Skip to content

Fix tests after sandbox: false deprecation #14895

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
pelikhan merged 3 commits into from
Feb 11, 2026
Merged

Fix tests after sandbox: false deprecation #14895

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
7904741
Initial plan
Copilot Feb 11, 2026
30d417c
Fix tests after sandbox: false removal
Copilot Feb 11, 2026
86ce194
Verify test fixes and complete validation
Copilot Feb 11, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 14 additions & 11 deletions docs/src/content/docs/reference/frontmatter-full.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -909,37 +909,40 @@ network:
# example.com itself) and ecosystem names like 'python', 'node'.

# Sandbox configuration for AI engines. Controls agent sandbox (AWF or Sandbox
# Runtime) and MCP gateway.
# Runtime) and MCP gateway. The MCP gateway is always enabled and cannot be
# disabled.
# (optional)
# This field supports multiple formats (oneOf):

# Option 1: Set to false to completely disable sandbox features (firewall and
# gateway). Warning: This removes important security protections and should only
# be used in controlled environments. Not allowed in strict mode.
sandbox: true

# Option 2: Legacy string format for sandbox type: 'default' for no sandbox,
# Option 1: Legacy string format for sandbox type: 'default' for no sandbox,
# 'sandbox-runtime' or 'srt' for Anthropic Sandbox Runtime, 'awf' for Agent
# Workflow Firewall
sandbox: "default"

# Option 3: Object format for full sandbox configuration with agent and mcp
# Option 2: Object format for full sandbox configuration with agent and mcp
# options
sandbox:
# Legacy sandbox type field (use agent instead)
# (optional)
type: "default"

# Agent sandbox type: 'awf' uses AWF (Agent Workflow Firewall), 'srt' uses
# Anthropic Sandbox Runtime. Defaults to 'awf' if not specified.
# Anthropic Sandbox Runtime, or false to disable agent sandbox. Defaults to 'awf'
# if not specified. Note: Disabling the agent sandbox (false) removes firewall
# protection but keeps the MCP gateway enabled.
# (optional)
# This field supports multiple formats (oneOf):

# Option 1: Sandbox type: 'awf' for Agent Workflow Firewall, 'srt' for Sandbox
# Option 1: Set to false to disable the agent sandbox (firewall). Warning: This
# removes firewall protection but keeps the MCP gateway enabled. Not allowed in
# strict mode.
agent: true

# Option 2: Sandbox type: 'awf' for Agent Workflow Firewall, 'srt' for Sandbox
# Runtime
agent: "awf"

# Option 2: Custom sandbox runtime configuration
# Option 3: Custom sandbox runtime configuration
agent:
# Agent identifier (replaces 'type' field in new format): 'awf' for Agent Workflow
# Firewall, 'srt' for Sandbox Runtime
Expand Down
4 changes: 2 additions & 2 deletions pkg/workflow/firewall_default_enablement_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -440,7 +440,7 @@ func TestStrictModeFirewallValidation(t *testing.T) {
if err == nil {
t.Error("Expected error when sandbox.agent is false in strict mode for copilot")
}
expectedMsg := "sandbox: false"
expectedMsg := "sandbox.agent: false"
if !strings.Contains(err.Error(), expectedMsg) {
t.Errorf("Expected error message to contain '%s', got: %v", expectedMsg, err)
}
Expand All @@ -467,7 +467,7 @@ func TestStrictModeFirewallValidation(t *testing.T) {
if err == nil {
t.Error("Expected error for non-copilot engine with sandbox.agent: false in strict mode")
}
expectedMsg := "sandbox: false"
expectedMsg := "sandbox.agent: false"
if !strings.Contains(err.Error(), expectedMsg) {
t.Errorf("Expected error message to contain '%s', got: %v", expectedMsg, err)
}
Expand Down
35 changes: 21 additions & 14 deletions pkg/workflow/workflow_run_validation_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,8 @@ on:
types: [completed]
tools:
github: false
sandbox: false
sandbox:
agent: false
---

# Workflow Run Without Branches
Expand All @@ -45,7 +46,7 @@ Test workflow content.`,
strictMode: false,
expectError: false,
expectWarning: true,
warningCount: 2, // 1 for workflow_run without branches + 1 for sandbox: false
warningCount: 2, // 1 for workflow_run without branches + 1 for sandbox.agent: false
},
{
name: "workflow_run without branches - strict mode - should error",
Expand Down Expand Up @@ -80,7 +81,8 @@ on:
- develop
tools:
github: false
sandbox: false
sandbox:
agent: false
---

# Workflow Run With Branches
Expand All @@ -89,7 +91,7 @@ Test workflow content.`,
strictMode: false,
expectError: false,
expectWarning: false,
warningCount: 1, // 1 for sandbox: false
warningCount: 1, // 1 for sandbox.agent: false
},
{
name: "workflow_run with branches - strict mode - should pass",
Expand Down Expand Up @@ -122,7 +124,8 @@ on:
branches: [main]
tools:
github: false
sandbox: false
sandbox:
agent: false
---

# Push Workflow
Expand All @@ -131,7 +134,7 @@ Test workflow content.`,
strictMode: false,
expectError: false,
expectWarning: false,
warningCount: 1, // 1 for sandbox: false
warningCount: 1, // 1 for sandbox.agent: false
},
{
name: "mixed triggers with workflow_run without branches - should warn/error",
Expand All @@ -145,7 +148,8 @@ on:
types: [completed]
tools:
github: false
sandbox: false
sandbox:
agent: false
---

# Mixed Triggers
Expand All @@ -154,7 +158,7 @@ Test workflow content.`,
strictMode: false,
expectError: false,
expectWarning: true,
warningCount: 2, // 1 for workflow_run without branches + 1 for sandbox: false
warningCount: 2, // 1 for workflow_run without branches + 1 for sandbox.agent: false
},
{
name: "workflow_run with empty branches array - should warn/error",
Expand All @@ -167,7 +171,8 @@ on:
branches: []
tools:
github: false
sandbox: false
sandbox:
agent: false
---

# Workflow Run With Empty Branches
Expand All @@ -176,7 +181,7 @@ Test workflow content.`,
strictMode: false,
expectError: false,
expectWarning: false,
warningCount: 1, // 1 for sandbox: false
warningCount: 1, // 1 for sandbox.agent: false
},
}

Expand Down Expand Up @@ -236,14 +241,15 @@ strict: false
on: push
tools:
github: false
sandbox: false
sandbox:
agent: false
---

# No On Field
Test workflow content.`,
filename: "no-on-field.md",
expectError: false,
warningCount: 1, // 1 for sandbox: false
warningCount: 1, // 1 for sandbox.agent: false
},
{
name: "multiple workflow_run configs - first without branches - should warn",
Expand All @@ -255,14 +261,15 @@ on:
types: [completed]
tools:
github: false
sandbox: false
sandbox:
agent: false
---

# Multiple Workflows
Test workflow content.`,
filename: "multiple-workflows.md",
expectError: false,
warningCount: 2, // 1 for workflow_run without branches + 1 for sandbox: false
warningCount: 2, // 1 for workflow_run without branches + 1 for sandbox.agent: false
},
}

Expand Down
Loading