Problem
The agent harness rebuilds PATH by prepending every */bin directory found under /opt/hostedtoolcache via a blunt find command. This discards the version ordering already established by $GITHUB_PATH from setup-* actions (e.g., ruby/setup-ruby). The wrong Ruby version wins the PATH race, causing bundle exec to fail with a version mismatch on the first invocation. The agent then spends 6+ tool calls diagnosing before manually prepending the correct toolcache bin on every subsequent Ruby command.
Context
Original report: github/gh-aw#32044
Versions: gh-aw-firewall v0.25.41, engine copilot/claude-sonnet-4.6, ruby/setup-ruby@v1.307.0.
Root Cause
In containers/agent/entrypoint.sh, the sandbox PATH-rebuild logic uses:
export PATH="$(find /opt/hostedtoolcache /home/runner/work/_tool -maxdepth 4 -type d -name bin | tr '\n' ':')$PATH"
This prepends all discovered bin dirs in filesystem traversal order, overriding the toolchain priority already written to $GITHUB_PATH by setup-* actions (gh-aw-firewall#1359 propagates $GITHUB_PATH, but this find prepend runs after and clobbers it).
Proposed Solution
In containers/agent/entrypoint.sh, skip the find-prepend when $GITHUB_PATH is non-empty, or append discovered bins after $PATH rather than prepending them. This preserves setup-* action priority while still making other toolcache bins available.
Generated by Firewall Issue Dispatcher · ● 8.1M · ◷
Problem
The agent harness rebuilds
PATHby prepending every*/bindirectory found under/opt/hostedtoolcachevia a bluntfindcommand. This discards the version ordering already established by$GITHUB_PATHfromsetup-*actions (e.g.,ruby/setup-ruby). The wrong Ruby version wins thePATHrace, causingbundle execto fail with a version mismatch on the first invocation. The agent then spends 6+ tool calls diagnosing before manually prepending the correct toolcache bin on every subsequent Ruby command.Context
Original report: github/gh-aw#32044
Versions: gh-aw-firewall v0.25.41, engine copilot/claude-sonnet-4.6,
ruby/setup-ruby@v1.307.0.Root Cause
In
containers/agent/entrypoint.sh, the sandbox PATH-rebuild logic uses:This prepends all discovered
bindirs in filesystem traversal order, overriding the toolchain priority already written to$GITHUB_PATHbysetup-*actions (gh-aw-firewall#1359 propagates$GITHUB_PATH, but thisfindprepend runs after and clobbers it).Proposed Solution
In
containers/agent/entrypoint.sh, skip thefind-prepend when$GITHUB_PATHis non-empty, or append discovered bins after$PATHrather than prepending them. This preservessetup-*action priority while still making other toolcache bins available.