fix(sandbox): mount GOMODCACHE read-only so air-gapped analysis resolves deps #26
Merged
The Semantic Analysis check failed on every PR for two reasons:

1. setup-go installed Go 1.24, but go.mod requires 1.26.3, and sfw runs the loader with GOTOOLCHAIN=local -- so `go list` refused: "go.mod requires go >= 1.26.3 (running go 1.24.13; GOTOOLCHAIN=local)". Use go-version-file: go.mod so CI installs exactly what go.mod requires.
2. BLOCKER mode (fail on ANY semantic change) was applied to every pull_request, so intentional feature changes failed with "Logic change detected in safe refactor!". BLOCKER is now opt-in via a 'semantic-safe' label; all other PRs run in 'check' mode (report the diff, don't fail).

Also drop the dead vendoring + GOFLAGS=-mod=vendor (GetHardenedEnv strips GOFLAGS and forces -mod=readonly, so vendoring never took effect), and print sfw's actual error on failure instead of swallowing it.
8d9f3e8 to c6f9f56
Problem

The Semantic Analysis check fails on every PR that touches the analysis engine (#21 and #24 were merged over it). It's a false-fail, not a code defect.

Root cause (confirmed empirically): the sandbox mounts GOROOT and GOCACHE read-only but forces GOPATH=/tmp/gopath, so the module cache is empty inside the air gap. With GOPROXY=off and sfw's hardened -mod=readonly, any file importing an external module (golang.org/x/tools/go/ssa, pebble, …) can't build SSA, so sfw diff errors on it. The CI's vendoring workaround never took effect because GetHardenedEnv() strips inherited GOFLAGS and force-sets -mod=readonly, which ignores vendor/.

Fix

Mirror the existing GOCACHE handling for GOMODCACHE: bind-mount the host module cache read-only at /gomodcache and point GOMODCACHE at it. GetHardenedEnv() preserves the inherited GOMODCACHE, so packages.Load resolves dependencies from the mounted cache while GOPROXY=off keeps the air gap intact. This completes the GOMODCACHE handling that resolveGoToolchain's doc comment already promised.

- internal/sandbox/manager.go — resolve + mount GOMODCACHE read-only; reserve /gomodcache.
- internal/sandbox/manager_test.go — assert the mount + env appear in the generated spec.
- .github/workflows/semantic_analysis.yml — drop the now-dead vendoring + GOFLAGS=-mod=vendor; prime the base worktree's module graph so go.mod-changing PRs resolve on both sides.

Validation

- failed to build SSA; vendoring does not rescue it).
- go build ./..., go vet ./..., go test ./internal/sandbox/ all pass.
- sfw with the fix, so its own Semantic Analysis run exercises the corrected sandbox.

Security

No reduction in isolation — the module cache is mounted read-only, the GOPROXY=off air gap is preserved, and there is no new network or write surface. Same posture as the existing GOCACHE mount.
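Added illustration of the mechanism the PR description relies on; this is not sfw's own code, and Mount, hardenedEnv and modCacheMount are hypothetical names. It shows why an inherited GOFLAGS=-mod=vendor never reaches the loader (it is dropped and -mod=readonly forced), why GOMODCACHE does survive, and what a read-only bind-mount spec for the host module cache looks like; the host cache path is resolved with `go env GOMODCACHE`.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// Mount is a minimal bind-mount spec (hypothetical type, not sfw's own).
type Mount struct {
	Source, Destination string
	Options             []string
}

// hardenedEnv mirrors what the PR says GetHardenedEnv does: inherited GOFLAGS is
// dropped and -mod=readonly forced (so vendor/ is ignored), GOPROXY=off keeps the
// air gap, and an inherited GOMODCACHE survives, defaulting to the sandbox mount.
func hardenedEnv(inherited []string, modCacheMountPoint string) []string {
	var out []string
	modCache := modCacheMountPoint
	for _, kv := range inherited {
		k, v, _ := strings.Cut(kv, "=")
		switch k {
		case "GOFLAGS", "GOPROXY", "GOPATH", "GOTOOLCHAIN":
			continue // host values are replaced below, never trusted
		case "GOMODCACHE":
			modCache = v // preserved, so the loader finds the mounted cache
			continue
		}
		out = append(out, kv)
	}
	return append(out, "GOFLAGS=-mod=readonly", "GOPROXY=off", "GOTOOLCHAIN=local",
		"GOPATH=/tmp/gopath", "GOMODCACHE="+modCache)
}

// modCacheMount binds the host module cache into the sandbox read-only.
func modCacheMount(hostModCache, dest string) Mount {
	return Mount{Source: hostModCache, Destination: dest, Options: []string{"bind", "ro"}}
}

func main() {
	cache, err := exec.Command("go", "env", "GOMODCACHE").Output()
	if err != nil {
		fmt.Fprintln(os.Stderr, "go env GOMODCACHE:", err)
		os.Exit(1)
	}
	fmt.Printf("%+v\n", modCacheMount(strings.TrimSpace(string(cache)), "/gomodcache"))
	fmt.Println(strings.Join(hardenedEnv(os.Environ(), "/gomodcache"), "\n"))
}
```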