Update gh-aw (upon mcp policy changes) #13526

Merged: JanKrivanek merged 2 commits into main from dev/jankrivanek/update-gh-aw, Apr 13, 2026
Conversation

@JanKrivanek (Member)

Fixes #13519 #13521 #13524

Details: github/gh-aw#25656

Context

gh-aw needs to be updated upon recent Copilot MCP policy changes (Copilot CLI is an implicit server-side dependency).

@JanKrivanek JanKrivanek requested a review from a team as a code owner April 11, 2026 08:23
Copilot AI review requested due to automatic review settings April 11, 2026 08:23
@JanKrivanek JanKrivanek enabled auto-merge April 11, 2026 08:24

Copilot AI left a comment


Pull request overview

Updates the repository’s gh-aw compiled workflow lock files to align with recent GitHub Copilot MCP policy changes and newer gh-aw/AWF/Copilot CLI tooling, addressing the reported agent workflow failures.

Changes:

  • Bump gh-aw compiler references from v0.67.1 to v0.68.1 and refresh pinned action SHAs accordingly.
  • Update runtime components used by the workflows (AWF container images, MCP gateway image, and Copilot CLI version), and adjust how safe-outputs tooling is generated.
  • Add/propagate new activation outputs (e.g., stale lock-file failure) and minor hardening (quoted bash invocations, log file creation).
Summary per file:

  • .github/workflows/review.agent.lock.yml: Regenerated “/review” workflow lock with updated gh-aw/AWF/Copilot CLI + safe-outputs tooling generation changes.
  • .github/workflows/review-on-open.agent.lock.yml: Regenerated “on open” workflow lock with the same toolchain/policy updates.
  • .github/workflows/close-stale-prs.agent.lock.yml: Regenerated stale PR maintenance workflow lock with the same toolchain/policy updates.
  • .github/aw/actions-lock.json: Updates the repo’s action pin mapping for gh-aw-related actions (notably actions/github-script@v9 and gh-aw-actions/setup@v0.68.1).

Copilot's findings

Comments suppressed due to low confidence (3)

.github/workflows/review.agent.lock.yml:1186

  • (umask 177 && touch …/detection.log) won’t tighten permissions if the file already exists. This workflow already creates detection.log earlier via a plain touch, so the log may still end up world-readable (0644). Consider creating the file the first time under the stricter umask (or explicitly chmod 600 before writing).
          set -o pipefail
          touch /tmp/gh-aw/agent-step-summary.md
          (umask 177 && touch /tmp/gh-aw/threat-detection/detection.log)
          # shellcheck disable=SC1003

.github/workflows/review-on-open.agent.lock.yml:1131

  • (umask 177 && touch …/detection.log) won’t change permissions if detection.log was already created earlier in the job (it is, via a plain touch). If the goal is to avoid world-readable logs, create the file initially under the stricter umask or add an explicit chmod 600 before writing.
          set -o pipefail
          touch /tmp/gh-aw/agent-step-summary.md
          (umask 177 && touch /tmp/gh-aw/threat-detection/detection.log)
          # shellcheck disable=SC1003

.github/workflows/close-stale-prs.agent.lock.yml:1077

  • (umask 177 && touch …/detection.log) won’t tighten permissions if detection.log already exists. Since this job already does a plain touch earlier, the file may still be created with default (potentially world-readable) perms. Create the file the first time under the stricter umask or explicitly chmod 600 before writing.
          set -o pipefail
          touch /tmp/gh-aw/agent-step-summary.md
          (umask 177 && touch /tmp/gh-aw/threat-detection/detection.log)
          # shellcheck disable=SC1003
  • Files reviewed: 4/4 changed files
  • Comments generated: 4
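The umask point raised in the three suppressed comments above, shown as an added, stand-alone example (not code from the gh-aw lock files): a `umask` in a subshell only governs files created by that call, so a second `touch` on an existing file leaves its mode untouched. Paths under a temporary directory and the assumed default umask of 022 are constructed for this example.

```shell
#!/bin/sh
# Added example: why "(umask 177 && touch f)" is a no-op on an existing file,
# and the two fixes the review suggests. Files live in a temp dir, not /tmp/gh-aw.

workdir=$(mktemp -d)

# Print a file's permission bits in octal (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Sequence as in the lock files: a plain touch first (simulated default
# umask 022 -> 0644), then the "hardening" touch under umask 177.
broken_sequence() {
    f="$workdir/broken.log"
    rm -f "$f"
    (umask 022 && touch "$f")           # created world-readable
    (umask 177 && touch "$f")           # file exists: mode is NOT changed
    file_mode "$f"                      # -> 644
}

# Fix A: create the file for the first time under the strict umask.
fixed_create_first() {
    f="$workdir/fixed-create.log"
    rm -f "$f"
    (umask 177 && touch "$f")           # creation honours the umask -> 0600
    (umask 022 && touch "$f")           # later touches keep the existing mode
    file_mode "$f"                      # -> 600
}

# Fix B: chmod explicitly, which works whenever and however the file was created.
fixed_chmod() {
    f="$workdir/fixed-chmod.log"
    rm -f "$f"
    (umask 022 && touch "$f")
    chmod 600 "$f"                      # idempotent, safe to run before each write
    file_mode "$f"                      # -> 600
}
```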

@github-actions github-actions Bot left a comment


Expert Review — PR #13526: Update gh-aw (upon mcp policy changes)

Verdict: ✅ LGTM — Clean infrastructure update with positive security improvements

This PR is a compiler-generated update of gh-aw (GitHub Agentic Workflows) infrastructure files. No MSBuild source code, tests, targets, or engine logic is changed. Of the 24 review dimensions, only Build Infrastructure (#19), Security (#24), Dependency Management (#23), and Scope (#20) are applicable.


Dimension 19: Build Infrastructure — ✅ Good

All version bumps are consistent across all three workflow files:

  • gh-aw-actions/setup: v0.67.1 → v0.68.1 (SHA-pinned)
  • actions/github-script: v8 → v9 (SHA-pinned)
  • AWF firewall images: 0.25.13 → 0.25.18
  • MCP gateway: v0.2.14 → v0.2.17
  • Copilot CLI: "latest" → "1.0.21" (explicit pinning — good)

The old github/gh-aw-actions/setup@v0.59.0 entry was properly removed from actions-lock.json.

Dimension 24: Security — ✅ Improved

Positive changes:

  1. Shell quoting hardened — All RUNNER_TEMP usages in run: steps are now properly double-quoted, preventing word-splitting/globbing. This is a real security improvement.
  2. Explicit bash invocation — Steps previously running scripts directly now use bash "...", ensuring a known shell interpreter.
  3. Restrictive file permissions — New (umask 177 && touch ...) creates log files with owner-only read/write.
  4. Version pinning — Moving from "latest" to "1.0.21" for Copilot CLI eliminates supply-chain risk from floating versions.
  5. New actions: read permission — Minimal, read-only scope increase for lock file staleness checks. Appropriate and justified.

Observation (informational, not blocking):

  • Two distinct SHAs are used for actions/github-script@v9: 373c709c... (for determine-automatic-lockdown only, present in actions-lock.json) and 3a2844b7... (for all other steps, listed in gh-aw-manifest but not in actions-lock.json). This appears to be by design of the gh-aw compiler infrastructure.
  • Inside the bash -c '...' strings of the awf invocations, RUNNER_TEMP remains unquoted. This is technically safe since it is a GitHub-controlled path without spaces, and the expansion happens inside the container. However, it is inconsistent with the quoting discipline applied elsewhere. Since this is compiler-generated code, this is informational only.

Dimension 23: Dependency Management — ✅ Good

All dependencies are SHA-pinned. Version bumps are coordinated across all workflow files. No new external dependencies introduced.

Dimension 20: Scope — ✅ Clean

Pure infrastructure update. No MSBuild behavioral changes. Correctly references issues #13519, #13521, #13524. New stale_lock_file_failed output propagation is properly wired through activation → agent failure handling.

Other behavioral changes noted:

  • Safe outputs tools generation moved from shell cat/node to actions/github-script step (more robust)
  • New copilot_driver.cjs wrapper around Copilot CLI invocation (new in v0.68.1)
  • Reporting condition expanded: stale_lock_file_failed now also triggers the reporting job
  • Step name casing normalized (e.g., "Record Missing Tool" → "Record missing tool")

Dimensions N/A for this PR:

1–18, 21–22: No MSBuild C# code, targets, evaluation, API, or test changes.


Summary: This is a well-structured, compiler-generated infrastructure update with genuine security improvements (shell quoting, version pinning, file permissions). No concerns found. Ship it.

Generated by Expert Code Review (on open) for issue #13526

@JanKrivanek JanKrivanek merged commit 9cee5f7 into main Apr 13, 2026
10 checks passed
@JanKrivanek JanKrivanek deleted the dev/jankrivanek/update-gh-aw branch April 13, 2026 08:14
This was referenced Jun 11, 2026
Linked issue that merging this pull request may close: [aw] Expert Code Review (on open) failed

4 participants