Skip to content

chore: bump gh-aw-firewall to v0.25.2#23181

Draft
Copilot wants to merge 2 commits intomainfrom
copilot/bump-gh-aw-firewall-to-v0-25-2
Draft

chore: bump gh-aw-firewall to v0.25.2#23181
Copilot wants to merge 2 commits intomainfrom
copilot/bump-gh-aw-firewall-to-v0-25-2

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Mar 26, 2026
edited
Loading

Bump DefaultFirewallVersion from v0.25.1 to v0.25.2.

What's new in v0.25.2:

  • --allow-host-service-ports: new CLI flag allowing agents to reach GitHub Actions services: containers (PostgreSQL, Redis, MySQL) on the host, restricted to host gateway IPs only

Changes:

  • Updated DefaultFirewallVersion constant in pkg/constants/constants.go
  • Added changeset
  • Recompiled all workflow lock files

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw -pack /home/REDACTED/work/gh-aw/gh-aw/pkg/cli/access_log.go /home/REDACTED/work/gh-aw/gh-aw/pkg/cli/actionlint.go (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GO111MODULE ules/.bin/node git rev-�� --show-toplevel go /usr/bin/git 24/001/test-compgit GO111MODULE 64/pkg/tool/linu--show-toplevel git (http block)
  • https://api.github.com/orgs/test-owner/actions/secrets
    • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE node /hom�� h ../../../.prettierignore **/*.cjs 64/bin/go **/*.json --ignore-path ../../../.pretti--write go (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha --show-toplevel go /usr/bin/git json' --ignore-pgit GO111MODULE 64/bin/go git init�� GOMODCACHE go /opt/hostedtoolcache/node/24.14.0/x64/bin/node ub/workflows GO111MODULE -d /opt/hostedtoolcache/node/24.14.0/x64/bin/node (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha "prettier" --write '../../../**/*.json' '!../../../pkg/workflow/-errorsas ache/go/1.25.0/xGO111MODULE ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet rror GO111MODULE 64/bin/go ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha -json GO111MODULE bin/sh GOINSECURE GOMOD GOMODCACHE go env *.json' '!../../--workflow GO111MODULE 64/pkg/tool/linu--limit GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/link (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha xterm-color go /usr/bin/git le-frontmatter.mgit GO111MODULE ache/go/1.25.0/x--show-toplevel git rev-�� --show-toplevel go /usr/bin/git -json GO111MODULE 86_64/node git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel go /usr/bin/git 1433-46146/test-git GO111MODULE k/gh-aw/gh-aw/ac--show-toplevel git rev-�� --show-toplevel go /usr/bin/git -json on ache/go/1.25.0/x--show-toplevel git (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha /tmp/go-build4101807315/b449/_pkg_.a -trimpath /usr/bin/git -p github.com/githurev-parse -lang=go1.25 git -C /tmp/gh-aw-test-runs/20260326-231433-46146/test-878429351 rev-parse /usr/bin/git @{u} -nolocalimports -importcfg git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha ts.result config /usr/bin/git remote.origin.urgit GO111MODULE 64/bin/go git add .github/workflows/test.md go /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/link /usr/bin/git outil.test GO111MODULE 64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel 64/pkg/tool/linux_amd64/compile /usr/bin/git g_.a GO111MODULE g_.a git (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE node /hom�� --check **/*.cjs 64/bin/go **/*.json --ignore-path ../../../.pretti"prettier" --write '../../../**/*.json' '!../../../pkg/workflow/js/**/*.json' ---p go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha ath ../../../.pr**/*.json GOPROXY er GOSUMDB GOWORK 64/bin/go /opt/hostedtoolcache/go/1.25.0/xGO111MODULE -o /tmp/go-build3761662528/b375/_pkGOINSECURE -trimpath 64/bin/go -p main -lang=go1.25 go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -c=4 -nolocalimports -importcfg /tmp/go-build4101807315/b423/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/pkg/logger/doc.go /home/REDACTED/work/gh-aw/gh-aw/pkg/logger/logger.go er -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha /tmp/TestHashStability_SameInputSameOutput2339878682/001/stability-test.md go /usr/bin/git js/**/*.json' --git GO111MODULE 64/bin/go git rev-�� --show-toplevel go /opt/hostedtoolcache/node/24.14.0/x64/bin/node -json GO111MODULE odules/npm/node_--show-toplevel node (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha /tmp/TestHashStability_SameInputSameOutput2339878682/001/stability-test.md go /usr/bin/git js/**/*.json' --git GO111MODULE 64/bin/go git add .github/workflows/test.md go /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
  • https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha prettier --write 0/x64/bin/node **/*.ts **/*.json --ignore-path node t-ha�� ithub/workflows/agentic-observability-kit.md scripts/**/*.js /usr/bin/make .prettierignore --log-level=errorev-parse 64/bin/go make (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha -bool -buildtags (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha ry=1 GOPROXY g_.a GOSUMDB GOWORK 64/bin/go sh -c npx prettier --write '../../../**/*.json' '!../../../pkg/workflow/js/**/*.json' --ignore-path l ache/node/24.14.0/x64/bin/node ck 'scripts/**/*git GO111MODULE 64/bin/go /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha 1433-46146/test-878429351 --write /home/REDACTED/work/gh-aw/gh-aw/actions/setup/node_modules/.bin/sh **/*.ts **/*.json --ignore-path sh ortc�� k/gh-aw/gh-aw/.github/workflows stmain.go 0/x64/bin/node ck 'scripts/**/*git GO111MODULE 64/bin/go ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
    • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env '**/*.ts' '**/*.json' --ignore-path ../../../.pr**/*.json GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
    • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env '**/*.ts' '**/*.json' --ignore-premote.origin.url GO111MODULE 64/bin/sh GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
    • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env '**/*.ts' '**/*.json' --ignore-pgo1.25.0 GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
    • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 GO111MODULE de/node/bin/sh GOINSECURE GOMOD GOMODCACHE go env '**/*.ts' '**/*.json' --ignore-path ../../../.pr**/*.json GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
    • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 GO111MODULE x_amd64/link GOINSECURE GOMOD GOMODCACHE x_amd64/link env '**/*.ts' '**/*.json' --ignore-path ../../../.pr**/*.json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
    • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 GO111MODULE 0/x64/bin/sh GOINSECURE GOMOD GOMODCACHE go env '**/*.ts' '**/*.json' --ignore-pgo1.25.0 GO111MODULE x_amd64/link GOINSECURE GOMOD GOMODCACHE x_amd64/link (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
    • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go estl�� '**/*.ts' '**/*.json' --ignore-premote.origin.url GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE stat -f h ../../../.prettierignore /sys/fs/cgroup 64/bin/go GOSUMDB GOWORK 64/bin/go go (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 GO111MODULE 64/bin/go go env js/**/*.json' ---errorsas GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 GOMOD GOMODCACHE x_amd64/link env -json GO111MODULE 0/x64/lib/node_modules/npm/node_modules/@npmcli/run-script/lib/node-gyp-bin/node GOINSECURE GOMOD GOMODCACHE 8A/RFr094xa-M6ehmK-ZS-f/-nXLG8d-CyxHzcGHNa9W (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel x_amd64/compile /usr/bin/git ty-test.md GO111MODULE 0/x64/lib/node_m--show-toplevel git rev-�� --show-toplevel go /usr/bin/git */*.ts' '**/*.jssed GO111MODULE ache/go/1.25.0/x64/bin/go git (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha ty-test.md GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env y_with_repos_array_c904593312/001 GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha --check scripts/**/*.js 64/bin/go .prettierignore GO111MODULE 64/bin/go go env js/**/*.json' ---s GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha --check scripts/**/*.js 64/bin/go .prettierignore GO111MODULE 64/bin/go go env js/**/*.json' ---errorsas GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha re --log-level=e!../../../pkg/workflow/js/**/*.json go 64/bin/go -json GO111MODULE 64/bin/go go env js/**/*.json' ---s GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha re --log-level=e!../../../pkg/workflow/js/**/*.json go 64/bin/go -json GO111MODULE 64/bin/go go env js/**/*.json' ---test.timeout=10m0s GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha --check scripts/**/*.js 64/bin/go .prettierignore GO111MODULE 64/bin/go go env js/**/*.json' ---p GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha (http block)
  • https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha -json GO111MODULE At,event,headBranch,headSha,displayTitle GOINSECURE GOMOD GOMODCACHE go env ithout_min-integrity2987198177/001 GO111MODULE n-dir/node GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/nonexistent/repo/actions/runs/12345
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE go 0/x6�� 3022148271/.github/workflows GO111MODULE 0/x64/bin/node GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/owner/repo/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo modules/@npmcli/run-script/lib/node-gyp-bin/sh GOSUMDB GOWORK 64/bin/go ls -alF�� h ../../../.pret.prettierignore go 64/bin/go -json GO111MODULE 64/bin/go go (http block)
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOSUMDB GOWORK 64/bin/go ls -alF�� h ../../../.pret.prettierignore go 64/bin/go -json GO111MODULE 64/bin/go go (http block)
  • https://api.github.com/repos/owner/repo/contents/file.md
    • Triggering command: /tmp/go-build4101807315/b403/cli.test /tmp/go-build4101807315/b403/cli.test -test.testlogfile=/tmp/go-build4101807315/b403/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true GOINSECURE GOMOD GOMODCACHE sh -c ath ../../../.pr**/*.json GOPROXY 64/bin/go GOSUMDB GOWORK run-script/lib/n"prettier" --write '../../../**/*.json' '!../../../pkg/workflow/js/**/*.json' ---errorsas git (http block)
  • https://api.github.com/repos/test-owner/test-repo/actions/secrets
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE node /hom�� --check **/*.cjs 64/bin/go **/*.json --ignore-path ../../../.pretti../../../**/*.json go (http block)

