chore: bump gh-aw-firewall to v0.27.28#44467
Conversation
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…ock files Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
| @@ -1,171 +1,4 @@ | |||
| { | |||
| "entries": { | |||
There was a problem hiding this comment.
@copilot fix code that rewrites/sync this file to ensure that fields are stored.
There was a problem hiding this comment.
Fixed in the latest commit. The root cause was that sync-action-pins used jq . which sorts keys alphabetically (putting containers before entries), conflicting with ActionCache.marshalSorted() which always emits entries first.
Changes:
Makefilesync-action-pins— updated to usejq '{entries: .entries} + if ... then {containers: .containers} else {} end'to preserve canonical section ordering.github/aw/actions-lock.json— rewritten withentriesbeforecontainerspkg/actionpins/data/action_pins.jsonandpkg/workflow/data/action_pins.json— re-synced with correct ordering
TestActionsLockJSONFieldsAreSorted now passes for both sub-tests.
…and actions-lock.json Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
|
❌ Smoke Copilot Small failed. Please review the logs for details. |
|
✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready. |
|
📰 BREAKING: Smoke Copilot - AOAI (Entra) is now investigating this pull request. Sources say the story is developing... |
|
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨ |
|
🚀 Smoke Gemini MISSION COMPLETE! Gemini has spoken. ✨ |
|
🚀 Smoke Antigravity MISSION COMPLETE! Antigravity has spoken. ✨ |
|
✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟 |
|
🚀 Smoke Pi MISSION COMPLETE! Pi delivered. 🥧 |
|
📰 BREAKING: Smoke Copilot - AOAI (apikey) is now investigating this pull request. Sources say the story is developing... |
|
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing... |
Smoke Test Results\n✅ GitHub MCP Testing\n✅ Web Fetch Testing\n✅ File Writing Testing\n✅ Bash Tool Testing\n❌ Build gh-aw\nOverall status: FAILWarning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "localhost"See Network Configuration for more information.
|
Agent Container Tool Check
Result: 12/12 tools available ✅ Overall Status: PASS Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
Comment MemoryNote This comment is managed by comment memory.It stores persistent context for this thread in the code block at the top of this comment. Warning Firewall blocked 6 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
|
|
Smoke tests:
Overall: FAIL Warning Firewall blocked 6 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
|
|
Smoke Test Summary:\n\n1. ✅ Test1\n2. ❌ Test2\n3. ❌ Test3\n4. ❌ Test4\n5. ❌ Test5\n6. ❌ Test6\n7. ❌ Test7\n8. ❌ Test8\n9. ❌ Test9\n10. ❌ Test10\n11. ❌ Test11\n12. ❌ Test12\n13. ❌ Test13\n14. ❌ Test14\n15. ❌ Test15\n\nOverall status: FAIL\nAuthor:
|
|
🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅ |
|
✅ Test Quality Sentinel completed test quality analysis. |
|
|
|
✅ Design Decision Gate 🏗️ completed the design decision gate check. No ADR enforcement needed: PR #44467 does not have the 'implementation' label and has 0 new lines of code in business logic directories (threshold: 100). |
Smokechore: bump gh-aw-firewall to v0.27.28 Warning Firewall blocked 6 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
|
Comment MemoryNote This comment is managed by comment memory.It stores persistent context for this thread in the code block at the top of this comment. Warning Firewall blocked 6 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
|
There was a problem hiding this comment.
Smoke run §28996054925 completed; inline notes mark validated diff anchors.
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
accounts.google.comandroid.clients.google.comclients2.google.comcontentautofill.googleapis.comsafebrowsingohttpgateway.googleapis.comwww.google.com
To allow these domains, add them to the
network.allowedlist in your workflow frontmatter:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
📰 BREAKING: Report filed by Smoke Copilot · 129.6 AIC · ⌖ 4.89 AIC · ⊞ 19.8K
Comment /smoke-copilot to run again
Add label smoke to run again
There was a problem hiding this comment.
Pull request overview
This PR bumps the embedded/default gh-aw-firewall (AWF) version from v0.27.27 to v0.27.28, and updates the repo’s pinned container digests, embedded schema, and regenerated workflow artifacts to match the new firewall release.
