Bump gh-aw-firewall to v0.25.54 and align embedded AWF schema#34568
Conversation
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
|
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing... |
|
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨ |
|
🚀 Smoke Pi MISSION COMPLETE! Pi delivered. 🥧 |
|
🚀 Smoke Gemini MISSION COMPLETE! Gemini has spoken. ✨ Smoke test completed with some failures. |
|
🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation... |
Agent Container Tool Check
Result: 11/12 tools available Overall Status: FAIL —
|
Smoke Test Results
Overall Status: FAIL Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "localhost"See Network Configuration for more information.
|
Smoke Claude — Run §26383812734Core #1–#13: ✅ all pass · PR Review #14–#19: ✅ (#17 Overall: PARTIAL (2 skips, 0 failures) Warning Firewall blocked 6 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
|
![github-actions[bot]](https://ghub.bbstale.com/avatars/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
💥 Automated smoke test review - all systems nominal!
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
accounts.google.comandroid.clients.google.comclients2.google.comcontentautofill.googleapis.comsafebrowsingohttpgateway.googleapis.comwww.google.com
To allow these domains, add them to the
network.allowedlist in your workflow frontmatter:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
💥 [THE END] — Illustrated by Smoke Claude · opus47 4.9M
| "gh-aw": patch | ||
| --- | ||
|
|
||
| Bump the default gh-aw-firewall version to v0.25.54 and sync the embedded AWF config schema. |
There was a problem hiding this comment.
Consider linking to the AWF release notes for v0.25.54 so reviewers can quickly see what changed in the firewall and schema bump.
| @@ -0,0 +1,5 @@ | |||
| --- | |||
| "gh-aw": patch | |||
There was a problem hiding this comment.
Patch level looks correct here — this is purely a dependency bump with no API surface changes.
|
Smoke Copilot 26383812738: FAIL Warning Firewall blocked 6 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
|
There was a problem hiding this comment.
Smoke review completed: checked the version bump and changeset wiring; no blocking findings from this validation pass.
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
accounts.google.comandroid.clients.google.comclients2.google.comcontentautofill.googleapis.comsafebrowsingohttpgateway.googleapis.comwww.google.com
To allow these domains, add them to the
network.allowedlist in your workflow frontmatter:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
📰 BREAKING: Report filed by Smoke Copilot · gpt55 5.4M
| "gh-aw": patch | ||
| --- | ||
|
|
||
| Bump the default gh-aw-firewall version to v0.25.54 and sync the embedded AWF config schema. |
There was a problem hiding this comment.
Smoke review note: the release note clearly captures both the AWF version bump and embedded schema sync.
| @@ -67,7 +67,7 @@ const DefaultGitHubMCPServerVersion Version = "v1.0.4" | |||
| // | |||
| // The first recompile regenerates all lock files using the new version; the second recompile | |||
| // refreshes the container SHA pins that were resolved during the first pass. | |||
| const DefaultFirewallVersion Version = "v0.25.53" | |||
| const DefaultFirewallVersion Version = "v0.25.54" | |||
There was a problem hiding this comment.
Smoke review note: the default firewall version pin now matches the intended v0.25.54 release.
|
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤 |
|
@copilot make sure the codex model env var is passed along to the awf container |
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
This PR bumps the pinned gh-aw-firewall (AWF) default from v0.25.53 to v0.25.54, syncs the embedded AWF config JSON schema with the upstream release, and regenerates the repository’s pinned workflow artifacts / golden fixtures to reflect the new AWF version. It also adds a Codex engine unit test to assert the model env-var wiring into the generated AWF execution step.
Changes:
- Update
DefaultFirewallVersiontov0.25.54. - Replace the embedded
awf-config.schema.jsonwith the upstreamv0.25.54schema (including removal of deprecatedapiProxy.enableOpenCode). - Regenerate workflow lockfiles and WASM golden fixtures to reference the new AWF image tags / schema URL; add a Codex engine test for model env var injection.
