fix: debug logging for GITHUB_PATH merge + document setup-* tool availability in chroot

[Copilot]

readGitHubPathEntries() silently returned [] when GITHUB_PATH was unset or unreadable, making it impossible to diagnose why tools installed by setup-* actions (e.g. astral-sh/setup-uv) resolved as command not found inside the AWF chroot.

Changes

• src/docker-manager.ts — readGitHubPathEntries(): emit debug-level log messages for the two previously silent failure paths:

  • GITHUB_PATH env var not set (includes a note that sudo PATH reset may be the cause)
  • GITHUB_PATH file path set but unreadable (logs the attempted path)

  With --log-level debug you now see one of:

  [DEBUG] Merged 3 path(s) from $GITHUB_PATH into AWF_HOST_PATH
  [DEBUG] GITHUB_PATH env var is not set; skipping $GITHUB_PATH file merge …
  [DEBUG] GITHUB_PATH file at '/home/runner/_work/_temp/_runner_file_commands/add_path_…' could not be read; skipping file merge
  

• docs/environment.md — New "GitHub Actions setup-* Tool Availability" section documenting:

  • The GITHUB_PATH → AWF_HOST_PATH → chroot PATH pipeline (introduced in v0.60.0)
  • Fallback behaviour when GITHUB_PATH is absent (relies on process.env.PATH which sudo may have reset)
  • --log-level debug troubleshooting guidance with expected log output

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[github-actions]

Documentation Preview

Documentation build failed for this PR. View logs.

Built from commit b89d711

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	82.72%	82.83%	📈 +0.11%
Statements	82.38%	82.49%	📈 +0.11%
Functions	81.50%	81.50%	➡️ +0.00%
Branches	76.19%	76.25%	📈 +0.06%

📁 Per-file Coverage Changes (1 files)

File	Lines (Before → After)	Statements (Before → After)
src/docker-manager.ts	86.0% → 86.5% (+0.46%)	85.5% → 85.9% (+0.45%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[github-actions]

🔮 Oracle Smoke Ledger
PR titles reviewed: "rename awf-issue-auditor → firewall-issue-dispatcher and prefix created issues with [awf]"; "feat: add --env-file support for injecting env vars from a file"
GitHub MCP review (last 2 merged PRs): ✅
safeinputs-gh PR query (2 PRs): ❌ (tool unavailable in runtime)
Playwright github.com title contains "GitHub": ✅
Tavily search "GitHub Agentic Workflows Firewall": ❌ (tool unavailable in runtime)
File write + bash cat verification: ✅
Discussion query + mystical discussion comment: ❌ (required discussion query/comment tool path unavailable)
Build (npm ci && npm run build): ✅
Overall status: FAIL

🔮 The oracle has spoken through Smoke Codex

Warning

⚠️ Firewall blocked 5 domains

The following domains were blocked by the firewall during workflow execution:

• ab.chatgpt.com
• api.github.com
• chatgpt.com
• github.com
• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "ab.chatgpt.com"
    - "api.github.com"
    - "chatgpt.com"
    - "github.com"
    - "registry.npmjs.org"

See Network Configuration for more information.

[Copilot]

Pull request overview

Adds diagnosability and documentation around how AWF makes GitHub Actions setup-* installed tools available inside the chroot by merging $GITHUB_PATH into AWF_HOST_PATH.

Changes:

• Add debug-level logs when $GITHUB_PATH is unset or unreadable in readGitHubPathEntries().
• Document the $GITHUB_PATH → AWF_HOST_PATH → chroot PATH pipeline and troubleshooting steps in docs/environment.md.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File	Description
src/docker-manager.ts	Adds debug logs for previously silent $GITHUB_PATH read/merge failure paths.
docs/environment.md	Documents setup-* tool availability inside chroot and adds debug troubleshooting guidance.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This doc claims the behavior was introduced in awf v0.60.0, but the repo’s current package version is 0.23.1 (package.json). Unless there’s a separate versioning scheme for the released CLI, this looks incorrect/misleading—suggest removing the specific version or updating it to the correct AWF release version that introduced the feature.

Suggested change

	This behavior was introduced in **awf v0.60.0** and is active automatically — no extra flags are required.
	This behavior is active automatically — no extra flags are required.

[Copilot]

The troubleshooting snippet’s debug line (GITHUB_PATH env var is not set; skipping $GITHUB_PATH file merge …) doesn’t match the actual log message emitted in readGitHubPathEntries() (it includes the parenthetical sudo/PATH note and no ellipsis). To avoid confusing users, update the docs to match the exact emitted message(s) (including the unreadable-file case).

[Copilot]

In the unreadable-file path, the catch block discards the underlying error (e.g., ENOENT vs EACCES). Since the goal here is diagnosability, consider capturing the error (catch (error)) and including it in the debug log (as a second arg) so users can tell why the file couldn't be read.

Suggested change

	} catch {
	// File doesn't exist or isn't readable — expected outside GitHub Actions
	logger.debug(`GITHUB_PATH file at '${githubPathFile}' could not be read; skipping file merge`);
	} catch (error) {
	// File doesn't exist or isn't readable — expected outside GitHub Actions
	logger.debug(`GITHUB_PATH file at '${githubPathFile}' could not be read; skipping file merge`, error);