Include and pin safe-outputs gh-aw-node image in default container predownload and manifest #39644
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@copilot run pr-finisher skill
Ran a finisher pass. No unresolved review threads are open, and local
| # - ghcr.io/github/gh-aw-firewall/cli-proxy:0.27.4@sha256:72c378c029d2fad4684847ab44c329e526ac6b1a78cdf97656870ea11d201545 | ||
| # - ghcr.io/github/gh-aw-firewall/squid:0.27.4@sha256:87979038897e40caed22245b64d1daa796390d2dca289b99d3d1174c85740af8 | ||
| # - ghcr.io/github/gh-aw-mcpg:v0.3.26@sha256:d3b03f54eee3a8176818c9a52087623e45b7f644a28814337fcc0838e2534490 | ||
| # - ghcr.io/github/gh-aw-node |
@copilot make sure the container is versioned or pinned to a hash
Addressed in 1d493a4. The safe-outputs gh-aw-node image now resolves through an embedded digest pin, and the generated MCP config, predownload step, manifest header, and regenerated lock files all use the pinned reference.
Pull request overview
This pull request makes the Safe Outputs runtime container (ghcr.io/github/gh-aw-node) a first-class, digest-pinned dependency in gh-aw by (1) collecting it into the default predownload image set when safe-outputs is enabled, (2) emitting it into gh-aw-manifest container pin data, and (3) ensuring generated MCP config references the pinned image.
Changes:
- Add ghcr.io/github/gh-aw-node to Docker image collection when safe-outputs is enabled, and ensure manifest pin data is recorded via the existing pinning pipeline.
- Add an embedded container pin for ghcr.io/github/gh-aw-node and a resolveContainerImage helper; use it when rendering the Safe Outputs MCP container reference.
- Update tests and regenerate workflow .lock.yml files so predownload steps, manifest headers, and MCP config reflect the pinned gh-aw-node image.
Show a summary per file
| File | Description |
|---|---|
| pkg/workflow/action_pins.go | Add resolveContainerImage helper to prefer cached/embedded container pins. |
| pkg/workflow/docker.go | Collect gh-aw-node into the default Docker predownload set when safe-outputs is enabled. |
| pkg/workflow/docker_pin_test.go | Add coverage for embedded gh-aw-node pin usage and safe-outputs image collection/manifest pin assertions. |
| pkg/workflow/docker_predownload_test.go | Assert predownload step includes pinned gh-aw-node and manifest header includes the base image. |
| pkg/workflow/mcp_renderer_builtin.go | Render Safe Outputs MCP container via pinned image resolution (JSON + TOML paths). |
| pkg/workflow/mcp_renderer_test.go | Update renderer tests to expect the pinned gh-aw-node container reference. |
| pkg/workflow/mcp_setup_generator_test.go | Update MCP setup generation expectations to match pinned gh-aw-node container usage. |
| pkg/workflow/mcp_config_refactor_test.go | Update shared config helper tests to expect pinned gh-aw-node container references. |
| pkg/workflow/mcp_api_key_masking_test.go | Update safe-outputs MCP config assertions to match pinned container reference. |
| pkg/workflow/safe_outputs_mcp_integration_test.go | Update integration assertions to validate pinned gh-aw-node in generated lock output. |
| pkg/workflow/data/action_pins.json | Add embedded container pin entry for ghcr.io/github/gh-aw-node. |
| pkg/actionpins/data/action_pins.json | Add embedded container pin entry for ghcr.io/github/gh-aw-node. |
| .github/aw/actions-lock.json | Record gh-aw-node pin in the repo-local pins cache file. |
| .github/workflows/video-analyzer.lock.yml | Regenerated lock file to include pinned gh-aw-node in manifest + predownload + MCP config. |
| .github/workflows/test-workflow.lock.yml | Regenerated lock file to include pinned gh-aw-node in manifest + predownload + MCP config. |
| .github/workflows/test-dispatcher.lock.yml | Regenerated lock file to include pinned gh-aw-node in manifest + predownload + MCP config. |
| .github/workflows/smoke-pi.lock.yml | Regenerated lock file to include pinned gh-aw-node in manifest + predownload. |
| .github/workflows/smoke-copilot-sdk.lock.yml | Regenerated lock file to include pinned gh-aw-node in manifest + predownload + MCP config. |
| .github/workflows/smoke-ci.lock.yml | Regenerated lock file to include pinned gh-aw-node in manifest + predownload + MCP config. |
| .github/workflows/research.lock.yml | Regenerated lock file to include pinned gh-aw-node in manifest + predownload + MCP config. |
| .github/workflows/repo-tree-map.lock.yml | Regenerated lock file to include pinned gh-aw-node in manifest + predownload + MCP config. |
| .github/workflows/issue-triage-agent.lock.yml | Regenerated lock file to include pinned gh-aw-node in manifest + predownload + MCP config. |
| .github/workflows/gpclean.lock.yml | Regenerated lock file to include pinned gh-aw-node in manifest + predownload + MCP config. |
| .github/workflows/github-remote-mcp-auth-test.lock.yml | Regenerated lock file to include pinned gh-aw-node in manifest + predownload + MCP config. |
| .github/workflows/firewall.lock.yml | Regenerated lock file to include pinned gh-aw-node in manifest + predownload + MCP config. |
| .github/workflows/example-permissions-warning.lock.yml | Regenerated lock file to include pinned gh-aw-node in manifest + predownload + MCP config. |
| .github/workflows/daily-team-status.lock.yml | Regenerated lock file to include pinned gh-aw-node in manifest + predownload + MCP config. |
| .github/workflows/daily-syntax-error-quality.lock.yml | Regenerated lock file to include pinned gh-aw-node in manifest + predownload + MCP config. |
| .github/workflows/daily-max-ai-credits-test.lock.yml | Regenerated lock file to include pinned gh-aw-node in manifest + predownload + MCP config. |
| .github/workflows/daily-credit-limit-test.lock.yml | Regenerated lock file to include pinned gh-aw-node in manifest + predownload + MCP config. |
| .github/workflows/daily-byok-ollama-test.lock.yml | Regenerated lock file to include pinned gh-aw-node in manifest + predownload + MCP config. |
| .github/workflows/copilot-pr-merged-report.lock.yml | Regenerated lock file to include pinned gh-aw-node in manifest + predownload + MCP config. |
| .github/workflows/copilot-centralization-optimizer.lock.yml | Regenerated lock file to include pinned gh-aw-node in manifest + predownload + MCP config. |
| .github/workflows/copilot-centralization-drilldown.lock.yml | Regenerated lock file to include pinned gh-aw-node in manifest + predownload + MCP config. |
| .github/workflows/bot-detection.lock.yml | Regenerated lock file to include pinned gh-aw-node in manifest + predownload + MCP config. |
| .github/workflows/ace-editor.lock.yml | Regenerated lock file to include pinned gh-aw-node in manifest + predownload + MCP config. |
Copilot's findings
- Files reviewed: 102/262 changed files
- Comments generated: 0
@copilot merge main and recompile
✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready.
💫 TO BE CONTINUED... Smoke Claude failed to deliver outputs! Our hero faces unexpected challenges...
🚀 Smoke Antigravity MISSION COMPLETE! Antigravity has spoken. ✨
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...
📰 BREAKING: Smoke Copilot - AOAI (apikey) is now investigating this pull request. Sources say the story is developing...
📰 BREAKING: Smoke Copilot - AOAI (Entra) is now investigating this pull request. Sources say the story is developing...
Smoke test results: 1-4 ✅, 5 ❌. Overall: FAIL.
Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
network:
  allowed:
    - defaults
    - "localhost"
See Network Configuration for more information.
Agent Container Tool Check
Result: 12/12 tools available ✅ Overall Status: PASS
Smoke test 27655260778
PRs: #39689 "fix: restore MCP CLI concept explanation and fix safeoutputs framing"; #39687 "Record compiler ref in lock metadata for compiles"
Results: #1-#9 ✅
#10 skipped (no editable issue fields available)
Overall: PASS
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"
See Network Configuration for more information.
Comment Memory
Note
This comment is managed by comment memory. It stores persistent context for this thread in the code block at the top of this comment.
🧪 Smoke Test: Claude — Run 27655260785
Core tests #1-12: ✅ all passed
PR review tests:
Overall: PARTIAL (core PASS; #18 env-blocked, #19 skipped)
💥 Automated smoke test review - all systems nominal!
💥 [THE END] — Illustrated by Smoke Claude
| "digest": "sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388", | ||
| "pinned_image": "ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388" | ||
| }, | ||
| "ghcr.io/github/gh-aw-node": { |
Good — pinning the gh-aw-node image by digest here ensures reproducible, tamper-evident container resolution. ✅
| }, | ||
| "ghcr.io/github/gh-aw-node": { | ||
| "image": "ghcr.io/github/gh-aw-node", | ||
| "digest": "sha256:529d02eb970b1161aa25c593a9c3df57fdfad5a8add328cb3b6eccef66f3183b", |
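Review bot: In the lines shown, the "image" value for ghcr.io/github/gh-aw-node carries no tag, so the digest on the following line is the only record of which build is pinned, whereas the gh-aw-mcpg entry just above keeps v0.3.9 next to its digest in "pinned_image". Consider recording the tag or release the digest was resolved from in this entry, so that a later digest refresh can be reviewed against a known version.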
Consider adding a brief comment near this digest entry documenting when/how it should be refreshed, to ease future maintenance. 🔧
PR: Include and pin safe-outputs gh-aw-node image in default container predownload and manifest
Smoke review done.
📰 BREAKING: Report filed by Smoke Copilot
@copilot review all comments and address the note about documenting when the pinned gh-aw-node digest should be refreshed. Then refresh this branch and rerun checks.
Smoke Test Results:
Safe-outputs runs in ghcr.io/github/gh-aw-node, but that image was not part of the default container set used for predownload or recorded in the compiled gh-aw-manifest. This change makes the safe-outputs runtime image first-class in both places so generated workflows prefetch it and lock headers describe it accurately, and it resolves through embedded container pin data for predownload/manifest paths.
Container collection
- ghcr.io/github/gh-aw-node to the default collected container set whenever safe-outputs is enabled.
Manifest/header coverage
- workflowData.DockerImagePins, so compiled lock files include it under gh-aw-manifest.containers.
Pinned runtime config + MCP gateway compatibility
- ghcr.io/github/gh-aw-node.
- image[:tag] format for mcpServers.safeoutputs.container (instead of image@sha256:...).
Regression coverage
- Download container images step includes the pinned gh-aw-node image
- gh-aw-manifest header includes gh-aw-node
- gh-aw-node container reference
- node:lts-alpine
✨ PR Review Safe Output Test - Run 27655260785
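The review request in this thread, that every image listed in the manifest header be versioned or pinned to a hash, can be checked mechanically. The following is an added example, not code from the gh-aw project: it assumes the header lists images as "# - reference" lines as in the snippet quoted in the review, and AuditPins, Finding and the example.invalid entry are hypothetical names and constructed data.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Header lines from this page's review snippet, plus one constructed entry with a truncated digest.
const sampleHeader = `# - ghcr.io/github/gh-aw-firewall/cli-proxy:0.27.4@sha256:72c378c029d2fad4684847ab44c329e526ac6b1a78cdf97656870ea11d201545
# - ghcr.io/github/gh-aw-firewall/squid:0.27.4@sha256:87979038897e40caed22245b64d1daa796390d2dca289b99d3d1174c85740af8
# - ghcr.io/github/gh-aw-mcpg:v0.3.26@sha256:d3b03f54eee3a8176818c9a52087623e45b7f644a28814337fcc0838e2534490
# - ghcr.io/github/gh-aw-node
# - example.invalid/constructed/image:1.0@sha256:deadbeef`

var sha256Digest = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

// Finding describes one image reference that is not immutably pinned.
type Finding struct{ Ref, Reason string }

// AuditPins (hypothetical helper) returns a finding for every "# - <image>"
// entry that lacks a well-formed sha256 digest; a tag alone is mutable.
func AuditPins(header string) []Finding {
	var out []Finding
	for _, line := range strings.Split(header, "\n") {
		line = strings.TrimSpace(line)
		if !strings.HasPrefix(line, "# - ") {
			continue
		}
		ref := strings.TrimSpace(strings.TrimPrefix(line, "# - "))
		name, digest, hasDigest := strings.Cut(ref, "@")
		switch {
		case hasDigest && sha256Digest.MatchString(digest): // pinned by digest
		case hasDigest:
			out = append(out, Finding{ref, "malformed digest"})
		case strings.Contains(name[strings.LastIndex(name, "/")+1:], ":"):
			out = append(out, Finding{ref, "tag only"})
		default:
			out = append(out, Finding{ref, "no tag or digest"})
		}
	}
	return out
}

func main() {
	for _, f := range AuditPins(sampleHeader) {
		fmt.Printf("%s: %s\n", f.Ref, f.Reason)
	}
}
```

Run over a compiled lock file's header in CI, a non-empty result is a reason to fail the build before any container is pulled.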