Bump gh-aw-firewall to v0.27.31 and refresh AWF pin/schema artifacts#45176
Conversation
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
|
🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅ |
|
✅ PR Code Quality Reviewer completed the code quality review. |
|
✅ Design Decision Gate 🏗️ completed the design decision gate check. No ADR enforcement needed: PR #45176 does not have the 'implementation' label and has 0 new lines of code in business logic directories (threshold: 100). |
|
✅ Test Quality Sentinel completed test quality analysis. |
|
@copilot remove all the recompiled lock.yml files from this pr. They should not be updated |
There was a problem hiding this comment.
Clean version bump — no issues found
This PR is a mechanical refresh of gh-aw-firewall from v0.27.30 → v0.27.31. I verified:
- All new SHA256 digests in
actions-lock.jsonare well-formed (64-hex chars) - Digests are consistent across all 21 embedded
gh-aw-manifestlines in the regenerated.lock.ymlfiles - Digests match between
actions-lock.jsonand the lock-file manifests — no drift - No stale
v0.27.30references remain in the tree - No source, schema, or test logic changed — pure artifact refresh
🔎 Code quality review by PR Code Quality Reviewer · 52.6 AIC · ⌖ 4.32 AIC · ⊞ 5.4K
Comment /review to run again
There was a problem hiding this comment.
Pull request overview
Updates gh-aw to AWF v0.27.31, aligning compiler schemas, container pins, tests, and generated workflows.
Changes:
- Bumps the default AWF version and container digests.
- Syncs
containerRuntimeschema support forgvisorandsbx. - Refreshes validation tests, golden files, lockfiles, and release metadata.
Show a summary per file
| File | Description |
|---|---|
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden |
Refreshes AWF references. |
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden |
Refreshes AWF references. |
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden |
Refreshes AWF references. |
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden |
Refreshes AWF references. |
pkg/workflow/testdata/TestWasmGolden_AllEngines/pi.golden |
Updates Pi golden output. |
pkg/workflow/testdata/TestWasmGolden_AllEngines/gemini.golden |
Updates Gemini golden output. |
pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden |
Updates Copilot golden output. |
pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden |
Updates Codex golden output. |
pkg/workflow/testdata/TestWasmGolden_AllEngines/claude.golden |
Updates Claude golden output. |
pkg/workflow/schemas/awf-config.schema.json |
Syncs runtime enum and description. |
pkg/workflow/docker_firewall_pin_compile_test.go |
Updates expected image digests. |
pkg/workflow/data/action_pins.json |
Refreshes embedded workflow pins. |
pkg/workflow/awf_config_test.go |
Adds sbx schema validation coverage. |
pkg/constants/version_constants.go |
Bumps default AWF to v0.27.31. |
pkg/actionpins/data/action_pins.json |
Refreshes embedded package pins. |
.github/workflows/example-permissions-warning.lock.yml |
Recompiles workflow with new AWF pins. |
.github/workflows/codex-github-remote-mcp-test.lock.yml |
Recompiles workflow with new AWF pins. |
.github/workflows/bot-detection.lock.yml |
Recompiles workflow with new AWF pins. |
.github/aw/actions-lock.json |
Updates cached AWF image pins. |
.changeset/patch-bump-awf-v0-27-31.md |
Records the patch release change. |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 35/273 changed files
- Comments generated: 2
- Review effort level: Medium
| "ghcr.io/github/gh-aw-firewall/agent-act:0.27.31": { | ||
| "image": "ghcr.io/github/gh-aw-firewall/agent-act:0.27.31", | ||
| "digest": "sha256:58fee05c1c54ba5ca1e7056b3aaea30281841d5899093002e2c650710c50540f", | ||
| "pinned_image": "ghcr.io/github/gh-aw-firewall/agent-act:0.27.31@sha256:58fee05c1c54ba5ca1e7056b3aaea30281841d5899093002e2c650710c50540f" |
| @@ -572,7 +572,8 @@ | |||
| }, | |||
| "containerRuntime": { | |||
| "type": "string", | |||
| "description": "OCI runtime for the agent container. Set to \"gvisor\" to run the agent under gVisor's runsc runtime for additional kernel-level isolation. AWF translates \"gvisor\" to \"runsc\" internally. Requires AWF >= v0.27.30." | |||
| "enum": ["gvisor", "sbx"], | |||
🧪 Test Quality Sentinel Report
📊 Metrics (1 test)
Note: Verdict
References: Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
There was a problem hiding this comment.
Skills-Based Review 🧠
Applied /tdd and /codebase-design — commenting on two non-blocking observations. The bulk of this PR (273 generated lock files) is mechanical and correct.
📋 Key Themes & Highlights
Key Themes
- Schema enum gap:
containerRuntimetightened from free-form string to["gvisor", "sbx"]— good, but the two-sided test contract is incomplete:gvisoris untested against the new enum, and there's no rejection test for invalid values. - Dead enum value:
"sbx"is now in the schema, butgetAgentContainerRuntime()never emits it (docker-sbx goes via CLI flag--container-runtime sbx). The schema description doesn't explain this split, which may confuse future contributors.
