Bump default AWF firewall image set to v0.25.40

[Copilot]

gh-aw was compiling workflows with default AWF v0.25.39, and embedded container pin data still included older 0.25.29 entries for AWF images. This updates the default AWF version and container pin data so newly compiled lock files resolve to 0.25.40 with digest pins for all AWF sidecars used by default flows, including cli-proxy.

• Default AWF version bump

  • Updated DefaultFirewallVersion from v0.25.39 to v0.25.40 in pkg/constants/version_constants.go.
  • This changes the default image tag emitted in AWF config (container.imageTag) and related schema/version wiring.

• Container pin source update

  • Added 0.25.40 entries (image + digest + pinned_image) for:
    • ghcr.io/github/gh-aw-firewall/agent
    • ghcr.io/github/gh-aw-firewall/api-proxy
    • ghcr.io/github/gh-aw-firewall/squid
    • ghcr.io/github/gh-aw-firewall/cli-proxy
  • Updated .github/aw/actions-lock.json as the source-of-truth lock.

• Synced embedded pin datasets

  • Propagated lock updates to:
    • pkg/actionpins/data/action_pins.json
    • pkg/workflow/data/action_pins.json
  • Keeps compiler/runtime pin resolution aligned with .github/aw/actions-lock.json.

• Golden output refresh for compiler fixtures

  • Updated affected wasm compile goldens to match new default AWF version output in compiled workflows.

// pkg/constants/version_constants.go
const DefaultFirewallVersion Version = "v0.25.40"

[!WARNING]

---

Changeset

• Type: patch
• Description: Bump the default AWF firewall image set to v0.25.40 with updated digest pins.

Generated by Changeset Generator for issue #30406 · ◷

---

---

✨ PR Review Safe Output Test - Run 25398480809

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

• accounts.google.com
• android.clients.google.com
• clients2.google.com
• contentautofill.googleapis.com
• safebrowsingohttpgateway.googleapis.com
• www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

💥 [THE END] — Illustrated by Smoke Claude · ● 266.1K · ◷

[Copilot]

Pull request overview

Updates the default Agent Workflow Firewall (AWF) version and refreshes the embedded container pin datasets and compiler golden fixtures to align newly compiled workflows with AWF v0.25.40.

Changes:

• Bumps DefaultFirewallVersion to v0.25.40.
• Adds container digest pins for AWF agent, api-proxy, and squid at 0.25.40 and propagates them into embedded pin datasets.
• Refreshes WASM compile fixture goldens to reflect the new default AWF version in emitted workflow YAML.

Show a summary per file

File	Description
pkg/constants/version_constants.go	Bumps the default AWF version to v0.25.40.
.github/aw/actions-lock.json	Adds 0.25.40 digest pins for AWF images (source-of-truth pin set).
pkg/actionpins/data/action_pins.json	Syncs embedded pin dataset with the updated lock pins.
pkg/workflow/data/action_pins.json	Syncs workflow-embedded pin dataset with the updated lock pins.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden	Updates expected compiled YAML output to v0.25.40.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden	Updates expected compiled YAML output to v0.25.40.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden	Updates expected compiled YAML output to v0.25.40.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden	Updates expected compiled YAML output to v0.25.40.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 8/8 changed files
• Comments generated: 2

[github-actions]

🤖 Smoke test agent was also here! Replying to confirm the review comment chain is working correctly. All systems nominal! ✅

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

• accounts.google.com
• android.clients.google.com
• clients2.google.com
• contentautofill.googleapis.com
• safebrowsingohttpgateway.googleapis.com
• www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot · ● 1.7M

[lpcox]

@copilot address review feedback

[Copilot]

