chore: bump DefaultFirewallVersion to v0.24.5 #21873
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com> Agent-Logs-Url: https://github.com/github/gh-aw/sessions/6df5eb90-8ea8-498f-ad66-4793b4e2ac30
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...
✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟
✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready.
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨
Pull request overview
This PR bumps the default Agentic Workflow Firewall (AWF) version to v0.24.5 to reduce workflow runtime by eliminating container shutdown delays, and updates compiled workflow lock files to reference the new AWF version.
Changes:
- Bump `DefaultFirewallVersion` from `v0.24.3` to `v0.24.5`.
- Update compiled GitHub Actions `.lock.yml` workflows to use `v0.24.5` (and `0.24.5` container image tags).
Reviewed changes
Copilot reviewed 130 out of 178 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| pkg/constants/constants.go | Bumps the default AWF version constant to v0.24.5. |
| .github/workflows/workflow-health-manager.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/workflow-generator.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/weekly-safe-outputs-spec-review.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/weekly-blog-post-writer.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/test-workflow.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/test-project-url-default.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/test-dispatcher.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/smoke-gemini.lock.yml | Updates AWF install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/smoke-call-workflow.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/smoke-agent-scoped-approved.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/smoke-agent-public-none.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/smoke-agent-public-approved.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/smoke-agent-all-none.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/smoke-agent-all-merged.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/security-compliance.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/schema-feature-coverage.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/repo-tree-map.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/refiner.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/pr-triage-agent.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/poem-bot.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/plan.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/notion-issue-summary.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/metrics-collector.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/issue-triage-agent.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/issue-monster.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/issue-arborist.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/grumpy-reviewer.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/gpclean.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/github-remote-mcp-auth-test.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/firewall.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/example-permissions-warning.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/duplicate-code-detector.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/dictation-prompt.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/dev.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/daily-team-status.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/daily-secrets-analysis.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/daily-observability-report.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/daily-malicious-code-scan.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/daily-issues-report.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/daily-fact.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/craft.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/contribution-check.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/codex-github-remote-mcp-test.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/code-simplifier.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/changeset.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/brave.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/bot-detection.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/ai-moderator.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| .github/workflows/ace-editor.lock.yml | Updates AWF version, install step, image tags, and --image-tag usage to 0.24.5. |
| @@ -349,7 +349,7 @@ const DefaultGitHubMCPServerVersion Version = "v0.32.0" | |||
| const DefaultGitHubLockdown = false | |||
|
|
|||
| // DefaultFirewallVersion is the default version of the gh-aw-firewall (AWF) binary | |||
| const DefaultFirewallVersion Version = "v0.24.3" | |||
| const DefaultFirewallVersion Version = "v0.24.5" | |||
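Review bot: The doc comment on DefaultFirewallVersion does not say that the compiled .lock.yml workflows carry their own copies of this version, so a bump of the constant without a recompile leaves them on v0.24.3. Consider extending the comment with a line stating that changing this value requires recompiling the lock files, or backing it with a test that fails when any lock file references a different AWF version.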
PR description says all .lock.yml files were recompiled to pick up v0.24.5, but there is still at least one workflow lock file pinned to v0.24.3 (e.g. pkg/cli/workflows/example-blocked-domains.lock.yml contains GH_AW_INFO_AWF_VERSION v0.24.3 and uses 0.24.3 image tags). This leaves parts of the repo on the old firewall version and undermines the intended runtime savings. Please recompile/update the remaining lock file(s) so there are no v0.24.3/0.24.3 references left.
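The check this comment asks for, as an added example (not code from gh-aw or from this PR): scan a lock file for the AWF version reference points quoted on this page and list every line that names a different release. The sample lock text is constructed, and `StaleRefs`, `awfRefs` and `sampleLock` are hypothetical names.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Reference points quoted on this page. Container image references are left
// out because their exact format is not shown here.
var awfRefs = []*regexp.Regexp{
	regexp.MustCompile(`GH_AW_INFO_AWF_VERSION:\s*"?v?(\d+\.\d+\.\d+)`),
	regexp.MustCompile(`install_awf_binary\.sh\s+v?(\d+\.\d+\.\d+)`),
	regexp.MustCompile(`--image-tag\s+v?(\d+\.\d+\.\d+)`),
}

// Constructed lock-file fragment (not from the repository): the env var was
// bumped, but the install step and --image-tag still name the old release.
const sampleLock = `env:
  GH_AW_INFO_AWF_VERSION: "v0.24.5"
steps:
  - name: Install AWF binary
    run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.24.3
  - name: Run agent
    run: awf --image-tag 0.24.3 -- echo ok
`

// StaleRefs (hypothetical helper) returns "line N: text" for each line whose
// AWF version reference differs from want; the leading "v" is ignored.
func StaleRefs(lockFile, want string) []string {
	want = strings.TrimPrefix(want, "v")
	var stale []string
	for i, line := range strings.Split(lockFile, "\n") {
		for _, re := range awfRefs {
			if m := re.FindStringSubmatch(line); m != nil && m[1] != want {
				stale = append(stale, fmt.Sprintf("line %d: %s", i+1, strings.TrimSpace(line)))
				break // report each line once
			}
		}
	}
	return stale
}

func main() {
	for _, s := range StaleRefs(sampleLock, "v0.24.5") {
		fmt.Println("stale AWF reference,", s)
	}
}
```

Run over every `.lock.yml` in CI with the value of `DefaultFirewallVersion` as `want`, a non-empty result fails the build before a partially recompiled tree is merged.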
Agent Container Tool Check
Result: 12/12 tools available ✅ Overall Status: PASS
Smoke Test Results — §23323063927
✅ GitHub MCP | ✅ GH CLI | ❌ Serena MCP (not configured) | ✅ Playwright | ✅ Web Fetch | ✅ File Write | ✅ Bash | ✅ Discussion | ✅ Build | ✅ Discussion Create | ✅ Workflow Dispatch | ✅ PR Review
Overall: PR author:
Note
🔒 Integrity filtering filtered 1 item
Integrity filtering activated and filtered the following item during workflow execution.
Straightforward version bump of DefaultFirewallVersion from v0.24.3 → v0.24.5 across all compiled lock files. Changes are mechanical and consistent — all four reference points (env var, install script, docker image tags, awf --image-tag) are updated in lockstep. LGTM.
Note
🔒 Integrity filtering filtered 1 item
Integrity filtering activated and filtered the following item during workflow execution.
This happens when a tool call accesses a resource that does not meet the required integrity or secrecy level of the workflow.
📰 BREAKING: Report filed by Smoke Copilot
| GH_AW_INFO_ALLOWED_DOMAINS: '["defaults"]' | ||
| GH_AW_INFO_FIREWALL_ENABLED: "true" | ||
| GH_AW_INFO_AWF_VERSION: "v0.24.3" | ||
| GH_AW_INFO_AWF_VERSION: "v0.24.5" |
Version bump looks consistent — GH_AW_INFO_AWF_VERSION updated from v0.24.3 → v0.24.5. 🚀
| GH_HOST: github.com | ||
| - name: Install AWF binary | ||
| run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.24.3 | ||
| run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.24.5 |
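Review bot: The changed run line identifies the AWF binary only by the tag v0.24.5, and nothing in this hunk shows the download being checked against a known digest. Worth confirming that install_awf_binary.sh verifies a checksum for the release it fetches; if it does not, pass an expected SHA-256 alongside the version so the workflow fails when the artifact behind the tag differs from the one that was reviewed.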
Install script arg bumped to v0.24.5 — matches the GH_AW_INFO_AWF_VERSION env var above. Consistency ✅
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤
Smoke Test (Codex)
Warning
Commit pushed:
@copilot why did this CI fail? https://github.com/github/gh-aw/actions/runs/23322783177/job/67838284543?pr=21873
Smoke Test Results — Run §23323063974 — PARTIAL
Core tests #1–11: ✅✅
Note
🔒 Integrity filtering filtered 1 item
Integrity filtering activated and filtered the following item during workflow execution.
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com> Agent-Logs-Url: https://github.com/github/gh-aw/sessions/c4cbbe58-464d-41ff-9a9f-a010294dc4a1
The CI failure was caused by two missed files that still referenced
Both are addressed in commit
Warning
Firewall rules blocked me from connecting to one or more addresses (expand for details)
I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
v0.24.5 eliminates a 10s container shutdown delay per AWF invocation, saving ~20s per workflow run (main agent + threat detection combined).
Changes
- `pkg/constants/constants.go`: `DefaultFirewallVersion` `v0.24.3` → `v0.24.5`
- `.lock.yml` files: Recompiled to pick up the new version
What's in v0.24.4–v0.24.5 since v0.24.3
flatted, markdownlint-cli2)
CMD, adds `shutdown_lifetime 0` to squid config, sets `stop_grace_period: 2s` on both containers
Warning
Firewall rules blocked me from connecting to one or more addresses (expand for details)
I tried to connect to the following addresses, but was blocked by firewall rules:
- https://api.github.com/graphql
  - /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  - /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw w/sessions/6df5eb90-8ea8-498f-ad66-4793b4e2ac30 (http block)
  - /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw -embedcfg /tmp/go-build2551712299/b295/embedcfg -pack (http block)
- https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
  - /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha (http block)
- https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
  - /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
- https://api.github.com/repos/github/gh-aw
  - /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility (http block)
- https://api.github.com/repos/githubnext/agentics/git/ref/tags/
  - /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha (http block)
If you need me to access, download, or install something from one of these locations, you can either:
✨ PR Review Safe Output Test - Run 23323063974
Note
🔒 Integrity filtering filtered 1 item
Integrity filtering activated and filtered the following item during workflow execution.
This happens when a tool call accesses a resource that does not meet the required integrity or secrecy level of the workflow.
pull_request_read: Resource 'pr:chore: bump DefaultFirewallVersion to v0.24.5 #21873' has lower integrity than agent requires. Agent would need to drop integrity tags [unapproved:all approved:all] to trust this resource.)