Integrate gh-aw-firewall v0.17.2 and enable Codex LLM gateway

[Copilot]

Integrates gh-aw-firewall v0.17.2 and enables LLM gateway support for the Codex engine using port 10001.

Changes

Firewall version bump

• Updated DefaultFirewallVersion from v0.17.1 to v0.17.2
• Recompiled all workflow lock files (154 workflows)

Codex LLM gateway support

• Changed CodexEngine.supportsLLMGateway from false to true
• Updated SupportsLLMGateway() to return constants.CodexLLMGatewayPort (10001)

This enables Codex workflows to use the AWF api-proxy container for API key isolation, matching the architecture used by Claude and other LLM gateway-enabled engines.

Test updates

• Updated strict mode validation tests to expect LLM gateway support for Codex
• Updated Docker image collection tests to include api-proxy image for Codex
• Updated AWF flag tests to expect --enable-api-proxy for Codex

// Before
func (e *CodexEngine) SupportsLLMGateway() int {
    return -1  // No LLM gateway support
}

// After
func (e *CodexEngine) SupportsLLMGateway() int {
    return constants.CodexLLMGatewayPort  // Port 10001
}

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw ire (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw description,releapi (http block)
• https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha -json GO111MODULE /usr/bin/git GOINSECURE GOMOD GOMODCACHE git -c log.showsignature=false log /usr/bin/infocmp --format=%H:%ct GOWORK 64/bin/go infocmp (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/compile /usr/bin/git -json GO111MODULE 908488/b395/math--show-toplevel git rev-�� --show-toplevel 908488/b395/mathutil.test /usr/bin/git t0 GO111MODULE (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel 908488/b368/cli.rev-parse /usr/bin/git git rev-�� */*.ts' '**/*.json' --ignore-path ../../../.prettierignore git /usr/bin/git --show-toplevel go 64/pkg/tool/linu--show-toplevel git (http block)
• https://api.github.com/repos/actions/ai-inference/git/ref/tags/v2
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v2 --jq .object.sha --local .cfg 64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v2 --jq .object.sha --local .cfg r: $owner, name: $name) { hasDiscussionsEnabled } } (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/11bd71901bbe5b1630ceea73d27597364c9af683
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/11bd71901bbe5b1630ceea73d27597364c9af683 --jq .object.sha --local .cfg 64/pkg/tool/linux_amd64/vet (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v3
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha -json GO111MODULE cfg GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE ache/go/1.25.0/x64/pkg/tool/linuorigin (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha --show-toplevel go /usr/bin/git -json GO111MODULE 64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git -json cfg tartedAt,updated--show-toplevel git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha nner/work/gh-aw/gh-aw/actions/setup/sh/sanitize_path.sh' ':::/usr/bin:/usr/local/bin' && echo "$git git x_amd64/compile --show-toplevel go /usr/bin/git x_amd64/compile rev-�� --show-toplevel git odules/npm/node_modules/@npmcli/run-script/lib/node-gyp-bin/node --show-toplevel go /usr/bin/git git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v4 --jq .object.sha SameOutput2804181196/001/stability-test.md GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v4 --jq .object.sha 908488/b389/gitutil.test cfg (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v4 --jq .object.sha GOMODCACHE go /opt/hostedtoolcache/node/24.13.0/x64/bin/node IQU6/nBEC_-kbkJhgit GO111MODULE 64/bin/go node /tmp�� /tmp/TestHashConsistency_WithImports2546020510/001/main.md hanges) /usr/bin/git che/go-build/db/git **/*.cjs 64/bin/go git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v5
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha -json GO111MODULE x_amd64/link GOINSECURE GOMOD GOMODCACHE x_amd64/link env -json GO111MODULE 64/pkg/tool/linux_amd64/link GOINSECURE GOMOD GOMODCACHE 6d/bi_dp8_6qsrFmconfig (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha /tmp/go-build448908488/b371/fileutil.test -importcfg ache/node/24.13.0/x64/bin/node -s -w -buildmode=exe git t-34�� bility_SameInputSameOutput2804181196/001/stability-test.md config /usr/bin/git remote.origin.urgit GO111MODULE 64/bin/go git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --git-dir node /usr/bin/git prettier --check 64/bin/go git rev-�� --show-toplevel /opt/hostedtoolcache/go/1.25.0/xGO111MODULE /usr/bin/infocmp ub/workflows -trimpath 64/bin/go infocmp (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha celain --ignore-submodules | head -n 10 .cfg 64/pkg/tool/linux_amd64/vet user.email (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha HEAD (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha se 9549711/b043/vet.cfg .cfg 1 1 /var/log/sysstat-c ache/go/1.25.0/x64/pkg/tool/linurev-parse (http block)
