chore: upgrade to firewall v0.25.29 and mcpg v0.3.1#2271
Merged
Conversation
- Add sandbox.agent.version: v0.25.29 to all 30 workflows - Update sandbox.mcp.version: v0.3.1 in 3 non-strict smoke workflows (strict-mode workflows use the compiler default) - Recompile all lock files and post-process Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
✅ Coverage Check PassedOverall Coverage
📁 Per-file Coverage Changes (1 files)
Coverage comparison generated by |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
Contributor
Smoke Test: GitHub Actions Services Connectivity
Overall: FAIL —
|
Contributor
There was a problem hiding this comment.
Pull request overview
Upgrades the Agentic Workflows workflow sources and compiled lock files to use gh-aw-firewall v0.25.29 (and intends to bump gh-aw-mcpg to v0.3.1) across the repository’s automation workflows.
Changes:
- Add
sandbox.agent.version: v0.25.29to many workflow source (*.md) frontmatters. - Regenerate multiple compiled workflow lock files (
*.lock.yml) to reference firewall 0.25.29. - Update MCP version to v0.3.1 in a subset of smoke workflow sources (and corresponding locks in some cases).
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/update-release-notes.md | Pins sandbox agent version to v0.25.29. |
| .github/workflows/update-release-notes.lock.yml | Regenerated lock; updates firewall version references and runtime scripts. |
| .github/workflows/test-coverage-improver.md | Pins sandbox agent version to v0.25.29. |
| .github/workflows/smoke-services.md | Pins sandbox agent version to v0.25.29. |
| .github/workflows/smoke-services.lock.yml | Regenerated lock; updates firewall version references and runtime scripts. |
| .github/workflows/smoke-opencode.md | Pins sandbox agent version to v0.25.29. |
| .github/workflows/smoke-gemini.md | Pins sandbox agent version to v0.25.29. |
| .github/workflows/smoke-copilot.md | Pins agent version to v0.25.29 and MCP version to v0.3.1. |
| .github/workflows/smoke-copilot-byok.md | Pins sandbox agent version to v0.25.29. |
| .github/workflows/smoke-copilot-byok.lock.yml | Regenerated lock; updates firewall version references and runtime scripts. |
| .github/workflows/smoke-codex.md | Pins agent version to v0.25.29 and MCP version to v0.3.1. |
| .github/workflows/smoke-claude.md | Pins agent version to v0.25.29 and MCP version to v0.3.1. |
| .github/workflows/smoke-chroot.md | Pins sandbox agent version to v0.25.29. |
| .github/workflows/security-review.md | Pins sandbox agent version to v0.25.29. |
| .github/workflows/security-review.lock.yml | Regenerated lock; updates firewall version references and runtime scripts. |
| .github/workflows/security-guard.md | Pins sandbox agent version to v0.25.29. |
| .github/workflows/secret-digger-copilot.md | Pins sandbox agent version to v0.25.29. |
| .github/workflows/secret-digger-codex.md | Pins sandbox agent version to v0.25.29. |
| .github/workflows/secret-digger-claude.md | Pins sandbox agent version to v0.25.29. |
| .github/workflows/plan.md | Pins sandbox agent version to v0.25.29. |
| .github/workflows/plan.lock.yml | Regenerated lock; updates firewall version references and runtime scripts. |
| .github/workflows/pelis-agent-factory-advisor.md | Pins sandbox agent version to v0.25.29. |
| .github/workflows/issue-monster.md | Pins sandbox agent version to v0.25.29. |
| .github/workflows/issue-monster.lock.yml | Regenerated lock; updates firewall version references and runtime scripts. |
| .github/workflows/issue-duplication-detector.md | Pins sandbox agent version to v0.25.29. |
