chore: upgrade gh-aw to v0.76.1 by lpcox · Pull Request #3897 · github/gh-aw-firewall

lpcox · 2026-05-27T00:20:19Z

Upgrade agentic workflows from v0.75.4 to v0.76.1.

Changes

Update agent dispatcher references to v0.76.1
Recompile all 35 lock files with new version
Update actions-lock.json with new action pins

Net reduction of ~1,094 lines across lock files (likely from improved compilation output).

The api-proxy container crashes with 'Cannot find module ./deprecated-header-tracker' because the file was not included in the Dockerfile COPY instruction. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Upgrade agentic workflows from v0.75.4 to v0.76.1: - Update agent dispatcher references to v0.76.1 - Recompile all lock files with new version - Update actions-lock.json Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Copilot

Pull request overview

This PR upgrades generated gh-aw workflow locks and dispatcher references from v0.75.4 to v0.76.1, while also extracting some api-proxy request/response helpers into focused modules.

Changes:

Updates gh-aw/action pins, AWF image tags, and generated lock-file content to v0.76.1 / 0.25.55.
Adds support for restored inline skills and updated agent config folder handling in generated workflows.
Refactors api-proxy billing header extraction, deprecated header tracking, and upstream response handling into separate modules.

Show a summary per file

File	Description
`containers/api-proxy/upstream-response.js`	New response-handling helper module for proxy response streaming, retries, metrics, and token tracking.
`containers/api-proxy/proxy-request.js`	Replaces inline helpers with imports from new focused modules.
`containers/api-proxy/Dockerfile`	Updates copied api-proxy source files for the refactor.
`containers/api-proxy/deprecated-header-tracker.js`	New module for learned deprecated header value stripping.
`containers/api-proxy/billing-headers.js`	New module for billing/quota header extraction.
`.github/workflows/smoke-otel-tracing.lock.yml`	Regenerated lock workflow with v0.76.1 pins and new compiler output.
`.github/workflows/smoke-gemini.lock.yml`	Regenerated Gemini smoke workflow lock with updated images/actions and skills handling.
`.github/workflows/smoke-copilot.lock.yml`	Regenerated Copilot smoke workflow lock with updated images/actions and skills handling.
`.github/workflows/refactoring-scanner.lock.yml`	Regenerated scanner workflow lock with updated images/actions and skills handling.
`.github/workflows/duplicate-code-detector.lock.yml`	Regenerated duplicate-code workflow lock with updated images/actions and skills handling.
`.github/workflows/dependency-security-monitor.lock.yml`	Regenerated dependency monitor workflow lock with updated images/actions and skills handling.
`.github/workflows/copilot-token-usage-analyzer.lock.yml`	Regenerated token analyzer lock with updated gh-aw version and image/action pins.
`.github/workflows/claude-token-usage-analyzer.lock.yml`	Regenerated Claude token analyzer lock with updated gh-aw version and image/action pins.
`.github/aw/actions-lock.json`	Updates pinned action versions and SHAs.
`.github/agents/agentic-workflows.agent.md`	Updates dispatcher documentation links to gh-aw v0.76.1.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Files reviewed: 33/42 changed files
Comments generated: 1

@@ -24,7 +24,7 @@ COPY server.js logging.js metrics.js rate-limiter.js \
     github-oidc.js aws-oidc-token-provider.js gcp-oidc-token-provider.js \
     anthropic-oidc-token-provider.js \
     oidc-refresh-utils.js body-transform.js rate-limit.js websocket-proxy.js \
-     otel.js ./
+     deprecated-header-tracker.js otel.js ./


lpcox · 2026-05-27T00:26:48Z

@copilot address the review feedback

Copilot · 2026-05-27T00:30:25Z

@copilot address the review feedback

Addressed in commit fd0a0a4 by updating containers/api-proxy/Dockerfile to copy both billing-headers.js and upstream-response.js into the image.

github-actions · 2026-05-27T00:33:08Z

🔭 Smoke Test: API Proxy OpenTelemetry Tracing

Scenario	Result	Notes
Module Loading	✅	`otel.js` loads successfully; exports `initOtel`, `startSpan`, `endSpanOk`, `endSpanError`, `shutdown`
Test Suite	✅	33/33 tests passed in `otel.test.js`
Env Var Forwarding	✅	`api-proxy-service.ts` forwards `OTEL_EXPORTER_OTLP_ENDPOINT`, `OTEL_EXPORTER_OTLP_HEADERS`, `GITHUB_AW_OTEL_TRACE_ID`, `GITHUB_AW_OTEL_PARENT_SPAN_ID`, `OTEL_SERVICE_NAME`
Token Tracker Integration	✅	`onUsage` callback exists in `token-tracker-http.js` (line 237) as the OTEL hook point
OTEL Diagnostics	✅	`FileSpanExporter` writes to `/var/log/api-proxy/otel.jsonl`; OTLP export activates when `OTEL_EXPORTER_OTLP_ENDPOINT` is set

All scenarios pass. OTEL tracing integration is functional.

