chore: upgrade all workflows to gh-aw v0.68.6 by lpcox · Pull Request #2043 · github/gh-aw-firewall

lpcox · 2026-04-17T02:34:44Z

Upgrades all agentic workflows from gh-aw v0.68.1/v0.68.4 to v0.68.6.

Action updates:

github/gh-aw/actions/setup: v0.68.1 → v0.68.6
github/gh-aw-actions/setup: v0.68.4 → v0.68.6
actions/github-script: v8/v9 → v9.0.0 (SHA-pinned)
softprops/action-gh-release: v2.6.1 → v3.0.0

Container image pins:

17 container images pinned with digest hashes (AWF agent/squid/api-proxy/cli-proxy, mcpg, GitHub MCP server, Playwright MCP, Node)

Workflows recompiled: All 30 workflows recompiled and post-processed.

Generated via gh aw upgrade + npx tsx scripts/ci/postprocess-smoke-workflows.ts.

- Updated gh-aw setup action from v0.68.1 to v0.68.6 - Updated gh-aw-actions/setup from v0.68.4 to v0.68.6 - Updated actions/github-script to v9.0.0 - Updated softprops/action-gh-release to v3.0.0 - Pinned 17 container images with digest hashes - Recompiled all 30 workflows and ran post-processing Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

github-actions · 2026-04-17T02:35:37Z

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	84.33%	84.41%	📈 +0.08%
Statements	83.56%	83.64%	📈 +0.08%
Functions	87.39%	87.39%	➡️ +0.00%
Branches	74.78%	74.82%	📈 +0.04%

📁 Per-file Coverage Changes (1 files)

File	Lines (Before → After)	Statements (Before → After)
`src/docker-manager.ts`	86.8% → 87.1% (+0.30%)	86.4% → 86.7% (+0.29%)

Coverage comparison generated by scripts/ci/compare-coverage.ts

Copilot

Pull request overview

Upgrades the repository’s generated agentic workflow lock files and supporting agent/docs to gh-aw v0.68.6, including updated pinned action SHAs and refreshed runtime/container wiring used by the workflows.

Changes:

Recompiled agentic workflow .lock.yml files to gh-aw v0.68.6 (new setup action pin, updated github-script/upload-artifact pins, updated AWF/AW MCP gateway scripts/paths).
Updated workflow runtime behavior (new Copilot error detection, prompt passing via --prompt-file, additional artifacts like /tmp/gh-aw/base, new outputs for Copilot error categories).
Updated repo-level action lockfile and agent documentation links to point at gh-aw v0.68.6.

Show a summary per file

File	Description
.github/workflows/update-release-notes.lock.yml	Recompiled lock with v0.68.6 pins; updates MCP gateway startup, artifacts, and Copilot error detection outputs.
.github/workflows/smoke-codex.lock.yml	Recompiled lock with v0.68.6 pins; updates Codex/MCP gateway wiring and artifact behavior.
.github/workflows/security-review.lock.yml	Recompiled lock with v0.68.6 pins; updates Copilot error detection outputs and container download pins.
.github/workflows/plan.lock.yml	Recompiled lock with v0.68.6 pins; updates Copilot error detection outputs and container download pins.
.github/workflows/firewall-issue-dispatcher.lock.yml	Recompiled lock with v0.68.6 pins; updates container download pins and Copilot error detection outputs.
.github/workflows/copilot-token-usage-analyzer.lock.yml	Recompiled lock with v0.68.6 pins; updates container download pins and Copilot error detection outputs.
.github/workflows/copilot-token-optimizer.lock.yml	Recompiled lock with v0.68.6 pins; updates container download pins and Copilot error detection outputs.
.github/workflows/cli-flag-consistency-checker.lock.yml	Recompiled lock with v0.68.6 pins; updates container download pins and Copilot error detection outputs.
.github/workflows/claude-token-usage-analyzer.lock.yml	Recompiled lock with v0.68.6 pins; updates container download pins and Copilot error detection outputs.
.github/workflows/ci-cd-gaps-assessment.lock.yml	Recompiled lock with v0.68.6 pins; updates container download pins and Copilot error detection outputs.
.github/aw/actions-lock.json	Updates pinned action SHAs/versions and extends lockfile structure with container pins.
.github/agents/agentic-workflows.agent.md	Updates documentation links to reference gh-aw v0.68.6 templates/prompts.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Files reviewed: 31/31 changed files
Comments generated: 1

