Raise agent sandbox hardening baseline to 50% of eligible workflows#41786
Conversation
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
|
🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅ |
|
|
|
✅ Design Decision Gate 🏗️ completed the design decision gate check. No ADR enforcement needed: PR #41786 does not have the 'implementation' label and has 0 new lines of code in business logic directories (threshold: 100). |
|
✅ Test Quality Sentinel completed test quality analysis. No test files were added or modified in this PR. Test Quality Sentinel skipped. PR #41786 ('Raise agent sandbox hardening baseline to 50% of eligible workflows') only modifies GitHub Actions workflow .md and .lock.yml files — no Go or JavaScript test files were touched. |
There was a problem hiding this comment.
Pull request overview
This pull request updates the gh-aw workflow fleet to raise the agent sandbox hardening baseline by adding sandbox.agent.sudo: false to additional eligible workflow markdown definitions under .github/workflows/, and syncing the compiled .lock.yml outputs accordingly.
Changes:
- Added
sandbox.agent.sudo: falseto additional workflow markdown sources to increase coverage toward the 50% baseline. - Regenerated corresponding workflow
.lock.ymlfiles so compiled outputs reflect the updated sandbox configuration. - As part of regenerated outputs, several lockfiles reflect rootless / network-isolation-related runtime adjustments alongside the sudo-disable setting.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/daily-model-inventory.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/daily-mcp-concurrency-analysis.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/daily-max-ai-credits-test.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/daily-max-ai-credits-test.lock.yml | Regenerated compiled workflow to reflect updated sandbox configuration. |
| .github/workflows/daily-issues-report.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/daily-function-namer.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/daily-formal-spec-verifier.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/daily-firewall-report.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/daily-fact.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/daily-experiment-report.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/daily-doc-updater.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/daily-credit-limit-test.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/daily-credit-limit-test.lock.yml | Regenerated compiled workflow to reflect updated sandbox configuration. |
| .github/workflows/daily-compiler-threat-spec-optimizer.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/daily-community-attribution.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/daily-code-metrics.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/daily-cli-tools-tester.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/daily-cli-tools-tester.lock.yml | Regenerated compiled workflow to reflect updated sandbox configuration. |
| .github/workflows/daily-choice-test.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/daily-caveman-optimizer.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/daily-cache-strategy-analyzer.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/daily-awf-spec-compiler-surfacing.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/daily-aw-cross-repo-compile-check.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/daily-assign-issue-to-user.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/daily-architecture-diagram.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/daily-architecture-diagram.lock.yml | Regenerated compiled workflow to reflect updated sandbox configuration. |
| .github/workflows/daily-ambient-context-optimizer.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/daily-agentrx-trace-optimizer.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/craft.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/copilot-session-insights.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/copilot-pr-merged-report.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/copilot-pr-merged-report.lock.yml | Regenerated compiled workflow to reflect updated sandbox configuration. |
| .github/workflows/copilot-cli-deep-research.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/copilot-centralization-optimizer.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/copilot-centralization-optimizer.lock.yml | Regenerated compiled workflow to reflect updated sandbox configuration. |
| .github/workflows/copilot-centralization-drilldown.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/copilot-centralization-drilldown.lock.yml | Regenerated compiled workflow to reflect updated sandbox configuration. |
| .github/workflows/copilot-agent-analysis.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/contribution-check.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/commit-changes-analyzer.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/codex-github-remote-mcp-test.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/codex-github-remote-mcp-test.lock.yml | Regenerated compiled workflow to reflect updated sandbox configuration. |
| .github/workflows/code-simplifier.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/cloclo.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/cli-version-checker.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/claude-code-user-docs-review.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/chaos-pr-bundle-fuzzer.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/breaking-change-checker.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/brave.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/bot-detection.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/bot-detection.lock.yml | Regenerated compiled workflow to reflect updated sandbox configuration. |
| .github/workflows/ace-editor.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/ace-editor.lock.yml | Regenerated compiled workflow to reflect updated sandbox configuration. |
| .github/workflows/aw-failure-investigator.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/architecture-guardian.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/architecture-guardian.lock.yml | Regenerated compiled workflow to reflect updated sandbox configuration. |
| .github/workflows/approach-validator.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/api-consumption-report.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/agentic-token-trend-audit.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/agent-persona-explorer.md | Adds sandbox.agent.sudo: false to the workflow definition. |
| .github/workflows/agent-performance-analyzer.md | Adds sandbox.agent.sudo: false to the workflow definition. |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 88/100 changed files
- Comments generated: 1
- Review effort level: Low
| env: | ||
| GH_HOST: github.com | ||
| - name: Install AWF binary | ||
| run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.11 | ||
| run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.11 --rootless | ||
| - name: Determine automatic lockdown mode for GitHub MCP Server |
There was a problem hiding this comment.
