Problem
The compiler-generated gVisor install step (generateGVisorInstallStep()) pins to release 20250623.0, which returns 404 from storage.googleapis.com/gvisor/releases/release/20250623.0/x86_64/runsc.
This causes all workflows using sandbox.agent.runtime: gvisor to fail immediately at the "Install gVisor (runsc)" step:
curl: (22) The requested URL returned error: 404
##[error]Process completed with exit code 22.
Evidence
Failed runs in github/gh-aw-firewall:
Workaround
Manually editing .lock.yml files to replace 20250623.0 with 20250707.0 fixes the issue — all four workflows pass after the fix:
Workaround PR: github/gh-aw-firewall#6143
Valid releases (as of 2025-07-12)
| Release |
Status |
20250623.0 |
❌ 404 |
20250616.0 |
✅ 200 |
20250707.0 |
✅ 200 |
latest |
✅ 200 |
Suggested fix
Update the pinned version in generateGVisorInstallStep() (likely in copilot_engine_installation.go) to 20250707.0 or a mechanism that resolves a known-good release. Consider using latest with SHA verification, or adding a CI job that validates the pinned release still exists.
Problem
The compiler-generated gVisor install step (
generateGVisorInstallStep()) pins to release20250623.0, which returns 404 fromstorage.googleapis.com/gvisor/releases/release/20250623.0/x86_64/runsc.This causes all workflows using
sandbox.agent.runtime: gvisorto fail immediately at the "Install gVisor (runsc)" step:Evidence
Failed runs in
github/gh-aw-firewall:Workaround
Manually editing
.lock.ymlfiles to replace20250623.0with20250707.0fixes the issue — all four workflows pass after the fix:Workaround PR: github/gh-aw-firewall#6143
Valid releases (as of 2025-07-12)
20250623.020250616.020250707.0latestSuggested fix
Update the pinned version in
generateGVisorInstallStep()(likely incopilot_engine_installation.go) to20250707.0or a mechanism that resolves a known-good release. Consider usinglatestwith SHA verification, or adding a CI job that validates the pinned release still exists.