[awf] Bump firewall images to v0.25.66 and MCPG to v0.3.24 #37708
Copilot wants to merge 3 commits into
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...

💫 TO BE CONTINUED... Smoke Claude failed! Our hero faces unexpected challenges...

✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready.

❌ Test Quality Sentinel failed during test quality analysis.

✅ PR Code Quality Reviewer completed the code quality review.

❌ Design Decision Gate 🏗️ failed during design decision gate check.
Pull request overview
This PR bumps gh-aw’s default gh-aw-firewall (AWF) version to v0.25.66 and regenerates the checked-in workflow lock artifacts so they consistently reference the updated firewall container tags and schema URL.
Changes:
- Updated DefaultFirewallVersion to v0.25.66.
- Regenerated workflow *.lock.yml files to replace 0.25.65/v0.25.65 references with 0.25.66/v0.25.66 (images, AWF install step, and $schema URLs).
- Added a patch changeset documenting the bump and lock regeneration.
Show a summary per file
| File | Description |
|---|---|
| pkg/constants/version_constants.go | Bumps the default AWF version constant to v0.25.66. |
| .github/workflows/test-workflow.lock.yml | Regenerated lock to reference AWF v0.25.66 and firewall images 0.25.66. |
| .github/workflows/smoke-opencode.lock.yml | Regenerated lock to reference AWF v0.25.66 and firewall images 0.25.66. |
| .github/workflows/smoke-gemini.lock.yml | Regenerated lock to reference AWF v0.25.66 and firewall images 0.25.66 (including cli-proxy). |
| .github/workflows/smoke-crush.lock.yml | Regenerated lock to reference AWF v0.25.66 and firewall images 0.25.66. |
| .github/workflows/smoke-ci.lock.yml | Regenerated lock to reference AWF v0.25.66 and firewall images 0.25.66. |
| .github/workflows/smoke-antigravity.lock.yml | Regenerated lock to reference AWF v0.25.66 and firewall images 0.25.66 (including cli-proxy). |
| .github/workflows/hippo-embed.lock.yml | Regenerated lock to reference AWF v0.25.66 and firewall images 0.25.66. |
| .github/workflows/firewall.lock.yml | Regenerated lock to reference AWF v0.25.66 and firewall images 0.25.66. |
| .github/workflows/example-permissions-warning.lock.yml | Regenerated lock to reference AWF v0.25.66 and firewall images 0.25.66. |
| .github/workflows/daily-malicious-code-scan.lock.yml | Regenerated lock to reference AWF v0.25.66 and firewall images 0.25.66. |
| .github/workflows/codex-github-remote-mcp-test.lock.yml | Regenerated lock to reference AWF v0.25.66 and firewall images 0.25.66. |
| .github/workflows/bot-detection.lock.yml | Regenerated lock to reference AWF v0.25.66 and firewall images 0.25.66. |
| .github/workflows/agentic-token-optimizer.lock.yml | Regenerated lock to reference AWF v0.25.66 and firewall images 0.25.66 (including cli-proxy). |
| .github/workflows/ace-editor.lock.yml | Regenerated lock to reference AWF v0.25.66 and firewall images 0.25.66. |
| .changeset/patch-bump-awf-v0-25-66.md | Adds release note entry for the AWF bump + lock regeneration. |
Copilot's findings
- Files reviewed: 46/247 changed files
- Comments generated: 0
📰 BREAKING: Smoke Copilot - AOAI (apikey) is now investigating this pull request. Sources say the story is developing...
Agent Container Tool Check
Result: 12/12 tools available ✅ Overall Status: PASS
Skills-Based Review 🧠
Applied /zoom-out — approving this routine infrastructure bump.
📋 Key Themes & Highlights
Summary
This is a clean, mechanically correct version bump. The single authored change (DefaultFirewallVersion v0.25.65 → v0.25.66) drove the regeneration of all 245 lock files. No logic, control flow, or feature surface was touched.
Verification Checks
- ✅ DefaultFirewallVersion correctly updated to v0.25.66 in pkg/constants/version_constants.go
- ✅ All 245 lock files regenerated — no stale 0.25.65 references remain
- ✅ Lock file diffs are structurally uniform: only the 4 firewall container tags and GH_AW_INFO_AWF_VERSION env var changed; action SHA pins and other container digest pins are untouched
- ✅ Changeset file present and correctly scoped

⚠️ Note: The patch changeset classification should be confirmed against the gh-aw-firewall v0.25.66 release notes (see inline comment)
Positive Highlights
- ✅ Clean, well-scoped PR with a precise description
- ✅ The make recompile double-pass procedure was evidently followed correctly
- ✅ No collateral drift in unrelated container pins or secrets
Note on diff truncation
The diff was truncated at the 3,000-line cap; pkg/constants/version_constants.go was not visible in the patch. The file was inspected directly in the workspace and is correctly set to v0.25.66.
🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · 356.3 AIC · ⌖ 12.8 AIC
| @@ -0,0 +1,5 @@ | |||
| --- | |||
| "gh-aw": patch | |||
[/zoom-out] The patch semver classification is correct only if v0.25.66 is fully backward-compatible with v0.25.65. Since this file is the only human-authored description of the intent, it is worth confirming the upstream firewall release notes do not include any breaking changes, API additions, or new minimum-version constants that would require a minor bump instead.
💡 How to verify
Check the gh-aw-firewall release notes for v0.25.66 and confirm there are no new feature flags, removed endpoints, or schema changes. If any exist, update this to minor (or major for breaking changes) before merging.
Also note: version_constants.go already defines several AWF*MinVersion sentinel constants (e.g., AWFCliProxyMinVersion, AWFTokenSteeringMinVersion). If v0.25.66 introduces new gated features, a new min-version constant should accompany this bump.
Clean version bump. All 245 lock files consistently updated from v0.25.65 → v0.25.66. No unexpected changes beyond the firewall version strings (manifest JSON headers, comment blocks, env vars, binary install step, imageTag in AWF config JSON, and schema URL). Pre-existing SHA-pin asymmetry (firewall images tagged-only vs. digest-pinned mcpg/github-mcp-server) is unchanged by this PR and out of scope. Nothing to block.
🔎 Code quality review by PR Code Quality Reviewer · ⌖ 12.9 AIC
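The two checks the reviews above describe (no stale 0.25.65 references, and tag-only versus digest-pinned images) can be automated over lock-file text. This is an added example, not code from gh-aw or this PR; `AuditLock`, `Finding` and the sample lock text are hypothetical, and the digest is a placeholder.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// imageRef matches a ghcr.io image with an optional tag and optional digest.
var imageRef = regexp.MustCompile(
	`ghcr\.io/[a-z0-9._/-]+(?::[A-Za-z0-9._-]+)?(?:@sha256:[0-9a-f]{64})?`)

// Finding classifies one image reference found in lock-file text.
type Finding struct {
	Ref          string
	DigestPinned bool // reference carries an immutable @sha256 digest
	Stale        bool // tag still names the pre-bump version
}

// AuditLock returns one Finding per distinct image reference in text.
func AuditLock(text, oldVersion string) []Finding {
	old := strings.TrimPrefix(oldVersion, "v")
	seen := map[string]bool{}
	var out []Finding
	for _, ref := range imageRef.FindAllString(text, -1) {
		if seen[ref] {
			continue
		}
		seen[ref] = true
		name, _, pinned := strings.Cut(ref, "@sha256:")
		_, tag, _ := strings.Cut(name[strings.LastIndex(name, "/")+1:], ":")
		out = append(out, Finding{ref, pinned, strings.TrimPrefix(tag, "v") == old})
	}
	return out
}

// sampleLock is constructed for this example; the digest is a placeholder.
var sampleLock = `image: ghcr.io/github/gh-aw-firewall/agent:0.25.66
image: ghcr.io/github/gh-aw-firewall/squid:0.25.65
image: ghcr.io/github/gh-aw-mcpg:v0.3.24@sha256:` + strings.Repeat("0", 64)

func main() {
	for _, f := range AuditLock(sampleLock, "v0.25.65") {
		fmt.Printf("%-60s digest=%v stale=%v\n", f.Ref, f.DigestPinned, f.Stale)
	}
}
```

A tag-only reference can resolve to different image content over time, so a CI gate built on this would fail on any `Stale` finding and report the tag-only ones for follow-up.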
@copilot bump the mcpg version to https://github.com/github/gh-aw-mcpg/releases/tag/v0.3.24
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Updated in commit
💥 Automated smoke test review - all systems nominal!
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
- accounts.google.com
- android.clients.google.com
- clients2.google.com
- contentautofill.googleapis.com
- safebrowsingohttpgateway.googleapis.com
- www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

```yaml
network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"
```

See Network Configuration for more information.
💥 [THE END] — Illustrated by Smoke Claude · 71.2 AIC · ⌖ 25.3 AIC
| "gh-aw": patch | ||
| --- | ||
|
|
||
| Bump the default gh-aw-firewall version to v0.25.66 and regenerate workflow lock files to pick up the updated firewall image tags. |
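Review bot: The changeset body on the last line of this hunk names only the gh-aw-firewall bump to v0.25.66, while the PR title and the follow-up request on this thread also cover gh-aw-mcpg v0.3.24. Extend this entry to mention the MCPG bump, or confirm that a separate changeset records it, so the release notes list both version pins.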
Smoke test review: clear changeset description for the firewall version bump. 👍
| @@ -0,0 +1,5 @@ | |||
| --- | |||
| "gh-aw": patch | |||
Smoke test review: patch-level bump looks appropriate here. 💥
This updates gh-aw’s AWF compiler/lock generation to consume gh-aw-firewall v0.25.66 and gh-aw-mcpg v0.3.24, so generated lock files pin the requested firewall and MCP gateway images at those versions. The bump is limited to version pinning and regenerated lock artifacts.

Version pin updates
- DefaultFirewallVersion in pkg/constants/version_constants.go:
- DefaultMCPGatewayVersion in pkg/constants/version_constants.go:

Regenerated lock outputs
- ghcr.io/github/gh-aw-firewall/agent:0.25.66
- ghcr.io/github/gh-aw-firewall/api-proxy:0.25.66
- ghcr.io/github/gh-aw-firewall/squid:0.25.66
- ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.66
- ghcr.io/github/gh-aw-mcpg:v0.3.24

Release notes entries
✨ PR Review Safe Output Test - Run 27116877691
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
- accounts.google.com
- android.clients.google.com
- clients2.google.com
- contentautofill.googleapis.com
- safebrowsingohttpgateway.googleapis.com
- www.google.com

See Network Configuration for more information.