Positive Highlights
- ✅ Adding the
enumconstraint is a correctness improvement — previously any string would silently pass schema validation - ✅
TestValidateAWFConfigJSON_AllowsSbxContainerRuntimeis a good regression anchor for the new schema contract - ✅ Version bump, pin refresh, and changeset are all consistent and complete
- ✅ PR description is clear and complete
🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · 83.7 AIC · ⌖ 4.66 AIC · ⊞ 6.6K
Comment /matt to run again
| @@ -1152,6 +1152,11 @@ func TestValidateAWFConfigJSON_AllowsMaxTurnCacheMisses(t *testing.T) { | |||
| require.NoError(t, err, "maxCacheMisses should pass compile-time schema validation") | |||
| } | |||
|
|
|||
| func TestValidateAWFConfigJSON_AllowsSbxContainerRuntime(t *testing.T) { | |||
| err := validateAWFConfigJSON(`{"container":{"containerRuntime":"sbx"}}`) | |||
| require.NoError(t, err, "container.containerRuntime=sbx should pass compile-time schema validation") | |||
There was a problem hiding this comment.
[/tdd] Missing symmetry: gvisor is not tested against the new enum-restricted schema, and no negative test guards against invalid values like "runc".
Since containerRuntime was previously a free-form string and is now an enum, a typo or unsupported value would be silently accepted by old code but rejected by AWF at runtime.
💡 Suggested additions
func TestValidateAWFConfigJSON_AllowsGVisorContainerRuntime(t *testing.T) {
err := validateAWFConfigJSON(`{"container":{"containerRuntime":"gvisor"}}`)
require.NoError(t, err, "container.containerRuntime=gvisor should pass compile-time schema validation")
}
func TestValidateAWFConfigJSON_RejectsUnknownContainerRuntime(t *testing.T) {
err := validateAWFConfigJSON(`{"container":{"containerRuntime":"runc"}}`)
require.Error(t, err, "container.containerRuntime must only accept enum values")
}This mirrors the existing TestValidateAWFConfigJSON_RejectsInvalidJSON two-sided pattern.
@copilot please address this.
| @@ -572,7 +572,8 @@ | |||
| }, | |||
| "containerRuntime": { | |||
| "type": "string", | |||
| "description": "OCI runtime for the agent container. Set to \"gvisor\" to run the agent under gVisor's runsc runtime for additional kernel-level isolation. AWF translates \"gvisor\" to \"runsc\" internally. Requires AWF >= v0.27.30." | |||
| "enum": ["gvisor", "sbx"], | |||
There was a problem hiding this comment.
[/codebase-design] The schema now restricts containerRuntime to ["gvisor", "sbx"], but getAgentContainerRuntime() in firewall.go returns "" (not "sbx") when the runtime is docker-sbx. This means "sbx" is an accepted enum value that no code path currently writes to the AWF config JSON.
This is intentional if AWF's sbx runtime is configured by the --container-runtime sbx CLI flag (in awf_helpers.go), not via the JSON config field. But if that's the case, the schema description could clarify this to avoid confusion for users.
💡 Suggested clarification
Either:
- Add a note in the schema description:
"sbx" is passed as a CLI flag by gh-aw; do not set this directly. - Or, if
"sbx"in the JSON config is a future/AWF-side feature, add a comment ingetAgentContainerRuntime()explaining why it is excluded.
@copilot please address this.
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Done — all 256 recompiled |
|
Smoke test results: 1✅ 2✅ 3❌ 4✅ 5✅ 6✅ 7❌ 8✅ 9❌ 10✅ 11✅ 12✅ 13✅ 14❌ 15❌. Overall FAIL. Warning Firewall blocked 6 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
|
There was a problem hiding this comment.
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
accounts.google.comandroid.clients.google.comclients2.google.comcontentautofill.googleapis.comsafebrowsingohttpgateway.googleapis.comwww.google.com
To allow these domains, add them to the
network.allowedlist in your workflow frontmatter:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
📰 BREAKING: Report filed by Smoke Copilot - AOAI (Entra) · 46.7 AIC · ⌖ 2.08 AIC · ⊞ 17.6K
Comment /smoke-copilot-aoai-entra to run again
Add label smoke to run again
|
Unresolved review threads (newest first):
Run: https://github.com/github/gh-aw/actions/runs/29229130219
|
Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
…sbx schema Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
Addressed all actionable review threads in commit
For the changeset thread: All local checks pass ( |
|
@copilot merge main and recompile |
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Done — merged main and recompiled all 257 workflows in commits |
🤖 PR Triage
Rationale:
|
|
🎉 This pull request is included in a new release. Release: |
This updates gh-aw to
gh-aw-firewallv0.27.31and pulls in the upstream AWF schema change shipped with that release. It also refreshes the generated artifacts that depend on the default AWF version and its pinned container metadata.Version + release artifact refresh
DefaultFirewallVersiontov0.27.31AWF schema sync
v0.27.31releasecontainer.containerRuntimeto match the published schema contract, including explicitgvisor/sbxenum supportContainer pin refresh
.github/aw/actions-lock.jsonwith thev0.27.31AWF image digestsRegression coverage
containerRuntime: "sbx"Example of the schema contract now reflected locally:
{ "container": { "containerRuntime": "sbx" } }✨ PR Review Safe Output Test - Run 29225835871
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
accounts.google.comandroid.clients.google.comclients2.google.comcontentautofill.googleapis.comsafebrowsingohttpgateway.googleapis.comwww.google.comSee Network Configuration for more information.