chore: bump Agent Workflow Firewall from v0.25.18 to v0.25.20 #25975

Closed
lpcox wants to merge 1 commit into main from chore/bump-firewall-v0.25.20

Conversation

@lpcox (Collaborator) commented Apr 13, 2026

Bumps the default Agent Workflow Firewall (AWF) version from v0.25.18 to v0.25.20.

Changes

  • Updated DefaultFirewallVersion constant in pkg/constants/version_constants.go
  • Rebuilt binary and recompiled all 187 workflow lock files

Closes #25925

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 13, 2026 03:00
Copilot AI (Contributor) left a comment

Pull request overview

This PR bumps the default Agent Workflow Firewall (AWF) version from v0.25.18 to v0.25.20, and regenerates workflow lock files to reference the updated AWF version.

Changes:

  • Updated DefaultFirewallVersion to v0.25.20.
  • Regenerated workflow *.lock.yml files to use AWF 0.25.20 for container images and v0.25.20 for AWF binary installation.
Summary per file:

File | Description
--- | ---
pkg/constants/version_constants.go | Updates the default AWF version constant to v0.25.20.
.github/workflows/workflow-generator.lock.yml | Regenerated lock file to reference AWF 0.25.20 across install/pull/run steps.
.github/workflows/test-workflow.lock.yml | Regenerated lock file to reference AWF 0.25.20.
.github/workflows/schema-feature-coverage.lock.yml | Regenerated lock file to reference AWF 0.25.20.
.github/workflows/refiner.lock.yml | Regenerated lock file to reference AWF 0.25.20.
.github/workflows/pr-triage-agent.lock.yml | Regenerated lock file to reference AWF 0.25.20.
.github/workflows/plan.lock.yml | Regenerated lock file to reference AWF 0.25.20.
.github/workflows/metrics-collector.lock.yml | Regenerated lock file to reference AWF 0.25.20.
.github/workflows/issue-triage-agent.lock.yml | Regenerated lock file to reference AWF 0.25.20.
.github/workflows/gpclean.lock.yml | Regenerated lock file to reference AWF 0.25.20.
.github/workflows/github-remote-mcp-auth-test.lock.yml | Regenerated lock file to reference AWF 0.25.20.
.github/workflows/firewall.lock.yml | Regenerated lock file to reference AWF 0.25.20.
.github/workflows/example-permissions-warning.lock.yml | Regenerated lock file to reference AWF 0.25.20.
.github/workflows/dev.lock.yml | Regenerated lock file to reference AWF 0.25.20.
.github/workflows/daily-malicious-code-scan.lock.yml | Regenerated lock file to reference AWF 0.25.20.
.github/workflows/contribution-check.lock.yml | Regenerated lock file to reference AWF 0.25.20.
.github/workflows/codex-github-remote-mcp-test.lock.yml | Regenerated lock file to reference AWF 0.25.20.
.github/workflows/code-simplifier.lock.yml | Regenerated lock file to reference AWF 0.25.20.
.github/workflows/changeset.lock.yml | Regenerated lock file to reference AWF 0.25.20.
.github/workflows/bot-detection.lock.yml | Regenerated lock file to reference AWF 0.25.20.
.github/workflows/ai-moderator.lock.yml | Regenerated lock file to reference AWF 0.25.20.
.github/workflows/ace-editor.lock.yml | Regenerated lock file to reference AWF 0.25.20.

Copilot's findings

  • Files reviewed: 65/188 changed files
  • Comments generated: 1

Comment on lines 1 to +2
# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"cfd7f6135eab81d11cbd703b3436241bc379da2ede370ecb3285f2186bde6d06","strict":true,"agent_id":"copilot"}
# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_AGENT_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"373c709c69115d41ff229c7e5df9f8788daa9553","version":"v9"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.18","digest":"sha256:c77e8c26bab6c39e8568d8e2f8c17015944849a8cbcdfb4bd9725d8893725ca2","pinned_image":"ghcr.io/github/gh-aw-firewall/agent:0.25.18@sha256:c77e8c26bab6c39e8568d8e2f8c17015944849a8cbcdfb4bd9725d8893725ca2"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.18","digest":"sha256:d16a40a3ca6e989896d0cef9f31b9412bb1fcc8755bafcafb95012ae1078539b","pinned_image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.18@sha256:d16a40a3ca6e989896d0cef9f31b9412bb1fcc8755bafcafb95012ae1078539b"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.18","digest":"sha256:eb102afcfbae26ffcec016adebb74d3be7b0a5bf376ba306599cdf3effbe288e","pinned_image":"ghcr.io/github/gh-aw-firewall/squid:0.25.18@sha256:eb102afcfbae26ffcec016adebb74d3be7b0a5bf376ba306599cdf3effbe288e"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.2.17","digest":"sha256:a6dec6ec535a11c565d982afa2f98589805ed0598862b9ea9d3c751fc71afae8","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.2.17@sha256:a6dec6ec535a11c565d982afa2f98589805ed0598862b9ea9d3c751fc71afae8"},{"image":"ghcr.io/github/github-mcp-server:v0.32.0","digest":"sha256:2763823c63bcca718ce53850a1d7fcf2f501ec84028394f1b63ce7e9f4f9be28","pinned_image":"ghcr.io/github/github-mcp-server:v0.32.0@sha256:2763823c63bcca718ce53850a1d7fcf2f501ec84028394f1b63ce7e9f4f9be28"},{"image":"node:lts-alpine","digest":"sha256:01743339035a5c3c11a373cd7c83aeab6
ed1457b55da6a69e014a95ac4e4700b","pinned_image":"node:lts-alpine@sha256:01743339035a5c3c11a373cd7c83aeab6ed1457b55da6a69e014a95ac4e4700b"}]}
# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_AGENT_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"373c709c69115d41ff229c7e5df9f8788daa9553","version":"v9"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.20"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.20"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.20"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.2.17","digest":"sha256:a6dec6ec535a11c565d982afa2f98589805ed0598862b9ea9d3c751fc71afae8","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.2.17@sha256:a6dec6ec535a11c565d982afa2f98589805ed0598862b9ea9d3c751fc71afae8"},{"image":"ghcr.io/github/github-mcp-server:v0.32.0","digest":"sha256:2763823c63bcca718ce53850a1d7fcf2f501ec84028394f1b63ce7e9f4f9be28","pinned_image":"ghcr.io/github/github-mcp-server:v0.32.0@sha256:2763823c63bcca718ce53850a1d7fcf2f501ec84028394f1b63ce7e9f4f9be28"},{"image":"node:lts-alpine","digest":"sha256:01743339035a5c3c11a373cd7c83aeab6ed1457b55da6a69e014a95ac4e4700b","pinned_image":"node:lts-alpine@sha256:01743339035a5c3c11a373cd7c83aeab6ed1457b55da6a69e014a95ac4e4700b"}]}
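
Review bot: in the replacement `# gh-aw-manifest` line, the three `ghcr.io/github/gh-aw-firewall/*:0.25.20` entries (agent, api-proxy, squid) carry only `image`, where the 0.25.18 entries they replace each had `digest` and `pinned_image`; the gh-aw-mcpg, github-mcp-server and node:lts-alpine entries in the same array still have both. Regenerate the lock so each 0.25.20 entry records its sha256 digest and an `image@sha256:…` pinned_image, and treat a container entry without a digest as a lock-generation failure rather than emitting it tag-only.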

Copilot AI Apr 13, 2026

The lock manifest no longer pins the AWF container images to immutable digests (the gh-aw-firewall entries only include a tag, while other containers still include digest/pinned_image). This weakens supply-chain guarantees and makes runs non-reproducible. Please restore digest + pinned_image fields for the AWF images (agent/api-proxy/squid) for this lock file (and other regenerated locks).

This issue also appears in the following locations of the same file:

  • line 44
  • line 417

Copilot uses AI. Check for mistakes.
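
The digest-pinning gap raised in the review comment above can be caught mechanically. The following is an added example, not code from gh-aw or from this PR: it assumes the manifest is single-line JSON after the `# gh-aw-manifest: ` prefix, as in the excerpt above, and the names `UnpinnedImages` and `sampleLock` as well as the placeholder digest are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

const manifestPrefix = "# gh-aw-manifest: "

// container mirrors one "containers" entry (JSON keys match case-insensitively).
type container struct {
	Image, Digest string
	PinnedImage   string `json:"pinned_image"`
}

// UnpinnedImages scans a lock file's manifest comment lines and reports every
// container that has no sha256 digest or whose pinned_image is not image@digest.
func UnpinnedImages(lock string) ([]string, error) {
	var findings []string
	for _, line := range strings.Split(lock, "\n") {
		if !strings.HasPrefix(line, manifestPrefix) {
			continue
		}
		var m struct{ Containers []container }
		if err := json.Unmarshal([]byte(strings.TrimPrefix(line, manifestPrefix)), &m); err != nil {
			return nil, fmt.Errorf("parse manifest: %w", err)
		}
		for _, c := range m.Containers {
			switch {
			case !strings.HasPrefix(c.Digest, "sha256:") || len(c.Digest) != 7+64:
				findings = append(findings, c.Image+": tag only, no sha256 digest")
			case c.PinnedImage != c.Image+"@"+c.Digest:
				findings = append(findings, c.Image+": pinned_image is not image@digest")
			}
		}
	}
	return findings, nil
}

// sampleLock builds a constructed lock-file header; the digest is a placeholder.
func sampleLock() string {
	d, fw := "sha256:"+strings.Repeat("ab", 32), "ghcr.io/github/gh-aw-firewall/"
	return manifestPrefix + `{"version":1,"containers":[{"image":"` + fw + `agent:0.25.20"},` +
		`{"image":"` + fw + `squid:0.25.20","digest":"` + d + `","pinned_image":"` + fw + `squid:0.25.18@` + d + `"},` +
		`{"image":"node:lts-alpine","digest":"` + d + `","pinned_image":"node:lts-alpine@` + d + `"}]}` + "\non: push\n"
}

func main() { fmt.Println(UnpinnedImages(sampleLock())) }
```

The constructed sample covers the tag-only case from this PR plus a stale pin left over from a previous version, which a presence-only check on `digest` would miss.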

@github-actions (Contributor) commented

Hey @lpcox 👋 — thanks for keeping the Agent Workflow Firewall up to date! Bumping DefaultFirewallVersion and regenerating all 187 lock files in one shot is exactly the kind of housekeeping that keeps the fleet consistent.

A few things worth tidying up before this lands:

  • Version mismatch with the linked issue — Issue chore: bump Agent Workflow Firewall (AWF) from v0.25.18 to v0.25.19 #25925 requested a bump from v0.25.18 → v0.25.19, but this PR lands on v0.25.20 (skipping .19 entirely). If v0.25.19 was intentionally bypassed, a brief note in the PR body would keep the audit trail clean.
  • Pin the constant in TestConstantValues — pkg/constants/constants_test.go already pins specific constant values in a table (e.g., DefaultActivationJobRunnerImage). DefaultFirewallVersion isn't there, so a reviewer can't tell at a glance what the "correct" value is. Adding it would also make accidental double-bumps visible in test failures.
  • Missing changeset file — Every prior AWF bump has a corresponding .changeset/patch-bump-awf-vX-Y-Z.md entry (there are 19 of them). A file like .changeset/patch-bump-awf-v0-25-20.md is expected for this PR.

Fix three small gaps in PR #25975 (AWF bump to v0.25.20):

1. Add a note to the PR body explaining why v0.25.19 was skipped (or open/close a separate issue for it).

2. In pkg/constants/constants_test.go, add DefaultFirewallVersion to the TestConstantValues pin table:
   {"DefaultFirewallVersion", constants.DefaultFirewallVersion, "v0.25.20"},

3. Add .changeset/patch-bump-awf-v0-25-20.md with content:
   ---
   "`@github/gh-aw`": patch
   ---
   chore: bump Agent Workflow Firewall from v0.25.18 to v0.25.20

Run `make agent-finish` to validate.

Generated by Contribution Check · ● 3.2M ·
