Skip to content

Bump pinned agentic CLI/MCP tool versions for 2026-07-13#45215

Merged
pelikhan merged 6 commits into
mainfrom
copilot/cli-version-updates
Jul 13, 2026
Merged

Bump pinned agentic CLI/MCP tool versions for 2026-07-13#45215
pelikhan merged 6 commits into
mainfrom
copilot/cli-version-updates

Conversation

Copilot AI commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Refresh the default pinned versions for the latest low-risk CLI/MCP releases in pkg/constants/version_constants.go, including the Codex 0.144.3 bump and the Playwright CLI cooldown release to 0.1.17. This also updates generated workflow outputs and golden fixtures that embed those pinned versions.

  • Version constants

    • Update pinned defaults for:
      • Claude Code 2.1.2012.1.207
      • Copilot CLI 1.0.681.0.70
      • Copilot SDK 1.0.51.0.6
      • Codex 0.142.50.144.3
      • Pi 0.80.30.80.6
      • Playwright MCP 0.0.770.0.78
      • Playwright CLI 0.1.150.1.17
  • Playwright CLI cooldown metadata

    • Advance TestDefaultPlaywrightCLIVersionOutsideCooldownWindow to the new expected version.
    • Update the published timestamp used to enforce the 72h npm release-age window.
  • Generated artifacts

    • Recompile .lock.yml workflows so embedded install steps and GH_AW_INFO_VERSION metadata reflect the new pins.
    • Refresh affected wasm golden fixtures that snapshot compiled workflow output.
const DefaultCopilotVersion Version = "1.0.70"
const DefaultCodexVersion Version = "0.144.3"
const DefaultPlaywrightCLIVersion Version = "0.1.17"


✨ PR Review Safe Output Test - Run 29231270254

💥 [THE END] — Illustrated by Smoke Claude · 108.1 AIC · ⌖ 31.8 AIC · ⊞ 8.4K ·
Comment /smoke-claude to run again

Copilot AI and others added 2 commits July 13, 2026 06:57
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Update CLI tools version constants Bump pinned agentic CLI/MCP tool versions for 2026-07-13 Jul 13, 2026
Copilot AI requested a review from pelikhan July 13, 2026 07:11
@pelikhan pelikhan marked this pull request as ready for review July 13, 2026 07:11
Copilot AI review requested due to automatic review settings July 13, 2026 07:11
@pelikhan pelikhan added the smoke label Jul 13, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates default agent CLI/MCP pins and regenerates workflows and golden fixtures.

Changes:

  • Bumps seven tool versions and Playwright cooldown metadata.
  • Refreshes generated workflow and wasm golden outputs.
  • Also introduces automatic CLI-proxy lockdown in three workflows, outside the stated scope.
Show a summary per file
File Description
pkg/constants/version_constants.go Updates default version pins.
pkg/constants/version_constants_test.go Updates Playwright release-age metadata.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden Refreshes Copilot fixture.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden Refreshes Copilot fixture.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden Refreshes Copilot and Playwright CLI pins.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden Refreshes Copilot fixture.
pkg/workflow/testdata/TestWasmGolden_AllEngines/pi.golden Refreshes Pi fixture.
pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden Refreshes Copilot fixture.
pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden Refreshes Codex fixture.
pkg/workflow/testdata/TestWasmGolden_AllEngines/claude.golden Refreshes Claude fixture.
.github/workflows/workflow-skill-extractor.lock.yml Updates generated Copilot pin.
.github/workflows/video-analyzer.lock.yml Updates generated Copilot pin.
.github/workflows/smoke-gemini.lock.yml Changes generated proxy policy.
.github/workflows/smoke-ci.lock.yml Updates generated Copilot metadata.
.github/workflows/smoke-antigravity.lock.yml Changes generated proxy policy.
.github/workflows/schema-feature-coverage.lock.yml Updates generated Codex pin.
.github/workflows/research.lock.yml Updates generated Copilot pin.
.github/workflows/repo-tree-map.lock.yml Updates generated Copilot pin.
.github/workflows/issue-triage-agent.lock.yml Updates generated Copilot pin.
.github/workflows/hippo-embed.lock.yml Updates Pi and proxy policy.
.github/workflows/grumpy-reviewer.lock.yml Updates generated Codex pin.
.github/workflows/go-pattern-detector.lock.yml Updates generated Claude pin.
.github/workflows/github-remote-mcp-auth-test.lock.yml Updates generated Copilot pin.
.github/workflows/github-mcp-tools-report.lock.yml Updates generated Claude pin.
.github/workflows/firewall.lock.yml Updates Copilot CLI and SDK pins.
.github/workflows/example-permissions-warning.lock.yml Updates generated Copilot pin.
.github/workflows/example-failure-category-filter.lock.yml Updates generated Copilot pin.
.github/workflows/duplicate-code-detector.lock.yml Updates generated Codex pin.
.github/workflows/daily-team-status.lock.yml Updates generated Copilot pin.
.github/workflows/daily-team-evolution-insights.lock.yml Updates generated Claude pin.
.github/workflows/daily-regulatory.lock.yml Updates generated Copilot pin.
.github/workflows/daily-max-ai-credits-test.lock.yml Updates generated Copilot pin.
.github/workflows/daily-malicious-code-scan.lock.yml Updates Copilot CLI and SDK pins.
.github/workflows/copilot-centralization-drilldown.lock.yml Updates generated Copilot pin.
.github/workflows/codex-github-remote-mcp-test.lock.yml Updates generated Codex pin.
.github/workflows/cli-version-checker.lock.yml Updates generated Claude pin.
.github/workflows/changeset.lock.yml Updates generated Codex pin.
.github/workflows/bot-detection.lock.yml Updates generated Copilot pin.
.github/workflows/blog-auditor.lock.yml Updates Claude and Playwright CLI pins.
.github/workflows/ai-moderator.lock.yml Updates generated Codex pin.
.github/workflows/ace-editor.lock.yml Updates generated Copilot pin.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 120/265 changed files
  • Comments generated: 3
  • Review effort level: Medium

