Bump AWF Firewall to v0.27.4 and MCP Gateway to v0.3.26 #39486
…rsion to v0.3.26

- Update DefaultFirewallVersion from v0.27.2 to v0.27.4
- Update DefaultMCPGatewayVersion from v0.3.25 to v0.3.26
- Run make build && make recompile && make recompile to update lock files
- Resolve and pin container SHA for ghcr.io/github/gh-aw-mcpg:v0.3.26
- Update wasm golden test fixtures to reflect new AWF version

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
@copilot merge main and recompile workflows
…v0326 # Conflicts: # .github/workflows/objective-impact-report.lock.yml Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Done — merged main (resolved the single lock file conflict in
@copilot merge main, recompile, fix conflicts
…v0326 # Conflicts: # .github/workflows/ab-testing-advisor.lock.yml # .github/workflows/ace-editor.lock.yml # .github/workflows/agent-performance-analyzer.lock.yml # .github/workflows/agent-persona-explorer.lock.yml # .github/workflows/agentic-token-audit.lock.yml # .github/workflows/agentic-token-optimizer.lock.yml # .github/workflows/agentic-token-trend-audit.lock.yml # .github/workflows/ai-moderator.lock.yml # .github/workflows/api-consumption-report.lock.yml # .github/workflows/approach-validator.lock.yml # .github/workflows/archie.lock.yml # .github/workflows/architecture-guardian.lock.yml # .github/workflows/artifacts-summary.lock.yml # .github/workflows/audit-workflows.lock.yml # .github/workflows/auto-triage-issues.lock.yml # .github/workflows/avenger.lock.yml # .github/workflows/aw-failure-investigator.lock.yml # .github/workflows/blog-auditor.lock.yml # .github/workflows/bot-detection.lock.yml # .github/workflows/brave.lock.yml # .github/workflows/breaking-change-checker.lock.yml # .github/workflows/changeset.lock.yml # .github/workflows/chaos-pr-bundle-fuzzer.lock.yml # .github/workflows/ci-coach.lock.yml # .github/workflows/ci-doctor.lock.yml # .github/workflows/claude-code-user-docs-review.lock.yml # .github/workflows/cli-consistency-checker.lock.yml # .github/workflows/cli-version-checker.lock.yml # .github/workflows/cloclo.lock.yml # .github/workflows/code-scanning-fixer.lock.yml # .github/workflows/code-simplifier.lock.yml # .github/workflows/codex-github-remote-mcp-test.lock.yml # .github/workflows/commit-changes-analyzer.lock.yml # .github/workflows/constraint-solving-potd.lock.yml # .github/workflows/contribution-check.lock.yml # .github/workflows/copilot-agent-analysis.lock.yml # .github/workflows/copilot-centralization-drilldown.lock.yml # .github/workflows/copilot-centralization-optimizer.lock.yml # .github/workflows/copilot-cli-deep-research.lock.yml # .github/workflows/copilot-opt.lock.yml # 
.github/workflows/copilot-pr-merged-report.lock.yml # .github/workflows/copilot-pr-nlp-analysis.lock.yml # .github/workflows/copilot-pr-prompt-analysis.lock.yml # .github/workflows/copilot-session-insights.lock.yml # .github/workflows/craft.lock.yml # .github/workflows/daily-agent-of-the-day-blog-writer.lock.yml # .github/workflows/daily-agentrx-trace-optimizer.lock.yml # .github/workflows/daily-ambient-context-optimizer.lock.yml # .github/workflows/daily-architecture-diagram.lock.yml # .github/workflows/daily-assign-issue-to-user.lock.yml # .github/workflows/daily-astrostylelite-markdown-spellcheck.lock.yml # .github/workflows/daily-aw-cross-repo-compile-check.lock.yml # .github/workflows/daily-awf-spec-compiler-surfacing.lock.yml # .github/workflows/daily-byok-ollama-test.lock.yml # .github/workflows/daily-cache-strategy-analyzer.lock.yml # .github/workflows/daily-caveman-optimizer.lock.yml # .github/workflows/daily-choice-test.lock.yml # .github/workflows/daily-cli-performance.lock.yml # .github/workflows/daily-cli-tools-tester.lock.yml # .github/workflows/daily-code-metrics.lock.yml # .github/workflows/daily-community-attribution.lock.yml # .github/workflows/daily-compiler-quality.lock.yml # .github/workflows/daily-compiler-threat-spec-optimizer.lock.yml # .github/workflows/daily-credit-limit-test.lock.yml # .github/workflows/daily-doc-healer.lock.yml # .github/workflows/daily-doc-updater.lock.yml # .github/workflows/daily-experiment-report.lock.yml # .github/workflows/daily-fact.lock.yml # .github/workflows/daily-file-diet.lock.yml # .github/workflows/daily-firewall-report.lock.yml # .github/workflows/daily-formal-spec-verifier.lock.yml # .github/workflows/daily-function-namer.lock.yml # .github/workflows/daily-geo-optimizer.lock.yml # .github/workflows/daily-hippo-learn.lock.yml # .github/workflows/daily-issues-report.lock.yml # .github/workflows/daily-malicious-code-scan.lock.yml # .github/workflows/daily-max-ai-credits-test.lock.yml # 
