Bump DefaultFirewallVersion to v0.25.35

[Copilot]

Bumps the default Agent Workflow Firewall (AWF) version from v0.25.29 to v0.25.35.

Changes

• pkg/constants/version_constants.go: DefaultFirewallVersion updated to v0.25.35
• 208 lock files (.github/workflows/*.lock.yml): recompiled to reference the new AWF version

// Before
const DefaultFirewallVersion Version = "v0.25.29"

// After
const DefaultFirewallVersion Version = "v0.25.35"

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv get --local repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } credential.helpegit (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv ithub/workflows --local repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } credential.helpegit (http block)
• https://api.github.com/repos/actions/download-artifact/git/ref/tags/v8
  • Triggering command: /usr/bin/gh gh api /repos/actions/download-artifact/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v9
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv ns.json and pkg/workflow/data/action_pins.json..." (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv tions-lock.json pkg/actionpins/data/action_pins.json; \ cp .github/aw/actions-lock.json pkg/worgit (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv ns.json and pkg/workflow/data/action_pins.json..." (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv ithub/workflows --local (http block)
• https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv (http block)
• https://api.github.com/repos/docker/metadata-action/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/docker/metadata-action/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv (http block)
• https://api.github.com/repos/docker/setup-buildx-action/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/docker/setup-buildx-action/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv (http block)
• https://api.github.com/repos/github/gh-aw
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .default_branch ithub/workflows --local /home/REDACTED/.lo-f user.email (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

---

---

✨ PR Review Safe Output Test - Run 25263690532

💥 [THE END] — Illustrated by Smoke Claude · ● 312.4K · ◷

[github-actions]

Hey @copilot-swe-agent 👋 — thanks for picking up the firewall version bump to v0.25.35! The intent is clear and this is exactly the kind of routine maintenance this project needs.

A couple of things to address before this can move forward:

• No code changes yet — the PR currently has 0 files changed and 0 lines diff. The checklist items in the body are all still unchecked, meaning the actual version bump in pkg/constants/version_constants.go hasn't been committed yet.
• Missing tests — once the version constant is updated, verify whether any existing test fixtures or lock file snapshots reference the old version string v0.25.29 and need to be regenerated via make recompile.
• WIP description — the body is a pre-work task list rather than a summary of what was done. Once the changes are committed, update the description to reflect what was changed and why.

When you're ready to execute, you can assign this prompt to the agent:

Complete the firewall version bump in github/gh-aw:
1. In `pkg/constants/version_constants.go`, update `DefaultFirewallVersion` from `v0.25.29` to `v0.25.35`.
2. Run `make build` to rebuild the binary.
3. Run `make recompile` to regenerate lock files so they reference the new version.
4. Run `make agent-finish` to validate all checks pass.
5. Update the PR body to summarize the change made (what was bumped and why).
6. Mark the PR as ready for review (remove WIP/draft status).

Generated by Contribution Check · ● 1.2M · ◷

[lpcox]

@copilot merge main and recompile

[Copilot]

@copilot merge main and recompile

Done — merged main, resolved conflicts in the 9 conflicting lock files, rebuilt the binary, and recompiled all lock files. Commit: edbe6e6.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw ml (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv get --local repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } user.email (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv ithub/workflows --local repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } committer.name (http block)
• https://api.github.com/repos/actions/download-artifact/git/ref/tags/v8
  • Triggering command: /usr/bin/gh gh api /repos/actions/download-artifact/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v9
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv ns.json and pkg/workflow/data/action_pins.json..." (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv -main/dist/index.js (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv ithub/workflows --local nfig/composer/vendor/bin/bash user.email (http block)
• https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv (http block)
• https://api.github.com/repos/docker/metadata-action/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/docker/metadata-action/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv (http block)
• https://api.github.com/repos/docker/setup-buildx-action/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/docker/setup-buildx-action/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv (http block)
• https://api.github.com/repos/github/gh-aw
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .default_branch ithub/workflows --local /snap/bin/git gpg.program (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

⚠️ Smoke Crush failed. Crush encountered unexpected challenges...

[github-actions]

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

🚀 Smoke OpenCode MISSION COMPLETE! OpenCode delivered. 🔥

[github-actions]

⚠️ Smoke Gemini failed. Gemini encountered unexpected challenges...

[github-actions]

Agent Container Tool Check

Tool	Status	Version
bash	✅	5.2.21
sh	✅	available
git	✅	2.53.0
jq	✅	1.7
yq	✅	v4.52.5
curl	✅	8.5.0
gh	✅	2.89.0
node	✅	v22.22.2
python3	✅	3.10.16 (PyPy 7.3.19)
go	✅	1.24.13
java	✅	10.0.201
dotnet	✅	10.0.201

Result: 12/12 tools available ✅ PASS

🔧 Tool validation by Agent Container Smoke Test · ● 174.8K · ◷

[github-actions]

PRs: #29833 feat: add pi_steering_extension.cjs with automatic injection and cpi.yml integration tests; #29804 feat: surface missing_tool and missing_data as agent failures in failure issue comments
Tests: 1✅ 2✅ 3✅ 4❌ 5✅ 6✅ 7✅ 8✅ 9✅
Overall: FAIL
Run: https://github.com/github/gh-aw/actions/runs/25263690507

Warning

Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

• ab.chatgpt.com
• chatgpt.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "ab.chatgpt.com"
    - "chatgpt.com"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex · ◷

[github-actions]

Comment Memory

Silent checks compile
Cold cache remembers the run
Smoke fades into green

Note

This comment is managed by comment memory.

