Bump gh-aw-firewall to v0.27.12 and gh-aw-mcpg to v0.3.31

[Copilot]

This updates gh-aw to the latest gh-aw-firewall and gh-aw-mcpg releases, and refreshes the generated assets that carry those defaults through compiled workflows. It also syncs the embedded AWF config schema copy with the upstream release.

• Version pins

  • Bump DefaultFirewallVersion to v0.27.12
  • Bump DefaultMCPGatewayVersion to v0.3.31

• AWF schema sync

  • Refresh the embedded awf-config.schema.json copy to match the upstream v0.27.12 release content where it drifted

• Container pin refresh

  • Add the new AWF and MCPG image digests to actions-lock.json
  • Sync the embedded action/container pin data used by the compiler and tests

• Generated artifact updates

  • Recompile workflow lock files so compiled outputs reference the new AWF/MCPG versions and pinned images
  • Update existing wasm golden fixtures that embed the default image/version outputs

const DefaultFirewallVersion Version = "v0.27.12"
const DefaultMCPGatewayVersion Version = "v0.3.31"

---

---

✨ PR Review Safe Output Test - Run 28303361477

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

• accounts.google.com
• android.clients.google.com
• clients2.google.com
• contentautofill.googleapis.com
• safebrowsingohttpgateway.googleapis.com
• www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

💥 [THE END] — Illustrated by Smoke Claude · 78.2 AIC · ⌖ 25.6 AIC · ⊞ 8.7K · ◷

---

pr-sous-chef run 28311797805

Generated by 👨‍🍳 PR Sous Chef · 111.6 AIC · ⌖ 0.953 AIC · ⊞ 17.2K · ◷

[github-actions]

🚀 Smoke Pi MISSION COMPLETE! Pi delivered. 🥧

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅

[github-actions]

🚀 Smoke Gemini MISSION COMPLETE! Gemini has spoken. ✨

Smoke test completed with partial failures (GitHub MCP and Build tests). Results reported via issue and PR comment.

[github-actions]

🚀 Smoke Antigravity MISSION COMPLETE! Antigravity has spoken. ✨

[github-actions]

✅ Design Decision Gate 🏗️ completed the design decision gate check.

No ADR enforcement needed: PR does not have the 'implementation' label and has ≤100 new lines of code in business logic directories.

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

✅ PR Code Quality Reviewer completed the code quality review.

[github-actions]

✅ Test Quality Sentinel completed test quality analysis.

No test files were added or modified in this PR. PR #41945 is a dependency bump (gh-aw-firewall v0.27.12, gh-aw-mcpg v0.3.31) that regenerated workflow lock files only. Test Quality Sentinel skipped.

[github-actions]

✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready.

[github-actions]

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

[github-actions]

📰 BREAKING: Smoke Copilot - AOAI (apikey) is now investigating this pull request. Sources say the story is developing...

[github-actions]

📰 BREAKING: Smoke Copilot - AOAI (Entra) is now investigating this pull request. Sources say the story is developing...

[Copilot]

Pull request overview

This pull request updates gh-aw’s default pinned versions for the gh-aw firewall (AWF) and MCP gateway (MCPG), and refreshes the generated/embedded artifacts (schema, container pins, compiled lockfiles, and wasm goldens) that reflect those defaults across workflows and tests.

Changes:

• Bump default pins to gh-aw-firewall v0.27.12 and gh-aw-mcpg v0.3.31.
• Sync embedded AWF config JSON schema copy to the upstream v0.27.12 content.
• Refresh container/action pin data and regenerate compiled workflow / wasm golden fixtures to match the new versions and digests.

Show a summary per file

File	Description
pkg/constants/version_constants.go	Updates DefaultFirewallVersion and DefaultMCPGatewayVersion constants to the new releases.
pkg/workflow/schemas/awf-config.schema.json	Syncs schema descriptions to match upstream AWF v0.27.12.
pkg/workflow/data/action_pins.json	Adds new digest pins for AWF 0.27.12 images and MCPG v0.3.31.
pkg/actionpins/data/action_pins.json	Mirrors the updated container pin set for runtime/compiler usage.
.github/aw/actions-lock.json	Updates the embedded pin registry used for compiled workflows/assets.
.github/workflows/test-workflow.lock.yml	Regenerates compiled workflow to reference AWF 0.27.12 + MCPG v0.3.31 and updated digests.
.github/workflows/example-permissions-warning.lock.yml	Regenerates compiled workflow to reference updated AWF/MCPG versions and digests.
.github/workflows/codex-github-remote-mcp-test.lock.yml	Regenerates compiled workflow to reference updated AWF/MCPG versions and digests.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden	Updates wasm golden fixture outputs for AWF/MCPG version bump.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden	Updates wasm golden fixture outputs for AWF/MCPG version bump.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden	Updates wasm golden fixture outputs for AWF/MCPG version bump.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden	Updates wasm golden fixture outputs for AWF/MCPG version bump.
pkg/workflow/testdata/TestWasmGolden_AllEngines/pi.golden	Updates all-engines golden fixture to AWF 0.27.12 and MCPG v0.3.31.
pkg/workflow/testdata/TestWasmGolden_AllEngines/gemini.golden	Updates all-engines golden fixture to AWF 0.27.12 and MCPG v0.3.31.
pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden	Updates all-engines golden fixture to AWF 0.27.12 and MCPG v0.3.31.
pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden	Updates all-engines golden fixture to AWF 0.27.12 and MCPG v0.3.31.
pkg/workflow/testdata/TestWasmGolden_AllEngines/claude.golden	Updates all-engines golden fixture to AWF 0.27.12 and MCPG v0.3.31.
.changeset/patch-bump-awf-v0-27-12-mcpg-v0-3-31.md	Adds a changeset entry documenting the default pin bump and regenerated artifacts.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 34/268 changed files
• Comments generated: 0
• Review effort level: Low