📡 OTel tracing validated by Smoke OTel Tracing

github-actions · 2026-05-27T00:35:12Z

Chroot Version Comparison Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.13	Python 3.12.3	❌
Node.js	v24.15.0	v22.22.3	❌
Go	go1.22.12	go1.22.12	✅

Result: ⚠️ Not all versions match. Go matches, but Python and Node.js differ between host and chroot environments.

Tested by Smoke Chroot

lpcox · 2026-05-27T02:59:34Z

@copilot resolve the merge conflicts in this pull request

…0.76.1 # Conflicts: # containers/api-proxy/Dockerfile

Copilot · 2026-05-27T03:03:12Z

@copilot resolve the merge conflicts in this pull request

Resolved and pushed in fffb0d9. I merged origin/main into this branch and resolved the Dockerfile conflict, keeping both anthropic-cache.js and the new billing-headers.js/upstream-response.js entries.

github-actions · 2026-05-27T03:07:52Z

Smoke Test: Claude Engine

✅ GitHub API: 2 PR entries found
✅ GitHub check: playwright_check PASS
✅ File verify: smoke-test-claude-26488172075.txt exists

Total: PASS

💥 [THE END] — Illustrated by Smoke Claude

github-actions · 2026-05-27T03:08:25Z

🧪 Smoke Test Results

Test	Status
GitHub MCP connectivity	✅
GitHub.com HTTP connectivity (200)	✅
File write/read	⚠️ (template vars unexpanded)

PR: chore: upgrade gh-aw to v0.76.1
Author: @lpcox

Overall: PASS (2/2 verifiable tests passed; file test skipped due to unexpanded workflow template variables)

📰 BREAKING: Report filed by Smoke Copilot

github-actions · 2026-05-27T03:09:52Z

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	1/1 passed	✅ PASS
Go	env	✅	1/1 passed	✅ PASS
Go	uuid	✅	1/1 passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	All passed	✅ PASS
Node.js	execa	✅	All passed	✅ PASS
Node.js	p-limit	✅	All passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #3897 · sonnet46 1.1M · ◷

github-actions · 2026-05-27T03:10:16Z

Gemini Smoke Test Results

GitHub MCP Testing: ❌ (mcpscripts not found)
GitHub.com Connectivity: ❌ (SSL Error 35)
File Writing Testing: ✅
Bash Tool Testing: ✅

Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini

github-actions · 2026-05-27T03:10:42Z

Smoke Test Results

Check	Result
Redis PING	❌ Connection blocked
PostgreSQL pg_isready	❌ No response
PostgreSQL SELECT 1	❌ No response

Overall: FAIL

host.docker.internal resolves to 172.17.0.1, but TCP connections to ports 6379 and 5432 are blocked by AWF iptables rules. The sandbox firewall drops traffic to the host network, preventing access to GitHub Actions service containers.

🔌 Service connectivity validated by Smoke Services

github-actions · 2026-05-27T03:13:27Z

🔥 Smoke Test: Copilot BYOK (Offline) Mode

Test	Result
GitHub MCP connectivity	✅
GitHub.com HTTP	⚠️ (pre-step data not expanded)
File write/read	⚠️ (pre-step data not expanded)
BYOK inference (api-proxy → api.githubcopilot.com)	✅

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com.

PR: chore: upgrade gh-aw to v0.76.1 — author: @lpcox

Overall: PARTIAL (BYOK path confirmed; pre-step template vars not expanded)

🔑 BYOK report filed by Smoke Copilot BYOK

github-actions · 2026-05-27T03:27:13Z

Deduplicate OIDC getToken() across token providers via base-class implementation
refactor(oidc): extract duplicate cache-update/refresh-scheduling into base class
PR list: ✅
GitHub title check: ✅
File write/read: ✅
Discussion comment: ✅
Build: ❌
Overall: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

Copilot AI and others added 4 commits May 26, 2026 22:16

Initial plan

0d32a04

refactor(api-proxy): split proxy-request into focused modules

d1ba95c

fix: add deprecated-header-tracker.js to Dockerfile COPY

ed34b4a

The api-proxy container crashes with 'Cannot find module ./deprecated-header-tracker' because the file was not included in the Dockerfile COPY instruction. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

chore: upgrade gh-aw to v0.76.1

445d085

Upgrade agentic workflows from v0.75.4 to v0.76.1: - Update agent dispatcher references to v0.76.1 - Recompile all lock files with new version - Update actions-lock.json Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Copilot AI review requested due to automatic review settings May 27, 2026 00:20

Copilot started reviewing on behalf of lpcox May 27, 2026 00:20 View session