Bump gh-aw-firewall to v0.25.68 and refresh generated artifacts

[Copilot]

This updates gh-aw’s pinned AWF firewall release from v0.25.67 to v0.25.68, pulling in the upstream API proxy fixes and smoke-workflow improvements from that release. The repo’s generated workflow artifacts and coupled golden outputs are refreshed to keep the new default version consistent everywhere it is embedded.

• Version pin

  • Bump DefaultFirewallVersion to v0.25.68 in pkg/constants/version_constants.go
  • Leave existing AWF*MinVersion feature gates unchanged; the upstream release does not introduce new gh-aw-facing gates

• Generated workflow outputs

  • Regenerate compiled .lock.yml workflows so embedded AWF metadata, install steps, and container references align with the new default firewall version
  • Add a patch changeset for the shipped default-version bump

• Coupled golden fixtures

  • Refresh WASM golden fixtures that snapshot compiled workflow output and include the pinned AWF version

• Upstream schema review

  • Review v0.25.68 AWF spec/schema changes against gh-aw’s embedded schema and config generation
  • Do not sync the embedded schema in this PR; upstream now includes additional fields and a narrower apiProxy.modelFallback.enabled type, while gh-aw still intentionally supports templated expressions there

// pkg/constants/version_constants.go
const DefaultFirewallVersion Version = "v0.25.68"

---

---

✨ PR Review Safe Output Test - Run 27180578675

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

• accounts.google.com
• android.clients.google.com
• clients2.google.com
• contentautofill.googleapis.com
• safebrowsingohttpgateway.googleapis.com
• www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

💥 [THE END] — Illustrated by Smoke Claude · 60.9 AIC · ⌖ 25.5 AIC · ◷

[github-actions]

🚀 Smoke Pi MISSION COMPLETE! Pi delivered. 🥧

[github-actions]

🚀 Smoke Antigravity MISSION COMPLETE! Antigravity has spoken. ✨

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

[github-actions]

⚠️ Smoke Gemini failed. Gemini encountered unexpected challenges...

[github-actions]

✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready.

[github-actions]

📰 BREAKING: Smoke Copilot - AOAI (apikey) is now investigating this pull request. Sources say the story is developing...

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

Agent Container Tool Check

Tool	Status	Version
bash	✅	5.2.21
sh	✅	available
git	✅	2.54.0
jq	✅	1.7
yq	✅	v4.53.2
curl	✅	8.5.0
gh	✅	2.92.0
node	✅	v24.16.0
python3	✅	3.13.13
go	✅	1.24.13
java	✅	21.0.11 (Temurin LTS)
dotnet	✅	10.0.300

Result: 12/12 tools available ✅ — PASS

🔧 Tool validation by Agent Container Smoke Test · 39.8 AIC · ⌖ 12.3 AIC · ◷

[github-actions]

💥 Smoke Test: Claude — Run 27180578675

Core #1-12: ✅✅✅✅✅✅✅✅✅✅✅✅
PR Review #13-19: 13 ✅ · 14 ✅ · 15 ✅ · 16 ⚠️ · 17 ✅ · 18 ✅ · 19 ⚠️

Overall: PARTIAL (all executed passed; #16 & #19 skipped — no unresolved threads / no safe test PR)

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

• accounts.google.com
• android.clients.google.com
• clients2.google.com
• contentautofill.googleapis.com
• safebrowsingohttpgateway.googleapis.com
• www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

💥 [THE END] — Illustrated by Smoke Claude · 60.9 AIC · ⌖ 25.5 AIC · ◷

[github-actions]

💥 Automated smoke test review - all systems nominal!

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

• accounts.google.com
• android.clients.google.com
• clients2.google.com
• contentautofill.googleapis.com
• safebrowsingohttpgateway.googleapis.com
• www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

💥 [THE END] — Illustrated by Smoke Claude · 60.9 AIC · ⌖ 25.5 AIC

[github-actions]

Nice — using a patch-level changeset is appropriate for a dependency version bump like this.

[github-actions]

Consider linking to the upstream v0.25.68 release notes here so reviewers can quickly see what changed.

