[Repo Assist] fix(run_containerized): skip port mapping validation for host-networked containers#7684

Merged: lpcox merged 2 commits into main from repo-assist/fix-host-network-validation-7647-ac55ac2c319c2393 on Jun 17, 2026

@github-actions

🤖 This PR is from Repo Assist, an automated AI assistant for this repository.

Root Cause

When a container is started with --network host, Docker discards published port mappings and sets NetworkSettings.Ports={}. The existing validate_port_mapping function checks .NetworkSettings.Ports for the port key and a HostPort value. Both checks fail for host-networked containers — even when -p flags are present — causing the gateway to exit with:

[ERROR] Port 8080 is not exposed from the container
[ERROR] Add port mapping: -p :8080

This is environment-dependent: on Docker Desktop the get_container_id call often fails, so the entire validation block is skipped and the issue is invisible. On Linux DinD runners the container ID is discoverable, so the bad validation fires.

Fix

Add a HostConfig.NetworkMode check at the top of validate_port_mapping. If the mode is host, log an informational message and return early — ports are directly accessible on the host interface and no mapping validation is needed. Bridge-networked containers are completely unaffected.

+    local network_mode
+    network_mode=$(docker inspect --format '{{.HostConfig.NetworkMode}}' "$container_id" 2>/dev/null || echo "")
+    if [ "$network_mode" = "host" ]; then
+        log_info "Host network mode detected: port $port is directly accessible on the host (no mapping required)"
+        return 0
+    fi
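
Review bot: the early `return 0` in the `[ "$network_mode" = "host" ]` branch reports success without checking anything about `$port`, while the log line asserts the port "is directly accessible on the host". Because published mappings are discarded in this mode, reachability depends entirely on the address the gateway process binds to, so consider wording the message as "no mapping validation performed" or logging the bind address alongside it. In the assignment, `2>/dev/null || echo ""` turns an inspect failure into an empty mode that falls through to the existing Ports checks; that is the conservative direction, and a one-line comment saying so would keep a later edit from changing it.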

Trade-offs

  • No security impact: we're relaxing a startup check that was already skipped in many environments.
  • No false negatives: host-networked containers genuinely don't need port mapping; the check would always fail spuriously for them.
  • A follow-up could also skip validate_container_config checks that inspect NetworkSettings for host-networked containers if similar issues arise.

Closes #7647

Test Status

⚠️ Infrastructure note: proxy.golang.org is blocked by the environment firewall for this workflow run, preventing go build/go test from running. This is a pre-existing infrastructure constraint affecting all Repo Assist runs — see prior PRs for context. The change is confined to run_containerized.sh; bash -n run_containerized.sh confirms the script has valid syntax.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • proxy.golang.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "proxy.golang.org"

See Network Configuration for more information.

Generated by Repo Assist · 945.8 AIC · ⊞ 50.1K ·
Comment /repo-assist to run again
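
The behaviour described under Root Cause and Fix, as an added example that is not code from this PR or from run_containerized.sh: a stubbed `docker` function returns constructed inspect output for three constructed containers, and the hypothetical functions `ports_published` and `check_port_mapping` show a Ports-only check failing for a host-networked container while a mode-aware check passes it.

```shell
#!/bin/sh
# Constructed stub standing in for the docker CLI so this runs offline.
# It answers the two `docker inspect --format` queries used below for three
# constructed containers: "mapped" (bridge, -p 8080:8080), "unmapped"
# (bridge, no -p) and "hostnet" (--network host, so Ports is {}).
docker() {
    case "$3:$4" in
        *NetworkMode*:hostnet) echo "host" ;;
        *NetworkMode*:*)       echo "bridge" ;;
        *Ports*:mapped)        echo '{"8080/tcp":[{"HostIp":"0.0.0.0","HostPort":"8080"}]}' ;;
        *Ports*:*)             echo '{}' ;;
    esac
}

# Ports-only check (hypothetical name): succeeds only when the port key
# exists in NetworkSettings.Ports and carries a HostPort value.
ports_published() {
    local ports
    ports=$(docker inspect --format '{{json .NetworkSettings.Ports}}' "$1" 2>/dev/null || echo "{}")
    printf '%s' "$ports" | grep -q "\"$2/tcp\":\[{[^]]*\"HostPort\":\"[0-9]"
}

# Mode-aware check (hypothetical name): consult HostConfig.NetworkMode first
# and fall back to the Ports check for every other mode, including the
# empty string produced when inspect fails.
check_port_mapping() {
    local mode
    mode=$(docker inspect --format '{{.HostConfig.NetworkMode}}' "$1" 2>/dev/null || echo "")
    if [ "$mode" = "host" ]; then
        echo "host-network"
        return 0
    fi
    if ports_published "$1" "$2"; then
        echo "mapped"
        return 0
    fi
    echo "missing"
    return 1
}

# Compare both checks across the three constructed containers.
for c in mapped unmapped hostnet; do
    if ports_published "$c" 8080; then old=pass; else old=fail; fi
    new=$(check_port_mapping "$c" 8080) || true
    echo "$c: ports-only=$old mode-aware=$new"
done
```

Stubbing `docker` as a shell function lets the same three cases run as a regression test on runners where no Docker daemon is reachable.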

…ed containers

When a container is started with --network host, Docker sets
NetworkSettings.Ports={} because published ports are discarded.
The existing validate_port_mapping check inspects NetworkSettings.Ports
and fails with "Port N is not exposed from the container", making it
impossible to use the gateway image with host networking even when a
-p flag is present.

Fix: inspect HostConfig.NetworkMode before the port mapping check.
If the value is "host", skip the NetworkSettings.Ports validation
and log an informational message instead. Bridge-networked containers
are unaffected.

Closes #7647

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions github-actions Bot added automation bug Something isn't working repo-assist labels Jun 17, 2026
@lpcox lpcox marked this pull request as ready for review June 17, 2026 14:52
Copilot AI review requested due to automatic review settings June 17, 2026 14:52

Copilot AI left a comment

Pull request overview

This PR updates the containerized startup validation script to correctly handle Docker containers running with --network host, where Docker discards published port mappings and leaves .NetworkSettings.Ports empty.

Changes:

  • Detect HostConfig.NetworkMode=host in validate_port_mapping and skip port-mapping validation in that case.
  • Add explanatory comments and an informational log message for host-networked containers.

Summary per file:

  • run_containerized.sh: Skips port-mapping validation for host-networked containers to avoid false startup failures.

Copilot's findings

  • Files reviewed: 1/1 changed files
  • Comments generated: 1

Comment thread run_containerized.sh
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
GitHub Advanced Security started work on behalf of lpcox June 17, 2026 15:00 View session
@lpcox lpcox merged commit 087ca9d into main Jun 17, 2026
27 checks passed
@lpcox lpcox deleted the repo-assist/fix-host-network-validation-7647-ac55ac2c319c2393 branch June 17, 2026 15:02
GitHub Advanced Security finished work on behalf of lpcox June 17, 2026 15:02

Development

Successfully merging this pull request may close these issues.

Containerized gateway rejects host-networked containers when container ID is discoverable