updated aws

[lpcox]

No description provided.

[Copilot]

Pull request overview

This PR updates a large set of compiled GitHub Agentic Workflows (*.lock.yml) to newer gh-aw/AWF versions and refreshes generated workflow details (cron scatter times, pinned action SHAs, sandbox invocation flags). It also adjusts the Large Payload Tester workflow configuration and updates the agentic-workflows dispatcher agent documentation.

Changes:

• Regenerated many workflow lock files to gh-aw v0.42.2 and awf v0.13.4, including updated setup action SHAs, cron scatter times, and updated sandbox execution flags (e.g., --enable-chroot, --skip-pull).
• Updated container image prefetch lists in some workflows and pinned MCP gateway images to explicit versions.
• Modified Large Payload Tester workflow configuration (mounts/gateway invocation) and changed the agentic-workflows dispatcher agent to reference upstream docs URLs.

Reviewed changes

Copilot reviewed 24 out of 25 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
.github/workflows/test-improver.lock.yml	Regenerated lock file (gh-aw/AWF version bumps, cron scatter, sandbox invocation changes).
.github/workflows/test-coverage-improver.lock.yml	Regenerated lock file (gh-aw/AWF version bumps, cron scatter, sandbox invocation changes).
.github/workflows/smoke-copilot.lock.yml	Regenerated lock file; updates image prefetch list and MCP gateway image pinning.
.github/workflows/smoke-codex.lock.yml	Regenerated lock file; updates setup action pin, awf invocation, allowed domains, and image prefetch list.
.github/workflows/semantic-function-refactor.lock.yml	Regenerated lock file (gh-aw/AWF version bumps, cron scatter, sandbox invocation changes).
.github/workflows/release.lock.yml	Regenerated lock file (gh-aw/AWF version bumps, cron scatter, sandbox invocation changes).
.github/workflows/plan.lock.yml	Regenerated lock file (gh-aw/AWF version bumps, cron scatter, sandbox invocation changes).
.github/workflows/nightly-mcp-stress-test.lock.yml	Regenerated lock file; adds firewall images to prefetch list and updates awf invocation.
.github/workflows/nightly-docs-reconciler.lock.yml	Regenerated lock file (gh-aw/AWF version bumps, cron scatter, sandbox invocation changes).
.github/workflows/mcp-gateway-log-analyzer.lock.yml	Regenerated lock file (gh-aw/AWF version bumps, cron scatter, sandbox invocation changes).
.github/workflows/large-payload-tester.md	Removes payload-related mounts from filesystem/gateway configuration in the source workflow.
.github/workflows/large-payload-tester.lock.yml	Regenerated lock file; updates gateway docker command and filesystem MCP mounts.
.github/workflows/language-support-tester.lock.yml	Regenerated lock file (cron scatter, setup action pin format changes).
.github/workflows/issue-monster.lock.yml	Regenerated lock file (gh-aw/AWF version bumps, cron scatter, sandbox invocation changes).
.github/workflows/go-logger.lock.yml	Regenerated lock file (gh-aw/AWF version bumps, cron scatter, sandbox invocation changes).
.github/workflows/go-fan.lock.yml	Regenerated lock file (gh-aw/AWF version bumps, cron scatter, sandbox invocation changes).
.github/workflows/duplicate-code-detector.lock.yml	Regenerated lock file (gh-aw/AWF version bumps, cron scatter, sandbox invocation changes).
.github/workflows/daily-multi-device-docs-tester.lock.yml	Regenerated lock file (cron scatter, setup action pin format changes).
.github/workflows/daily-compliance-checker.lock.yml	Regenerated lock file (gh-aw/AWF version bumps, cron scatter, sandbox invocation changes).
.github/aw/actions-lock.json	Adds additional action pins (e.g., anchore/sbom-action@v0.20.10) and adds setup@v0.42.9 entries.
.github/agents/upgrade-agentic-workflows.md	Deletes a local agent prompt file (relying on other references instead).
.github/agents/debug-agentic-workflow.agent.md	Deletes a local agent prompt file (relying on other references instead).
.github/agents/create-agentic-workflow.agent.md	Deletes a local agent prompt file (relying on other references instead).
.github/agents/agentic-workflows.agent.md	Updates dispatcher agent docs to reference upstream gh-aw URLs and adds orchestration/projects sections.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The workflow still configures a Serena MCP server (ghcr.io/github/serena-mcp-server:latest) and the AWF invocation uses --skip-pull, but the pre-download step no longer includes the Serena image. This will likely fail at runtime when the Serena container is started. Add ghcr.io/github/serena-mcp-server:latest to the download_docker_images.sh list (or stop using --skip-pull if images are meant to be pulled on demand).

Suggested change

	run: bash /opt/gh-aw/actions/download_docker_images.sh alpine:latest ghcr.io/github/gh-aw-firewall/agent-act:0.13.4 ghcr.io/github/gh-aw-firewall/squid:0.13.4 ghcr.io/github/gh-aw-mcpg:v0.0.98 ghcr.io/github/github-mcp-server:v0.30.3 mcr.microsoft.com/playwright/mcp node:lts-alpine
	run: bash /opt/gh-aw/actions/download_docker_images.sh alpine:latest ghcr.io/github/gh-aw-firewall/agent-act:0.13.4 ghcr.io/github/gh-aw-firewall/squid:0.13.4 ghcr.io/github/gh-aw-mcpg:v0.0.98 ghcr.io/github/github-mcp-server:v0.30.3 mcr.microsoft.com/playwright/mcp node:lts-alpine ghcr.io/github/serena-mcp-server:latest

[Copilot]

The imported test prompt expects agents to read stored payloads by translating /tmp/jq-payloads -> /workspace/mcp-payloads, but this workflow no longer mounts /tmp/jq-payloads into the filesystem MCP server. Without that mount, the agent cannot read stored payload files, so the workflow can’t validate the payload storage feature described in the prompt.

Suggested change

	- "/tmp/mcp-test-fs:/workspace/test-data:ro"
	- "/tmp/mcp-test-fs:/workspace/test-data:ro"
	- "/tmp/jq-payloads:/workspace/mcp-payloads:ro"

[Copilot]

The filesystem MCP server mounts only /tmp/mcp-test-fs, but the large-payload test prompt requires access to the gateway’s stored payload directory (expected to be mounted as /workspace/mcp-payloads). Add a mount for /tmp/jq-payloads (or whatever payload dir the gateway uses) into the filesystem server so the agent can read the stored payload.json referenced by payloadPath.

Suggested change

	"/tmp/mcp-test-fs:/workspace/test-data:ro"
	"/tmp/mcp-test-fs:/workspace/test-data:ro",
	"/tmp/jq-payloads:/workspace/mcp-payloads:ro"

[Copilot]

This gateway container is started with -v /tmp:/tmp:rw, which makes /tmp/mcp-test-fs directly accessible to the gateway. That contradicts the test design in .github/agentics/large-payload-tester.md (it states the test file is NOT accessible to the gateway and must be accessed via MCP). Either adjust the mounts to preserve isolation (store test data outside mounted paths) or update the test prompt/docs so the validation matches the actual architecture.

Suggested change

export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.0.98'

export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /opt:/opt:ro -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.0.98'

[Copilot]

This agent now points to upstream GitHub URLs for the gh-aw instruction/prompt files even though the repository already vendors these files under .github/aw/. This introduces an unnecessary external network dependency and can break in restricted/offline environments. Prefer referencing the local copies (e.g., @.github/aw/github-agentic-workflows.md, @.github/aw/create-agentic-workflow.md, etc.) so the dispatcher works reliably within the repo.