chore: bump gh-aw-mcpg from v0.2.22 to v0.2.26

[lpcox]

Bumps gh-aw-mcpg from v0.2.22 to v0.2.26 across all 28 lock files.

Why

Debugging the GraphQL 404 issue where gh pr list and other GraphQL-backed gh commands fail through the DIFC CLI proxy (tracked in github/gh-aw-mcpg#4276). Bumping to the latest mcpg release to check if the fix is included.

Changes

• Updated ghcr.io/github/gh-aw-mcpg from v0.2.22@sha256:5345f80d... to v0.2.26@sha256:bfb444fa... in all .github/workflows/*.lock.yml files (28 files)

Verification

grep -c "gh-aw-mcpg:v0.2.26" .github/workflows/*.lock.yml | grep -v ":0" | wc -l
# → 29 (28 lock files + 1 counted twice for manifest line)

[github-actions]

🔥 Smoke Test Results

Test	Result
GitHub MCP (list_pull_requests) — latest merged: "fix: inject OPENAI_API_KEY/CODEX_API_KEY placeholders for Codex api-proxy routing"	✅
GitHub.com connectivity (HTTP 200)	✅
File write/read (smoke-test-copilot-24741076618.txt)	✅

Overall: PASS

PR: chore: bump gh-aw-mcpg from v0.2.22 to v0.2.26 — author @lpcox, no assignees.

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

Smoke Test Results

✅ GitHub MCP - Last 2 merged PRs retrieved
✅ Playwright - github.com navigated, title verified
✅ File Writing - Test file created at /tmp/gh-aw/agent/
✅ Bash Verification - File content confirmed

Overall: PASS

💥 [THE END] — Illustrated by Smoke Claude

[github-actions]

🔥 Smoke Test: Copilot BYOK (Offline) — PASS

Test	Result
GitHub MCP (list_pull_requests)	✅ PR #2136 returned
GitHub.com connectivity	✅ HTTP 200/301
File write/read	✅ /tmp/gh-aw/agent/smoke-test-copilot-byok-24741076693.txt verified
BYOK inference (agent → api-proxy → api.githubcopilot.com)	✅

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com.

Overall: PASS — @lpcox (no assignees)

🔑 BYOK report filed by Smoke Copilot BYOK

[Copilot]

Pull request overview

Updates the GitHub Actions compiled lock workflows to use a newer ghcr.io/github/gh-aw-mcpg image version, intended to help validate whether recent mcpg releases address the GraphQL 404 behavior seen when running GraphQL-backed gh commands through the DIFC CLI proxy.

Changes:

• Bump ghcr.io/github/gh-aw-mcpg from v0.2.22 to v0.2.26 in workflow lock files.
• Update the pinned image digest references for the gh-aw-mcpg container where applicable.

Show a summary per file

File	Description
.github/workflows/update-release-notes.lock.yml	Updates gh-aw-mcpg image tag/digest used by the workflow.
.github/workflows/test-coverage-improver.lock.yml	Updates gh-aw-mcpg image tag/digest used by the workflow.
.github/workflows/smoke-copilot.lock.yml	Updates gh-aw-mcpg image tag/digest used by the workflow.
.github/workflows/smoke-copilot-byok.lock.yml	Updates gh-aw-mcpg image tag/digest used by the workflow.
.github/workflows/smoke-codex.lock.yml	Updates gh-aw-mcpg image tag/digest used by the workflow (but currently has an internal digest inconsistency—see comment).
.github/workflows/security-review.lock.yml	Updates gh-aw-mcpg image tag/digest used by the workflow.
.github/workflows/security-guard.lock.yml	Updates gh-aw-mcpg image tag/digest used by the workflow.
.github/workflows/secret-digger-claude.lock.yml	Updates gh-aw-mcpg image tag/digest used by the workflow.
.github/workflows/plan.lock.yml	Updates gh-aw-mcpg image tag/digest used by the workflow.
.github/workflows/issue-monster.lock.yml	Updates gh-aw-mcpg image tag/digest used by the workflow.
.github/workflows/issue-duplication-detector.lock.yml	Updates gh-aw-mcpg image tag/digest used by the workflow.
.github/workflows/firewall-issue-dispatcher.lock.yml	Updates gh-aw-mcpg image tag/digest used by the workflow.
.github/workflows/doc-maintainer.lock.yml	Updates gh-aw-mcpg image tag/digest used by the workflow.
.github/workflows/dependency-security-monitor.lock.yml	Updates gh-aw-mcpg image tag/digest used by the workflow.
.github/workflows/copilot-token-usage-analyzer.lock.yml	Updates gh-aw-mcpg image tag/digest used by the workflow.
.github/workflows/copilot-token-optimizer.lock.yml	Updates gh-aw-mcpg image tag/digest used by the workflow.
.github/workflows/cli-flag-consistency-checker.lock.yml	Updates gh-aw-mcpg image tag/digest used by the workflow.
.github/workflows/claude-token-usage-analyzer.lock.yml	Updates gh-aw-mcpg image tag/digest used by the workflow.
.github/workflows/claude-token-optimizer.lock.yml	Updates gh-aw-mcpg image tag/digest used by the workflow.
.github/workflows/ci-doctor.lock.yml	Updates gh-aw-mcpg image tag/digest used by the workflow.
.github/workflows/build-test.lock.yml	Updates gh-aw-mcpg image tag/digest used by the workflow.
.github/workflows/ci-cd-gaps-assessment.lock.yml	Updates gh-aw-mcpg image tag/digest used by the workflow.
.github/workflows/pelis-agent-factory-advisor.lock.yml	Updates gh-aw-mcpg image tag/digest used by the workflow.
.github/workflows/secret-digger-copilot.lock.yml	Updates gh-aw-mcpg image tag/digest used by the workflow.
.github/workflows/secret-digger-codex.lock.yml	Updates gh-aw-mcpg image tag/digest used by the workflow.
.github/workflows/smoke-chroot.lock.yml	Updates gh-aw-mcpg image tag/digest used by the workflow.
.github/workflows/smoke-claude.lock.yml	Updates gh-aw-mcpg image tag/digest used by the workflow.
.github/workflows/smoke-opencode.lock.yml	Updates gh-aw-mcpg image tag/digest used by the workflow.
.github/workflows/smoke-services.lock.yml	Updates gh-aw-mcpg image tag/digest used by the workflow.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 29/29 changed files
• Comments generated: 1