• https://api.github.com/repos/actions/download-artifact/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/download-artifact/git/ref/tags/v6 --jq .object.sha (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/download-artifact/git/ref/tags/v6 --jq .object.sha se 9549711/b060/vet.cfg ndor/bin/sh a/action_pins.jsdocker journal-or-kmsg (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/download-artifact/git/ref/tags/v6 --jq .object.sha se 9549711/b134/vet.cfg pilot-client/node_modules/.bin/node (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v7
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v7 --jq .object.sha (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v7 --jq .object.sha HEAD (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v7 --jq .object.sha cli/install.sh..." (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v8
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha heck '**/*.cjs' GOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -c=4 -nolocalimports -importcfg /tmp/go-build448908488/b385/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/pkg/fileutil/fileutil.go /home/REDACTED/work/gh-aw/gh-aw/pkg/fileutil/fileutil_test.go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha go1.25.0 -c=4 -nolocalimports -importcfg /tmp/go-build448908488/b389/importcfg -pack /tmp/go-build448908488/b389/_testmain.go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/actions/setup-go/git/ref/tags/4dc6199c7b1a012772edbd06daecab0f50c9053c
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/4dc6199c7b1a012772edbd06daecab0f50c9053c --jq .object.sha --noprofile (http block)
• https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha G-zicVen1 GO111MODULE 908488/b383/importcfg.link GOINSECURE GOMOD GOMODCACHE rtcfg stlo�� g/styles/theme.go g/styles/theme_test.go 908488/b383/_pkg_.a GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha --show-toplevel go x_amd64/vet 01/test2.md GO111MODULE ache/go/1.25.0/x--show-toplevel x_amd64/vet rev-�� --show-toplevel go /usr/bin/gh -json GO111MODULE /opt/hostedtoolc--show-toplevel gh (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha ./../pkg/workflow/js/**/*.json' --ignore-path git x_amd64/vet --show-toplevel go /usr/bin/git x_amd64/vet rev-�� --show-toplevel git ules/.bin/node --show-toplevel ache/go/1.25.0/xrev-parse /usr/bin/git /usr/lib/git-core/git (http block)
• https://api.github.com/repos/actions/setup-go/git/ref/tags/v5
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v5 --jq .object.sha get --global $name) { hasDiscussionsEnabled } } http.https://git/usr/bin/unpigz (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v5 --jq .object.sha g_.a --global 64/pkg/tool/linux_amd64/vet http.https://gitgit er (http block)
• https://api.github.com/repos/actions/setup-go/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v6 --jq .object.sha (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v6 --jq .object.sha k/_temp/copilot-developer-action-main/dist/index.js (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v6 --jq .object.sha e-v0-17-2-update --local 64/pkg/tool/linux_amd64/vet user.email (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha UGHoYtrm6 GO111MODULE x_amd64/link GOINSECURE GOMOD GOMODCACHE x_amd64/link env g/stringutil/identifiers.go g/stringutil/paths.go 0/x64/bin/node GOINSECURE GOMOD GOMODCACHE Nh/Bm7uKdK4iqIrsU6yc0Iq/7ke3SHNzSPcPlwT207m1 (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha --show-toplevel go x_amd64/vet /ref/tags/v8 GO111MODULE ache/go/1.25.0/x--show-toplevel x_amd64/vet rev-�� --show-toplevel (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha ./../pkg/workflow/js/**/*.json' --ignore-path --package-lock-only x_amd64/vet --show-toplevel go /usr/bin/git x_amd64/vet rev-�� --show-toplevel git tions/node_modules/.bin/node --show-toplevel 64/pkg/tool/linurev-parse /opt/hostedtoolc--show-toplevel git (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha assword=$GITHUB_TOKEN"; }; f store assword=$GITHUB_TOKEN"; }; f store $name) { hasDiscussionsEnabled } } (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha e-v0-17-2-update .cfg 64/pkg/tool/linux_amd64/vet user.email (http block)
• https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v6 --jq .object.sha (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v6 --jq .object.sha way\|llm.*gateway.*codex (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v6 --jq .object.sha .go o x_amd64/vet (http block)
• https://api.github.com/repos/anchore/sbom-action/git/ref/tags/v0
  • Triggering command: /usr/bin/gh gh api /repos/anchore/sbom-action/git/ref/tags/v0 --jq .object.sha HEAD (http block)
  • Triggering command: /usr/bin/gh gh api /repos/anchore/sbom-action/git/ref/tags/v0 --jq .object.sha --noprofile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/anchore/sbom-action/git/ref/tags/v0 --jq .object.sha --noprofile .cfg ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
• https://api.github.com/repos/docker/build-push-action/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/docker/build-push-action/git/ref/tags/v6 --jq .object.sha HEAD (http block)
