Bump AWF to v0.25.44 and add firewall.effective-token-steering compiler support #31796
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
firewall.effective-token-steering compiler support
@copilot enable feature flag on 30% of agentic workflows
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@copilot enable this feature on 50% of daily agentic workflows
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@copilot merge main and recompile
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Pull request overview
Updates gh-aw’s AWF integration to v0.25.44 and adds compiler/frontmatter support for firewall.effective-token-steering, emitting it into generated AWF config as apiProxy.enableTokenSteering with version gating.
Changes:
- Bump default AWF version to `v0.25.44` and refresh generated lock + golden artifacts to match.
- Add `firewall.effective-token-steering` parsing/schema support and propagate to AWF config as `apiProxy.enableTokenSteering` (gated to AWF >= `v0.25.44`).
- Add unit tests for extraction, orchestration preservation, version gating, and schema validation.
Show a summary per file
| File | Description |
|---|---|
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden | Updates golden output to AWF v0.25.44 pins/metadata. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden | Updates golden output to AWF v0.25.44 pins/metadata. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden | Updates golden output to AWF v0.25.44 pins/metadata. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden | Updates golden output to AWF v0.25.44 pins/metadata. |
| pkg/workflow/schemas/awf-config.schema.json | Adds schema support for apiProxy.enableTokenSteering. |
| pkg/workflow/engine.go | Parses firewall.effective-token-steering into EngineConfig. |
| pkg/workflow/engine_config_test.go | Adds tests validating extraction of token steering config. |
| pkg/workflow/compiler_orchestrator_engine.go | Preserves token steering across string-engine import expansion. |
| pkg/workflow/compiler_orchestrator_engine_test.go | Adds regression test ensuring preservation of token steering. |
| pkg/workflow/awf_helpers.go | Adds AWF version gate helper for token steering support. |
| pkg/workflow/awf_helpers_test.go | Adds tests for token steering version gating behavior. |
| pkg/workflow/awf_config.go | Emits apiProxy.enableTokenSteering with AWF min-version gating. |
| pkg/workflow/awf_config_test.go | Adds tests for emission/omission of enableTokenSteering. |
| pkg/parser/schemas/main_workflow_schema.json | Extends frontmatter schema to allow firewall.effective-token-steering. |
| pkg/parser/schema_test.go | Adds schema validation tests for the new firewall frontmatter field. |
| pkg/constants/version_constants.go | Bumps default firewall version and adds AWFTokenSteeringMinVersion. |
| pkg/constants/spec_test.go | Adds spec assertion for AWFTokenSteeringMinVersion. |
| .github/workflows/test-workflow.lock.yml | Refreshes locked workflow to AWF 0.25.44 images/version. |
| .github/workflows/smoke-opencode.lock.yml | Refreshes locked workflow to AWF 0.25.44 images/version. |
| .github/workflows/smoke-ci.lock.yml | Refreshes locked workflow to AWF 0.25.44 images/version. |
| .github/workflows/release.lock.yml | Refreshes locked workflow to AWF 0.25.44 images/version. |
| .github/workflows/hippo-embed.lock.yml | Refreshes locked workflow to AWF 0.25.44 images/version. |
| .github/workflows/gpclean.lock.yml | Refreshes locked workflow to AWF 0.25.44 images/version. |
| .github/workflows/github-remote-mcp-auth-test.lock.yml | Refreshes locked workflow to AWF 0.25.44 images/version. |
| .github/workflows/firewall.lock.yml | Refreshes locked workflow to AWF 0.25.44 images/version. |
| .github/workflows/example-permissions-warning.lock.yml | Refreshes locked workflow to AWF 0.25.44 images/version. |
| .github/workflows/bot-detection.lock.yml | Refreshes locked workflow to AWF 0.25.44 images/version. |
| .github/workflows/copilot-token-optimizer.lock.yml | Refreshes locked workflow to AWF 0.25.44 images/version (incl. cli-proxy). |
| .github/workflows/codex-github-remote-mcp-test.lock.yml | Refreshes locked workflow to AWF 0.25.44 images/version. |
| .github/workflows/code-simplifier.lock.yml | Refreshes locked workflow to AWF 0.25.44 images/version. |
| .github/workflows/changeset.lock.yml | Refreshes locked workflow to AWF 0.25.44 images/version. |
| .github/workflows/ai-moderator.lock.yml | Refreshes locked workflow to AWF 0.25.44 images/version. |
| .github/workflows/agentic_commands.yml | Updates generated centralized commands metadata (compiler version field). |
| .github/workflows/daily-mcp-concurrency-analysis.md | Enables firewall.effective-token-steering in workflow frontmatter. |
| .github/workflows/daily-malicious-code-scan.md | Enables firewall.effective-token-steering in workflow frontmatter. |
| .github/workflows/daily-issues-report.md | Enables firewall.effective-token-steering in workflow frontmatter. |
| .github/workflows/daily-hippo-learn.md | Enables firewall.effective-token-steering in workflow frontmatter. |
| .github/workflows/daily-grafana-otel-instrumentation-advisor.md | Enables firewall.effective-token-steering in workflow frontmatter. |
| .github/workflows/daily-geo-optimizer.md | Enables firewall.effective-token-steering in workflow frontmatter. |
| .github/workflows/daily-function-namer.md | Enables firewall.effective-token-steering in workflow frontmatter. |
| .github/workflows/daily-firewall-report.md | Enables firewall.effective-token-steering in workflow frontmatter. |
| .github/workflows/daily-file-diet.md | Enables firewall.effective-token-steering in workflow frontmatter. |
| .github/workflows/daily-fact.md | Enables firewall.effective-token-steering in workflow frontmatter. |
| .github/workflows/daily-experiment-report.md | Enables firewall.effective-token-steering in workflow frontmatter. |
| .github/workflows/daily-doc-updater.md | Enables firewall.effective-token-steering in workflow frontmatter. |
| .github/workflows/daily-doc-healer.md | Enables firewall.effective-token-steering in workflow frontmatter. |
| .github/workflows/daily-compiler-threat-spec-optimizer.md | Enables firewall.effective-token-steering in workflow frontmatter. |
| .github/workflows/daily-compiler-quality.md | Enables firewall.effective-token-steering in workflow frontmatter. |
| .github/workflows/daily-community-attribution.md | Enables firewall.effective-token-steering in workflow frontmatter. |
| .github/workflows/daily-code-metrics.md | Enables firewall.effective-token-steering in workflow frontmatter. |
| .github/workflows/daily-cli-tools-tester.md | Enables firewall.effective-token-steering in workflow frontmatter. |
| .github/workflows/daily-cli-performance.md | Enables firewall.effective-token-steering in workflow frontmatter. |
| .github/workflows/daily-choice-test.md | Enables firewall.effective-token-steering in workflow frontmatter. |
| .github/workflows/daily-caveman-optimizer.md | Enables firewall.effective-token-steering in workflow frontmatter. |
| .github/workflows/daily-cache-strategy-analyzer.md | Enables firewall.effective-token-steering in workflow frontmatter. |
| .github/workflows/daily-aw-cross-repo-compile-check.md | Enables firewall.effective-token-steering in workflow frontmatter. |
| .github/workflows/daily-astrostylelite-markdown-spellcheck.md | Enables firewall.effective-token-steering in workflow frontmatter. |
| .github/workflows/daily-assign-issue-to-user.md | Enables firewall.effective-token-steering in workflow frontmatter. |
| .github/workflows/daily-architecture-diagram.md | Enables firewall.effective-token-steering in workflow frontmatter. |
| .github/workflows/daily-agentrx-trace-optimizer.md | Enables firewall.effective-token-steering in workflow frontmatter. |
| .github/workflows/cloclo.md | Enables firewall.effective-token-steering in workflow frontmatter. |
| .github/workflows/brave.md | Enables firewall.effective-token-steering in workflow frontmatter. |
| .github/workflows/archie.md | Enables firewall.effective-token-steering in workflow frontmatter. |
| .github/workflows/approach-validator.md | Enables firewall.effective-token-steering in workflow frontmatter. |
| .github/workflows/ace-editor.md | Enables firewall.effective-token-steering in workflow frontmatter. |
| .changeset/patch-bump-awf-v0-25-44.md | Adds changeset documenting the AWF bump and token steering support. |
Copilot's findings
- Files reviewed: 80/274 changed files
- Comments generated: 0
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@copilot merge main and recompile
…wall-to-v02544
```text
# Conflicts:
#	.github/workflows/agentic_commands.yml
#	.github/workflows/api-consumption-report.lock.yml
#	.github/workflows/audit-workflows.lock.yml
#	.github/workflows/changeset.lock.yml
#	.github/workflows/cli-version-checker.lock.yml
#	.github/workflows/cloclo.lock.yml
#	.github/workflows/copilot-opt.lock.yml
#	.github/workflows/daily-issues-report.lock.yml
#	.github/workflows/daily-news.lock.yml
#	.github/workflows/daily-security-red-team.lock.yml
#	.github/workflows/deep-report.lock.yml
#	.github/workflows/discussion-task-miner.lock.yml
#	.github/workflows/glossary-maintainer.lock.yml
#	.github/workflows/issue-arborist.lock.yml
#	.github/workflows/org-health-report.lock.yml
#	.github/workflows/prompt-clustering-analysis.lock.yml
#	.github/workflows/safe-output-health.lock.yml
#	.github/workflows/scout.lock.yml
#	.github/workflows/stale-repo-identifier.lock.yml
#	.github/workflows/technical-doc-writer.lock.yml
```
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
🚀 Smoke Pi MISSION COMPLETE! Pi delivered. 🥧
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨
🌑 The shadows whisper... Smoke Codex failed to deliver outputs. The oracle requires further meditation...
🚀 Smoke Gemini MISSION COMPLETE! Gemini has spoken. ✨
Caution
Security scanning requires review for Smoke Gemini
Details
The threat detection results could not be parsed. The workflow output should be reviewed before merging. Review the workflow run logs for details.
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...
Agent Container Tool Check
Result: 12/12 tools available ✅ Overall Status: PASS
Caution
Security scanning requires review for Smoke Gemini
Details
The threat detection results could not be parsed. The workflow output should be reviewed before merging. Review the workflow run logs for details.
Smoke Test: Gemini - 25768552824
Overall status: FAIL
Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
```yaml
network:
  allowed:
    - defaults
    - "localhost"
```
See Network Configuration for more information.
Smoke Test Codex 25768552833: FAIL
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
```yaml
network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"
```
See Network Configuration for more information.
Smoke Test: Claude — Run 25768552851
Overall: Core #1–#12: all ✅ Skipped: resolve thread (none unresolved at resolve-time) · close PR (no safe test PR).
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
```yaml
network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"
```
See Network Configuration for more information.
💥 Automated smoke test review - all systems nominal!
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
- accounts.google.com
- android.clients.google.com
- clients2.google.com
- contentautofill.googleapis.com
- safebrowsingohttpgateway.googleapis.com
- www.google.com
To allow these domains, add them to the `network.allowed` list in your workflow frontmatter:
```yaml
network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"
```
See Network Configuration for more information.
💥 [THE END] — Illustrated by Smoke Claude · ● 5.4M
| "gh-aw": patch | ||
| --- | ||
|
|
||
| Bump default `gh-aw-firewall` to `v0.25.44` and add compiler/frontmatter support for `firewall.effective-token-steering` mapped to AWF `apiProxy.enableTokenSteering`. |
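Review bot: the changeset description on the last line names the mapping to `apiProxy.enableTokenSteering` but not the version gate. Emission is omitted for pinned AWF versions older than `v0.25.44`, so add a clause saying so; otherwise a user who sets `firewall.effective-token-steering: true` on an older pin gets no hint why the key never appears in the generated config.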
Nit: consider linking to the AWF release notes for v0.25.44 so readers can see what changed upstream.
| @@ -0,0 +1,5 @@ | |||
| --- | |||
Confirm the changeset bump-type (patch) is correct since this exposes a new compiler frontmatter key.
🤖 The smoke test agent stopped by to say hello! This automated comment is brought to you by Copilot smoke testing — here to verify all the agentic workflows are humming along nicely. 👋 Everything looks great from where I stand!
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
```yaml
network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"
```
See Network Configuration for more information.
Smoke Test Results for PR #31796
Overall: Author:
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
```yaml
network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"
```
See Network Configuration for more information.
Smoke test review: AWF bump to v0.25.44 looks clean — compiler version updated, all lock files recompiled with matching container image versions. LGTM!
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
- accounts.google.com
- android.clients.google.com
- clients2.google.com
- contentautofill.googleapis.com
- safebrowsingohttpgateway.googleapis.com
- www.google.com
To allow these domains, add them to the `network.allowed` list in your workflow frontmatter:
```yaml
network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"
```
See Network Configuration for more information.
📰 BREAKING: Report filed by Smoke Copilot · ● 21.5M
| @@ -1,4 +1,4 @@ | |||
| # gh-aw-commands: {"payload_version":"v1","schema_version":"v1","compiler_version":"796aca5","commands":["ace","approach-validator","archie","brave","cloclo","craft","grumpy","mergefest","nit","plan","poem-bot","review","security-review","summarize","tidy","unbloat"],"workflows":["ace-editor","approach-validator","archie","brave","cloclo","craft","grumpy-reviewer","mergefest","pdf-summary","plan","poem-bot","pr-code-quality-reviewer","pr-nitpick-reviewer","security-review","tidy","unbloat-docs"]} | |||
| # gh-aw-commands: {"payload_version":"v1","schema_version":"v1","compiler_version":"26ba207","commands":["ace","approach-validator","archie","brave","cloclo","craft","grumpy","mergefest","nit","plan","poem-bot","review","security-review","summarize","tidy","unbloat"],"workflows":["ace-editor","approach-validator","archie","brave","cloclo","craft","grumpy-reviewer","mergefest","pdf-summary","plan","poem-bot","pr-code-quality-reviewer","pr-nitpick-reviewer","security-review","tidy","unbloat-docs"]} | |||
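Review bot: `compiler_version` in the `gh-aw-commands` header is the only field that differs between the two lines (`796aca5` and `26ba207`); the `commands` and `workflows` arrays are identical. This file is in the merge's conflict list, so confirm the header was produced by recompiling after the merge rather than by resolving the conflict by hand.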
🔍 Smoke test review: compiler_version updated from 17b58a0 to 26ba207 — looks correct for AWF v0.25.44 bump.
| @@ -1,5 +1,5 @@ | |||
| # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"cb0295dc75812c5592ebb592222783ff4bfba5b764686561a2a0e11325d510bc","strict":true,"agent_id":"claude"} | |||
✅ Lock file updated: gh-aw-firewall container bumped to v0.25.44 across all service images (agent, api-proxy, squid). The frontmatter hash also updated, confirming a clean recompile.
📰 DEVELOPING STORY: Smoke Copilot reports failed to deliver outputs. Our correspondents are investigating the incident...
…rtifact-compat feature flag
Add reference documentation for three user-facing surfaces merged in the last 24h that had no prior documentation:
- firewall.effective-token-steering (#31796): budget-warning system message injection via AWF v0.25.44+
- concurrency.queue and features.group-concurrency-queue (#31764): queue:max behavior and opt-out for compiler-generated groups
- features.ghes-artifact-compat (#31664): per-workflow GHES artifact compatibility opt-in via frontmatter or GH_AW_FEATURES env var
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This updates gh-aw’s AWF integration from `v0.25.43` to `v0.25.44` and wires the new token-steering surface into compiler output. Per issue guidance, `--max-model-multiplier` follow-up work is intentionally excluded from this PR.
- `v0.25.44`.
- `0.25.44` images and AWF install version consistently.
- `firewall.effective-token-steering: true`
- `apiProxy.enableTokenSteering: true`
- `AWFTokenSteeringMinVersion = v0.25.44` and gated emission of `enableTokenSteering` for older pinned AWF versions.
- `apiProxy.enableTokenSteering`.
- `firewall.effective-token-steering`.
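
The version gate this PR describes (emit `apiProxy.enableTokenSteering` only when the pinned AWF is at least `v0.25.44`), sketched as an added example that is not the PR's own code. Only the `AWFTokenSteeringMinVersion` value and the config key come from the page; the function names, treating an empty pin as the default AWF version, and omitting the flag for unparseable pins are assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

const AWFTokenSteeringMinVersion = "v0.25.44" // value from the PR; other names are hypothetical

// parseVersion accepts "v0.25.44" or "0.25.44"; anything else is rejected.
func parseVersion(s string) (v [3]int, ok bool) {
	parts := strings.Split(strings.TrimPrefix(strings.TrimSpace(s), "v"), ".")
	if len(parts) != 3 {
		return v, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, false
		}
		v[i] = n
	}
	return v, true
}

// Numeric compare (v0.9.0 < v0.25.44). Assumed: empty pin = default, bad pin = omit.
func supportsTokenSteering(pinned string) bool {
	if pinned == "" {
		return true
	}
	got, ok := parseVersion(pinned)
	floor, _ := parseVersion(AWFTokenSteeringMinVersion)
	for i := 0; ok && i < 3; i++ {
		if got[i] != floor[i] {
			return got[i] > floor[i]
		}
	}
	return ok
}

// buildAPIProxy emits enableTokenSteering only when requested and supported.
func buildAPIProxy(steering bool, pinned string) map[string]any {
	cfg := map[string]any{}
	if steering && supportsTokenSteering(pinned) {
		cfg["enableTokenSteering"] = true
	}
	return cfg
}

func main() {
	for _, pin := range []string{"", "v0.25.44", "v0.25.43", "v0.9.0", "latest"} {
		fmt.Printf("%-10q %v\n", pin, buildAPIProxy(true, pin))
	}
}
```

A plain string comparison would rank `v0.9.0` above `v0.25.44` and emit the key for an AWF that predates it, which is why the components are compared as integers.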