chore: upgrade all agentic workflows #4819
Run gh aw upgrade + postprocess-smoke-workflows.ts to:
- Update agent files and action pins
- Regenerate all lock files with latest gh-aw version
- Ensure smoke/build-test workflows use local build (--build-local)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
This PR upgrades the repository’s agentic GitHub Actions workflows to newer gh-aw / AWF versions and refreshes regenerated .lock.yml workflow outputs, including updated action pins and container image pinning.
Changes:
- Regenerated multiple .github/workflows/*.lock.yml files to gh-aw compiler v0.79.6 and AWF v0.27.2, updating action SHAs and container image digests.
- Updated .github/aw/actions-lock.json to match the new pinned action versions.
- Applied a codemod change to .github/workflows/smoke-claude.md (removing engine.max-turns), which impacts turn-limit enforcement.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/test-coverage-improver.lock.yml | Workflow regen to gh-aw v0.79.6 / AWF v0.27.2, updated pins and added unknown-model AI credits plumbing. |
| .github/workflows/smoke-gemini.lock.yml | Workflow regen to newer gh-aw/AWF versions; updated action/container pins and added unknown-model AI credits plumbing. |
| .github/workflows/smoke-claude.md | Codemod update to the smoke Claude workflow definition (turn-limit config affected). |
| .github/workflows/smoke-claude.lock.yml | Workflow regen to newer gh-aw/AWF versions; updated action/container pins and added unknown-model AI credits plumbing. |
| .github/workflows/security-review.lock.yml | Workflow regen to newer gh-aw/AWF versions; updated action/container pins and added unknown-model AI credits plumbing. |
| .github/workflows/refactoring-scanner.lock.yml | Workflow regen to newer gh-aw/AWF versions; updated action/container pins and added unknown-model AI credits plumbing. |
| .github/workflows/firewall-issue-dispatcher.lock.yml | Workflow regen to newer gh-aw/AWF versions; updated action/container pins and added unknown-model AI credits plumbing. |
| .github/workflows/duplicate-code-detector.lock.yml | Workflow regen to newer gh-aw/AWF versions; updated action/container pins and added unknown-model AI credits plumbing. |
| .github/workflows/doc-maintainer.lock.yml | Workflow regen plus local AWF build/install + --build-local invocation changes. |
| .github/workflows/dependency-security-monitor.lock.yml | Workflow regen to newer gh-aw/AWF versions; updated action/container pins and added unknown-model AI credits plumbing. |
| .github/workflows/cli-flag-consistency-checker.lock.yml | Workflow regen to newer gh-aw/AWF versions; updated action/container pins and added unknown-model AI credits plumbing. |
| .github/aw/actions-lock.json | Updated action lock entries to v0.79.6 pins and removed older version entries. |
Copilot's findings
- Files reviewed: 43/44 changed files
- Comments generated: 3
| @@ -17,7 +17,6 @@ max-turns: 5 | |||
| engine: | |||
| id: claude | |||
| model: claude-haiku-4-5 | |||
| max-turns: 2 | |||
| sandbox: | |||
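Review bot: Removing `max-turns: 2` under `engine:` changes the effective turn cap for this smoke workflow unless something else enforces it. The hunk header context shows a separate `max-turns: 5`, so either the limit moves from 2 to 5 turns or, if that key is not honored by the compiler, the run has no cap. Please say in the PR which applies and confirm the regenerated smoke-claude.lock.yml still passes a turn limit to the agent.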
| fi | ||
| # shellcheck disable=SC1003 | ||
| sudo -E awf --config "${RUNNER_TEMP}/gh-aw/awf-config.json" --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" ${GH_AW_TOOL_CACHE_MOUNT:+--mount "$GH_AW_TOOL_CACHE_MOUNT"} ${GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS} --tty --env-all --exclude-env ANTHROPIC_API_KEY --exclude-env MCP_GATEWAY_API_KEY --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --enable-host-access --allow-host-ports 80,443,8080 --skip-pull \ | ||
| sudo -E awf --config "${RUNNER_TEMP}/gh-aw/awf-config.json" --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" ${GH_AW_TOOL_CACHE_MOUNT:+--mount "$GH_AW_TOOL_CACHE_MOUNT"} ${GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS} --tty --env-all --exclude-env ANTHROPIC_API_KEY --exclude-env MCP_GATEWAY_API_KEY --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --session-state-dir /tmp/gh-aw/sandbox/agent/session-state --enable-host-access --allow-host-ports 80,443,8080 --build-local \ |
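Review bot: The added `--session-state-dir /tmp/gh-aw/sandbox/agent/session-state` in the new awf line places agent session state in the same /tmp/gh-aw/sandbox tree as the proxy logs and audit directory, while the invocation still uses `--env-all` with only two `--exclude-env` entries. If that tree is uploaded as an artifact, confirm session state gets the same secret redaction as the logs. The swap of `--skip-pull` for `--build-local` matches the stated goal for smoke and build-test workflows, but the file summary also lists doc-maintainer.lock.yml as gaining `--build-local`; confirm that workflow is meant to run a locally built AWF.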
@copilot address review feedback
Addressed in 18449e5.

🔬 Smoke Test Results
Overall: PASS
PR by @lpcox.

🔬 Smoke Test Results — Auth mode: PAT (COPILOT_GITHUB_TOKEN)
PR: chore: upgrade all agentic workflows — @lpcox
Overall: PASS

chore: upgrade all agentic workflows

Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:

```yaml
network:
  allowed:
    - defaults
    - "registry.npmjs.org"
```

See Network Configuration for more information.

Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra
Overall: PASS

Smoke Test Results: Copilot BYOK (Direct Mode)
Status: PASS — Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY) via api-proxy → api.githubcopilot.com
Author: @lpcox | Assignees: none

🏗️ Build Test Suite Results
Overall: 8/8 ecosystems passed — ✅ PASS

@lpcox chore: upgrade all agentic workflows
✅ MCP PR fetch
Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw)
Overall: PASS

Smoke Test Results — Services Connectivity
Overall: ❌ FAIL
Service containers appear unreachable from this runner environment.

…4809)

* test: cover retry/timeout/kill branches in container-lifecycle.ts

  Add 14 focused Jest unit tests targeting previously-uncovered paths:
  - startContainers retry failures (api-proxy fails both attempts → specific throw)
  - startContainers squid retry falls through to handleHealthcheckError
  - startContainers cli-proxy first-attempt failure (no retry, specific throw)
  - startContainers cli-proxy failure during retry attempt
  - startContainers graceful handling of runComposeDown failure before retry
  - runAgentCommand timeout path (agentTimeoutMinutes, exitCode 124, docker stop called)
  - runAgentCommand externally-killed short-circuit (isAgentExternallyKilled, skips squid analysis)
  - fastKillAgentContainer: default/custom stop timeout, silent error handling, marks agent killed

  All container-startup-diagnostics and squid-log-reader calls are mocked for deterministic, fast tests without Docker or filesystem dependencies.

  Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

  Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* chore: sync workflow files with main to fix stale lock file CI check
* chore: re-sync with main after workflow upgrade (#4819)
* chore: recompile smoke-chroot lock file to fix stale frontmatter hash
* fix: update gh-aw-actions/setup pin in workflow tests from v0.79.4 to v0.79.6

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Landon Cox <landon.cox@microsoft.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Summary
Upgrades all agentic workflows to the latest gh-aw version and applies post-processing.
What was done:
- gh aw upgrade — updated agents, action pins, codemods, and recompiled all lock files
- npx ts-node scripts/ci/postprocess-smoke-workflows.ts — ensured all smoke/build-test workflows use --build-local (local source build, not released binary)

Changes (44 files):
- .github/aw/actions-lock.json — updated action SHA pins
- .github/workflows/*.lock.yml — all regenerated with latest gh-aw
- .github/workflows/smoke-claude.md — codemod fix applied

Verified:
- --build-local
- --skip-pull or sparse-checkout remains
- --session-state-dir injected in all AWF invocations
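
The flag checks listed under "Verified" can be turned into a repeatable CI guard. The script below is an added example, not the repository's own tooling: it checks that each awf invocation carries `--build-local` and `--session-state-dir` and no longer carries `--skip-pull`, matching the change in the hunk on this page. The names `check_awf_flags`, `sample_old`, `sample_new` and the `cfg.json` path are hypothetical, and the sample lines are constructed.

```bash
#!/usr/bin/env bash
# Added example: audit awf invocations in workflow text read from stdin.
# Assumes every flag sits on the same physical line as "awf --config",
# as in the hunk shown on this page.
# Exit status: 0 = all invocations pass, 1 = violations, 2 = none found.
check_awf_flags() {
  awk '
    {
      line = " " $0 " "   # pad so every flag is delimited by whitespace
      if (line !~ /[ \t]awf[ \t]+--config[ \t]/) next
      seen++
      if (line ~ /[ \t]--skip-pull[ \t]/) {
        print NR ": --skip-pull present"; bad++
      }
      if (line !~ /[ \t]--build-local[ \t]/) {
        print NR ": --build-local missing"; bad++
      }
      # The flag must be followed by a value, not by another option.
      if (line !~ /[ \t]--session-state-dir[ \t]+[^- \t]/) {
        print NR ": --session-state-dir missing"; bad++
      }
    }
    END {
      if (!seen) exit 2   # fail closed: nothing was actually checked
      exit (bad > 0)
    }
  '
}

# Constructed sample lines, shortened from the invocation in the hunk.
sample_old() {
  printf '%s\n' 'sudo -E awf --config "cfg.json" --tty --env-all --allow-host-ports 80,443,8080 --skip-pull \'
}
sample_new() {
  printf '%s\n' 'sudo -E awf --config "cfg.json" --tty --env-all --session-state-dir /tmp/gh-aw/sandbox/agent/session-state --allow-host-ports 80,443,8080 --build-local \'
}

sample_new | check_awf_flags && echo "new line: ok"
sample_old | check_awf_flags || echo "old line: rejected"
```

In CI the function would be fed each smoke or build-test lock file in turn; exit status 2 keeps a file with no recognizable awf invocation from passing silently.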