@@ -958,7 +958,7 @@ jobs:
GITHUB_GRAPHQL_URL: ${{ env.GITHUB_GRAPHQL_URL }}
GITHUB_COPILOT_BASE_URL: ${{ env.GITHUB_COPILOT_BASE_URL }}
GH_AW_NETWORK_ISOLATION: 'true'
CLI_PROXY_POLICY: '{"allow-only":{"repos":"all","min-integrity":"none"}}'
CLI_PROXY_POLICY: '{"allow-only":{"repos":"${{ steps.determine-automatic-lockdown.outputs.repos }}","min-integrity":"${{ steps.determine-automatic-lockdown.outputs.min_integrity }}"}}'
@@ -953,7 +953,7 @@ jobs:
GITHUB_GRAPHQL_URL: ${{ env.GITHUB_GRAPHQL_URL }}
GITHUB_COPILOT_BASE_URL: ${{ env.GITHUB_COPILOT_BASE_URL }}
GH_AW_NETWORK_ISOLATION: 'true'
CLI_PROXY_POLICY: '{"allow-only":{"repos":"all","min-integrity":"none"}}'
CLI_PROXY_POLICY: '{"allow-only":{"repos":"${{ steps.determine-automatic-lockdown.outputs.repos }}","min-integrity":"${{ steps.determine-automatic-lockdown.outputs.min_integrity }}"}}'
@@ -862,7 +862,7 @@ jobs:
GITHUB_GRAPHQL_URL: ${{ env.GITHUB_GRAPHQL_URL }}
GITHUB_COPILOT_BASE_URL: ${{ env.GITHUB_COPILOT_BASE_URL }}
GH_AW_NETWORK_ISOLATION: 'true'
CLI_PROXY_POLICY: '{"allow-only":{"repos":"all","min-integrity":"none"}}'
CLI_PROXY_POLICY: '{"allow-only":{"repos":"${{ steps.determine-automatic-lockdown.outputs.repos }}","min-integrity":"${{ steps.determine-automatic-lockdown.outputs.min_integrity }}"}}'
@github-actions

Copy link
Copy Markdown
Contributor

🤖 PR Triage

Field Value
Category chore
Risk 🟢 Low
Score 61/100 (impact:20 urgency:25 quality:16)
Action auto_merge

Rationale: Routine pinned-version bump across 30 generated .lock.yml files. CI reviewer approved (success). Low risk — pure version pin refresh. Ready to auto-merge once CI is confirmed green.

Generated by 🔧 PR Triage Agent · 181 AIC · ⌖ 5.14 AIC · ⊞ 5.6K ·

@github-actions

github-actions Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Design Decision Gate 🏗️ completed the design decision gate check.

No ADR enforcement needed: PR #45215 does not have the 'implementation' label and has ≤100 new lines of code in business logic directories (58 additions detected).

@github-actions

github-actions Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

🚀 Smoke Pi MISSION COMPLETE! Pi delivered. 🥧

No PR comment/label applied: workflow context does not provide a usable triggering PR target for safeoutputs add_comment/add_labels.

@github-actions

github-actions Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Test Quality Sentinel completed test quality analysis.

No new test functions were added or modified in this PR. Only test constants in TestDefaultPlaywrightCLIVersionOutsideCooldownWindow were updated (version and timestamp). Test Quality Sentinel skipped.

@github-actions

github-actions Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅

@github-actions

github-actions Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

PR Code Quality Reviewer completed the code quality review.