| .github/workflows/issue-duplication-detector.lock.yml | Regenerated lock; updates firewall version references and runtime scripts. |
| .github/workflows/firewall-issue-dispatcher.md | Pins sandbox agent version to v0.25.29. |
| .github/workflows/firewall-issue-dispatcher.lock.yml | Regenerated lock; updates firewall version references and runtime scripts. |
| .github/workflows/doc-maintainer.md | Pins sandbox agent version to v0.25.29. |
| .github/workflows/doc-maintainer.lock.yml | Regenerated lock; updates firewall version references and runtime scripts. |
| .github/workflows/dependency-security-monitor.md | Pins sandbox agent version to v0.25.29. |
| .github/workflows/dependency-security-monitor.lock.yml | Regenerated lock; updates firewall version references and runtime scripts. |
| .github/workflows/copilot-token-usage-analyzer.md | Pins sandbox agent version to v0.25.29. |
| .github/workflows/copilot-token-usage-analyzer.lock.yml | Regenerated lock; updates firewall version references and runtime scripts. |
| .github/workflows/copilot-token-optimizer.md | Pins sandbox agent version to v0.25.29. |
| .github/workflows/copilot-token-optimizer.lock.yml | Regenerated lock; updates firewall version references and runtime scripts. |
| .github/workflows/cli-flag-consistency-checker.md | Pins sandbox agent version to v0.25.29. |
| .github/workflows/cli-flag-consistency-checker.lock.yml | Regenerated lock; updates firewall version references and runtime scripts. |
| .github/workflows/claude-token-usage-analyzer.md | Pins sandbox agent version to v0.25.29. |
| .github/workflows/claude-token-usage-analyzer.lock.yml | Regenerated lock; updates firewall version references and runtime scripts. |
| .github/workflows/claude-token-optimizer.md | Pins sandbox agent version to v0.25.29. |
| .github/workflows/claude-token-optimizer.lock.yml | Regenerated lock; updates firewall version references and runtime scripts. |
| .github/workflows/ci-doctor.md | Pins sandbox agent version to v0.25.29. |
| .github/workflows/ci-doctor.lock.yml | Regenerated lock; updates firewall version references and runtime scripts. |
| .github/workflows/ci-cd-gaps-assessment.md | Pins sandbox agent version to v0.25.29. |
| .github/workflows/build-test.md | Pins sandbox agent version to v0.25.29. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comments suppressed due to low confidence (3)
.github/workflows/update-release-notes.lock.yml:43
- The firewall container images are no longer digest-pinned (agent/api-proxy/squid are tag-only). If these tags are ever republished, the workflow becomes non-reproducible and could unintentionally run different code. Prefer keeping
@sha256:...pins (or restoring the prior--image-tag ...=sha256:approach) for these images.
.github/workflows/update-release-notes.lock.yml:698 - This lock file switches the AWF invocation from using prebuilt, digest-pinned images (
--image-tag ... --skip-pull) to--build-local. That’s a significant behavioral change (longer runtime, dependence on local Docker builds) beyond a version bump; if the intent is only to upgrade to v0.25.29/v0.3.1, consider keeping the prior image-pinning flow.
.github/workflows/update-release-notes.lock.yml:424 - This workflow now runs
awf --build-locallater, which builds the firewall images from the repo’s Dockerfiles. Downloading the published GHCR firewall images here (agent/api-proxy/squid) looks redundant and will slow the job; consider removing them from this download step (or switching the workflow back to using GHCR images instead of--build-local).