Changes:
- Bump
DefaultFirewallVersiontov0.27.28and update compiled/golden fixtures to reflect the new AWF version. - Sync updated AWF config JSON schema text and update firewall container digest pins (including tests asserting digests).
- Regenerate workflow lock artifacts and update the action/container lock JSON sources used for pinning.
Show a summary per file
| File | Description |
|---|---|
| pkg/constants/version_constants.go | Bumps the default AWF version constant to v0.27.28. |
| pkg/workflow/schemas/awf-config.schema.json | Updates embedded upstream schema text (incl. runner.topology description). |
| .github/aw/actions-lock.json | Adds/updates pinned container digests for AWF 0.27.28 images. |
| pkg/actionpins/data/action_pins.json | Syncs embedded action/container pin data (includes new 0.27.28 container digests). |
| pkg/workflow/data/action_pins.json | Syncs workflow package’s embedded action/container pin data (includes new 0.27.28 container digests). |
| Makefile | Adjusts sync-action-pins to only emit entries (+ containers when present). |
| pkg/workflow/docker_firewall_pin_compile_test.go | Updates hardcoded digest assertions to the v0.27.28 SHAs. |
| .changeset/patch-bump-awf-v0-27-28.md | Adds a patch changeset for the AWF bump and regenerated artifacts. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden | Updates golden output to reference AWF v0.27.28 and 0.27.28 images. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden | Updates golden output to reference AWF v0.27.28 and 0.27.28 images. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden | Updates golden output to reference AWF v0.27.28 and 0.27.28 images. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden | Updates golden output to reference AWF v0.27.28 and 0.27.28 images. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/pi.golden | Updates golden output to reference AWF v0.27.28 and 0.27.28 images. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/gemini.golden | Updates golden output to reference AWF v0.27.28 and 0.27.28 images. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden | Updates golden output to reference AWF v0.27.28 and 0.27.28 images. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden | Updates golden output to reference AWF v0.27.28 and 0.27.28 images. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/claude.golden | Updates golden output to reference AWF v0.27.28 and 0.27.28 images. |
| .github/workflows/example-permissions-warning.lock.yml | Regenerated lock workflow with AWF v0.27.28 pins and updated container digests. |
| .github/workflows/codex-github-remote-mcp-test.lock.yml | Regenerated lock workflow with AWF v0.27.28 pins and updated container digests. |
| .github/workflows/bot-detection.lock.yml | Regenerated lock workflow with AWF v0.27.28 pins and updated container digests. |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 36/273 changed files
- Comments generated: 1
- Review effort level: Low
| @@ -738,7 +738,7 @@ | |||
| "topology": { | |||
| "type": "string", | |||
| "enum": ["standard", "arc-dind"], | |||
| "description": "Runner deployment topology. 'standard' (default) = GitHub-hosted VM or self-hosted runner with local Docker. 'arc-dind' = ARC (Actions Runner Controller) with Docker-in-Docker sidecar, where the runner and Docker daemon have separate filesystems. When set to 'arc-dind', AWF enables sysroot staging (a sysroot-stage init container copies the build-tools image into a named volume mounted at /host:rw on the agent) and emits a warning when RUNNER_TOOL_CACHE points under /opt (which is typically invisible to the DinD daemon). Other ARC/DinD settings such as container.dockerHostPathPrefix, dind.preStageDirs, and network.isolation are configured explicitly through their own fields." | |||
| "description": "Runner deployment topology. 'standard' (default) = GitHub-hosted VM or self-hosted runner with local Docker. 'arc-dind' = ARC (Actions Runner Controller) with Docker-in-Docker sidecar, where the runner and Docker daemon have separate filesystems. When set to 'arc-dind', AWF enables sysroot staging (a sysroot-stage init container copies the build-tools image into a named volume mounted at /host:rw on the agent) and emits a warning when RUNNER_TOOL_CACHE points under /opt (which is typically invisible to the DinD daemon). Other ARC/DinD settings such as container.dockerHostPathPrefix, dind.preStageDirs, and network.isolation are configured explicitly through their own fields. See docs/arc-dind.md for a complete guide." | |||
🧪 Test Quality Sentinel Report✅ Test Quality Score: 100/100 — Excellent
📊 Metrics (2 tests)
Verdict
Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
There was a problem hiding this comment.
Review: chore: bump gh-aw-firewall to v0.27.28
LGTM. This is a well-structured routine version bump.