@github-actions

github-actions Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

🚀 Smoke Gemini MISSION COMPLETE! Gemini has spoken. ✨

@github-actions

github-actions Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

🚀 Smoke Antigravity MISSION COMPLETE! Antigravity has spoken. ✨

@github-actions

github-actions Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready.

@github-actions

Copy link
Copy Markdown
Contributor

Agent Container Tool Check

Tool Status Version
bash 5.2.21
sh available
git 2.54.0
jq 1.7
yq 4.53.3
curl 8.5.0
gh 2.96.0
node 22.23.1
python3 3.11.15 (PyPy)
go 1.24.13
java 21.0.11
dotnet 10.0.301

Result: 12/12 tools available ✅

Overall Status: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔧 Tool validation by Agent Container Smoke Test · 14.2 AIC · ⌖ 7.81 AIC · ⊞ 4.5K ·
Comment /smoke-test-tools to run again

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Skills-Based Review 🧠

Applied /pr-triage — this is a routine version-bump PR.

All 265 changed files are auto-generated .lock.yml outputs. The only substantive change is in pkg/constants/version_constants.go, updating pinned CLI/MCP tool versions. There are no logic changes, new abstractions, or test-coverage concerns to address.

✅ No actionable findings — changes look consistent and mechanical.

🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · 22.7 AIC · ⌖ 4.29 AIC · ⊞ 6.6K
Comment /matt to run again

@github-actions

Copy link
Copy Markdown
Contributor

Smoke test FAIL

🔮 The oracle has spoken through Smoke Codex · 8.53 AIC · ⌖ 1.22 AIC · ⊞ 11.5K ·
Comment /smoke-codex to run again

@github-actions

Copy link
Copy Markdown
Contributor

Comment Memory

Silent checks begin
Browsers stumble, builds keep on
Results still record

Note

This comment is managed by comment memory.

It stores persistent context for this thread in the code block at the top of this comment.
Edit only the text inside the backtick fences; workflow metadata and the footer are regenerated automatically.

Learn more about comment memory

🔮 The oracle has spoken through Smoke Codex · 8.53 AIC · ⌖ 1.22 AIC · ⊞ 11.5K ·
Comment /smoke-codex to run again

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Policy changes bundled in a mechanical version bump — must be separated

This PR includes a systematic CLI_PROXY_POLICY change across a large fraction of the 265 recompiled lock files, converting hardcoded permissive policies (repos:all, min-integrity:none) to dynamic determine-automatic-lockdown step outputs. Three existing review comments flag specific files; the scope extends to at least 14 files in the visible diff and likely much more across the full 265-file recompile.

Findings detail

High: Undisclosed security policy change in version-bump PR

The compiler template (defaultCliProxyPolicyJSONTemplate in compiler_difc_proxy.go:511) was changed prior to this bump, and the recompile now bakes that policy change into all affected lock files. This is a behavioral change to the security posture of running workflows, not a version bump artifact. It needs a dedicated PR with explicit security review.

Files affected: All lock files where the pre-existing source workflow used the default CLI proxy policy. The hardcoded repos:all,min-integrity:none was the compiler default — now replaced by dynamic lockdown. This is potentially most of the 265 files.

Medium: Playwright CLI cooldown timestamp precision loss

publishedAtRFC3339 in version_constants_test.go was previously the exact npm publish timestamp. The new value 2026-07-09T19:11:00Z is rounded to the minute. If the rounding direction is wrong (rounds up), the test could fail near the 72h boundary. Use npm view @playwright/cli@0.1.17 --json | jq .time."0.1.17" to get the exact value.

Version bumps themselves

The core version constant changes (Claude Code, Copilot CLI, SDK, Codex, Pi, Playwright MCP/CLI) are straightforward and look correct.

🔎 Code quality review by PR Code Quality Reviewer · 87 AIC · ⌖ 4.8 AIC · ⊞ 5.4K
Comment /review to run again

Comments that could not be inline-anchored

.github/workflows/ab-testing-advisor.lock.yml:54

Undisclosed security policy change bundled in a version-bump PR: CLI_PROXY_POLICY is changing from the hardcoded permissive policy {&quot;repos&quot;:&quot;all&quot;,&quot;min-integrity&quot;:&quot;none&quot;} to the dynamic determine-automatic-lockdown step outputs across at least 14 lock files visible in the capped diff — and likely the majority of the 265 changed files.

<details>
<summary>💡 Why this matters</summary>

This is not a version-bump artifact. It reflects a change in the compiler's default policy template (`…

pkg/constants/version_constants_test.go:13

Cooldown timestamp rounded down — could cause flaky test near 72h boundary: publishedAtRFC3339 changed from a precise npm publish timestamp (millisecond precision) to a rounded value 2026-07-09T19:11:00Z.

