Add byok-copilot feature flag for Copilot offline BYOK mode wiring and bump default firewall to v0.25.21

[Copilot]

This introduces a first-class features.byok-copilot switch so Copilot offline BYOK mode no longer requires manual, error-prone frontmatter composition. Enabling it now composes the expected compiler/runtime setup for AWF API-proxy + CLI-proxy usage.

• Feature flag surface

  • Added byok-copilot to feature constants.
  • Added a shared dummy key constant: dummy-byok-key-for-offline-mode.

• Compiler/runtime behavior

  • byok-copilot now implicitly enables cli-proxy for engine: copilot.
  • Copilot execution env now injects:
    • COPILOT_API_KEY: dummy-byok-key-for-offline-mode
    • (to trigger AWF BYOK detection/runtime offline path)
  • Copilot installer flow now forces CLI install version to latest when BYOK is enabled (ignores pinned engine version in this mode).

• Firewall default update (review feedback)

  • Bumped DefaultFirewallVersion from v0.25.20 to v0.25.21.
  • Updated affected workflow compile golden fixtures to reflect the new default AWF image/install version.

• Coverage updates

  • Added focused tests for:
    • byok-copilot ⇒ implicit cli-proxy (copilot-only)
    • AWF args include CLI-proxy flags under BYOK
    • Copilot execution step includes dummy COPILOT_API_KEY
    • Copilot install step uses latest under BYOK

• Docs

  • Updated glossary entry for features to include byok-copilot semantics.

engine: copilot
features:
  byok-copilot: true

With this flag enabled, workflow authors no longer need to manually wire the dummy key + CLI proxy + latest installer behavior for BYOK mode.

> [!WARNING]
>
>

[lpcox]

@copilot update the firewall version to v0.25.21

[github-actions]

🧪 Test Quality Sentinel Report

Test Quality Score: 72/100

⚠️ Acceptable — with suggestions

Metric	Value
New/modified tests analyzed	5
✅ Design tests (behavioral contracts)	5 (100%)
⚠️ Implementation tests (low value)	0 (0%)
Tests with error/edge cases	2 (40%)
Duplicate test clusters	0
Test inflation detected	Yes (test lines >> production lines added)
🚨 Coding-guideline violations	None

---

Test Classification Details

View All Test Classifications (5 tests)

Test	File	Classification	Issues Detected
TestBuildAWFArgsCliProxy → subtest "includes cli-proxy flags when byok-copilot is enabled"	pkg/workflow/awf_helpers_test.go	✅ Design	Happy-path only; no error/nil case
TestCopilotEngineByokFeatureSetsDummyAPIKey	pkg/workflow/copilot_engine_test.go	✅ Design	Happy-path only; no test without the flag
TestCopilotInstallerByokFeatureUsesLatestVersion	pkg/workflow/copilot_installer_test.go	✅ Design	Has both positive and negative assertions ✅
TestIsFeatureEnabledWithData → "byok-copilot implicitly enables cli-proxy for copilot engine"	pkg/workflow/features_test.go	✅ Design	Happy-path for the implication
TestIsFeatureEnabledWithData → "byok-copilot does not imply cli-proxy for non-copilot engine"	pkg/workflow/features_test.go	✅ Design	Engine-specific edge case ✅

---

Flagged Tests — Suggested Improvements

⚠️ TestBuildAWFArgsCliProxy — "includes cli-proxy flags when byok-copilot is enabled"

Classification: Design test (passes check)
Issue: Tests only the happy path (byok-copilot=true, flags present). Doesn't verify the absence of these flags when byok-copilot is not set, which is the default contract for all other users.
Suggested improvement: Add a paired t.Run("does not include difc-proxy flags without byok-copilot", ...) subtest to verify the flags are absent in a default AWFCommandConfig. This mirrors the existing pattern in this test function where positive and negative cases are both covered.

⚠️ TestCopilotEngineByokFeatureSetsDummyAPIKey

Classification: Design test (passes check)
Issue: Only exercises the byok-copilot=true branch. A behavioral regression where the dummy key leaks into non-BYOK workflows would not be caught.
Suggested improvement: Add an assertion that when byok-copilot is absent from Features, the execution step does not contain COPILOT_API_KEY. Protects against accidental key injection in the default path.

