Bump gh-aw-firewall to v0.27.12 and gh-aw-mcpg to v0.3.31 #41945

Merged: pelikhan merged 4 commits into main from copilot/bump-firewall-and-mcpg-versions, Jun 28, 2026

Copilot AI commented Jun 27, 2026


This updates gh-aw to the latest gh-aw-firewall and gh-aw-mcpg releases, and refreshes the generated assets that carry those defaults through compiled workflows. It also syncs the embedded AWF config schema copy with the upstream release.

  • Version pins

    • Bump DefaultFirewallVersion to v0.27.12
    • Bump DefaultMCPGatewayVersion to v0.3.31
  • AWF schema sync

    • Refresh the embedded awf-config.schema.json copy to match the upstream v0.27.12 release content where it drifted
  • Container pin refresh

    • Add the new AWF and MCPG image digests to actions-lock.json
    • Sync the embedded action/container pin data used by the compiler and tests
  • Generated artifact updates

    • Recompile workflow lock files so compiled outputs reference the new AWF/MCPG versions and pinned images
    • Update existing wasm golden fixtures that embed the default image/version outputs
const DefaultFirewallVersion Version = "v0.27.12"
const DefaultMCPGatewayVersion Version = "v0.3.31"


✨ PR Review Safe Output Test - Run 28303361477

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

  • accounts.google.com
  • android.clients.google.com
  • clients2.google.com
  • contentautofill.googleapis.com
  • safebrowsingohttpgateway.googleapis.com
  • www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

💥 [THE END] — Illustrated by Smoke Claude · 78.2 AIC · ⌖ 25.6 AIC · ⊞ 8.7K ·


pr-sous-chef run 28311797805

Generated by 👨‍🍳 PR Sous Chef · 111.6 AIC · ⌖ 0.953 AIC · ⊞ 17.2K ·

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Bump firewall to v0.27.12 and mcpg to v0.3.31" to "Bump gh-aw-firewall to v0.27.12 and gh-aw-mcpg to v0.3.31" Jun 27, 2026
Copilot AI requested a review from lpcox June 27, 2026 21:46
Copilot finished work on behalf of lpcox June 27, 2026 21:46
pelikhan marked this pull request as ready for review June 27, 2026 22:12
Copilot AI review requested due to automatic review settings June 27, 2026 22:12
pelikhan added the smoke label Jun 27, 2026
github-actions Bot commented Jun 27, 2026

🚀 Smoke Pi MISSION COMPLETE! Pi delivered. 🥧

github-actions Bot commented Jun 27, 2026

🎬 THE END Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

github-actions Bot commented Jun 27, 2026

🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅

github-actions Bot commented Jun 27, 2026

🚀 Smoke Gemini MISSION COMPLETE! Gemini has spoken. ✨

Smoke test completed with partial failures (GitHub MCP and Build tests). Results reported via issue and PR comment.

github-actions Bot commented Jun 27, 2026

🚀 Smoke Antigravity MISSION COMPLETE! Antigravity has spoken. ✨

github-actions Bot commented Jun 27, 2026

Design Decision Gate 🏗️ completed the design decision gate check.

No ADR enforcement needed: PR does not have the 'implementation' label and has ≤100 new lines of code in business logic directories.

github-actions Bot commented Jun 27, 2026

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

github-actions Bot commented Jun 27, 2026

PR Code Quality Reviewer completed the code quality review.

github-actions Bot commented Jun 27, 2026

Test Quality Sentinel completed test quality analysis.

No test files were added or modified in this PR. PR #41945 is a dependency bump (gh-aw-firewall v0.27.12, gh-aw-mcpg v0.3.31) that regenerated workflow lock files only. Test Quality Sentinel skipped.

github-actions Bot commented Jun 27, 2026

✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready.

@github-actions


📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

@github-actions


📰 BREAKING: Smoke Copilot - AOAI (apikey) is now investigating this pull request. Sources say the story is developing...

@github-actions


📰 BREAKING: Smoke Copilot - AOAI (Entra) is now investigating this pull request. Sources say the story is developing...

Copilot AI left a comment


Pull request overview

This pull request updates gh-aw’s default pinned versions for the gh-aw firewall (AWF) and MCP gateway (MCPG), and refreshes the generated/embedded artifacts (schema, container pins, compiled lockfiles, and wasm goldens) that reflect those defaults across workflows and tests.

Changes:

  • Bump default pins to gh-aw-firewall v0.27.12 and gh-aw-mcpg v0.3.31.
  • Sync embedded AWF config JSON schema copy to the upstream v0.27.12 content.
  • Refresh container/action pin data and regenerate compiled workflow / wasm golden fixtures to match the new versions and digests.

| File | Description |
| --- | --- |
| pkg/constants/version_constants.go | Updates DefaultFirewallVersion and DefaultMCPGatewayVersion constants to the new releases. |
| pkg/workflow/schemas/awf-config.schema.json | Syncs schema descriptions to match upstream AWF v0.27.12. |
| pkg/workflow/data/action_pins.json | Adds new digest pins for AWF 0.27.12 images and MCPG v0.3.31. |
| pkg/actionpins/data/action_pins.json | Mirrors the updated container pin set for runtime/compiler usage. |
| .github/aw/actions-lock.json | Updates the embedded pin registry used for compiled workflows/assets. |
| .github/workflows/test-workflow.lock.yml | Regenerates compiled workflow to reference AWF 0.27.12 + MCPG v0.3.31 and updated digests. |
| .github/workflows/example-permissions-warning.lock.yml | Regenerates compiled workflow to reference updated AWF/MCPG versions and digests. |
| .github/workflows/codex-github-remote-mcp-test.lock.yml | Regenerates compiled workflow to reference updated AWF/MCPG versions and digests. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden | Updates wasm golden fixture outputs for AWF/MCPG version bump. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden | Updates wasm golden fixture outputs for AWF/MCPG version bump. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden | Updates wasm golden fixture outputs for AWF/MCPG version bump. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden | Updates wasm golden fixture outputs for AWF/MCPG version bump. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/pi.golden | Updates all-engines golden fixture to AWF 0.27.12 and MCPG v0.3.31. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/gemini.golden | Updates all-engines golden fixture to AWF 0.27.12 and MCPG v0.3.31. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden | Updates all-engines golden fixture to AWF 0.27.12 and MCPG v0.3.31. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden | Updates all-engines golden fixture to AWF 0.27.12 and MCPG v0.3.31. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/claude.golden | Updates all-engines golden fixture to AWF 0.27.12 and MCPG v0.3.31. |
| .changeset/patch-bump-awf-v0-27-12-mcpg-v0-3-31.md | Adds a changeset entry documenting the default pin bump and regenerated artifacts. |

Review details

  • Files reviewed: 34/268 changed files
  • Comments generated: 0
  • Review effort level: Low

@github-actions


Agent Container Tool Check

Tool Status Version
bash 5.2.21
sh available
git 2.54.0
jq 1.7
yq 4.53.3
curl 8.5.0
gh 2.95.0
node 22.23.0
python3 3.11.15 (PyPy 7.3.23)
go 1.24.13
java 21.0.11
dotnet 10.0.301

Result: 12/12 tools available ✅

Overall Status: PASS

🔧 Tool validation by Agent Container Smoke Test · 17.7 AIC · ⌖ 8.69 AIC · ⊞ 5.4K ·

github-actions Bot left a comment

Smoke walk left one diff note.

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

  • accounts.google.com
  • android.clients.google.com
  • clients2.google.com
  • contentautofill.googleapis.com
  • safebrowsingohttpgateway.googleapis.com
  • www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot · 506.2 AIC · ⌖ 16.4 AIC · ⊞ 19.8K

github-actions Bot left a comment

Review: Version bump — gh-aw-firewall v0.27.12 · gh-aw-mcpg v0.3.31

No blocking issues. Changes are mechanical, consistent, and complete.

What was reviewed

Source code changes (pkg/constants/version_constants.go)
Two version string constants updated; no logic altered.

Pin files (.github/aw/actions-lock.json, pkg/actionpins/data/action_pins.json, pkg/workflow/data/action_pins.json)
All three are byte-for-byte identical — new entries for all five image variants carry correct sha256 digests. Notably, cli-proxy at 0.27.11 previously had no pinned digest in the manifest; 0.27.12 now has one, which closes a pre-existing supply-chain gap.

Schema (pkg/workflow/schemas/awf-config.schema.json)
Description-only sync from upstream. The existing allOf constraint (topologyAttach → isolation: true) is preserved. The new description language noting that isolation is not yet supported alongside dnsOverHttps or enableHostAccess is informational; schema-level enforcement would be a separate concern.

Generated artifacts
All 268 lock files regenerated — grep confirms zero residual references to 0.27.11 or v0.3.30. Wasm golden fixtures updated consistently.

🔎 Code quality review by PR Code Quality Reviewer · 171 AIC · ⌖ 7.08 AIC · ⊞ 5.2K
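
The digest gap the review above points out (an image tag with no pinned sha256) and its byte-for-byte check across pin-file copies, as an added Go example that is not code from this PR or the gh-aw project. The JSON layout, the `registry.example` image names and the digest values are assumptions constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// pinFile is an ASSUMED layout (image reference -> digest); the real
// pin-file schema is not shown in this PR conversation.
type pinFile struct {
	Containers map[string]string `json:"containers"`
}

var digestRe = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

// UnpinnedImages returns, sorted, every image whose digest is missing or malformed.
func UnpinnedImages(raw []byte) ([]string, error) {
	var pf pinFile
	if err := json.Unmarshal(raw, &pf); err != nil {
		return nil, err
	}
	bad := []string{}
	for image, digest := range pf.Containers {
		if !digestRe.MatchString(digest) {
			bad = append(bad, image)
		}
	}
	sort.Strings(bad)
	return bad, nil
}

// CopiesIdentical reports whether every copy is byte-for-byte equal to the first.
func CopiesIdentical(copies ...[]byte) bool {
	for i := 1; i < len(copies); i++ {
		if !bytes.Equal(copies[0], copies[i]) {
			return false
		}
	}
	return true
}

// SamplePins is constructed data: placeholder registry and digest values.
var SamplePins = []byte(`{"containers":{"registry.example/cli-proxy:0.27.11":"",` +
	`"registry.example/cli-proxy:0.27.12":"sha256:` + strings.Repeat("a", 64) + `"}}`)

func main() { fmt.Println(UnpinnedImages(SamplePins)) }
```

Run as a CI step, a non-empty result from `UnpinnedImages` or a `false` from `CopiesIdentical` would fail the build before a tag-only image reference or a drifted copy reaches compiled workflows.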

@github-actions


Smoke Test 28303380257:

Tests: 1✅ 2❌ 3❌ 4❌ 5❌ 6✅ 7❌ 8✅ 9❌ 10✅ 11✅ 12❌ 13✅ 14✅ 15✅

Overall: FAIL

Author: @app/copilot-swe-agent Assignees: @lpcox, @Copilot

📰 BREAKING: Report filed by Smoke Copilot - AOAI (apikey) · 83 AIC · ⌖ 6.71 AIC · ⊞ 17.9K ·

@gh-aw-bot


@copilot please run the pr-finisher skill, address the failing smoke test, and rerun checks after verifying the branch is ready to merge.

Generated by 👨‍🍳 PR Sous Chef · 95.3 AIC · ⌖ 1.05 AIC · ⊞ 17.1K ·

@github-actions


🤖 PR Triage — Run §28307424127

| Field | Value |
| --- | --- |
| Category | chore |
| Risk | 🟡 Medium |
| Score | 65/100 |
| Score breakdown | Impact 35 + Urgency 25 + Quality 5 |
| Action | 👥 batch_review |

Summary: Dependency version bump for gh-aw-firewall → v0.27.12 and gh-aw-mcpg → v0.3.31, plus generated-asset refresh (268 files, mostly lock/schema regeneration). ⚠️ CI has 3 failures: Smoke Copilot - AOAI (Entra) and safe_outputs (×2). Failures must be resolved before merge. High-priority once CI is green.

Generated by 🔧 PR Triage Agent · 64.9 AIC · ⌖ 9.76 AIC · ⊞ 5.4K ·

@gh-aw-bot


@copilot please run the pr-finisher skill, address the failing CI feedback, refresh this branch from main, and rerun checks once it is updated.

Generated by 👨‍🍳 PR Sous Chef · 111.6 AIC · ⌖ 0.953 AIC · ⊞ 17.2K ·

Copilot AI and others added 2 commits June 28, 2026 05:16
…-and-mcpg-versions

# Conflicts:
#	.github/workflows/daily-code-metrics.lock.yml
#	.github/workflows/smoke-copilot-aoai-entra.lock.yml
#	.github/workflows/test-quality-sentinel.lock.yml

Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
@github-actions


PR Triage — Run §28315307719

Category chore
Risk medium
Priority high
Score 58/100 — impact 28 · urgency 18 · quality 12
Action batch_review

Large generated-asset bump for gh-aw-firewall v0.27.12 and gh-aw-mcpg v0.3.31 (+5307/-5227, 272 files). CI gate pending after latest push. Review together with other infrastructure updates. 10h old.

Generated by 🔧 PR Triage Agent · 82.5 AIC · ⌖ 10.6 AIC · ⊞ 5.4K ·

@github-actions


🎉 This pull request is included in a new release.

Release: v0.82.0
