Bump gh-aw-firewall to v0.25.52 and sync embedded AWF schema#34114
Conversation
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
|
🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation... |
|
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing... |
|
💫 TO BE CONTINUED... Smoke Claude failed! Our hero faces unexpected challenges... |
|
🚀 Smoke Gemini MISSION COMPLETE! Gemini has spoken. ✨ Caution agentic threat detected |
|
🚀 Smoke Pi MISSION COMPLETE! Pi delivered. 🥧 |
|
✅ PR Code Quality Reviewer completed the code quality review. |
|
🧪 Test Quality Sentinel completed test quality analysis. No test files were added or modified in this PR. Test Quality Sentinel skipped. This PR only contains a firewall version bump (gh-aw-firewall v0.25.52) and corresponding lock file updates. |
|
✅ Design Decision Gate 🏗️ completed the design decision gate check. No ADR enforcement needed: PR #34114 does not have the 'implementation' label and has only 63 new lines of code in business logic directories (below the 100-line threshold). |
|
🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅ |
Agent Container Tool Check ✅| Tool | Status | Version | Result: 11/12 tools available Note: .NET runtime is not installed in the container. All other development tools are present and functional.
|
|
Caution agentic threat detected Smoke Test Results\n- GitHub MCP Testing: ✅\n- Web Fetch Testing: ✅\n- File Writing Testing: ✅\n- Bash Tool Testing: ✅\n- Build gh-aw: ❌\n\nOverall Status: FAILWarning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "localhost"See Network Configuration for more information.
|
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
✅ Approved — Mechanical Regeneration
This PR contains only generated artifacts (246 .lock.yml files) that were regenerated via make recompile after bumping AWF from v0.25.51 to v0.25.52. All changes are consistent version string replacements with no logic changes or unexpected modifications.
📋 Review Details
Changes verified:
- 1 new changeset file (
.changeset/patch-bump-awf-v0-25-52.md) - 245 workflow lock files updated with version bump
- All version references updated consistently:
gh-aw-manifestcontainer image tags:0.25.51→0.25.52GH_AW_INFO_AWF_VERSIONenvironment variableinstall_awf_binary.shscript arguments- Docker image references (
ghcr.io/github/gh-aw-firewall/*:0.25.52)
Risk assessment: Minimal — purely mechanical output from automated compilation
💡 Minor clarification for PR description
Issue: The PR description states that it updated pkg/constants/version_constants.go and pkg/workflow/schemas/awf-config.schema.json, but these files are not actually changed in this PR.
These source file changes were made in commit d358db6 before this PR was created. This PR only contains the regenerated lock files that result from those source changes.
Suggestion: Update the PR description to clarify: "Based on the source changes in commit d358db6 (which updated DefaultFirewallVersion and synced the AWF schema), this PR contains the regenerated lock artifacts."
Impact: Documentation clarity only — does not affect correctness of the changes
🔎 Code quality review by PR Code Quality Reviewer · ● 1.1M
There was a problem hiding this comment.
Skills-Based Review 🧠
Applied /diagnose and /zoom-out — requesting changes due to missing source code files.
📋 Critical Issue Summary
Core Problem
The PR description claims two source code files were updated:
pkg/constants/version_constants.go(version bump v0.25.51 → v0.25.52)pkg/workflow/schemas/awf-config.schema.json(schema sync from upstream)
However, these files are not present in the diff. Only the changeset file and 245 regenerated .lock.yml files are included.
Impact
This creates a critical version mismatch:
- Lock files reference v0.25.52 everywhere (container images, schema URLs, install scripts)
- Source code (presumably) still defines v0.25.51
- Running
make recompileon this branch will regenerate lock files with v0.25.51, breaking consistency - Schema validation will use the wrong schema version
Required Actions
- Verify the source files were changed locally but not committed
- Stage and commit the missing files:
git add pkg/constants/version_constants.go git add pkg/workflow/schemas/awf-config.schema.json
- Amend the commit and force-push:
git commit --amend --no-edit git push --force-with-lease
- Validate lock files match source:
make recompile git diff --exit-code .github/workflows/*.lock.yml
✅ What's Good
- Changeset file properly documents the patch bump
- Lock file regeneration appears consistent across all 245 workflows
- PR description is clear and well-structured
🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · ● 1.1M
| @@ -0,0 +1,5 @@ | |||
| --- | |||
There was a problem hiding this comment.
[/diagnose] Missing source code changes — PR description claims pkg/constants/version_constants.go and pkg/workflow/schemas/awf-config.schema.json were updated, but these files are not in the diff.