<details>
<summary>💡 Details</summary>

The previous entry used the exact npm registry timestamp (e.g. 2026-06-30T14:53:08.941Z). The new entry dropped sub-second precision (2026-07-09T19:11:00Z). If the actual npm publish time was, say, 19:11:47Z, rounding down to :00Z makes…

@github-actions

Copy link
Copy Markdown
Contributor

🧪 Smoke Test: Claude — Run 29231270254

Overall: FAIL

Core #1-12: 1✅ 2✅ 3✅ 4❌(playwright browser daemon crash) 5✅ 6✅ 7✅ 8✅ 9✅ 10✅ 11✅ 12✅

PR Review #13-19: 13✅ 14✅ 15✅ 16⚠️(GraphQL API unavailable) 17✅ 18❌(push blocked: branch modifies 260+ files outside allowed-files) 19⚠️(no safe PR)

Run

💥 [THE END] — Illustrated by Smoke Claude · 108.1 AIC · ⌖ 31.8 AIC · ⊞ 8.4K ·
Comment /smoke-claude to run again

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💥 Automated smoke test review - all systems nominal!

💥 [THE END] — Illustrated by Smoke Claude · 108.1 AIC · ⌖ 31.8 AIC · ⊞ 8.4K
Comment /smoke-claude to run again

GH_AW_SETUP_WORKFLOW_NAME: "Daily A/B Testing Advisor"
GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/ab-testing-advisor.lock.yml@${{ github.ref }}
GH_AW_INFO_VERSION: "0.80.3"
GH_AW_INFO_VERSION: "0.80.6"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔍 Smoke test review: version pin bump to 0.80.6 looks consistent here. Nice work keeping GH_AW_INFO_VERSION in sync.

run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.30
- name: Install GitHub Copilot CLI
run: bash "${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh" 1.0.68
run: bash "${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh" 1.0.70

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔍 Smoke test review: Copilot CLI install bumped to 1.0.70 — confirm this matches the version constant. Looks good.

@github-actions

Copy link
Copy Markdown
Contributor

Tests 1-2: ✅; Tests 3-15: ❌; Overall: FAIL @pelikhan @Copilot

📰 BREAKING: Report filed by Smoke Copilot - AOAI (apikey) · 37 AIC · ⌖ 2.88 AIC · ⊞ 17.9K ·
Comment /smoke-copilot-aoai-apikey to run again
Add label smoke to run again

@github-actions

github-actions Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Comment Memory

Smoke fire test run
Bot hit rock, spark jump in dark
Night drum says pass soon

Note

This comment is managed by comment memory.

It stores persistent context for this thread in the code block at the top of this comment.
Edit only the text inside the backtick fences; workflow metadata and the footer are regenerated automatically.

Learn more about comment memory

Generated by 🧪 Smoke CI for #45215 ·

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Smoke bot leave short review. Tool chain mostly works.

📰 BREAKING: Report filed by Smoke Copilot · 125.7 AIC · ⌖ 4.67 AIC · ⊞ 19K
Comment /smoke-copilot to run again
Add label smoke to run again

@github-actions

Copy link
Copy Markdown
Contributor

🤖 PR Triage

Field Value
Category chore
Risk low
Score 52/100 (impact:25 urgency:15 quality:12)
Action auto_merge

Routine daily version bump — Claude Code, Codex, Playwright CLI. Pure constant + fixture churn, no logic change. CI passing. Auto-merge when smoke gate clears.

Generated by 🔧 PR Triage Agent · 35.9 AIC · ⌖ 4.4 AIC · ⊞ 5.6K ·

@pelikhan

Copy link
Copy Markdown
Collaborator

@copilot resolve the merge conflicts in this pull request

Copilot AI and others added 2 commits July 13, 2026 14:45
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…7.31 + version bumps

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jul 13, 2026

Copy link
Copy Markdown
Contributor Author

@copilot resolve the merge conflicts in this pull request

Merge conflicts resolved. The branch is now up to date with main — all 253 .lock.yml conflicts and 8 golden fixture conflicts have been resolved by:

  1. Merging in origin/main (which brought in firewall v0.27.30 → v0.27.31 and the DefaultFirewallVersion constant bump)
  2. Running make recompile to regenerate all lock files combining both our version bumps (pi 0.80.6, codex 0.144.3, etc.) and the new firewall version (v0.27.31)
  3. Running make update-wasm-golden to refresh the golden test fixtures

Pre-PR validation (make agent-report-progress) passes cleanly.

@pelikhan pelikhan merged commit c794fa9 into main Jul 13, 2026
21 checks passed
@pelikhan pelikhan deleted the copilot/cli-version-updates branch July 13, 2026 14:59
@github-actions

Copy link
Copy Markdown
Contributor

🎉 This pull request is included in a new release.

Release: v0.82.9

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

3 participants