Skip to content

chore: bump firewall version to v0.27.30#45025

Merged
lpcox merged 3 commits into
mainfrom
copilot/chore-bump-firewall-version
Jul 12, 2026
Merged

chore: bump firewall version to v0.27.30#45025
lpcox merged 3 commits into
mainfrom
copilot/chore-bump-firewall-version

Conversation

Copilot AI commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

Bumps DefaultFirewallVersion from v0.27.29 to v0.27.30 and resolves the long-standing AWFContainerRuntimeMinVersion TODO — gh-aw-firewall PRs #6093 (gVisor runtime) and #6101 (Docker sbx microVM) both shipped in v0.27.30, so the placeholder v0.28.0 is replaced with the actual release version.

Constants (pkg/constants/version_constants.go)

  • DefaultFirewallVersion: v0.27.29v0.27.30
  • AWFContainerRuntimeMinVersion: v0.28.0v0.27.30 (resolves TODO; containerRuntime field is now live)

Container image SHA pins

Added v0.27.30 digest entries for all six sidecar images (agent, agent-act, api-proxy, cli-proxy, build-tools, squid) to .github/aw/actions-lock.json and both action_pins.json copies.

Test updates

  • docker_firewall_pin_compile_test.go — hardcoded v0.27.29 SHA digests updated to v0.27.30
  • docker_sbx_test.go / gvisor_test.go — version-gating tests that previously relied on the default version predating AWFContainerRuntimeMinVersion now explicitly pin v0.27.29 to preserve the "too-old" coverage path; TestGVisorFrontmatterExtraction flipped to assert containerRuntime is emitted with the default version
  • Wasm golden files — regenerated to reflect v0.27.30 in compiled output

Lock files

All 256 .lock.yml files regenerated via make build && make recompile && make recompile.

Copilot AI linked an issue Jul 12, 2026 that may be closed by this pull request
…MinVersion TODO

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Copilot AI changed the title [WIP] Bump firewall version to v0.27.30 chore: bump firewall version to v0.27.30 Jul 12, 2026
Copilot finished work on behalf of lpcox July 12, 2026 00:57
Copilot AI requested a review from lpcox July 12, 2026 00:57
@lpcox lpcox marked this pull request as ready for review July 12, 2026 01:01
Copilot AI review requested due to automatic review settings July 12, 2026 01:01
@github-actions

Copy link
Copy Markdown
Contributor

🤖 PR Triage

Field Value
Category chore
Risk 🟢 Low
Score 62/100 (Impact: 28, Urgency: 22, Quality: 12)
Action fast_track

Rationale: Firewall version bump + resolves AWFContainerRuntimeMinVersion TODO. Low-risk version update across 30 lock files. CI status: unknown (draft).

Generated by 🔧 PR Triage Agent · 148.7 AIC · ⌖ 4.43 AIC · ⊞ 5.6K ·

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Bumps gh-aw-firewall from v0.27.29 to v0.27.30, activates gVisor/docker-sbx runtime support, and refreshes generated artifacts.

Changes:

  • Updates firewall and container-runtime minimum versions.
  • Adds v0.27.30 image digests and regenerated locks/goldens.
  • Updates runtime gating and pinning tests.
Show a summary per file
File Description
pkg/constants/version_constants.go Updates firewall version gates.
pkg/workflow/gvisor_test.go Updates gVisor gating expectations.
pkg/workflow/docker_sbx_test.go Preserves old-version rejection coverage.
pkg/workflow/docker_firewall_pin_compile_test.go Updates expected image digests.
pkg/workflow/data/action_pins.json Adds v0.27.30 pins.
pkg/actionpins/data/action_pins.json Adds v0.27.30 pins.
.github/aw/actions-lock.json Adds repository-level pins.
.github/workflows/example-permissions-warning.lock.yml Regenerates workflow output.
.github/workflows/codex-github-remote-mcp-test.lock.yml Regenerates workflow output.
.github/workflows/bot-detection.lock.yml Regenerates workflow output.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden Refreshes firewall output.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden Refreshes firewall output.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden Refreshes firewall output.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden Refreshes firewall output.
pkg/workflow/testdata/TestWasmGolden_AllEngines/pi.golden Refreshes Pi output.
pkg/workflow/testdata/TestWasmGolden_AllEngines/gemini.golden Refreshes Gemini output.
pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden Refreshes Copilot output.
pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden Refreshes Codex output.
pkg/workflow/testdata/TestWasmGolden_AllEngines/claude.golden Refreshes Claude output.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 35/272 changed files
  • Comments generated: 4
  • Review effort level: Medium