---

Score Breakdown

Component	Score	Notes
Behavioral Coverage (40 pts)	40/40	All 5 tests verify observable output or state, not internals
Error/Edge Case Coverage (30 pts)	12/30	Only 2 of 5 tests cover a negative/edge case scenario
Low Duplication (20 pts)	20/20	No copy-paste patterns detected
Proportional Growth (10 pts)	0/10	Test additions significantly exceed production code additions (e.g. 35 test lines vs 4 production lines for installer); this is not necessarily bad engineering, but triggers the penalty

---

Language Support

Tests analyzed:

• 🐹 Go (*_test.go): 5 tests — all unit (//go:build !integration)
• 🟨 JavaScript (*.test.cjs, *.test.js): 0 tests

---

Verdict

✅ Check passed. 0% of new tests are implementation tests (threshold: 30%). All new tests verify behavioral contracts. The main opportunity for improvement is adding negative/default-path tests alongside the positive BYOK cases.

---

📖 Understanding Test Classifications

Design Tests (High Value) verify what the system does:

• Assert on observable outputs, return values, or state changes
• Cover error paths and boundary conditions
• Would catch a behavioral regression if deleted
• Remain valid even after internal refactoring

Implementation Tests (Low Value) verify how the system does it:

• Assert on internal function calls (mocking internals)
• Only test the happy path with typical inputs
• Break during legitimate refactoring even when behavior is correct
• Give false assurance: they pass even when the system is wrong

Goal: Shift toward tests that describe the system's behavioral contract — the promises it makes to its users and collaborators.

References: §24490726922

🧪 Test quality analysis by Test Quality Sentinel · ● 374.6K · ◷

[github-actions]

✅ Test Quality Sentinel: 72/100. Test quality is acceptable — 0% of new tests are implementation tests (threshold: 30%). All 5 new tests verify behavioral contracts. See the comment above for suggestions to strengthen edge-case coverage.

[Copilot]

Pull request overview

Introduces a first-class features.byok-copilot flag to wire Copilot offline BYOK mode automatically (dummy API key injection, implicit CLI proxy enablement, and forcing Copilot CLI install to latest), plus accompanying tests and docs.

Changes:

• Add byok-copilot feature flag and dummy BYOK API key constant.
• Implicitly enable cli-proxy for Copilot workflows when byok-copilot is enabled; inject dummy COPILOT_API_KEY; force installer version to latest.
• Add/extend tests covering the new implication, AWF args, env injection, and installer behavior; update glossary docs.

Show a summary per file

File	Description
pkg/workflow/features.go	Adds byok-copilot ⇒ implicit cli-proxy enablement logic for Copilot engine workflows.
pkg/workflow/features_test.go	Extends feature-flag tests to cover BYOK implication behavior.
pkg/workflow/copilot_engine_installation.go	Forces Copilot CLI install version to latest when BYOK is enabled.
pkg/workflow/copilot_engine_execution.go	Injects dummy COPILOT_API_KEY env var when BYOK is enabled.
pkg/workflow/copilot_installer_test.go	Adds test asserting latest is used for installs under BYOK.
pkg/workflow/copilot_engine_test.go	Adds test asserting dummy COPILOT_API_KEY injection under BYOK.
pkg/workflow/awf_helpers_test.go	Adds test asserting CLI-proxy-related AWF args are present under BYOK.
pkg/constants/feature_constants.go	Defines ByokCopilotFeatureFlag and documents its semantics.
pkg/constants/engine_constants.go	Defines CopilotBYOKDummyAPIKey constant.
docs/src/content/docs/reference/glossary.md	Documents byok-copilot in the feature flags glossary entry.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 10/10 changed files
• Comments generated: 2

[Copilot]

In BYOK mode, COPILOT_API_KEY is set before custom env vars are merged in from workflowData.EngineConfig.Env / agentConfig.Env later in this function. If a workflow still has legacy/manual wiring that sets COPILOT_API_KEY in engine.env, that later maps.Copy will overwrite the dummy key and break the intended offline BYOK path. Consider applying the BYOK injection after all env merges (or explicitly overriding COPILOT_API_KEY when byok-copilot is enabled) so the feature flag reliably enforces the dummy value.

[Copilot]

GH_AW_FEATURES is only set for subtests when envValue != "". For cases expecting an empty env, the test will inherit whatever GH_AW_FEATURES is set to in the outer process environment, which can make these assertions flaky. It’s safer to always call t.Setenv("GH_AW_FEATURES", tt.envValue) (including empty string) for each subtest.

[github-actions]

Commit pushed: bfad5d1

🏗️ ADR gate enforced by Design Decision Gate 🏗️

[github-actions]

🏗️ Design Decision Gate — ADR Required

This PR makes significant changes to core business logic (154 new lines in pkg/) but does not have a linked Architecture Decision Record (ADR).

