feat: add --exclude-env flag to exclude specific vars from --env-all passthrough#1482
feat: add --exclude-env flag to exclude specific vars from --env-all passthrough#1482
Conversation
|
| Metric | Base | PR | Delta |
|---|---|---|---|
| Lines | 82.72% | 82.81% | 📈 +0.09% |
| Statements | 82.38% | 82.47% | 📈 +0.09% |
| Functions | 81.50% | 81.22% | 📉 -0.28% |
| Branches | 76.19% | 76.08% | 📉 -0.11% |
📁 Per-file Coverage Changes (2 files)
| File | Lines (Before → After) | Statements (Before → After) |
|---|---|---|
src/cli.ts |
61.2% → 61.1% (-0.10%) | 61.6% → 61.5% (-0.10%) |
src/docker-manager.ts |
86.0% → 86.5% (+0.48%) | 85.5% → 86.0% (+0.47%) |
Coverage comparison generated by scripts/ci/compare-coverage.ts
This comment has been minimized.
This comment has been minimized.
…hub.com (#1483) * Initial plan * fix: recompile smoke-codex with gh-aw v0.64.2 to add github.com to allowed domains --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
|
| Metric | Base | PR | Delta |
|---|---|---|---|
| Lines | 82.72% | 82.81% | 📈 +0.09% |
| Statements | 82.38% | 82.47% | 📈 +0.09% |
| Functions | 81.50% | 81.22% | 📉 -0.28% |
| Branches | 76.19% | 76.08% | 📉 -0.11% |
📁 Per-file Coverage Changes (2 files)
| File | Lines (Before → After) | Statements (Before → After) |
|---|---|---|
src/cli.ts |
61.2% → 61.1% (-0.10%) | 61.6% → 61.5% (-0.10%) |
src/docker-manager.ts |
86.0% → 86.5% (+0.48%) | 85.5% → 86.0% (+0.47%) |
Coverage comparison generated by scripts/ci/compare-coverage.ts
|
Smoke test results (run 23688357079) ✅ GitHub MCP — Last 2 merged PRs: #1483 "fix: recompile smoke-codex workflow with gh-aw v0.64.2 to unblock github.com", #1470 "rename awf-issue-auditor → firewall-issue-dispatcher and prefix created issues with [awf]" Overall: PASS PR author:
|
|
Smoke test results — PASS
Overall: PASS
|
Chroot Version Comparison Results
Overall: ❌ FAILED — Python and Node.js versions differ between host and chroot.
|
This comment has been minimized.
This comment has been minimized.
* Initial plan * fix: postprocess regex to match gh-aw v0.64.2 install path Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/2fc9b7aa-85e8-4db2-99c3-53b5e7c5c9b9 --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
|
| Metric | Base | PR | Delta |
|---|---|---|---|
| Lines | 82.72% | 82.81% | 📈 +0.09% |
| Statements | 82.38% | 82.47% | 📈 +0.09% |
| Functions | 81.50% | 81.22% | 📉 -0.28% |
| Branches | 76.19% | 76.08% | 📉 -0.11% |
📁 Per-file Coverage Changes (2 files)
| File | Lines (Before → After) | Statements (Before → After) |
|---|---|---|
src/cli.ts |
61.2% → 61.1% (-0.10%) | 61.6% → 61.5% (-0.10%) |
src/docker-manager.ts |
86.0% → 86.5% (+0.48%) | 85.5% → 86.0% (+0.47%) |
Coverage comparison generated by scripts/ci/compare-coverage.ts
Smoke Test Results✅ GitHub MCP — Last 2 merged PRs: "[WIP] Fix failing GitHub Actions workflow agent" (#1484), "fix: recompile smoke-codex workflow with gh-aw v0.64.2 to unblock github.com" (#1483) Overall: PASS
|
Smoke Test Results — Copilot Engine
Overall: PASS — PR by
|
Chroot Version Comparison Results
Overall: ❌ FAILED — Python and Node.js versions differ between host and chroot.
|
🏗️ Build Test Suite Results
Overall: 8/8 ecosystems passed — ✅ PASS
|
There was a problem hiding this comment.
Pull request overview
Adds a user-configurable exclusion list for --env-all so callers can prevent specific sensitive host environment variables from being passed into the agent container, beyond the built-in hardcoded exclusions.