@copilot address review feedback

Addressed review feedback in ac40289: added the missing gh-aw-firewall/cli-proxy:0.25.40 digest pin to .github/aw/actions-lock.json and synced pkg/actionpins/data/action_pins.json + pkg/workflow/data/action_pins.json. Also clarifying here: the previous default AWF version was v0.25.39; 0.25.29 referred to the older embedded container pin entries.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • Triggering command: /usr/bin/gh gh repo view --json owner,name --jq .owner.login + "/" + .name bject.type] | @tsv tmatter-with-envgit (http block)
  • Triggering command: /usr/bin/gh gh repo view owner/repo api /repos/actions/github-script/git/ref/tags/v9 --jq /usr/bin/git (http block)
• https://api.github.com/orgs/test-owner/actions/secrets
  • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name (http block)
  • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name h ../../../.prettierignore gh odules/npm/node_modules/@npmcli/run-script/lib/node-gyp-bin/sh ock.json pkg/wornode owner/repo /usr/bin/gh git rev-�� w/js/**/*.json' --ignore-path gh x_amd64/link ithub-script/gitgit owner/repo bject.type] | @tuser.email x_amd64/link (http block)
• https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq [.object.sha, .object.type] | @tsv --show-toplevel e/git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq [.object.sha, .object.type] | @tsv /ref/tags/v9 node sv --write l /opt/hostedtoolc--show-toplevel git rev-�� --show-toplevel /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linu--json /usr/bin/git -bool -buildtags /usr/bin/git git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v3
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv xterm-color (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv WorkflowFiles_WithImports2050082588/001 remote1 /usr/bin/git 489791/001 infocmp 86_64/sh git rev-�� --show-toplevel gh /usr/bin/git add-source-path-git --jq h git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v5
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv *.json' '!../../../pkg/workflow/remote.origin.url --local ache/go/1.25.8/x64/pkg/tool/linux_amd64/link gpg.program (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git --show-toplevel (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/infocmp --show-toplevel git /usr/bin/git infocmp -1 /ref/tags/v9 git sv --show-toplevel 1/x64/bin/node /usr/bin/git git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv 103177042 (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv --write ../../../**/*.json /usr/bin/git --ignore-path ../../../.pretticonfig (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv g/cli --format=%(objectname) /usr/bin/git l (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v8
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv --show-toplevel infocmp (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv /repos/actions/setup-node/git/ref/tags/v4 --jq /usr/bin/git /ref/tags/v9 git sv git rev-�� --show-toplevel git /usr/bin/git -u origin ache/go/1.25.8/x--show-toplevel git (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v9
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv -template-expressions.md (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv led-with-body-content.md (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v9.0.0
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9.0.0 --jq [.object.sha, .object.type] | @tsv (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9.0.0 --jq [.object.sha, .object.type] | @tsv cli/install.sh..remote.origin.url (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9.0.0 --jq [.object.sha, .object.type] | @tsv ty-test.md (http block)
• https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv /ref/tags/v9 git sv /ref/tags/v9 on sv git rev-�� /ref/tags/v9 sh sv bility_SameInputgit (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel node /usr/bin/git 3603368307 ../../../**/*.js-1 (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv /tmp/gh-aw-test-runs/20260505-193434-7106/test-2685967239 config e/git remote.origin.urgit (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git 3434-7106/test-3infocmp on rkflow/js/**/*.jxterm-color git rev-�� --show-toplevel sh /usr/bin/git npx prettier --wgit git /home/REDACTED/.np--show-toplevel git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel /bin/sh /usr/bin/git git-receive-packgit git-receive-packrev-parse /usr/bin/git git rev-�� WorkflowFiles_AlwaysRecompiles3482062383/001 git /usr/bin/gh -n "$GOROOT" ] infocmp config /usr/bin/git gh (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv sistency_GoAndJavaScript4197631197/001/test-complex-frontmatter-with-tools.md (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv runs/20260505-193434-7106/test-2796449161/.github/workflows ../../../**/*.json /usr/bin/git --ignore-path ../../../.pretti-d (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv ithub-script/git/ref/tags/v9 origin bject.type] | @tsv h ../../../.pretgh (http block)
• https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv /ref/tags/v9 remote.origin.url sv re --log-level=egit (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv inputs.version git /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet --show-toplevel git 1/x64/lib/node_m--show-toplevel /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet -ato�� -bool -buildtags 960062/b404/cli.test -errorsas -ifaceassert -nilfunc 960062/b404/cli.test (http block)
• https://api.github.com/repos/aws-actions/configure-aws-credentials/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/aws-actions/configure-aws-credentials/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel /usr/lib/git-core/git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/aws-actions/configure-aws-credentials/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel /opt/hostedtoolcache/node/24.14.1/x64/bin/node (http block)