.github/workflows/daily-mcp-concurrency-analysis.lock.yml # .github/workflows/daily-model-inventory.lock.yml # .github/workflows/daily-multi-device-docs-tester.lock.yml # .github/workflows/daily-news.lock.yml # .github/workflows/daily-observability-report.lock.yml # .github/workflows/daily-performance-summary.lock.yml # .github/workflows/daily-regulatory.lock.yml # .github/workflows/daily-reliability-review.lock.yml # .github/workflows/daily-rendering-scripts-verifier.lock.yml # .github/workflows/daily-repo-chronicle.lock.yml # .github/workflows/daily-safe-output-integrator.lock.yml # .github/workflows/daily-safe-output-optimizer.lock.yml # .github/workflows/daily-safe-outputs-conformance.lock.yml # .github/workflows/daily-safeoutputs-git-simulator.lock.yml # .github/workflows/daily-secrets-analysis.lock.yml # .github/workflows/daily-security-observability.lock.yml # .github/workflows/daily-security-red-team.lock.yml # .github/workflows/daily-semgrep-scan.lock.yml # .github/workflows/daily-sentrux-report.lock.yml # .github/workflows/daily-skill-optimizer.lock.yml # .github/workflows/daily-spdd-spec-planner.lock.yml # .github/workflows/daily-syntax-error-quality.lock.yml # .github/workflows/daily-team-evolution-insights.lock.yml # .github/workflows/daily-team-status.lock.yml # .github/workflows/daily-testify-uber-super-expert.lock.yml # .github/workflows/daily-token-consumption-report.lock.yml # .github/workflows/daily-windows-terminal-integration-builder.lock.yml # .github/workflows/daily-workflow-updater.lock.yml # .github/workflows/dataflow-pr-discussion-dataset.lock.yml # .github/workflows/dead-code-remover.lock.yml # .github/workflows/deep-report.lock.yml # .github/workflows/delight.lock.yml # .github/workflows/dependabot-burner.lock.yml # .github/workflows/dependabot-campaign.lock.yml # .github/workflows/dependabot-go-checker.lock.yml # .github/workflows/dependabot-repair.lock.yml # .github/workflows/dependabot-worker.lock.yml # 
.github/workflows/deployment-incident-monitor.lock.yml # .github/workflows/design-decision-gate.lock.yml # .github/workflows/designer-drift-audit.lock.yml # .github/workflows/dev-hawk.lock.yml # .github/workflows/dev.lock.yml # .github/workflows/developer-docs-consolidator.lock.yml # .github/workflows/dictation-prompt.lock.yml # .github/workflows/discussion-task-miner.lock.yml # .github/workflows/docs-noob-tester.lock.yml # .github/workflows/draft-pr-cleanup.lock.yml # .github/workflows/duplicate-code-detector.lock.yml # .github/workflows/example-permissions-warning.lock.yml # .github/workflows/example-workflow-analyzer.lock.yml # .github/workflows/firewall-escape.lock.yml # .github/workflows/firewall.lock.yml # .github/workflows/functional-pragmatist.lock.yml # .github/workflows/github-mcp-structural-analysis.lock.yml # .github/workflows/github-mcp-tools-report.lock.yml # .github/workflows/github-remote-mcp-auth-test.lock.yml # .github/workflows/glossary-maintainer.lock.yml # .github/workflows/go-fan.lock.yml # .github/workflows/go-logger.lock.yml # .github/workflows/go-pattern-detector.lock.yml # .github/workflows/gpclean.lock.yml # .github/workflows/grumpy-reviewer.lock.yml # .github/workflows/hippo-embed.lock.yml # .github/workflows/hourly-ci-cleaner.lock.yml # .github/workflows/instructions-janitor.lock.yml # .github/workflows/issue-arborist.lock.yml # .github/workflows/issue-monster.lock.yml # .github/workflows/issue-triage-agent.lock.yml # .github/workflows/jsweep.lock.yml # .github/workflows/layout-spec-maintainer.lock.yml # .github/workflows/lint-monster.lock.yml # .github/workflows/linter-miner.lock.yml # .github/workflows/lockfile-stats.lock.yml # .github/workflows/mattpocock-skills-reviewer.lock.yml # .github/workflows/mcp-inspector.lock.yml # .github/workflows/mergefest.lock.yml # .github/workflows/metrics-collector.lock.yml # .github/workflows/necromancer.lock.yml # .github/workflows/notion-issue-summary.lock.yml # 
.github/workflows/objective-impact-report.lock.yml # .github/workflows/org-health-report.lock.yml # .github/workflows/outcome-collector.lock.yml # .github/workflows/pdf-summary.lock.yml # .github/workflows/plan.lock.yml # .github/workflows/poem-bot.lock.yml # .github/workflows/portfolio-analyst.lock.yml # .github/workflows/pr-code-quality-reviewer.lock.yml # .github/workflows/pr-description-caveman.lock.yml # .github/workflows/pr-nitpick-reviewer.lock.yml # .github/workflows/pr-sous-chef.lock.yml # .github/workflows/pr-triage-agent.lock.yml # .github/workflows/prompt-clustering-analysis.lock.yml # .github/workflows/python-data-charts.lock.yml # .github/workflows/q.lock.yml # .github/workflows/refactoring-cadence.lock.yml # .github/workflows/refiner.lock.yml # .github/workflows/release.lock.yml # .github/workflows/repo-audit-analyzer.lock.yml # .github/workflows/repo-tree-map.lock.yml # .github/workflows/repository-quality-improver.lock.yml # .github/workflows/research.lock.yml # .github/workflows/ruflo-backed-task.lock.yml # .github/workflows/safe-output-health.lock.yml # .github/workflows/schema-consistency-checker.lock.yml # .github/workflows/schema-feature-coverage.lock.yml # .github/workflows/scout.lock.yml # .github/workflows/security-compliance.lock.yml # .github/workflows/security-review.lock.yml # .github/workflows/semantic-function-refactor.lock.yml # .github/workflows/sergo.lock.yml # .github/workflows/slide-deck-maintainer.lock.yml # .github/workflows/smoke-agent-all-merged.lock.yml # .github/workflows/smoke-agent-all-none.lock.yml # .github/workflows/smoke-agent-public-approved.lock.yml # .github/workflows/smoke-agent-public-none.lock.yml # .github/workflows/smoke-agent-scoped-approved.lock.yml # .github/workflows/smoke-antigravity.lock.yml # .github/workflows/smoke-call-workflow.lock.yml # .github/workflows/smoke-ci.lock.yml # .github/workflows/smoke-claude.lock.yml # .github/workflows/smoke-codex.lock.yml # 
.github/workflows/smoke-copilot-aoai-apikey.lock.yml # .github/workflows/smoke-copilot-aoai-entra.lock.yml # .github/workflows/smoke-copilot-arm.lock.yml # .github/workflows/smoke-copilot-sdk.lock.yml # .github/workflows/smoke-copilot.lock.yml # .github/workflows/smoke-create-cross-repo-pr.lock.yml # .github/workflows/smoke-crush.lock.yml # .github/workflows/smoke-gemini.lock.yml # .github/workflows/smoke-multi-pr.lock.yml # .github/workflows/smoke-opencode.lock.yml # .github/workflows/smoke-otel-backends.lock.yml # .github/workflows/smoke-pi.lock.yml # .github/workflows/smoke-project.lock.yml # .github/workflows/smoke-service-ports.lock.yml # .github/workflows/smoke-temporary-id.lock.yml # .github/workflows/smoke-test-tools.lock.yml # .github/workflows/smoke-update-cross-repo-pr.lock.yml # .github/workflows/smoke-workflow-call-with-inputs.lock.yml # .github/workflows/smoke-workflow-call.lock.yml # .github/workflows/spec-enforcer.lock.yml # .github/workflows/spec-extractor.lock.yml # .github/workflows/spec-librarian.lock.yml # .github/workflows/stale-pr-cleanup.lock.yml # .github/workflows/stale-repo-identifier.lock.yml # .github/workflows/static-analysis-report.lock.yml # .github/workflows/step-name-alignment.lock.yml # .github/workflows/sub-issue-closer.lock.yml # .github/workflows/super-linter.lock.yml # .github/workflows/technical-doc-writer.lock.yml # .github/workflows/terminal-stylist.lock.yml # .github/workflows/test-create-pr-error-handling.lock.yml # .github/workflows/test-dispatcher.lock.yml # .github/workflows/test-project-url-default.lock.yml # .github/workflows/test-quality-sentinel.lock.yml # .github/workflows/test-workflow.lock.yml # .github/workflows/tidy.lock.yml # .github/workflows/typist.lock.yml # .github/workflows/ubuntu-image-analyzer.lock.yml # .github/workflows/uk-ai-operational-resilience.lock.yml # .github/workflows/unbloat-docs.lock.yml # .github/workflows/update-astro.lock.yml # .github/workflows/video-analyzer.lock.yml # 
.github/workflows/visual-regression-checker.lock.yml # .github/workflows/weekly-blog-post-writer.lock.yml # .github/workflows/weekly-editors-health-check.lock.yml # .github/workflows/weekly-issue-summary.lock.yml # .github/workflows/weekly-safe-outputs-spec-review.lock.yml # .github/workflows/workflow-generator.lock.yml # .github/workflows/workflow-health-manager.lock.yml # .github/workflows/workflow-normalizer.lock.yml # .github/workflows/workflow-skill-extractor.lock.yml # pkg/workflow/testdata/TestWasmGolden_AllEngines/claude.golden # pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden # pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden # pkg/workflow/testdata/TestWasmGolden_AllEngines/gemini.golden # pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden # pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden # pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden # pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@copilot merge main
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Done — merged main (resolved 257 conflicts across lock files and golden fixtures by taking main's versions, then recompiled twice to re-apply the version bumps). All 249 workflows compiled successfully. Commit:
✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟
✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready.
🚀 Smoke Pi MISSION COMPLETE! Pi delivered. 🥧
🚀 Smoke Gemini MISSION COMPLETE! Gemini has spoken. ✨