  • Triggering command: /usr/bin/gh gh api /repos/docker/build-push-action/git/ref/tags/v6 --jq .object.sha cp .github/aw/acremote.origin.url (http block)
  • Triggering command: /usr/bin/gh gh api /repos/docker/build-push-action/git/ref/tags/v6 --jq .object.sha --noprofile (http block)
• https://api.github.com/repos/docker/login-action/git/ref/tags/v3
  • Triggering command: /usr/bin/gh gh api /repos/docker/login-action/git/ref/tags/v3 --jq .object.sha --noprofile 64/src/testing/internal/testdeps/deps.go ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api /repos/docker/login-action/git/ref/tags/v3 --jq .object.sha --noprofile .cfg ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
• https://api.github.com/repos/docker/metadata-action/git/ref/tags/v5
  • Triggering command: /usr/bin/gh gh api /repos/docker/metadata-action/git/ref/tags/v5 --jq .object.sha --noprofile (http block)
• https://api.github.com/repos/docker/setup-buildx-action/git/ref/tags/v3
  • Triggering command: /usr/bin/gh gh api /repos/docker/setup-buildx-action/git/ref/tags/v3 --jq .object.sha HEAD .cfg .cfg (http block)
  • Triggering command: /usr/bin/gh gh api /repos/docker/setup-buildx-action/git/ref/tags/v3 --jq .object.sha --noprofile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/docker/setup-buildx-action/git/ref/tags/v3 --jq .object.sha --noprofile .cfg r: $owner, name: $name) { hasDiscussionsEnabled } } (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
  • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go stlo�� -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE node /hom�� --check **/*.cjs ache/go/1.25.0/x64/bin/go **/*.json --ignore-path run-script/lib/n--show-toplevel go (http block)
  • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 git de_modules/.bin/git --show-toplevel 64/pkg/tool/linurev-parse ode-gyp-bin/git ache/node/24.13.0/x64/bin/node /hom�� ache/go/1.25.0/xfeaturewhoami git 64/pkg/tool/linux_amd64/vet mport-meta-resolgit go k/gh-aw/gh-aw/ac--show-toplevel 64/pkg/tool/linux_amd64/vet (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
  • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE sh -c "prettier" --check '**/*.cjs' '**/*.ts' '**/*.jsGOSUMDB GOPROXY 64/pkg/tool/linux_amd64/vet GOSUMDB GOWORK run-script/lib/n--show-toplevel 64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 Update"; echo hacked tions/setup/js/node_modules/.bin/git --show-toplevel go /usr/bin/git ache/node/24.13.test@example.com /hom�� ache/go/1.25.0/xfeature$(whoami) git k/gh-aw/gh-aw/actions/node_modules/.bin/go mport-meta-resolgit go k/gh-aw/gh-aw/actions/setup/js/nuser.email k/gh-aw/gh-aw/actions/setup/js/ntest@example.com (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
  • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env ty-test.md GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE sh -c "prettier" --check '**/*.cjs' '**/*.ts' '**/*.js--format=%H:%ct GOPROXY 64/pkg/tool/linux_amd64/vet GOSUMDB GOWORK 64/bin/go 64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 Update"; echo hacked tions/setup/node_modules/.bin/git --show-toplevel go /usr/bin/gh ache/node/24.13.0/x64/bin/node /hom�� bot-detection.md gh k/gh-aw/gh-aw/node_modules/.bin/go mport-meta-resolgit go k/gh-aw/gh-aw/ac--git-dir k/gh-aw/gh-aw/actions/setup/js/node_modules/vitest/dist/workers/-dwarf=false (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
  • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env ty-test.md GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE node /hom�� --check **/*.cjs ache/go/1.25.0/x64/bin/go **/*.json --ignore-path ../../../.pretti--show-toplevel go (http block)
  • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 git d4bdd3687732c95a10831af0fb7b112473cb11647eefa4e5-d --show-toplevel 64/pkg/tool/linurev-parse /usr/bin/git ache/node/24.13.0/x64/bin/node /hom�� ache/go/1.25.0/xfeaturewhoami git 64/pkg/tool/linux_amd64/vet mport-meta-resolgit go k/gh-aw/gh-aw/ac--show-toplevel 64/pkg/tool/linux_amd64/vet (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
  • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE node /hom�� --check **/*.cjs ache/go/1.25.0/x64/bin/go **/*.json --ignore-path ../../../.pretti--show-toplevel go (http block)
  • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 git ules/.bin/git --show-toplevel 64/pkg/tool/linurev-parse run-script/lib/n--show-toplevel ache/node/24.13.0/x64/bin/node /hom�� ache/go/1.25.0/xfeaturewhoami git 64/pkg/tool/linux_amd64/vet mport-meta-resolgit go k/gh-aw/gh-aw/ac--show-toplevel 64/pkg/tool/linux_amd64/vet (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
  • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE node /hom�� --check **/*.cjs ache/go/1.25.0/x64/bin/go **/*.json --ignore-path ../../../.pretti--show-toplevel go (http block)
  • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 git bin/git --show-toplevel 64/pkg/tool/linurev-parse /usr/bin/git ache/node/24.13.0/x64/bin/node /hom�� ache/go/1.25.0/xfeaturewhoami git 64/pkg/tool/linux_amd64/vet mport-meta-resolgit go k/gh-aw/gh-aw/ac--show-toplevel 64/pkg/tool/linux_amd64/vet (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
  • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go stlo�� -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE node /hom�� --check **/*.cjs ache/go/1.25.0/x64/bin/go **/*.json --ignore-path ../../../.pretti--show-toplevel go (http block)
  • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 git it --show-toplevel 64/pkg/tool/linurev-parse /usr/bin/git ache/node/24.13.0/x64/bin/node ortc�� ache/go/1.25.0/xfeaturewhoami lex.go 64/pkg/tool/linux_amd64/link mport-meta-resolgit go k/gh-aw/gh-aw/ac--show-toplevel 64/pkg/tool/linux_amd64/link (http block)
• https://api.github.com/repos/github/gh-aw/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path GOSUMDB GOWORK 64/bin/go GOINSECURE GOMOD GOMODCACHE go env ck 'scripts/**/*GOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE node (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 GOMOD GOMODCACHE go stlo�� -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/github/gh-aw/contents/.github%2Fworkflows%2Faudit-workflows.md
  • Triggering command: /opt/hostedtoolcache/node/24.13.0/x64/bin/node /opt/hostedtoolcache/node/24.13.0/x64/bin/node --conditions node --conditions development --experimental-import-meta-resolve --require /home/REDACTED/work/gh-aw/gh-aw/actions/setup/js/node_modules/vitest/suppress-warnings.cjs /home/REDACTED/work/gh-aw/gh-aw/actions/setup/js/node_modules/vitest/dist/workers/forks.js GO111MODULE ache/go/1.25.0/x-m git ode_�� --show-toplevel go /usr/bin/git -json GO111MODULE ache/node/24.13.node git (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/c4e091835c7a94dc7d3acb8ed3ae145afb4995f3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/c4e091835c7a94dc7d3acb8ed3ae145afb4995f3 --jq .object.sha (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linuorigin (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha --show-toplevel go /opt/hostedtoolcache/node/24.13.0/x64/bin/node -json GO111MODULE x_amd64/vet /opt/hostedtoolcache/node/24.13.0/x64/bin/node /tmp�� GOMODCACHE x_amd64/vet /usr/bin/git -json GO111MODULE At,event,headBra--show-toplevel git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha gh-aw/actions/setup/sh/sanitize_path.sh' ':::/usr/bin:/usr/local/bin' && echo "$PATH" /usr/bin/git /usr/bin/git --get-regexp ^remote\..*\.gh--c /usr/bin/gh git rev-�� --show-toplevel gh modules/@npmcli/run-script/lib/node-gyp-bin/node view owner/test-repo /usr/bin/git git (http block)
• https://api.github.com/repos/githubnext/agentics/git/ref/tags/-
  • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/- --jq .object.sha get --global $name) { hasDiscussionsEnabled } } upport (http block)
• https://api.github.com/repos/nonexistent/repo/actions/runs/12345
  • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE x_amd64/link env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE Xu/X6R5OoPF4X40d7UERB47/kI2eOA--origin (http block)
  • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOSUMDB GOWORK 64/bin/go 64/pkg/tool/linux_amd64/asm -o /tmp/go-build1597294469/b359/_pkg_.a -trimpath ache/go/1.25.0/x64/bin/go -p main -lang=go1.25 go (http block)
  • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion mport-meta-resolgit test@example.comrev-parse k/gh-aw/gh-aw/ac--show-toplevel 0/x64/bin/node /hom�� 4183126/b001/exe/no-input x_amd64/vet in/git ve current (local crev-parse tions/setup/js/n--show-toplevel tions/setup/js/node_modules/vitest/dist/workers/remote.origin.url (http block)
• https://api.github.com/repos/owner/repo/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOINSECURE GOMOD GOMODCACHE go m/_n�� -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh workflow list --repo owner/repo --json name,path,state 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/test-owner/test-repo/actions/secrets
  • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name GOSUMDB GOWORK 64/bin/go GOINSECURE GOMOD GOMODCACHE go env ck 'scripts/**/*GOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name GOSUMDB GOWORK 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE de/node/bin/sh GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name ; rm -rf / git t --get remote.origin.urrev-parse /usr/bin/git rBRis0s/6u6debDTONgC9MnXSVxi rev-�� abbrev-ref HEAD git bin/node GOMODCACHE go /usr/bin/git git (http block)
• https://api.github.com/user
  • Triggering command: /usr/bin/gh gh api user --jq .login (http block)
  • Triggering command: /usr/bin/gh gh api user --jq .login GOSUMDB GOWORK 64/bin/go GOINSECURE GOMOD GOMODCACHE ortcfg env g/logger/exampleGOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE ache/go/1.25.0/xGO111MODULE (http block)
  • Triggering command: /usr/bin/gh gh api user --jq .login GOSUMDB GOWORK 64/bin/go GOINSECURE GOMOD GOMODCACHE ortcfg env g/repoutil/repouGOINSECURE g/repoutil/repouGOMOD 64/bin/go GOINSECURE GOMOD GOMODCACHE ache/go/1.25.0/xGO111MODULE (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[pelikhan]

@copilot upgrade to v0.18.0

[Copilot]

Pull request overview

This PR integrates gh-aw-firewall v0.17.2 and enables LLM gateway support for the Codex engine. The Codex engine now supports API key isolation through the AWF api-proxy container on port 10001, matching the architecture used by Claude and other LLM gateway-enabled engines. This is a comprehensive update affecting the core engine configuration, test suite, and all 154 workflow lock files.

Changes:

• Updated DefaultFirewallVersion constant from v0.17.1 to v0.17.2
• Changed Codex engine's supportsLLMGateway from false to true and updated SupportsLLMGateway() to return port 10001
• Updated all test expectations to reflect Codex now supporting LLM gateway
• Recompiled all workflow lock files with new firewall version and api-proxy image for Codex workflows

Reviewed changes

Copilot reviewed 155 out of 155 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
pkg/constants/constants.go	Updated DefaultFirewallVersion from v0.17.1 to v0.17.2
pkg/workflow/codex_engine.go	Enabled LLM gateway support and changed return value from -1 to port 10001
pkg/workflow/strict_mode_llm_gateway_test.go	Updated test names and expectations for Codex LLM gateway support
pkg/workflow/enable_api_proxy_test.go	Updated test to expect --enable-api-proxy flag for Codex
pkg/workflow/docker_api_proxy_test.go	Updated test to expect api-proxy image for Codex workflows
.github/workflows/*.lock.yml (154 files)	Recompiled workflow lock files with v0.17.2 and api-proxy image for Codex

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.