chore: recompile workflow lock files for AWF v0.13.5 #526
After #524 removed HTTP_PROXY/HTTPS_PROXY from the agent container, the v0.13.4 images break because their setup-iptables.sh DNATs to port 3128 (explicit proxy) instead of 3129 (intercept mode). Recompile all lock files to use v0.13.5 images which have the intercept port fix (PR #520). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
✅ Coverage Check Passed
Pull request overview
This pull request recompiles all 23 workflow lock files to use AWF (Agentic Workflow Firewall) v0.13.5 container images, upgrading from v0.13.4. The change addresses a critical proxy configuration issue introduced by PR #524, which removed HTTP_PROXY/HTTPS_PROXY environment variables. AWF v0.13.5 correctly DNATs ports 80/443 to squid port 3129 (intercept mode) instead of port 3128 (explicit proxy mode), allowing transparent traffic handling without requiring the HTTP_PROXY environment variable.
Changes:
- Updated AWF version from v0.13.4 to v0.13.5 across all workflow lock files
- Updated AWMG (MCP Gateway) version from v0.0.98 to v0.0.99
- Updated GitHub Copilot CLI version from 0.0.402 to 0.0.403
- Claude Code version changed from 2.1.31 to 2.1.29 (downgrade - requires verification)
- Added consistent action checkout steps and updated action references
Reviewed changes
Copilot reviewed 23 out of 23 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/update-release-notes.lock.yml | Updated to AWF v0.13.5 with new action checkout patterns |
| .github/workflows/test-coverage-improver.lock.yml | Updated to AWF v0.13.5 with new action checkout patterns |
| .github/workflows/smoke-copilot.lock.yml | Updated to AWF v0.13.5 with new action checkout patterns |
| .github/workflows/smoke-claude.lock.yml | Updated to AWF v0.13.5, Claude Code downgraded to 2.1.29 |
| .github/workflows/smoke-chroot.lock.yml | Updated to AWF v0.13.5 with new action checkout patterns |
| .github/workflows/security-review.lock.yml | Updated to AWF v0.13.5 with new action checkout patterns |
| .github/workflows/security-guard.lock.yml | Updated to AWF v0.13.5, Claude Code downgraded to 2.1.29 |
| .github/workflows/plan.lock.yml | Updated to AWF v0.13.5 with new action checkout patterns |
| .github/workflows/pelis-agent-factory-advisor.lock.yml | Updated to AWF v0.13.5 with new action checkout patterns |
| .github/workflows/issue-monster.lock.yml | Updated to AWF v0.13.5 with new action checkout patterns |
| .github/workflows/issue-duplication-detector.lock.yml | Updated to AWF v0.13.5 with new action checkout patterns |
| .github/workflows/doc-maintainer.lock.yml | Updated to AWF v0.13.5 with new action checkout patterns |
| .github/workflows/dependency-security-monitor.lock.yml | Updated to AWF v0.13.5 with new action checkout patterns |
| .github/workflows/ci-doctor.lock.yml | Updated to AWF v0.13.5 with new action checkout patterns |
| .github/workflows/ci-cd-gaps-assessment.lock.yml | Updated to AWF v0.13.5 with new action checkout patterns |
| .github/workflows/build-test-rust.lock.yml | Updated to AWF v0.13.5 with new action checkout patterns |
| .github/workflows/build-test-node.lock.yml | Updated to AWF v0.13.5 with new action checkout patterns |
| .github/workflows/build-test-java.lock.yml | Updated to AWF v0.13.5 with new action checkout patterns |
| .github/workflows/build-test-go.lock.yml | Updated to AWF v0.13.5 with new action checkout patterns |
| .github/workflows/build-test-deno.lock.yml | Updated to AWF v0.13.5 with new action checkout patterns |
| .github/workflows/build-test-cpp.lock.yml | Updated to AWF v0.13.5 with new action checkout patterns |
| .github/workflows/build-test-bun.lock.yml | Updated to AWF v0.13.5 with new action checkout patterns |
| run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.5 | ||
| - name: Install Claude Code CLI | ||
| run: npm install -g --silent @anthropic-ai/claude-code@2.1.31 | ||
| run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 |
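Review bot: On the `npm install -g --silent @anthropic-ai/claude-code@…` line the pin goes from 2.1.31 to 2.1.29, a step backwards next to an `install_awf_binary.sh` call that targets the newer v0.13.5. Because this file is a recompiled lock file, the version is whatever the compiler that produced it emitted, so the place to correct it is the compiler version used for the recompile, followed by a fresh recompile, rather than a hand edit that the next recompile would overwrite. The `--silent` flag also suppresses npm's output, so an unintended version is hard to spot in the job log; consider logging the installed CLI version in a following step.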
Claude Code version appears to be downgraded from 2.1.31 to 2.1.29. This seems inconsistent with the other version bumps in this PR (AWF v0.13.4 → v0.13.5, AWMG v0.0.98 → v0.0.99, Copilot CLI 0.0.402 → 0.0.403). Please verify that this downgrade is intentional and necessary for compatibility with AWF v0.13.5, or if this should be updated to a newer version.
| run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 | |
| run: npm install -g --silent @anthropic-ai/claude-code@2.1.31 |
PR #526 accidentally compiled with dev action mode (`./actions/setup`) instead of release mode (`github/gh-aw/actions/setup@SHA`). This causes activation jobs to fail because the local actions/setup directory doesn't exist in the firewall repo. Recompile with --action-mode release --action-tag v0.42.0. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Reverts the following PRs which introduced unnecessary complexity:

- #520: fix: enable Squid intercept mode for NAT-redirected traffic
- v0.13.5 release: chore(release): bump version to 0.13.5
- #524: fix: remove HTTP_PROXY/HTTPS_PROXY env vars from agent container
- #526: chore: recompile workflow lock files for AWF v0.13.5
- #527: fix: recompile lock files with release action mode
- #522: fix: mount /etc/hosts in chroot and fix HTTP blocking test
- #530: fix: restore HTTPS_PROXY, fix chroot hosts/permissions, fix Bun crash
- v0.13.6 release: chore(release): bump version to 0.13.6

The intercept mode (#520) was introduced to fix Codex failing with HTTP_PROXY, but the simpler fix is to just not set HTTP_PROXY for Codex. The intercept mode introduced a cascade of breakage:

- HTTPS can't be transparently intercepted (needs CONNECT method)
- Image version bumps required lock file recompilation
- host.docker.internal traffic crashed Squid under load
- Multiple PRs needed to fix each regression

This reverts to the pre-#520 explicit proxy mode (HTTP_PROXY/HTTPS_PROXY pointing to Squid port 3128) which worked for all engines.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
Problem
After #524 removed `HTTP_PROXY`/`HTTPS_PROXY` from the agent container environment, the v0.13.4 container images break:

- v0.13.4 `setup-iptables.sh` DNATs ports 80/443 → squid:3128 (explicit proxy port)
- Without `HTTP_PROXY`, tools make direct connections that get DNAT'd to port 3128
- Squid's port 3128 expects explicit proxy traffic (`CONNECT` method), not transparent traffic → connection failures
- v0.13.5 `setup-iptables.sh` DNATs ports 80/443 → squid:3129 (intercept port)
- Squid's port 3129 handles transparent/intercepted traffic correctly → works without HTTP_PROXY

This is why Smoke Claude and Smoke Copilot are broken on main after #524 merged.
Test plan
🤖 Generated with Claude Code
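
The port mismatch described in this PR, and the HTTPS limitation named in the later revert commit, can be caught before deployment by cross-checking the NAT rules against Squid's listener declarations. The following is an added example, not code from the AWF project; the squid.conf fragment, the rules and the proxy address are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample inputs, not taken from the AWF images: a squid.conf
# fragment and iptables-save style NAT rules (the proxy address is made up).
SQUID_CONF = """\
http_port 3128
http_port 3129 intercept
"""
RULES_TO_3128 = """\
-A OUTPUT -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.30.0.10:3128
-A OUTPUT -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.30.0.10:3128
"""
RULES_TO_3129 = RULES_TO_3128.replace(":3128", ":3129")

def squid_listeners(conf):
    """Map port -> (directive, mode), mode being 'intercept' or 'explicit'."""
    listeners = {}
    for line in conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] in ("http_port", "https_port"):
            port = int(fields[1].rsplit(":", 1)[-1])  # also accepts ip:port
            transparent = {"intercept", "tproxy"} & set(fields[2:])
            listeners[port] = (fields[0], "intercept" if transparent else "explicit")
    return listeners

def dnat_problems(rules, listeners):
    """Return (dport, target_port, reason) for each DNAT rule Squid cannot serve."""
    problems = []
    for line in rules.splitlines():
        m = re.search(r"--dport (\d+) .*-j DNAT --to-destination \S+:(\d+)", line)
        if not m:
            continue
        dport, target = int(m.group(1)), int(m.group(2))
        directive, mode = listeners.get(target, (None, None))
        if mode is None:
            reason = "no squid listener on target port"
        elif mode == "explicit":
            reason = "explicit proxy port"
        elif dport == 443 and directive == "http_port":
            reason = "TLS sent to plain-HTTP intercept port"  # assumes 443 is TLS
        else:
            continue
        problems.append((dport, target, reason))
    return problems

if __name__ == "__main__":
    listeners = squid_listeners(SQUID_CONF)
    for rules in (RULES_TO_3128, RULES_TO_3129):
        print(dnat_problems(rules, listeners))
```

Run as a CI step against the rendered firewall script and proxy config, a non-empty result fails the build before a mismatched image pair reaches the workflows.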