If you need me to access, download, or install something from one of these locations, you can either:

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Copilot AI linked an issue Mar 26, 2026 that may be closed by this pull request
chore: bump gh-aw-firewall to v0.25.2 #23051
Open
@Mossaka
chore: bump gh-aw-firewall to v0.25.2
fc7ac73 
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/ac948765-1945-498f-8326-0a08c55ba4cc

Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Copilot AI changed the title [WIP] Update gh-aw-firewall version reference to v0.25.2 chore: bump gh-aw-firewall to v0.25.2 Mar 26, 2026
Copilot AI requested a review from Mossaka March 26, 2026 23:19
@github-actions github-actions bot mentioned this pull request Mar 27, 2026
Open
@github-actions

This comment has been minimized.

Sign in to view
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Mar 28, 2026

Hey @Copilot 👋 — great work on this firewall bump! Bumping DefaultFirewallVersion to v0.25.2 and recompiling all 178 lock files is a clean, well-scoped maintenance task, and the PR description clearly explains both the change and what's new in the new version (the --allow-host-service-ports flag for reaching Actions service containers).

One thing to follow up on before marking this ready for review:

  • No test files were modified — while a pure version-constant bump + lock-file recompile doesn't require new tests, the CONTRIBUTING.md mandates running make agent-finish (which includes make test and make build) before completing any PR. Adding confirmation that this was run — or running it now — would validate that all existing tests still pass against v0.25.2 and give reviewers confidence.

If you'd like a hand, you can assign this prompt to your coding agent:

Validate the firewall version bump to v0.25.2 in this PR by running the full quality gate.

Steps:
1. Run `make agent-finish` from the repo root (this runs build, test, lint, recompile, fmt, lint-errors).
2. If any step fails, investigate and fix the root cause before re-running.
3. Once all checks pass, remove the draft status from the PR (mark as ready for review).

The key file changed is `pkg/constants/constants.go` (DefaultFirewallVersion = "v0.25.2").
All 178 .github/workflows/*.lock.yml files should already be recompiled via `make recompile`.

Generated by Contribution Check ·

@github-actions github-actions bot mentioned this pull request Mar 28, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Mossaka Mossaka Awaiting requested review from Mossaka

Assignees

@Mossaka Mossaka

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

chore: bump gh-aw-firewall to v0.25.2

2 participants

@Mossaka