Skip to content

fix: explicitly default sandbox.agent to awf in strict mode when id is not specified#30355

Merged
pelikhan merged 4 commits intomainfrom
copilot/update-strict-mode-default-id
May 5, 2026
Merged

fix: explicitly default sandbox.agent to awf in strict mode when id is not specified#30355
pelikhan merged 4 commits intomainfrom
copilot/update-strict-mode-default-id

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented May 5, 2026
edited
Loading

Summary

Removes the strict mode check that rejected sandbox.agent configurations without an explicit id field, and instead explicitly sets the agent type to awf when none is specified. Previously, users would see:

strict mode: 'sandbox.agent' must specify an explicit 'id' (e.g., id: awf)

Now, sandbox.agent without an id is explicitly defaulted to awf during strict mode validation, making the behavior unambiguous and consistent with non-strict mode (via applySandboxDefaults).

Changes

  • pkg/workflow/strict_mode_sandbox_validation.go: Replaced the rejection check with an explicit agent.Type = SandboxTypeAWF assignment when the agent has no recognised id/type. Removed the unused errors import and updated the doc comment.
  • pkg/workflow/strict_mode_sandbox_validation_test.go: Updated two test cases that previously expected an error (sandbox.agent without id is rejected in strict mode, empty sandbox.agent is rejected in strict mode) to now expect success. Added TestValidateStrictSandboxCustomizationSetsAWFDefault to verify that sandbox.Agent.Type is explicitly set to SandboxTypeAWF after strict mode validation for both a version-only agent and an empty agent config.

Copilot AI and others added 3 commits May 5, 2026 12:58
@pelikhan
chore: prepare for sandbox.agent id defaulting fix
5c6b07f 
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/e8273d71-b787-4a08-9ed6-0803b71440bf

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan
fix: default sandbox.agent id to awf instead of requiring explicit id…
6882fab 
… in strict mode

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/e8273d71-b787-4a08-9ed6-0803b71440bf

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan
fix: capitalize AWF consistently in comments
736cf94 
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/e8273d71-b787-4a08-9ed6-0803b71440bf

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI requested a review from pelikhan May 5, 2026 13:05
@pelikhan
Copy link
Copy Markdown
Collaborator

