chore: Upgrade agentic workflows to gh-aw v0.65.3#3007
Merged
Conversation
Upgrade all 31 agentic workflows from v0.64.5 to v0.65.3 using `gh aw upgrade`. Actions updated (22 total): - github/gh-aw-actions/setup: v0.64.5 → v0.65.3 - github/gh-aw-actions/setup-cli: v0.64.5 → v0.65.3 - github/gh-aw/actions/setup: v0.64.2 → v0.65.3 - actions/checkout: v4/v5 → v6.0.2 - actions/upload-artifact: v4/v5 → v7.0.0 - actions/setup-go: v6/v6.3.0 → v6.4.0 - anchore/sbom-action: v0.20.10 → v0.24.0 - docker/setup-buildx-action: v3 → v4.0.0 - docker/build-push-action: v6 → v7.0.0 - docker/setup-qemu-action: v3 → v4.0.0 - docker/login-action: v3 → v4.0.0 - astral-sh/setup-uv: v7.6.0 → v8.0.0 - erlef/setup-beam: v1.23.0 → v1.24.0 - github/stale-repos: v9.0.5 → v9.0.6 - super-linter/super-linter: v8.5.0 → v8.6.0 No codemods needed. All workflows compile successfully. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Upgrades the repository’s agentic workflow infrastructure to gh-aw v0.65.3 by refreshing the shared agent configuration, updating the pinned action lock map, and recompiling all workflow .lock.yml artifacts to the new compiler output.
Changes:
- Bumped gh-aw compiler references from v0.64.5 to v0.65.3 across compiled workflow lock files and added the new compile-version check step.
- Updated
.github/aw/actions-lock.jsonwith new pinned action versions/SHAs used by gh-aw workflows. - Updated the agent descriptor (
.github/agents/agentic-workflows.agent.md) to reference the v0.65.3 upstream documentation/prompt templates.
Reviewed changes
Copilot reviewed 33 out of 33 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| .github/agents/agentic-workflows.agent.md | Updates upstream gh-aw documentation/prompt links to v0.65.3. |
| .github/aw/actions-lock.json | Refreshes pinned GitHub Action versions/SHAs for gh-aw compilation/runtime. |
| .github/workflows/daily-compliance-checker.lock.yml | Recompiled with gh-aw v0.65.3; updates pinned actions/scripts and adds compile-version check. |
| .github/workflows/duplicate-code-detector.lock.yml | Recompiled with gh-aw v0.65.3; updates pinned actions/scripts and adds compile-version check. |
| .github/workflows/gateway-issue-dispatcher.lock.yml | Recompiled with gh-aw v0.65.3; updates pinned actions/scripts and adds compile-version check. |
| .github/workflows/ghcr-download-tracker.lock.yml | Recompiled with gh-aw v0.65.3; updates pinned actions/scripts and adds compile-version check. |
| .github/workflows/github-mcp-guard-coverage-checker.lock.yml | Recompiled with gh-aw v0.65.3; updates pinned actions/scripts and adds compile-version check. |
| .github/workflows/go-fan.lock.yml | Recompiled with gh-aw v0.65.3; updates pinned actions/scripts and adds compile-version check. |
| .github/workflows/go-logger.lock.yml | Recompiled with gh-aw v0.65.3; updates pinned actions/scripts and adds compile-version check. |
| .github/workflows/gpl-dependency-checker.lock.yml | Recompiled with gh-aw v0.65.3; updates pinned actions/scripts and adds compile-version check. |
| .github/workflows/guard-status-tracker.lock.yml | Recompiled with gh-aw v0.65.3; updates pinned actions/scripts and adds compile-version check. |
| .github/workflows/integrity-filtering-audit.lock.yml | Recompiled with gh-aw v0.65.3; updates pinned actions/scripts and adds compile-version check. |
| .github/workflows/issue-monster.lock.yml | Recompiled with gh-aw v0.65.3; updates pinned actions/scripts and adds compile-version check. |
| .github/workflows/large-payload-tester.lock.yml | Recompiled with gh-aw v0.65.3; updates pinned actions/scripts and adds compile-version check. |
| .github/workflows/mcp-gateway-log-analyzer.lock.yml | Recompiled with gh-aw v0.65.3; updates pinned actions/scripts and adds compile-version check. |
| .github/workflows/nightly-docs-reconciler.lock.yml | Recompiled with gh-aw v0.65.3; updates pinned actions/scripts and adds compile-version check. |
| .github/workflows/nightly-schema-updater.lock.yml | Recompiled with gh-aw v0.65.3; updates pinned actions/scripts and adds compile-version check. |
| .github/workflows/nightly-workflow-compiler.lock.yml | Recompiled with gh-aw v0.65.3; updates pinned actions/scripts and adds compile-version check. |
| .github/workflows/plan.lock.yml | Recompiled with gh-aw v0.65.3; updates pinned actions/scripts and adds compile-version check. |
