fix: recompile agentic workflows with gh-aw v0.68.1 #70

Merged
DanWahlin merged 2 commits into main from fix/recompile-agentic-workflows-v0.68.1
Apr 12, 2026

@DanWahlin
Collaborator

Problem

The Course Updater agentic workflow (run #24306045851) completed successfully but failed to create a PR because both the github and safeoutputs MCP servers were blocked by policy:

! 2 MCP servers were blocked by policy: 'github', 'safeoutputs'
✗ create_pull_request → Tool 'create_pull_request' does not exist.
✗ noop → Tool 'noop' does not exist.

Root Cause

The lock files were compiled with gh-aw v0.64.4, which used latest for the Copilot CLI version. Between April 3–11, the Copilot CLI introduced MCP policy enforcement that blocked MCP servers in the sandbox environment.

Fix

Recompiled both workflows with gh-aw v0.68.1, which:

  • Pins Copilot CLI to v1.0.21 instead of floating latest
  • Upgrades AWF firewall from v0.25.4 → v0.25.18
  • Upgrades MCP Gateway from v0.2.9 → v0.2.17
  • Updates gh-aw-actions to v0.68.1

Security Review

The github/gh-aw-actions/setup action SHA was updated from 7cae8cd (v0.64.4) to 2fe53ac (v0.68.1). This is the official gh-aw setup action maintained by GitHub — safe to use.

Affected Workflows

  • course-updater
  • traffic-updater
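
The pin review described under Security Review, written as a check (an added example, not part of the pull request or of gh-aw): it compares the `uses:` pins in two versions of a workflow file and reports every action whose pinned SHA changed, plus any ref that is not a full commit SHA. The two `actions/github-script` lines are the ones shown on this page; `example-org/example-action` and the function names are constructed for illustration.

```python
import re

# "uses: owner/repo[/path]@ref", optionally followed by "# label" (e.g. "# v9").
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<label>\S+))?",
    re.MULTILINE,
)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

# Constructed sample input: the github-script pins come from this page,
# example-org/example-action is a made-up action with a floating ref.
OLD_WORKFLOW = """\
steps:
  - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
  - uses: example-org/example-action@latest
"""
NEW_WORKFLOW = """\
steps:
  - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
  - uses: example-org/example-action@latest
"""


def parse_pins(text):
    """Map each action to (ref, label). Assumes one pin per action per file."""
    return {m["action"]: (m["ref"], m["label"]) for m in USES_RE.finditer(text)}


def review_pins(old_text, new_text):
    """List (kind, action, detail) findings that a pin review should cover."""
    old, new = parse_pins(old_text), parse_pins(new_text)
    findings = []
    for action, (ref, label) in sorted(new.items()):
        if not FULL_SHA_RE.fullmatch(ref):
            # The ref text can stay identical while its target moves upstream.
            findings.append(("floating", action, ref))
        prev = old.get(action)
        if prev is None:
            findings.append(("added", action, ref))
        elif prev[0] != ref:
            detail = f"{prev[0][:7]} ({prev[1] or 'no label'}) -> {ref[:7]} ({label or 'no label'})"
            findings.append(("changed", action, detail))
    return findings


if __name__ == "__main__":
    for finding in review_pins(OLD_WORKFLOW, NEW_WORKFLOW):
        print(*finding, sep="\t")
```

The `# v8` and `# v9` labels are reported as written in the file; checking that a SHA is the commit the upstream tag points to is a separate lookup against the action's repository.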

DanWahlin and others added 2 commits April 12, 2026 11:28
The 'Course Updater' agentic workflow was failing because both the
'github' and 'safeoutputs' MCP servers were blocked by a Copilot CLI
policy change. The old lock file (compiled with gh-aw v0.64.4) used
'latest' for the Copilot CLI version, which pulled a newer CLI that
introduced MCP policy enforcement breaking the MCP server connections.

Key changes from recompilation:
- Pin Copilot CLI to v1.0.21 (instead of floating 'latest')
- Upgrade AWF firewall from v0.25.4 to v0.25.18
- Upgrade MCP Gateway from v0.2.9 to v0.2.17
- Update gh-aw-actions to v0.68.1

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Same MCP policy fix as course-updater - pin Copilot CLI version and
upgrade firewall/gateway components to prevent MCP server blocking.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 12, 2026 18:29
Contributor

Copilot AI left a comment

Pull request overview

This PR recompiles the repository’s agentic GitHub Actions workflows using gh-aw v0.68.1 to avoid recent Copilot CLI MCP policy enforcement issues by pinning the Copilot CLI version and updating the supporting agentic workflow components.

Changes:

  • Recompiled course-updater and traffic-updater lock workflows with gh-aw v0.68.1, pinning Copilot CLI to 1.0.21.
  • Upgraded the AWF firewall and MCP Gateway versions used by the workflows.
  • Updated the action lock file to include the new gh-aw-actions/setup pin and actions/github-script@v9.

| File | Description |
| --- | --- |
| .github/workflows/traffic-updater.lock.yml | Recompiled workflow lock to gh-aw v0.68.1, pins Copilot CLI version, upgrades AWF/MCPG, and updates supporting steps. |
| .github/workflows/course-updater.lock.yml | Recompiled workflow lock to gh-aw v0.68.1, pins Copilot CLI version, upgrades AWF/MCPG, and updates supporting steps. |
| .github/aw/actions-lock.json | Updates action pin entries for the new gh-aw setup action and adds actions/github-script@v9. |

Copilot's findings

  • Files reviewed: 3/3 changed files
  • Comments generated: 3

Comment on lines 100 to +106
GH_AW_INFO_FIREWALL_TYPE: "squid"
GH_AW_COMPILED_STRICT: "true"
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
with:
script: |
const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
setupGlobals(core, github, context, exec, io);
setupGlobals(core, github, context, exec, io, getOctokit);
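Review bot: The new actions/github-script pin on the `uses:` line (3a2844b7e9c422d3c10d287c895573f7108da1b3, labelled `# v9`) is not covered by the PR's Security Review, which accounts only for the github/gh-aw-actions/setup SHA. The `# v9` label is a comment that nothing enforces, so confirm that this SHA is the commit the upstream v9 tag resolves to and record that check next to the one for the setup action. It is also a major-version bump from v8, which deserves a line in the description.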
Comment on lines 100 to +106
GH_AW_INFO_FIREWALL_TYPE: "squid"
GH_AW_COMPILED_STRICT: "true"
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
with:
script: |
const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
setupGlobals(core, github, context, exec, io);
setupGlobals(core, github, context, exec, io, getOctokit);
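Review bot: `getOctokit`, the new sixth argument on the `setupGlobals(...)` line, is not declared anywhere in the visible script, so the call depends on the runtime supplying it and on the `setup_globals.cjs` loaded from `${{ runner.temp }}/gh-aw/actions/` accepting it. That couples this line to the `# v9` github-script pin in the same hunk and to the version of the setup action that writes that file; confirm all three were regenerated together in both lock files, since a partial recompile would leave the argument undefined or ignored.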
@DanWahlin DanWahlin merged commit a9e32fe into main Apr 12, 2026
7 checks passed