chore: bump Claude Code → 2.1.160, Copilot CLI → 1.0.57, Codex → 0.136.0, GitHub MCP Server → v1.1.2 and refresh affected lock files#36704
Conversation
Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
…57, Codex 0.136.0, MCP Server v1.1.2) Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
|
🧪 Test Quality Sentinel completed test quality analysis. No test files were added or modified in this PR. PR #36704 is a dependency version bump (Claude Code → 2.1.160, Copilot CLI → 1.0.57, Codex → 0.136.0, GitHub MCP Server → v1.1.2) with no test changes. Test Quality Sentinel skipped. |
|
✅ Design Decision Gate 🏗️ completed the design decision gate check. No ADR enforcement needed: PR #36704 does not have the 'implementation' label (has_implementation_label=false) and has only 4 new lines of code in business logic directories (default_business_additions=4), which is well under the 100-line threshold. This PR is a routine tooling/skill-script update, not a significant architectural change. |
|
🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅ |
|
|
There was a problem hiding this comment.
Pull request overview
Bumps the repository’s default versions for several agentic CLI tools (Claude Code, GitHub Copilot CLI, Codex, GitHub MCP Server) by updating centralized version constants used by the compiler/runtime configuration.
Changes:
- Update default Claude Code CLI version to
2.1.160. - Update default GitHub Copilot CLI version to
1.0.57and Codex to0.136.0. - Update default GitHub MCP Server image tag to
v1.1.2.
Show a summary per file
| File | Description |
|---|---|
pkg/constants/version_constants.go |
Bumps default tool version constants used when generating/running workflows. |
.github/workflows/deep-report.lock.yml |
Updates only the embedded lock metadata body_hash (no corresponding manifest/version pin updates). |
.github/workflows/daily-ambient-context-optimizer.lock.yml |
Updates only the embedded lock metadata body_hash (no corresponding manifest/version pin updates). |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 3/3 changed files
- Comments generated: 3
|
|
||
| // DefaultGitHubMCPServerVersion is the default version of the GitHub MCP server Docker image | ||
| const DefaultGitHubMCPServerVersion Version = "v1.1.0" | ||
| const DefaultGitHubMCPServerVersion Version = "v1.1.2" |
| @@ -1,4 +1,4 @@ | |||
| # gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"b1378e3a94dc80144c9098262e28b1643aa88cc03737e623786dd73e87d8319f","body_hash":"d9aeb7d1ad73b83d345a7b34a53f3878ebc8fb846420f8e7cf5bb129711c0a4e","strict":true,"agent_id":"claude"} | |||
| # gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"b1378e3a94dc80144c9098262e28b1643aa88cc03737e623786dd73e87d8319f","body_hash":"998dc32188e283fc86b37ca07bef72bd4c957f0282c50af482395434a8b2cb66","strict":true,"agent_id":"claude"} | |||
| @@ -1,4 +1,4 @@ | |||
| # gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"d03347fe2b0a6d6902b4f96751e9b621a092c711e8dfb72b1284f763795b369d","body_hash":"5fdf204a238cc84f6f75f2ab43abfb33da61e072c5d679e905b37a588cf99804","strict":true,"agent_id":"copilot"} | |||
| # gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"d03347fe2b0a6d6902b4f96751e9b621a092c711e8dfb72b1284f763795b369d","body_hash":"18c7700688ea94c6b2f14a2a3a5183248e84b658a5a32d9c2b683e9162487d90","strict":true,"agent_id":"copilot"} | |||
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
Skills-Based Review 🧠
Applied /zoom-out — clean version-bump chore with one observation.
📋 Key Themes & Highlights
Key Themes
- Lock file / constant skew: Both lock files still embed
github-mcp-server:v1.1.0in their manifest while the Go constant moves tov1.1.2. Worth a quick confirmation that this is intentional (separate container-pin management) or thatmake recompilewill resolve it.
Positive Highlights
- ✅ Minimal, focused change — only
version_constants.goand the two body-hashes that must update as a consequence - ✅ No lock files accidentally committed (as called out in the PR description)
- ✅ Excellent PR description: version table, per-tool notable changes, and a callout about the security-relevant
RepoAccessCachefix in GitHub MCP Server v1.1.2 - ✅ Copilot upgrade comment in the source file already documents the MCP-loading / PAT
/modelsverification gates
🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · sonnet46 843.8K
| @@ -1,4 +1,4 @@ | |||
| # gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"d03347fe2b0a6d6902b4f96751e9b621a092c711e8dfb72b1284f763795b369d","body_hash":"5fdf204a238cc84f6f75f2ab43abfb33da61e072c5d679e905b37a588cf99804","strict":true,"agent_id":"copilot"} | |||
| # gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"d03347fe2b0a6d6902b4f96751e9b621a092c711e8dfb72b1284f763795b369d","body_hash":"18c7700688ea94c6b2f14a2a3a5183248e84b658a5a32d9c2b683e9162487d90","strict":true,"agent_id":"copilot"} | |||
There was a problem hiding this comment.
[/zoom-out] The lock file manifest still pins github-mcp-server:v1.1.0 while DefaultGitHubMCPServerVersion is being bumped to v1.1.2. If container image pins are managed separately from the Go constant, that's fine — but it's worth confirming the lockdown-mode RepoAccessCache security fix in v1.1.2 is actually active in this workflow.