AI has analyzed the PR diff and generated a draft ADR to help you get started:

📄 Draft ADR: docs/adr/26544-byok-copilot-feature-flag-composition.md

The draft captures three interrelated design decisions this PR makes implicitly:

• Using a single high-level feature flag (byok-copilot) to compose multiple lower-level behaviors, rather than requiring manual frontmatter wiring
• Implementing implicit cross-flag dependency (byok-copilot → cli-proxy) inside isFeatureEnabled, scoped to the Copilot engine
• Using a well-known sentinel/dummy key as the BYOK activation signal rather than conditional logic or a separate runtime config path

What to do next

1. Review the draft ADR committed to your branch at docs/adr/26544-byok-copilot-feature-flag-composition.md
2. Complete any missing context — verify the rationale, fill in [TODO: verify] markers if any, and confirm the alternatives reflect what was actually considered
3. Reference the ADR in this PR body by adding a line such as:

   ADR: ADR-26544: BYOK-Copilot Feature Flag as a Composing Abstraction

Once an ADR is linked in the PR body, this gate will re-run and verify the implementation matches the decision.

Why ADRs Matter

"AI made me procrastinate on key design decisions. Because refactoring was cheap, I could always say 'I'll deal with this later.' Deferring decisions corroded my ability to think clearly."

ADRs create a searchable, permanent record of why the codebase looks the way it does. Future contributors (and your future self) will thank you.

---

📋 Michael Nygard ADR Format Reference

An ADR must contain these four sections to be considered complete:

• Context — What is the problem? What forces are at play?
• Decision — What did you decide? Why?
• Alternatives Considered — What else could have been done?
• Consequences — What are the trade-offs (positive and negative)?

All ADRs are stored in docs/adr/ as Markdown files numbered by PR number (e.g., 26544-byok-copilot-feature-flag-composition.md for PR #26544).

🔒 This PR cannot merge until an ADR is linked in the PR body.

References:

• §24490726928

Note

🔒 Integrity filter blocked 1 item

The following item were blocked because they don't meet the GitHub integrity level.

• Add byok-copilot feature flag for Copilot offline BYOK mode wiring and bump default firewall to v0.25.21 #26544 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

🏗️ ADR gate enforced by Design Decision Gate 🏗️ · ● 173.1K · ◷

[Copilot]