Skills-Based Review 🧠
Applied /zoom-out and /improve-codebase-architecture — no blocking issues, but several undocumented compiled-output changes deserve a PR description update before this lands.
📋 Key Themes & Highlights
What's in the diff beyond sandbox.agent.sudo: false
The recompiled lock files carry several changes that are not described in the PR body. All appear intentional and correct, but they constitute real behavioral changes in production workflows:
| Change | Files affected | Risk |
|---|---|---|
install_awf_binary.sh gains --rootless |
All 50 lock files | Low — consistent with no-sudo mode |
--network host → --network bridge on MCP gateway |
Lock files with gateway | Medium — isolates container from host network |
MCP_GATEWAY_DOMAIN: host.docker.internal → awmg-mcpg |
Same lock files | Medium — breaks any hardcoded domain references |
--enable-host-access --allow-host-ports 80,443,8080 removed from awf |
All 50 lock files | Medium — removes host port access for agent sandbox |
sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall removed |
All 50 lock files | Low — correct, files no longer owned by root |
Positive Highlights
- ✅ Clean, minimal source changes — only the
sandbox.agent.sudo: falseblock added to.mdfrontmatter - ✅ Provenance-managed workflows (
source:frontmatter) correctly excluded - ✅ The
--network bridgechange is a meaningful security improvement over--network host - ✅ The coverage math (124/247 = 50.2%) is correctly described
Architecture observation
With half the workflow fleet still running with sudo, the security baseline remains asymmetric. A follow-on PR or a tracking issue for the remaining 50% would make the roadmap to full coverage explicit.
Note on diff truncation
The diff cap (3000 lines) covers only the first 2 of 100 changed files in this PR. The pattern in those files is consistent, but a full review of all 100 would require an uncapped diff.
🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · 108.4 AIC · ⌖ 11.4 AIC · ⊞ 6.6K
| esac | ||
| DOCKER_SOCK_GID=$(stat -c '%g' "$DOCKER_SOCK_PATH" 2>/dev/null || echo '0') | ||
| export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --name awmg-mcpg --add-host host.docker.internal:127.0.0.1 --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.30' | ||
| export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.30' |
There was a problem hiding this comment.
[/zoom-out] The MCP gateway is now launched with --network bridge instead of --network host, binding on 127.0.0.1:${MCP_GATEWAY_PORT} — this is a meaningful security improvement, but it is not described in the PR body.
💡 Why this matters
--network host made the MCP gateway container share the host network stack. --network bridge with an explicit loopback port binding isolates the container to its own network namespace and narrows the exposed surface to exactly one port.
Because this is an architectural security change beyond the sudo flag, it deserves explicit documentation:
- Add a bullet in the PR description explaining the
--network bridgemigration. - Confirm all 50 recompiled workflows adopt the same bridge mode (the diff cap makes full verification impossible).
- Verify that agent-side code resolving
host.docker.internalhas been updated to useawmg-mcpg(the new container name).
@copilot please address this.
| # Export gateway environment variables for MCP config and gateway script | ||
| export MCP_GATEWAY_PORT="8080" | ||
| export MCP_GATEWAY_DOMAIN="host.docker.internal" | ||
| export MCP_GATEWAY_DOMAIN="awmg-mcpg" |
There was a problem hiding this comment.
[/zoom-out] MCP_GATEWAY_DOMAIN changed from host.docker.internal to awmg-mcpg (the container name on the new bridge network) — this is the agent-visible name for the MCP gateway and is not mentioned in the PR description.
💡 Context
Under --network host, the gateway was reachable at host.docker.internal (the loopback alias for the host). Under --network bridge, Docker resolves container names, so awmg-mcpg (the --name given to the gateway container) is the correct domain. The change is logically consistent, but:
- Any hardcoded reference to
host.docker.internalin agent prompts, tool configs, or documentation would silently break. - The PR description should call this out so reviewers can audit for such references.
@copilot please address this.
| GH_HOST: github.com | ||
| - name: Install AWF binary | ||
| run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.11 | ||
| run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.11 --rootless |
There was a problem hiding this comment.
[/zoom-out] AWF binary install now passes --rootless — this is a compiled artifact of sandbox.agent.sudo: false but is not mentioned in the PR description, making the change set harder to review in full.
