picod: initialize and validate workspace when --workspace is set

[aaradhychinche-alt]

This PR implements reviewer-requested improvements to PicoD workspace handling.

Changes included:

1. Initialize and validate workspace when --workspace is provided

2. Ensure all file operations are constrained within the workspace

3. Avoid changing global process working directory

4. Create per-request working directories safely

5. Add unit tests covering default and custom workspace behavior

6. Update documentation and example configuration accordingly

Notes:

All PicoD unit tests pass (go test ./pkg/picod/...)

Failures observed in router / workloadmanager / e2e tests are unrelated to PicoD changes and are consistent with existing open issues (e.g. CodeInterpreter warm pool behavior)

No functional changes were made outside PicoD scope
fixes #154

[volcano-sh-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign hzxuzhonghu, yaozengzeng for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• docs/OWNERS
• example/OWNERS
• pkg/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[gemini-code-assist]

Summary of Changes

Hello @aaradhychinche-alt, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly refines PicoD's workspace management by introducing robust initialization, validation, and isolation mechanisms. The changes ensure that PicoD operates within clearly defined and secure boundaries, preventing unauthorized file access and maintaining process integrity. This improves the overall stability and security of the PicoD service, especially when handling multiple execution requests.

Highlights

• Workspace Initialization and Validation: PicoD now initializes and validates the workspace directory when the --workspace flag is provided, ensuring it exists and is a valid directory.
• File Operation Constraints: All file operations are now strictly constrained within the defined workspace, enhancing security and preventing directory traversal.
• Process Working Directory Management: The global process working directory is no longer changed indiscriminately. Instead, per-request working directories are created safely, and the original working directory is preserved and restored.
• Per-Request Working Directories: The system now supports creating per-request working directories dynamically, ensuring isolation and proper context for each execution.
• Unit Test Coverage: New unit tests have been added to cover both default and custom workspace behaviors, including scenarios for non-existent directories and directory traversal attempts.
• Documentation and Example Updates: The docs/getting-started.md and example/code-interpreter/code-interpreter.yaml files have been updated to reflect the new workspace handling and configuration.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces several improvements to workspace handling in PicoD, such as initializing the workspace from the --workspace flag, ensuring file operations are constrained, and adding relevant tests. The changes to the example configuration and documentation are clear and helpful.

However, there are a couple of significant issues in the implementation:

• There is a critical copy-paste error in pkg/picod/files.go which results in duplicated code.
• A major concern is the use of os.Chdir to change the process's working directory. This contradicts one of the stated goals of the PR ("Avoid changing global process working directory") and is a risky practice for server applications due to its global nature, which can lead to concurrency issues. The application should rely on constructing absolute paths from the configured workspace directory rather than changing the process's CWD.

I've left specific comments on the relevant parts of the code with suggestions for improvement. Addressing these points will improve the robustness and maintainability of the code.

[Copilot]

Pull request overview

This PR addresses issue #154 by implementing workspace initialization and validation in PicoD. The changes ensure that code execution works correctly when the --workspace argument is set to a directory other than /root.

Changes:

• Initialize and validate workspace directory at startup, creating it if it doesn't exist
• Change the process working directory to the workspace to ensure relative paths resolve correctly
• Ensure per-request working directories are created automatically when specified
• Add comprehensive unit tests for workspace handling scenarios
• Update documentation and example configurations to reflect the new /workspace default

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
pkg/picod/server.go	Added originalWorkingDir field and RestoreWorkingDirectory() method for test cleanup
pkg/picod/files.go	Enhanced setWorkspace() to create, validate, and change to workspace directory at startup
pkg/picod/execute.go	Added automatic creation of working directories when specified in execution requests
pkg/picod/picod_test.go	Added proper cleanup for working directory changes in tests and new test cases for workspace behavior
example/code-interpreter/code-interpreter.yaml	Updated to use /workspace with an emptyDir volume mount instead of /root
docs/getting-started.md	Added note explaining automatic workspace directory creation and working directory changes

[Copilot]

Line 425 appears to have trailing whitespace. Remove any trailing spaces or tabs at the end of this line.

Suggested change

[Copilot]

This code is duplicated. Lines 426-429 set s.workspaceDir = absDir, and lines 431-436 call os.Chdir(absDir) and log a message. These same operations are then repeated on lines 438-443. Remove the duplicate code block (lines 438-443) and the duplicate comment on line 428.

[Copilot]

Extra blank lines should be removed for consistency with the rest of the codebase. There are unnecessary blank lines at 392-393, 404-405, and 416.

[Copilot]

The PR description states "Avoid changing global process working directory" but this code explicitly changes the global process working directory using os.Chdir(absDir). If the intent is truly to avoid changing the global working directory, this implementation contradicts that goal. The originalWorkingDir field and RestoreWorkingDirectory() method suggest an attempt to make this change reversible, but the working directory is still being changed globally during normal operation. Consider whether this aligns with the intended design, or if the PR description needs to be updated to reflect that the working directory IS being changed.

[Copilot]

The stat verification on lines 417-424 is redundant after os.MkdirAll on line 412 successfully completes. If os.MkdirAll succeeds, the directory is guaranteed to exist and be a directory. This verification adds no value and can be safely removed.

Suggested change

	// Verify path exists and is a directory
	stat, err := os.Stat(absDir)
	if err != nil {
	klog.Fatalf("failed to stat workspace directory %q: %v", absDir, err)
	}
	if !stat.IsDir() {
	klog.Fatalf("workspace path %q is not a directory", absDir)
	}

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

❌ Patch coverage is 32.14286% with 19 lines in your changes missing coverage. Please review.
✅ Project coverage is 35.76%. Comparing base (845b798) to head (26c315e).
⚠️ Report is 40 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/picod/files.go	37.50%	5 Missing and 5 partials ⚠️
pkg/picod/execute.go	0.00%	5 Missing and 1 partial ⚠️
pkg/picod/server.go	50.00%	1 Missing and 2 partials ⚠️
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #196      +/-   ##
==========================================
+ Coverage   35.60%   35.76%   +0.15%     
==========================================
  Files          29       29              
  Lines        2533     2572      +39     
==========================================
+ Hits          902      920      +18     
- Misses       1505     1519      +14     
- Partials      126      133       +7     

Flag	Coverage Δ
unittests	35.76% <32.14%> (+0.15%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[hzxuzhonghu]

we have frequenlty commented on this

[aaradhychinche-alt]

@hzxuzhonghu workspace=/workspace is in the CodeInterpreter example, consistent with earlier feedback. Please let me know if anything else is missing.

[hzxuzhonghu]

Which comment?

Donot mount an emptyDir, confusing to users. Why not using a existing dir?