@copilot update the firewall version to v0.25.21

Updated in commit fc62301: default firewall version is now v0.25.21, and the affected workflow golden fixtures were updated accordingly.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw edcfg ache/go/1.25.8/x--show-toplevel git rev-�� --show-toplevel ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile /usr/bin/git 4615-32412/test-git aqNl/Sak5XWYSYfQrev-parse e/git git (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw rev-parse 570380/b455=> git rev-�� e:]]*"\([^"]*\)".*/\1/p git bject.type] | @tsv OGPo/_kz8wMEZNDzgit config /usr/bin/git git (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw remote /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel l /usr/bin/git git (http block)
• https://api.github.com/orgs/test-owner/actions/secrets
  • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE y.s (http block)
• https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq [.object.sha, .object.type] | @tsv --get remote.origin.url /usr/bin/infocmp tmatter-with-envgit GO111MODULE 64/pkg/tool/linu--show-toplevel infocmp -1 xterm-color 64/pkg/tool/linu-extld=gcc /usr/bin/git g_.a GO111MODULE 64/pkg/tool/linu--show-toplevel git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v3
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv k/gh-aw/gh-aw/pkg/cli go /usr/bin/git -json GO111MODULE 64/bin/go git -C /tmp/gh-aw-test-runs/20260416-034615-32412/test-3768060959/custom/workflows config om/org1/repo1.git remote.origin.urgit GO111MODULE 64/bin/go git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v5
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv til.test GO111MODULE rtcfg.link GOINSECURE GOMOD GOMODCACHE fEmuZxTCue0RDK6B^remote\..*\.gh-resolved$ stlo�� 7492839/b070/_pkg_.a rg/x/text@v0.36.0/internal/tag/tag.go _.a GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linutest@example.com (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq /usr/bin/git l.go l_test.go x_amd64/compile git rev-�� it/ref/tags/v4 x_amd64/compile sv _.a GFI5vTWRl x_amd64/compile git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv --show-toplevel /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linuremote.origin.url /usr/bin/git licyBlockedUsersgit -trimpath /opt/hostedtoolc--show-toplevel git 1/x6�� --show-toplevel /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linuTest User /usr/bin/git /tmp/go-build459git 570380/b432/_tesrev-parse /bin/sh git (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v8
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv --show-toplevel ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile /usr/bin/git 7492839/b035/_pkgrep om/goccy/go-yaml-qE ache/go/1.25.8/x"type"[[:space:]]*:[[:space:]]*"(create_pull_request|push_to_pull_request_branch-nxv git rev-�� tags/v3 ache/go/1.25.8/x^remote\..*\.gh-resolved$ sv 7492839/b135/_pkgit mzm6/OoEDtIx27ZHrev-parse ache/go/1.25.8/x--show-toplevel git (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v9
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv go1.25.8 -c=4 -nolocalimports -importcfg /tmp/go-build1717492839/b243/importcfg -pack /home/REDACTED/go/pkg/mod/golang.org/x/text@v0.36.0/internal/language/compact/compact.go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE 64/bin/go GOINSECURE GOMOD e_wasm.s go env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
• https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv om/owner/repo.git origin /usr/bin/git rity1181591443/0git GO111MODULE x_amd64/vet git rev-�� --show-toplevel x_amd64/vet /usr/bin/git -json @v1.1.3/internalrev-parse 64/pkg/tool/linu--show-toplevel git (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv /github.com/owner/repo.git remote.origin.url /opt/hostedtoolcache/node/24.14.1/x64/bin/node ay_c1058908203/0git GO111MODULE x_amd64/link node /tmp�� /home/REDACTED/work/gh-aw/gh-aw/.github/workflows/agent-persona-explorer.md x_amd64/link /opt/hostedtoolcache/node/24.14.1/x64/bin/node -json GO111MODULE 64/pkg/tool/linu--show-toplevel node (http block)
• https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv 570380/b434/_pkg_.a -trimpath ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile -p b/gh-aw/pkg/slicrev-parse -lang=go1.25 ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile push�� 570380/b450/_pkg_.a my-default 570380/b450=> go1.25.8 -c=4 -nolocalimports 570380/b434/importcfg (http block)
• https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git /tmp/gh-aw-test-/bin/sh config om/org1/repo1.gicommand -v debian-sa1 > /dev/null && debian-sa1 1 1 git rev-�� --show-toplevel git /usr/bin/git user.email test@example.com-C ache/node/24.14./home/REDACTED/work/gh-aw/gh-aw/.github/workflows git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git /v1.0.0 rev-parse sv git rev-�� --show-toplevel node /usr/bin/git /tmp/TestHashCon/usr/bin/gh go ache/node/24.14.graphql git (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq [.object.sha, .object.type] | @tsv --get remote.upstream.url /usr/bin/git repo149970749/00git GO111MODULE 64/bin/go git conf�� user.email test@example.com /usr/bin/gh -json GO111MODULE x_amd64/link gh (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv sistency_GoAndJavaScript3287179368/001/test-complex-frontmatter-with-tools.md -trimpath 1/x64/bin/node -p github.com/githurev-parse -lang=go1.25 infocmp t-ha�� ithub/workflows/approach-validator.md -goversion /usr/bin/git -c=4 -nolocalimports -importcfg git (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv sistency_GoAndJavaScript3287179368/001/test-complex-frontmatter-with-tools.md -test.v=true /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet -test.timeout=10git -test.run=^Test -test.short=true--show-toplevel /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet -ato�� -bool -buildtags /usr/bin/git -errorsas -ifaceassert -nilfunc git (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name 0/internal/langu-nolocalimports 64/pkg/tool/linu-importcfg GOINSECURE GOMOD abis 64/pkg/tool/linu/home/REDACTED/work/gh-aw/gh-aw/pkg/timeutil/format_test.go 64/s�� 3640674195 sYAOo28ie ache/go/1.25.8/x64/pkg/tool/linu-test.short=true GOINSECURE util GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 rotocol/go-sdk@v1.5.0/mcp/client.