Verified:
DefaultFirewallVersioncorrectly updated tov0.27.28inpkg/constants/version_constants.go- All 5 image digests are consistent across
actions-lock.jsonanddocker_firewall_pin_compile_test.go:agent:sha256:53225868...api-proxy:sha256:9c409216...cli-proxy:sha256:65f9b00a...squid:sha256:41d20c77...build-tools:sha256:4f982795...
- No
AWF*MinVersiongates need updating (release is refactor + bug fixes only, no new CLI flags) - Schema sync is cosmetic (enum array formatting +
arc-dinddescription links to docs) - Changeset added and 260 lock files regenerated as expected
🧵 Reviewed using Impeccable skills by Impeccable Skills Reviewer · 50.6 AIC · ⌖ 5.86 AIC · ⊞ 4.8K
There was a problem hiding this comment.
Clean version bump — LGTM
All 5 v0.27.28 image digests are internally consistent across actions-lock.json, the test assertions in docker_firewall_pin_compile_test.go, and all 260 regenerated lock files. No stale v0.27.27 references remain in any added line. The double-recompile process was correctly followed across three commits. No actionable issues found.
🔎 Code quality review by PR Code Quality Reviewer · 135.9 AIC · ⌖ 6.42 AIC · ⊞ 5.4K
Comment /review to run again
There was a problem hiding this comment.
Skills-Based Review 🧠
Applied /tdd and /codebase-design — this is a clean mechanical version bump; approving.
📋 Review Summary
What was reviewed
This PR bumps gh-aw-firewall from v0.27.27 → v0.27.28 (refactoring + bug fixes only, no new CLI flags or MinVersion gates).
Key observations
- ✅ SHA consistency verified — all 5 image digests (
agent,api-proxy,cli-proxy,squid,build-tools) are consistent acrossactions-lock.json, the test file assertions, and the 260 regeneratedlock.ymlfiles - ✅ Double-recompile protocol followed —
pkg/constants/version_constants.godocumentsmake build && make recompile && make recompileand the PR description confirmsmake recompile × 2was executed - ✅ Regression tests updated —
docker_firewall_pin_compile_test.gohardcodes the new v0.27.28 SHAs and tests pinning for the default version,arc-dindtopology, and the legacy v0.27.0 path - ✅ Schema sync —
awf-config.schema.jsonupdates thearc-dindtopology description to linkdocs/arc-dind.md, consistent with existing vocabulary - ✅ Changeset present — patch-level changeset file included
Positive highlights
- The test structure is solid: separate test functions per scenario (default version, arc-dind, older pinned version), each with a clear Arrange/Act/Assert shape
- Hardcoding expected SHAs directly in the test is the right call for this type of supply-chain pin regression — it makes drift immediately visible
- Version constant comment with the
⚠️ IMPORTANTwarning and exactmakecommands is excellent operational documentation
🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · 97.5 AIC · ⌖ 6.68 AIC · ⊞ 6.6K
Comment /matt to run again
Integrates gh-aw-firewall v0.27.28 (from v0.27.27). Release is refactoring + bug fixes only — no new CLI flags, no new
AWF*MinVersiongates needed.Changes
pkg/constants/version_constants.go— bumpDefaultFirewallVersiontov0.27.28pkg/workflow/schemas/awf-config.schema.json— sync upstream schema: enum array formatting normalization +arc-dindtopology description now links todocs/arc-dind.md.github/aw/actions-lock.json— add SHA digest pins for all 5 v0.27.28 images (agent,api-proxy,cli-proxy,squid,build-tools)pkg/workflow/docker_firewall_pin_compile_test.go— update hardcoded digest assertions to v0.27.28 SHAs.changeset/patch-bump-awf-v0-27-28.md— patch changeset*.lock.yml— all 260 workflow lock files regenerated (make recompile × 2)Release highlights (v0.27.28)
COPILOT_MODELnow validated after alias resolution, not beforeSUPPORTED_COPILOT_MODELSdrift from pricing catalog✨ PR Review Safe Output Test - Run 28996017246
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
accounts.google.comandroid.clients.google.comclients2.google.comcontentautofill.googleapis.comsafebrowsingohttpgateway.googleapis.comwww.google.comSee Network Configuration for more information.