Bump mcpg (DIFC proxy) to v0.3.8

[Copilot]

Bumps the MCP Gateway (gh-aw-mcpg) container image from v0.3.6 to v0.3.8, picking up the dead_code compiler fix for ORDER_HIGH_TO_LOW.

Changes

• pkg/constants/version_constants.go: DefaultMCPGatewayVersion v0.3.6 → v0.3.8
• 227 .lock.yml files: Regenerated via double make recompile to update container image tags and refresh pinned SHA digests

---

Changeset

• Type: patch
• Description: Bump the MCP gateway image to v0.3.8 so compiled workflows use the updated gh-aw-mcpg container.

Generated by Changeset Generator for issue #32128 · ◷

[pelikhan]

@copilot resolve container sha and recompile

[Copilot]

@copilot resolve container sha and recompile

Done. Resolved ghcr.io/github/gh-aw-mcpg:v0.3.8 → sha256:71e102af76e1ce10b455d2a2ef5717d9cc4c135a5db06fbadcb58e6c1a950cd4, added the pin to actions-lock.json, and recompiled all 227 lock files to embed the pinned digest. Committed in da7bbfc.

[pelikhan]

@copilot merge main and recompile

[Copilot]

Pull request overview

Bumps the default MCP Gateway container from v0.3.6 to v0.3.8 and regenerates workflow lockfiles to use the new pinned image digest.

Changes:

• Updates DefaultMCPGatewayVersion to v0.3.8.
• Refreshes lockfile manifests, image predownload commands, and MCP gateway runtime image tags/digests.

Show a summary per file

File	Description
pkg/constants/version_constants.go	Updates the default MCP Gateway version.
.github/workflows/*.lock.yml	Regenerated workflow lockfiles to reference gh-aw-mcpg:v0.3.8 with the refreshed SHA digest.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 102/231 changed files
• Comments generated: 0

[Copilot]

@copilot merge main and recompile

Done. Merged main (AWF firewall v0.25.46) and recompiled all 227 lock files — they now carry both gh-aw-firewall:0.25.46 and gh-aw-mcpg:v0.3.8@sha256:71e102af76e1ce10b455d2a2ef5717d9cc4c135a5db06fbadcb58e6c1a950cd4.

[github-actions]

✅ Smoke OTEL — OTEL telemetry verified

[github-actions]

⚠️ Security scanning failed for Smoke OTEL Backends. Review the logs for details.

[github-actions]

⚠️ Security scanning failed for Smoke Claude. Review the logs for details.

[github-actions]

⚠️ Security scanning failed for Smoke Gemini. Review the logs for details.

[github-actions]

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

[github-actions]

🚀 Smoke Pi MISSION COMPLETE! Pi delivered. 🥧

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

Commit pushed: 17c4b5c

Generated by Changeset Generator

[github-actions]

Agent Container Tool Check

Tool	Status	Version
bash	✅	5.2.21
sh	✅	available
git	✅	2.53.0
jq	✅	1.7
yq	✅	4.52.5
curl	✅	8.5.0
gh	✅	2.89.0
node	✅	22.22.2
python3	✅	3.10.16 (PyPy 7.3.19)
go	✅	1.24.13
java	✅	10.0.201
dotnet	❌	not found

Result: 11/12 tools available ⚠️ FAIL — dotnet is missing

🔧 Tool validation by Agent Container Smoke Test · ● 1.2M · ◷

[github-actions]

PRs: #32136 Add missing pkg/linters package spec and complete pkg/cli dependency list; #32114 fix: insert -- end-of-options separator before prompt to prevent ENAMETOOLONG
Tests 1-5: ✅ GitHub MCP, ✅ Serena, ✅ Playwright, ❌ Web Fetch MCP, ✅ file write
Tests 6-10: ✅ bash verify, ✅ build, ✅ comment memory, ✅ cache memory, ✅ issue field
Overall status: FAIL

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

• accounts.google.com
• android.clients.google.com
• clients2.google.com
• contentautofill.googleapis.com
• safebrowsingohttpgateway.googleapis.com
• www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex · ◷

[github-actions]

Comment Memory

Steel sky after tests
Quiet logs hold passing light
Dawn signs the build green

Note

This comment is managed by comment memory.

It stores persistent context for this thread in the code block at the top of this comment.
Edit only the text inside the backtick fences; workflow metadata and the footer are regenerated automatically.

Learn more about comment memory

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

• accounts.google.com
• android.clients.google.com
• clients2.google.com
• contentautofill.googleapis.com
• safebrowsingohttpgateway.googleapis.com
• www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex · ◷

[github-actions]

⚠️ Security scanning failed for Smoke Copilot. Review the logs for details.