chore: upgrade and recompile all workflows to gh-aw v0.69.2 #4297
Recompile all 31 workflows with gh-aw v0.69.2. Key version bumps:
- gh-aw compiler: v0.68.2 → v0.69.2
- gh-aw-actions/setup: v0.68.2 → v0.69.2
- gh-aw-firewall: 0.25.20 → 0.25.26
- gh-aw-mcpg: v0.2.19 → v0.2.26
- github-mcp-server: v0.32.0 → v1.0.0
- actions/cache: v5.0.4 → v5.0.5

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
Upgrades the repository’s agentic workflow toolchain to gh-aw v0.69.2 and recompiles the generated workflow lockfiles to match updated compiler/runtime behavior.
Changes:
- Recompiled all agentic workflow .lock.yml files with gh-aw v0.69.2, updating action SHAs and container versions.
- Updated the agentic maintenance workflow to v0.69.2 generation output and added additional maintenance operations plus workflow_call.
- Updated the actions lockfile and agent documentation links to point at v0.69.2.
| File | Description |
|---|---|
| .github/workflows/agentics-maintenance.yml | Regenerated maintenance workflow and added new operations + workflow_call support. |
| .github/aw/actions-lock.json | Updated pinned action entries/SHAs for gh-aw-actions v0.69.2 (incl. setup-cli). |
| .github/agents/agentic-workflows.agent.md | Updated documentation links to gh-aw v0.69.2. |
| .github/workflows/daily-compliance-checker.lock.yml | Recompiled lockfile with updated actions/containers and runtime scripts. |
| .github/workflows/duplicate-code-detector.lock.yml | Recompiled lockfile with updated actions/containers and runtime scripts. |
| .github/workflows/gateway-issue-dispatcher.lock.yml | Recompiled lockfile; updated safe-outputs tool schema (incl. reply_to_id). |
| .github/workflows/ghcr-download-tracker.lock.yml | Recompiled lockfile with updated actions/containers and runtime scripts. |
| .github/workflows/github-mcp-guard-coverage-checker.lock.yml | Recompiled lockfile with updated actions/containers and runtime scripts. |
| .github/workflows/integrity-filtering-audit.lock.yml | Recompiled lockfile with updated actions/containers and runtime scripts. |
| .github/workflows/issue-monster.lock.yml | Recompiled lockfile with updated actions/containers and runtime scripts. |
| .github/workflows/mcp-gateway-log-analyzer.lock.yml | Recompiled lockfile with updated actions/containers and runtime scripts. |
| .github/workflows/nightly-docs-reconciler.lock.yml | Recompiled lockfile with updated actions/containers and runtime scripts. |
| .github/workflows/rust-guard-improver.lock.yml | Recompiled lockfile with updated actions/containers and runtime scripts. |
| .github/workflows/semantic-function-refactor.lock.yml | Recompiled lockfile with updated actions/containers and runtime scripts. |
| .github/workflows/go-fan.lock.yml | Recompiled lockfile with updated actions/containers and runtime scripts. |
| .github/workflows/go-logger.lock.yml | Recompiled lockfile with updated actions/containers and runtime scripts. |
| .github/workflows/gpl-dependency-checker.lock.yml | Recompiled lockfile with updated actions/containers and runtime scripts. |
| .github/workflows/guard-status-tracker.lock.yml | Recompiled lockfile with updated actions/containers and runtime scripts. |
| .github/workflows/large-payload-tester.lock.yml | Recompiled lockfile with updated actions/containers and runtime scripts. |
| .github/workflows/nightly-schema-updater.lock.yml | Recompiled lockfile with updated actions/containers and runtime scripts. |
| .github/workflows/nightly-workflow-compiler.lock.yml | Recompiled lockfile with updated actions/containers and runtime scripts. |
| .github/workflows/plan.lock.yml | Recompiled lockfile with updated actions/containers and runtime scripts. |
| .github/workflows/release.lock.yml | Recompiled lockfile with updated actions/containers and runtime scripts. |
| .github/workflows/repo-assist.lock.yml | Recompiled lockfile with updated actions/containers and runtime scripts. |
| .github/workflows/smoke-allowonly.lock.yml | Recompiled lockfile with updated actions/containers and runtime scripts. |
| .github/workflows/smoke-copilot.lock.yml | Recompiled lockfile with updated actions/containers and runtime scripts. |
| .github/workflows/smoke-proxy-github-script.lock.yml | Recompiled lockfile with updated actions/containers and runtime scripts. |
| .github/workflows/smoke-safeoutputs-discussions.lock.yml | Recompiled lockfile with updated actions/containers and runtime scripts. |
| .github/workflows/smoke-safeoutputs-issues.lock.yml | Recompiled lockfile with updated actions/containers and runtime scripts. |
| .github/workflows/smoke-safeoutputs-labels.lock.yml | Recompiled lockfile with updated actions/containers and runtime scripts. |
| .github/workflows/smoke-safeoutputs-prs.lock.yml | Recompiled lockfile with updated actions/containers and runtime scripts. |
| .github/workflows/smoke-safeoutputs-reviews.lock.yml | Recompiled lockfile with updated actions/containers and runtime scripts. |
| .github/workflows/test-coverage-improver.lock.yml | Recompiled lockfile with updated actions/containers and runtime scripts. |
| .github/workflows/test-improver.lock.yml | Recompiled lockfile with updated actions/containers and runtime scripts. |
Copilot's findings
- Files reviewed: 33/34 changed files
- Comments generated: 11
| "github": { | ||
| "type": "stdio", | ||
| "container": "ghcr.io/github/github-mcp-server:v0.32.0", | ||
| "container": "ghcr.io/github/github-mcp-server:v1.0.0", |
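Review bot: in this hunk the `container` entry was tag-only before the change as well (`ghcr.io/github/github-mcp-server:v0.32.0`, no `@sha256:`), so no digest pin is lost at this line; the pin that does regress in this PR is in the "Download container images" step, where the v0.32.0 reference carried a digest and the v1.0.0 reference does not. If a digest is added back, use the same `ghcr.io/github/github-mcp-server:v1.0.0@sha256:<digest>` form in this `container` entry and in the download list so the two stay consistent.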
The GitHub MCP Server container is referenced by the mutable v1.0.0 tag (no digest pin). For supply-chain safety and reproducibility, pin this image to an immutable digest (e.g., ...:v1.0.0@sha256:...) and update the download list/manifest accordingly.
| "github": { | ||
| "type": "stdio", | ||
| "container": "ghcr.io/github/github-mcp-server:v0.32.0", | ||
| "container": "ghcr.io/github/github-mcp-server:v1.0.0", |
The GitHub MCP Server container is referenced by the mutable v1.0.0 tag (no digest pin). For supply-chain safety and reproducibility, pin this image to an immutable digest (e.g., ...:v1.0.0@sha256:...) and update the download list/manifest accordingly.
| "github": { | ||
| "type": "stdio", | ||
| "container": "ghcr.io/github/github-mcp-server:v0.32.0", | ||
| "container": "ghcr.io/github/github-mcp-server:v1.0.0", |
The GitHub MCP Server container is referenced by the mutable v1.0.0 tag (no digest pin). For supply-chain safety and reproducibility, pin this image to an immutable digest (e.g., ...:v1.0.0@sha256:...) and update the download list/manifest accordingly.
| "github": { | ||
| "type": "stdio", | ||
| "container": "ghcr.io/github/github-mcp-server:v0.32.0", | ||
| "container": "ghcr.io/github/github-mcp-server:v1.0.0", |
The GitHub MCP Server container is referenced by the mutable v1.0.0 tag (no digest pin). For supply-chain safety and reproducibility, pin this image to an immutable digest (e.g., ...:v1.0.0@sha256:...) and update the download list/manifest accordingly.
| "container": "ghcr.io/github/github-mcp-server:v1.0.0", | ||
| "env": { |
The GitHub MCP Server container is no longer pinned to an immutable digest (it’s referenced by the mutable v1.0.0 tag). This is a supply-chain risk because the tag could be retagged and change what runs in CI. Pin the image to a specific digest (e.g., ghcr.io/github/github-mcp-server:v1.0.0@sha256:...) and update the manifest/download list accordingly.
| "github": { | ||
| "type": "stdio", | ||
| "container": "ghcr.io/github/github-mcp-server:v0.32.0", | ||
| "container": "ghcr.io/github/github-mcp-server:v1.0.0", |
The GitHub MCP Server container is referenced by the mutable v1.0.0 tag (no digest pin). For supply-chain safety and reproducibility, pin this image to an immutable digest (e.g., ...:v1.0.0@sha256:...) and update the download list/manifest accordingly.
| run: bash "${RUNNER_TEMP}/gh-aw/actions/parse_guard_list.sh" | ||
| - name: Download container images | ||
| run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.20 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.20 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.20 ghcr.io/github/gh-aw-firewall/squid:0.25.20 ghcr.io/github/gh-aw-mcpg:v0.2.19 ghcr.io/github/github-mcp-server:v0.32.0@sha256:2763823c63bcca718ce53850a1d7fcf2f501ec84028394f1b63ce7e9f4f9be28 node:lts-alpine@sha256:01743339035a5c3c11a373cd7c83aeab6ed1457b55da6a69e014a95ac4e4700b | ||
| run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.26 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.26 ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.26 ghcr.io/github/gh-aw-firewall/squid:0.25.26 ghcr.io/github/gh-aw-mcpg:v0.2.26 ghcr.io/github/github-mcp-server:v1.0.0 node:lts-alpine@sha256:01743339035a5c3c11a373cd7c83aeab6ed1457b55da6a69e014a95ac4e4700b |
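Review bot: the digest on `ghcr.io/github/github-mcp-server` is dropped in this hunk: the removed line pins `v0.32.0@sha256:2763823c...`, the added line references `v1.0.0` by tag only, while `node:lts-alpine` keeps its `@sha256:` pin on both sides. The `gh-aw-firewall/*` and `gh-aw-mcpg` images were tag-only before and after, so this hunk does not change their status, but it is the one place in the diff where an existing pin regresses. Suggest `ghcr.io/github/github-mcp-server:v1.0.0@sha256:<digest>` here, with the digest resolved from the registry for the v1.0.0 image rather than copied from the removed line, since that digest belongs to v0.32.0.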
The workflow downloads ghcr.io/github/github-mcp-server:v1.0.0 by tag only (no digest). Pin this image to a specific digest to avoid executing a retagged image and to keep runs reproducible.
| "github": { | ||
| "type": "stdio", | ||
| "container": "ghcr.io/github/github-mcp-server:v0.32.0", | ||
| "container": "ghcr.io/github/github-mcp-server:v1.0.0", |
The GitHub MCP Server container is referenced by the mutable v1.0.0 tag (no digest pin). For supply-chain safety and reproducibility, pin this image to an immutable digest (e.g., ...:v1.0.0@sha256:...) and update the download list/manifest accordingly.
| "github": { | ||
| "type": "stdio", | ||
| "container": "ghcr.io/github/github-mcp-server:v0.32.0", | ||
| "container": "ghcr.io/github/github-mcp-server:v1.0.0", |
The GitHub MCP Server container is referenced by the mutable v1.0.0 tag (no digest pin). For supply-chain safety and reproducibility, pin this image to an immutable digest (e.g., ...:v1.0.0@sha256:...) and update the download list/manifest accordingly.
| "github": { | ||
| "type": "stdio", | ||
| "container": "ghcr.io/github/github-mcp-server:v0.32.0", | ||
| "container": "ghcr.io/github/github-mcp-server:v1.0.0", |
The GitHub MCP Server container is referenced by the mutable v1.0.0 tag (no digest pin). For supply-chain safety and reproducibility, pin this image to an immutable digest (e.g., ...:v1.0.0@sha256:...) and update the download list/manifest accordingly.
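The digest-pinning point raised in the review comments above, as an added example that is not part of gh-aw or of this PR: a small POSIX shell audit that takes the `download_docker_images.sh` argument list from a compiled lockfile's "Download container images" step, reports every image reference that lacks an `@sha256:` digest, and builds the pinned form once a digest has been resolved out of band. The sample run line is constructed from the image references visible in this PR; the function names and the `crane digest` resolution step are this example's own choices, not gh-aw behaviour.

```shell
#!/bin/sh
# Added example (not gh-aw code): audit the image references passed to a
# lockfile's download_docker_images.sh step for missing digest pins.
set -eu

# Succeeds only when the reference ends in "@sha256:<64 lowercase hex chars>".
is_digest_pinned() {
  digest="${1##*@sha256:}"
  # With no "@sha256:" present the expansion leaves the reference unchanged.
  [ "$digest" != "$1" ] || return 1
  printf '%s' "$digest" | grep -Eq '^[0-9a-f]{64}$'
}

# Prints every reference that carries no digest, one per line.
# Exit status is 0 when all references are pinned, 1 otherwise.
list_unpinned() {
  unpinned=0
  for ref in "$@"; do
    if ! is_digest_pinned "$ref"; then
      printf '%s\n' "$ref"
      unpinned=$((unpinned + 1))
    fi
  done
  [ "$unpinned" -eq 0 ]
}

# Extracts the image arguments from a lockfile "run:" line that invokes
# download_docker_images.sh: everything after the (possibly quoted) script path.
images_from_run_line() {
  printf '%s\n' "$1" | sed -n 's/.*download_docker_images\.sh"*[[:space:]]*//p'
}

# Audits one run line: prints the unpinned references, exit status 1 if any.
audit_run_line() {
  # Word splitting of the space-separated image list is intended here.
  # shellcheck disable=SC2046
  list_unpinned $(images_from_run_line "$1")
}

# Builds the pinned form from a tag reference and a digest resolved out of
# band, for example with `crane digest ghcr.io/github/github-mcp-server:v1.0.0`
# (needs registry access, so it is not run by this script).
pin_ref() {
  printf '%s@%s\n' "$1" "$2"
}

# Constructed sample: a download step as it appears in this PR's recompiled
# lockfiles, trimmed to four images. Only node:lts-alpine carries a digest.
SAMPLE_RUN_LINE='run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.26 ghcr.io/github/gh-aw-mcpg:v0.2.26 ghcr.io/github/github-mcp-server:v1.0.0 node:lts-alpine@sha256:01743339035a5c3c11a373cd7c83aeab6ed1457b55da6a69e014a95ac4e4700b'

# Demo: `sh audit_pins.sh --demo` lists the three tag-only images and exits 1,
# which is the behaviour wanted from a CI gate on the lockfiles.
if [ "${1:-}" = "--demo" ]; then
  audit_run_line "$SAMPLE_RUN_LINE"
fi
```

Two practical caveats when applying the fix. For a multi-architecture image, resolve and pin the digest of the manifest list (the image index), not the digest of one platform's manifest, so runners on a different architecture still match the pinned reference. And keep the tag next to the digest (`:v1.0.0@sha256:...`): the digest is what the runtime verifies, the tag is what a human reads in the lockfile, and both should move together on the next bump.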
Summary
Recompiles all 31 agentic workflows with gh-aw v0.69.2 (previously v0.68.2).
Version Bumps
- gh-aw compiler: v0.68.2 → v0.69.2
- gh-aw-actions/setup: v0.68.2 → v0.69.2
- gh-aw-firewall: 0.25.20 → 0.25.26
- gh-aw-mcpg: v0.2.19 → v0.2.26
- github-mcp-server: v0.32.0 → v1.0.0
- actions/cache: v5.0.4 → v5.0.5
Changes
- .lock.yml files recompiled
- .github/aw/actions-lock.json with new action SHAs
- .github/workflows/agentics-maintenance.yml
- .github/agents/agentic-workflows.agent.md
Compile Output
All workflows compiled successfully with 0 errors and 2 warnings (pre-existing: missing pull-requests: read on guard-coverage-checker, and safe-inputs on shared/go-make).