feat(docker): pre-seed Maven/Gradle/sbt proxy config in agent container#991
feat(docker): pre-seed Maven/Gradle/sbt proxy config in agent container#991
Conversation
Java build tools do not honor HTTP_PROXY/HTTPS_PROXY env vars and need explicit proxy configuration. Pre-seed these files in the container entrypoint so JVM-based builds work automatically: - ~/.m2/settings.xml (Maven proxy) - ~/.gradle/gradle.properties (Gradle proxy) - JAVA_TOOL_OPTIONS with proxy JVM flags (sbt/generic Java) This unblocks Java, Kotlin, Clojure, and Scala builds without requiring the agent to discover the proxy configuration. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
✅ Coverage Check PassedOverall Coverage
📁 Per-file Coverage Changes (1 files)
Coverage comparison generated by |
There was a problem hiding this comment.
Pull request overview
This PR aims to improve Java ecosystem build reliability inside the AWF agent container by automatically pre-seeding proxy configuration for common JVM build tools that don’t consistently honor HTTP_PROXY/HTTPS_PROXY.
Changes:
- Create
~/.m2/settings.xmlwith Maven proxy settings during agent container startup. - Create
~/.gradle/gradle.propertieswith Gradle proxy settings during agent container startup. - Append JVM proxy
-Dflags toJAVA_TOOL_OPTIONSfor sbt and other JVM tools.
Comments suppressed due to low confidence (1)
containers/agent/entrypoint.sh:215
- This overwrites ~/.gradle/gradle.properties unconditionally, which may clobber existing Gradle configuration (e.g., org.gradle.jvmargs, build cache settings, private repo credentials). Safer options are: only create if missing, or append/update just the proxy-related systemProp keys when they aren't already set.
# Gradle proxy config (~/.gradle/gradle.properties)
mkdir -p "${JVM_HOME_PREFIX}/.gradle"
cat > "${JVM_HOME_PREFIX}/.gradle/gradle.properties" << GRADLE_EOF
systemProp.http.proxyHost=${PROXY_HOST}
systemProp.http.proxyPort=${PROXY_PORT}
systemProp.https.proxyHost=${PROXY_HOST}
systemProp.https.proxyPort=${PROXY_PORT}
GRADLE_EOF
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
containers/agent/entrypoint.sh
Outdated
| # Extract proxy host and port from HTTP_PROXY (format: http://IP:PORT) | ||
| PROXY_HOST="${HTTP_PROXY#http://}" | ||
| PROXY_HOST="${PROXY_HOST%:*}" | ||
| PROXY_PORT="${SQUID_PROXY_PORT:-3128}" | ||
|
|
There was a problem hiding this comment.
The proxy host extraction from HTTP_PROXY is brittle (doesn't handle https:// scheme, credentials like user:pass@, IPv6, or paths) and ignores the actual port embedded in HTTP_PROXY. Since the agent env already provides SQUID_PROXY_HOST/SQUID_PROXY_PORT, prefer using those directly (or parse HTTP_PROXY more robustly) so the generated configs always point at the intended proxy.
| # Extract proxy host and port from HTTP_PROXY (format: http://IP:PORT) | |
| PROXY_HOST="${HTTP_PROXY#http://}" | |
| PROXY_HOST="${PROXY_HOST%:*}" | |
| PROXY_PORT="${SQUID_PROXY_PORT:-3128}" | |
| # Determine proxy host and port for JVM tools. | |
| # Prefer SQUID_PROXY_HOST/SQUID_PROXY_PORT if provided; otherwise, parse HTTP_PROXY robustly. | |
| if [ -n "$SQUID_PROXY_HOST" ] && [ -n "$SQUID_PROXY_PORT" ]; then | |
| PROXY_HOST="$SQUID_PROXY_HOST" | |
| PROXY_PORT="$SQUID_PROXY_PORT" | |
| else | |
| PROXY_INFO="$(python3 - << 'PYEOF' | |
| import os, sys | |
| from urllib.parse import urlparse | |
| url = os.environ.get("HTTP_PROXY") or os.environ.get("http_proxy") | |
| if not url: | |
| sys.exit(1) | |
| if "://" not in url: | |
| url = "http://" + url | |
| parsed = urlparse(url) | |
| host = parsed.hostname or "" | |
| port = parsed.port or 3128 | |
| if not host: | |
| sys.exit(1) | |
| print(f"{host}:{port}") | |
| PYEOF | |
| )" || PROXY_INFO="" | |
| PROXY_HOST="${PROXY_INFO%:*}" | |
| PROXY_PORT="${PROXY_INFO##*:}" | |
| fi |
There was a problem hiding this comment.
