Conversation
…0.26.0 to v0.25.3 Agent-Logs-Url: https://github.com/github/gh-aw/sessions/a0787beb-38f3-48d8-a3a9-dfa8ce0aed0b Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Fix workflow normalizer failure in agentic workflows
fix: downgrade DefaultFirewallVersion and AWFExcludeEnvMinVersion from v0.26.0 to v0.25.3
Mar 29, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
This PR fixes workflow failures caused by pinning the AWF (gh-aw-firewall) version to a nonexistent release by downgrading the default/version gates to the latest available AWF release (v0.25.3) and recompiling workflow lock files accordingly.
Changes:
- Downgrade
DefaultFirewallVersionandAWFExcludeEnvMinVersionfromv0.26.0tov0.25.3. - Update AWF version references in comments and tests, including adding a boundary test for
v0.25.3. - Recompile workflow
.lock.ymlfiles so AWF binary installs and image tags usev0.25.3/0.25.3.
Reviewed changes
Copilot reviewed 111 out of 182 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| pkg/constants/constants.go | Set default AWF version and --exclude-env minimum version to v0.25.3. |
| pkg/workflow/awf_helpers.go | Update inline documentation to reflect --exclude-env availability from v0.25.3. |
| pkg/workflow/awf_helpers_test.go | Update test docs and add explicit v0.25.3 min-boundary test case. |
| pkg/workflow/gh_cli_mount_test.go | Update comment to reflect --exclude-env security fix starting in v0.25.3. |
| .github/workflows/workflow-health-manager.lock.yml | Recompiled to install AWF v0.25.3 and use 0.25.3 image tags. |
| .github/workflows/workflow-generator.lock.yml | Recompiled to install AWF v0.25.3 and use 0.25.3 image tags. |
| .github/workflows/test-workflow.lock.yml | Recompiled to install AWF v0.25.3 and use 0.25.3 image tags. |
| .github/workflows/test-project-url-default.lock.yml | Recompiled to install AWF v0.25.3 and use 0.25.3 image tags. |
| .github/workflows/test-dispatcher.lock.yml | Recompiled to install AWF v0.25.3 and use 0.25.3 image tags. |
| .github/workflows/smoke-gemini.lock.yml | Recompiled to install AWF v0.25.3 and use 0.25.3 image tags. |
| .github/workflows/security-compliance.lock.yml | Recompiled to install AWF v0.25.3 and use 0.25.3 image tags. |
| .github/workflows/repo-tree-map.lock.yml | Recompiled to install AWF v0.25.3 and use 0.25.3 image tags. |
| .github/workflows/refiner.lock.yml | Recompiled to install AWF v0.25.3 and use 0.25.3 image tags. |
| .github/workflows/pr-triage-agent.lock.yml | Recompiled to install AWF v0.25.3 and use 0.25.3 image tags. |
| .github/workflows/poem-bot.lock.yml | Recompiled to install AWF v0.25.3 and use 0.25.3 image tags. |
| .github/workflows/plan.lock.yml | Recompiled to install AWF v0.25.3 and use 0.25.3 image tags. |
| .github/workflows/notion-issue-summary.lock.yml | Recompiled to install AWF v0.25.3 and use 0.25.3 image tags. |
| .github/workflows/metrics-collector.lock.yml | Recompiled to install AWF v0.25.3 and use 0.25.3 image tags. |
| .github/workflows/jsweep.lock.yml | Recompiled to install AWF v0.25.3 and use 0.25.3 image tags. |
| .github/workflows/issue-triage-agent.lock.yml | Recompiled to install AWF v0.25.3 and use 0.25.3 image tags. |
| .github/workflows/issue-monster.lock.yml | Recompiled to install AWF v0.25.3 and use 0.25.3 image tags. |
| .github/workflows/gpclean.lock.yml | Recompiled to install AWF v0.25.3 and use 0.25.3 image tags. |
| .github/workflows/github-remote-mcp-auth-test.lock.yml | Recompiled to install AWF v0.25.3 and use 0.25.3 image tags. |
| .github/workflows/firewall.lock.yml | Recompiled to install AWF v0.25.3 and use 0.25.3 image tags. |
| .github/workflows/example-permissions-warning.lock.yml | Recompiled to install AWF v0.25.3 and use 0.25.3 image tags. |
| .github/workflows/dictation-prompt.lock.yml | Recompiled to install AWF v0.25.3 and use 0.25.3 image tags. |
| .github/workflows/dev.lock.yml | Recompiled to install AWF v0.25.3 and use 0.25.3 image tags. |
| .github/workflows/dependabot-go-checker.lock.yml | Recompiled to install AWF v0.25.3 and use 0.25.3 image tags. |
| .github/workflows/dependabot-burner.lock.yml | Recompiled to install AWF v0.25.3 and use 0.25.3 image tags. |
| .github/workflows/daily-team-status.lock.yml | Recompiled to install AWF v0.25.3 and use 0.25.3 image tags. |