pelikhan commented May 5, 2026

@copilot Explicitly set the sandbox agent to awf in strict mode if empty

Copy link
Copy Markdown
Contributor Author

Copilot AI commented May 5, 2026
edited
Loading

@copilot Explicitly set the sandbox agent to awf in strict mode if empty

Done in 188e315. validateStrictSandboxCustomization now explicitly sets agent.Type = SandboxTypeAWF when the agent has no id/type in strict mode, and a new test (TestValidateStrictSandboxCustomizationSetsAWFDefault) verifies the type is set after validation.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh gh repo view --json owner,name --jq .owner.login &#43; &#34;/&#34; &#43; .name k/_temp/ghcca-node/node/bin/sh nore (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw --ignore-path ../../../.prettidownload node t-ha�� ithub/workflows/test-logs/run-1 --write on rkflow/js/**/*.jgit --ignore-path erignore bash (http block)
  • https://api.github.com/orgs/test-owner/actions/secrets
    • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq [.object.sha, .object.type] | @tsv /ref/tags/v9 node sv /actions/secretsgit format:pkg-json r: $owner, name:--show-toplevel git rev-�� --show-toplevel /opt/hostedtoolcrev-parse /usr/bin/git -bool -buildtags /opt/hostedtoolc/repos/actions/github-script/git/ref/tags/v9 git (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv 0:00Z origin /usr/bin/git repo214951138/00gh --local e_modules/.bin/n/repos/actions/github-script/git/ref/tags/v9 git rev-�� --show-toplevel l /usr/bin/infocmp b/workflows --local 1/x64/lib/node_m--show-toplevel infocmp (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv ExpressionCompiledOutput29434346--limit (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv --show-toplevel node /usr/bin/git /tmp/TestHashStagit -tests /opt/hostedtoolc--show-toplevel git rev-�� --show-toplevel node /usr/bin/git r-test1978448153git r-test1978448153rev-parse /usr/bin/git git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git f/tags/v6 /bin/sh sv git rev-�� /ref/tags/v9 git sv --show-toplevel bash /usr/bin/gh node (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv ts.result -buildtags &#34;warnings&#34;:[]}] -errorsas -ifaceassert -nilfunc git conf�� runs/20260505-131705-9373/test-1874022736/custom/workflows Test User /opt/hostedtoolcache/node/24.14.1/x64/bin/node (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv run --auto /usr/bin/git --detach (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv --get remote.origin.url /usr/bin/infocmp 01 (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv /repos/actions/setup-node/git/ref/tags/v4 --jq /usr/bin/git user.email l /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-current git /usr/bin/git git (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v9
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv json&#39; --ignore-path ../../../.pr**/*.json (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv re --log-level=e!../../../pkg/workflow/js/**/*.json (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v9.0.0
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9.0.0 --jq [.object.sha, .object.type] | @tsv (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9.0.0 --jq [.object.sha, .object.type] | @tsv github/workflows .go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9.0.0 --jq [.object.sha, .object.type] | @tsv 1 (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv -L current (local changes) /usr/bin/git base (original) -L new (upstream) git rev-�� --show-toplevel /tmp/gh-aw-merge-2604510458/new.md /usr/bin/git prettier --write e/git-upload-pac--show-toplevel git (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv user.email l /usr/bin/git on&#39; --ignore-patgit r tions/node_modul--show-toplevel git bran�� --show-current git /usr/bin/git e-analyzer.md --local x_amd64/link git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv /ref/tags/v9 --jq sv Onlymin-integritgh (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv ithub-script/git/ref/tags/v9 /usr/bin/git bject.type] | @tsv --get-regexp l /usr/bin/git git rev-�� /ref/tags/v9 git sv runs/20260505-13infocmp remote _id&#34;:222}] gh (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv licyTrustedUsersCompiledOutput2975680372/001 (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv /tmp/TestHashConsistency_WithImports1494059452/001/main.md l /usr/bin/git h ../../../.pretgit (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv /tmp/gh-aw-test-runs/20260505-131705-9373/test-654776301 config om/org2/repo2.git remote.origin.urgit git 64/bin/node /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet -ato�� -bool -buildtags /usr/bin/git -errorsas -ifaceassert -nilfunc git (http block)
  • https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv /ref/tags/v9 64/bin/gofmt sv (http block)
  • https://api.github.com/repos/aws-actions/configure-aws-credentials/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/aws-actions/configure-aws-credentials/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git 97768838/001 (http block)
    • Triggering command: /usr/bin/gh gh api /repos/aws-actions/configure-aws-credentials/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git ons-test97846899gh rev-parse ow-with-reaction/repos/actions/github-script/git/ref/tags/v9 git rev-�� /ref/tags/v9 /opt/hostedtoolcache/node/24.14.1/x64/bin/node sv github.token (http block)
  • https://api.github.com/repos/azure/login/git/ref/tags/v2
    • Triggering command: /usr/bin/gh gh api /repos/azure/login/git/ref/tags/v2 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git /ref/tags/v9.0.0git (http block)
