chore: bump AWF firewall to v0.25.53 #34321
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
|
@copilot merge main |
Pull request overview
Bumps the default gh-aw firewall (AWF) version from v0.25.52 to v0.25.53, regenerating compiled workflow artifacts (lock files + wasm golden outputs) and updating the embedded container pin expectations to match the rebuilt pins.
Changes:
- Update DefaultFirewallVersion to v0.25.53.
- Refresh workflow lock files / wasm golden fixtures to reflect the new AWF version and rebuilt artifacts.
- Update TestApplyContainerPins expected node:lts-alpine digest to the newly embedded pin.
| File | Description |
|---|---|
| pkg/constants/version_constants.go | Bumps the default AWF/firewall version constant to v0.25.53. |
| pkg/workflow/docker_pin_test.go | Updates expected embedded node:lts-alpine digest pin used by container pinning logic. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden | Updates wasm golden output to reflect AWF v0.25.53 and regenerated workflow output. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden | Updates wasm golden output to reflect AWF v0.25.53 and regenerated workflow output. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden | Updates wasm golden output to reflect AWF v0.25.53 and regenerated workflow output. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden | Updates wasm golden output to reflect AWF v0.25.53 and regenerated workflow output (including MCP image references). |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/claude.golden | Updates all-engines wasm golden output for AWF v0.25.53. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden | Updates all-engines wasm golden output for AWF v0.25.53. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden | Updates all-engines wasm golden output for AWF v0.25.53. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/gemini.golden | Updates all-engines wasm golden output for AWF v0.25.53. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/pi.golden | Updates all-engines wasm golden output for AWF v0.25.53. |
| .github/workflows/ace-editor.lock.yml | Regenerates lock workflow with AWF v0.25.53 container images and updated manifest header. |
| .github/workflows/bot-detection.lock.yml | Regenerates lock workflow with AWF v0.25.53 container images and updated manifest header. |
| .github/workflows/codex-github-remote-mcp-test.lock.yml | Regenerates lock workflow with AWF v0.25.53 container images and updated manifest header. |
| .github/workflows/daily-malicious-code-scan.lock.yml | Regenerates lock workflow with AWF v0.25.53 container images and updated manifest header. |
| .github/workflows/dev.lock.yml | Regenerates lock workflow with AWF v0.25.53 container images and updated manifest header. |
| .github/workflows/example-permissions-warning.lock.yml | Regenerates lock workflow with AWF v0.25.53 container images and updated manifest header. |
| .github/workflows/firewall.lock.yml | Regenerates lock workflow with AWF v0.25.53 container images and updated manifest header. |
| .github/workflows/smoke-crush.lock.yml | Regenerates lock workflow with AWF v0.25.53 container images and updated manifest header. |
| .github/workflows/smoke-opencode.lock.yml | Regenerates lock workflow with AWF v0.25.53 container images and updated manifest header. |
| .github/workflows/test-workflow.lock.yml | Regenerates lock workflow with AWF v0.25.53 container images and updated manifest header. |
Copilot's findings
- Files reviewed: 49/245 changed files
- Comments generated: 1
| @@ -365,7 +365,7 @@ jobs: | |||
| GH_AW_SUB_AGENT_EXT: ".agent.md" | |||
| run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" | |||
| - name: Download container images | |||
| run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.52 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.52 ghcr.io/github/gh-aw-firewall/squid:0.25.52 ghcr.io/github/gh-aw-mcpg:v0.3.18 ghcr.io/github/github-mcp-server:v1.0.5 | |||
| run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.53 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.53 ghcr.io/github/gh-aw-firewall/squid:0.25.53 ghcr.io/github/gh-aw-mcpg:v0.3.18 ghcr.io/github/github-mcp-server:v1.0.4 | |||
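Review bot: The github-mcp-server image on the new download_docker_images.sh line goes from v1.0.5 to v1.0.4, which is a downgrade unrelated to the 0.25.52 to 0.25.53 firewall bump this PR is scoped to. If it is not intended, recompile on top of current main so the line keeps v1.0.5; if it is intended, say so in the PR description. All five images on this line are also referenced by tag only, so the step pulls whatever the tag currently points at; where a digest pin exists for an image, pass the tag@sha256 form here as well.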
…wall-version # Conflicts: # pkg/workflow/testdata/TestWasmGolden_AllEngines/claude.golden # pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden # pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden # pkg/workflow/testdata/TestWasmGolden_AllEngines/gemini.golden # pkg/workflow/testdata/TestWasmGolden_AllEngines/pi.golden # pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden # pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden # pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden # pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
|
@copilot merge main and recompile Fix https://github.com/github/gh-aw/actions/runs/26347190296/job/77558972284#step:4:1 |
|
🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation... |
|
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing... |
|
🚀 Smoke Gemini MISSION COMPLETE! Gemini has spoken. ✨ Caution agentic threat detected Testing safeoutputs CLI |
|
🚀 Smoke Pi MISSION COMPLETE! Pi delivered. 🥧 |
|
💫 TO BE CONTINUED... Smoke Claude failed! Our hero faces unexpected challenges... |
|
🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation... |
|
🚀 Smoke Pi MISSION COMPLETE! Pi delivered. 🥧 |
|
@copilot fix tests https://github.com/github/gh-aw/actions/runs/26348454723/job/77562429415 update wasm golden |
|
📰 DEVELOPING STORY: Smoke Copilot reports failed. Our correspondents are investigating the incident... |
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Fixed in 8563eb8 — regenerated wasm golden files to remove |
|
@copilot make sure the makefile configures the job to install go 1.26 (see https://github.com/github/gh-aw/actions/runs/26348469024/job/77562465505 ) |
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Fixed in 8d44cdb — updated |
|
🚀 Smoke Gemini MISSION COMPLETE! Gemini has spoken. ✨ Caution agentic threat detected |
|
🚀 Smoke Pi MISSION COMPLETE! Pi delivered. 🥧 |
|
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing... |
|
🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation... |
|
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨ |
|
📰 DEVELOPING STORY: Smoke Copilot reports failed. Our correspondents are investigating the incident... |
|
Caution agentic threat detected
Smoke Test Results
- GitHub MCP: ✅
- Web Fetch: ✅
- File Write: ✅
- Bash Tool: ✅
- Build gh-aw: ❌

Overall status: FAIL
Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
network:
  allowed:
    - defaults
    - "localhost"
See Network Configuration for more information.
|
💥 Smoke Test Claude — Run 26349624985
Core (#1-13): ✅✅✅✅✅✅✅✅✅✅✅✅✅
Overall: ✅ PASS
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"
See Network Configuration for more information.
|
💥 Automated smoke test review - all systems nominal!
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
- accounts.google.com
- android.clients.google.com
- clients2.google.com
- contentautofill.googleapis.com
- safebrowsingohttpgateway.googleapis.com
- www.google.com
To allow these domains, add them to the network.allowed list in your workflow frontmatter:
network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"
See Network Configuration for more information.
💥 [THE END] — Illustrated by Smoke Claude · ● opu47 6.5M
| @@ -1,5 +1,5 @@ | |||
| # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"36cdbbbe4882806612f8dad2f77146ac361dff5ec231ef9eba66ffb8e0d02ca1","strict":true,"agent_id":"copilot"} | |||
| # gh-aw-manifest: {"version":1,"secrets":["GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_GRAFANA_AUTHORIZATION","GH_AW_OTEL_GRAFANA_ENDPOINT","GH_AW_OTEL_SENTRY_AUTHORIZATION","GH_AW_OTEL_SENTRY_ENDPOINT","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"27d5ce7f107fe9357f9df03efb73ab90386fccae","version":"v5.0.5"},{"repo":"actions/cache/save","sha":"27d5ce7f107fe9357f9df03efb73ab90386fccae","version":"v5.0.5"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.52"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.52"},{"image":"ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.52"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.52"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.18"},{"image":"ghcr.io/github/github-mcp-server:v1.0.4","digest":"sha256:e3816a476a977cfb836e7d221510011436c654d11861db66ecfd826601aba6a4","pinned_image":"ghcr.io/github/github-mcp-server:v1.0.4@sha256:e3816a476a977cfb836e7d221510011436c654d11861db66ecfd826601aba6a4"},{"image":"node:lts-alpine","digest":"sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14","pinned_image":"node:lts-alpine@sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14"}]} | |||
| # gh-aw-manifest: {"version":1,"secrets":["GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_GRAFANA_AUTHORIZATION","GH_AW_OTEL_GRAFANA_ENDPOINT","GH_AW_OTEL_SENTRY_AUTHORIZATION","GH_AW_OTEL_SENTRY_ENDPOINT","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"27d5ce7f107fe9357f9df03efb73ab90386fccae","version":"v5.0.5"},{"repo":"actions/cache/save","sha":"27d5ce7f107fe9357f9df03efb73ab90386fccae","version":"v5.0.5"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.53"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.53"},{"image":"ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.53"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.53"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.18"},{"image":"ghcr.io/github/github-mcp-server:v1.0.4","digest":"sha256:e3816a476a977cfb836e7d221510011436c654d11861db66ecfd826601aba6a4","pinned_image":"ghcr.io/github/github-mcp-server:v1.0.4@sha256:e3816a476a977cfb836e7d221510011436c654d11861db66ecfd826601aba6a4"},{"image":"node:lts-alpine","digest":"sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14","pinned_image":"node:lts-alpine@sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14"}]} | |||
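Review bot: In the containers array of the gh-aw-manifest header, the four gh-aw-firewall entries (agent, api-proxy, cli-proxy, squid) move to 0.25.53 as bare tags with no digest or pinned_image field, and gh-aw-mcpg:v0.3.18 is tag-only as well, while github-mcp-server and node:lts-alpine in the same array carry both fields. If the recompile is expected to resolve pins for every container, the firewall entries should gain digest and pinned_image values in this bump; if they are deliberately exempt, record the reason next to the pinning logic so the gap is not mistaken for a missed regeneration.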
Smoke-test review: the AWF firewall version bump to v0.25.53 is reflected here in the container image tags. ✅
| @@ -1,5 +1,5 @@ | |||
| # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"36cdbbbe4882806612f8dad2f77146ac361dff5ec231ef9eba66ffb8e0d02ca1","strict":true,"agent_id":"copilot"} | |||
Smoke-test review: metadata header looks well-formed. Consider verifying the frontmatter hash matches a fresh recompile output.
Bumps DefaultFirewallVersion from v0.25.52 → v0.25.53. This release contains internal refactoring, a claude-token-optimizer bug fix, and Anthropic API retry logic — no new CLI flags or schema changes, so no AWF*MinVersion updates are needed.
Changes
- pkg/constants/version_constants.go — bump DefaultFirewallVersion to v0.25.53
- make build && make recompile && make recompile to refresh lock files and container SHA pins
- pkg/workflow/docker_pin_test.go — updated hardcoded node:lts-alpine digest to match the new embedded pin resolved during recompile
- pkg/workflow/testdata/wasm_golden/ — regenerated golden files via -update
✨ PR Review Safe Output Test - Run 26349624985
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
- accounts.google.com
- android.clients.google.com
- clients2.google.com
- contentautofill.googleapis.com
- safebrowsingohttpgateway.googleapis.com
- www.google.com
See Network Configuration for more information.