Addressed. Now preferring SQUID_PROXY_HOST/SQUID_PROXY_PORT directly (set by docker-manager.ts), with a more robust fallback parser that handles https://, credentials (user:pass@), and defaults the port. Avoided the Python approach to keep the entrypoint dependency-free.
| # Maven proxy config (~/.m2/settings.xml) | ||
| mkdir -p "${JVM_HOME_PREFIX}/.m2" | ||
| cat > "${JVM_HOME_PREFIX}/.m2/settings.xml" << MAVEN_EOF | ||
| <settings> |
There was a problem hiding this comment.
This always overwrites ~/.m2/settings.xml on container start, which can destroy user/workflow-provided Maven settings (mirrors, repositories, auth, profiles). Consider creating the file only if it doesn't exist, or updating it in a way that preserves existing settings while ensuring the awf proxy entries are present.
This issue also appears on line 208 of the same file.
There was a problem hiding this comment.
Addressed. Both Maven settings.xml and Gradle gradle.properties are now only created if the file does not already exist (if [ ! -f ... ]), preserving any user-provided configuration (mirrors, repositories, auth, profiles, jvmargs, etc.).
containers/agent/entrypoint.sh
Outdated
| export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS:-} -Dhttp.proxyHost=${PROXY_HOST} -Dhttp.proxyPort=${PROXY_PORT} -Dhttps.proxyHost=${PROXY_HOST} -Dhttps.proxyPort=${PROXY_PORT}" | ||
| echo "[entrypoint] ✓ Set JAVA_TOOL_OPTIONS with proxy flags" |
There was a problem hiding this comment.
JAVA_TOOL_OPTIONS sets JVM proxy properties but doesn't set http.nonProxyHosts/https.nonProxyHosts, so JVM tools may attempt to proxy localhost/127.0.0.1 (and other bypass targets listed in NO_PROXY), which can break tests that talk to local services. Consider deriving Java nonProxyHosts from the existing NO_PROXY/no_proxy env (converting comma-separated hosts into Java's '|' pattern) and including it here.
| export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS:-} -Dhttp.proxyHost=${PROXY_HOST} -Dhttp.proxyPort=${PROXY_PORT} -Dhttps.proxyHost=${PROXY_HOST} -Dhttps.proxyPort=${PROXY_PORT}" | |
| echo "[entrypoint] ✓ Set JAVA_TOOL_OPTIONS with proxy flags" | |
| NON_PROXY_RAW="${NO_PROXY:-${no_proxy}}" | |
| if [ -n "$NON_PROXY_RAW" ]; then | |
| # Convert comma-separated NO_PROXY to Java's '|' separated nonProxyHosts format | |
| NON_PROXY_HOSTS=$(printf '%s' "$NON_PROXY_RAW" | tr ',' '|' | tr -d ' ') | |
| export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS:-} -Dhttp.proxyHost=${PROXY_HOST} -Dhttp.proxyPort=${PROXY_PORT} -Dhttps.proxyHost=${PROXY_HOST} -Dhttps.proxyPort=${PROXY_PORT} -Dhttp.nonProxyHosts=${NON_PROXY_HOSTS} -Dhttps.nonProxyHosts=${NON_PROXY_HOSTS}" | |
| echo "[entrypoint] ✓ Set JAVA_TOOL_OPTIONS with proxy and nonProxyHosts flags" | |
| else | |
| export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS:-} -Dhttp.proxyHost=${PROXY_HOST} -Dhttp.proxyPort=${PROXY_PORT} -Dhttps.proxyHost=${PROXY_HOST} -Dhttps.proxyPort=${PROXY_PORT}" | |
| echo "[entrypoint] ✓ Set JAVA_TOOL_OPTIONS with proxy flags" | |
| fi |
There was a problem hiding this comment.