🚀 Smoke Antigravity MISSION COMPLETE! Antigravity has spoken. ✨
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨
📰 BREAKING: Smoke Copilot - AOAI (apikey) is now investigating this pull request. Sources say the story is developing...
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...
…v0326 Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
📰 BREAKING: Smoke Copilot - AOAI (Entra) is now investigating this pull request. Sources say the story is developing...
✅ Ready to approve
The changes are consistent, mechanical version/pin updates with regenerated lockfiles and fixtures aligning to the new defaults, with no contradictory schema usage found in the edited workflows.
Note: this review does not count toward required approvals for merging.
Pull request overview
This PR updates gh-aw’s default infrastructure component versions (AWF Firewall and MCP Gateway), refreshes container digest pins for the new versions, and regenerates compiled workflow artifacts and golden fixtures to reflect the new defaults.
Changes:
- Bump `DefaultFirewallVersion` to `v0.27.4` and `DefaultMCPGatewayVersion` to `v0.3.26`.
- Add container digest pins for AWF Firewall `0.27.4` images and MCP Gateway `v0.3.26` across the repo’s pin datasets.
- Regenerate compiled `.lock.yml` workflows and WASM golden fixtures to reference the updated versions/tags/digests.
File summaries
| File | Description |
|---|---|
| pkg/constants/version_constants.go | Bumps the default AWF Firewall and MCP Gateway version constants used by compilation/runtime defaults. |
| .github/aw/actions-lock.json | Adds pinned container digests for AWF Firewall 0.27.4 and MCP Gateway v0.3.26. |
| pkg/actionpins/data/action_pins.json | Adds the same container digest pins in the actionpins dataset. |
| pkg/workflow/data/action_pins.json | Adds the same container digest pins in the workflow dataset used for compilation/pinning. |
| .github/workflows/test-workflow.lock.yml | Regenerated compiled workflow to reference new AWF/MCPG tags and digests throughout manifest/setup. |
| .github/workflows/example-permissions-warning.lock.yml | Regenerated compiled workflow to reference new AWF/MCPG tags and digests throughout manifest/setup. |
| .github/workflows/codex-github-remote-mcp-test.lock.yml | Regenerated compiled workflow to reference new AWF/MCPG tags and digests throughout manifest/setup. |
| .github/workflows/bot-detection.lock.yml | Regenerated compiled workflow to reference new AWF/MCPG tags and digests throughout manifest/setup. |
| .github/workflows/daily-max-ai-credits-test.md | Updates frontmatter to use permissions.copilot-requests: write (schema-supported) and keeps workflow intent unchanged. |
| .github/workflows/copilot-centralization-optimizer.md | Uses step-level env vars for GitHub context values and updates safe-outputs expiry format (30d). |
| .github/workflows/copilot-centralization-drilldown.md | Updates safe-outputs expiry format (30d). |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden | Updates golden output to reflect AWF v0.27.4 and MCPG v0.3.26 in compiled fixture output. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden | Updates golden output to reflect AWF v0.27.4 and MCPG v0.3.26 in compiled fixture output. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden | Updates golden output to reflect AWF v0.27.4 and MCPG v0.3.26 in compiled fixture output. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden | Updates golden output to reflect AWF v0.27.4 and MCPG v0.3.26 in compiled fixture output. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/pi.golden | Updates golden output to reflect AWF v0.27.4 and MCPG v0.3.26 in compiled fixture output. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/gemini.golden | Updates golden output to reflect AWF v0.27.4 and MCPG v0.3.26 in compiled fixture output. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden | Updates golden output to reflect AWF v0.27.4 and MCPG v0.3.26 in compiled fixture output. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden | Updates golden output to reflect AWF v0.27.4 and MCPG v0.3.26 in compiled fixture output. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/claude.golden | Updates golden output to reflect AWF v0.27.4 and MCPG v0.3.26 in compiled fixture output. |
Copilot's findings
- Files reviewed: 35/266 changed files
- Comments generated: 0
Agent Container Tool Check
Result: 12/12 tools available ✅ Overall Status: PASS
Smoke Test Results (Gemini)
Overall Status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

```yaml
network:
  allowed:
    - defaults
    - "localhost"
```

