Add AWF --skip-pull flag and pre-download agent/squid images

[Copilot]

AWF was pulling container images at runtime during agent execution. This change pre-downloads AWF images (agent and squid proxy) and uses --skip-pull to avoid runtime pulls, matching how MCP gateway and GitHub MCP server images are already handled.

Changes

• pkg/constants/constants.go: Add DefaultFirewallRegistry constant for ghcr.io/github/gh-aw-firewall
• pkg/workflow/docker.go: Collect AWF squid and agent-act images when firewall is enabled
• pkg/workflow/{copilot,claude,codex}_engine*.go: Add --skip-pull flag to AWF args

Generated workflow example

- name: Download container images
  run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent-act:0.13.4 ghcr.io/github/gh-aw-firewall/squid:0.13.4 ...

# Later, AWF runs with --skip-pull
sudo -E awf --image-tag 0.13.4 --skip-pull --agent-image act -- ...

Original prompt

update awf to the latest version and use no-pull flag. please pull the agent and proxy images prior to the agent step (similar to the gateway and mcp images)

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[Copilot]

Pull request overview

This PR optimizes the AWF (Agentic Workflow Firewall) integration by pre-downloading Docker container images and using the --skip-pull flag to avoid redundant pulls at runtime.

Changes:

• Added DefaultFirewallRegistry constant for AWF container registry
• Implemented AWF image pre-download in docker.go for both squid (proxy) and agent-act containers
• Added --skip-pull flag to AWF invocations in all three engine files (copilot, claude, codex)

Reviewed changes

Copilot reviewed 149 out of 149 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
pkg/constants/constants.go	Added DefaultFirewallRegistry constant for AWF container registry URL
pkg/workflow/docker.go	Added logic to collect AWF squid and agent-act images when firewall is enabled
pkg/workflow/copilot_engine_execution.go	Added --skip-pull flag to AWF args
pkg/workflow/claude_engine.go	Added --skip-pull flag to AWF args
pkg/workflow/codex_engine.go	Added --skip-pull flag to AWF args
.github/workflows/*.lock.yml (multiple files)	Updated all workflow lock files with pre-downloaded AWF images and --skip-pull flag

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

[github-actions]

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

Agent Container Tool Check

Tool	Status	Version
bash	✅	5.2.21
sh	✅	available
git	✅	2.52.0
jq	✅	1.7
yq	✅	4.50.1
curl	✅	8.5.0
gh	✅	2.86.0
node	✅	20.20.0
python3	✅	3.12.3
go	✅	1.24.12
java	❌	not found
dotnet	❌	not found

Result: 10/12 tools available ⚠️

Note: Java and .NET runtimes are not available in the container.

AI generated by Agent Container Smoke Test

[github-actions]

Smoke Test: Copilot - 21681629889

PRs Tested:

• Exclude metadata permission from generated workflow YAML #13757 - Exclude metadata permission from generated workflow YAML
• Add AWF --skip-pull flag and pre-download agent/squid images #13756 - Add AWF --skip-pull flag and pre-download agent/squid images

Results:
✅ GitHub MCP
✅ Safe Inputs GH CLI
✅ Serena MCP
✅ Playwright
✅ File Writing
✅ Bash Tool
✅ Discussion Interaction
✅ Build gh-aw
✅ Workflow Dispatch

✅ PASS - All tests passed

@Copilot @Mossaka

AI generated by Smoke Copilot

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