Conversation
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Add container image digest entries to actions-lock.json for the three v0.25.20 firewall images (agent, api-proxy, squid). This ensures lock files include immutable digest-pinned references instead of tag-only references. Resolves review feedback about missing digest pins. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
|
@copilot resolve the merge conflicts in this pull request |
There was a problem hiding this comment.
Pull request overview
Bumps the gh-aw-firewall (AWF) version to v0.25.20 and updates the pinned container image digests used by generated workflow lock files.
Changes:
- Update the default AWF binary version constant to
v0.25.20. - Add pins for AWF
agent,api-proxy, andsquidimages at0.25.20(with digests). - Regenerate multiple GitHub Actions workflow lock files to reference AWF
0.25.20images and tags.
Show a summary per file
| File | Description |
|---|---|
| pkg/workflow/data/action_pins.json | Adds new pinned AWF container image entries for 0.25.20. |
| pkg/constants/version_constants.go | Bumps DefaultFirewallVersion to v0.25.20. |
| .github/workflows/workflow-generator.lock.yml | Updates AWF images/tags/digests to 0.25.20. |
| .github/workflows/test-workflow.lock.yml | Updates AWF images/tags/digests to 0.25.20. |
| .github/workflows/schema-feature-coverage.lock.yml | Updates AWF images/tags/digests to 0.25.20. |
| .github/workflows/pr-triage-agent.lock.yml | Updates AWF images/tags/digests to 0.25.20. |
| .github/workflows/plan.lock.yml | Updates AWF images/tags/digests to 0.25.20. |
| .github/workflows/metrics-collector.lock.yml | Updates AWF images/tags/digests to 0.25.20. |
| .github/workflows/gpclean.lock.yml | Updates AWF images/tags/digests to 0.25.20. |
| .github/workflows/github-remote-mcp-auth-test.lock.yml | Updates AWF images/tags/digests to 0.25.20. |
| .github/workflows/firewall.lock.yml | Updates AWF images/tags/digests to 0.25.20. |
| .github/workflows/example-permissions-warning.lock.yml | Updates AWF images/tags/digests to 0.25.20. |
| .github/workflows/dev.lock.yml | Updates AWF images/tags/digests to 0.25.20. |
| .github/workflows/daily-malicious-code-scan.lock.yml | Updates AWF images/tags/digests to 0.25.20. |
| .github/workflows/contribution-check.lock.yml | Updates AWF images/tags/digests to 0.25.20. |
| .github/workflows/codex-github-remote-mcp-test.lock.yml | Updates AWF images/tags/digests to 0.25.20. |
| .github/workflows/code-simplifier.lock.yml | Updates AWF images/tags/digests to 0.25.20. |
| .github/workflows/changeset.lock.yml | Updates AWF images/tags/digests to 0.25.20. |
| .github/workflows/bot-detection.lock.yml | Updates AWF images/tags/digests to 0.25.20. |
| .github/workflows/ai-moderator.lock.yml | Updates AWF images/tags/digests to 0.25.20. |
| .github/workflows/ace-editor.lock.yml | Updates AWF images/tags/digests to 0.25.20. |
| .github/aw/actions-lock.json | Adds pinned AWF container image entries for 0.25.20 (with digests). |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 61/190 changed files
- Comments generated: 2
| }, | ||
| "ghcr.io/github/gh-aw-firewall/agent:0.25.20": { | ||
| "image": "ghcr.io/github/gh-aw-firewall/agent:0.25.20", | ||
| "digest": "sha256:9161f2415a3306a344aca34dd671ee69f122317e0a512e66dc64c94b9c508682", | ||
| "pinned_image": "ghcr.io/github/gh-aw-firewall/agent:0.25.20@sha256:9161f2415a3306a344aca34dd671ee69f122317e0a512e66dc64c94b9c508682" | ||
| }, | ||
| "ghcr.io/github/gh-aw-firewall/api-proxy:0.25.20": { | ||
| "image": "ghcr.io/github/gh-aw-firewall/api-proxy:0.25.20", | ||
| "digest": "sha256:6971639e381e82e45134bcd333181f456df3a52cd6f818a3e3d6de068ff91519", | ||
| "pinned_image": "ghcr.io/github/gh-aw-firewall/api-proxy:0.25.20@sha256:6971639e381e82e45134bcd333181f456df3a52cd6f818a3e3d6de068ff91519" | ||
| }, | ||
| "ghcr.io/github/gh-aw-firewall/squid:0.25.20": { | ||
| "image": "ghcr.io/github/gh-aw-firewall/squid:0.25.20", | ||
| "digest": "sha256:5411d903f73ee597e6a084971c2adef3eb0bd405910df3ed7bf5e3d6bd58a236", | ||
| "pinned_image": "ghcr.io/github/gh-aw-firewall/squid:0.25.20@sha256:5411d903f73ee597e6a084971c2adef3eb0bd405910df3ed7bf5e3d6bd58a236" |
There was a problem hiding this comment.
The new AWF container entries for 0.25.20 were appended at the end of the "containers" map (after semgrep), which breaks the otherwise alphabetical/stable ordering of keys in this file. To keep diffs deterministic and the file easy to scan, place the 0.25.20 gh-aw-firewall entries next to the existing 0.25.18 gh-aw-firewall entries (around lines ~193-207).
| // DefaultFirewallVersion is the default version of the gh-aw-firewall (AWF) binary | ||
| const DefaultFirewallVersion Version = "v0.25.18" | ||
| const DefaultFirewallVersion Version = "v0.25.20" | ||
|
|
There was a problem hiding this comment.
This PR bumps DefaultFirewallVersion to v0.25.20, but there are still AWF pin references to v0.25.18 in the repo (e.g., pkg/cli/workflows/example-blocked-domains.lock.yml). If the intent is to bump the firewall version consistently, update those remaining lock/example workflow pins as well to avoid diverging default vs. example behavior.
…0.25.20 # Conflicts: # .github/workflows/contribution-check.lock.yml Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Resolved the merge conflict in |
|
@copilot resolve the merge conflicts in this pull request |
Update TestWasmGolden_CompileFixtures golden files and docker_cli_proxy_test.go to use v0.25.20 image tags, matching the DefaultFirewallVersion bump. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…0.25.20 # Conflicts: # .github/workflows/daily-doc-updater.lock.yml # .github/workflows/hourly-ci-cleaner.lock.yml Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
…to chore/bump-firewall-v0.25.20 Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Resolved the new merge conflicts in |
No description provided.