
Fix copilot agent discovery when running through AWF firewall #4434

Closed
Copilot wants to merge 5 commits into main from copilot/investigate-agent-path-issue

Copilot AI commented Nov 20, 2025

Copilot CLI couldn't find custom agent files when wrapped by AWF because agent files in ${GITHUB_WORKSPACE}/.github/agents/ were inaccessible to the containerized process.

Changes

  • Copy agent files to copilot's expected location: When firewall is enabled with a custom agent, copy from AWF's mounted host filesystem (/host${GITHUB_WORKSPACE}/<agent-path>) to /home/runner/.copilot/agents/<identifier>.md
  • Conditional execution: Only applies when both isFirewallEnabled(workflowData) and workflowData.AgentFile != ""

Implementation

In pkg/workflow/copilot_engine.go:

// When firewall is enabled and a custom agent is specified, copy the agent file
// to where Copilot CLI expects to find it (/home/runner/.copilot/agents/)
// AWF mounts the host filesystem to /host, so we access the workspace via /host${GITHUB_WORKSPACE}
if isFirewallEnabled(workflowData) && workflowData.AgentFile != "" {
    agentIdentifier := ExtractAgentIdentifier(workflowData.AgentFile)
    
    yaml.WriteString("          mkdir -p /home/runner/.copilot/agents\n")
    yaml.WriteString(fmt.Sprintf("          cp \"/host${GITHUB_WORKSPACE}/%s\" \"/home/runner/.copilot/agents/%s.md\"\n", 
        workflowData.AgentFile, agentIdentifier))
}

Testing

Added pkg/workflow/copilot_agent_firewall_test.go covering:

  • Firewall + agent → copies file
  • Firewall without agent → no copy
  • No firewall + agent → no copy
  • Path transformation validation

Fixes https://github.com/githubnext/gh-aw/actions/runs/19542635233/job/55952916706

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/user
    • Triggering command: gh api user --jq .login (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details on the original issue you should resolve

<issue_title>copilot confused about finding custom agents when running through ghafw/npx</issue_title>
<issue_description>In this run, copilot fails to find the custom agent https://github.com/githubnext/gh-aw/actions/runs/19542635233/job/55952916706 . It does find it locally so I am wondering what is the current folder for the agent.</issue_description>

Comments on the Issue (you are @copilot in this section)

@Mossaka @copilot can you investigate if the awf firewall has changed the path for the agent process? the awf should grant the entire filesystem and mount host filesystem to /host.

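Added example, not code from this pull request or from gh-aw: the snippet in the description places workflowData.AgentFile inside a double-quoted shell string, and the page does not show whether that value is validated first. One way to build the same two commands with the path checked and quoted, assuming the agent identifier is the file's base name without .md (agentCopyCommands and shellSingleQuote are hypothetical names, not project functions):

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// shellSingleQuote makes s a literal shell word; ' becomes '\''.
func shellSingleQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// agentCopyCommands is a hypothetical helper, not gh-aw code. It checks a
// workspace-relative agent path and returns the mkdir and cp lines.
func agentCopyCommands(agentFile string) ([]string, error) {
	clean := path.Clean(agentFile)
	switch {
	case agentFile == "" || strings.ContainsAny(agentFile, "\x00\r\n"):
		return nil, fmt.Errorf("agent path is empty or has control characters")
	case path.IsAbs(clean) || clean == ".." || strings.HasPrefix(clean, "../"):
		return nil, fmt.Errorf("agent path %q leaves the workspace", agentFile)
	case !strings.HasSuffix(clean, ".md") || path.Base(clean) == ".md":
		return nil, fmt.Errorf("agent path %q is not a named .md file", agentFile)
	}
	// Assumption: the identifier is the base name without ".md".
	id := strings.TrimSuffix(path.Base(clean), ".md")
	// Only ${GITHUB_WORKSPACE} is left for the shell to expand; every part
	// derived from agentFile is single-quoted, and "--" ends cp's options.
	src := `"/host${GITHUB_WORKSPACE}/"` + shellSingleQuote(clean)
	dst := shellSingleQuote("/home/runner/.copilot/agents/" + id + ".md")
	return []string{
		"mkdir -p /home/runner/.copilot/agents",
		"cp -- " + src + " " + dst,
	}, nil
}

func main() {
	// Constructed sample paths, not taken from the pull request.
	for _, p := range []string{".github/agents/reviewer.md", "agents/it's.md", "../x.md"} {
		cmds, err := agentCopyCommands(p)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println(strings.Join(cmds, "\n"))
	}
}
```

Rejecting CR and LF also keeps the value from adding lines to the generated workflow step.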

Copilot AI and others added 3 commits November 20, 2025 19:58
- When AWF wraps copilot, agent files from ${GITHUB_WORKSPACE} are not accessible
- AWF mounts host filesystem to /host, so we copy agent files from /host${GITHUB_WORKSPACE}
- Copy agent file to /home/runner/.copilot/agents/ where copilot CLI expects to find it
- Only applies when both firewall and custom agent are enabled
- Add integration tests to verify the fix

Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
…sts passing

Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix agent path resolution in ghafw/npx execution" to "Fix copilot agent discovery when running through AWF firewall" Nov 20, 2025
Copilot AI requested a review from Mossaka November 20, 2025 20:08

Mossaka commented Nov 24, 2025

#4693 should fix it

Mossaka closed this Nov 24, 2025
pelikhan deleted the copilot/investigate-agent-path-issue branch December 1, 2025 03:41