Changes:
- Introduces
--exclude-env <name>(repeatable) and plumbs it throughWrapperConfig.excludeEnv. - Applies
excludeEnvduring Docker Compose env construction and adds unit tests + CLI docs. - Regenerates/updates the
smoke-codexworkflow (plus a small CI postprocess script tweak).
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| src/types.ts | Adds WrapperConfig.excludeEnv?: string[] and documents intended behavior. |
| src/cli.ts | Adds --exclude-env CLI option and maps it into WrapperConfig. |
| src/docker-manager.ts | Incorporates excludeEnv into env passthrough exclusion behavior. |
| src/docker-manager.test.ts | Adds unit tests validating env exclusion behavior with --env-all. |
| docs-site/src/content/docs/reference/cli-reference.md | Documents --exclude-env in CLI reference table. |
| scripts/ci/postprocess-smoke-workflows.ts | Updates install-step matching and replacement logging for smoke workflows. |
| .github/workflows/smoke-codex.md | Removes the prior sandbox MCP stanza from the workflow markdown. |
| .github/workflows/smoke-codex.lock.yml | Large regenerated lock workflow update (new versions/structure/jobs/steps). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| @@ -30,7 +29,7 @@ | |||
| # - shared/mcp/tavily.md | |||
| # - shared/reporting.md | |||
| # | |||
| # gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"4e90f52021e1c90e79dd139075b622e6533a4d7555cf9340fa36415e3412c288","compiler_version":"v0.58.2","strict":true} | |||
| # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"c67bf3be0932087b7113808cd5143f5bf3bf6a4c7dc510c6bda41972642fb37e","compiler_version":"v0.64.2","strict":true,"agent_id":"codex"} | |||
There was a problem hiding this comment.
This PR is described as adding --exclude-env, but it also includes a large regeneration/behavior change of the smoke-codex workflow (new gh-aw compiler/schema version, new jobs/steps, changed action sources/paths, etc.). Please confirm this broad workflow change is intentional and in-scope for this PR; otherwise it would be better split into a separate PR to keep review and rollback risk manageable.
| // If --exclude-env names were specified, add them to the excluded set | ||
| if (config.excludeEnv && config.excludeEnv.length > 0) { | ||
| for (const name of config.excludeEnv) { | ||
| EXCLUDED_ENV_VARS.add(name); | ||
| } | ||
| } |
There was a problem hiding this comment.
excludeEnv is added to EXCLUDED_ENV_VARS unconditionally, which means it also affects --env-file injection (and can have effects even when envAll is false), despite the WrapperConfig.excludeEnv docs stating it only applies to --env-all. Consider scoping excludeEnv to the envAll passthrough only (e.g., use a separate exclusion set for the env-all loop, or only add these names inside the if (config.envAll) block).
See below for a potential fix:
// If --env-all is specified, pass through all host environment variables (except excluded ones)
if (config.envAll) {
// Build a local exclusion set for env-all passthrough:
// start with the global excluded vars, then apply any --exclude-env names.
const envAllExcludedVars = new Set(EXCLUDED_ENV_VARS);
if (config.excludeEnv && config.excludeEnv.length > 0) {
for (const name of config.excludeEnv) {
envAllExcludedVars.add(name);
}
}
for (const [key, value] of Object.entries(process.env)) {
if (
value !== undefined &&
!envAllExcludedVars.has(key) &&
!Object.prototype.hasOwnProperty.call(environment, key)
) {
--env-allpasses all host environment variables into the agent container with no runtime way to exclude specific secrets (e.g.GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN). The only exclusion mechanism was the hardcodedEXCLUDED_ENV_VARSset.Changes
src/types.ts— addedexcludeEnv?: string[]toWrapperConfigsrc/cli.ts— added--exclude-env <name>as a repeatable option adjacent to--env-all; wired intoWrapperConfigsrc/docker-manager.ts— mergesconfig.excludeEnventries intoEXCLUDED_ENV_VARSbefore theenvAllloopsrc/docker-manager.test.ts— 5 new unit tests covering single/multiple exclusions, no-op without--env-all, andGITHUB_TOKENexclusiondocs-site/…/cli-reference.md— added--exclude-envto options tableUsage
⌨️ Start Copilot coding agent tasks without leaving your editor — available in VS Code, Visual Studio, JetBrains IDEs and Eclipse.