  • https://api.github.com/repos/docker/login-action/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/docker/login-action/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv --show-toplevel node /usr/bin/git r-test1978448153git r-test1978448153rev-parse /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git git git /usr/bin/git git (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq [.object.sha, .object.type] | @tsv --show-toplevel node /usr/bin/git ithub/workflows/gh on rkflow/js/**/*.j/repos/actions/github-script/git/ref/tags/v9 git rev-�� --show-toplevel sh /usr/bin/git ithub-script/gitinfocmp (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv --get-regexp ^remote\..*\.gh-resolved$ /usr/bin/gh ant-4083793246/.git (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --limit 100 --created &gt;=2026-04-28 (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --limit 100 --created &gt;=2026-04-05 (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --limit 100 --created &gt;=2026-02-04 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name commit.gpgsign 64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 core.hooksPath cal/bin/bash son (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name gpg.program 64/pkg/tool/linux_amd64/link (http block)
    • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 stmain.go 64/pkg/tool/linux_amd64/link (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/1234567890
    • Triggering command: /usr/bin/gh gh api repos/{owner}/{repo}/actions/runs/1234567890 --jq {databaseId: .id, number: .run_number, url: .html_url, status: .status, conclusion: .conclusion, workflowName: .name, workflowPath: .path, createdAt: .created_at, startedAt: .run_started_at, updatedAt: .updated_at, event: .event, headBranch: .head_branch, (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name gpg.program 64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 gpg.program 64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name commit.gpgsign 64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 core.hooksPath 64/pkg/tool/linux_amd64/vet son (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name commit.gpgsign 64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 core.hooksPath ache/go/1.25.8/x64/bin/bash son (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name commit.gpgsign l_url, status: .status, conclusion: .conclusion, workflowName: .name, workflowPath: .path, creat--show-toplevel (http block)
    • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 core.hooksPath rgo/bin/bash son (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name commit.gpgsign 64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 core.hooksPath p/bin/bash son (http block)
  • https://api.github.com/repos/github/gh-aw/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 r (http block)
  • https://api.github.com/repos/github/gh-aw/contents/.github/workflows/shared/reporting.md
    • Triggering command: /tmp/go-build596453522/b404/cli.test /tmp/go-build596453522/b404/cli.test -test.testlogfile=/tmp/go-build596453522/b404/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv --show-toplevel git (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv iles formatted&#34; (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv 608094260/.github/workflows (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv */*.ts&#39; &#39;**/*.js--detach (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/google-github-actions/auth/git/ref/tags/v2
    • Triggering command: /usr/bin/gh gh api /repos/google-github-actions/auth/git/ref/tags/v2 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git ErrorFormatting1git rev-parse /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git (http block)
  • https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv y_only_defaults_repo637716616/001 (http block)
  • https://api.github.com/repos/nonexistent/repo/actions/runs/12345
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion erignore (http block)
  • https://api.github.com/repos/owner/repo/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo sh (http block)
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo (http block)
    • Triggering command: /usr/bin/gh gh workflow list --repo owner/repo --json name,path,state ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/test-owner/test-repo/actions/secrets
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name h ../../../.prettierignore (http block)
  • https://api.github.com/repos/test/repo
    • Triggering command: /usr/bin/gh gh api /repos/test/repo --jq .default_branch ExpressionCompiledOutput167845560/001 (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title fix: default sandbox.agent id to awf instead of requiring explicit id in strict mode fix: explicitly default sandbox.agent to awf in strict mode when id is not specified May 5, 2026
@pelikhan pelikhan marked this pull request as ready for review May 5, 2026 13:23
Copilot AI review requested due to automatic review settings May 5, 2026 13:23
@pelikhan pelikhan merged commit b925ea1 into main May 5, 2026
4 checks passed
@pelikhan pelikhan deleted the copilot/update-strict-mode-default-id branch May 5, 2026 13:28
Copilot AI reviewed May 5, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates strict-mode handling for sandbox.agent so agent objects without an explicit id are defaulted to AWF instead of being rejected, and refreshes one generated workflow lockfile.

