Skip to content

fix: pin network-isolation-test to concrete release tags#5495

Open
lpcox wants to merge 7 commits into
mainfrom
fix/network-isolation-test-version
Open

fix: pin network-isolation-test to concrete release tags#5495
lpcox wants to merge 7 commits into
mainfrom
fix/network-isolation-test-version

Conversation

@lpcox

@lpcox lpcox commented Jun 24, 2026

Copy link
Copy Markdown
Collaborator

Problem

The network-isolation-test workflow (run 28112343145) failed at Install AWF binary with:

Downloading checksums from '.../releases/download/latest/checksums.txt'...
curl: (22) The requested URL returned error: 404

The frontmatter pinned firewall + mcpg to "latest". While GHCR images support a :latest tag, install_awf_binary.sh treats the version as a literal GitHub release tag and builds releases/download/latest/checksums.txt — but there is no release tagged latest (releases are versioned tags with one flagged Latest), so it 404s.

Fix

Pin to concrete latest tags:

  • firewall v0.27.10
  • mcpg v0.3.30

Verified to resolve:

  • releases/download/v0.27.10/checksums.txt → 200
  • GHCR agent/api-proxy/squid 0.27.10 and gh-aw-mcpg v0.3.30 manifests → 200

Recompiled with gh aw v0.81.2 and re-ran the postprocess script. actions-lock.json left intact (keeps both v0.81.0 entries used by 43 other locks and the v0.81.2 entry).

Co-authored-by: Copilot 223556219+Copilot@users.noreply.github.com

@lpcox
fix: pin network-isolation-test to concrete release tags
707dffd 
The workflow pinned firewall and mcpg to "latest", but install_awf_binary.sh
treats the version as a literal release tag and builds
releases/download/latest/checksums.txt, which 404s (there is no GitHub release
tagged "latest"). The run failed at the Install AWF binary step with curl exit
code 22.

Pin to concrete latest tags instead: firewall v0.27.10 and mcpg v0.3.30. The
binary download and all GHCR image tags (agent/api-proxy/squid 0.27.10,
gh-aw-mcpg v0.3.30) were verified to resolve.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings June 24, 2026 16:13
@github-actions

github-actions Bot commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

✅ Coverage Check Passed

Overall Coverage

Metric Base PR Delta
Lines 98.10% 98.14% 📈 +0.04%
Statements 98.03% 98.07% 📈 +0.04%
Functions 99.52% 99.52% ➡️ +0.00%
Branches 93.81% 93.81% ➡️ +0.00%
📁 Per-file Coverage Changes (1 files)
File Lines (Before → After) Statements (Before → After)
src/workdir-setup.ts 92.7% → 94.5% (+1.82%) 92.7% → 94.5% (+1.82%)

Coverage comparison generated by scripts/ci/compare-coverage.ts

Copilot AI reviewed Jun 24, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Pins the network-isolation-test agentic workflow to concrete AWF + MCP gateway versions to avoid failures caused by treating "latest" as a literal GitHub release tag, and updates the compiled lock workflow accordingly.

Changes:

  • Update network-isolation-test.md frontmatter to pin MCP (v0.3.30) and AWF (v0.27.10) versions.
  • Regenerate network-isolation-test.lock.yml to use versioned GHCR image tags and a versioned schema URL (no /releases/latest/...).
  • Update the lock workflow’s AWF installation path to build/install awf from the checked-out repo rather than downloading a release artifact.
Show a summary per file
File Description
.github/workflows/network-isolation-test.md Pins MCP and AWF versions in the workflow source frontmatter.
.github/workflows/network-isolation-test.lock.yml Updates compiled workflow to use pinned tags/schema URL and reflects the new AWF install/build steps.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 2/2 changed files
  • Comments generated: 2