💡 What to verify
The manifest embedded in the # gh-aw-manifest: header still contains:
"image":"ghcr.io/github/github-mcp-server:v1.1.0"
If lock files are regenerated from the Go constants via make recompile, this may auto-resolve. If container pins are managed independently, add a note confirming the discrepancy is intentional.
|
@copilot merge main, review all comments and reviews https://github.com/github/gh-aw/actions/runs/26908785716/job/79380931847 |
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Merged |
|
🚀 Smoke Pi MISSION COMPLETE! Pi delivered. 🥧 |
|
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨ |
|
✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟 |
|
🚀 Smoke Gemini MISSION COMPLETE! Gemini has spoken. ✨ |
|
🚀 Smoke Antigravity MISSION COMPLETE! Antigravity has spoken. ✨ |
|
✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready. |
|
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing... |
Agent Container Tool Check
Result: 12/12 tools available ✅ Overall Status: PASS
|
This comment has been minimized.
This comment has been minimized.
Smoke Test Results
Overall Status: FAIL Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "localhost"See Network Configuration for more information.
|
|
Smoke test results for run 26910034801:
|
Comment MemoryNote This comment is managed by comment memory.It stores persistent context for this thread in the code block at the top of this comment.
|
🤖 Smoke Test: Claude — Run 26910035253Core #1–#13: ✅ except #2 Overall: PARTIAL Warning Firewall blocked 6 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
|
There was a problem hiding this comment.
💥 Automated smoke test review - all systems nominal!
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
accounts.google.comandroid.clients.google.comclients2.google.comcontentautofill.googleapis.comsafebrowsingohttpgateway.googleapis.comwww.google.com
To allow these domains, add them to the
network.allowedlist in your workflow frontmatter:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
💥 [THE END] — Illustrated by Smoke Claude · opus48 7.7M
| @@ -1,5 +1,5 @@ | |||
| # gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"ab04e390bb0128359d4820e3f77ef60b2c001b2bf47dccc957a274657d3ee400","body_hash":"c0c6b51ff748c32142fa383ae68e04752e079d02bf22356046bf39761521b93c","strict":true,"agent_id":"copilot"} | |||
There was a problem hiding this comment.
🔍 Smoke test review comment 1 — metadata header looks consistent with the bump. Run 26910035253.
| @@ -1,5 +1,5 @@ | |||
| # gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"ab04e390bb0128359d4820e3f77ef60b2c001b2bf47dccc957a274657d3ee400","body_hash":"c0c6b51ff748c32142fa383ae68e04752e079d02bf22356046bf39761521b93c","strict":true,"agent_id":"copilot"} | |||
| # gh-aw-manifest: {"version":1,"secrets":["GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_GRAFANA_AUTHORIZATION","GH_AW_OTEL_GRAFANA_ENDPOINT","GH_AW_OTEL_SENTRY_AUTHORIZATION","GH_AW_OTEL_SENTRY_ENDPOINT","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"27d5ce7f107fe9357f9df03efb73ab90386fccae","version":"v5.0.5"},{"repo":"actions/cache/save","sha":"27d5ce7f107fe9357f9df03efb73ab90386fccae","version":"v5.0.5"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.58"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.58"},{"image":"ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.58"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.58"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.22"},{"image":"ghcr.io/github/github-mcp-server:v1.1.0"},{"image":"node:lts-alpine","digest":"sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14","pinned_image":"node:lts-alpine@sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14"}]} | |||
| # gh-aw-manifest: {"version":1,"secrets":["GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_GRAFANA_AUTHORIZATION","GH_AW_OTEL_GRAFANA_ENDPOINT","GH_AW_OTEL_SENTRY_AUTHORIZATION","GH_AW_OTEL_SENTRY_ENDPOINT","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"27d5ce7f107fe9357f9df03efb73ab90386fccae","version":"v5.0.5"},{"repo":"actions/cache/save","sha":"27d5ce7f107fe9357f9df03efb73ab90386fccae","version":"v5.0.5"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.58"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.58"},{"image":"ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.58"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.58"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.22"},{"image":"ghcr.io/github/github-mcp-server:v1.1.2"},{"image":"node:lts-alpine","digest":"sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14","pinned_image":"node:lts-alpine@sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14"}]} | |||
There was a problem hiding this comment.
🔍 Smoke test review comment 2 — manifest line updated as expected. Run 26910035253.
|
PR: chore: bump Claude Code → 2.1.160, Copilot CLI → 1.0.57, Codex → 0.136.0, GitHub MCP Server → v1.1.2 and refresh affected lock files Warning Firewall blocked 6 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
|
|
@copilot fix tests https://github.com/github/gh-aw/actions/runs/26910006379/job/79385171952 update wasm |
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Updated wasm golden fixtures in commit |
|
|
Four monitored agentic CLI tools have new stable releases. Updates
pkg/constants/version_constants.goand refreshes the affected generated workflow lock files to keep pinned runtime versions aligned.Version bumps
DefaultClaudeCodeVersion2.1.1562.1.160DefaultCopilotVersion1.0.551.0.57DefaultCodexVersion0.135.00.136.0DefaultGitHubMCPServerVersionv1.1.0v1.1.2Lock file updates
Regenerated/kept in sync after merging latest
main:.github/workflows/deep-report.lock.yml.github/workflows/daily-ambient-context-optimizer.lock.ymlThese lock files now reflect the bumped runtime pins (including
ghcr.io/github/github-mcp-server:v1.1.2) so current workflow executions stay aligned with the updated defaults.All are patch/point releases with no breaking changes. Notable improvements:
RepoAccessCachescoping in lockdown mode — security-positive correctness fix relevant toDefaultGitHubLockdown.archive/unarchivesubcommands; command-safety/sandbox hardening fixes.--contextand--extension-sdk-path(opt-in, no impact on existing workflows).✨ PR Review Safe Output Test - Run 26910035253
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
accounts.google.comandroid.clients.google.comclients2.google.comcontentautofill.googleapis.comsafebrowsingohttpgateway.googleapis.comwww.google.comSee Network Configuration for more information.