
Update agentic workflows (gh aw v0.81.6) — preserve container pins #9537

Merged: Evangelink merged 1 commit into microsoft:main from YuliiaKovalova:ykovalova/aw-update-preserve-containers, Jun 30, 2026

@YuliiaKovalova

What

Refreshes the agentic workflows by running gh aw update with gh-aw v0.81.6, and — more importantly — does so with a version that no longer deletes the containers section of .github/aw/actions-lock.json.

Why: gh aw update was wiping the containers pin

Running gh aw update was removing the entire "containers" block from actions-lock.json on every run — specifically the binlog MCP image pin used by build-failure-analysis:

mcr.microsoft.com/dotnet-buildtools/prereqs:azurelinux-3.0-binlog-mcp-amd64

Root cause (a known, fixed gh-aw bug)

UpdateContainerPins prunes any container pin whose key isn't referenced by a download_docker_images.sh line in the compiled .lock.yml files (PruneStaleContainerPins). Once workflows are compiled, those lines carry digest-pinned refs (image:tag@sha256:…), but the pin keys in actions-lock.json are plain base tags (image:tag, no digest). The prune compared the full @sha256:… strings against base-tag keys, matched nothing, and deleted the whole section on every run.

This is tracked and fixed upstream in github/gh-aw#41262 ("fix: UpdateContainerPins wipes containers section on every gh aw update run"), introduced by #39770.

Affected versions (verified against gh-aw source at each tag)

| Version | Behavior |
|---|---|
| ≤ v0.80.2 | No prune — not affected |
| v0.80.3 → v0.81.2 | Buggy — wipes containers |
| v0.81.3+ (fix #41262) | Fixed |

The lock files here were last compiled by v0.80.9 (squarely in the buggy range), which is why anyone running gh aw update from that era of CLI kept dropping the pin.

What changed in this PR

Produced by gh aw update with v0.81.6:

  • containers pin preserved — the azurelinux-3.0-binlog-mcp-amd64 digest pin is intact.
  • Bumped github/gh-aw-actions/setup and setup-cli v0.80.9 → v0.81.6 in actions-lock.json.
  • Recompiled the 15 source-managed workflows; bundled infra images bumped and digest-pinned: gh-aw-firewall 0.27.7 → 0.27.11, gh-aw-mcpg v0.3.27 → v0.3.30.
  • Only .lock.yml files and actions-lock.json changed; no .md sources were modified. Local (non-source) workflows such as build-failure-analysis were not recompiled and keep their existing binlog container pin.

Note

Two source-managed workflows (dependabot-issue-bundler, dependabot-pr-bundler) could not be refreshed during this run (transient githubnext/agentics source-fetch failure) and are intentionally left unchanged.

Recommendation

Keep gh aw at ≥ v0.81.3 (ideally latest) wherever gh aw update runs (local + CI), so the container pin isn't dropped again. Upgrade with gh extension upgrade aw.
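
A minimal Go model of the key mismatch described under "Root cause" above, added here as an illustration; it is not gh-aw's code. The names `prune` and `baseRef`, the map layout, the all-zero digest and the `example.invalid/stale:1` pin are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// baseRef drops a trailing "@sha256:..." digest so a compiled, digest-pinned
// reference can be compared with a plain "image:tag" pin key.
func baseRef(ref string) string {
	if i := strings.Index(ref, "@"); i >= 0 {
		return ref[:i]
	}
	return ref
}

// prune keeps only the pins whose key is referenced by a compiled workflow.
// normalize=false models the mismatch: full digest refs vs base-tag keys.
func prune(pins map[string]string, refs []string, normalize bool) map[string]string {
	used := make(map[string]bool, len(refs))
	for _, r := range refs {
		if normalize {
			r = baseRef(r)
		}
		used[r] = true
	}
	kept := make(map[string]string)
	for key, digest := range pins {
		if used[key] {
			kept[key] = digest
		}
	}
	return kept
}

// Constructed sample data: the image name is the one quoted on this page,
// the digest is a placeholder, and the second pin is deliberately stale.
const binlogKey = "mcr.microsoft.com/dotnet-buildtools/prereqs:azurelinux-3.0-binlog-mcp-amd64"
var placeholderDigest = "sha256:" + strings.Repeat("0", 64)

func samplePins() map[string]string {
	return map[string]string{binlogKey: placeholderDigest, "example.invalid/stale:1": placeholderDigest}
}
func sampleRefs() []string { return []string{binlogKey + "@" + placeholderDigest} }

func main() {
	fmt.Println("compare full refs:", len(prune(samplePins(), sampleRefs(), false)), "pin(s) kept")
	fmt.Println("compare base tags:", len(prune(samplePins(), sampleRefs(), true)), "pin(s) kept")
}
```

Comparing full refs keeps nothing, which is the wiped `containers` section; comparing base tags keeps the binlog pin and still drops the stale one.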

Ran `gh aw update` with gh-aw v0.81.6, which includes the fix for the container-pin wipe bug (github/gh-aw#41262). The actions-lock.json `containers` section (the binlog-mcp image pin) is now preserved instead of being deleted on every update.

Bumps github/gh-aw-actions/setup(-cli) v0.80.9 -> v0.81.6 and recompiles source-managed workflows (firewall 0.27.7 -> 0.27.11, mcpg v0.3.27 -> v0.3.30, all digest-pinned).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings June 30, 2026 14:25
@Evangelink Evangelink merged commit 5a96d11 into microsoft:main Jun 30, 2026
23 checks passed

Copilot AI left a comment

Pull request overview

Updates the repo’s gh-aw compiled workflow lock files and .github/aw/actions-lock.json to align with gh-aw v0.81.6, with an emphasis on preserving the containers pin(s) in actions-lock.json (notably the binlog MCP image) while refreshing action/container digests referenced by compiled workflows.

Changes:

  • Recompiled workflow .lock.yml files with gh-aw v0.81.6, updating embedded action SHAs and container image digests.
  • Updated .github/aw/actions-lock.json to reference github/gh-aw-actions/* v0.81.6 and retained the containers section.
  • Introduced additional runtime env wiring in compiled workflows (e.g., GH_AW_RUNTIME_FEATURES, updated AWF tooling versions, and updated MCP gateway wiring).

Reviewed changes

Copilot reviewed 15 out of 15 changed files in this pull request and generated 9 comments.

| File | Description |
|---|---|
| .github/workflows/sub-issue-closer.lock.yml | Recompiled lock; updates action/container pins and adjusts detection + MCP config wiring. |
| .github/workflows/pr-fix.lock.yml | Recompiled lock; updates action/container pins and adjusts detection + MCP config wiring. |
| .github/workflows/malicious-code-scan.lock.yml | Recompiled lock; updates action/container pins and adjusts detection + MCP config wiring. |
| .github/workflows/duplicate-code-detector.lock.yml | Recompiled lock; updates action/container pins and adjusts detection + MCP config wiring. |
| .github/aw/actions-lock.json | Bumps gh-aw setup actions to v0.81.6 and preserves container pin metadata. |

Comment on lines +729 to +730
"GITHUB_HOST": "${GITHUB_SERVER_URL}",
"GITHUB_PERSONAL_ACCESS_TOKEN": "${GITHUB_MCP_SERVER_TOKEN}",
- agent
if: >
always() && needs.agent.result != 'skipped' && (needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true')
if: always() && needs.agent.result != 'skipped'
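Review bot: with the `needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'` guard gone from the `if:` line, the job that needs `agent` will run even when the agent produced no output and no patch. Confirm that its steps handle an empty result without failing, and that any job gating on this job's result still behaves as intended. The same `if:` change recurs in the later hunks on this page.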
Comment on lines 640 to 642
"labels": {
"type": "array",
"itemType": "string",
"itemSanitize": true,
"itemMaxLength": 128
"type": "array"
},
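Review bot: nothing in the `labels` schema constrains individual items any more: `"itemType": "string"`, `"itemSanitize": true` and `"itemMaxLength": 128` are gone and only `"type": "array"` remains. Since this lock file is generated, check whether gh-aw v0.81.6 enforces item type, sanitization and a length cap somewhere else before these values are applied as labels; if it does not, this is a loss of input validation that is worth raising upstream rather than patching by hand.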
Comment on lines +798 to +799
"GITHUB_HOST": "${GITHUB_SERVER_URL}",
"GITHUB_PERSONAL_ACCESS_TOKEN": "${GITHUB_MCP_SERVER_TOKEN}",
- agent
if: >
always() && needs.agent.result != 'skipped' && (needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true')
if: always() && needs.agent.result != 'skipped'
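Review bot: the added line at +799, `"GITHUB_PERSONAL_ACCESS_TOKEN": "${GITHUB_MCP_SERVER_TOKEN}"`, hands a token to the MCP server by placeholder, and nothing visible here shows where `GITHUB_MCP_SERVER_TOKEN` is set or which permissions it carries. In the compiled workflow, check that the variable is populated from a secret at runtime, that the rendered config is never echoed to the job log, and that the token has only the permissions this workflow needs. The same pair of lines appears at +729 to +730, +696 to +697 and +699 to +700 in the other hunks.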
Comment on lines +696 to +697
"GITHUB_HOST": "${GITHUB_SERVER_URL}",
"GITHUB_PERSONAL_ACCESS_TOKEN": "${GITHUB_MCP_SERVER_TOKEN}",
- agent
if: >
always() && needs.agent.result != 'skipped' && (needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true')
if: always() && needs.agent.result != 'skipped'
Comment on lines +699 to +700
"GITHUB_HOST": "${GITHUB_SERVER_URL}",
"GITHUB_PERSONAL_ACCESS_TOKEN": "${GITHUB_MCP_SERVER_TOKEN}",
- agent
if: >
always() && needs.agent.result != 'skipped' && (needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true')
if: always() && needs.agent.result != 'skipped'