Skip to content

Raise agent sandbox hardening baseline to 50% of eligible workflows#41786

Merged
pelikhan merged 4 commits into
mainfrom
copilot/update-agentic-workflows
Jun 27, 2026
Merged

Raise agent sandbox hardening baseline to 50% of eligible workflows#41786
pelikhan merged 4 commits into
mainfrom
copilot/update-agentic-workflows

Conversation

Copilot AI commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

This updates the workflow fleet to meet the requested baseline: at least 50% of agentic workflows now explicitly disable sudo in agent sandbox config. The change is limited to workflow definitions and their compiled lockfiles.

  • Coverage target

    • Added sandbox.agent.sudo: false to additional workflow markdown sources under .github/workflows/.
    • Resulting coverage is now 124/247 eligible workflows (50.2%).
    • Eligibility excludes provenance-managed workflow sources (source: frontmatter), which were left untouched.
  • Workflow source updates

    • Applied the sandbox setting in 50 additional .md workflow definitions.
    • Preserved existing sandbox structure where present; inserted the block where missing.
  • Compiled output sync

    • Regenerated corresponding .lock.yml files to keep compiled workflows aligned with source markdown.
    • Regenerated lockfiles also include compiler-derived runtime script/config updates observed in output sync, including:
      • rootless AWF install/run path changes
      • MCP gateway bridge networking adjustments
      • MCP_GATEWAY_DOMAIN naming update
      • removal of host-access flags
      • firewall chmod cleanup
sandbox:
  agent:
    sudo: false

\nrun: https://github.com/github/gh-aw/actions/runs/28268269291

Generated by 👨‍🍳 PR Sous Chef · 61.9 AIC · ⌖ 1.02 AIC · ⊞ 17.2K ·

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title Update 50% of workflows to disable sudo in agent sandbox Raise agent sandbox hardening baseline to 50% of eligible workflows Jun 26, 2026
Copilot AI requested a review from pelikhan June 26, 2026 19:21
@pelikhan pelikhan marked this pull request as ready for review June 26, 2026 19:35
Copilot AI review requested due to automatic review settings June 26, 2026 19:35
@github-actions

github-actions Bot commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅

@github-actions

github-actions Bot commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

⚠️ PR Code Quality Reviewer failed during code quality review.

@github-actions

github-actions Bot commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Design Decision Gate 🏗️ completed the design decision gate check.

No ADR enforcement needed: PR #41786 does not have the 'implementation' label and has 0 new lines of code in business logic directories (threshold: 100).

@github-actions

github-actions Bot commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Test Quality Sentinel completed test quality analysis.

No test files were added or modified in this PR. Test Quality Sentinel skipped. PR #41786 ('Raise agent sandbox hardening baseline to 50% of eligible workflows') only modifies GitHub Actions workflow .md and .lock.yml files — no Go or JavaScript test files were touched.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request updates the gh-aw workflow fleet to raise the agent sandbox hardening baseline by adding sandbox.agent.sudo: false to additional eligible workflow markdown definitions under .github/workflows/, and syncing the compiled .lock.yml outputs accordingly.

Changes:

  • Added sandbox.agent.sudo: false to additional workflow markdown sources to increase coverage toward the 50% baseline.
  • Regenerated corresponding workflow .lock.yml files so compiled outputs reflect the updated sandbox configuration.
  • As part of regenerated outputs, several lockfiles reflect rootless / network-isolation-related runtime adjustments alongside the sudo-disable setting.
Show a summary per file
File Description
.github/workflows/daily-model-inventory.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/daily-mcp-concurrency-analysis.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/daily-max-ai-credits-test.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/daily-max-ai-credits-test.lock.yml Regenerated compiled workflow to reflect updated sandbox configuration.
.github/workflows/daily-issues-report.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/daily-function-namer.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/daily-formal-spec-verifier.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/daily-firewall-report.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/daily-fact.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/daily-experiment-report.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/daily-doc-updater.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/daily-credit-limit-test.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/daily-credit-limit-test.lock.yml Regenerated compiled workflow to reflect updated sandbox configuration.
.github/workflows/daily-compiler-threat-spec-optimizer.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/daily-community-attribution.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/daily-code-metrics.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/daily-cli-tools-tester.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/daily-cli-tools-tester.lock.yml Regenerated compiled workflow to reflect updated sandbox configuration.
.github/workflows/daily-choice-test.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/daily-caveman-optimizer.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/daily-cache-strategy-analyzer.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/daily-awf-spec-compiler-surfacing.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/daily-aw-cross-repo-compile-check.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/daily-assign-issue-to-user.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/daily-architecture-diagram.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/daily-architecture-diagram.lock.yml Regenerated compiled workflow to reflect updated sandbox configuration.
.github/workflows/daily-ambient-context-optimizer.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/daily-agentrx-trace-optimizer.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/craft.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/copilot-session-insights.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/copilot-pr-merged-report.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/copilot-pr-merged-report.lock.yml Regenerated compiled workflow to reflect updated sandbox configuration.
.github/workflows/copilot-cli-deep-research.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/copilot-centralization-optimizer.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/copilot-centralization-optimizer.lock.yml Regenerated compiled workflow to reflect updated sandbox configuration.
.github/workflows/copilot-centralization-drilldown.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/copilot-centralization-drilldown.lock.yml Regenerated compiled workflow to reflect updated sandbox configuration.
.github/workflows/copilot-agent-analysis.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/contribution-check.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/commit-changes-analyzer.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/codex-github-remote-mcp-test.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/codex-github-remote-mcp-test.lock.yml Regenerated compiled workflow to reflect updated sandbox configuration.
.github/workflows/code-simplifier.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/cloclo.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/cli-version-checker.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/claude-code-user-docs-review.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/chaos-pr-bundle-fuzzer.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/breaking-change-checker.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/brave.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/bot-detection.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/bot-detection.lock.yml Regenerated compiled workflow to reflect updated sandbox configuration.
.github/workflows/ace-editor.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/ace-editor.lock.yml Regenerated compiled workflow to reflect updated sandbox configuration.
.github/workflows/aw-failure-investigator.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/architecture-guardian.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/architecture-guardian.lock.yml Regenerated compiled workflow to reflect updated sandbox configuration.
.github/workflows/approach-validator.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/api-consumption-report.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/agentic-token-trend-audit.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/agent-persona-explorer.md Adds sandbox.agent.sudo: false to the workflow definition.
.github/workflows/agent-performance-analyzer.md Adds sandbox.agent.sudo: false to the workflow definition.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 88/100 changed files
  • Comments generated: 1
  • Review effort level: Low

Comment on lines 409 to 413
env:
GH_HOST: github.com
- name: Install AWF binary
run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.11
run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.11 --rootless
- name: Determine automatic lockdown mode for GitHub MCP Server
@github-actions github-actions Bot mentioned this pull request Jun 26, 2026

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Skills-Based Review 🧠

Applied /zoom-out and /improve-codebase-architecture — no blocking issues, but several undocumented compiled-output changes deserve a PR description update before this lands.

📋 Key Themes & Highlights

What's in the diff beyond sandbox.agent.sudo: false

The recompiled lock files carry several changes that are not described in the PR body. All appear intentional and correct, but they constitute real behavioral changes in production workflows:

Change Files affected Risk
install_awf_binary.sh gains --rootless All 50 lock files Low — consistent with no-sudo mode
--network host--network bridge on MCP gateway Lock files with gateway Medium — isolates container from host network
MCP_GATEWAY_DOMAIN: host.docker.internalawmg-mcpg Same lock files Medium — breaks any hardcoded domain references
--enable-host-access --allow-host-ports 80,443,8080 removed from awf All 50 lock files Medium — removes host port access for agent sandbox
sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall removed All 50 lock files Low — correct, files no longer owned by root

Positive Highlights

  • ✅ Clean, minimal source changes — only the sandbox.agent.sudo: false block added to .md frontmatter
  • ✅ Provenance-managed workflows (source: frontmatter) correctly excluded
  • ✅ The --network bridge change is a meaningful security improvement over --network host
  • ✅ The coverage math (124/247 = 50.2%) is correctly described

Architecture observation

With half the workflow fleet still running with sudo, the security baseline remains asymmetric. A follow-on PR or a tracking issue for the remaining 50% would make the roadmap to full coverage explicit.

Note on diff truncation

The diff cap (3000 lines) covers only the first 2 of 100 changed files in this PR. The pattern in those files is consistent, but a full review of all 100 would require an uncapped diff.

🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · 108.4 AIC · ⌖ 11.4 AIC · ⊞ 6.6K

Comment thread .github/workflows/ace-editor.lock.yml Outdated
esac
DOCKER_SOCK_GID=$(stat -c '%g' "$DOCKER_SOCK_PATH" 2>/dev/null || echo '0')
export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --name awmg-mcpg --add-host host.docker.internal:127.0.0.1 --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.30'
export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.30'

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[/zoom-out] The MCP gateway is now launched with --network bridge instead of --network host, binding on 127.0.0.1:${MCP_GATEWAY_PORT} — this is a meaningful security improvement, but it is not described in the PR body.

💡 Why this matters

--network host made the MCP gateway container share the host network stack. --network bridge with an explicit loopback port binding isolates the container to its own network namespace and narrows the exposed surface to exactly one port.

Because this is an architectural security change beyond the sudo flag, it deserves explicit documentation:

  • Add a bullet in the PR description explaining the --network bridge migration.
  • Confirm all 50 recompiled workflows adopt the same bridge mode (the diff cap makes full verification impossible).
  • Verify that agent-side code resolving host.docker.internal has been updated to use awmg-mcpg (the new container name).

@copilot please address this.

# Export gateway environment variables for MCP config and gateway script
export MCP_GATEWAY_PORT="8080"
export MCP_GATEWAY_DOMAIN="host.docker.internal"
export MCP_GATEWAY_DOMAIN="awmg-mcpg"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[/zoom-out] MCP_GATEWAY_DOMAIN changed from host.docker.internal to awmg-mcpg (the container name on the new bridge network) — this is the agent-visible name for the MCP gateway and is not mentioned in the PR description.

💡 Context

Under --network host, the gateway was reachable at host.docker.internal (the loopback alias for the host). Under --network bridge, Docker resolves container names, so awmg-mcpg (the --name given to the gateway container) is the correct domain. The change is logically consistent, but:

  • Any hardcoded reference to host.docker.internal in agent prompts, tool configs, or documentation would silently break.
  • The PR description should call this out so reviewers can audit for such references.

@copilot please address this.

GH_HOST: github.com
- name: Install AWF binary
run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.11
run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.11 --rootless

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[/zoom-out] AWF binary install now passes --rootless — this is a compiled artifact of sandbox.agent.sudo: false but is not mentioned in the PR description, making the change set harder to review in full.

💡 Suggestion

The PR description lists three bullet categories (coverage target, workflow source updates, compiled output sync). Adding a sub-bullet like:

- AWF binary installed in rootless mode (`--rootless`), consistent with no-sudo sandbox execution

...would make the compiled diff self-explanatory for future reviewers and bisect operations.

@copilot please address this.

fi
# shellcheck disable=SC1003,SC2086
sudo -E awf --config "${RUNNER_TEMP}/gh-aw/awf-config.json" --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" ${GH_AW_TOOL_CACHE_MOUNT:+--mount "$GH_AW_TOOL_CACHE_MOUNT"} ${GH_AW_DOCKER_HOST:+--docker-host "$GH_AW_DOCKER_HOST"} ${GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS} --env-all --exclude-env COPILOT_GITHUB_TOKEN --exclude-env GITHUB_MCP_SERVER_TOKEN --exclude-env MCP_GATEWAY_API_KEY --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --enable-host-access --allow-host-ports 80,443,8080 --skip-pull \
awf --config "${RUNNER_TEMP}/gh-aw/awf-config.json" --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" ${GH_AW_TOOL_CACHE_MOUNT:+--mount "$GH_AW_TOOL_CACHE_MOUNT"} ${GH_AW_DOCKER_HOST:+--docker-host "$GH_AW_DOCKER_HOST"} ${GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS} --env-all --exclude-env COPILOT_GITHUB_TOKEN --exclude-env GITHUB_MCP_SERVER_TOKEN --exclude-env MCP_GATEWAY_API_KEY --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --skip-pull \

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[/zoom-out] --enable-host-access --allow-host-ports 80,443,8080 has been removed from the awf invocation — this is a functional behavior change that is not called out in the PR description.

💡 Impact

With --enable-host-access, the agent container could open TCP connections to the host on ports 80, 443, and 8080. Removing it tightens the firewall baseline for these workflows. Combined with the --network bridge change on the MCP gateway, this PR implements a substantially tighter network isolation model than described.