[Copilot]

In the workflow manifest, the gh-aw-mcpg container entry has digest set to sha256:bfb444... but pinned_image still points to @sha256:41c20.... This makes the lock file internally inconsistent and likely causes the workflow to pull a different image than intended. Update the pinned_image (and any other references in this lock file like the container list / download step) so all gh-aw-mcpg:v0.2.26 digests match.

Suggested change

# gh-aw-manifest: {"version":1,"secrets":["CODEX_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN","OPENAI_API_KEY","TAVILY_API_KEY"],"actions":[{"repo":"actions/cache","sha":"27d5ce7f107fe9357f9df03efb73ab90386fccae","version":"v5.0.5"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"f52802884d655622f0a2dfd6d6a2250983c95523","version":"v0.68.7"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.23","digest":"sha256:d91d8c6263597d38da4c9fb3599ea7fed26fc6fcfebe5e92beb9711980bb25ea","pinned_image":"ghcr.io/github/gh-aw-firewall/agent:0.25.23@sha256:d91d8c6263597d38da4c9fb3599ea7fed26fc6fcfebe5e92beb9711980bb25ea"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.23","digest":"sha256:6d8d7841a56bcb2a53fae629f9a6b9c77e80fe04af44cf753d13a6003d812120","pinned_image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.23@sha256:6d8d7841a56bcb2a53fae629f9a6b9c77e80fe04af44cf753d13a6003d812120"},{"image":"ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.23","digest":"sha256:113837034dd2cd4c96d8f00f27c910eef3e44384c13bcca2f282b6ca8b457a03","pinned_image":"ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.23@sha256:113837034dd2cd4c96d8f00f27c910eef3e44384c13bcca2f282b6ca8b457a03"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.23","digest":"sha256:989d478749707bd1e81a78bb995f0bc9b96421b1c8c087b6999a860cf05f2845","pinned_image":"ghcr.io/github/gh-aw-firewall/squid:0.25.23@sha256:989d478749707bd1e81a78bb995f0bc9b96421b1c8c087b6999a860cf05f2845"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.2.26","digest":"sha256:bfb444facad03587ac5021b3fbb89abd4726aac51d5a0cebfcd14202e8119c57","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.2.26@sha256:41c20d3a366498e883648bbf0c5a23d5c0102ae931e0eaa7b79bbf8e1afab29c"},{"image":"ghcr.io/github/github-mcp-server:v0.32.0","digest":"sha256:2763823c63bcca718ce53850a1d7fcf2f501ec84028394f1b63ce7e9f4f9be28","pinned_image":"ghcr.io/github/github-mcp-server:v0.32.0@sha256:2763823c63bcca718ce53850a1d7fcf2f501ec84028394f1b63ce7e9f4f9be28"},{"image":"mcr.microsoft.com/playwright/mcp","digest":"sha256:7b82f29c6ef83480a97f612d53ac3fd5f30a32df3fea1e06923d4204d3532bb2","pinned_image":"mcr.microsoft.com/playwright/mcp@sha256:7b82f29c6ef83480a97f612d53ac3fd5f30a32df3fea1e06923d4204d3532bb2"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]}

