Copilot AI commented Jan 29, 2026

Mounting entire /lib and /usr/lib directories in AWF containers increases size and security surface. This implements runtime library detection using ldd to mount only required dependencies.

Implementation

Script (scripts/detect-library-deps.sh)

  • Detects dependencies via ldd, resolves symlinks, outputs AWF mount args
  • Supports formats: awf-mounts, paths, json
  • Caches results in /tmp/gh-aw-lib-deps-cache.txt (per-workflow-run)
  • 12 tests covering utilities (curl, jq, git), caching, symlinks, edge cases

Integration (pkg/workflow/)

  • Added GenerateLibraryMountArgsCommand() - generates detection command
  • Added GetCommonBinaryPaths() - returns standard utility paths
  • Integrated into copilot/claude/codex engines
  • Libraries detected on runner, passed to AWF via $LIB_MOUNTS

Generated Command

LIB_MOUNTS="$(/opt/gh-aw/scripts/detect-library-deps.sh \
  --cache-file=/tmp/gh-aw-lib-deps-cache.txt \
  --format=awf-mounts \
  /usr/bin/curl /usr/bin/jq ... \
  2>/dev/null || echo '')"
sudo -E awf ... $LIB_MOUNTS -- command

Impact

  • Mounts ~40 libraries instead of 10,000+ files
  • Reduces container attack surface
  • Zero overhead after first detection (cached)
Original prompt

This section details the original issue you should resolve

<issue_title>[plan] Create helper script to dynamically detect and mount required libraries</issue_title>
<issue_description>## Objective

Implement a shell script that dynamically detects library dependencies for mounted binaries and generates appropriate Docker mount arguments.

Context

Mounting entire library directories (/usr/lib, /lib, /lib64) increases the container size and security surface. A smarter approach is to:

  1. Detect what libraries the mounted binaries actually need
  2. Generate minimal mount commands for only those libraries
  3. Cache results for performance

Approach

  1. Create scripts/detect-library-deps.sh that:
    • Takes a list of binaries as input
    • Uses ldd to find library dependencies
    • Outputs Docker mount arguments (e.g., -v /lib/x86_64-linux-gnu/libc.so.6:/lib/x86_64-linux-gnu/libc.so.6:ro)
    • Handles symlinks and library versioning
  2. Add caching mechanism to avoid repeated ldd calls
  3. Integrate into engine execution code paths
  4. Add tests to verify library detection accuracy

Files to Create/Modify

  • Create: scripts/detect-library-deps.sh (library detection script)
  • Create: scripts/detect-library-deps_test.sh (test script)
  • Modify: pkg/workflow/copilot_engine_execution.go (use script output)
  • Modify: pkg/workflow/claude_engine.go (use script output)
  • Modify: pkg/workflow/codex_engine.go (use script output)

Acceptance Criteria

  • Script correctly identifies all library dependencies for given binaries
  • Script handles symlinks and library versions properly
  • Caching reduces repeated detection overhead
  • Integration with engines works across copilot/claude/codex
  • Tests verify accuracy for common utilities (curl, jq, git)

Related

Implements dynamic solution proposed in #11972
Related to #11970

AI generated by Plan Command for #11970

Comments on the Issue (you are @copilot in this section)
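The detection flow the PR describes (ldd, symlink resolution, AWF mount args, a per-run cache), as an added shell example that is not the project's scripts/detect-library-deps.sh; it assumes glibc-style ldd output, and the sample lines and paths are constructed:

```shell
#!/bin/sh
# Added example in the spirit of the PR's detect-library-deps.sh; not the
# project's script. Assumes glibc-style ldd output (name => /path (addr)).

# Constructed sample of ldd output (not from a real run), used for testing.
SAMPLE_LDD='  linux-vdso.so.1 (0x00007ffc5d1f0000)
  libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f2a1c000000)
  libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2a1be00000)
  libmissing.so.9 => not found
  /lib64/ld-linux-x86-64.so.2 (0x00007f2a1c200000)'

# Extract absolute library paths from ldd output on stdin. Keeps
# "name => /path (addr)" lines and the bare "/path (addr)" loader line;
# drops the vDSO pseudo-entry and unresolved ("not found") libraries.
ldd_paths() {
  awk '/not found/ { next }
       /=>/        { if ($3 ~ /^\//) print $3; next }
       $1 ~ /^\//  { print $1 }'
}

# Resolve versioned symlinks (libc.so.6 -> libc-2.xx.so) to the real file and
# emit both names, so the SONAME the binary asks for and the object behind it
# are both mounted. Paths that do not exist on this host pass through as-is.
resolve_libs() {
  while IFS= read -r p; do
    real=$(readlink -f "$p" 2>/dev/null) || real=""
    [ -n "$real" ] || real=$p
    printf '%s\n' "$p" "$real"
  done | sort -u
}

# Turn a path list on stdin into read-only bind-mount arguments on one line.
awf_mounts() {
  while IFS= read -r p; do printf '%s %s:%s:ro ' -v "$p" "$p"; done
}

# detect_libs BINARY...: run ldd over every binary, dedupe the union of their
# libraries and print mount args. The result is cached under a checksum of the
# binary list in $CACHE_FILE, so later calls in the same run skip ldd entirely.
CACHE_FILE=${CACHE_FILE:-/tmp/lib-deps-cache.txt}
detect_libs() {
  key=$(printf '%s\n' "$@" | sort | cksum | cut -d' ' -f1)
  if [ -f "$CACHE_FILE" ] && grep -q "^$key " "$CACHE_FILE"; then
    grep "^$key " "$CACHE_FILE" | cut -d' ' -f2-
    return 0
  fi
  out=$(for b in "$@"; do ldd "$b" 2>/dev/null; done | ldd_paths | resolve_libs | awf_mounts)
  printf '%s %s\n' "$key" "$out" >>"$CACHE_FILE"
  printf '%s\n' "$out"
}
```

A binary whose ldd line reads "not found" is deliberately dropped rather than mounted, so a missing library surfaces as a load failure inside the container instead of a silently wrong mount.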



Copilot AI and others added 3 commits January 29, 2026 06:13
- Created scripts/detect-library-deps.sh for dynamic library detection
- Supports multiple output formats: awf-mounts, paths, json
- Includes caching mechanism for performance
- Handles symlinks and library versioning
- Created scripts/detect-library-deps_test.sh with 12 passing tests
- Tests cover common utilities (curl, jq, git) and edge cases

Co-authored-by: pelikhan <[email protected]>
- Added GenerateLibraryMountArgsCommand and GetCommonBinaryPaths helpers
- Modified copilot_engine_execution.go to use library detection
- Modified claude_engine.go to use library detection
- Modified codex_engine.go to use library detection
- Libraries are detected dynamically at runtime using detect-library-deps.sh
- Only required libraries are mounted, reducing container size and security surface

Co-authored-by: pelikhan <[email protected]>
- Created engine_helpers_library_test.go with comprehensive tests
- Tests verify GetCommonBinaryPaths returns expected binaries
- Tests verify GenerateLibraryMountArgsCommand generates correct commands
- All tests pass
- Verified workflow compilation includes library detection

Co-authored-by: pelikhan <[email protected]>
@github-actions

🔍 PR Triage Results

Category: chore | Risk: high | Priority: 45/100

Scores Breakdown

  • Impact: 20/50 - Infrastructure/tooling update
  • Urgency: 15/30 - 0 days old, 0 comments
  • Quality: 10/20 - Description: good, CI: unknown

📋 Recommended Action: defer

Low impact or work in progress

Note: High risk due to large change scope (711 additions across 7 files). Ensure thorough testing before merge.


Triaged by PR Triage Agent on 2026-01-29

AI generated by PR Triage Agent

Copilot AI changed the title [WIP] Create helper script for dynamic library detection and mounting Add dynamic library dependency detection for AWF container mounts Jan 29, 2026
Copilot AI requested a review from pelikhan January 29, 2026 06:29
@github-actions

🔍 PR Triage Results

Category: feature | Risk: high | Priority: 50/100

Scores Breakdown

  • Impact: 30/50 - Library dependency detection for container mounts
  • Urgency: 10/30 - 2 days old
  • Quality: 10/20 - Draft status, CI pending

📋 Recommended Action: batch_review

Part of Batch #2: Feature Additions (batch-feature-001). Related to PRs #12459, #12444 for container mount functionality.


Triaged by PR Triage Agent on 2026-01-31 | Run #21540069309

AI generated by PR Triage Agent

@github-actions

🔍 PR Triage Results

Category: feature | Risk: high | Priority: 60/100

Scores Breakdown

  • Impact: 35/50 - Feature with high risk level
  • Urgency: 10/30 - Recent PR (2 days), CI pending
  • Quality: 15/20 - CI pending, Draft status

📋 Recommended Action: Batch Review

This PR is recommended for batch review with similar PRs.

📦 Batch Processing

This PR is part of batch-feature-001 with 3 other PR(s): #12130, #12459, #12698

Consider reviewing these PRs together for consistency and efficiency.


Triaged by PR Triage Agent on 2026-01-31 12:17 UTC
See full report: PR Triage Discussion

AI generated by PR Triage Agent