- Files reviewed: 60/60 changed files
- Comments generated: 6
| # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"2a564093eee8759c176d370dedea6b8b4bd0923dc0b105b32cda34305aaf395c","compiler_version":"v0.71.1","strict":true,"agent_id":"copilot"} | ||
| # gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"239aec45b78c8799417efdd5bc6d8cc036629ec1","version":"v0.71.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.28","digest":"sha256:a8834e285807654bf680154faa710d43fe4365a0868142f5c20e48c85e137a7a","pinned_image":"ghcr.io/github/gh-aw-firewall/agent:0.25.28@sha256:a8834e285807654bf680154faa710d43fe4365a0868142f5c20e48c85e137a7a"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.28","digest":"sha256:93290f2393752252911bd7c39a047f776c0b53063575e7bde4e304962a9a61cb","pinned_image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.28@sha256:93290f2393752252911bd7c39a047f776c0b53063575e7bde4e304962a9a61cb"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.28","digest":"sha256:844c18280f82cd1b06345eb2f4e91966b34185bfc51c9f237c3e022e848fb474","pinned_image":"ghcr.io/github/gh-aw-firewall/squid:0.25.28@sha256:844c18280f82cd1b06345eb2f4e91966b34185bfc51c9f237c3e022e848fb474"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.0","digest":"sha256:9c2228324fb1f26f39dc9471612e530ae3efc3156dac05efb2e8d212878d454d","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.0@sha256:9c2228324fb1f26f39dc9471612e530ae3efc3156dac05efb2e8d212878d454d"},{"image":"ghcr.io/github/github-mcp-server:v1.0.2","digest":"sha256:26db03408086a99cf1916348dcc4f9614206658f9082a8060dc7c81ad787f4ba","pinned_image":"ghcr.io/github/github-mcp-server:v1.0.2@sha256:26db03408086a99cf1916348dcc4f9614206658f9082a8060dc7c81ad787f4ba"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]} | ||
| # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"04db2270b08dcf82e84bccdf825a1d17bb9165320a472eee1f7b8c1d150415ad","compiler_version":"v0.71.1","strict":true,"agent_id":"copilot"} | ||
| # gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"239aec45b78c8799417efdd5bc6d8cc036629ec1","version":"v0.71.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.29"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.29"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.29"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.0","digest":"sha256:9c2228324fb1f26f39dc9471612e530ae3efc3156dac05efb2e8d212878d454d","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.0@sha256:9c2228324fb1f26f39dc9471612e530ae3efc3156dac05efb2e8d212878d454d"},{"image":"ghcr.io/github/github-mcp-server:v1.0.2","digest":"sha256:26db03408086a99cf1916348dcc4f9614206658f9082a8060dc7c81ad787f4ba","pinned_image":"ghcr.io/github/github-mcp-server:v1.0.2@sha256:26db03408086a99cf1916348dcc4f9614206658f9082a8060dc7c81ad787f4ba"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]} |
There was a problem hiding this comment.
The PR claims an upgrade to mcpg v0.3.1, but the generated manifest still references ghcr.io/github/gh-aw-mcpg:v0.3.0 here. This will keep running the old gateway unless the workflow pins sandbox.mcp.version: v0.3.1 and the lock file is regenerated.
This issue also appears in the following locations of the same file:
- line 41
- line 424
- line 698
| # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"e5aea52e4e12ee13c911203567dba971d7370617e98676e67d7e317c271ad448","compiler_version":"v0.71.1","strict":true,"agent_id":"copilot"} | ||
| # gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"239aec45b78c8799417efdd5bc6d8cc036629ec1","version":"v0.71.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.28","digest":"sha256:a8834e285807654bf680154faa710d43fe4365a0868142f5c20e48c85e137a7a","pinned_image":"ghcr.io/github/gh-aw-firewall/agent:0.25.28@sha256:a8834e285807654bf680154faa710d43fe4365a0868142f5c20e48c85e137a7a"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.28","digest":"sha256:93290f2393752252911bd7c39a047f776c0b53063575e7bde4e304962a9a61cb","pinned_image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.28@sha256:93290f2393752252911bd7c39a047f776c0b53063575e7bde4e304962a9a61cb"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.28","digest":"sha256:844c18280f82cd1b06345eb2f4e91966b34185bfc51c9f237c3e022e848fb474","pinned_image":"ghcr.io/github/gh-aw-firewall/squid:0.25.28@sha256:844c18280f82cd1b06345eb2f4e91966b34185bfc51c9f237c3e022e848fb474"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.0","digest":"sha256:9c2228324fb1f26f39dc9471612e530ae3efc3156dac05efb2e8d212878d454d","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.0@sha256:9c2228324fb1f26f39dc9471612e530ae3efc3156dac05efb2e8d212878d454d"},{"image":"ghcr.io/github/github-mcp-server:v1.0.2","digest":"sha256:26db03408086a99cf1916348dcc4f9614206658f9082a8060dc7c81ad787f4ba","pinned_image":"ghcr.io/github/github-mcp-server:v1.0.2@sha256:26db03408086a99cf1916348dcc4f9614206658f9082a8060dc7c81ad787f4ba"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]} | ||
| # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"5bc64a1cd7636f67422d4ac81225aa94ce8bf1e02ae82f784ceed215c8473e27","compiler_version":"v0.71.1","strict":true,"agent_id":"copilot"} | ||
| # gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"239aec45b78c8799417efdd5bc6d8cc036629ec1","version":"v0.71.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.29"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.29"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.29"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.0","digest":"sha256:9c2228324fb1f26f39dc9471612e530ae3efc3156dac05efb2e8d212878d454d","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.0@sha256:9c2228324fb1f26f39dc9471612e530ae3efc3156dac05efb2e8d212878d454d"},{"image":"ghcr.io/github/github-mcp-server:v1.0.2","digest":"sha256:26db03408086a99cf1916348dcc4f9614206658f9082a8060dc7c81ad787f4ba","pinned_image":"ghcr.io/github/github-mcp-server:v1.0.2@sha256:26db03408086a99cf1916348dcc4f9614206658f9082a8060dc7c81ad787f4ba"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]} |
There was a problem hiding this comment.
