Agent-Logs-Url: https://github.com/github/gh-aw/sessions/66ab5ca4-3f88-4740-be3f-bb4c584b4a3d Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
@copilot bump to v0.25.20
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/4b252026-d647-45a7-8df7-c001920251a4 Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Done — bumped to
Warning: Firewall rules blocked me from connecting to one or more addresses
I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
Pull request overview
Routine bump of the Agent Workflow Firewall (AWF) version used by this repo’s tooling and generated GitHub Actions workflows.
Changes:
- Bump `DefaultFirewallVersion` from `v0.25.18` to `v0.25.20`.
- Recompile workflow lock files to reference `0.25.20` firewall container tags and `v0.25.20` AWF binary installs.
| File | Description |
|---|---|
| pkg/constants/version_constants.go | Updates the default AWF binary version to v0.25.20. |
| .github/workflows/workflow-generator.lock.yml | Updates workflow lock to use AWF v0.25.20 and firewall image tags 0.25.20. |
| .github/workflows/test-workflow.lock.yml | Updates workflow lock to use AWF v0.25.20 and firewall image tags 0.25.20. |
| .github/workflows/schema-feature-coverage.lock.yml | Updates workflow lock to use AWF v0.25.20 and firewall image tags 0.25.20. |
| .github/workflows/refiner.lock.yml | Updates workflow lock to use AWF v0.25.20 and firewall image tags 0.25.20. |
| .github/workflows/pr-triage-agent.lock.yml | Updates workflow lock to use AWF v0.25.20 and firewall image tags 0.25.20. |
| .github/workflows/plan.lock.yml | Updates workflow lock to use AWF v0.25.20 and firewall image tags 0.25.20. |
| .github/workflows/metrics-collector.lock.yml | Updates workflow lock to use AWF v0.25.20 and firewall image tags 0.25.20. |
| .github/workflows/issue-triage-agent.lock.yml | Updates workflow lock to use AWF v0.25.20 and firewall image tags 0.25.20. |
| .github/workflows/gpclean.lock.yml | Updates workflow lock to use AWF v0.25.20 and firewall image tags 0.25.20. |
| .github/workflows/github-remote-mcp-auth-test.lock.yml | Updates workflow lock to use AWF v0.25.20 and firewall image tags 0.25.20. |
| .github/workflows/firewall.lock.yml | Updates workflow lock to use AWF v0.25.20 and firewall image tags 0.25.20. |
| .github/workflows/example-permissions-warning.lock.yml | Updates workflow lock to use AWF v0.25.20 and firewall image tags 0.25.20. |
| .github/workflows/dev.lock.yml | Updates workflow lock to use AWF v0.25.20 and firewall image tags 0.25.20. |
| .github/workflows/daily-malicious-code-scan.lock.yml | Updates workflow lock to use AWF v0.25.20 and firewall image tags 0.25.20. |
| .github/workflows/contribution-check.lock.yml | Updates workflow lock to use AWF v0.25.20 and firewall image tags 0.25.20. |
| .github/workflows/codex-github-remote-mcp-test.lock.yml | Updates workflow lock to use AWF v0.25.20 and firewall image tags 0.25.20. |
| .github/workflows/code-simplifier.lock.yml | Updates workflow lock to use AWF v0.25.20 and firewall image tags 0.25.20. |
| .github/workflows/changeset.lock.yml | Updates workflow lock to use AWF v0.25.20 and firewall image tags 0.25.20. |
| .github/workflows/bot-detection.lock.yml | Updates workflow lock to use AWF v0.25.20 and firewall image tags 0.25.20. |
| .github/workflows/ai-moderator.lock.yml | Updates workflow lock to use AWF v0.25.20 and firewall image tags 0.25.20. |
| .github/workflows/ace-editor.lock.yml | Updates workflow lock to use AWF v0.25.20 and firewall image tags 0.25.20. |
Copilot's findings
- Files reviewed: 65/188 changed files
- Comments generated: 2
| @@ -1,5 +1,5 @@ | |||
| # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"cfd7f6135eab81d11cbd703b3436241bc379da2ede370ecb3285f2186bde6d06","strict":true,"agent_id":"copilot"} | |||
| # gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_AGENT_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"373c709c69115d41ff229c7e5df9f8788daa9553","version":"v9"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.18","digest":"sha256:c77e8c26bab6c39e8568d8e2f8c17015944849a8cbcdfb4bd9725d8893725ca2","pinned_image":"ghcr.io/github/gh-aw-firewall/agent:0.25.18@sha256:c77e8c26bab6c39e8568d8e2f8c17015944849a8cbcdfb4bd9725d8893725ca2"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.18","digest":"sha256:d16a40a3ca6e989896d0cef9f31b9412bb1fcc8755bafcafb95012ae1078539b","pinned_image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.18@sha256:d16a40a3ca6e989896d0cef9f31b9412bb1fcc8755bafcafb95012ae1078539b"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.18","digest":"sha256:eb102afcfbae26ffcec016adebb74d3be7b0a5bf376ba306599cdf3effbe288e","pinned_image":"ghcr.io/github/gh-aw-firewall/squid:0.25.18@sha256:eb102afcfbae26ffcec016adebb74d3be7b0a5bf376ba306599cdf3effbe288e"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.2.17","digest":"sha256:a6dec6ec535a11c565d982afa2f98589805ed0598862b9ea9d3c751fc71afae8","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.2.17@sha256:a6dec6ec535a11c565d982afa2f98589805ed0598862b9ea9d3c751fc71afae8"},{"image":"ghcr.io/github/github-mcp-server:v0.32.0","digest":"sha256:2763823c63bcca718ce53850a1d7fcf2f501ec84028394f1b63ce7e9f4f9be28","pinned_image":"ghcr.io/github/github-mcp-server:v0.32.0@sha256:2763823c63bcca718ce53850a1d7fcf2f501ec84028394f1b63ce7e9f4f9be28"},{"image":"node:lts-alpine","digest":"sha256:01743339035a5c3c11a373cd7c83aea
b6ed1457b55da6a69e014a95ac4e4700b","pinned_image":"node:lts-alpine@sha256:01743339035a5c3c11a373cd7c83aeab6ed1457b55da6a69e014a95ac4e4700b"}]} | |||
| # gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_AGENT_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"373c709c69115d41ff229c7e5df9f8788daa9553","version":"v9"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.20"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.20"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.20"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.2.17","digest":"sha256:a6dec6ec535a11c565d982afa2f98589805ed0598862b9ea9d3c751fc71afae8","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.2.17@sha256:a6dec6ec535a11c565d982afa2f98589805ed0598862b9ea9d3c751fc71afae8"},{"image":"ghcr.io/github/github-mcp-server:v0.32.0","digest":"sha256:2763823c63bcca718ce53850a1d7fcf2f501ec84028394f1b63ce7e9f4f9be28","pinned_image":"ghcr.io/github/github-mcp-server:v0.32.0@sha256:2763823c63bcca718ce53850a1d7fcf2f501ec84028394f1b63ce7e9f4f9be28"},{"image":"node:lts-alpine","digest":"sha256:01743339035a5c3c11a373cd7c83aeab6ed1457b55da6a69e014a95ac4e4700b","pinned_image":"node:lts-alpine@sha256:01743339035a5c3c11a373cd7c83aeab6ed1457b55da6a69e014a95ac4e4700b"}]} | |||
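Review bot: in the new gh-aw-manifest line the three gh-aw-firewall entries (agent, api-proxy and squid at 0.25.20) carry only "image", while gh-aw-mcpg, github-mcp-server and node:lts-alpine on the same line still carry digest and pinned_image, so the header now mixes pinned and tag-only containers. A tag can be re-pointed at the registry, which the @sha256 references on the replaced line could not. Suggest the compile step fail, or at minimum warn loudly, whenever it would emit a container entry without a digest, so a missing pin cannot be committed unnoticed.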
The gh-aw-manifest container entries for the gh-aw-firewall images no longer include resolved digests / pinned_image fields (they’re now tag-only, e.g. ghcr.io/github/gh-aw-firewall/agent:0.25.20). This weakens the repository’s intended deterministic, supply-chain-safe container pinning (see pkg/workflow/docker.go:14-17 and pkg/workflow/action_cache.go:30-32). Please update the container pin cache (typically .github/aw/actions-lock.json) to include the 0.25.20 digests and recompile so the lock file records @sha256 pins for these images.
This issue also appears on line 418 of the same file.
| @@ -1,5 +1,5 @@ | |||
| # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"c1289924ef5c241c6bf7aede9e9822e6fe5e48cd5d6242834bb75725a19e6fd8","strict":true,"agent_id":"copilot"} | |||
| # gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"373c709c69115d41ff229c7e5df9f8788daa9553","version":"v9"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.18","digest":"sha256:c77e8c26bab6c39e8568d8e2f8c17015944849a8cbcdfb4bd9725d8893725ca2","pinned_image":"ghcr.io/github/gh-aw-firewall/agent:0.25.18@sha256:c77e8c26bab6c39e8568d8e2f8c17015944849a8cbcdfb4bd9725d8893725ca2"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.18","digest":"sha256:d16a40a3ca6e989896d0cef9f31b9412bb1fcc8755bafcafb95012ae1078539b","pinned_image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.18@sha256:d16a40a3ca6e989896d0cef9f31b9412bb1fcc8755bafcafb95012ae1078539b"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.18","digest":"sha256:eb102afcfbae26ffcec016adebb74d3be7b0a5bf376ba306599cdf3effbe288e","pinned_image":"ghcr.io/github/gh-aw-firewall/squid:0.25.18@sha256:eb102afcfbae26ffcec016adebb74d3be7b0a5bf376ba306599cdf3effbe288e"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.2.17","digest":"sha256:a6dec6ec535a11c565d982afa2f98589805ed0598862b9ea9d3c751fc71afae8","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.2.17@sha256:a6dec6ec535a11c565d982afa2f98589805ed0598862b9ea9d3c751fc71afae8"},{"image":"ghcr.io/github/github-mcp-server:v0.32.0","digest":"sha256:2763823c63bcca718ce53850a1d7fcf2f501ec84028394f1b63ce7e9f4f9be28","pinned_image":"ghcr.io/github/github-mcp-server:v0.32.0@sha256:2763823c63bcca718ce53850a1d7fcf2f501ec84028394f1b63ce7e9f4f9be28"}]} | |||
| # gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"373c709c69115d41ff229c7e5df9f8788daa9553","version":"v9"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.20"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.20"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.20"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.2.17","digest":"sha256:a6dec6ec535a11c565d982afa2f98589805ed0598862b9ea9d3c751fc71afae8","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.2.17@sha256:a6dec6ec535a11c565d982afa2f98589805ed0598862b9ea9d3c751fc71afae8"},{"image":"ghcr.io/github/github-mcp-server:v0.32.0","digest":"sha256:2763823c63bcca718ce53850a1d7fcf2f501ec84028394f1b63ce7e9f4f9be28","pinned_image":"ghcr.io/github/github-mcp-server:v0.32.0@sha256:2763823c63bcca718ce53850a1d7fcf2f501ec84028394f1b63ce7e9f4f9be28"}]} | |||
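Review bot: the new manifest line drops digest and pinned_image for the same three gh-aw-firewall entries (agent, api-proxy, squid) while the frontmatter_hash on the line above is unchanged, so the pins are lost purely by recompiling against the new version, not by any edit to the workflow source. The version bump and the digest resolution should land together: record the 0.25.20 digests first, then recompile, so that this line changes only in its tag and digest values and never loses the fields.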
The gh-aw-manifest header no longer includes digest/pinned_image information for the gh-aw-firewall images, leaving them tag-only. This reduces determinism and supply-chain integrity for compiled workflows; please ensure the 0.25.20 firewall images are digest-pinned via the container pin cache and then recompile the lock files.
This issue also appears on line 352 of the same file.
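A check of the kind these review comments call for, as an added example (not code from gh-aw): it parses a lock file's `# gh-aw-manifest:` header and returns every container entry that is not digest-pinned. The function name, the sample image names and the sample digest are constructed for illustration; only the header prefix and the `image`, `digest` and `pinned_image` fields come from the diff above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

const manifestPrefix = "# gh-aw-manifest: "
var digestRE = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

type manifest struct {
	Containers []struct {
		Image       string `json:"image"`
		Digest      string `json:"digest"`
		PinnedImage string `json:"pinned_image"`
	} `json:"containers"`
}

// UnpinnedContainers (hypothetical helper) lists images whose entry lacks a sha256 digest or an exact image@digest pin.
func UnpinnedContainers(lockFile string) ([]string, error) {
	for _, line := range strings.Split(lockFile, "\n") {
		raw := strings.TrimPrefix(line, manifestPrefix)
		if raw == line { // prefix absent: not the manifest header
			continue
		}
		var m manifest
		if err := json.Unmarshal([]byte(raw), &m); err != nil {
			return nil, fmt.Errorf("bad manifest JSON: %w", err)
		}
		var bad []string
		for _, c := range m.Containers {
			if !digestRE.MatchString(c.Digest) || c.PinnedImage != c.Image+"@"+c.Digest {
				bad = append(bad, c.Image)
			}
		}
		return bad, nil
	}
	return nil, fmt.Errorf("no gh-aw-manifest header found")
}

// Constructed sample header: one tag-only entry, one digest-pinned entry.
var sampleDigest = "sha256:" + strings.Repeat("a", 64)
var sample = manifestPrefix + `{"containers":[{"image":"example.test/fw/squid:1.0.0"},` +
	`{"image":"example.test/fw/agent:1.0.0","digest":"` + sampleDigest + `","pinned_image":"example.test/fw/agent:1.0.0@` + sampleDigest + `"}]}`

func main() {
	fmt.Println(UnpinnedContainers("name: demo\n" + sample + "\n"))
}
```

Run over each generated lock file in CI, a non-empty result or an error is the signal to block the merge.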
Closing in favor of #25975 which includes SHA256 digest pins for all v0.25.20 container images.
Routine version bump of the Agent Workflow Firewall (AWF) binary.
Changes
- `pkg/constants/version_constants.go` — `DefaultFirewallVersion`: `v0.25.18` → `v0.25.20`
- `agent`, `api-proxy`, `squid`) updated from `0.25.18` → `0.25.20`