[github-actions]

Agent Container Tool Check

Tool	Status	Version
bash	✅	5.2.21
sh	✅	available
git	✅	2.54.0
jq	✅	1.7
yq	✅	4.53.3
curl	✅	8.5.0
gh	✅	2.95.0
node	✅	22.23.0
python3	✅	3.11.15 (PyPy 7.3.23)
go	✅	1.24.13
java	✅	21.0.11
dotnet	✅	10.0.301

Result: 12/12 tools available ✅

Overall Status: PASS

🔧 Tool validation by Agent Container Smoke Test · 17.7 AIC · ⌖ 8.69 AIC · ⊞ 5.4K · ◷

[github-actions]

Comment Memory

Stone test beats drum
Bot walks smoke through steel and mist
Green sparks guard the path

Note

This comment is managed by comment memory.

It stores persistent context for this thread in the code block at the top of this comment.
Edit only the text inside the backtick fences; workflow metadata and the footer are regenerated automatically.

Learn more about comment memory

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

• accounts.google.com
• android.clients.google.com
• clients2.google.com
• contentautofill.googleapis.com
• safebrowsingohttpgateway.googleapis.com
• www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot · 506.2 AIC · ⌖ 16.4 AIC · ⊞ 19.8K · ◷

[github-actions]

Smoke walk left one diff note.

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

• accounts.google.com
• android.clients.google.com
• clients2.google.com
• contentautofill.googleapis.com
• safebrowsingohttpgateway.googleapis.com
• www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot · 506.2 AIC · ⌖ 16.4 AIC · ⊞ 19.8K

[github-actions]

Review: Version bump — gh-aw-firewall v0.27.12 · gh-aw-mcpg v0.3.31

No blocking issues. Changes are mechanical, consistent, and complete.

What was reviewed

Source code changes (pkg/constants/version_constants.go)
Two version string constants updated; no logic altered.

Pin files (.github/aw/actions-lock.json, pkg/actionpins/data/action_pins.json, pkg/workflow/data/action_pins.json)
All three are byte-for-byte identical — new entries for all five image variants carry correct sha256 digests. Notably, cli-proxy at 0.27.11 previously had no pinned digest in the manifest; 0.27.12 now has one, which closes a pre-existing supply-chain gap.

Schema (pkg/workflow/schemas/awf-config.schema.json)
Description-only sync from upstream. The existing allOf constraint (topologyAttach → isolation: true) is preserved. The new description language noting that isolation is not yet supported alongside dnsOverHttps or enableHostAccess is informational; schema-level enforcement would be a separate concern.

Generated artifacts
All 268 lock files regenerated — grep confirms zero residual references to 0.27.11 or v0.3.30. Wasm golden fixtures updated consistently.

🔎 Code quality review by PR Code Quality Reviewer · 171 AIC · ⌖ 7.08 AIC · ⊞ 5.2K

[github-actions]

Smoke Test 28303380257:

Tests: 1✅ 2❌ 3❌ 4❌ 5❌ 6✅ 7❌ 8✅ 9❌ 10✅ 11✅ 12❌ 13✅ 14✅ 15✅

Overall: FAIL

Author: @app/copilot-swe-agent Assignees: @lpcox, @Copilot

📰 BREAKING: Report filed by Smoke Copilot - AOAI (apikey) · 83 AIC · ⌖ 6.71 AIC · ⊞ 17.9K · ◷

[gh-aw-bot]

@copilot please run the pr-finisher skill, address the failing smoke test, and rerun checks after verifying the branch is ready to merge.

Generated by 👨‍🍳 PR Sous Chef · 95.3 AIC · ⌖ 1.05 AIC · ⊞ 17.1K · ◷

[github-actions]

🤖 PR Triage — Run §28307424127

Field	Value
Category	chore
Risk	🟡 Medium
Score	65/100
Score breakdown	Impact 35 + Urgency 25 + Quality 5
Action	👥 batch_review

Summary: Dependency version bump for gh-aw-firewall → v0.27.12 and gh-aw-mcpg → v0.3.31, plus generated-asset refresh (268 files, mostly lock/schema regeneration). ⚠️ CI has 3 failures: Smoke Copilot - AOAI (Entra) and safe_outputs (×2). Failures must be resolved before merge. High-priority once CI is green.

Generated by 🔧 PR Triage Agent · 64.9 AIC · ⌖ 9.76 AIC · ⊞ 5.4K · ◷

[gh-aw-bot]

@copilot please run the pr-finisher skill, address the failing CI feedback, refresh this branch from main, and rerun checks once it is updated.

Generated by 👨‍🍳 PR Sous Chef · 111.6 AIC · ⌖ 0.953 AIC · ⊞ 17.2K · ◷

[github-actions]

PR Triage — Run §28315307719

Category	chore
Risk	medium
Priority	high
Score	58/100 — impact 28 · urgency 18 · quality 12
Action	batch_review

Large generated-asset bump for gh-aw-firewall v0.27.12 and gh-aw-mcpg v0.3.31 (+5307/-5227, 272 files). CI gate pending after latest push. Review together with other infrastructure updates. 10h old.

Generated by 🔧 PR Triage Agent · 82.5 AIC · ⌖ 10.6 AIC · ⊞ 5.4K · ◷