Please add a bullet to the PR description acknowledging this flag removal so reviewers can assess whether any workflow depended on host port access (e.g., a local proxy, test server, or tool expected on the runner's loopback).

@copilot please address this.

});
imports:
- shared/otlp.md
sandbox:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[/improve-codebase-architecture] The sandbox: block is placed after imports: here, but in other workflows it is placed after engine: — inconsistent positioning makes the frontmatter harder to scan at a glance.

💡 Suggested convention

Consider adopting a canonical frontmatter ordering for all workflow markdown files, for example:

---
# metadata (name, description, on, permissions, etc.)
engine: ...
sandbox:
  agent:
    sudo: false
imports: ...
tools: ...
---

A consistent slot for sandbox: means reviewers and automation can locate it predictably across the ~247 eligible workflows. If the compiler enforces an ordering during make recompile, this would be resolved automatically.

@copilot please address this.

@gh-aw-bot

Copy link
Copy Markdown
Collaborator

@copilot Thanks for the review — please update the PR description to call out the compiled lockfile changes noted in review (rootless install, bridge networking on the MCP gateway, the MCP_GATEWAY_DOMAIN rename, removal of host-access flags, and the firewall chmod cleanup). If the branch is behind main, please refresh/rebase and push the latest commit too. After that, I’ll recheck.

Generated by 👨‍🍳 PR Sous Chef · 106.7 AIC · ⌖ 0.995 AIC · ⊞ 17.2K ·

…c-workflows

Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>

Copilot AI commented Jun 26, 2026

Copy link
Copy Markdown
Contributor Author

@copilot Thanks for the review — please update the PR description to call out the compiled lockfile changes noted in review (rootless install, bridge networking on the MCP gateway, the MCP_GATEWAY_D...

Updated the PR description to call out the compiled lockfile/runtime behavior changes you listed, and refreshed the branch with latest main. Latest commit: 421694f9dc.

Copilot AI requested a review from gh-aw-bot June 26, 2026 21:32
@pelikhan

Copy link
Copy Markdown
Collaborator

@copilot Merge main and recompile.

@gh-aw-bot

Copy link
Copy Markdown
Collaborator

@copilot please run the pr-finisher skill, review and address any unresolved feedback, and rerun checks after the branch refresh is complete.

Generated by 👨‍🍳 PR Sous Chef · 61.9 AIC · ⌖ 1.02 AIC · ⊞ 17.2K ·

…c-workflows

# Conflicts:
#	.github/workflows/aw-failure-investigator.lock.yml
#	.github/workflows/daily-code-metrics.lock.yml
#	.github/workflows/daily-issues-report.lock.yml

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jun 26, 2026

Copy link
Copy Markdown
Contributor Author

@copilot Merge main and recompile.

Done in 62a9d4c: merged latest main and recompiled workflows.

Copilot AI commented Jun 26, 2026

Copy link
Copy Markdown
Contributor Author

@copilot please run the pr-finisher skill, review and address any unresolved feedback, and rerun checks after the branch refresh is complete.

...

Ran the pr-finisher pass and reviewed unresolved feedback.

  • The runtime-behavior feedback items are already reflected in the current PR description.
  • No additional code changes were required beyond 62a9d4c.
  • Re-ran checks locally on this branch: make fmt, make lint, make test-unit, make test, and make recompile all passed.

Note: CI on the PR head is not re-triggered by Copilot agent activity; a maintainer-triggered re-run is still needed for fresh required-check signals.

@pelikhan

Copy link
Copy Markdown
Collaborator

@copilot merge main and recompile

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jun 26, 2026

Copy link
Copy Markdown
Contributor Author

@copilot merge main and recompile

Done in 8ece5c7: merged latest main and recompiled workflows.

@pelikhan pelikhan merged commit 44942c0 into main Jun 27, 2026
@pelikhan pelikhan deleted the copilot/update-agentic-workflows branch June 27, 2026 00:02
@gh-aw-bot

Copy link
Copy Markdown
Collaborator

@copilot please run the pr-finisher skill, re-trigger the required Smoke CI and CGO checks, and confirm the branch is ready to merge once those signals are fresh.

Generated by 👨‍🍳 PR Sous Chef · 37 AIC · ⌖ 1.03 AIC · ⊞ 18.4K ·

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants