Skip to content

fix: MCP gateway ARC/DinD support — DOCKER_HOST propagation, TCP socket, K8s cgroup ID detection#4814

Merged
lpcox merged 2 commits intomainfrom
copilot/fix-mcp-gateway-arc-runners
Apr 29, 2026
Merged

fix: MCP gateway ARC/DinD support — DOCKER_HOST propagation, TCP socket, K8s cgroup ID detection#4814
lpcox merged 2 commits intomainfrom
copilot/fix-mcp-gateway-arc-runners

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Apr 29, 2026
edited
Loading

On ARC self-hosted runners using Docker-in-Docker sidecars, the MCP gateway fails at startup due to three bugs: Kubernetes pod names in cgroups triggering a confusing WARN, TCP DOCKER_HOST values being stat'd as socket paths, and the gateway container launched without DOCKER_HOST or the correct socket mount/GID.

run_containerized.sh

  • Drop WARN for non-hex container IDs: Kubernetes cgroup entries contain pod names (arc-gaw-xzpj8-runner-8lthc), not Docker hex IDs. validate_container_id silently returns false for these — no log noise.
  • TCP Docker host support in check_docker_socket: DOCKER_HOST=tcp://localhost:2375 can't be stat'd as a socket file. Added an early-return path that skips the file existence check and verifies connectivity via docker info only.

All 32 .lock.yml workflow files

The MCP_GATEWAY_DOCKER_COMMAND previously hardcoded /var/run/docker.sock for both the volume mount and GID detection, and never passed -e DOCKER_HOST. Replaced with a dynamic detection block:

_MCP_GW_SOCK="${DOCKER_HOST:-}"
if [ -z "${_MCP_GW_SOCK}" ] || echo "${_MCP_GW_SOCK}" | grep -q '^unix://'; then
  _MCP_GW_SOCK="${_MCP_GW_SOCK#unix://}"
  _MCP_GW_SOCK="${_MCP_GW_SOCK:-/var/run/docker.sock}"
  DOCKER_SOCK_GID=$(stat -c '%g' "${_MCP_GW_SOCK}" 2>/dev/null || echo '0')
  _MCP_GW_SOCK_MOUNT="-v ${_MCP_GW_SOCK}:${_MCP_GW_SOCK}"
else
  # TCP Docker host — no socket file to mount
  DOCKER_SOCK_GID='0'
  _MCP_GW_SOCK_MOUNT=""
fi
_MCP_GW_DOCKER_HOST_FLAG=""
if [ -n "${DOCKER_HOST:-}" ]; then _MCP_GW_DOCKER_HOST_FLAG="-e DOCKER_HOST"; fi

The gateway container's docker run command then uses '"${_MCP_GW_DOCKER_HOST_FLAG}"' '"${_MCP_GW_SOCK_MOUNT}"' in place of the hardcoded -v /var/run/docker.sock:/var/run/docker.sock, correctly handling standard GitHub-hosted, ARC unix-socket, and ARC TCP-DinD setups.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • example.com
    • Triggering command: /tmp/go-build3017819353/b513/launcher.test /tmp/go-build3017819353/b513/launcher.test -test.testlogfile=/tmp/go-build3017819353/b513/testlog.txt -test.paniconexit0 -test.timeout=10m0s 0530�� .cfg elemetry.io/otel-ifaceassert x_amd64/vet . --gdwarf2 --64 x_amd64/vet 0530�� .cfg aw-mcpg/internal/proxy/graphql_rewrite.go x_amd64/vet --gdwarf-5 .io/otel/exporte--version -o x_amd64/vet (dns block)
  • invalid-host-that-does-not-exist-12345.com
    • Triggering command: /tmp/go-build3017819353/b495/config.test /tmp/go-build3017819353/b495/config.test -test.testlogfile=/tmp/go-build3017819353/b495/testlog.txt -test.paniconexit0 -test.timeout=10m0s /tmp/go-build3017819353/b393/vet.cfg /idna/go118.go /idna/idna10.0.0.go x_amd64/vet --gdwarf-5 --64 -o x_amd64/vet -I g_.a om/tetratelabs/w-ifaceassert x_amd64/vet --gdwarf-5 dns -o x_amd64/vet (dns block)
  • nonexistent.local
    • Triggering command: /tmp/go-build3017819353/b513/launcher.test /tmp/go-build3017819353/b513/launcher.test -test.testlogfile=/tmp/go-build3017819353/b513/testlog.txt -test.paniconexit0 -test.timeout=10m0s 0530�� .cfg elemetry.io/otel-ifaceassert x_amd64/vet . --gdwarf2 --64 x_amd64/vet 0530�� .cfg aw-mcpg/internal/proxy/graphql_rewrite.go x_amd64/vet --gdwarf-5 .io/otel/exporte--version -o x_amd64/vet (dns block)
  • slow.example.com
    • Triggering command: /tmp/go-build3017819353/b513/launcher.test /tmp/go-build3017819353/b513/launcher.test -test.testlogfile=/tmp/go-build3017819353/b513/testlog.txt -test.paniconexit0 -test.timeout=10m0s 0530�� .cfg elemetry.io/otel-ifaceassert x_amd64/vet . --gdwarf2 --64 x_amd64/vet 0530�� .cfg aw-mcpg/internal/proxy/graphql_rewrite.go x_amd64/vet --gdwarf-5 .io/otel/exporte--version -o x_amd64/vet (dns block)
  • this-host-does-not-exist-12345.com
    • Triggering command: /tmp/go-build3017819353/b522/mcp.test /tmp/go-build3017819353/b522/mcp.test -test.testlogfile=/tmp/go-build3017819353/b522/testlog.txt -test.paniconexit0 -test.timeout=10m0s -W .cfg olang.org/protobuf@v1.36.11/internal/encoding/json/decode_number.go x_amd64/vet . --gdwarf2 --64 x_amd64/vet .cfg�� 0530991/b396/_pkg_.a pkg/mod/go.opentelemetry.io/otel/sdk@v1.43.0/instrumentation/libgithub.com/grpc-ecosystem/grpc-g-qE x_amd64/vet e.go g/grpc/codes -o x_amd64/vet (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI linked an issue Apr 29, 2026 that may be closed by this pull request
bug: MCP gateway fails on ARC self-hosted runners — DOCKER_HOST not propagated, container ID detection fails #4795
Closed
@lpcox
fix: ARC self-hosted runner support — DOCKER_HOST propagation, TCP so…
343361c 
…cket, container ID detection

- Remove confusing WARN for non-hex container ID formats (K8s pod names)
  on ARC/containerd environments in run_containerized.sh
- Add TCP Docker host support in check_docker_socket (handles
  DOCKER_HOST=tcp://... used in ARC/DinD sidecar setups)
- Update all 32 .lock.yml workflow files to:
  - Auto-detect Docker socket GID from actual DOCKER_HOST path
  - Dynamically compute socket volume mount from DOCKER_HOST
  - Propagate DOCKER_HOST env var into the gateway container

Agent-Logs-Url: https://github.com/github/gh-aw-mcpg/sessions/da0f6a11-7020-43a8-b9a8-48b483ea9c10

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix MCP gateway failure on ARC self-hosted runners fix: MCP gateway ARC/DinD support — DOCKER_HOST propagation, TCP socket, K8s cgroup ID detection Apr 29, 2026
Copilot AI requested a review from lpcox April 29, 2026 16:52
@lpcox lpcox marked this pull request as ready for review April 29, 2026 17:27
Copilot AI review requested due to automatic review settings April 29, 2026 17:27
@lpcox lpcox merged commit 3b02450 into main Apr 29, 2026
16 checks passed
@lpcox lpcox deleted the copilot/fix-mcp-gateway-arc-runners branch April 29, 2026 17:27
@github-actions github-actions Bot mentioned this pull request Apr 29, 2026
Closed
Copilot AI reviewed Apr 29, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Improves MCP gateway startup and GitHub Actions container launch behavior on ARC self-hosted runners (including Docker-in-Docker setups) by correctly handling non-Docker cgroup IDs, TCP DOCKER_HOST values, and propagating Docker connectivity settings into the gateway container.

Changes:

  • run_containerized.sh: stop warning on non-hex “container IDs” (common on Kubernetes/containerd) and add TCP DOCKER_HOST support in the Docker daemon accessibility check.
  • Workflow *.lock.yml: dynamically derive the Unix socket mount/GID from DOCKER_HOST (when applicable) and propagate DOCKER_HOST into the gateway container; skip socket mounts for TCP daemons.
  • Workflow container command construction updated across all lock workflows to use the detected mount/flags instead of hardcoding /var/run/docker.sock.
Show a summary per file
File Description
run_containerized.sh Adds TCP DOCKER_HOST handling and removes noisy warnings for non-hex IDs from cgroup/hostname detection paths.
.github/workflows/daily-compliance-checker.lock.yml Builds gateway docker run command with dynamic Docker socket mount/GID and optional DOCKER_HOST propagation.
.github/workflows/duplicate-code-detector.lock.yml Same dynamic Docker connectivity handling for gateway container launch.
.github/workflows/gateway-issue-dispatcher.lock.yml Same dynamic Docker connectivity handling for gateway container launch.
.github/workflows/ghcr-download-tracker.lock.yml Same dynamic Docker connectivity handling for gateway container launch.
.github/workflows/github-mcp-guard-coverage-checker.lock.yml Same dynamic Docker connectivity handling for gateway container launch.
.github/workflows/go-fan.lock.yml Same dynamic Docker connectivity handling for gateway container launch.
.github/workflows/go-logger.lock.yml Same dynamic Docker connectivity handling for gateway container launch.
.github/workflows/gpl-dependency-checker.lock.yml Same dynamic Docker connectivity handling for gateway container launch.
.github/workflows/guard-status-tracker.lock.yml Same dynamic Docker connectivity handling for gateway container launch.
.github/workflows/integrity-filtering-audit.lock.yml Same dynamic Docker connectivity handling for gateway container launch.
.github/workflows/issue-monster.lock.yml Same dynamic Docker connectivity handling for gateway container launch.
.github/workflows/large-payload-tester.lock.yml Same dynamic Docker connectivity handling for gateway container launch.
.github/workflows/mcp-gateway-log-analyzer.lock.yml Same dynamic Docker connectivity handling for gateway container launch.
.github/workflows/nightly-docs-reconciler.lock.yml Same dynamic Docker connectivity handling for gateway container launch.
.github/workflows/nightly-schema-updater.lock.yml Same dynamic Docker connectivity handling for gateway container launch.
.github/workflows/nightly-workflow-compiler.lock.yml Same dynamic Docker connectivity handling for gateway container launch.
.github/workflows/plan.lock.yml Same dynamic Docker connectivity handling for gateway container launch.
.github/workflows/release.lock.yml Same dynamic Docker connectivity handling for gateway container launch.
.github/workflows/repo-assist.lock.yml Same dynamic Docker connectivity handling for gateway container launch.
.github/workflows/rust-guard-improver.lock.yml Same dynamic Docker connectivity handling for gateway container launch.
.github/workflows/semantic-function-refactor.lock.yml Same dynamic Docker connectivity handling for gateway container launch.
.github/workflows/smoke-allowonly.lock.yml Same dynamic Docker connectivity handling for gateway container launch.
.github/workflows/smoke-copilot.lock.yml Same dynamic Docker connectivity handling for gateway container launch.
.github/workflows/smoke-otel-tracing.lock.yml Same dynamic Docker connectivity handling for gateway container launch.
.github/workflows/smoke-proxy-github-script.lock.yml Same dynamic Docker connectivity handling for gateway container launch.
.github/workflows/smoke-safeoutputs-discussions.lock.yml Same dynamic Docker connectivity handling for gateway container launch.
.github/workflows/smoke-safeoutputs-issues.lock.yml Same dynamic Docker connectivity handling for gateway container launch.
.github/workflows/smoke-safeoutputs-labels.lock.yml Same dynamic Docker connectivity handling for gateway container launch.
.github/workflows/smoke-safeoutputs-prs.lock.yml Same dynamic Docker connectivity handling for gateway container launch.
.github/workflows/smoke-safeoutputs-reviews.lock.yml Same dynamic Docker connectivity handling for gateway container launch.
.github/workflows/test-coverage-improver.lock.yml Same dynamic Docker connectivity handling for gateway container launch.
.github/workflows/test-improver.lock.yml Same dynamic Docker connectivity handling for gateway container launch.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 33/33 changed files
  • Comments generated: 2