| .github/workflows/daily-secrets-analysis.lock.yml | Recompiled to install AWF v0.25.3 and use 0.25.3 image tags. |
| .github/workflows/daily-malicious-code-scan.lock.yml | Recompiled to install AWF v0.25.3 and use 0.25.3 image tags. |
| .github/workflows/daily-assign-issue-to-user.lock.yml | Recompiled to install AWF v0.25.3 and use 0.25.3 image tags. |
| .github/workflows/craft.lock.yml | Recompiled to install AWF v0.25.3 and use 0.25.3 image tags. |
| .github/workflows/contribution-check.lock.yml | Recompiled to install AWF v0.25.3 and use 0.25.3 image tags. |
| .github/workflows/constraint-solving-potd.lock.yml | Recompiled to install AWF v0.25.3 and use 0.25.3 image tags. |
| .github/workflows/codex-github-remote-mcp-test.lock.yml | Recompiled to install AWF v0.25.3 and use 0.25.3 image tags. |
| .github/workflows/code-simplifier.lock.yml | Recompiled to install AWF v0.25.3 and use 0.25.3 image tags. |
| .github/workflows/changeset.lock.yml | Recompiled to install AWF v0.25.3 and use 0.25.3 image tags. |
| .github/workflows/brave.lock.yml | Recompiled to install AWF v0.25.3 and use 0.25.3 image tags. |
| .github/workflows/bot-detection.lock.yml | Recompiled to install AWF v0.25.3 and use 0.25.3 image tags. |
| .github/workflows/ai-moderator.lock.yml | Recompiled to install AWF v0.25.3 and use 0.25.3 image tags. |
| .github/workflows/ace-editor.lock.yml | Recompiled to install AWF v0.25.3 and use 0.25.3 image tags. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This was referenced Mar 29, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The Workflow Normalizer (and all firewall-enabled workflows) were failing at "Install AWF binary" with HTTP 404 because
DefaultFirewallVersionwas set tov0.26.0, which was never released — the latestgh-aw-firewallrelease isv0.25.3.The
--exclude-envflag (PR #1482) was shipped inv0.25.3, notv0.26.0as assumed when the security feature was added.Changes
pkg/constants/constants.go: UpdateDefaultFirewallVersionandAWFExcludeEnvMinVersionfromv0.26.0→v0.25.3pkg/workflow/awf_helpers.go: Update version references in commentspkg/workflow/awf_helpers_test.go: UpdateTestAWFSupportsExcludeEnvcomment; add explicitv0.25.3test case (min version boundary)pkg/workflow/gh_cli_mount_test.go: Update version reference in comment.lock.ymlfiles: Recompiled — all workflows now installv0.25.3instead of the non-existentv0.26.0Warning
Firewall rules blocked me from connecting to one or more addresses (expand for details)
I tried to connect to the following addresses, but was blocked by firewall rules:
https://api.github.com/graphql/usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw(http block)/usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw ase,codename,all-atomic(http block)/usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw description,releapi(http block)https://api.github.com/orgs/test-owner/actions/secrets/usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name rite '**/*.cjs' '**/*.ts' '**/*.remote.origin.url cfg 64/pkg/tool/linux_amd64/vet(http block)https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1/usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha --show-toplevel ache/go/1.25.0/x64/pkg/tool/linuconfig /usr/bin/git ithub/workflows 169283/b193/vet.rev-parse ache/go/1.25.0/x--show-toplevel git rev-�� --show-toplevel ache/go/1.25.0/x64/pkg/tool/linuconfig /usr/bin/gh b/workflows :latest repository(owne--show-toplevel gh(http block)https://api.github.com/repos/actions/checkout/git/ref/tags/v3/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha xterm-color 590806/b418/_testmain.go /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linu--limit *.json' '!../../git(http block)https://api.github.com/repos/actions/checkout/git/ref/tags/v5/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha thub/workflows -buildtags(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha inputs.version 351440/b001/workflow.test /usr/bin/git ithub/workflows m0s ker/cli-plugins/--show-toplevel git rev-�� --show-toplevel _QUvJx9/udQqw-GTJ_pvEl_0q8G_ /usr/bin/git ty-test.md /tmp/go-build697rev-parse me: String!) { --show-toplevel git(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel git /usr/bin/git /home/REDACTED/worgit rev-parse k/_temp/ghcca-no--show-toplevel git rev-�� --show-toplevel /usr/bin/gh /usr/bin/git graphql -f 590806/b424/logg--show-toplevel git(http block)https://api.github.com/repos/actions/checkout/git/ref/tags/v6/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha k/gh-aw/gh-aw/.github/workflows/auto-triage-issues.md -importcfg /usr/bin/git -s -w -buildmode=exe git chec�� .github/workflows/test.md -extld=gcc /usr/bin/git 0DC_/JWjfekxMoOegit(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha uts.version 64/pkg/tool/linu-trimpath /usr/bin/git se 169283/b017/vet.rev-parse r: $owner, name:--show-toplevel git rev-�� --git-dir ache/go/1.25.0/xrev-parse /usr/bin/git se 169283/b101/vet.rev-parse me: String!) { --show-toplevel git(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel util.test /usr/bin/git k/gh-aw/gh-aw/.ggit docker.io/mcp/brrev-parse(http block)https://api.github.com/repos/actions/github-script/git/ref/tags/v8/usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha --noprofile(http block)/usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha --noprofile cfg r: $owner, name: $name) { hasDiscussionsEnabled } }(http block)/usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha te 'scripts/**/*.js' --ignore-path .prettierigno-errorsas cfg 64/pkg/tool/linux_amd64/vet(http block)https://api.github.com/repos/actions/setup-go/git/ref/tags/v4/usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha /tmp/TestCompileErrorFormatting936427829/001 rev-parse /usr/bin/git se 169283/b013/vet.rev-parse cfg git -C /tmp/gh-aw-test-runs/20260328-235859-15664/test-3697408596 status /opt/hostedtoolcache/node/24.14.0/x64/bin/node .github/workflowgit(http block)https://api.github.com/repos/actions/setup-node/git/ref/tags/v4/usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha k/gh-aw/gh-aw/.github/workflows/blog-auditor.md ache/go/1.25.0/x-trimpath /usr/bin/git se 169283/b012/vet.rev-parse cfg git rev-�� --git-dir ache/go/1.25.0/xrev-parse /usr/bin/git ithub/workflows 169283/b097/vet.rev-parse ache/go/1.25.0/x--show-toplevel git(http block)https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4/usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha inspect ghcr.io/github/serena-mcp-server:latest 590806/b316/vet.cfg version\|AWFVersgit k/gh-aw/gh-aw/pkrev-parse x_amd64/vet git -C /home/REDACTED/work/gh-aw/gh-aw/.github/workflows rev-parse cfg */*.json' '!../.git main x_amd64/compile /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet(http block)https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b/usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha th .prettierigno-errorsas --local es/.bin/node credential.helpebash(http block)https://api.github.com/repos/github/gh-aw/usr/bin/gh gh api /repos/github/gh-aw --jq .visibility /*.js' --ignore-path .prettierig-errorsas core.hooksPath x_amd64/vet(http block)https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0 --jq .object.sha th .prettierigno-errorsas --local es/.bin/node credential.usernmake(http block)https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha -test.paniconexit0 -test.v=true /usr/bin/git -test.timeout=10git -test.run=^Test -test.short=true--show-toplevel git comm�� nt/action/git/ref/tags/v999.999.999 Add workflow /usr/bin/git se 169283/b127/vet.rev-parse ache/go/1.25.0/x--show-toplevel git(http block)https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha 5859-15664/test-3697408596 x_amd64/vet(http block)https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha KalLpCxFj ghcr.io/github/serena-mcp-server:latest 590806/b380/vet.cfg l committer.email x_amd64/vet git rtcf�� /home/REDACTED/work/gh-aw/gh-aw/.github/workflows tmain.go ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet remote.origin.urgit(http block)https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts/usr/bin/gh gh run download 1 --dir test-logs/run-1 rsion=5dc823f-dirty(http block)https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts/usr/bin/gh gh run download 12345 --dir test-logs/run-12345 :latest 169283/b307/vet.cfg(http block)https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts/usr/bin/gh gh run download 12346 --dir test-logs/run-12346 /tmp/go-build697-nolocalimports x_amd64/compile(http block)https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts/usr/bin/gh gh run download 2 --dir test-logs/run-2 /tmp/go-build697169283/b171/vet.