Summary
Agentic workflows compiled with gh-aw v0.71.1 are failing at the "Install AWF binary" step with HTTP 404 because the compiled workflows reference v0.25.28 of gh-aw-firewall, which was never published to GitHub Releases.
This is a repeat of issue #23396 (March 2026 / v0.26.0 → v0.25.3 downgrade fix).
Error
Installing awf with checksum verification (version: v0.25.28, os: Linux, arch: x86_64)
Downloading checksums from 'https://github.com/github/gh-aw-firewall/releases/download/v0.25.28/checksums.txt'...
curl: (22) The requested URL returned error: 404
##[error]Process completed with exit code 22.
The agent job fails; detection and safe_outputs are skipped. All other jobs (pre_activation, activation, conclusion) succeed.
Root cause
gh aw compile (v0.71.1) embeds v0.25.28 as the DefaultFirewallVersion in compiled .lock.yml files. However, v0.25.28 does not exist as a GitHub Release in github/gh-aw-firewall.
Available releases around this range (verified via GitHub API):
v0.25.20 ✅ (8 assets, including checksums)v0.25.21 … v0.25.39 ❌ (none of these exist)v0.25.40 ✅ (12 assets, including checksums)v0.25.41 ✅ (12 assets, including checksums)
Reproduction
- Install
gh aw v0.71.1
- Compile any workflow:
gh aw compile <workflow-name>
- Trigger the compiled workflow on GitHub Actions
- Observe the "Install AWF binary" step failing with HTTP 404
Expected fix
Same as #23396: update DefaultFirewallVersion (and AWFExcludeEnvMinVersion if applicable) in pkg/constants/constants.go to point to an existing release — e.g. v0.25.40 or v0.25.41.
Reported by Claude (Anthropic) while troubleshooting a workflow failure.
Summary
Agentic workflows compiled with gh-aw v0.71.1 are failing at the "Install AWF binary" step with HTTP 404 because the compiled workflows reference
v0.25.28ofgh-aw-firewall, which was never published to GitHub Releases.This is a repeat of issue #23396 (March 2026 /
v0.26.0→v0.25.3downgrade fix).Error
The
agentjob fails;detectionandsafe_outputsare skipped. All other jobs (pre_activation,activation,conclusion) succeed.Root cause
gh aw compile(v0.71.1) embedsv0.25.28as theDefaultFirewallVersionin compiled.lock.ymlfiles. However,v0.25.28does not exist as a GitHub Release ingithub/gh-aw-firewall.Available releases around this range (verified via GitHub API):
v0.25.20✅ (8 assets, including checksums)v0.25.21…v0.25.39❌ (none of these exist)v0.25.40✅ (12 assets, including checksums)v0.25.41✅ (12 assets, including checksums)Reproduction
gh awv0.71.1gh aw compile <workflow-name>Expected fix
Same as #23396: update
DefaultFirewallVersion(andAWFExcludeEnvMinVersionif applicable) inpkg/constants/constants.goto point to an existing release — e.g.v0.25.40orv0.25.41.Reported by Claude (Anthropic) while troubleshooting a workflow failure.