a full checkout instead of sparse checkout for the agent job
Summary table
| CI Check | Workflow | Root Cause | Introduced By |
|---|---|---|---|
| Test Chroot Edge Cases | test-chroot.yml | HTTPS_PROXY removed | PR #524 |
| Test Chroot Package Managers | test-chroot.yml | HTTPS_PROXY removed | PR #524 |
| Test Examples | test-examples.yml | HTTPS_PROXY removed | PR #524 |
| Smoke Chroot agent build | smoke-chroot.lock.yml | Sparse checkout missing src/ | Pre-existing / PR #527 |
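
An added example, not part of the original issue or the project's code: a preflight check an entrypoint could run so that an empty HTTPS_PROXY (Failure 1) is reported explicitly instead of surfacing later as curl exit code 35 or 6. The function name, return codes and the sample IP are assumptions; the ports and the `http://host:port` form are the ones given in the issue.

```shell
#!/bin/sh
# Ports as described in the issue:
FORWARD_PORT=3128     # Squid forward-proxy port, handles HTTPS CONNECT
INTERCEPT_PORT=3129   # Squid intercept port, target of the iptables DNAT (HTTP only)

# check_https_proxy VALUE  (hypothetical helper)
# Returns 0 = usable, 1 = unset/empty, 2 = not in http://host:port form,
#         3 = port is not the forward-proxy port.
check_https_proxy() {
    url=$1
    if [ -z "$url" ]; then
        echo "HTTPS_PROXY is empty: HTTPS clients will connect directly and fail" >&2
        return 1
    fi
    case $url in
        http://*) rest=${url#http://} ;;
        *) echo "HTTPS_PROXY must look like http://host:port, got: $url" >&2
           return 2 ;;
    esac
    hostport=${rest%%/*}                 # drop any trailing path
    case $hostport in
        *:*) ;;
        *) echo "HTTPS_PROXY has no port: $url" >&2; return 2 ;;
    esac
    host=${hostport%:*}
    port=${hostport##*:}
    case $port in
        ''|*[!0-9]*) echo "HTTPS_PROXY port is not numeric: $url" >&2; return 2 ;;
    esac
    [ -n "$host" ] || { echo "HTTPS_PROXY has no host: $url" >&2; return 2; }
    if [ "$port" = "$INTERCEPT_PORT" ]; then
        echo "HTTPS_PROXY points at intercept port $port, which cannot tunnel CONNECT" >&2
        return 3
    fi
    if [ "$port" != "$FORWARD_PORT" ]; then
        echo "HTTPS_PROXY port $port is not the forward-proxy port $FORWARD_PORT" >&2
        return 3
    fi
    return 0
}

# Constructed sample values (the IP address is made up for this example).
for v in "" "http://172.30.0.10:3129" "http://172.30.0.10:3128"; do
    rc=0
    check_https_proxy "$v" 2>/dev/null || rc=$?
    echo "HTTPS_PROXY='$v' -> $rc"
done
```

In an entrypoint the call would be `check_https_proxy "${HTTPS_PROXY:-${https_proxy:-}}" || exit 1`, placed before the agent command starts.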