💡 Suggestion
The PR description lists three bullet categories (coverage target, workflow source updates, compiled output sync). Adding a sub-bullet like:
- AWF binary installed in rootless mode (`--rootless`), consistent with no-sudo sandbox execution
...would make the compiled diff self-explanatory for future reviewers and bisect operations.
@copilot please address this.
| fi | ||
| # shellcheck disable=SC1003,SC2086 | ||
| sudo -E awf --config "${RUNNER_TEMP}/gh-aw/awf-config.json" --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" ${GH_AW_TOOL_CACHE_MOUNT:+--mount "$GH_AW_TOOL_CACHE_MOUNT"} ${GH_AW_DOCKER_HOST:+--docker-host "$GH_AW_DOCKER_HOST"} ${GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS} --env-all --exclude-env COPILOT_GITHUB_TOKEN --exclude-env GITHUB_MCP_SERVER_TOKEN --exclude-env MCP_GATEWAY_API_KEY --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --enable-host-access --allow-host-ports 80,443,8080 --skip-pull \ | ||
| awf --config "${RUNNER_TEMP}/gh-aw/awf-config.json" --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" ${GH_AW_TOOL_CACHE_MOUNT:+--mount "$GH_AW_TOOL_CACHE_MOUNT"} ${GH_AW_DOCKER_HOST:+--docker-host "$GH_AW_DOCKER_HOST"} ${GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS} --env-all --exclude-env COPILOT_GITHUB_TOKEN --exclude-env GITHUB_MCP_SERVER_TOKEN --exclude-env MCP_GATEWAY_API_KEY --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --skip-pull \ |
There was a problem hiding this comment.
[/zoom-out] --enable-host-access --allow-host-ports 80,443,8080 has been removed from the awf invocation — this is a functional behavior change that is not called out in the PR description.
💡 Impact
With --enable-host-access, the agent container could open TCP connections to the host on ports 80, 443, and 8080. Removing it tightens the firewall baseline for these workflows. Combined with the --network bridge change on the MCP gateway, this PR implements a substantially tighter network isolation model than described.
Please add a bullet to the PR description acknowledging this flag removal so reviewers can assess whether any workflow depended on host port access (e.g., a local proxy, test server, or tool expected on the runner's loopback).
@copilot please address this.
| }); | ||
| imports: | ||
| - shared/otlp.md | ||
| sandbox: |
There was a problem hiding this comment.
[/improve-codebase-architecture] The sandbox: block is placed after imports: here, but in other workflows it is placed after engine: — inconsistent positioning makes the frontmatter harder to scan at a glance.
💡 Suggested convention
Consider adopting a canonical frontmatter ordering for all workflow markdown files, for example:
---
# metadata (name, description, on, permissions, etc.)
engine: ...
sandbox:
agent:
sudo: false
imports: ...
tools: ...
---A consistent slot for sandbox: means reviewers and automation can locate it predictably across the ~247 eligible workflows. If the compiler enforces an ordering during make recompile, this would be resolved automatically.
@copilot please address this.
|
@copilot Thanks for the review — please update the PR description to call out the compiled lockfile changes noted in review (rootless install, bridge networking on the MCP gateway, the MCP_GATEWAY_DOMAIN rename, removal of host-access flags, and the firewall chmod cleanup). If the branch is behind main, please refresh/rebase and push the latest commit too. After that, I’ll recheck.
|
…c-workflows Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
Updated the PR description to call out the compiled lockfile/runtime behavior changes you listed, and refreshed the branch with latest |
|
@copilot Merge main and recompile. |
|
@copilot please run the
|
…c-workflows # Conflicts: # .github/workflows/aw-failure-investigator.lock.yml # .github/workflows/daily-code-metrics.lock.yml # .github/workflows/daily-issues-report.lock.yml Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Done in |
Ran the pr-finisher pass and reviewed unresolved feedback.
Note: CI on the PR head is not re-triggered by Copilot agent activity; a maintainer-triggered re-run is still needed for fresh required-check signals. |
|
@copilot merge main and recompile |
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Done in |
|
@copilot please run the
|
This updates the workflow fleet to meet the requested baseline: at least 50% of agentic workflows now explicitly disable sudo in agent sandbox config. The change is limited to workflow definitions and their compiled lockfiles.
Coverage target
sandbox.agent.sudo: falseto additional workflow markdown sources under.github/workflows/.source:frontmatter), which were left untouched.Workflow source updates
.mdworkflow definitions.Compiled output sync
.lock.ymlfiles to keep compiled workflows aligned with source markdown.MCP_GATEWAY_DOMAINnaming update\nrun: https://github.com/github/gh-aw/actions/runs/28268269291