Bump pinned CLI and Playwright browser versions #41328
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Pull request overview
This pull request updates the pinned default versions for several agent CLIs (and the Playwright browser image tag) in gh-aw, then refreshes generated workflow artifacts (compiled .lock.yml workflows and WASM golden outputs) so the emitted install steps and run metadata reflect the new defaults.
Changes:
- Bumped default engine/tool pins (Claude Code, GitHub Copilot CLI + SDK, Codex, Pi, Playwright browser) in pkg/constants/version_constants.go.
- Regenerated workflow lock files to embed the new engine versions in metadata/env/install steps.
- Refreshed WASM golden outputs affected by the version metadata changes and added a patch changeset entry.
Show a summary per file
| File | Description |
|---|---|
| pkg/constants/version_constants.go | Updates the canonical default pinned versions used by the compiler/runtime. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden | Refreshes golden output to reflect the new Copilot CLI pin in emitted workflow metadata/install steps. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden | Refreshes golden output to reflect the new Copilot CLI pin. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden | Refreshes golden output to reflect the new Copilot CLI pin in the Playwright CLI-mode fixture output. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden | Refreshes golden output to reflect the new Copilot CLI pin. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/pi.golden | Refreshes golden output to reflect the new Pi CLI pin. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden | Refreshes golden output to reflect the new Copilot CLI pin. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden | Refreshes golden output to reflect the new Codex CLI pin. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/claude.golden | Refreshes golden output to reflect the new Claude Code CLI pin. |
| .github/workflows/video-analyzer.lock.yml | Regenerated lock workflow with updated Copilot CLI pin embedded in metadata/env/install steps. |
| .github/workflows/test-workflow.lock.yml | Regenerated lock workflow with updated Copilot CLI pin embedded in metadata/env/install steps. |
| .github/workflows/test-dispatcher.lock.yml | Regenerated lock workflow with updated Copilot CLI pin embedded in metadata/env/install steps. |
| .github/workflows/smoke-ci.lock.yml | Regenerated lock workflow with updated Copilot CLI pin embedded in metadata/env/install steps. |
| .github/workflows/schema-feature-coverage.lock.yml | Regenerated lock workflow with updated Codex CLI pin embedded in metadata/env/install steps. |
| .github/workflows/research.lock.yml | Regenerated lock workflow with updated Copilot CLI pin embedded in metadata/env/install steps. |
| .github/workflows/lint-monster.lock.yml | Regenerated lock workflow with updated Pi/Copilot pins embedded in metadata/env/install steps. |
| .github/workflows/hourly-ci-cleaner.lock.yml | Regenerated lock workflow with updated Claude Code CLI pin embedded in metadata/env/install steps. |
| .github/workflows/hippo-embed.lock.yml | Regenerated lock workflow with updated Pi pin embedded in metadata/env/install steps. |
| .github/workflows/github-remote-mcp-auth-test.lock.yml | Regenerated lock workflow with updated Copilot CLI pin embedded in metadata/env/install steps. |
| .github/workflows/firewall.lock.yml | Regenerated lock workflow with updated Copilot CLI and Copilot SDK pins embedded in metadata/install steps. |
| .github/workflows/example-permissions-warning.lock.yml | Regenerated lock workflow with updated Copilot CLI pin embedded in metadata/env/install steps. |
| .github/workflows/example-failure-category-filter.lock.yml | Regenerated lock workflow with updated Copilot CLI pin embedded in metadata/env/install steps. |
| .github/workflows/duplicate-code-detector.lock.yml | Regenerated lock workflow with updated Codex CLI pin embedded in metadata/env/install steps. |
| .github/workflows/dev.lock.yml | Regenerated lock workflow with updated Codex CLI pin embedded in metadata/env/install steps. |
| .github/workflows/designer-drift-audit.lock.yml | Regenerated lock workflow with updated Copilot CLI pin embedded in metadata/env/install steps. |
| .github/workflows/daily-team-status.lock.yml | Regenerated lock workflow with updated Copilot CLI pin embedded in metadata/env/install steps. |
| .github/workflows/daily-team-evolution-insights.lock.yml | Regenerated lock workflow with updated Claude Code CLI pin embedded in metadata/env/install steps. |
| .github/workflows/daily-safe-outputs-conformance.lock.yml | Regenerated lock workflow with updated Claude Code CLI pin embedded in metadata/env/install steps. |
| .github/workflows/daily-multi-device-docs-tester.lock.yml | Regenerated lock workflow with updated Pi/Copilot pins embedded in metadata/env/install steps. |
| .github/workflows/daily-malicious-code-scan.lock.yml | Regenerated lock workflow with updated Copilot CLI and Copilot SDK pins embedded in metadata/install steps. |
| .github/workflows/daily-choice-test.lock.yml | Regenerated lock workflow with updated Claude Code CLI pin embedded in metadata/env/install steps. |
| .github/workflows/contribution-check.lock.yml | Regenerated lock workflow with updated Copilot CLI pin embedded in metadata/env/install steps. |
| .github/workflows/commit-changes-analyzer.lock.yml | Regenerated lock workflow with updated Pi/Copilot pins embedded in metadata/env/install steps. |
| .github/workflows/codex-github-remote-mcp-test.lock.yml | Regenerated lock workflow with updated Codex CLI pin embedded in metadata/env/install steps. |
| .github/workflows/bot-detection.lock.yml | Regenerated lock workflow with updated Copilot CLI pin embedded in metadata/env/install steps. |
| .github/workflows/blog-auditor.lock.yml | Regenerated lock workflow with updated Claude Code CLI pin embedded in metadata/env/install steps. |
| .github/workflows/avenger.lock.yml | Regenerated lock workflow with updated Claude Code CLI pin embedded in metadata/env/install steps. |
| .github/workflows/ai-moderator.lock.yml | Regenerated lock workflow with updated Codex CLI pin embedded in metadata/env/install steps. |
| .github/workflows/agentic-token-optimizer.lock.yml | Regenerated lock workflow with updated Copilot CLI pin embedded in metadata/env/install steps. |
| .github/workflows/ace-editor.lock.yml | Regenerated lock workflow with updated Copilot CLI pin embedded in metadata/env/install steps. |
| .changeset/patch-bump-cli-versions-2026-06-24.md | Adds a patch changeset describing the version pin bumps and workflow regeneration. |
Copilot's findings
- Files reviewed: 129/257 changed files
- Comments generated: 0
✅ PR Code Quality Reviewer completed the code quality review.
✅ Design Decision Gate 🏗️ completed the design decision gate check. No ADR enforcement needed: PR #41328 does not have the 'implementation' label and has 54 new lines (≤100 threshold) in business logic directories.
🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅
✅ Test Quality Sentinel completed test quality analysis. No test files were added or modified in this PR. PR #41328 ('Bump pinned CLI and Playwright browser versions') only modifies .lock.yml workflow files and a changeset file. Test Quality Sentinel skipped.
🚀 Smoke Antigravity MISSION COMPLETE! Antigravity has spoken. ✨
✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟
Caution
agentic threat detected
The threat detection engine failed to produce results. Review the workflow run logs for details.
🚀 Smoke Pi MISSION COMPLETE! Pi delivered. 🥧
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨
🚀 Smoke Gemini MISSION COMPLETE! Gemini has spoken. ✨
✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready.
Skills-Based Review 🧠
Applied /zoom-out and /grill-with-docs — approving; the changes are clean, mechanical, and well-executed.
📋 Key Themes & Highlights
Key Themes
- Single source of truth respected: pkg/constants/version_constants.go is the only place versions are pinned; the 251 lock file regenerations and WASM golden updates are fully mechanical downstream outputs.
- Diff cap note: The PR diff was truncated at the 3000-line patch cap, so pkg/constants/version_constants.go and WASM golden files are not visible in the patch. All claimed version values were verified against the current workspace HEAD and match the PR description exactly.
- All 6 bumps are consistent: Claude Code 2.1.191, Copilot CLI 1.0.65, Copilot SDK 1.0.3, Codex 0.142.0, Pi 0.80.2, Playwright Browser v1.61.1 — each is reflected correctly in the source file and cascaded through lock files.
Positive Highlights
- ✅ Clear, well-scoped PR description with before/after version table
- ✅ Correct patch changeset type — version bumps do not change API or behaviour
- ✅ frontmatter_hash/body_hash fields in lock file metadata are correctly unchanged (source workflow markdown was not modified)
- ✅ DefaultPlaywrightCLIVersion (@playwright/cli@0.1.14) correctly left untouched — it is a separate artefact from the Playwright browser image
- ✅ DefaultFirewallVersion and DefaultMCPGatewayVersion correctly excluded — those are managed by a separate release integrator workflow
Minor Observation (non-blocking)
The DefaultCopilotVersion constant carries an inline comment asking reviewers to verify that MCPs still load and that /models does not silently fail on PATs when this version is bumped. The PR description references a "2026-06-24 CLI version audit" as the source of truth — a one-liner confirming those checks passed (e.g. a link to the audit run) would strengthen it for future readers. This is a documentation nit, not a blocker.
🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · 49.9 AIC · ⌖ 9.97 AIC · ⊞ 6.5K
📰 BREAKING: Smoke Copilot - AOAI (apikey) is now investigating this pull request. Sources say the story is developing...
📰 BREAKING: Smoke Copilot - AOAI (Entra) is now investigating this pull request. Sources say the story is developing...
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...
REQUEST_CHANGES — Two blocking issues
This PR is a standard version-bump + recompile, but it has two issues that must be addressed before merging.
### Blocking issues
1. 5 upstream-managed workflow lock files bypassed the required gh aw update path
agentic-token-audit, agentic-token-optimizer, ci-doctor, daily-team-status, and dependabot-repair all have source: frontmatter. AGENTS.md is explicit: do not edit their .lock.yml files directly; use gh aw update instead. Running make recompile over these files propagates local version defaults into provenance-managed artifacts, creating drift risk when upstream is synced later.
2. Copilot CLI version skips 1.0.64 with no explanation and no verification evidence
The DefaultCopilotVersion godoc explicitly requires verifying MCP loading and PAT-auth /models behavior on every upgrade. The PR description claims this was a verified audit but documents no test results. The unexplained skip of 1.0.64 also needs justification — either it was pulled (document that), or the wrong version was targeted.
Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
patchdiff.githubusercontent.com
To allow these domains, add them to the network.allowed list in your workflow frontmatter:
network:
  allowed:
    - defaults
    - "patchdiff.githubusercontent.com"
See Network Configuration for more information.
🔎 Code quality review by PR Code Quality Reviewer · 98.2 AIC · ⌖ 7.24 AIC · ⊞ 5.2K
| @@ -1,4 +1,4 @@ | |||
| # gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"694d3215fb3d93a3860b3a3507ad4ced97afe10fc3b3a63eb2ac56ad89ebd911","body_hash":"e726cff2ea2023104a27d810546982d0027ef4fb3a025a37236e1605cac29d62","strict":true,"agent_id":"copilot","engine_versions":{"copilot":"1.0.63"}} | |||
| # gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"694d3215fb3d93a3860b3a3507ad4ced97afe10fc3b3a63eb2ac56ad89ebd911","body_hash":"e726cff2ea2023104a27d810546982d0027ef4fb3a025a37236e1605cac29d62","strict":true,"agent_id":"copilot","engine_versions":{"copilot":"1.0.65"}} | |||
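Review bot: The only field that differs between the removed and added header line is engine_versions.copilot (1.0.63 to 1.0.65); frontmatter_hash and body_hash are identical on both lines, so this is a compiler-default change and the header alone cannot show whether this lock file is one that should be regenerated locally. Suggest confirming how the source workflow for this lock file is managed before accepting the recompiled header, and stating in the PR why the pin moves two patch numbers in one step.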
5 upstream-managed workflow lock files were directly modified, bypassing the gh aw update provenance path required by AGENTS.md.
💡 Details and required fix
The following .lock.yml files belong to workflows with a source: frontmatter declaration (provenance-managed from githubnext/agentic-ops@c611242a...), which AGENTS.md marks as read-only in this repo:
- .github/workflows/agentic-token-audit.lock.yml
- .github/workflows/agentic-token-optimizer.lock.yml
- .github/workflows/ci-doctor.lock.yml
- .github/workflows/daily-team-status.lock.yml
- .github/workflows/dependabot-repair.lock.yml
All five had their engine_versions.copilot bumped from 1.0.63 → 1.0.65 via make recompile.
Policy violation: AGENTS.md states:
Do not manually edit their generated .lock.yml files.
To change these workflows, use the approved update path: run gh aw update...
Risk: When gh aw update is run next, the upstream bundle's engine version pins will silently overwrite these changes. The upstream source may pin these workflows to a different Copilot CLI version, causing provenance drift between this repo and the upstream.
Fix: Revert the 5 upstream-managed lock files to their pre-PR state. Use gh aw update to propagate version changes that should apply to them.
|
|
||
| // DefaultCopilotVersion is the default version of the GitHub Copilot CLI. | ||
| // | ||
| // When unpinning or upgrading this version, verify: | ||
| // - MCPs are not blocked from loading (tools.mcp configuration still works end-to-end) | ||
| // - /models does not silently fail on PATs (check that model listing works with PAT auth) | ||
| const DefaultCopilotVersion Version = "1.0.63" | ||
| const DefaultCopilotVersion Version = "1.0.65" |
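Review bot: The value on the last line changes from 1.0.63 to 1.0.65 while the checklist in the comment above it is left as-is, and nothing in the hunk records that either check (MCP loading, /models with PAT auth) was run for the new pin. Suggest recording the result where the next reader will find it, for example a line in this comment naming the version last verified and where the evidence lives, and noting why 1.0.64 is not the target.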
Copilot CLI skips version 1.0.64 (1.0.63 → 1.0.65), and the constant's own godoc lists mandatory verification steps that are unaddressed in this PR.
💡 Why this matters
The godoc comment on this constant is unusually explicit:
// When unpinning or upgrading this version, verify:
// - MCPs are not blocked from loading (tools.mcp configuration still works end-to-end)
// - /models does not silently fail on PATs (check that model listing works with PAT auth)
These requirements exist because the Copilot CLI version directly controls two production-critical behaviors across all ~252 generated workflows. This PR skips 1.0.64 entirely with no explanation. Either:
- 1.0.64 was pulled/had a known regression — this should be documented in the PR and ideally in a comment on the constant.
- The skip was accidental — in which case the wrong target version was bumped to.
The PR description says "latest verified releases from the 2026-06-24 CLI version audit" but provides no explicit confirmation that the MCP loading and PAT-auth /models checks were run against 1.0.65. For a two-version jump with a documented compatibility checklist, this evidence is required before merging.
Required: State in the PR whether 1.0.64 was intentionally skipped (and why), and confirm the MCP/PAT checks were performed for 1.0.65.
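An added example, not part of this PR or of the gh-aw code base: a Go check that reads the old and new gh-aw-metadata header lines quoted in the review above and reports, per engine, whether the change is pin-only (source hashes unchanged) and how many patch numbers were jumped over. The function and type names are hypothetical, and the skipped-patch count is a heuristic that assumes patch releases are numbered contiguously.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

const prefix = "# gh-aw-metadata: "
// Constructed from the two header lines quoted above; %s is the copilot pin.
const sampleTmpl = prefix + `{"schema_version":"v4","frontmatter_hash":"694d3215fb3d93a3860b3a3507ad4ced97afe10fc3b3a63eb2ac56ad89ebd911","body_hash":"e726cff2ea2023104a27d810546982d0027ef4fb3a025a37236e1605cac29d62","strict":true,"agent_id":"copilot","engine_versions":{"copilot":"%s"}}`

func sampleHeader(pin string) string { return fmt.Sprintf(sampleTmpl, pin) }

// Metadata holds the header fields this check reads; other fields are ignored.
type Metadata struct {
	FrontmatterHash string            `json:"frontmatter_hash"`
	BodyHash        string            `json:"body_hash"`
	EngineVersions  map[string]string `json:"engine_versions"`
}

// Finding describes one engine pin that differs between two headers.
type Finding struct {
	Old, New       string
	PinOnly        bool // source hashes equal: only the compiled-in default moved
	SkippedPatches int  // patch numbers jumped over (assumes contiguous releases)
}

// ParseHeader decodes the JSON payload of a lock file's metadata comment line.
func ParseHeader(line string) (m Metadata, err error) {
	if !strings.HasPrefix(line, prefix) {
		return m, fmt.Errorf("not a gh-aw-metadata header")
	}
	err = json.Unmarshal([]byte(line[len(prefix):]), &m)
	return m, err
}

// skipped counts patch numbers strictly between two x.y.z pins with equal x.y.
func skipped(oldV, newV string) int {
	var o, n [3]int
	_, e1 := fmt.Sscanf(strings.TrimPrefix(oldV, "v"), "%d.%d.%d", &o[0], &o[1], &o[2])
	_, e2 := fmt.Sscanf(strings.TrimPrefix(newV, "v"), "%d.%d.%d", &n[0], &n[1], &n[2])
	if e1 != nil || e2 != nil || o[0] != n[0] || o[1] != n[1] || n[2]-o[2] < 2 {
		return 0
	}
	return n[2] - o[2] - 1
}

// Compare returns the engine pins that changed between two header lines.
func Compare(oldLine, newLine string) (map[string]Finding, error) {
	o, errOld := ParseHeader(oldLine)
	n, errNew := ParseHeader(newLine)
	if errOld != nil || errNew != nil {
		return nil, fmt.Errorf("old: %v, new: %v", errOld, errNew)
	}
	pinOnly := o.FrontmatterHash == n.FrontmatterHash && o.BodyHash == n.BodyHash
	out := map[string]Finding{}
	for engine, nv := range n.EngineVersions {
		if ov := o.EngineVersions[engine]; ov != nv {
			out[engine] = Finding{ov, nv, pinOnly, skipped(ov, nv)}
		}
	}
	return out, nil
}

func main() { fmt.Println(Compare(sampleHeader("1.0.63"), sampleHeader("1.0.65"))) }
```

A pin-only finding on a lock file that is managed from an upstream source is the case the review flags; a non-zero skipped count is a prompt to ask for the reason, not proof that a release exists.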
Overview
Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
network:
  allowed:
    - defaults
    - "proxy.golang.org"
See Network Configuration for more information.
Agent Container Tool Check
Result: 12/12 tools available ✅ Overall Status: PASS
Smoke Test: Gemini Results
Overall Status: FAIL
Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
network:
  allowed:
    - defaults
    - "localhost"
See Network Configuration for more information.
Caution
agentic threat detected
The threat detection engine failed to produce results. Review the workflow run logs for details.
Comment Memory
Note
This comment is managed by comment memory. It stores persistent context for this thread in the code block at the top of this comment.
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"
See Network Configuration for more information.
@copilot review all comments and address unresolved review feedback.
@copilot summarize the remaining blockers and the next step to unblock this PR.
Smoke Test Summary
Test1:✅
Test2:❌
Test3:❌
Test4:✅
Test5:✅
Test6:✅
Overall: FAIL
@app/copilot-swe-agent
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"
See Network Configuration for more information.
💥 Smoke Test: Claude — Run 28140379546
Core #1-12: 1✅ 2✅ 3✅ 4✅ 5❌(Tavily MCP no tools) 6✅ 7✅ 8✅ 9✅ 10✅ 11✅ 12✅
Overall: FAIL — Tavily MCP server exposed empty tool list. All other tests passed.
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"
See Network Configuration for more information.
💥 Automated smoke test review - all systems nominal!
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
- accounts.google.com
- android.clients.google.com
- clients2.google.com
- contentautofill.googleapis.com
- safebrowsingohttpgateway.googleapis.com
- www.google.com
To allow these domains, add them to the network.allowed list in your workflow frontmatter:
network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"
See Network Configuration for more information.
💥 [THE END] — Illustrated by Smoke Claude · 108.4 AIC · ⌖ 42.9 AIC · ⊞ 8.7K
| @@ -0,0 +1,5 @@ | |||
| --- | |||
| "gh-aw": patch | |||
Smoke test review: clear patch-level changeset entry — version bump correctly scoped. ✅
| "gh-aw": patch | ||
| --- | ||
|
|
||
| Bump default CLI versions: Claude Code 2.1.191, Copilot CLI 1.0.65, Copilot SDK 1.0.3, Codex 0.142.0, Pi 0.80.2, Playwright Browser v1.61.1. Recompile all 251 workflows. |
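Review bot: The changeset body on the last line names only the target versions and folds "Recompile all 251 workflows" into the same entry, so a reader of the release notes cannot tell what each pin moved from or which generated files are in scope. Suggest giving the previous pins (at least Copilot CLI, 1.0.63 to 1.0.65) and putting the recompile statement in its own sentence.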
Smoke test review: consider listing recompiled workflow count separately for readability. 💥
PR titles:
Warning
Firewall blocked 5 domains
The following domains were blocked by the firewall during workflow execution:
network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"
See Network Configuration for more information.
Comment Memory
Note
This comment is managed by comment memory. It stores persistent context for this thread in the code block at the top of this comment.
Warning
Firewall blocked 5 domains
The following domains were blocked by the firewall during workflow execution:
network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"
See Network Configuration for more information.
Smoke tooling exercised the inline review path.
Warning
Firewall blocked 5 domains
The following domains were blocked by the firewall during workflow execution:
- accounts.google.com
- clients2.google.com
- contentautofill.googleapis.com
- safebrowsingohttpgateway.googleapis.com
- www.google.com
To allow these domains, add them to the network.allowed list in your workflow frontmatter:
network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"
See Network Configuration for more information.
📰 BREAKING: Report filed by Smoke Copilot · 379.1 AIC · ⌖ 19.3 AIC · ⊞ 18.9K
Smoke Test Run 28140407796 Results:
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"
See Network Configuration for more information.
This updates the stale tool pins in pkg/constants/version_constants.go to the latest verified releases from the 2026-06-24 CLI version audit. The change also refreshes generated workflow outputs that embed those defaults.
Version pins
- 2.1.185 → 2.1.191
- 1.0.63 → 1.0.65
- 1.0.2 → 1.0.3
- 0.141.0 → 0.142.0
- 0.79.9 → 0.80.2
- v1.61.0 → v1.61.1
Generated workflow updates
.lock.yml files so embedded install steps and runtime metadata reflect the new pinned versions.
Golden output refresh
Release note
✨ PR Review Safe Output Test - Run 28140379546
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
- accounts.google.com
- android.clients.google.com
- clients2.google.com
- contentautofill.googleapis.com
- safebrowsingohttpgateway.googleapis.com
- www.google.com
See Network Configuration for more information.