[github-actions]

Smoke test FAIL

• Merged PRs: Clarify pr-finisher handling for github-actions[bot] review threads; Enable copilot-requests feature in Daily Max AI Credits workflow
• ✅ 1 3 5 6 7 8
• ❌ 2 4
• ⏳ 9 10
• Overall: FAIL

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

• accounts.google.com
• android.clients.google.com
• clients2.google.com
• contentautofill.googleapis.com
• safebrowsingohttpgateway.googleapis.com
• www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex · 118.1 AIC · ⌖ 7.19 AIC · ◷

[github-actions]

Comment Memory

First light on steel
Cache remembers the path
Tests whisper, then pass

Note

This comment is managed by comment memory.

It stores persistent context for this thread in the code block at the top of this comment.
Edit only the text inside the backtick fences; workflow metadata and the footer are regenerated automatically.

Learn more about comment memory

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

• accounts.google.com
• android.clients.google.com
• clients2.google.com
• contentautofill.googleapis.com
• safebrowsingohttpgateway.googleapis.com
• www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex · 118.1 AIC · ⌖ 7.19 AIC · ◷

[github-actions]

Bump gh-aw-firewall to v0.25.68 and refresh generated artifacts
1✅ 2✅ 3✅ 4✅ 5✅
6✅ 7✅ 8✅ 9✅ 10✅
11✅ 12✅ 13✅ 14✅ 15✅
PASS
author: @app/copilot-swe-agent
assignees: @lpcox @Copilot

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

• accounts.google.com
• android.clients.google.com
• clients2.google.com
• contentautofill.googleapis.com
• safebrowsingohttpgateway.googleapis.com
• www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot · 232.7 AIC · ⌖ 16.1 AIC · ◷

[Copilot]

Pull request overview

This PR bumps gh-aw’s default gh-aw-firewall (AWF) version from v0.25.67 → v0.25.68 and refreshes the repository’s generated workflow artifacts and WASM golden fixtures so compiled outputs consistently embed the new default.

Changes:

• Update DefaultFirewallVersion to v0.25.68.
• Regenerate compiled .lock.yml workflows to reflect the new AWF version (install steps, schema URLs, container tags, embedded config).
• Refresh WASM golden fixtures that snapshot compiled workflow output, plus add a patch changeset for the default bump.

Show a summary per file

File	Description
pkg/constants/version_constants.go	Bumps the default pinned AWF firewall version to v0.25.68.
.changeset/patch-bump-awf-v0-25-68.md	Adds a patch changeset documenting the default AWF version bump and regenerated artifacts.
.github/workflows/test-workflow.lock.yml	Regenerated lock workflow embedding AWF v0.25.68 (metadata, install steps, config schema URL, container tags).
.github/workflows/firewall.lock.yml	Regenerated firewall validation workflow for AWF v0.25.68.
.github/workflows/example-permissions-warning.lock.yml	Regenerated example workflow for AWF v0.25.68.
.github/workflows/daily-malicious-code-scan.lock.yml	Regenerated scheduled scan workflow for AWF v0.25.68.
.github/workflows/codex-github-remote-mcp-test.lock.yml	Regenerated Codex remote MCP test workflow embedding AWF v0.25.68.
.github/workflows/bot-detection.lock.yml	Regenerated bot-detection workflow embedding AWF v0.25.68.
.github/workflows/ace-editor.lock.yml	Regenerated ACE editor workflow embedding AWF v0.25.68.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden	Updates golden compiled output to reflect AWF v0.25.68.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden	Updates golden compiled output to reflect AWF v0.25.68.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden	Updates golden compiled output to reflect AWF v0.25.68.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden	Updates golden compiled output to reflect AWF v0.25.68.
pkg/workflow/testdata/TestWasmGolden_AllEngines/pi.golden	Updates multi-engine golden output to reflect AWF v0.25.68.
pkg/workflow/testdata/TestWasmGolden_AllEngines/gemini.golden	Updates multi-engine golden output to reflect AWF v0.25.68.
pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden	Updates multi-engine golden output to reflect AWF v0.25.68.
pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden	Updates multi-engine golden output to reflect AWF v0.25.68.
pkg/workflow/testdata/TestWasmGolden_AllEngines/claude.golden	Updates multi-engine golden output to reflect AWF v0.25.68.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 43/258 changed files
• Comments generated: 7