Contributor

Copilot AI commented Jan 23, 2026

  • Merge origin/main with --allow-unrelated-histories
  • Resolve all merge conflicts
  • Re-apply AWF v0.11.2 changes:
    • Update DefaultFirewallVersion to v0.11.2
    • Add --agent-image act flag
    • Add /opt/hostedtoolcache:/opt/hostedtoolcache:ro mount
  • Recompile all 139 workflow lock files
  • Fix constants_test.go version expectations
Original prompt

update the awf firewall to v0.11.2 https://github.com/githubnext/gh-aw-firewall/releases/tag/v0.11.2

change the agent container to act (see: githubnext/gh-aw-firewall#397)




Changeset

  • Type: patch
  • Description: Updated the AWF firewall to v0.11.2 and switched the AWF agent container to act.

Ahoy! This treasure was crafted by 🏴‍☠️ Changeset Generator


Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Update the AWF firewall to version 0.11.2" to "Update AWF firewall to v0.11.2 with ACT agent container" Jan 24, 2026
Copilot AI requested a review from Mossaka January 24, 2026 00:00
@Mossaka Mossaka marked this pull request as ready for review January 24, 2026 05:09
@Mossaka Mossaka added the smoke label Jan 24, 2026
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@Mossaka
Collaborator

Mossaka commented Jan 26, 2026

@copilot merge origin/main and regenerate

Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Contributor Author

Copilot AI commented Jan 26, 2026

@copilot merge origin/main and regenerate

Done. Merged origin/main and regenerated all lock files in commit 6f6e0f2. AWF v0.11.2 with --agent-image act flag is now applied to all workflows.

@Mossaka Mossaka added smoke and removed smoke labels Jan 26, 2026
@github-actions
Contributor

github-actions bot commented Jan 26, 2026

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰

@github-actions
Contributor

github-actions bot commented Jan 26, 2026

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions
Contributor

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

@github-actions
Contributor

github-actions bot commented Jan 26, 2026

🎬 THE END Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

@github-actions
Contributor

Add copilot-setup.md prompt for automated repository configuration ✅
Update workflows to actions/checkout v6 ✅
Safeinputs gh pr list ✅
Serena activate_project ✅
Playwright GitHub title ✅
Tavily search ✅
File write+cat ✅
Discussion comment ✅
Overall status: PASS

AI generated by Smoke Codex

@github-actions
Contributor

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

github-actions bot and others added 2 commits January 26, 2026 22:33
This ensures the agent has access to Go and Node.js for building
and testing the gh-aw project.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@github-actions github-actions bot removed the smoke label Jan 26, 2026
@github-actions
Contributor

Smoke Test Results

PRs: #11959 (maxItems constraints), #11956 (workflow authoring docs)

  • ✅ GitHub MCP
  • ✅ Safe Inputs GH CLI
  • ✅ Serena MCP
  • ✅ Playwright
  • ✅ File Writing
  • ✅ Bash Tool
  • ✅ Discussion Interaction

Status: PASS

@Mossaka @Copilot

AI generated by Smoke Copilot

@github-actions
Contributor

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions
Contributor

GitHub MCP: ✅ Add maxItems constraints to workflow schema arrays for resource safety; Update workflow authoring docs to emphasize GitHub web interface
Safeinputs GH: ✅ [WIP] Review MCP registry lookup and package resolution support; Update AWF firewall to v0.11.2 with ACT agent container
Serena activate: ✅
Playwright title: ✅
Tavily search: ✅
File write: ✅
Bash cat: ✅
Discussion comment: ✅
Overall: PASS

AI generated by Smoke Codex

@github-actions
Contributor

Smoke Test: Claude - 21376503156

✅ GitHub MCP
✅ Safe Inputs GH CLI (#11960, #11567)
✅ Serena MCP
✅ Make Build
✅ Playwright
✅ Tavily
✅ File Writing
✅ Bash Tool
✅ Discussion Interaction

Overall Status: PASS

Run: https://github.com/githubnext/gh-aw/actions/runs/21376503156

AI generated by Smoke Claude

@github-actions
Contributor

✅ Dev Hawk Report - Success

Workflow: #3233

Dev workflow completed successfully! 🎉

AI generated by Dev Hawk

@github-actions
Contributor

✅ Dev Hawk Report - Success

Workflow: #3234

  • Status: ✅ success
  • Commit: c82400e
  • Duration: ~5 minutes (activation: 5s, agent: 4m20s)

Summary

Dev workflow completed successfully! 🎉

Job Performance

  • Activation Job: ✅ Completed in 5 seconds
  • Agent Job: ✅ Completed in 4m20s
    • Repository checkout: ✅
    • Go and Node.js setup: ✅
    • GitHub Copilot CLI installation: ✅
    • AWF binary installation: ✅
    • MCP gateway: ✅ Started and stopped successfully
    • All 36 steps completed successfully

What Was Tested

This Dev workflow tested the changes from commit c82400e:

  • "Add Go and Node runtimes to dev workflow"
  • Ensures the agent has access to Go and Node.js for building and testing

The workflow validated that the runtime setup works correctly with the updated AWF firewall (v0.11.2) and the new ACT agent container.


✨ All systems operational! This PR is ready for the next steps in the review process.

AI generated by Dev Hawk

Tools installed via actions/setup-* (Go, Node, Python, etc.) are placed
in /opt/hostedtoolcache but the agent container doesn't have these paths
in PATH by default. This adds a PATH setup command that finds all bin
directories under /opt/hostedtoolcache and adds them to PATH before
running the copilot CLI inside the AWF container.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@github-actions
Contributor

✅ Dev Hawk Report - Success

Workflow: Run #3235

  • Status: ✅ success
  • Commit: b6f7ec4
  • Duration: ~6 minutes

🎯 Changes Summary

This PR successfully updates the AWF firewall infrastructure and fixes a critical PATH issue:

Core Updates

  • AWF Firewall: v0.10.0 → v0.11.2
  • Agent Container: Switched to act (via --agent-image act flag)
  • hostedtoolcache Mount: Added /opt/hostedtoolcache:/opt/hostedtoolcache:ro read-only mount
  • PATH Setup: Added dynamic PATH configuration for hostedtoolcache tools

Additional Updates

  • Copilot CLI: v0.0.394 → v0.0.395
  • GitHub MCP Server: v0.29.0 → v0.30.1
  • MCP Gateway: v0.0.78 → v0.0.80
  • Playwright MCP: v0.0.58 → v0.0.60
  • Lock Files: Successfully recompiled 139 workflow lock files

🔧 Key Technical Changes

1. PATH Configuration Enhancement

The most significant change in the latest commit addresses a critical issue where tools installed via actions/setup-* (Go, Node, Python, etc.) were not accessible inside the AWF container:

Before:

-- /usr/local/bin/copilot [args...]

After:

-- export PATH="$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\n' ':')$PATH" && /usr/local/bin/copilot [args...]

This change dynamically discovers and adds all bin directories under /opt/hostedtoolcache to the PATH before running the copilot CLI, ensuring GitHub Actions setup tools are available inside the container.

2. ACT Agent Container

The switch to the act agent container (via --agent-image act) aligns with the AWF firewall v0.11.2 updates, providing better compatibility with GitHub Actions tooling.


✅ Verification

All workflow jobs completed successfully:

  • activation: ✅ Completed in 9s
  • agent: ✅ Completed in 5m 48s (includes full Copilot CLI execution)

No errors or warnings detected in the workflow execution.


📊 Impact

This PR enables workflows using the Copilot engine to properly access tools installed by GitHub Actions setup actions (setup-go, setup-node, setup-python, etc.) inside the AWF container, resolving potential tool availability issues.

The update to AWF v0.11.2 brings the latest firewall improvements and the ACT agent container integration.

Great work on this update! 🚀

AI generated by Dev Hawk
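
The PATH setup described in the comment above, run against a constructed tool cache (an added example, not code from this pull request; the cache layout, versions and helper function names are assumptions). It shows that cache directories are placed ahead of the existing PATH, that `-maxdepth 4` excludes deeper `bin` directories, and that when two versions of a tool are present the winner depends on the order `find` returns, which the sorted variant makes reproducible.

```shell
#!/bin/sh
# Added example. The cache is constructed in a temp dir and only mimics the
# <tool>/<version>/<arch>/bin layout; it is not the real /opt/hostedtoolcache.

make_sample_cache() {  # $1 = root directory to populate
    for d in go/1.21.0/x64/bin go/1.22.0/x64/bin node/20.11.0/x64/bin \
             Python/3.12.1/x64/lib/bin; do   # last entry is below -maxdepth 4
        mkdir -p "$1/$d"
    done
    for v in 1.21.0 1.22.0; do
        printf '#!/bin/sh\necho go%s\n' "$v" > "$1/go/$v/x64/bin/go"
        chmod +x "$1/go/$v/x64/bin/go"
    done
}

# The PR's pipeline with the cache root ($1) and the old PATH ($2) as parameters.
path_as_in_pr() {
    printf '%s%s\n' "$(find "$1" -maxdepth 4 -type d -name bin 2>/dev/null | tr '\n' ':')" "$2"
}

# Same, but byte-wise sorted so the order (and so the winner) is reproducible.
path_sorted() {
    printf '%s%s\n' "$(find "$1" -maxdepth 4 -type d -name bin 2>/dev/null | LC_ALL=C sort | tr '\n' ':')" "$2"
}

# Resolve a command as the shell does: the first PATH entry that has it wins.
first_match() {  # $1 = PATH string, $2 = command name
    ( IFS=:; set -f
      for d in $1; do
          [ -x "$d/$2" ] && { printf '%s\n' "$d/$2"; exit 0; }
      done
      exit 1 )
}

count_entries() { printf '%s\n' "$1" | tr ':' '\n' | grep -c .; }

demo() {
    root=$(mktemp -d) || return 1
    make_sample_cache "$root"
    p=$(path_sorted "$root" /usr/bin:/bin)
    echo "entries: $(count_entries "$p")"
    echo "go resolves to: $(first_match "$p" go)"
    rm -rf "$root"
}
demo
```

With the sorted variant the 1.21.0 directory comes first, because byte order is not version order; a missing cache root leaves PATH unchanged in both variants.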

Mossaka and others added 2 commits January 26, 2026 23:09
When runtimes are specified in workflow frontmatter (e.g., go, node, python),
automatically add the corresponding ecosystem domains to the AWF firewall
allowlist. This allows workflows to download packages and dependencies
without explicitly specifying network permissions.

Runtime to ecosystem mapping:
- node, bun, deno → node ecosystem (npmjs.org, nodejs.org, etc.)
- python, uv → python ecosystem (pypi.org, etc.)
- go → go ecosystem (proxy.golang.org, etc.)
- java → java ecosystem (maven.apache.org, gradle.org, etc.)
- ruby → ruby ecosystem (rubygems.org, etc.)
- dotnet → dotnet ecosystem (nuget.org, etc.)
- haskell → haskell ecosystem (haskell.org, etc.)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add domains needed for running tests:
- ghcr.io, pkg-containers.githubusercontent.com: Docker image pulls
- proxy.golang.org, sum.golang.org, storage.googleapis.com: Go modules
- objects.githubusercontent.com, codeload.github.com: GitHub downloads

Also increase timeout to 30 minutes for full test suite.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@github-actions
Contributor

✅ Dev Hawk Report - Success

Workflow: #3236

Dev workflow completed successfully! 🎉

Commit Summary

This commit adds automatic runtime ecosystem domain allowlisting to the AWF firewall. When workflows specify runtimes (e.g., node, python, go) in their frontmatter, the corresponding package ecosystem domains are automatically added to the firewall allowlist.

Changes in this commit:

  • Modified pkg/workflow/domains.go - Added runtime-to-ecosystem domain mapping logic
  • Modified pkg/workflow/domains_test.go - Added comprehensive test coverage for runtime domain mappings
  • Modified engine files (claude_engine.go, codex_engine.go, copilot_engine_execution.go) - Updated to use the new domain mapping functionality

Runtime Ecosystem Mappings:

  • node, bun, deno → npmjs.org, nodejs.org, etc.
  • python, uv → pypi.org, etc.
  • go → proxy.golang.org, etc.
  • java → maven.apache.org, gradle.org, etc.
  • ruby → rubygems.org, etc.
  • dotnet → nuget.org, etc.
  • haskell → haskell.org, etc.

This enhancement allows workflows to download packages and dependencies without requiring explicit network permission declarations. All tests passed successfully! ✅

AI generated by Dev Hawk

@Mossaka Mossaka merged commit 5d90a1f into main Jan 26, 2026
49 checks passed
@Mossaka Mossaka deleted the copilot/update-awf-firewall-to-v0-11-2 branch January 26, 2026 23:34
@github-actions
Contributor

✅ Dev Hawk Report - Success

Workflow: #3237

  • Status: ✅ success
  • Commit: 5c0d2bd
  • Duration: ~6 minutes

Summary

Dev workflow completed successfully! 🎉

This commit added network allowlist domains for dev workflow tests:

  • ghcr.io, pkg-containers.githubusercontent.com: Docker image pulls
  • proxy.golang.org, sum.golang.org, storage.googleapis.com: Go modules
  • objects.githubusercontent.com, codeload.github.com: GitHub downloads

Also increased timeout to 30 minutes for full test suite.

All steps completed without issues:

  • ✅ Activation job (7s)
  • ✅ Agent job with full test suite (~6 min)
  • ✅ All 32 steps executed successfully

AI generated by Dev Hawk