// Until then, no released AWF binary accepts containerRuntime, so the compiler must not
// emit the field for workflows pinned to any currently-available version.
const AWFContainerRuntimeMinVersion Version = "v0.28.0"
const AWFContainerRuntimeMinVersion Version = "v0.27.30"
// Until then, no released AWF binary accepts containerRuntime, so the compiler must not
// emit the field for workflows pinned to any currently-available version.
const AWFContainerRuntimeMinVersion Version = "v0.28.0"
const AWFContainerRuntimeMinVersion Version = "v0.27.30"
@@ -73,7 +73,7 @@ const DefaultGitHubMCPServerVersion Version = "v1.5.0"
//
// The first recompile regenerates all lock files using the new version; the second recompile
// refreshes the container SHA pins that were resolved during the first pass.
const DefaultFirewallVersion Version = "v0.27.29"
const DefaultFirewallVersion Version = "v0.27.30"
Comment on lines +167 to +170
`agent=sha256:3cc1e14efa9e52ed1fc29d72a0eabf02ff86b30c6af9685fa9ddd687caca6613`,
`api-proxy=sha256:fdbd94bb668ed736a27c146633842db5c7e658dc7a0d6a0e6011e74e18132785`,
`cli-proxy=sha256:959c876217038ac6f9c2047b591e819e5f1f726625a34490ccdcacaa71d83e4c`,
`squid=sha256:eb74fca5309c7542df0f32aef41b92c728ecef7ac3b0cca9f9a6b97cc324d22a`,
@github-actions

Copy link
Copy Markdown
Contributor

Hey @copilot-swe-agent 👋 — great work on this firewall version bump to v0.27.30! The PR is well-scoped, resolves the long-standing AWFContainerRuntimeMinVersion TODO, updates all six sidecar image SHA pins across both lock files, and keeps the test suite in sync with the new digests. Everything looks ready for review. 🎉

Generated by ✅ Contribution Check · 84.2 AIC · ⌖ 11.2 AIC · ⊞ 6.2K ·

@gh-aw-bot

Copy link
Copy Markdown
Collaborator

pr-sous-chef
@copilot please run the pr-finisher skill, address unresolved review comments, and rerun checks once the branch is up to date.

Unresolved review feedback to address:

Generated by 👨‍🍳 PR Sous Chef · 8.08 AIC · ⌖ 6.67 AIC · ⊞ 7.5K ·
Comment /souschef to run again

- Add containerRuntime property to awf-config.schema.json container object
- Update docs/README/changeset v0.28.0 placeholder → v0.27.30
- Add patch changeset for v0.27.30 firewall bump
- Add agent-act=sha256:d0beee… assertion to docker_firewall_pin_compile_test.go
- Enable schema validation in TestGVisorFrontmatterExtraction

Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>

Copilot AI commented Jul 12, 2026

Copy link
Copy Markdown
Contributor Author

pr-sous-chef
@copilot please run the pr-finisher skill, address unresolved review comments, and rerun checks once the branch is up to date.
...

Addressed all four review threads in commit fix: address review feedback for v0.27.30 bump:

  • Schema (awf-config.schema.json): Added containerRuntime property to the container object so the schema matches the emitted config. Also enabled SetSkipValidation(false) in TestGVisorFrontmatterExtraction to exercise AWF config schema validation going forward.
  • Docs (pkg/constants/README.md, docs/adr/44796-gvisor-runtime-for-agent-containers.md, .changeset/minor-docker-sbx-runtime-support.md): Replaced all v0.28.0 placeholder references with the actual release v0.27.30 and removed pending-release wording.
  • Changeset: Added .changeset/patch-bump-awf-v0-27-30.md covering the v0.27.30 bump and newly active container runtimes.
  • Test coverage: Added agent-act=sha256:d0beee47… entry to the imageTagPart assertions in docker_firewall_pin_compile_test.go.

Copilot AI requested a review from gh-aw-bot July 12, 2026 02:05
@lpcox lpcox requested review from Copilot and removed request for gh-aw-bot July 12, 2026 03:08
@lpcox

lpcox commented Jul 12, 2026

Copy link
Copy Markdown
Collaborator

@copilot run pr-finisher skill

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review details

  • Files reviewed: 37/277 changed files
  • Comments generated: 3
  • Review effort level: Medium

Comment on lines +574 to +575
"type": "string",
"description": "OCI runtime for the agent container. Set to \"gvisor\" to run the agent under gVisor's runsc runtime for additional kernel-level isolation. AWF translates \"gvisor\" to \"runsc\" internally. Requires AWF >= v0.27.30."
// Default version (v0.27.29) predates containerRuntime support.
Firewall: &FirewallConfig{Enabled: true},
// Pin to a version that predates containerRuntime support.
Firewall: &FirewallConfig{Enabled: true, Version: "v0.27.29"},
@@ -364,6 +365,8 @@ func TestDockerSbxValidation_DefaultVersionRejected(t *testing.T) {
Runtime: AgentRuntimeDockerSbx,
NetworkIsolation: false, // sudo: true → NetworkIsolation=false (overridden by isDockerSbxRuntime)
SudoExplicitlyEnabled: true,
// Pin to a version that predates containerRuntime support.
Version: "v0.27.29",
@lpcox lpcox merged commit bc7d2db into main Jul 12, 2026
30 of 31 checks passed
@lpcox lpcox deleted the copilot/chore-bump-firewall-version branch July 12, 2026 03:16
Copilot stopped work on behalf of lpcox due to an error July 12, 2026 03:16
@github-actions

Copy link
Copy Markdown
Contributor

🎉 This pull request is included in a new release.

Release: v0.82.9

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

chore: bump firewall version to v0.27.30

4 participants