It stores persistent context for this thread in the code block at the top of this comment.
Edit only the text inside the backtick fences; workflow metadata and the footer are regenerated automatically.

Learn more about comment memory

Warning

Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

• ab.chatgpt.com
• chatgpt.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "ab.chatgpt.com"
    - "chatgpt.com"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex · ◷

[github-actions]

Smoke test caveman was here! Me test tools. Me bang rocks together. Tools work good! 🦴

📰 BREAKING: Report filed by Smoke Copilot · ● 1M · ◷

[github-actions]

Me review! Firewall version bump from 0.25.29 to 0.25.35. All lock files updated. Look good to caveman!

📰 BREAKING: Report filed by Smoke Copilot · ● 1M

[github-actions]

Me see firewall version change. 0.25.29 gone, 0.25.35 here now. Good bump!

[github-actions]

AWF version env var now v0.25.35. Me approve!

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

🤖 Smoke Test Results — Run 25263690532

Tests #1–12	Status
GitHub MCP, GH CLI, Serena, Build, Playwright, Tavily, File, Bash, Discussion, AW-MCP, Slack, Code-Scan	✅ All passed

Tests #13–19	Status
Update PR, Review Comments, Submit Review, Reviewer Added, Push to Branch	✅ Pass
Resolve Review Thread	⚠️ Skipped (no unresolved threads)
Close PR	⚠️ Skipped (no safe test PR)

Overall: PARTIAL (2 skipped, rest passed)

💥 [THE END] — Illustrated by Smoke Claude · ● 312.4K · ◷

[github-actions]

💥 Automated smoke test review - all systems nominal! This PR correctly bumps DefaultFirewallVersion from v0.25.29 to v0.25.35 across 208 lock files. The change is mechanical and consistent throughout.

💥 [THE END] — Illustrated by Smoke Claude · ● 312.4K

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Bumps the default Agent Workflow Firewall (AWF) version from v0.25.29 to v0.25.35 and updates workflow lockfiles to reference the new version.

Changes:

• Update DefaultFirewallVersion constant to v0.25.35
• Recompile workflow lockfiles to reference 0.25.35 container tags and AWF binary version
• Update embedded AWF config JSON in lockfiles to use the new image tag

Show a summary per file

File	Description
pkg/constants/version_constants.go	Bumps DefaultFirewallVersion constant to v0.25.35.
.github/workflows/test-workflow.lock.yml	Updates manifest/container references and runtime AWF version to 0.25.35.
.github/workflows/smoke-opencode.lock.yml	Updates manifest/container references and runtime AWF version to 0.25.35.
.github/workflows/smoke-crush.lock.yml	Updates manifest/container references and runtime AWF version to 0.25.35.
.github/workflows/smoke-ci.lock.yml	Updates manifest/container references and runtime AWF version to 0.25.35.
.github/workflows/release.lock.yml	Updates manifest/container references and runtime AWF version to 0.25.35.
.github/workflows/metrics-collector.lock.yml	Updates manifest/container references (incl. cli-proxy) and runtime AWF version to 0.25.35.
.github/workflows/hippo-embed.lock.yml	Updates manifest/container references and runtime AWF version to 0.25.35.
.github/workflows/gpclean.lock.yml	Updates manifest/container references and runtime AWF version to 0.25.35.
.github/workflows/github-remote-mcp-auth-test.lock.yml	Updates manifest/container references and runtime AWF version to 0.25.35.
.github/workflows/firewall.lock.yml	Updates manifest/container references and runtime AWF version to 0.25.35.
.github/workflows/example-permissions-warning.lock.yml	Updates manifest/container references and runtime AWF version to 0.25.35.
.github/workflows/dev.lock.yml	Updates manifest/container references (incl. cli-proxy) and runtime AWF version to 0.25.35.
.github/workflows/daily-malicious-code-scan.lock.yml	Updates manifest/container references and runtime AWF version to 0.25.35.
.github/workflows/copilot-token-optimizer.lock.yml	Updates manifest/container references (incl. cli-proxy) and runtime AWF version to 0.25.35.
.github/workflows/codex-github-remote-mcp-test.lock.yml	Updates manifest/container references and runtime AWF version to 0.25.35.
.github/workflows/code-simplifier.lock.yml	Updates manifest/container references and runtime AWF version to 0.25.35.
.github/workflows/changeset.lock.yml	Updates manifest/container references and runtime AWF version to 0.25.35.
.github/workflows/bot-detection.lock.yml	Updates manifest/container references and runtime AWF version to 0.25.35.
.github/workflows/ai-moderator.lock.yml	Updates manifest/container references and runtime AWF version to 0.25.35.
.github/workflows/ace-editor.lock.yml	Updates manifest/container references and runtime AWF version to 0.25.35.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 58/209 changed files
• Comments generated: 0