Show a summary per file
| File | Description |
|---|---|
| pkg/constants/version_constants.go | Bumps the default AWF/firewall version constant to v0.25.54. |
| pkg/workflow/schemas/awf-config.schema.json | Syncs embedded AWF config schema with upstream v0.25.54 (drops deprecated field, formatting updates). |
| pkg/workflow/codex_engine_test.go | Adds a test validating Codex model env-var injection into the AWF execution step. |
| .changeset/patch-bump-awf-v0-25-54.md | Documents the AWF bump + schema sync as a patch changeset. |
| .github/workflows/test-workflow.lock.yml | Regenerated lock workflow manifest/images/schema URL for AWF 0.25.54. |
| .github/workflows/smoke-opencode.lock.yml | Regenerated lock workflow manifest/images/schema URL for AWF 0.25.54. |
| .github/workflows/smoke-crush.lock.yml | Regenerated lock workflow manifest/images/schema URL for AWF 0.25.54. |
| .github/workflows/firewall.lock.yml | Regenerated lock workflow manifest/images/schema URL for AWF 0.25.54. |
| .github/workflows/example-permissions-warning.lock.yml | Regenerated lock workflow manifest/images/schema URL for AWF 0.25.54. |
| .github/workflows/daily-malicious-code-scan.lock.yml | Regenerated lock workflow manifest/images/schema URL for AWF 0.25.54. |
| .github/workflows/codex-github-remote-mcp-test.lock.yml | Regenerated lock workflow manifest/images/schema URL for AWF 0.25.54. |
| .github/workflows/bot-detection.lock.yml | Regenerated lock workflow manifest/images/schema URL for AWF 0.25.54. |
| .github/workflows/agentic-token-optimizer.lock.yml | Regenerated lock workflow manifest/images/schema URL for AWF 0.25.54. |
| .github/workflows/ace-editor.lock.yml | Regenerated lock workflow manifest/images/schema URL for AWF 0.25.54. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden | Updates golden fixture output to reference AWF v0.25.54 / images. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden | Updates golden fixture output to reference AWF v0.25.54 / images. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden | Updates golden fixture output to reference AWF v0.25.54 / images. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden | Updates golden fixture output to reference AWF v0.25.54 / images. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/pi.golden | Updates golden fixture output to reference AWF v0.25.54 / images. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/gemini.golden | Updates golden fixture output to reference AWF v0.25.54 / images. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden | Updates golden fixture output to reference AWF v0.25.54 / images. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden | Updates golden fixture output to reference AWF v0.25.54 / images. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/claude.golden | Updates golden fixture output to reference AWF v0.25.54 / images. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 50/248 changed files
- Comments generated: 1
| { | ||
| name: "detection job uses detection model env var", | ||
| safeOutputs: nil, | ||
| expectedModelEnv: constants.EnvVarModelDetectionCodex, | ||
| }, |
This updates
gh-awfromgh-aw-firewall v0.25.53tov0.25.54, primarily to pick up the API proxy deprecated-header retry fix that now applies across provider paths (including Copilot). It also reconciles local AWF config schema drift against the upstream release.Version pin update
DefaultFirewallVersioninpkg/constants/version_constants.go:v0.25.53→v0.25.54AWF*MinVersiongates unchanged (no new/changed gated flags required for this release).Schema sync with upstream AWF release
pkg/workflow/schemas/awf-config.schema.jsonwith thev0.25.54schema fromgh-aw-firewall.apiProxy.enableOpenCodefrom the embedded schema to match upstream.Regenerated pinned workflow artifacts
0.25.54.Release metadata
✨ PR Review Safe Output Test - Run 26383812734
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
accounts.google.comandroid.clients.google.comclients2.google.comcontentautofill.googleapis.comsafebrowsingohttpgateway.googleapis.comwww.google.comSee Network Configuration for more information.