Comment thread .github/workflows/network-isolation-test.lock.yml Outdated
Comment on lines +1 to +2
# gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"1685e6c91573ab3867f9ec0638718b699d8e280b161b52603a1b822c1be72ad9","body_hash":"83aaa4742f377ca9a8a6e368cafea82d3d2dde9a353e329dcdbaaa49a72d3891","compiler_version":"v0.81.2","agent_id":"copilot","agent_model":"claude-haiku-4-5","engine_versions":{"copilot":"1.0.63"}}
# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"27d5ce7f107fe9357f9df03efb73ab90386fccae","version":"v5.0.5"},{"repo":"actions/cache/restore","sha":"2c8a9bd7457de244a408f35966fab2fb45fda9c8","version":"v6.0.0"},{"repo":"actions/cache/save","sha":"2c8a9bd7457de244a408f35966fab2fb45fda9c8","version":"v6.0.0"},{"repo":"actions/checkout","sha":"9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0","version":"v7.0.0"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"b5cde6c5013569c8b0229dd2d7ffd63eaf2c9ad2","version":"v0.81.2"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.27.10"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.27.10"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.27.10"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.30"},{"image":"ghcr.io/github/gh-aw-node","digest":"sha256:529d02eb970b1161aa25c593a9c3df57fdfad5a8add328cb3b6eccef66f3183b","pinned_image":"ghcr.io/github/gh-aw-node@sha256:529d02eb970b1161aa25c593a9c3df57fdfad5a8add328cb3b6eccef66f3183b"},{"image":"ghcr.io/github/github-mcp-server:v1.4.0","digest":"sha256:2afb26356481d1a350e14544a6e160f7f7ec1561a1ea309b823665abf0309036","pinned_image":"ghcr.io/github/github-mcp-server:v1.4.0@sha256:2afb26356481d1a350e14544a6e160f7f7ec1561a1ea309b823665abf0309036"}]}
Comment thread .github/workflows/network-isolation-test.lock.yml Outdated
Comment on lines +465 to +474
- name: Setup Node.js
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: '24'
package-manager-cache: false
- name: Install awf dependencies
run: npm ci
- name: Build awf
run: npm run build
- name: Install awf binary (local)
@lpcox
fix: raise network-isolation-test turn budget to avoid hard-cap 403
875f522 
Run 28112808921 failed: the Copilot api-proxy returned a non-retryable 403
on the agent's LLM call. Root cause was the maxRuns hard cap (derived from
max-turns) — api-proxy guards return 403 once AWF_MAX_RUNS is exceeded
(containers/api-proxy/guards/common-guard-checks.js:84). With max-turns: 5 the
agent exhausted its budget inspecting awf (which/--version/--help) before
finishing the two curl egress checks.

Raise max-turns 5 -> 15 (maxRuns 15) and instruct the agent to run the two
curl commands directly without introspecting the awf binary.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions

github-actions Bot commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

✅ Copilot review passed with no inline comments.

@lpcox Add the ready-for-aw label to this PR to trigger agentic CI smoke tests.

@lpcox
test: drop sudo from network-isolation lock (keep artifact-upload only)
99db085 
Manual lock edit to validate rootless network-isolation: removes sudo from
the awf binary install (tee/chmod) and the awf invocation, keeping only the
artifact-upload chmod. Note: regenerated by gh aw compile / postprocess.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@lpcox lpcox mentioned this pull request Jun 24, 2026
Open
6 tasks
Copilot AI mentioned this pull request Jun 24, 2026
Merged
lpcox and others added 4 commits June 24, 2026 14:58
@lpcox
chore: recompile network-isolation-test lock with gh-aw main (rootless)
385027a 
Recompiled with `gh-aw compile --gh-aw-ref main`, producing a fully
rootless lock: install_awf_binary.sh v0.27.10 --rootless (no sudo),
digest-pinned container images, and gh-aw-main setup action.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@lpcox
chore: pin setup action to gh-aw rootless-install fix
b12b37d 
Recompile against gh-aw branch fix/rootless-awf-install-user-prefix
(c2d22aa3ac) so the rootless install writes awf to a user-writable
$HOME/.local prefix and exports it to $GITHUB_PATH, fixing the
"--rootless requires write access to /usr/local/lib/awf" failure on
standard ubuntu-latest runners.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@lpcox
fix: exclude network-isolation-test from postprocess (release-mode)
bbe2440 
The network-isolation smoke test intentionally exercises the PUBLISHED awf
binary (rootless bundle install) and pinned GHCR container images. Postprocess
was rewriting --skip-pull -> --build-local, which the standalone awf bundle
rejects ("--build-local requires a full repository checkout"). Add a
release-mode exclusion set so this lock keeps the raw compiled output:
rootless install + --skip-pull with pre-downloaded pinned images.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@lpcox
Merge remote-tracking branch 'origin/main' into fix/network-isolation…
d24fb24 
…-test-version
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@lpcox