  • Triggering command: /usr/bin/gh gh api /repos/aws-actions/configure-aws-credentials/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git /tmp/gh-aw-test-git rev-parse /usr/bin/infocmp--show-toplevel git rev-�� --show-toplevel infocmp /usr/bin/gh xterm-color git _id":200}] gh (http block)
• https://api.github.com/repos/azure/login/git/ref/tags/v2
  • Triggering command: /usr/bin/gh gh api /repos/azure/login/git/ref/tags/v2 --jq [.object.sha, .object.type] | @tsv -v /opt/hostedtoolcache/node/24.14.1/x64/bin/node /usr/bin/git /ref/tags/v9 (http block)
  • Triggering command: /usr/bin/gh gh api /repos/azure/login/git/ref/tags/v2 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git ons-test11406172git rev-parse ps git rev-�� --show-toplevel ps /usr/bin/infocmp git --jq om/owner/repo.gixterm-color infocmp (http block)
• https://api.github.com/repos/docker/login-action/git/ref/tags/v3
  • Triggering command: /usr/bin/gh gh api /repos/docker/login-action/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv --show-toplevel /opt/hostedtoolcache/node/24.14.1/x64/bin/node (http block)
  • Triggering command: /usr/bin/gh gh api /repos/docker/login-action/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git --show-toplevel infocmp /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git /tmp/gh-aw-test-infocmp l /usr/bin/git git (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git 3434-7106/test-3infocmp -v ache/node/24.14.xterm-color git rev-�� --show-toplevel npm /usr/bin/git 3434-7106/test-1infocmp --silent /home/REDACTED/worxterm-color git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq [.object.sha, .object.type] | @tsv --show-toplevel node /usr/bin/git --write on ache/go/1.25.8/x--show-toplevel git rev-�� --show-toplevel ache/go/1.25.8/x--jq /usr/bin/git run format:cjs e/git git (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv /tmp/TestGuardPolicyMinIntegrityOnlyCompiledOutput1074464588/001 rev-parse /usr/bin/git js/**/*.json' --git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv /ref/tags/v9 git sv --show-toplevel infocmp 1/x64/lib/node_m--show-toplevel infocmp -1 xterm-color gh /usr/bin/git th .prettierignogit --jq es/.bin/node git (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv /tmp/TestGuardPolicyMinIntegrityOnlymin-integrity_with_repos_array_c1794354925/001 rev-parse /usr/bin/infocmp js/**/*.json' --git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv github.event.inputs.enforce_all == 'true' && 'full-sweep (enforce_all)' git (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --limit 100 --created >=2026-04-28 (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --limit 100 --created >=2026-04-05 (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --limit 100 --created >=2026-02-04 (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name remote t it} (http block)
  • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 rev-parse /usr/bin/git w/js/**/*.json' git (http block)
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name --jq 64/pkg/tool/linux_amd64/link /repos/actions/ggit --jq gin/feature-bran--show-toplevel 64/pkg/tool/linux_amd64/link rev-�� onpins.test gh rtcfg.link nore --jq /usr/bin/git b5xsDMtE-Hi-SYljkr/OxJpyKgEMDcZ3HUKqeVo/HbsZns2Rorigin (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name remote t (http block)
  • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 (http block)
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name git 64/bin/go --show-toplevel r /usr/bin/git git rev-�� rity3150100350/0--limit git sh /../../.prettiergit git /usr/bin/git sh (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/1234567890
  • Triggering command: /usr/bin/gh gh api repos/{owner}/{repo}/actions/runs/1234567890 --jq {databaseId: .id, number: .run_number, url: .html_url, status: .status, conclusion: .conclusion, workflowName: .name, workflowPath: .path, createdAt: .created_at, startedAt: .run_started_at, updatedAt: .updated_at, event: .event, headBranch: .head_branch, re --log-level=error (http block)
  • Triggering command: /usr/bin/gh gh api repos/{owner}/{repo}/actions/runs/1234567890 --jq {databaseId: .id, number: .run_number, url: .html_url, status: .status, conclusion: .conclusion, workflowName: .name, workflowPath: .path, createdAt: .created_at, startedAt: .run_started_at, updatedAt: .updated_at, event: .event, headBranch: .head_branch, h ../../../.pret.prettierignore git 324ace696f43abbb-d --show-toplevel git (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name (http block)
  • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 rev-parse /usr/bin/infocmp 711955993/001' 711955993/001' n-dir/git infocmp -1 xterm-color (http block)
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name --jq /usr/bin/infocmp install r (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name (http block)
  • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 l /usr/bin/git w/js/**/*.json' git (http block)
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name infocmp 64/pkg/tool/linux_amd64/compile xterm-color git /usr/bin/git 64/pkg/tool/linux_amd64/compile rev-�� ab-testing-advisor.md git ache/uv/0.11.9/x86_64/node --show-toplevel onpins_test /usr/bin/git node (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name l /usr/bin/git it} (http block)
  • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 (http block)
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name gh 64/pkg/tool/linux_amd64/vet /repos/actions/ggit --jq /usr/bin/infocmp--git-dir 64/pkg/tool/linux_amd64/vet rev-�� --show-toplevel infocmp 1/x64/bin/node xterm-color git /usr/bin/git node (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name (http block)
  • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 (http block)
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name git 64/pkg/tool/linux_amd64/compile --show-toplevel git re-branch 64/pkg/tool/linux_amd64/compile rev-�� _.a git 1/x64/bin/node nore git sv node (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name (http block)
  • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 (http block)
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name infocmp 64/pkg/tool/linux_amd64/vet xterm-color git /usr/bin/infocmp--show-toplevel 64/pkg/tool/linux_amd64/vet rev-�� --show-toplevel infocmp 1/x64/bin/node nore git /usr/bin/git node (http block)
• https://api.github.com/repos/github/gh-aw/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 (http block)
• https://api.github.com/repos/github/gh-aw/contents/.github/workflows/shared/reporting.md
  • Triggering command: /tmp/go-build372683115/b404/cli.test /tmp/go-build372683115/b404/cli.test -test.testlogfile=/tmp/go-build372683115/b404/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true (http block)
  • Triggering command: /tmp/go-build508960062/b404/cli.test /tmp/go-build508960062/b404/cli.test -test.testlogfile=/tmp/go-build508960062/b404/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true --show-toplevel git (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv download 4 /usr/bin/infocmp test-logs/run-4 (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv --show-toplevel git (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv /tmp/go-build2293554533/b001/_pkg_.a -trimpath tartedAt,updatedAt,event,headBranch,headSha,displayTitle -p main -lang=go1.25 node /hom�� efaultBranchFromLsRemoteWithRealremote.origin.url efaultBranchFromLsRemoteWithRealGitcustom_branch2308911003/001' ache/node/24.14.1/x64/bin/sh **/*.json --ignore-path ../../../.prettiREDACTED sh (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv lGitmain_branch2719129788/001' lGitmain_branch2719129788/001' it/copilot-hooks hub.com/.extrahegit (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv iant-360531410 git 86_64/node --show-toplevel infocmp /usr/bin/git git 1/x6�� Gitbranch_with_hyphen1229261552/001' Gitbranch_with_hyphen1229261552/001' (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv report.md (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv ithub-script/git/ref/tags/v9 dering_test.go ules/.bin/sh _test.go st.go (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq [.object.sha, .object.type] | @tsv Gitmain_branch2719129788/001' Gitmain_branch2719129788/001' sh (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq [.object.sha, .object.type] | @tsv ormat:cjs --silent >/dev/null 2>&1 git ules/.bin/sh --show-toplevel /usr/bin/git (http block)
• https://api.github.com/repos/google-github-actions/auth/git/ref/tags/v2
  • Triggering command: /usr/bin/gh gh api /repos/google-github-actions/auth/git/ref/tags/v2 --jq [.object.sha, .object.type] | @tsv --show-toplevel gh (http block)
  • Triggering command: /usr/bin/gh gh api /repos/google-github-actions/auth/git/ref/tags/v2 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git /tmp/gh-aw-test-git rev-parse /opt/hostedtoolc--show-toplevel git rev-�� --show-toplevel node /usr/bin/git /home/REDACTED/worgit l /usr/bin/git git (http block)
• https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv (http block)
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv 3647-19556/test-source-field-variant-360531410/.github/workflows -importcfg k/_temp/uv-python-dir/node -buildmode=exe -buildid=iVb4M3Mrev-parse -s npx ache�� --write scripts/**/*.js cal/bin/sh .prettierignore --log-level=errorev-parse r sh (http block)
• https://api.github.com/repos/nonexistent/repo/actions/runs/12345
  • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion (http block)
  • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion --show-toplevel git (http block)
• https://api.github.com/repos/owner/repo/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo ndor/bin/git (http block)
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo (http block)
  • Triggering command: /usr/bin/gh gh workflow list --repo owner/repo --json name,path,state /usr/bin/git (http block)
• https://api.github.com/repos/test-owner/test-repo/actions/secrets
  • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name (http block)
  • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name ted-objects.md gh /usr/bin/git /repos/actions/gnode --jq /usr/bin/git git rev-�� w/js/**/*.json' --ignore-path git n-dir/bash ithub-script/gitnode git bject.type] | @t/tmp/TestHashConsistency_GoAndJavaScript1760936605/001/test-empty-frontmatter.md--detach gh (http block)
• https://api.github.com/repos/test/repo
  • Triggering command: /usr/bin/gh gh api /repos/test/repo --jq .default_branch --get remote.origin.url /usr/bin/infocmp */*.json' '!../.git --local /home/REDACTED/go/--show-toplevel infocmp -1 xterm-color git /usr/bin/infocmp mpiledOutput2591git credential.usernrev-parse k/_temp/uv-pytho--show-toplevel infocmp (http block)
  • Triggering command: /usr/bin/gh gh api /repos/test/repo --jq .default_branch 3647-19556/test-add-source-path-473496049/.github/workflows git m/_npx/b388654678d519d9/node_modules/.bin/prettier --show-toplevel git /usr/bin/basenamxterm-color sh -c "prettier" --write 'scripts/**/*.js' --ignore-paremote.origin.url basename ache/node/24.14.1/x64/lib/node_modules/npm/node_modules/@npmcli/run-script/lib/node-gyp-bin/node--show-toplevel r e/git-remote-httapi bject.type] | @tgraphql node (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