Addressed. Now reading NO_PROXY/no_proxy env var, converting the comma-separated list to Java's pipe-separated nonProxyHosts format, and including both -Dhttp.nonProxyHosts and -Dhttps.nonProxyHosts in JAVA_TOOL_OPTIONS. This prevents JVM tools from proxying localhost, 127.0.0.1, and the other bypass targets set by docker-manager.ts.
🦀 Rust Build Test Results
Overall: ✅ PASS
|
Deno Build Test Results
Overall: ✅ PASS Test outputoak:
|
|
🤖 Smoke test results for ✅ GitHub MCP — Last 2 merged PRs: #981 "docs: add releasing.md link to CLAUDE.md", #977 "fix: add iptables bypass for container self-traffic" Overall: PASS
|
Go Build Test Results
Overall: PASS
|
.NET Build Test Results
Overall: PASS Run outputhello-world: json-parse:
|
Smoke Test Results
Overall: PASS
|
Bun Build Test Results
Overall: PASS ✅ Tested with Bun v1.3.9
|
C++ Build Test Results
Overall: PASS
|
|
PR titles:
|
Java Build Test Results
Overall: PASS ✅
|
Node.js Build Test Results
Overall: ✅ PASS
|
Chroot Version Comparison Results
Result: Some versions differ between host and chroot. Go matches, but Python and Node.js versions differ. The chroot environment uses the system-installed versions from the Ubuntu image, while the host runner has newer versions.
|
- Use SQUID_PROXY_HOST/SQUID_PROXY_PORT directly instead of brittle HTTP_PROXY parsing; keep improved fallback that handles https://, credentials, and IPv6 - Only create Maven settings.xml and Gradle gradle.properties if they don't already exist, to avoid clobbering user-provided configuration - Derive Java nonProxyHosts from NO_PROXY env var (comma-to-pipe conversion) so JVM tools don't attempt to proxy localhost/127.0.0.1 traffic Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
Addressed all review comments in commit 2d8ac64. Changes:
All unit tests pass (795/795). No TypeScript changes in this commit (entrypoint.sh only). |
Mossaka
changed the title
Rust Build Test Results
Overall: ✅ PASS
|
Build Test: Bun ✅
Overall: PASS Bun version:
|
Build Test: Node.js ✅
Overall: PASS
|
Build Test: Deno Results
Overall: ✅ PASS
|
|
Merged PRs: docs: update runner and architecture compatibility; chore: remove _codeql_detected_source_root
|
|
Smoke Test Results ✅ GitHub MCP: #992 docs: update runner and architecture compatibility, #980 chore(deps): bump the all-github-actions group Overall: PASS
|
.NET Build Test Results
Overall: PASS ✅ Run Outputhello-world:
|
C++ Build Test Results
Overall: PASS
|
Go Build Test Results
Overall: ✅ PASS
|
Java Build Test Results
Overall: PASS ✅
|
Chroot Version Comparison Results
Overall: ❌ Not all tests passed — Python and Node.js versions differ between host and chroot environments.
|
Smoke Test Results — Copilot Engine
Overall: PASS (1 expected ❌ — Playwright blocked by firewall) PR author:
|
Summary
HTTP_PROXY/HTTPS_PROXYenv varsChanges
~/.m2/settings.xml— Maven proxy pointing to Squid proxy~/.gradle/gradle.properties— Gradle system proxy propertiesJAVA_TOOL_OPTIONS— JVM proxy flags for sbt and generic Java toolsKey implementation details:
HTTP_PROXYenv var (supports randomized subnets)/host$HOME/in chroot mode,$HOME/otherwise)awfuserfor correct permissionsImpact
From the AWF build/test experiment v4 (173 repos, 19 languages):
The 3 Java repos that succeeded (gson, jackson-databind, HikariCP) did so because the Copilot agent independently discovered Maven proxy settings. Making this automatic eliminates the inconsistency.
Test plan
🤖 Generated with Claude Code