The PR claims an upgrade to mcpg v0.3.1, but this generated manifest still references ghcr.io/github/gh-aw-mcpg:v0.3.0. Pin sandbox.mcp.version: v0.3.1 in the source .md and regenerate this lock file to make the upgrade effective.
Comment on lines
+11
to
+13
| sandbox: | ||
| agent: | ||
| version: v0.25.29 |
There was a problem hiding this comment.
PR title/description says mcpg is upgraded to v0.3.1, but this workflow frontmatter only pins the agent version. Add sandbox.mcp.version: v0.3.1 here (and re-run gh aw compile) so the generated lock file stops using gh-aw-mcpg v0.3.0.
Comment on lines
+38
to
+40
| sandbox: | ||
| agent: | ||
| version: v0.25.29 |
There was a problem hiding this comment.
PR title/description says mcpg is upgraded to v0.3.1, but this workflow only pins the agent version. Add sandbox.mcp.version: v0.3.1 here (and re-run gh aw compile) so the lock file upgrades gh-aw-mcpg from v0.3.0.
Comment on lines
+19
to
22
| sandbox: | ||
| agent: | ||
| version: v0.25.29 | ||
| strict: true |
There was a problem hiding this comment.
This workflow performs “GitHub MCP Testing” but does not pin an MCP gateway version; the generated lock file currently uses gh-aw-mcpg v0.3.0. If this PR is meant to upgrade mcpg to v0.3.1, add sandbox.mcp.version: v0.3.1 alongside the agent version (then re-run gh aw compile).
Comment on lines
+43
to
46
| sandbox: | ||
| agent: | ||
| version: v0.25.29 | ||
| strict: true |
There was a problem hiding this comment.
This workflow includes GitHub MCP testing steps but the frontmatter doesn’t pin an MCP gateway version; the generated lock file currently uses gh-aw-mcpg v0.3.0. If the PR goal is mcpg v0.3.1, add sandbox.mcp.version: v0.3.1 here and regenerate the lock file.
Collaborator
Author
|
@copilot address all feedback for .md files. don't update any .lock.yml files |
…services, smoke-opencode, smoke-gemini Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/ad7672a6-25a7-4238-ac1e-aef262d6075f Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Contributor
Contributor
|
Smoke Test Results: Status: PASS
|
Contributor
🔬 Smoke Test Results
Overall: FAIL — pre-step template variables ( PR: "chore: upgrade to firewall v0.25.29 and mcpg v0.3.1" by @lpcox · Reviewer:
|
Contributor
|
Smoke Test: Copilot BYOK (Offline) Mode
Running in BYOK offline mode ( Overall: PASS (core BYOK path verified) PR by @lpcox · reviewer:
|
Contributor
Chroot Version Comparison Results
Overall: ❌ Not all tests passed — Python and Node.js versions differ between host and chroot environments.
|
Contributor
🏗️ Build Test Suite Results
Overall: 8/8 ecosystems passed — ✅ PASS
|
Contributor
|
PR titles: Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "registry.npmjs.org"See Network Configuration for more information.
|
This was referenced Apr 28, 2026
Closed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Upgrades all 30 workflows to firewall v0.25.29 and mcpg v0.3.1