chore: set sandbox.agent.sudo: false on 30% of agentic workflows#41380
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
✅ Test Quality Sentinel completed test quality analysis. No test files were added or modified in this PR. Test Quality Sentinel skipped. PR #41380 only modifies .github/workflows/*.lock.yml and .github/workflows/*.md files (sandbox.agent.sudo configuration changes).
🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅
✅ PR Code Quality Reviewer completed the code quality review.
✅ Design Decision Gate 🏗️ completed the design decision gate check. No ADR enforcement needed: PR does not have the 'implementation' label and has ≤100 new lines of code in business logic directories.
Pull request overview
This PR updates a subset of agentic workflow sources to run with sandbox.agent.sudo: false, which (per gh-aw’s sandbox semantics) enables the network-isolation/rootless execution path for AWF. It also includes regenerated .lock.yml artifacts from recompilation so the emitted Actions YAML matches the updated sandbox configuration.
Changes:
- Flip `sandbox.agent.sudo` from `true` → `false` across the selected workflow `.md` sources.
- Regenerate the corresponding `.lock.yml` files (reflecting rootless AWF invocation and network-isolation topology where applicable).
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/weekly-safe-outputs-spec-review.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/weekly-blog-post-writer.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/unbloat-docs.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/typist.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/test-project-url-default.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/test-project-url-default.lock.yml | Regenerated lock output reflecting rootless / isolation-mode runtime behavior. |
| .github/workflows/super-linter.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/static-analysis-report.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/spec-librarian.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/smoke-workflow-call-with-inputs.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/smoke-service-ports.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/smoke-opencode.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/smoke-opencode.lock.yml | Regenerated lock output reflecting rootless / isolation-mode runtime behavior. |
| .github/workflows/smoke-copilot.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/smoke-copilot-aoai-entra.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/smoke-claude-on-copilot.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/smoke-antigravity.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/smoke-agent-public-approved.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/skillet.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/security-compliance.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/schema-consistency-checker.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/schema-consistency-checker.lock.yml | Regenerated lock output reflecting rootless / isolation-mode runtime behavior. |
| .github/workflows/repository-quality-improver.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/refiner.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/python-data-charts.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/pr-nitpick-reviewer.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/poem-bot.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/poem-bot.lock.yml | Regenerated lock output reflecting rootless / isolation-mode runtime behavior. |
| .github/workflows/outcome-collector.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/mergefest.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/lockfile-stats.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/jsweep.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/instructions-janitor.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/grumpy-reviewer.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/grumpy-reviewer.lock.yml | Regenerated lock output reflecting rootless / isolation-mode runtime behavior. |
| .github/workflows/glossary-maintainer.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/github-mcp-structural-analysis.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/example-workflow-analyzer.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/discussion-task-miner.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/dev.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/deployment-incident-monitor.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/dead-code-remover.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/daily-testify-uber-super-expert.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/daily-skill-optimizer.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/daily-skill-optimizer.lock.yml | Regenerated lock output reflecting rootless / isolation-mode runtime behavior. |
| .github/workflows/daily-security-observability.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/daily-safe-outputs-conformance.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/daily-rendering-scripts-verifier.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/daily-observability-report.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/daily-model-resolution.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/daily-malicious-code-scan.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/daily-malicious-code-scan.lock.yml | Regenerated lock output reflecting rootless / isolation-mode runtime behavior. |
| .github/workflows/daily-geo-optimizer.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/daily-file-diet.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/daily-doc-healer.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/daily-compiler-quality.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/daily-cli-performance.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/daily-byok-ollama-test.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/daily-byok-ollama-test.lock.yml | Regenerated lock output reflecting rootless / isolation-mode runtime behavior. |
| .github/workflows/daily-astrostylelite-markdown-spellcheck.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/daily-agent-of-the-day-blog-writer.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/copilot-pr-prompt-analysis.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/copilot-opt.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/constraint-solving-potd.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/constraint-solving-potd.lock.yml | Regenerated lock output reflecting rootless / isolation-mode runtime behavior. |
| .github/workflows/code-scanning-fixer.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/cli-consistency-checker.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/cli-consistency-checker.lock.yml | Regenerated lock output reflecting rootless / isolation-mode runtime behavior. |
| .github/workflows/changeset.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/blog-auditor.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/auto-triage-issues.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/archie.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/ai-moderator.md | Set sandbox.agent.sudo: false for this workflow. |
| .github/workflows/ab-testing-advisor.md | Set sandbox.agent.sudo: false for this workflow. |
Copilot's findings
- Files reviewed: 88/128 changed files
- Comments generated: 0
Review: chore: set sandbox.agent.sudo: false (post-merge)
PR already merged. Two findings worth tracking.
Finding 1 (medium): De-escalation is incomplete — threat detection still runs with sudo
The sandbox.agent.sudo: false flag only affects the main agent AWF invocation. Each affected lock file still contains a second sudo -E awf --enable-host-access --allow-host-ports 80,443,8080 call in the threat-detection sub-job (~line 1475 in ab-testing-advisor.lock.yml). All 64 'de-escalated' workflows retain root execution in that step. Whether intentional (threat detection may require root) or a compiler gap, the PR description should be explicit.
Finding 2 (medium): Lock file changes are far broader than sudo: true → false
The compiler translates sudo: false into: rootless AWF binary install, Docker bridge networking for MCP gateway (replacing --network host), GH_AW_NETWORK_ISOLATION: 'true', topology attachment, and removal of --enable-host-access. The PR description only mentions the frontmatter flip. This gap matters for incident diagnosis — a workflow regression in networking or MCP connectivity can now be traced back to this PR, but won't be obvious from the description.
Finding 3 (low): Stale host.docker.internal in allowDomains
The AWF config JSON still lists host.docker.internal in allowDomains, but the new bridge networking removes --add-host host.docker.internal:127.0.0.1 from the MCP gateway container. The entry is harmless but misleading to future auditors.
🔎 Code quality review by PR Code Quality Reviewer · 82.6 AIC · ⌖ 7 AIC · ⊞ 5.2K
Comments that could not be inline-anchored
.github/workflows/ab-testing-advisor.lock.yml:1475
Secondary sudo -E awf invocation (threat detection) was not removed: sandbox.agent.sudo: false only de-escalated the main agent job — the threat-detection sub-job at this line still invokes sudo -E awf --enable-host-access --allow-host-ports 80,443,8080, meaning root execution persists in all 64 affected workflows.
<details>
<summary>💡 Detail</summary>
The main agent AWF invocation (line ~862) was updated to rootless. The threat-detection job (lines ~1435–1490) was compiled separat…
</details>
.github/workflows/ab-testing-advisor.md:78
The compiled lock files contain far more than a sudo flag flip: setting sudo: false compiles into a broader set of runtime behavior changes that the PR description doesn't mention.
<details>
<summary>💡 What actually changed in every affected lock file</summary>

| Change | Before | After |
|---|---|---|
| AWF install mode | v0.27.10 | v0.27.10 --rootless |
| MCP gateway networking | --network host | --network bridge -p 127.0.0.1:${PORT}:${PORT} |
| MCP gateway domain | `host.d… |
</details>
Skills-Based Review 🧠
Applied /zoom-out — approving with observations. The changes are well-executed and the security improvement is clear.
📋 Key Themes & Highlights
What this PR actually does
The .md source files each change one line (sudo: true → sudo: false), but make recompile expands this into a full rootless container mode migration in each lock file:
- `--rootless` flag on `install_awf_binary.sh`
- MCP gateway: `--network host` → `--network bridge` with explicit port binding
- Gateway addressing: `host.docker.internal` → container name `awmg-mcpg`
- DIFC proxy: `host.docker.internal:18443` → `awmg-cli-proxy:18443`
- `awf-config.json` gains `"isolation": true` and `"topologyAttach"` for the bridge network
- `sudo -E awf` → `awf`, `sudo chmod` cleanup step removed
All 64 files follow the exact same compiled pattern — no per-workflow surprises.
Positive Highlights
- ✅ Correct use of `make recompile` — source files are minimal, lock files are fully generated
- ✅ Bridge networking is a meaningful isolation improvement over `--network host`
- ✅ Conservative 30% rollout: targets only workflows with explicit `sudo: true`, allowing validation before migrating the rest
- ✅ Consistent pattern across all 64 files
- ✅ The `sudo chmod -R a+rX` cleanup step is cleanly removed — rootless mode files are already accessible
Observations (non-blocking)
- `host.docker.internal` remains in the firewall `allowDomains` even though all internal services now communicate via bridge container names — worth a follow-up check (see inline comment)
- `GH_AW_NETWORK_ISOLATION: true` env var purpose could use a short comment in the template
- The remaining ~152 workflows (those without explicit `sudo: true`) presumably already use a different default — it would help to document the migration plan for a full 100% rootless rollout in a follow-up issue
🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · 116.8 AIC · ⌖ 7.56 AIC · ⊞ 6.5K
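An audit script, added here as an illustration and not part of gh-aw or this PR, that scans a compiled lock file for the residual-privilege patterns raised in the post-merge review (Findings 1 and 3) and checks for the rootless/bridge pattern the Skills reviewer lists above. The two lock-file samples are constructed, heavily abbreviated stand-ins; the finding codes, severity labels, and the `MCP_GATEWAY_DOCKER_COMMAND=` / `printf … awf-config.json` line shapes it keys on are the script's own assumptions about how the compiled output looks.

```python
"""Audit a compiled gh-aw .lock.yml for privilege that sudo: false should have removed.

Each check mirrors a point from this PR's review: residual `sudo -E awf` and
`--enable-host-access` (threat-detection job), a non-rootless awf install, an MCP
gateway on `--network host` / `--add-host host.docker.internal`, and a stale
`host.docker.internal` allowDomains entry once `isolation` is true.
"""
import json
import re
from typing import Dict, List, Optional

# Constructed, heavily abbreviated stand-ins for the two compiled shapes in the PR.
# Real lock files run ~1500 lines; only the kinds of lines the audit reads are kept.
LOCK_BEFORE = r'''
        run: bash /tmp/gh-aw/install_awf_binary.sh v0.27.10
        run: |
          export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --name awmg-mcpg --add-host host.docker.internal:127.0.0.1 -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock ghcr.io/github/gh-aw-mcpg:v0.3.30'
          printf '%s\n' "{\"network\":{\"allowDomains\":[\"github.com\",\"host.docker.internal\"]},\"apiProxy\":{\"maxAiCredits\":${GH_AW_MAX_AI_CREDITS}}}" > "${RUNNER_TEMP}/gh-aw/awf-config.json"
          sudo -E awf --enable-host-access --allow-host-ports 80,443,8080 -- node agent.js
          sudo -E awf --enable-host-access --allow-host-ports 80,443,8080 -- node detect.js
'''

LOCK_AFTER = r'''
        run: bash /tmp/gh-aw/install_awf_binary.sh v0.27.10 --rootless
        run: |
          export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock ghcr.io/github/gh-aw-mcpg:v0.3.30'
          printf '%s\n' "{\"network\":{\"allowDomains\":[\"github.com\",\"host.docker.internal\"],\"isolation\":true,\"topologyAttach\":[\"awmg-mcpg\",\"awmg-cli-proxy\"]},\"apiProxy\":{\"maxAiCredits\":${GH_AW_MAX_AI_CREDITS}}}" > "${RUNNER_TEMP}/gh-aw/awf-config.json"
          awf --allow-domains github.com -- node agent.js
          sudo -E awf --enable-host-access --allow-host-ports 80,443,8080 -- node detect.js
'''

# An awf invocation line, optionally wrapped in `sudo` / `sudo -E`.
AWF_CALL = re.compile(r'^\s*(?P<sudo>sudo\s+(?:-E\s+)?)?awf\s+(?P<args>.*)$')
# The printf that writes the firewall config; group 1 is the shell-escaped JSON.
AWF_CONFIG = re.compile(
    r'''printf '%s\\n' "(\{.*\})" > "\$\{RUNNER_TEMP\}/gh-aw/awf-config\.json"''')


def parse_awf_config(line: str) -> Optional[dict]:
    """Recover the JSON object that a lock-file printf line writes to awf-config.json."""
    m = AWF_CONFIG.search(line)
    if not m:
        return None
    raw = m.group(1).replace('\\"', '"').replace('\\$', '$')
    # ${GH_AW_MAX_AI_CREDITS} is expanded by the shell, not valid JSON: neutralise it
    raw = re.sub(r'\$\{[A-Za-z_][A-Za-z0-9_]*\}', '0', raw)
    return json.loads(raw)


def audit_lock(text: str) -> List[Dict[str, object]]:
    """Return one finding per residual-privilege pattern, with the 1-based line it sits on."""
    findings: List[Dict[str, object]] = []

    def add(code: str, severity: str, line: int, msg: str) -> None:
        findings.append({'code': code, 'severity': severity, 'line': line, 'message': msg})

    for n, line in enumerate(text.splitlines(), 1):
        call = AWF_CALL.match(line)
        if call:
            if call.group('sudo'):
                add('SUDO_AWF', 'medium', n, 'awf still wrapped in sudo; this job did not de-escalate')
            if '--enable-host-access' in call.group('args'):
                add('HOST_ACCESS', 'medium', n, '--enable-host-access keeps runner host ports reachable')
        if 'install_awf_binary.sh' in line and '--rootless' not in line:
            add('AWF_NOT_ROOTLESS', 'medium', n, 'awf installed without --rootless')
        if 'MCP_GATEWAY_DOCKER_COMMAND=' in line:
            if '--network host' in line:
                add('GATEWAY_HOST_NETWORK', 'medium', n, 'gateway shares the runner network namespace')
            if '--add-host host.docker.internal' in line:
                add('GATEWAY_ADD_HOST', 'low', n, 'gateway still aliases host.docker.internal')
            if '/var/run/docker.sock' in line:
                add('GATEWAY_DOCKER_SOCK', 'info', n, 'docker socket mounted: root-equivalent whatever the sudo flag')
        cfg = parse_awf_config(line)
        if cfg is not None:
            net = cfg.get('network', {})
            if net.get('isolation') is not True:
                add('NO_ISOLATION', 'medium', n, 'awf-config.json lacks "isolation": true')
            else:
                if not net.get('topologyAttach'):
                    add('NO_TOPOLOGY', 'medium', n, 'isolation on but no topologyAttach for gateway/proxy')
                if 'host.docker.internal' in net.get('allowDomains', []):
                    add('STALE_HOST_DOCKER_INTERNAL', 'low', n,
                        'host.docker.internal allowed but services use bridge container names')
    return findings


def audit_codes(text: str) -> List[str]:
    """Sorted finding codes, handy for diffing the before/after compile of one workflow."""
    return sorted(str(f['code']) for f in audit_lock(text))


if __name__ == '__main__':
    for label, lock in (('before', LOCK_BEFORE), ('after', LOCK_AFTER)):
        print(f'== {label} ==')
        for f in audit_lock(lock):
            print(f"  line {f['line']:>3} {f['severity']:<6} {f['code']}: {f['message']}")
```

Run it against a real `.lock.yml` by reading the file into `audit_lock`; on the "after" sample it reports exactly the two review findings (sudo in threat detection, stale host.docker.internal) plus the unchanged docker-socket mount.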
| sandbox: | ||
| agent: | ||
| sudo: true | ||
| sudo: false |
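Review bot: this one-line frontmatter flip is the whole source change, yet what it drives in the compiled output (rootless install, bridge networking, isolation config, and a threat-detection job that still runs `sudo -E awf`) is not described anywhere in the PR; add that to the PR description, and ideally a comment in the .md frontmatter next to `sudo: false` stating which jobs it de-escalates and which are deliberately left on sudo, so a later auditor does not read the flag as a whole-workflow setting.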
[/zoom-out] The single-line source change is the right level of abstraction here — the .md file is the source of truth and sudo: false accurately captures the intent. Worth noting for reviewers that the compiled lock reflects a full rootless mode migration: rootless install, bridge networking, container name addressing, and isolation:true in the firewall config. None of this needs to be in the .md — it is all a compiler concern — but it is useful context when reading the diff.
💡 What rootless mode changes in the compiled lock
- `install_awf_binary.sh v0.27.10 --rootless` — installs the rootless variant of the AWF container runtime
- MCP Gateway: `--network host` → `--network bridge -p 127.0.0.1:PORT:PORT` — better container isolation
- Gateway domain: `host.docker.internal` → `awmg-mcpg` (container name on bridge)
- DIFC proxy host: `host.docker.internal:18443` → `awmg-cli-proxy:18443`
- `awf-config.json` gains `"isolation": true, "topologyAttach": ["awmg-mcpg", "awmg-cli-proxy"]`
- `sudo -E awf` → `awf`, and the `sudo chmod -R a+rX` cleanup step is removed
| esac | ||
| DOCKER_SOCK_GID=$(stat -c '%g' "$DOCKER_SOCK_PATH" 2>/dev/null || echo '0') | ||
| export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --name awmg-mcpg --add-host host.docker.internal:127.0.0.1 --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.30' | ||
| export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.30' |
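Review bot: the bridge move is a real reduction in what the gateway can reach, but the `-v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock` mount with `--group-add '"${DOCKER_SOCK_GID}"'` is identical on both lines, so the gateway keeps root-equivalent control of the runner's Docker daemon regardless of `sudo: false`; say so in the description so the de-escalation is not read as a privilege reduction for the gateway. Also confirm that `awmg-mcpg` is resolvable by name from the awf containers: Docker's default `bridge` network does not provide container-name DNS (only user-defined networks do), so the `topologyAttach` step must connect the gateway to the firewall's own network rather than rely on the `--network bridge` here.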
[/zoom-out] Switching the MCP gateway from --network host to --network bridge with an explicit port binding is a meaningful security improvement — the gateway container can no longer see all ports on the runner host. Addressing it by container name (awmg-mcpg) instead of host.docker.internal is the right pattern for bridge networking.
💡 Before / After
```diff
- docker run --network host --add-host host.docker.internal:127.0.0.1 ...
+ docker run --network bridge -p 127.0.0.1:${PORT}:${PORT} ...
```
Since awmg-mcpg is attached to the bridge network with a fixed container name, the awf firewall can route to it via topologyAttach in the network config rather than via host networking.
| (umask 177 && touch /tmp/gh-aw/agent-stdio.log) | ||
| GH_AW_MAX_AI_CREDITS="${{ vars.GH_AW_DEFAULT_MAX_AI_CREDITS || '1000' }}" | ||
| printf '%s\n' "{\"\$schema\":\"https://github.com/github/gh-aw-firewall/releases/download/v0.27.10/awf-config.schema.json\",\"network\":{\"allowDomains\":[\"*.grafana.net\",\"*.sentry.io\",\"api.githubcopilot.com\",\"api.pi.ai\",\"api.snapcraft.io\",\"archive.ubuntu.com\",\"azure.archive.ubuntu.com\",\"crl.geotrust.com\",\"crl.globalsign.com\",\"crl.identrust.com\",\"crl.sectigo.com\",\"crl.thawte.com\",\"crl.usertrust.com\",\"crl.verisign.com\",\"crl3.digicert.com\",\"crl4.digicert.com\",\"crls.ssl.com\",\"github.com\",\"host.docker.internal\",\"json-schema.org\",\"json.schemastore.org\",\"keyserver.ubuntu.com\",\"ocsp.digicert.com\",\"ocsp.geotrust.com\",\"ocsp.globalsign.com\",\"ocsp.identrust.com\",\"ocsp.sectigo.com\",\"ocsp.ssl.com\",\"ocsp.thawte.com\",\"ocsp.usertrust.com\",\"ocsp.verisign.com\",\"packagecloud.io\",\"packages.cloud.google.com\",\"packages.microsoft.com\",\"ppa.launchpad.net\",\"raw.githubusercontent.com\",\"registry.npmjs.org\",\"s.symcb.com\",\"s.symcd.com\",\"security.ubuntu.com\",\"ts-crl.ws.symantec.com\",\"ts-ocsp.ws.symantec.com\",\"www.googleapis.com\"]},\"apiProxy\":{\"enabled\":true,\"enableTokenSteering\":true,\"maxRuns\":500,\"maxAiCredits\":${GH_AW_MAX_AI_CREDITS},\"maxCacheMisses\":5,\"models\":{\"agent\":[\"sonnet-6x\",\"gpt-5.5\",\"gpt-5.4\",\"gpt-5.3\",\"gemini-pro\",\"any\"],\"antigravity\":[\"copilot/antigravity*\",\"google/antigravity*\",\"gemini/antigravity*\"],\"any\":[\"copilot/*\",\"anthropic/*\",\"openai/*\",\"google/*\",\"gemini/*\"],\"claude\":[\"agent\"],\"codex\":[\"agent\"],\"coding\":[\"copilot/gpt-5*codex*\",\"openai/gpt-5*codex*\",\"gpt-5-codex\"],\"computer-use\":[\"copilot/*computer-use*\",\"google/*computer-use*\",\"gemini/*computer-use*\",\"openai/*computer-use*\"],\"copilot\":[\"agent\"],\"deep-research\":[\"copilot/deep-research*\",\"copilot/o3-deep-research*\",\"copilot/o4-mini-deep-research*\",\"google/deep-research*\",\"gemini/deep-research*\",\"openai/o3-deep-research*\",\"openai/o4-mini-deep-resea
rch*\"],\"gemini\":[\"agent\"],\"gemini-3-flash\":[\"copilot/gemini-3*flash*\",\"google/gemini-3*flash*\",\"gemini/gemini-3*flash*\"],\"gemini-3-pro\":[\"copilot/gemini-3*pro*\",\"google/gemini-3*pro*\",\"google/nano-banana*\",\"gemini/gemini-3*pro*\"],\"gemini-3.1-flash\":[\"copilot/gemini-3.1*flash*\",\"google/gemini-3.1*flash*\",\"gemini/gemini-3.1*flash*\"],\"gemini-3.1-pro\":[\"copilot/gemini-3.1*pro*\",\"google/gemini-3.1*pro*\",\"gemini/gemini-3.1*pro*\"],\"gemini-3.5-flash\":[\"copilot/gemini-3.5*flash*\",\"google/gemini-3.5*flash*\",\"gemini/gemini-3.5*flash*\"],\"gemini-flash\":[\"copilot/gemini-*flash*\",\"google/gemini-*flash*\",\"gemini/gemini-*flash*\"],\"gemini-flash-lite\":[\"copilot/gemini-*flash*lite*\",\"google/gemini-*flash*lite*\",\"gemini/gemini-*flash*lite*\"],\"gemini-pro\":[\"copilot/gemini-*pro*\",\"google/gemini-*pro*\",\"gemini/gemini-*pro*\"],\"gemma\":[\"copilot/gemma*\",\"google/gemma*\",\"gemini/gemma*\"],\"gpt-5\":[\"copilot/gpt-5*\",\"openai/gpt-5*\"],\"gpt-5-codex\":[\"copilot/gpt-5*codex*\",\"openai/gpt-5*codex*\"],\"gpt-5-mini\":[\"copilot/gpt-5*mini*\",\"openai/gpt-5*mini*\"],\"gpt-5-nano\":[\"copilot/gpt-5*nano*\",\"openai/gpt-5*nano*\"],\"gpt-5-pro\":[\"copilot/gpt-5*pro*\",\"openai/gpt-5*pro*\"],\"gpt-5.1\":[\"copilot/gpt-5.1*\",\"openai/gpt-5.1*\"],\"gpt-5.2\":[\"copilot/gpt-5.2*\",\"openai/gpt-5.2*\"],\"gpt-5.3\":[\"copilot/gpt-5.3*\",\"openai/gpt-5.3*\"],\"gpt-5.4\":[\"copilot/gpt-5.4*\",\"openai/gpt-5.4*\"],\"gpt-5.5\":[\"copilot/gpt-5.5*\",\"openai/gpt-5.5*\"],\"haiku\":[\"copilot/*haiku*\",\"anthropic/*haiku*\"],\"image-generation\":[\"copilot/gpt-image*\",\"openai/gpt-image*\",\"openai/chatgpt-image*\",\"copilot/gemini-*image*\",\"google/gemini-*image*\",\"gemini/gemini-*image*\",\"google/imagen*\"],\"large\":[\"sonnet\",\"gpt-5-pro\",\"gpt-5\",\"gemini-pro\"],\"mai-code\":[\"copilot/MAI-Code*\",\"copilot/mai-code*\",\"openai/MAI-Code*\"],\"mini\":[\"haiku\",\"gpt-5-mini\",\"gpt-5-nano\",\"gemini-flash-lite\"],\"nano-b
anana\":[\"copilot/nano-banana*\",\"google/nano-banana*\",\"gemini/nano-banana*\"],\"opus\":[\"copilot/*opus*\",\"anthropic/*opus*\"],\"opusplan\":[\"opus?effort=high\"],\"reasoning\":[\"copilot/o1*\",\"copilot/o3*\",\"copilot/o4*\",\"openai/o1*\",\"openai/o3*\",\"openai/o4*\"],\"robotics\":[\"copilot/*robotics*\",\"google/*robotics*\",\"gemini/*robotics*\"],\"small\":[\"mini\"],\"small-agent\":[\"haiku\",\"gpt-5-mini\",\"gemini-flash\"],\"sonnet\":[\"copilot/*sonnet*\",\"anthropic/*sonnet*\"],\"sonnet-6x\":[\"copilot/*sonnet-4.5*\",\"copilot/*sonnet-4.6*\",\"copilot/*sonnet-4-5-*\",\"anthropic/*sonnet-4-5-*\",\"copilot/*sonnet-4-6*\",\"anthropic/*sonnet-4-6*\"],\"summarization\":[\"haiku\",\"gpt-5-mini\",\"gemini-flash-lite\",\"mini\"],\"vision\":[\"copilot/gemini-*image*\",\"google/gemini-*image*\",\"gemini/gemini-*image*\",\"copilot/gemini-*flash*\",\"google/gemini-*flash*\",\"gemini/gemini-*flash*\"]}},\"container\":{\"imageTag\":\"0.27.10,squid=sha256:4d7a79482c47f2390f9fa87663cd9cb728bfb2380d9a9610479fa234c906ea98,agent=sha256:e47878fa4953f5b4d38b4ec12c155aa12ab9befea299ea2d21a8b104de8bcbc8,api-proxy=sha256:4bd2598466928efbd360fd6575b68c6b420a7ec3b7c1be20844c560a0dd2878e\"}}" > "${RUNNER_TEMP}/gh-aw/awf-config.json" | ||
| printf '%s\n' "{\"\$schema\":\"https://github.com/github/gh-aw-firewall/releases/download/v0.27.10/awf-config.schema.json\",\"network\":{\"allowDomains\":[\"*.grafana.net\",\"*.sentry.io\",\"api.githubcopilot.com\",\"api.pi.ai\",\"api.snapcraft.io\",\"archive.ubuntu.com\",\"azure.archive.ubuntu.com\",\"crl.geotrust.com\",\"crl.globalsign.com\",\"crl.identrust.com\",\"crl.sectigo.com\",\"crl.thawte.com\",\"crl.usertrust.com\",\"crl.verisign.com\",\"crl3.digicert.com\",\"crl4.digicert.com\",\"crls.ssl.com\",\"github.com\",\"host.docker.internal\",\"json-schema.org\",\"json.schemastore.org\",\"keyserver.ubuntu.com\",\"ocsp.digicert.com\",\"ocsp.geotrust.com\",\"ocsp.globalsign.com\",\"ocsp.identrust.com\",\"ocsp.sectigo.com\",\"ocsp.ssl.com\",\"ocsp.thawte.com\",\"ocsp.usertrust.com\",\"ocsp.verisign.com\",\"packagecloud.io\",\"packages.cloud.google.com\",\"packages.microsoft.com\",\"ppa.launchpad.net\",\"raw.githubusercontent.com\",\"registry.npmjs.org\",\"s.symcb.com\",\"s.symcd.com\",\"security.ubuntu.com\",\"ts-crl.ws.symantec.com\",\"ts-ocsp.ws.symantec.com\",\"www.googleapis.com\"],\"isolation\":true,\"topologyAttach\":[\"awmg-mcpg\",\"awmg-cli-proxy\"]},\"apiProxy\":{\"enabled\":true,\"enableTokenSteering\":true,\"maxRuns\":500,\"maxAiCredits\":${GH_AW_MAX_AI_CREDITS},\"maxCacheMisses\":5,\"models\":{\"agent\":[\"sonnet-6x\",\"gpt-5.5\",\"gpt-5.4\",\"gpt-5.3\",\"gemini-pro\",\"any\"],\"antigravity\":[\"copilot/antigravity*\",\"google/antigravity*\",\"gemini/antigravity*\"],\"any\":[\"copilot/*\",\"anthropic/*\",\"openai/*\",\"google/*\",\"gemini/*\"],\"claude\":[\"agent\"],\"codex\":[\"agent\"],\"coding\":[\"copilot/gpt-5*codex*\",\"openai/gpt-5*codex*\",\"gpt-5-codex\"],\"computer-use\":[\"copilot/*computer-use*\",\"google/*computer-use*\",\"gemini/*computer-use*\",\"openai/*computer-use*\"],\"copilot\":[\"agent\"],\"deep-research\":[\"copilot/deep-research*\",\"copilot/o3-deep-research*\",\"copilot/o4-mini-deep-research*\",\"google/deep-research*\",\"gemini/
deep-research*\",\"openai/o3-deep-research*\",\"openai/o4-mini-deep-research*\"],\"gemini\":[\"agent\"],\"gemini-3-flash\":[\"copilot/gemini-3*flash*\",\"google/gemini-3*flash*\",\"gemini/gemini-3*flash*\"],\"gemini-3-pro\":[\"copilot/gemini-3*pro*\",\"google/gemini-3*pro*\",\"google/nano-banana*\",\"gemini/gemini-3*pro*\"],\"gemini-3.1-flash\":[\"copilot/gemini-3.1*flash*\",\"google/gemini-3.1*flash*\",\"gemini/gemini-3.1*flash*\"],\"gemini-3.1-pro\":[\"copilot/gemini-3.1*pro*\",\"google/gemini-3.1*pro*\",\"gemini/gemini-3.1*pro*\"],\"gemini-3.5-flash\":[\"copilot/gemini-3.5*flash*\",\"google/gemini-3.5*flash*\",\"gemini/gemini-3.5*flash*\"],\"gemini-flash\":[\"copilot/gemini-*flash*\",\"google/gemini-*flash*\",\"gemini/gemini-*flash*\"],\"gemini-flash-lite\":[\"copilot/gemini-*flash*lite*\",\"google/gemini-*flash*lite*\",\"gemini/gemini-*flash*lite*\"],\"gemini-pro\":[\"copilot/gemini-*pro*\",\"google/gemini-*pro*\",\"gemini/gemini-*pro*\"],\"gemma\":[\"copilot/gemma*\",\"google/gemma*\",\"gemini/gemma*\"],\"gpt-5\":[\"copilot/gpt-5*\",\"openai/gpt-5*\"],\"gpt-5-codex\":[\"copilot/gpt-5*codex*\",\"openai/gpt-5*codex*\"],\"gpt-5-mini\":[\"copilot/gpt-5*mini*\",\"openai/gpt-5*mini*\"],\"gpt-5-nano\":[\"copilot/gpt-5*nano*\",\"openai/gpt-5*nano*\"],\"gpt-5-pro\":[\"copilot/gpt-5*pro*\",\"openai/gpt-5*pro*\"],\"gpt-5.1\":[\"copilot/gpt-5.1*\",\"openai/gpt-5.1*\"],\"gpt-5.2\":[\"copilot/gpt-5.2*\",\"openai/gpt-5.2*\"],\"gpt-5.3\":[\"copilot/gpt-5.3*\",\"openai/gpt-5.3*\"],\"gpt-5.4\":[\"copilot/gpt-5.4*\",\"openai/gpt-5.4*\"],\"gpt-5.5\":[\"copilot/gpt-5.5*\",\"openai/gpt-5.5*\"],\"haiku\":[\"copilot/*haiku*\",\"anthropic/*haiku*\"],\"image-generation\":[\"copilot/gpt-image*\",\"openai/gpt-image*\",\"openai/chatgpt-image*\",\"copilot/gemini-*image*\",\"google/gemini-*image*\",\"gemini/gemini-*image*\",\"google/imagen*\"],\"large\":[\"sonnet\",\"gpt-5-pro\",\"gpt-5\",\"gemini-pro\"],\"mai-code\":[\"copilot/MAI-Code*\",\"copilot/mai-code*\",\"openai/MAI-Code*\"],\"mini\"
:[\"haiku\",\"gpt-5-mini\",\"gpt-5-nano\",\"gemini-flash-lite\"],\"nano-banana\":[\"copilot/nano-banana*\",\"google/nano-banana*\",\"gemini/nano-banana*\"],\"opus\":[\"copilot/*opus*\",\"anthropic/*opus*\"],\"opusplan\":[\"opus?effort=high\"],\"reasoning\":[\"copilot/o1*\",\"copilot/o3*\",\"copilot/o4*\",\"openai/o1*\",\"openai/o3*\",\"openai/o4*\"],\"robotics\":[\"copilot/*robotics*\",\"google/*robotics*\",\"gemini/*robotics*\"],\"small\":[\"mini\"],\"small-agent\":[\"haiku\",\"gpt-5-mini\",\"gemini-flash\"],\"sonnet\":[\"copilot/*sonnet*\",\"anthropic/*sonnet*\"],\"sonnet-6x\":[\"copilot/*sonnet-4.5*\",\"copilot/*sonnet-4.6*\",\"copilot/*sonnet-4-5-*\",\"anthropic/*sonnet-4-5-*\",\"copilot/*sonnet-4-6*\",\"anthropic/*sonnet-4-6*\"],\"summarization\":[\"haiku\",\"gpt-5-mini\",\"gemini-flash-lite\",\"mini\"],\"vision\":[\"copilot/gemini-*image*\",\"google/gemini-*image*\",\"gemini/gemini-*image*\",\"copilot/gemini-*flash*\",\"google/gemini-*flash*\",\"gemini/gemini-*flash*\"]}},\"container\":{\"imageTag\":\"0.27.10,squid=sha256:4d7a79482c47f2390f9fa87663cd9cb728bfb2380d9a9610479fa234c906ea98,agent=sha256:e47878fa4953f5b4d38b4ec12c155aa12ab9befea299ea2d21a8b104de8bcbc8,api-proxy=sha256:4bd2598466928efbd360fd6575b68c6b420a7ec3b7c1be20844c560a0dd2878e\"}}" > "${RUNNER_TEMP}/gh-aw/awf-config.json" |
[/zoom-out] host.docker.internal remains in allowDomains even though the MCP gateway and DIFC proxy now communicate via container names on the bridge network. Is there still a service on the runner host that awf agents legitimately reach via host.docker.internal, or is this entry vestigial? If nothing actually uses it, removing it would tighten the outbound allowlist.
💡 Context
The compiled awf-config.json network config now includes:
```json
"isolation": true,
"topologyAttach": ["awmg-mcpg", "awmg-cli-proxy"]
```
All internal service references in the lock file now use container names (awmg-mcpg, awmg-cli-proxy). The host.docker.internal entry in allowDomains was useful when these services ran on the host network; in bridge mode it may no longer be needed for these workflows. Worth confirming upstream before removing.
| env: | ||
| GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} | ||
| GITHUB_SERVER_URL: ${{ github.server_url }} | ||
| GH_AW_NETWORK_ISOLATION: 'true' |
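Review bot: `GH_AW_NETWORK_ISOLATION: 'true'` is emitted as a quoted string with nothing saying who consumes it; any setup or cleanup step that branches on it must compare against the literal string `'true'` (it will not be coerced to a boolean), and the compile template should carry a one-line comment naming the consumer so a reader can tell a behavioural switch from an observability marker.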
[/zoom-out] GH_AW_NETWORK_ISOLATION: true is a nice explicit signal that this workflow is running in rootless/isolated mode. Is this env var consumed by anything during the run (e.g., for conditional logic in setup steps or post-run cleanup), or is it primarily an observability marker? A brief comment in the compile template about its purpose would help future readers understand when it is emitted.
Sets `sandbox.agent.sudo: false` on 64 of 216 agentic workflows (29.6% ≈ 30%). Targets exactly the workflows that already had an explicit `sandbox.agent.sudo: true` — no new sandbox blocks introduced.
- `.md` files: `sudo: true` → `sudo: false` under `sandbox.agent`
- `.lock.yml` files: regenerated via `make recompile`