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD abis 64/pkg/tool/linutest@example.com env 1423938028/.github/workflows GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE er GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name rotocol/go-sdk@v1.5.0/internal/xcontext/xcontext.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env g_.a kLZAPaMu6 /opt/hostedtoolcache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 ohNRO1y8b 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env g_.a 3GMM57Ps3 64/pkg/tool/linux_amd64/link GOINSECURE pproxy GOMODCACHE 64/pkg/tool/linux_amd64/link (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name rotocol/go-sdk@v1.5.0/internal/jsonrpc2/conn.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env g_.a LZuHOSZyr x_amd64/vet GOINSECURE go-sdk/internal/init GOMODCACHE x_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 0/internal/language/common.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD abis 64/pkg/tool/linux_amd64/compile env g_.a GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE pguts GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name ik_mNb6yT 64/pkg/tool/linu-nolocalimports GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linu/tmp/go-build459570380/b446/_testmain.go env 3640674195 DfcRFzBGz ache/go/1.25.8/x64/pkg/tool/linux_amd64/asm GOINSECURE til GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-buildtags (http block)
  • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 rotocol/go-sdk@v1.5.0/auth/auth.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linuTest User env g_.a tVIFB3NxN k GOINSECURE go-sdk/mcp GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/asm (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name 4/apic.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD abis 64/pkg/tool/linux_amd64/compile env 3640674195 GO111MODULE ache/go/1.25.8/x64/pkg/tool/linu-test.short=true GOINSECURE age/compact GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-trimpath (http block)
  • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 5.0/deviceauth.go 64/pkg/tool/linux_amd64/compile GOINSECURE (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name til.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD abis 64/pkg/tool/linux_amd64/compile env 3640674195 bt7zDc9ZF 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 5.0/internal/doc.go 64/pkg/tool/linux_amd64/compile GOINSECURE 64 abis 64/pkg/tool/linux_amd64/compile env g_.a ortcfg 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name l.go 64/pkg/tool/linux_amd64/compile GOINSECURE essage 64/src/internal/user.email 64/pkg/tool/linutest@example.com env 3640674195 ke8fejfLv ache/go/1.25.8/x64/pkg/tool/linu-test.short=true GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-importcfg (http block)
  • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 rotocol/go-sdk@v1.5.0/oauthex/auth_meta.go 64/pkg/tool/linux_amd64/compile GOINSECURE o8601 64/src/internal//home/REDACTED/work/gh-aw/gh-aw/.github/workflows/agent-performance-analyzer.md 64/pkg/tool/linux_amd64/compile env g_.a GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE go-sdk/auth GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile (http block)
• https://api.github.com/repos/github/gh-aw/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path -c=4 -nolocalimports -importcfg /tmp/go-build459570380/b414/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/pkg/fileutil/fileutil.go /home/REDACTED/work/gh-aw/gh-aw/pkg/fileutil/tar.go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 GOMOD GOMODCACHE x_amd64/link env -json GO111MODULE x_amd64/compile GOINSECURE 0o/B-ilV_ph4eyfb-C GOMODCACHE x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env l.go l_test.go x_amd64/compile GOINSECURE a20 64/src/syscall/j--show-toplevel x_amd64/compile (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git -json aNsjT_hWR x_amd64/link git rev-�� --show-toplevel x_amd64/link /usr/bin/git ortcfg GO111MODULE cfg git (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv g_.a z-hV-eFae 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile stlo�� _.a v4b3viMTA x_amd64/compile GOINSECURE tants GOMODCACHE x_amd64/compile (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE x_amd64/asm GOINSECURE GOMOD GOMODCACHE x_amd64/asm env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv go1.25.8 -c=4 -nolocalimports -importcfg /tmp/go-build459570380/b425/importcfg -pack /tmp/go-build459570380/b425/_testmain.go env 4972315/001 4972315/002/work x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env Gitmain_branch2224972315/001' Gitmain_branch2224972315/001' x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
• https://api.github.com/repos/githubnext/agentics/git/ref/tags/-
  • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/- --jq [.object.sha, .object.type] | @tsv --show-toplevel /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet /usr/bin/git -bool -buildtags /usr/bin/git git rev-�� 40\} ster.patch /usr/bin/git /tmp/gh-aw-test-git resolved$ /usr/bin/git git (http block)
• https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv l.go l_test.go x_amd64/compile GOINSECURE a20 64/src/syscall/j--show-toplevel x_amd64/compile env _.a GFI5vTWRl x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
• https://api.github.com/repos/nonexistent/repo/actions/runs/12345
  • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE er GOMODCACHE 64/pkg/tool/linux_amd64/vet env PefC8rlji GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile (http block)
• https://api.github.com/repos/owner/repo/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/owner/repo/contents/file.md
  • Triggering command: /tmp/go-build459570380/b400/cli.test /tmp/go-build459570380/b400/cli.test -test.testlogfile=/tmp/go-build459570380/b400/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true -nolocalimports -importcfg /tmp/go-build1717492839/b224/importcfg -pack env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/test-owner/test-repo/actions/secrets
  • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)