Changes:

  • Changed strict sandbox customization validation to set sandbox.agent.Type = awf when agent config has no recognized type/id.
  • Updated strict-mode sandbox tests to expect success for bare/empty sandbox.agent objects and added assertions for AWF defaulting.
  • Regenerated stale-pr-cleanup.lock.yml, including an AWF version bump from v0.25.38 to v0.25.39.
Show a summary per file
File Description
pkg/workflow/strict_mode_sandbox_validation.go Alters strict-mode sandbox validation behavior for agent configs without explicit type/id.
pkg/workflow/strict_mode_sandbox_validation_test.go Updates expectations and adds coverage for AWF defaulting in strict mode.
.github/workflows/stale-pr-cleanup.lock.yml Regenerates the locked workflow and bumps embedded AWF references to v0.25.39.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comments suppressed due to low confidence (1)

pkg/workflow/strict_mode_sandbox_validation.go:48

  • This now defaults any unsupported agent value, not just the "missing id/type" case described in the PR. Because schema validation is skipped by default and getAgentType() keeps preferring agent.ID, a typo like sandbox.agent.id: awff will pass strict-mode validation here but still be treated as unsupported later, leaving the workflow unsandboxed instead of failing fast. Strict mode should only default when both id and type are absent, and continue rejecting explicit unknown values.
		if !agent.Disabled && !isSupportedSandboxType(getAgentType(agent)) {
			strictModeValidationLog.Printf("sandbox.agent has no id/type in strict mode, defaulting to awf")
			agent.Type = SandboxTypeAWF
  • Files reviewed: 3/3 changed files
  • Comments generated: 3

Comment thread pkg/workflow/strict_mode_sandbox_validation.go
//
// Additionally, a sandbox.agent object without an explicit 'id' field is rejected in
// strict mode: users must be unambiguous about which sandbox they are enabling.
// A sandbox.agent object without an explicit 'id' is explicitly set to AWF in strict mode.
Comment thread .github/workflows/stale-pr-cleanup.lock.yml
@@ -1,5 +1,5 @@
# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"07e071eb8a3e78f3eecb8071e562e1f8291f76cb7a7610e5e007f8d4d12f0a43","strict":true,"agent_id":"copilot"}
# gh-aw-manifest: {"version":1,"secrets":["GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.38"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.38"},{"image":"ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.38"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.38"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.6"},{"image":"ghcr.io/github/github-mcp-server:v1.0.3","digest":"sha256:2ac27ef03461ef2b877031b838a7d1fd7f12b12d4ace7796d8cad91446d55959","pinned_image":"ghcr.io/github/github-mcp-server:v1.0.3@sha256:2ac27ef03461ef2b877031b838a7d1fd7f12b12d4ace7796d8cad91446d55959"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]}
# gh-aw-manifest: {"version":1,"secrets":["GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.39"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.39"},{"image":"ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.39"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.39"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.6"},{"image":"ghcr.io/github/github-mcp-server:v1.0.3","digest":"sha256:2ac27ef03461ef2b877031b838a7d1fd7f12b12d4ace7796d8cad91446d55959","pinned_image":"ghcr.io/github/github-mcp-server:v1.0.3@sha256:2ac27ef03461ef2b877031b838a7d1fd7f12b12d4ace7796d8cad91446d55959"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]}
Comment thread pkg/workflow/strict_mode_sandbox_validation_test.go
Comment on lines +215 to +243
// TestValidateStrictSandboxCustomizationSetsAWFDefault verifies that in strict mode
// a sandbox.agent with no id/type is explicitly set to AWF.
func TestValidateStrictSandboxCustomizationSetsAWFDefault(t *testing.T) {
tests := []struct {
name string
agent *AgentSandboxConfig
}{
{
name: "version-only agent gets AWF type",
agent: &AgentSandboxConfig{Version: "v0.25.29"},
},
{
name: "empty agent gets AWF type",
agent: &AgentSandboxConfig{},
},
}

for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
compiler := NewCompiler()
compiler.strictMode = true

sandbox := &SandboxConfig{Agent: tt.agent}
err := compiler.validateStrictSandboxCustomization(sandbox)
if err != nil {
t.Errorf("Expected validation to succeed but it failed: %v", err)
}
if sandbox.Agent.Type != SandboxTypeAWF {
t.Errorf("Expected sandbox.agent.Type to be %q after strict mode validation, got %q", SandboxTypeAWF, sandbox.Agent.Type)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@pelikhan pelikhan Awaiting requested review from pelikhan

Assignees

@pelikhan pelikhan

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@pelikhan