Bump firewall to v0.27.6 and mcpg to v0.3.27#40132
Conversation
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
✅ Test Quality Sentinel completed test quality analysis. No test files were added or modified in this PR. PR #40132 ('Bump firewall to v0.27.6 and mcpg to v0.3.27') only modifies .lock.yml workflow files and .github/aw/actions-lock.json — no *_test.go, *.test.cjs, or *.test.js files were changed. Test Quality Sentinel skipped.

✅ PR Code Quality Reviewer completed the code quality review.

🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅

✅ Design Decision Gate 🏗️ completed the design decision gate check. No ADR enforcement needed: PR #40132 does not have the 'implementation' label and has 0 new lines of code in business logic directories (≤100 threshold).
Pull request overview
This pull request bumps the pinned default versions for the gh-aw-firewall (AWF) runtime and gh-aw-mcpg (MCP Gateway) and propagates those version updates through the repository’s pinned image catalogs and generated workflow artifacts (lockfiles + golden outputs).
Changes:
- Bump default AWF version to v0.27.6 and MCP Gateway version to v0.3.27.
- Add/update SHA-256 digest pins for the new firewall + mcpg container images in the shared pin catalogs.
- Regenerate workflow lock outputs and test golden files to reflect the new versions, schema URL, and image references.
| File | Description |
|---|---|
| pkg/constants/version_constants.go | Updates default pinned versions for AWF and MCP Gateway. |
| .github/aw/actions-lock.json | Adds digest pins for gh-aw-firewall:*:0.27.6 and gh-aw-mcpg:v0.3.27. |
| pkg/actionpins/data/action_pins.json | Syncs new container digest pins into the actionpins dataset. |
| pkg/workflow/data/action_pins.json | Syncs new container digest pins into the workflow dataset. |
| .github/workflows/test-workflow.lock.yml | Regenerated lock workflow referencing updated AWF/MCPG versions and digests. |
| .github/workflows/example-permissions-warning.lock.yml | Regenerated lock workflow referencing updated AWF/MCPG versions and digests. |
| .github/workflows/codex-github-remote-mcp-test.lock.yml | Regenerated lock workflow referencing updated AWF/MCPG versions and digests. |
| .github/workflows/bot-detection.lock.yml | Regenerated lock workflow referencing updated AWF/MCPG versions and digests. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden | Updates expected compiled output strings to AWF v0.27.6 and MCPG v0.3.27. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden | Updates expected compiled output strings to AWF v0.27.6 and MCPG v0.3.27. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden | Updates expected compiled output strings to AWF v0.27.6 and MCPG v0.3.27. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden | Updates expected compiled output strings to AWF v0.27.6 and MCPG v0.3.27. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/pi.golden | Updates expected compiled output strings to AWF v0.27.6 and MCPG v0.3.27. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/gemini.golden | Updates expected compiled output strings to AWF v0.27.6 and MCPG v0.3.27. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden | Updates expected compiled output strings to AWF v0.27.6 and MCPG v0.3.27. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden | Updates expected compiled output strings to AWF v0.27.6 and MCPG v0.3.27. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/claude.golden | Updates expected compiled output strings to AWF v0.27.6 and MCPG v0.3.27. |
| .changeset/patch-bump-awf-v0-27-6-mcpg-v0-3-27.md | Adds a patch changeset describing the version bumps and motivation. |
Copilot's findings
- Files reviewed: 34/264 changed files
- Comments generated: 0
✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

🚀 Smoke Antigravity MISSION COMPLETE! Antigravity has spoken. ✨

🚀 Smoke Pi MISSION COMPLETE! Pi delivered. 🥧

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready.

🚀 Smoke Gemini MISSION COMPLETE! Gemini has spoken. ✨

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

📰 BREAKING: Smoke Copilot - AOAI (Entra) is now investigating this pull request. Sources say the story is developing...

📰 BREAKING: Smoke Copilot - AOAI (apikey) is now investigating this pull request. Sources say the story is developing...
Skills-Based Review 🧠
Applied /zoom-out and /diagnose — approving. Clean, well-executed version bump that fixes a silent production regression.
📋 Key Themes & Highlights
Verification
- ✅ Three-way pin consistency: all 5 new image digests (`agent`, `api-proxy`, `cli-proxy`, `squid` at `0.27.6`; `gh-aw-mcpg` at `v0.3.27`) are identical across `.github/aw/actions-lock.json`, `pkg/actionpins/data/action_pins.json`, and `pkg/workflow/data/action_pins.json`.
- ✅ Golden files correct: 14 updated snapshots reference `v0.27.6`/`v0.3.27`; no stale `0.27.4`/`v0.3.26` strings remain.
- ✅ Two-recompile process followed: `GH_AW_INFO_AWF_VERSION` and `imageTag` in golden files confirm the double-pass ran correctly.
- ✅ Changeset is `patch` with accurate root-cause description (missing `token-tracker-shared.js` / OTEL modules from api-proxy Docker COPY list).
- ✅ Old pins preserved: `0.27.4`/`v0.3.26` entries remain in lock files for workflows still pinned to prior versions.
Minor Observation
The bump skips v0.27.5. This is fine given the fast-track patch-on-patch rationale, but a one-liner in the PR description confirming v0.27.5 was never pinned here would be useful provenance context for future readers.
Positive Highlights
- 🎯 Excellent root-cause documentation in both PR body and changeset — the COPY-list omission is clearly named.
- 🔒 Digest pins are additive; prior provenance anchors are correctly preserved.
🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · 89.9 AIC · ⌖ 8.02 AIC · ⊞ 6.9K
Agent Container Tool Check
Result: 12/12 tools available ✅ Overall Status: PASS
✅ GitHub MCP Testing

Warning: Firewall blocked 1 domain. The following domain was blocked by the firewall during workflow execution:

```yaml
network:
  allowed:
    - defaults
    - "localhost"
```

See Network Configuration for more information.
Smoke Test: Codex - 27784201719

Warning: Firewall blocked 6 domains. The following domains were blocked by the firewall during workflow execution:

```yaml
network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"
```

See Network Configuration for more information.
Comment Memory

Note: This comment is managed by comment memory. It stores persistent context for this thread in the code block at the top of this comment.

Warning: Firewall blocked 6 domains. The following domains were blocked by the firewall during workflow execution:

```yaml
network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"
```

See Network Configuration for more information.
💥 Smoke Test: Claude — Run 27784201892 — PASS

Core #1-12: ✅ all passed. Claude engine nominal! 🚀

Warning: Firewall blocked 6 domains. The following domains were blocked by the firewall during workflow execution:

```yaml
network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"
```

See Network Configuration for more information.
💥 Automated smoke test review - all systems nominal!

Warning: Firewall blocked 6 domains. The following domains were blocked by the firewall during workflow execution:

- accounts.google.com
- android.clients.google.com
- clients2.google.com
- contentautofill.googleapis.com
- safebrowsingohttpgateway.googleapis.com
- www.google.com

To allow these domains, add them to the `network.allowed` list in your workflow frontmatter:

```yaml
network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"
```

See Network Configuration for more information.
💥 [THE END] — Illustrated by Smoke Claude · 70.5 AIC · ⌖ 28 AIC · ⊞ 8.5K
Review comments on `.changeset/patch-bump-awf-v0-27-6-mcpg-v0-3-27.md`:

```markdown
"gh-aw": patch
---

Bump the default `gh-aw-firewall` version to `v0.27.6` and `gh-aw-mcpg` version to `v0.3.27`, then regenerate pinned workflow artifacts.
```

💥 Smoke test: Clear, concise changeset summary — nicely done!

```markdown
Firewall v0.27.6 notably fixes the api-proxy AIC=0 token-usage regression (the `token-tracker-shared.js` / OTEL modules were missing from the api-proxy Docker image COPY list, silently disabling all token tracking) and the Copilot cache-write token fidelity accounting.
```

💥 Smoke test: Great detail on the token-tracking regression fix context.
No blocking issues found. Clean version bump with correct, complete propagation.
Review summary
What was checked
- Version constants (`pkg/constants/version_constants.go`): `DefaultFirewallVersion` v0.27.4 → v0.27.6, `DefaultMCPGatewayVersion` v0.3.26 → v0.3.27 — correct.
- Pin catalog sync: All three JSON files (`.github/aw/actions-lock.json`, `pkg/actionpins/data/action_pins.json`, `pkg/workflow/data/action_pins.json`) have identical diffs with consistent SHA-256 digest values — correctly in sync.
- Recompile completeness: Zero lock files retain stale `0.27.4` or `v0.3.26` image references. All 142 cli-proxy-referencing workflows updated to `0.27.6`. Recompile was run fully and is clean.
- Golden file accuracy: All version touch-points updated correctly — schema URL, `imageTag`, `install_awf_binary.sh` argument, `GH_AW_INFO_AWF_VERSION` env, `download_docker_images.sh` image list, and `MCP_GATEWAY_DOCKER_COMMAND` reference.
- Version skip v0.27.4→v0.27.6: v0.27.5 has no presence anywhere in the repository (no pins, no references). Consistent with the pin catalog; PR description explicitly documents the jump.
🔎 Code quality review by PR Code Quality Reviewer · 232.2 AIC · ⌖ 7.07 AIC · ⊞ 5.1K
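The three-way digest-pin consistency check and the stale-version sweep that the reviews above describe can be automated so that a future bump cannot drift one catalog away from the others. The following Python script is an added example and is not gh-aw project code or part of this PR; the catalog layout it reads (a flat mapping from image reference to sha256 digest), the `ghcr.io/example-org` registry prefix and the digest values are constructed assumptions, not the real structure or contents of the repository's JSON files. Only the image names and tags come from the PR.

```python
"""Cross-check container image digest pins across several pin catalogs and
flag stale version strings in regenerated artifacts.

Added example, not gh-aw project code. The catalog layout used here (a flat
mapping from image reference to sha256 digest) is an assumption, as are the
registry prefix and the digest values.
"""
import hashlib
import re
from typing import Dict, Iterable, List

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Assumed registry prefix; the real one is not stated in the PR.
REGISTRY = "ghcr.io/example-org"

# Image names and tags taken from the PR description.
EXPECTED_REFS = [
    f"{REGISTRY}/gh-aw-firewall/agent:0.27.6",
    f"{REGISTRY}/gh-aw-firewall/api-proxy:0.27.6",
    f"{REGISTRY}/gh-aw-firewall/squid:0.27.6",
    f"{REGISTRY}/gh-aw-firewall/cli-proxy:0.27.6",
    f"{REGISTRY}/gh-aw-mcpg:v0.3.27",
]


def placeholder_digest(seed: str) -> str:
    """Deterministic constructed digest for sample data (not a real image digest)."""
    return "sha256:" + hashlib.sha256(seed.encode("utf-8")).hexdigest()


# Constructed sample catalogs that mirror the three files named in the review.
CATALOGS: Dict[str, Dict[str, str]] = {
    path: {ref: placeholder_digest(ref) for ref in EXPECTED_REFS}
    for path in (
        ".github/aw/actions-lock.json",
        "pkg/actionpins/data/action_pins.json",
        "pkg/workflow/data/action_pins.json",
    )
}


def check_pins(catalogs: Dict[str, Dict[str, str]], expected_refs: Iterable[str]) -> List[str]:
    """Return a list of problems; an empty list means every catalog agrees.

    For each expected image reference, every catalog must carry a pin, the
    pin must be a well-formed sha256 digest, and all catalogs must agree on it.
    """
    problems: List[str] = []
    for ref in expected_refs:
        digests: Dict[str, str] = {}
        for path, catalog in catalogs.items():
            digest = catalog.get(ref)
            if digest is None:
                problems.append(f"{path}: missing pin for {ref}")
            elif not DIGEST_RE.match(digest):
                problems.append(f"{path}: malformed digest for {ref}: {digest}")
            else:
                digests[path] = digest
        if len(set(digests.values())) > 1:
            detail = ", ".join(f"{p}={d[7:19]}" for p, d in sorted(digests.items()))
            problems.append(f"digest mismatch for {ref}: {detail}")
    return problems


def find_stale_versions(text: str, stale: Iterable[str] = ("0.27.4", "v0.3.26")) -> List[str]:
    """Return the stale version strings that still occur in a regenerated artifact.

    Matches are bounded by non-digit, non-dot characters so that "0.27.4"
    is found inside "v0.27.4" but not inside "0.27.46".
    """
    found: List[str] = []
    for version in stale:
        pattern = r"(?<![\d.])" + re.escape(version) + r"(?![\d.])"
        if re.search(pattern, text):
            found.append(version)
    return found


if __name__ == "__main__":
    print("consistent catalogs:", check_pins(CATALOGS, EXPECTED_REFS) or "OK")
    # Simulate one catalog drifting on a single image and show that it is caught.
    drifted = {p: dict(c) for p, c in CATALOGS.items()}
    drifted["pkg/workflow/data/action_pins.json"][EXPECTED_REFS[1]] = placeholder_digest("drift")
    print("drifted catalogs:", check_pins(drifted, EXPECTED_REFS))
    # Constructed lock-file fragment that still carries an old version string.
    sample = "image: gh-aw-firewall/cli-proxy:0.27.6\nGH_AW_INFO_AWF_VERSION: v0.27.4\n"
    print("stale versions:", find_stale_versions(sample))
```

In a real repository the three `CATALOGS` entries would be loaded with `json.load` from the named files and `EXPECTED_REFS` derived from the version constants, so the script can run as a CI gate before a regenerated lockfile set is merged.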
PR: Bump firewall to v0.27.6 and mcpg to v0.3.27

Warning: Firewall blocked 6 domains. The following domains were blocked by the firewall during workflow execution:

```yaml
network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"
```

See Network Configuration for more information.
Comment Memory

Note: This comment is managed by comment memory. It stores persistent context for this thread in the code block at the top of this comment.

Warning: Firewall blocked 6 domains. The following domains were blocked by the firewall during workflow execution:

```yaml
network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"
```

See Network Configuration for more information.
Smoke review done. Small notes above.

Warning: Firewall blocked 6 domains. The following domains were blocked by the firewall during workflow execution:

- accounts.google.com
- android.clients.google.com
- clients2.google.com
- contentautofill.googleapis.com
- safebrowsingohttpgateway.googleapis.com
- www.google.com

To allow these domains, add them to the `network.allowed` list in your workflow frontmatter:

```yaml
network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"
```

See Network Configuration for more information.
📰 BREAKING: Report filed by Smoke Copilot · 417.1 AIC · ⌖ 15 AIC · ⊞ 19.2K
Bumps the pinned default versions for `gh-aw-firewall` (v0.27.4 → v0.27.6) and `gh-aw-mcpg` (v0.3.26 → v0.3.27). Firewall v0.27.6 fixes the api-proxy AIC=0 token-usage regression where `token-tracker-shared.js`/OTEL modules were missing from the Docker image COPY list, silently zeroing all token tracking, plus Copilot cache-write token fidelity accounting.

Changes

- `pkg/constants/version_constants.go` — bump `DefaultFirewallVersion` and `DefaultMCPGatewayVersion`
- `.github/aw/actions-lock.json` — add SHA-256 digest pins for the five new images: `gh-aw-firewall/{agent,api-proxy,squid,cli-proxy}:0.27.6` and `gh-aw-mcpg:v0.3.27`
- `pkg/{actionpins,workflow}/data/action_pins.json` — synced from actions-lock.json
- `.github/workflows/*.lock.yml` (~200 files) — recompiled twice to pick up new image tags and digest pins
- `pkg/workflow/testdata/**/*.golden` (14 files) — updated expected outputs for new AWF version string, schema URL, `imageTag`, and firewall image references
- `.changeset/patch-bump-awf-v0-27-6-mcpg-v0-3-27.md` — patch changeset

✨ PR Review Safe Output Test - Run 27784201892
Warning: Firewall blocked 6 domains. The following domains were blocked by the firewall during workflow execution:

- accounts.google.com
- android.clients.google.com
- clients2.google.com
- contentautofill.googleapis.com
- safebrowsingohttpgateway.googleapis.com
- www.google.com

See Network Configuration for more information.