chore: bump DefaultFirewallVersion to v0.25.43 #31379
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Hey
If you'd like a hand completing the remaining work, you can assign this prompt to your coding agent:
🚀 Smoke Pi MISSION COMPLETE! Pi delivered. 🥧
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...
🌑 The shadows whisper... Smoke Codex failed to deliver outputs. The oracle requires further meditation...
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨
Agent Container Tool Check
Result: 12/12 tools available ✅ Overall Status: PASS
Smoke Test Codex 25641551131: FAIL
Comment Memory
Note: This comment is managed by comment memory. It stores persistent context for this thread in the code block at the top of this comment.
💥 Smoke Test: Claude — Run §25641551150
Overall: ✅ PASS (with 2
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"
See Network Configuration for more information.
💥 Automated smoke test review - all systems nominal!
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
- accounts.google.com
- android.clients.google.com
- clients2.google.com
- contentautofill.googleapis.com
- safebrowsingohttpgateway.googleapis.com
- www.google.com
To allow these domains, add them to the `network.allowed` list in your workflow frontmatter:
network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"
See Network Configuration for more information.
💥 [THE END] — Illustrated by Smoke Claude · ● 4.8M
| "gh-aw": patch | ||
| --- | ||
|
|
||
| Bump the default firewall version to v0.25.43. This release adds ARC/DinD support (`dockerHostPathPrefix`), an `apiProxy.maxRuns` hard cap, OIDC-based cloud credential exchange (`apiProxy.auth`), `hidepid=2` on the host procfs mount, and several bug fixes including GPT-5 BYOK wire API alignment and high-severity babel/fast-uri patches. |
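Review bot: the changeset sentence on the last added line lists the `hidepid=2` change and the high-severity babel/fast-uri patches but leaves out the `--ignore-scripts` fix for engine CLI installs, which the PR description lists under bug fixes as a supply-chain regression (#30832). Add it to the sentence so the changelog entry names every security-relevant change that ships with the bump.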
📌 Smoke-test review comment (Run 25641551150): consider linking to the firewall v0.25.43 release notes for downstream consumers.
| @@ -0,0 +1,5 @@ | |||
| --- | |||
| "gh-aw": patch | |||
📌 Smoke-test review comment (Run 25641551150): changeset front-matter looks good — patch bump is appropriate for a firewall version sync.
🤖 Beep boop! The smoke test agent was here! I have verified that all systems are go — the robots are running, the bits are flowing, and the CI pipeline hums with the harmonious chorus of green checkmarks. Carry on, dear workflow! 🚀✨
Smoke Test Results 🤖
Run: §25641551127
Overall:
PR: "chore: bump DefaultFirewallVersion to v0.25.43" by
Reviewed this firewall version bump PR. The changeset is accurate and lock file regeneration appears correct. Two minor inline suggestions: explicitly label hidepid=2 as a security fix, and confirm the patch semver choice is appropriate for the scope.
📰 BREAKING: Report filed by Smoke Copilot · ● 21.7M
| "gh-aw": patch | ||
| --- | ||
|
|
||
| Bump the default firewall version to v0.25.43. This release adds ARC/DinD support (`dockerHostPathPrefix`), an `apiProxy.maxRuns` hard cap, OIDC-based cloud credential exchange (`apiProxy.auth`), `hidepid=2` on the host procfs mount, and several bug fixes including GPT-5 BYOK wire API alignment and high-severity babel/fast-uri patches. |
The changeset description is thorough and well-written. One small note: the list of bug fixes mentions hidepid=2 which is a security hardening feature — consider noting this explicitly as a security fix in the changelog for better visibility.
| @@ -0,0 +1,5 @@ | |||
| --- | |||
| "gh-aw": patch | |||
Good: the changeset type is correctly set to patch. This bump regenerates 218 lock files which is a significant automated change, but the patch semver is appropriate since it is a version bump with backwards-compatible changes.
📰 DEVELOPING STORY: Smoke Copilot reports failed to deliver outputs. Our correspondents are investigating the incident...
Pull request overview
Bumps the default Agent Workflow Firewall (AWF) version from v0.25.42 to v0.25.43 and updates the generated workflow lock files accordingly, plus a Changesets entry to capture the bump in the next release.
Changes:
- Update `DefaultFirewallVersion` constant to `v0.25.43`.
- Regenerate/update workflow `.lock.yml` files to reference the new AWF container tags, schema URL, and AWF install version.
- Add a Changesets patch entry documenting the AWF bump and notable upstream changes.
Show a summary per file
| File | Description |
|---|---|
| pkg/constants/version_constants.go | Bumps DefaultFirewallVersion to v0.25.43. |
| .github/workflows/test-workflow.lock.yml | Updates AWF image tags/schema/install version references to 0.25.43/v0.25.43. |
| .github/workflows/smoke-opencode.lock.yml | Updates AWF image tags/schema/install version references to 0.25.43/v0.25.43. |
| .github/workflows/smoke-crush.lock.yml | Updates AWF image tags/schema/install version references to 0.25.43/v0.25.43. |
| .github/workflows/smoke-ci.lock.yml | Updates AWF image tags/schema/install version references to 0.25.43/v0.25.43. |
| .github/workflows/release.lock.yml | Updates AWF image tags/schema/install version references to 0.25.43/v0.25.43. |
| .github/workflows/hippo-embed.lock.yml | Updates AWF image tags/schema/install version references to 0.25.43/v0.25.43. |
| .github/workflows/gpclean.lock.yml | Updates AWF image tags/schema/install version references to 0.25.43/v0.25.43. |
| .github/workflows/github-remote-mcp-auth-test.lock.yml | Updates AWF image tags/schema/install version references to 0.25.43/v0.25.43. |
| .github/workflows/firewall.lock.yml | Updates AWF image tags/schema/install version references to 0.25.43/v0.25.43. |
| .github/workflows/example-permissions-warning.lock.yml | Updates AWF image tags/schema/install version references to 0.25.43/v0.25.43. |
| .github/workflows/daily-malicious-code-scan.lock.yml | Updates AWF image tags/schema/install version references to 0.25.43/v0.25.43. |
| .github/workflows/copilot-token-optimizer.lock.yml | Updates AWF image tags/schema/install version references to 0.25.43/v0.25.43 (incl. cli-proxy tag). |
| .github/workflows/codex-github-remote-mcp-test.lock.yml | Updates AWF image tags/schema/install version references to 0.25.43/v0.25.43. |
| .github/workflows/code-simplifier.lock.yml | Updates AWF image tags/schema/install version references to 0.25.43/v0.25.43. |
| .github/workflows/changeset.lock.yml | Updates AWF image tags/schema/install version references to 0.25.43/v0.25.43. |
| .github/workflows/bot-detection.lock.yml | Updates AWF image tags/schema/install version references to 0.25.43/v0.25.43. |
| .github/workflows/ai-moderator.lock.yml | Updates AWF image tags/schema/install version references to 0.25.43/v0.25.43. |
| .github/workflows/ace-editor.lock.yml | Updates AWF image tags/schema/install version references to 0.25.43/v0.25.43. |
| .changeset/patch-bump-awf-v0-25-43.md | Adds Changesets patch entry for the default AWF bump to v0.25.43. |
Copilot's findings
- Files reviewed: 55/220 changed files
- Comments generated: 0
Bumps the default AWF version from `v0.25.42` to `v0.25.43` and regenerates all 218 lock files.

Changes
- `pkg/constants/version_constants.go` — `DefaultFirewallVersion` → `"v0.25.43"`
- `.lock.yml` files — regenerated via `make build && make recompile && make recompile` (double recompile required to resolve container SHA pins from the first pass)
- `.changeset/patch-bump-awf-v0-25-43.md` — changelog entry

What's in v0.25.43

ARC/DinD support
- `container.dockerHostPathPrefix` / `--docker-host-path-prefix` — prefixes bind-mount source paths so DinD daemon can resolve runner-side paths; kernel VFS (`/dev`, `/sys`, `/proc`) excluded automatically
- `DOCKER_HOST` Unix sockets instead of assuming `/var/run/docker.sock`
- `hidepid=2` on `/host/proc` — closes credential isolation race on PID 1 environ

Bug fixes
- `COPILOT_PROVIDER_WIRE_API=responses` automatically set for GPT-5-family BYOK runs (fixes "Sandboxed Copilot workflows should set responses wire API for GPT-5 models in BYOK/offline mode" #31241)
- `--ignore-scripts` for engine CLI installs in lock files (fixes "v0.71.5 dropped --ignore-scripts from compiled npm install steps for claude-code / codex CLIs (supply-chain regression)" #30832)

New config fields available for future frontmatter exposure
- `apiProxy.maxRuns` — hard cap on LLM invocations per run (HTTP 429 `max_runs_exceeded` when hit)
- `apiProxy.auth` — GitHub OIDC → Azure/AWS/GCP token exchange for keyless cloud LLM access

✨ PR Review Safe Output Test - Run 25641551150
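An added example, not code from this PR or the gh-aw project: the PR description lists restoring `--ignore-scripts` on engine CLI installs as a fix for a supply-chain regression, and this Python check flags `npm install`/`npm ci` commands in workflow text that lack the flag. The sample workflow, the package names and the function names are assumptions constructed for illustration.

```python
import re
import shlex

# npm subcommands that run package lifecycle scripts unless told otherwise.
INSTALL_SUBCOMMANDS = {"install", "i", "add", "ci"}
RUN_KEY = re.compile(r"^\s*(?:-\s*)?run:\s*[|>]?[-+]?\s*")

# Constructed sample workflow; package names are placeholders.
SAMPLE = """\
steps:
  - name: Install engine CLI A
    run: npm install -g --ignore-scripts example-cli-a@1.0.0
  - name: Install engine CLI B
    run: npm install -g example-cli-b@2.0.0
  - name: Build
    run: |
      cd app && npm ci
      npm run build
"""


def npm_install_without_ignore_scripts(command):
    """True if `command` is an npm install/ci that would run lifecycle scripts."""
    try:
        words = shlex.split(command, comments=True)
    except ValueError:  # unbalanced quotes: not a command we can judge
        return False
    if words[:1] != ["npm"]:
        return False
    positional = [w for w in words[1:] if not w.startswith("-")]
    if not positional or positional[0] not in INSTALL_SUBCOMMANDS:
        return False
    return not any(w in ("--ignore-scripts", "--ignore-scripts=true") for w in words)


def find_unsafe_installs(text):
    """Return (line_number, command) pairs for every flagged npm invocation."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        body = RUN_KEY.sub("", line)  # drop a leading YAML `run:` key, if any
        for command in re.split(r"&&|\|\||;", body):  # one shell command at a time
            if npm_install_without_ignore_scripts(command):
                findings.append((lineno, command.strip()))
    return findings


if __name__ == "__main__":
    for lineno, command in find_unsafe_installs(SAMPLE):
        print(f"line {lineno}: {command}")
```

The check reads only the command line, so `ignore-scripts=true` set through `.npmrc` or the `npm_config_ignore_scripts` environment variable is not seen.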