# gh-aw-manifest: {"version":1,"secrets":["CODEX_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN","OPENAI_API_KEY","TAVILY_API_KEY"],"actions":[{"repo":"actions/cache","sha":"27d5ce7f107fe9357f9df03efb73ab90386fccae","version":"v5.0.5"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"f52802884d655622f0a2dfd6d6a2250983c95523","version":"v0.68.7"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.23","digest":"sha256:d91d8c6263597d38da4c9fb3599ea7fed26fc6fcfebe5e92beb9711980bb25ea","pinned_image":"ghcr.io/github/gh-aw-firewall/agent:0.25.23@sha256:d91d8c6263597d38da4c9fb3599ea7fed26fc6fcfebe5e92beb9711980bb25ea"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.23","digest":"sha256:6d8d7841a56bcb2a53fae629f9a6b9c77e80fe04af44cf753d13a6003d812120","pinned_image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.23@sha256:6d8d7841a56bcb2a53fae629f9a6b9c77e80fe04af44cf753d13a6003d812120"},{"image":"ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.23","digest":"sha256:113837034dd2cd4c96d8f00f27c910eef3e44384c13bcca2f282b6ca8b457a03","pinned_image":"ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.23@sha256:113837034dd2cd4c96d8f00f27c910eef3e44384c13bcca2f282b6ca8b457a03"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.23","digest":"sha256:989d478749707bd1e81a78bb995f0bc9b96421b1c8c087b6999a860cf05f2845","pinned_image":"ghcr.io/github/gh-aw-firewall/squid:0.25.23@sha256:989d478749707bd1e81a78bb995f0bc9b96421b1c8c087b6999a860cf05f2845"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.2.26","digest":"sha256:bfb444facad03587ac5021b3fbb89abd4726aac51d5a0cebfcd14202e8119c57","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.2.26@sha256:bfb444facad03587ac5021b3fbb89abd4726aac51d5a0cebfcd14202e8119c57"},{"image":"ghcr.io/github/github-mcp-server:v0.32.0","digest":"sha256:2763823c63bcca718ce53850a1d7fcf2f501ec84028394f1b63ce7e9f4f9be28","pinned_image":"ghcr.io/github/github-mcp-server:v0.32.0@sha256:2763823c63bcca718ce53850a1d7fcf2f501ec84028394f1b63ce7e9f4f9be28"},{"image":"mcr.microsoft.com/playwright/mcp","digest":"sha256:7b82f29c6ef83480a97f612d53ac3fd5f30a32df3fea1e06923d4204d3532bb2","pinned_image":"mcr.microsoft.com/playwright/mcp@sha256:7b82f29c6ef83480a97f612d53ac3fd5f30a32df3fea1e06923d4204d3532bb2"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]}

[github-actions]

Smoke Test Results

• Last 2 PRs:
  • fix: inject OPENAI_API_KEY/CODEX_API_KEY placeholders for Codex api-proxy routing
  • Increase Smoke Claude turn budget to prevent premature engine termination
• File Write Test: ✅
• File Read Test: ✅
• AWF Build: ✅

Overall: PASS

Warning

⚠️ Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• models.dev

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "models.dev"

See Network Configuration for more information.

🌐 Transmitted by Smoke OpenCode

[github-actions]

Smoke Test Results
PR titles:

• fix: inject OPENAI_API_KEY/CODEX_API_KEY placeholders for Codex api-proxy routing
• Increase Smoke Claude turn budget to prevent premature engine termination
  GitHub MCP testing: ❌
  safeinputs-gh CLI query: ❌
  Playwright title check: ✅
  Tavily web search: ❌
  File write/read + bash verify: ✅
  Discussion comment + AWF build: ✅
  Overall status: FAIL

Warning

⚠️ Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions]

Smoke Test: GitHub Actions Services Connectivity

Check	Status	Notes
Redis PING (host.docker.internal:6379)	❌ Failed	redis-cli not available; cannot install (no apt access in sandbox)
PostgreSQL pg_isready (host.docker.internal:5432)	✅ Passed	accepting connections
PostgreSQL SELECT 1 (db: smoketest, user: postgres)	✅ Passed	Returns 1 as expected

Result: 2/3 checks passed. Redis check could not be executed due to missing redis-cli binary.

🔌 Service connectivity validated by Smoke Services

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	1/1 passed	✅ PASS
Go	env	✅	1/1 passed	✅ PASS
Go	uuid	✅	1/1 passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	All passed	✅ PASS
Node.js	execa	✅	All passed	✅ PASS
Node.js	p-limit	✅	All passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Note: gh repo clone failed for all repos due to a pthread_create resource limitation in the runner environment. Repos were successfully cloned using git clone directly.
Java Maven required a custom local repo path (-Dmaven.repo.local=/tmp/gh-aw/agent/m2repo) as the default ~/.m2/repository directory was owned by root and not writable.

Generated by Build Test Suite for issue #2140 · ● 619.5K · ◷