| .github/workflows/release.lock.yml | Recompiled with gh-aw v0.65.3; updates pinned actions/scripts and adds compile-version check. |
| .github/workflows/repo-assist.lock.yml | Recompiled with gh-aw v0.65.3; updates pinned actions/scripts and adds compile-version check. |
| .github/workflows/rust-guard-improver.lock.yml | Recompiled with gh-aw v0.65.3; updates pinned actions/scripts and adds compile-version check. |
| .github/workflows/semantic-function-refactor.lock.yml | Recompiled with gh-aw v0.65.3; updates pinned actions/scripts and adds compile-version check. |
| .github/workflows/smoke-allowonly.lock.yml | Recompiled with gh-aw v0.65.3; updates pinned actions/scripts and adds compile-version check. |
| .github/workflows/smoke-copilot.lock.yml | Recompiled with gh-aw v0.65.3; updates pinned actions/scripts and adds compile-version check. |
| .github/workflows/smoke-proxy-github-script.lock.yml | Recompiled with gh-aw v0.65.3; updates pinned actions/scripts and adds compile-version check. |
| .github/workflows/smoke-safeoutputs-discussions.lock.yml | Recompiled with gh-aw v0.65.3; updates pinned actions/scripts and adds compile-version check. |
| .github/workflows/smoke-safeoutputs-issues.lock.yml | Recompiled with gh-aw v0.65.3; updates pinned actions/scripts and adds compile-version check. |
| .github/workflows/smoke-safeoutputs-labels.lock.yml | Recompiled with gh-aw v0.65.3; updates pinned actions/scripts and adds compile-version check. |
| .github/workflows/smoke-safeoutputs-prs.lock.yml | Recompiled with gh-aw v0.65.3; updates pinned actions/scripts and adds compile-version check. |
| .github/workflows/smoke-safeoutputs-reviews.lock.yml | Recompiled with gh-aw v0.65.3; updates pinned actions/scripts and adds compile-version check. |
| .github/workflows/test-coverage-improver.lock.yml | Recompiled with gh-aw v0.65.3; updates pinned actions/scripts and adds compile-version check. |
| .github/workflows/test-improver.lock.yml | Recompiled with gh-aw v0.65.3; updates pinned actions/scripts and adds compile-version check. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Update all 31 lock files: - gh-aw-mcpg: v0.2.10 → v0.2.11 - gh-aw-firewall/squid: 0.25.5 → 0.25.6 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
lpcox
added a commit
that referenced
this pull request
Apr 1, 2026
The previous upgrade PR (#3007) bumped squid and --image-tag to 0.25.6 but left agent and api-proxy at 0.25.5. AWF uses --image-tag for all firewall containers, so it looks for api-proxy:0.25.6 which was never pre-pulled, causing: No such image: ghcr.io/github/gh-aw-firewall/api-proxy:0.25.6 This broke all workflows dispatched from main since the merge. Fixes #3011 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
lpcox
added a commit
that referenced
this pull request
Apr 1, 2026
## Problem PR #3007 bumped `squid` and `--image-tag` to `0.25.6` but left `agent` and `api-proxy` at `0.25.5`. AWF uses `--image-tag` for **all** firewall containers, so it looks for `api-proxy:0.25.6` which was never pre-pulled: ``` No such image: ghcr.io/github/gh-aw-firewall/api-proxy:0.25.6 ``` This broke every workflow dispatched from main since the merge, including the Gateway Issue Dispatcher (#3011). ## Fix Bump `agent` and `api-proxy` from `0.25.5` → `0.25.6` across all 31 lock files, matching `squid` and `--image-tag`. Fixes #3011
This was referenced Apr 1, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Upgraded all agentic workflows from gh-aw v0.64.5 to v0.65.3.
Upgrade Method
Used
gh aw upgradewhich automatically:actions-lock.jsonActions Updated (22 total)
github/gh-aw-actions/setupgithub/gh-aw-actions/setup-cligithub/gh-aw/actions/setupactions/checkoutactions/upload-artifactactions/setup-goanchore/sbom-actiondocker/setup-buildx-actiondocker/build-push-actiondocker/setup-qemu-actiondocker/login-actionastral-sh/setup-uverlef/setup-beamgithub/stale-repossuper-linter/super-linterCompilation Results
github-mcp-guard-coverage-checker.mdmissingpull-requests: readforpull_requeststoolset (pre-existing)smoke-safeoutputs-discussions.mddiscussion category normalized to lowercase (cosmetic)Files Changed
.lock.ymlfiles recompiled.github/agents/agentic-workflows.agent.mdupdated.github/aw/actions-lock.jsonupdated