See Network Configuration for more information.
Merged main — 1 commit ahead, clean merge (no conflicts).
Smoke Test Results:
Smoke test summary

Warning

Firewall blocked 5 domains

The following domains were blocked by the firewall during workflow execution:

```yaml
network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"
```

See Network Configuration for more information.
@copilot investigate safeoutputs failure in smoke claude https://github.com/github/gh-aw/actions/runs/27634187346
Bumps two infrastructure dependency defaults:

| Component | From | To |
|---|---|---|
| AWF Firewall (`DefaultFirewallVersion`) | v0.27.2 | v0.27.4 |
| MCP Gateway (`DefaultMCPGatewayVersion`) | v0.3.25 | v0.3.26 |

Changes

- `pkg/constants/version_constants.go` — updated the two version constants
- `.github/aw/actions-lock.json` / `pkg/actionpins/data/action_pins.json` / `pkg/workflow/data/action_pins.json` — added SHA pin for `ghcr.io/github/gh-aw-mcpg:v0.3.26` (`sha256:d3b03f54...`)
- `.github/workflows/*.lock.yml` (249 files) — recompiled to reference the new container image tags with updated firewall and MCPG versions
- `pkg/workflow/testdata/wasm_golden/` — updated golden fixtures to reflect `GH_AW_INFO_AWF_VERSION: "v0.27.4"`