feat(agentsh): add agentsh execution-layer security Dev Container Feature #35
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Test Dev Container Features" | |
| on: | |
| push: | |
| branches: [main] | |
| paths: | |
| - "src/**" | |
| - "test/**" | |
| pull_request: | |
| branches: [main] | |
| paths: | |
| - "src/**" | |
| - "test/**" | |
| workflow_dispatch: | |
| jobs: | |
| test-autogenerated: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - feature: ai-clis | |
| baseImage: mcr.microsoft.com/devcontainers/javascript-node:22 | |
| - feature: modern-cli-tools | |
| baseImage: mcr.microsoft.com/devcontainers/base:ubuntu | |
| - feature: node-dev-tools | |
| baseImage: mcr.microsoft.com/devcontainers/javascript-node:22 | |
| - feature: rust-dev-tools | |
| baseImage: mcr.microsoft.com/devcontainers/rust:latest | |
| - feature: github-actions-tools | |
| baseImage: mcr.microsoft.com/devcontainers/base:ubuntu | |
| - feature: python-tools | |
| baseImage: mcr.microsoft.com/devcontainers/python:latest | |
| # NOTE: agentsh is intentionally NOT in the autogenerated matrix. | |
| # Its production default replaces /bin/sh with the agentsh shim, but | |
| # `devcontainer features test` bootstraps every container through | |
| # /bin/sh, so a shimmed default container cannot start under the | |
| # harness. agentsh install/config/policy behavior is covered by the | |
| # scenario tests below (which set installShellShims=false), and real | |
| # shim mediation + REST auth are covered by the dedicated Docker | |
| # integration jobs (agentsh-shim-integration, agentsh-rest-auth). | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: "22" | |
| - name: Install DevContainer CLI | |
| run: npm install -g @devcontainers/cli | |
| - name: Run auto-generated tests | |
| run: devcontainer features test --features ${{ matrix.feature }} --base-image ${{ matrix.baseImage }} . | |
| test-scenarios: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| feature: | |
| - ai-clis | |
| - modern-cli-tools | |
| - node-dev-tools | |
| - rust-dev-tools | |
| - github-actions-tools | |
| - python-tools | |
| - agentsh | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: "22" | |
| - name: Install DevContainer CLI | |
| run: npm install -g @devcontainers/cli | |
| - name: Run scenario tests | |
| run: devcontainer features test --features ${{ matrix.feature }} --skip-autogenerated . | |
| shellcheck-agentsh: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Run shellcheck for agentsh scripts | |
| run: shellcheck src/agentsh/install.sh src/agentsh/install-main.sh src/agentsh/scripts/start-server.sh test/agentsh/integration/shim_integration_test.sh test/agentsh/integration/rest_auth_test.sh test/agentsh/integration/overlay_test.sh | |
| - name: Run policy merge smoke checks | |
| run: test/agentsh/policy_merge_test.sh | |
| # agentsh needs a special CI path: it intentionally changes /bin/sh, while | |
| # `devcontainer features test` uses /bin/sh to bootstrap containers. These | |
| # jobs build the feature image directly with Docker and probe it through the | |
| # unshimmed /bin/sh.real, validating behavior the harness cannot. | |
| agentsh-shim-integration: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Validate real shell-shim mediation | |
| run: test/agentsh/integration/shim_integration_test.sh | |
| - name: Validate policy overlay selection and self-protection | |
| run: test/agentsh/integration/overlay_test.sh | |
| agentsh-rest-auth: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Validate external REST API key authentication | |
| run: test/agentsh/integration/rest_auth_test.sh | |
| agentsh-release-architecture: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| platform: | |
| - linux/amd64 | |
| - linux/arm64 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Document architecture validation strategy | |
| run: | | |
| echo "agentsh release validation target: ${{ matrix.platform }}" | |
| echo "Native arm64 GitHub-hosted runners are used when available; otherwise maintainers must validate with Docker buildx/QEMU before publish." | |
| test-global: | |
| runs-on: ubuntu-latest | |
| continue-on-error: true | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: "22" | |
| - name: Install DevContainer CLI | |
| run: npm install -g @devcontainers/cli | |
| - name: Run global scenario tests | |
| run: devcontainer features test --global-scenarios-only . |