Update agentic workflows (gh aw v0.81.6) — preserve container pins #9537
Merged
Evangelink merged 1 commit on Jun 30, 2026
Ran `gh aw update` with gh-aw v0.81.6, which includes the fix for the container-pin wipe bug (github/gh-aw#41262). The actions-lock.json `containers` section (the binlog-mcp image pin) is now preserved instead of being deleted on every update. Bumps github/gh-aw-actions/setup(-cli) v0.80.9 -> v0.81.6 and recompiles source-managed workflows (firewall 0.27.7 -> 0.27.11, mcpg v0.3.27 -> v0.3.30, all digest-pinned). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Evangelink
approved these changes
Jun 30, 2026
Pull request overview
Updates the repo’s gh-aw compiled workflow lock files and .github/aw/actions-lock.json to align with gh-aw v0.81.6, with an emphasis on preserving the containers pin(s) in actions-lock.json (notably the binlog MCP image) while refreshing action/container digests referenced by compiled workflows.
Changes:
- Recompiled workflow `.lock.yml` files with gh-aw v0.81.6, updating embedded action SHAs and container image digests.
- Updated `.github/aw/actions-lock.json` to reference `github/gh-aw-actions/*` v0.81.6 and retained the `containers` section.
- Introduced additional runtime env wiring in compiled workflows (e.g., `GH_AW_RUNTIME_FEATURES`, updated AWF tooling versions, and updated MCP gateway wiring).
Reviewed changes
Copilot reviewed 15 out of 15 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
| .github/workflows/sub-issue-closer.lock.yml | Recompiled lock; updates action/container pins and adjusts detection + MCP config wiring. |
| .github/workflows/pr-fix.lock.yml | Recompiled lock; updates action/container pins and adjusts detection + MCP config wiring. |
| .github/workflows/malicious-code-scan.lock.yml | Recompiled lock; updates action/container pins and adjusts detection + MCP config wiring. |
| .github/workflows/duplicate-code-detector.lock.yml | Recompiled lock; updates action/container pins and adjusts detection + MCP config wiring. |
| .github/aw/actions-lock.json | Bumps gh-aw setup actions to v0.81.6 and preserves container pin metadata. |
Comment on lines +729 to +730
| "GITHUB_HOST": "${GITHUB_SERVER_URL}", | ||
| "GITHUB_PERSONAL_ACCESS_TOKEN": "${GITHUB_MCP_SERVER_TOKEN}", |
| - agent | ||
| if: > | ||
| always() && needs.agent.result != 'skipped' && (needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true') | ||
| if: always() && needs.agent.result != 'skipped' |
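Review bot: the two `if:` forms in the last three lines differ only in the `(needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true')` clause. The +/- markers did not survive on this page, but if the single-line form is the new side, the job now runs whenever the agent job was not skipped, including when it produced no output types and no patch. Confirm that the job's steps tolerate missing agent output instead of failing, or keep the output guard on the individual steps that need it.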
Comment on lines 640 to 642
| "labels": { | ||
| "type": "array", | ||
| "itemType": "string", | ||
| "itemSanitize": true, | ||
| "itemMaxLength": 128 | ||
| "type": "array" | ||
| }, |
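Review bot: the `labels` entry appears both with `"itemType": "string"`, `"itemSanitize": true`, `"itemMaxLength": 128` and as a bare `"type": "array"`; if the bare form is the new side (the +/- markers are not visible here), label items lose their declared per-item sanitization and length cap. Because this is compiler output, confirm that gh-aw v0.81.6 still enforces item sanitization and a length limit for labels elsewhere before merging the recompiled lock file, and record the answer in the PR.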
Comment on lines +798 to +799
| "GITHUB_HOST": "${GITHUB_SERVER_URL}", | ||
| "GITHUB_PERSONAL_ACCESS_TOKEN": "${GITHUB_MCP_SERVER_TOKEN}", |
| - agent | ||
| if: > | ||
| always() && needs.agent.result != 'skipped' && (needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true') | ||
| if: always() && needs.agent.result != 'skipped' |
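Review bot: on the first two lines, `GITHUB_PERSONAL_ACCESS_TOKEN` is filled from `${GITHUB_MCP_SERVER_TOKEN}` next to `GITHUB_HOST`, but nothing visible shows where that variable is set or which scopes the token carries. The same pair recurs in the other hunks on this page, so check once that it resolves to the least-privileged token the MCP server needs and that the rendered config is never echoed to the job log.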
Comment on lines +696 to +697
| "GITHUB_HOST": "${GITHUB_SERVER_URL}", | ||
| "GITHUB_PERSONAL_ACCESS_TOKEN": "${GITHUB_MCP_SERVER_TOKEN}", |
| - agent | ||
| if: > | ||
| always() && needs.agent.result != 'skipped' && (needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true') | ||
| if: always() && needs.agent.result != 'skipped' |
Comment on lines +699 to +700
| "GITHUB_HOST": "${GITHUB_SERVER_URL}", | ||
| "GITHUB_PERSONAL_ACCESS_TOKEN": "${GITHUB_MCP_SERVER_TOKEN}", |
| - agent | ||
| if: > | ||
| always() && needs.agent.result != 'skipped' && (needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true') | ||
| if: always() && needs.agent.result != 'skipped' |
What
Refreshes the agentic workflows by running `gh aw update` with gh-aw v0.81.6, and — more importantly — does so with a version that no longer deletes the `containers` section of `.github/aw/actions-lock.json`.

Why: `gh aw update` was wiping the `containers` pin
Running `gh aw update` was removing the entire `"containers"` block from `actions-lock.json` on every run — specifically the binlog MCP image pin used by `build-failure-analysis`:

Root cause (a known, fixed gh-aw bug)
`UpdateContainerPins` prunes any container pin whose key isn't referenced by a `download_docker_images.sh` line in the compiled `.lock.yml` files (`PruneStaleContainerPins`). Once workflows are compiled, those lines carry digest-pinned refs (`image:tag@sha256:…`), but the pin keys in `actions-lock.json` are plain base tags (`image:tag`, no digest). The prune compared the full `@sha256:…` strings against base-tag keys, matched nothing, and deleted the whole section on every run.

This is tracked and fixed upstream in github/gh-aw#41262 ("fix: UpdateContainerPins wipes containers section on every gh aw update run"), introduced by #39770.

Affected versions (verified against gh-aw source at each tag)
The lock files here were last compiled by v0.80.9 (squarely in the buggy range), which is why anyone running `gh aw update` from that era of CLI kept dropping the pin.

What changed in this PR
Produced by `gh aw update` with v0.81.6:
- `containers` pin preserved — the `azurelinux-3.0-binlog-mcp-amd64` digest pin is intact.
- `github/gh-aw-actions/setup` and `setup-cli` v0.80.9 → v0.81.6 in `actions-lock.json`.
- `.lock.yml` files and `actions-lock.json` changed; no `.md` sources were modified. Local (non-source) workflows such as `build-failure-analysis` were not recompiled and keep their existing binlog container pin.

Note
Two source-managed workflows (`dependabot-issue-bundler`, `dependabot-pr-bundler`) could not be refreshed during this run (transient `githubnext/agentics` source-fetch failure) and are intentionally left unchanged.

Recommendation
Keep `gh aw` at ≥ v0.81.3 (ideally latest) wherever `gh aw update` runs (local + CI), so the container pin isn't dropped again. Upgrade with `gh extension upgrade aw`.
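
The key mismatch described under "Root cause", as an added Go example that is not gh-aw's code and not part of the PR: `pruneExact` looks up digest-pinned references unchanged against base-tag keys and drops every pin, while `pruneNormalized` strips the digest before the lookup. The function names, registry name, tags and digests are assumptions made up for illustration; the upstream fix may be implemented differently.

```go
package main

import (
	"fmt"
	"strings"
)

// baseRef drops a trailing "@sha256:..." digest, so "image:tag@sha256:abc"
// becomes "image:tag". Hypothetical helper, not gh-aw's own code.
func baseRef(ref string) string {
	if i := strings.Index(ref, "@"); i >= 0 {
		return ref[:i]
	}
	return ref
}

// prune keeps only the pins whose key is referenced, after passing each
// reference through norm.
func prune(pins map[string]string, refs []string, norm func(string) string) map[string]string {
	used := make(map[string]bool, len(refs))
	for _, r := range refs {
		used[norm(r)] = true
	}
	kept := make(map[string]string)
	for key, digest := range pins {
		if used[key] {
			kept[key] = digest
		}
	}
	return kept
}

// pruneExact reproduces the comparison described above: digest-pinned
// references are looked up unchanged against base-tag keys, so nothing matches.
func pruneExact(pins map[string]string, refs []string) map[string]string {
	return prune(pins, refs, func(s string) string { return s })
}

// pruneNormalized strips the digest first, so only unreferenced pins go.
func pruneNormalized(pins map[string]string, refs []string) map[string]string {
	return prune(pins, refs, baseRef)
}

func main() {
	// Constructed sample data: registry, tags and digests are placeholders.
	pins := map[string]string{"registry.example/binlog-mcp:1.0": "sha256:aaaa", "registry.example/unused:2.0": "sha256:bbbb"}
	refs := []string{"registry.example/binlog-mcp:1.0@sha256:aaaa"}
	fmt.Println(len(pruneExact(pins, refs)), len(pruneNormalized(pins, refs)))
}
```

A regression test for this class of bug only needs one pin that is referenced solely in digest-pinned form and an assertion that it survives the prune.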