Copilot · 2026-04-17T02:40:02Z

+      - name: Clean up engine output files
+        run: |
+          rm -fr ${{ runner.temp }}/gh-aw/mcp-config/logs/


This step deletes ${{ runner.temp }}/gh-aw/mcp-config/logs/, but the workflow later attempts to upload that same directory in the “Upload agent artifacts” step. As written, the artifact will be missing Codex/MCP logs (and troubleshooting data). Remove this cleanup, or move it to after artifact upload / target a different path that isn’t meant to be preserved.

Suggested change

- name: Clean up engine output files

run: |

rm -fr ${{ runner.temp }}/gh-aw/mcp-config/logs/

- Update AWF container images from 0.25.22 to 0.25.23 - Fix COPILOT_MODEL fallback: 'claude-opus-4.6' instead of empty string (empty string overrides workflow-level default, causing Copilot CLI to fail with 'BYOK providers require an explicit model') Fixes #2048 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

github-actions · 2026-04-17T03:28:43Z

Smoke Test Results

Test	Result
GitHub MCP: Last 2 merged PRs	✅
Playwright: github.com title check	✅
File write: smoke-test-claude-24546091768.txt	✅
Bash: file verification	✅

PRs reviewed: "Fix BYOK smoke workflow COPILOT_MODEL fallback override in postprocessing" · "fix: allow package.json/lock in dep security monitor PRs"

Overall: PASS

💥 [THE END] — Illustrated by Smoke Claude

github-actions · 2026-04-17T03:29:10Z

🔥 Smoke Test Results

Test	Result
GitHub MCP (list PRs)	✅
GitHub.com connectivity (HTTP 200)	✅
File write/read	❌ (pre-step template vars not resolved)

Overall: FAIL

PR: chore: upgrade all workflows to gh-aw v0.68.6 — author: @lpcox, no assignees.

📰 BREAKING: Report filed by Smoke Copilot

github-actions · 2026-04-17T03:29:33Z

Smoke Test: GitHub Actions Services Connectivity ✅

All checks passed:

Check	Result
Redis `PING` → `host.docker.internal:6379`	✅ `PONG`
`pg_isready` → `host.docker.internal:5432`	✅ accepting connections
`psql SELECT 1` → `smoketest` db as `postgres`	✅ returned `1`

Note: redis-cli was unavailable (no apt access in sandbox); Redis connectivity verified via raw socket (nc).

🔌 Service connectivity validated by Smoke Services

github-actions · 2026-04-17T03:29:42Z

🔥 BYOK Smoke Test — PASS

Test	Result
MCP: `github-list_pull_requests`	✅ PR #2049 "Fix BYOK smoke workflow COPILOT_MODEL fallback override in postprocessing"
GitHub.com connectivity	✅ HTTP 200
File write/read	✅ Verified `/tmp/gh-aw/agent/smoke-test-copilot-byok-24546091771.txt`
BYOK inference	✅ Agent responding via api-proxy → api.githubcopilot.com

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com.
cc @lpcox

🔑 BYOK report filed by Smoke Copilot BYOK

github-actions · 2026-04-17T03:30:58Z

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	1/1 passed	✅ PASS
Go	env	✅	1/1 passed	✅ PASS
Go	uuid	✅	1/1 passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	passed	✅ PASS
Node.js	execa	✅	passed	✅ PASS
Node.js	p-limit	✅	passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #2043 · ● 652.7K · ◷

lpcox requested a review from Mossaka as a code owner April 17, 2026 02:34

Copilot AI review requested due to automatic review settings April 17, 2026 02:34

Copilot started reviewing on behalf of lpcox April 17, 2026 02:35 View session

This was referenced Apr 17, 2026

[aw] Smoke Codex failed #2044

Open

[aw] Smoke OpenCode failed #2045

Open