💡 Root cause analysis
What the PR claims:
- Version bump:
DefaultFirewallVersioninpkg/constants/version_constants.gochanged fromv0.25.51→v0.25.52 - Schema sync: Refreshed
pkg/workflow/schemas/awf-config.schema.jsonfrom upstream v0.25.52
What the diff shows:
- ❌
pkg/constants/version_constants.go— not in diff - ❌
pkg/workflow/schemas/awf-config.schema.json— not in diff - ✅
.changeset/patch-bump-awf-v0-25-52.md— present - ✅ 245
.lock.ymlfiles — present
Likely causes:
- Source changes not committed — the version constant and schema update were made but not staged/committed
- Incomplete recompile — lock files were regenerated from uncommitted changes
- Git state mismatch — changes exist locally but were not pushed
Why this breaks:
The lock files reference v0.25.52 everywhere (container images, AWF config schema URLs, install scripts), but the source code still defines v0.25.51. This creates a version mismatch:
- Compiled workflows expect v0.25.52 containers
- But running
make recompileon main will regenerate with v0.25.51 - Schema validation uses the wrong schema version
Required fix:
- Commit the missing source changes:
git add pkg/constants/version_constants.go git add pkg/workflow/schemas/awf-config.schema.json git commit --amend --no-edit git push --force-with-lease
- Verify lock files match source:
make recompile git diff --exit-code .github/workflows/*.lock.yml
|
Smoke Test Results — Run 26314423419 ✅ PASS — All tests completed!
PR: Bump gh-aw-firewall v0.25.52 Me caveman. Me test. All good! 🦴 Warning Firewall blocked 6 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
|
|
🎉 Smoke test agent was here! Me test all things. Build work. Tools work. Binary upload. Everything good! Caveman dance victory! 💃🕺🦴 Warning Firewall blocked 6 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
|
There was a problem hiding this comment.
Me review PR. Version bump clean. Schema sync good. All lock files updated.
Smoke test pass! 🦴
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
accounts.google.comandroid.clients.google.comclients2.google.comcontentautofill.googleapis.comsafebrowsingohttpgateway.googleapis.comwww.google.com
To allow these domains, add them to the
network.allowedlist in your workflow frontmatter:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
📰 BREAKING: Report filed by Smoke Copilot · ● 1.4M
Comments that could not be inline-anchored
pkg/constants/version_constants.go:1
Version bump look good! v0.25.52 update clean.
|
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤 |
Smoke Test: Claude — Run §26314423415Core #1–13: ✅ ( Status: PARTIAL — all executed tests passed. Warning Firewall blocked 6 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
|
There was a problem hiding this comment.
💥 Automated smoke test review - all systems nominal!
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
accounts.google.comandroid.clients.google.comclients2.google.comcontentautofill.googleapis.comsafebrowsingohttpgateway.googleapis.comwww.google.com
To allow these domains, add them to the
network.allowedlist in your workflow frontmatter:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
💥 [THE END] — Illustrated by Smoke Claude · ● 7.6M
| "gh-aw": patch | ||
| --- | ||
|
|
||
| Bump the default gh-aw-firewall (AWF) version to v0.25.52. |
There was a problem hiding this comment.
💡 Smoke-test review: changeset description is clear and concise — nice work bumping AWF to v0.25.52.
| @@ -0,0 +1,5 @@ | |||
| --- | |||
There was a problem hiding this comment.
📝 Smoke-test review: changeset frontmatter looks correct (patch bump). All good!
|
@copilot merge main and recompile |
…wall-version-02552 # Conflicts: # .github/workflows/audit-workflows.lock.yml # .github/workflows/daily-cache-strategy-analyzer.lock.yml # .github/workflows/daily-fact.lock.yml # .github/workflows/daily-observability-report.lock.yml # .github/workflows/duplicate-code-detector.lock.yml # .github/workflows/grumpy-reviewer.lock.yml # .github/workflows/issue-arborist.lock.yml # .github/workflows/necromancer.lock.yml # .github/workflows/schema-feature-coverage.lock.yml # .github/workflows/smoke-call-workflow.lock.yml # .github/workflows/smoke-codex.lock.yml Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
This PR updates
gh-awto usegh-aw-firewallv0.25.52as requested, including regenerated lock artifacts that pin AWF image references. It also aligns the embedded AWF config schema with upstreamv0.25.52to keep local validation in sync.Version bump
DefaultFirewallVersioninpkg/constants/version_constants.go:v0.25.51→v0.25.52Schema sync
pkg/workflow/schemas/awf-config.schema.jsonfrom upstreamv0.25.52apiProxy.modelFallbackschema block and associated schema formatting changesRelease bookkeeping
.changeset/patch-bump-awf-v0-25-52.mdGenerated lock/golden updates
GH_AW_INFO_AWF_VERSION: "v0.25.52"install_awf_binary.sh v0.25.52ghcr.io/github/gh-aw-firewall/{agent,api-proxy,squid}:0.25.52✨ PR Review Safe Output Test - Run 26314423415
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
accounts.google.comandroid.clients.google.comclients2.google.comcontentautofill.googleapis.comsafebrowsingohttpgateway.googleapis.comwww.google.comSee Network Configuration for more information.