-w 169283/b322/vet.cfg(http block)https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts/usr/bin/gh gh run download 3 --dir test-logs/run-3 /tmp/go-build697-c=4 x_amd64/vet ent=data['logs_cgit %H %ct %D 8f787f1b828ce481--show-toplevel x_amd64/vet -uns�� k/gh-aw/gh-aw/.github/workflows /tmp/go-build697169283/b196/vet.-c=4 me: String!) { repository(owne-nolocalimports k/_temp/copilot-git(http block)https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts/usr/bin/gh gh run download 4 --dir test-logs/run-4 -buildtags x_amd64/link -errorsas -ifaceassert -nilfunc x_amd64/link -uns�� k/gh-aw/gh-aw/.github/workflows /tmp/go-build697169283/b191/vet.cfg /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet ath ../../../.prgit(http block)https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts/usr/bin/gh gh run download 5 --dir test-logs/run-5 -trimpath me: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -p github.com/stretrev-parse ed } } /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linuconfig -uns�� ithub/workflows /tmp/go-build697169283/b193/vet.cfg /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet l -nolocalimports -importcfg /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linuconfig(http block)https://api.github.com/repos/github/gh-aw/actions/workflows/usr/bin/gh gh workflow list --json name,state,path rite '**/*.cjs' '**/*.ts' '**/*.-f cfg 64/pkg/tool/linux_amd64/vet(http block)/usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 -j DROP ache/go/1.25.0/x64/pkg/tool/linurev-parse(http block)/usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git -unreachable=falgit /tmp/go-build697rev-parse At,event,headBra--show-toplevel git rev-�� --show-toplevel /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linuconfig /usr/bin/git k/gh-aw/gh-aw/.gsed -buildtags /opt/hostedtoolcache/go/1.25.0/x--show-toplevel git(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha ithub/workflows /tmp/go-build697169283/b129/vet.cfg /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linu-f(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha --noprofile(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha --noprofile(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha te '../../../**/*.json' '!../../remote.origin.url(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha te '../../../**/remote.origin.url(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha --noprofile(http block)https://api.github.com/repos/githubnext/agentics/git/ref/tags//usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha ../pkg/workflow/js/**/*.json' --ignore-path ../../../.prettierignore --local $name) { hasDiscussionsEnabled } } gpg.program(http block)https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999/usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha ithub/workflows /tmp/go-build697169283/b127/vet.cfg /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -c=4 -nolocalimports ed } } /opt/hostedtoolcache/go/1.25.0/xrev-parse -uns�� ithub/workflows /tmp/go-build697169283/b265/vet.cfg er: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabl--show-toplevel(http block)https://api.github.com/repos/nonexistent/repo/actions/runs/12345/usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion(http block)https://api.github.com/repos/owner/repo/actions/workflows/usr/bin/gh gh workflow list --json name,state,path --repo owner/repo r: $owner, name:-f he 'error' sectigit(http block)/usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/pkg/tool/linux_amd64/vet(http block)https://api.github.com/repos/owner/repo/contents/file.md/tmp/go-build747590806/b403/cli.test /tmp/go-build747590806/b403/cli.test -test.testlogfile=/tmp/go-build747590806/b403/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true(http block)https://api.github.com/repos/test-owner/test-repo/actions/secrets/usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name rite '**/*.cjs' remote.origin.url cfg 64/pkg/tool/linux_amd64/vet he install AWF bdocker(http block)If you need me to access, download, or install something from one of these locations, you can either:
💬 Send tasks to Copilot coding agent from Slack and Teams to turn conversations into code. Copilot posts an update in your thread when it's finished.