🚀 Smoke Pi MISSION COMPLETE! Pi delivered. 🥧

[github-actions]

⚠️ Smoke Gemini failed. Gemini encountered unexpected challenges...

[github-actions]

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

Commit pushed: 81a7191

Generated by Changeset Generator

[github-actions]

Agent Container Tool Check

Tool	Status	Version
bash	✅	5.2.21
sh	✅	available
git	✅	2.53.0
jq	✅	1.7
yq	✅	v4.52.5
curl	✅	8.5.0
gh	✅	2.89.0
node	✅	v22.22.2
python3	✅	3.10.16 (PyPy 7.3.19)
go	✅	1.24.13
java	✅	10.0.201
dotnet	❌	NOT FOUND

Result: 11/12 tools available — FAIL (dotnet missing)

🔧 Tool validation by Agent Container Smoke Test · ● 131.4K · ◷

[pelikhan]

@copilot merge main and recompile

[github-actions]

Smoke Test Codex 25398480751: FAIL
PRs: #30420 chore: update source reference in token optimizer workflows; #30399 docs: add Autoloop callout to landing page
✅ GitHub MCP, ✅ Serena MCP, ✅ Playwright, ❌ Web Fetch
✅ File write, ✅ Bash, ✅ Build, ✅ Comment memory, ✅ Cache memory
Run: https://github.com/github/gh-aw/actions/runs/25398480751

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

• accounts.google.com
• android.clients.google.com
• clients2.google.com
• contentautofill.googleapis.com
• safebrowsingohttpgateway.googleapis.com
• www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex · ◷

[github-actions]

Comment Memory

Cold keys wait in cache
Browsers bloom on GitHub
Build smoke fades to green

Note

This comment is managed by comment memory.