Comment thread .github/workflows/daily-compliance-checker.lock.yml
fi
_MCP_GW_DOCKER_HOST_FLAG=""
if [ -n "${DOCKER_HOST:-}" ]; then _MCP_GW_DOCKER_HOST_FLAG="-e DOCKER_HOST"; fi
export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --add-host host.docker.internal:127.0.0.1 --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' '"${_MCP_GW_DOCKER_HOST_FLAG}"' '"${_MCP_GW_SOCK_MOUNT}"' -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.2.30'
Copy link

Copilot AI Apr 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When DOCKER_HOST is TCP, this sets DOCKER_SOCK_GID='0' and still passes --group-add ${DOCKER_SOCK_GID} into the gateway container. That unintentionally adds the root (GID 0) group to the container user, which is unnecessary for TCP and increases privileges. Consider conditionally omitting --group-add when there is no Unix socket mount / when the detected GID is 0 (e.g., build a GROUP_ADD_FLAG only when DOCKER_SOCK_GID is non-zero).

Suggested change
export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --add-host host.docker.internal:127.0.0.1 --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' '"${_MCP_GW_DOCKER_HOST_FLAG}"' '"${_MCP_GW_SOCK_MOUNT}"' -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.2.30'
_MCP_GW_GROUP_ADD_FLAG=""
if [ "${DOCKER_SOCK_GID}" != "0" ]; then _MCP_GW_GROUP_ADD_FLAG="--group-add ${DOCKER_SOCK_GID}"; fi
export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --add-host host.docker.internal:127.0.0.1 --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' '"${_MCP_GW_GROUP_ADD_FLAG}"' '"${_MCP_GW_DOCKER_HOST_FLAG}"' '"${_MCP_GW_SOCK_MOUNT}"' -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.2.30'

Copilot uses AI. Check for mistakes.
Comment thread .github/workflows/test-improver.lock.yml
Comment on lines +640 to +644
_MCP_GW_SOCK_MOUNT=""
fi
_MCP_GW_DOCKER_HOST_FLAG=""
if [ -n "${DOCKER_HOST:-}" ]; then _MCP_GW_DOCKER_HOST_FLAG="-e DOCKER_HOST"; fi
export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --add-host host.docker.internal:127.0.0.1 --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' '"${_MCP_GW_DOCKER_HOST_FLAG}"' '"${_MCP_GW_SOCK_MOUNT}"' -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.2.30'
Copy link

Copilot AI Apr 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the TCP DOCKER_HOST branch, DOCKER_SOCK_GID is forced to '0' but the constructed MCP_GATEWAY_DOCKER_COMMAND still always includes --group-add ${DOCKER_SOCK_GID}. This will add the root group to the container user even though no Docker socket file is mounted, which is unnecessary and broadens permissions inside the container. Suggest building --group-add as an optional flag only when a Unix socket path was resolved and the stat-derived GID is non-zero.

Copilot uses AI. Check for mistakes.
@github-actions github-actions Bot mentioned this pull request Apr 29, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@lpcox lpcox Awaiting requested review from lpcox

Assignees

@lpcox lpcox

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

bug: MCP gateway fails on ARC self-hosted runners — DOCKER_HOST not propagated, container ID detection fails

3 participants

@lpcox