It stores persistent context for this thread in the code block at the top of this comment.
Edit only the text inside the backtick fences; workflow metadata and the footer are regenerated automatically.

Learn more about comment memory

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

• accounts.google.com
• android.clients.google.com
• clients2.google.com
• contentautofill.googleapis.com
• safebrowsingohttpgateway.googleapis.com
• www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex · ◷

[github-actions]

Smoke Test Results — Run §25398480809

Test	Status
1 GitHub MCP (merged PRs)	✅
2 MCP Scripts GH CLI	✅
3 Serena MCP (symbols)	✅
4 Make Build	✅
5 Playwright (GitHub title)	✅
6 Tavily Search	✅
7 File Writing	✅
8 Bash Tool	✅
9 Discussion Comment	✅
10 AW MCP Status	✅
11 Slack Safe Output	✅
12 Code Scanning Alert	✅
13 Update PR	✅
14 PR Review Comments	✅
15 Submit PR Review	✅
16 Resolve Thread	✅
17 Add Reviewer	✅
18 Push to Branch	✅
19 Close PR	⚠️ skipped

Overall: PARTIAL (test #19 skipped — no safe test PR to close)

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

• accounts.google.com
• android.clients.google.com
• clients2.google.com
• contentautofill.googleapis.com
• safebrowsingohttpgateway.googleapis.com
• www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

💥 [THE END] — Illustrated by Smoke Claude · ● 266.1K · ◷

[github-actions]

💥 Automated smoke test review - all systems nominal! Run 25398480809 — Claude engine validated.

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

• accounts.google.com
• android.clients.google.com
• clients2.google.com
• contentautofill.googleapis.com
• safebrowsingohttpgateway.googleapis.com
• www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

💥 [THE END] — Illustrated by Smoke Claude · ● 266.1K

[github-actions]

✅ Smoke test review comment #1 — Run 25398480809: Version bump from v0.25.39 to v0.25.40 looks correct. Digest pins are consistent across all action_pins.json files.

[github-actions]

✅ Smoke test review comment #2 — Run 25398480809: Changeset entry correctly categorizes this as a patch bump for the AWF firewall image update to v0.25.40.

[github-actions]

🤖 Beep boop! The smoke test agent has arrived at this discussion like a robot crashing a party. All tests running, circuits firing, and vibes: absolutely immaculate. This message was auto-generated by the Copilot smoke test for run 25398480813. 🎉

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

• accounts.google.com
• android.clients.google.com
• clients2.google.com
• contentautofill.googleapis.com
• safebrowsingohttpgateway.googleapis.com
• www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot · ● 1.7M · ◷

[github-actions]

Smoke Test 25398480813: ✅ PASS

Test	Result
GitHub MCP	✅
MCP Scripts GH CLI	✅
Serena CLI	✅
Playwright	✅
Web Fetch	✅
File Write/Read	✅
Discussion Interaction	✅
Build gh-aw	✅
Upload Artifact	✅
Discussion Creation	✅
Workflow Dispatch	✅
PR Review	✅
Comment Memory	✅
Sub-Agent	✅

Author: @app/copilot-swe-agent · Assignees: @lpcox @Copilot

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

• accounts.google.com
• android.clients.google.com
• clients2.google.com
• contentautofill.googleapis.com
• safebrowsingohttpgateway.googleapis.com
• www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot · ● 1.7M · ◷

[github-actions]

Comment Memory

# Smoke Test Memory

Tests run as automated checks.

---

Tests run at dawn
Silicon neurons firing
All systems green light

Note

This comment is managed by comment memory.

It stores persistent context for this thread in the code block at the top of this comment.
Edit only the text inside the backtick fences; workflow metadata and the footer are regenerated automatically.

Learn more about comment memory

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

• accounts.google.com
• android.clients.google.com
• clients2.google.com
• contentautofill.googleapis.com
• safebrowsingohttpgateway.googleapis.com
• www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot · ● 1.7M · ◷

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