Merge firewall-audit-logs into unified agent artifact #25868
- Compiler: add firewall log/audit paths to unified agent artifact paths instead of generating a separate upload step
- Remove generateFirewallAuditLogsUploadStep method and its test
- CLI: map MCP/firewall artifact sets to agent artifact name
- CLI: remove firewall-audit-logs from critical artifact names
- CLI: update hasFirewallArtifact checks to use AgentArtifactName
- Mark FirewallAuditArtifactName constant as legacy
- Update golden files and all affected tests
- Recompile all 187 workflow lock files

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/04c856e1-d282-4339-9e2a-5deb4d4a3ff7
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Pull request overview
Consolidates firewall audit/log outputs into the unified agent artifact so each workflow run emits a single primary artifact (instead of a separate firewall-audit-logs artifact), and updates CLI artifact selection accordingly.
Changes:
- Compiler: appends firewall log/audit directories to the unified agent artifact upload and removes the dedicated firewall-audit-logs upload step.
- CLI: updates artifact-set resolution and gating logic to treat firewall/MCP data as residing in the agent artifact; updates retry-critical artifact list accordingly.
- Regenerates workflow lock files to remove the now-redundant firewall audit artifact upload step (paths folded into the existing agent upload step).
| File | Description |
|---|---|
| pkg/workflow/compiler_yaml_main_job.go | Adds firewall log/audit paths to unified agent artifact upload; removes dedicated firewall audit artifact upload. |
| pkg/workflow/engine_firewall_support.go | Removes now-unused dedicated firewall audit upload step helper and related import. |
| pkg/workflow/engine_firewall_support_test.go | Removes unit tests for deleted firewall audit upload step. |
| pkg/constants/constants.go | Re-documents FirewallAuditArtifactName as legacy/backward-compat only. |
| pkg/cli/logs_artifact_set.go | Updates MCP/firewall artifact sets to resolve to agent. |
| pkg/cli/logs_artifact_set_test.go | Updates artifact-set resolution tests for MCP/firewall -> agent. |
| pkg/cli/logs_orchestrator.go | Gates firewall/MCP analyses on agent artifact filter match; updates comments. |
| pkg/cli/audit.go | Gates firewall/MCP analyses on agent artifact filter match; updates comments. |
| pkg/cli/audit_diff.go | Gates firewall analysis on agent artifact filter match; updates comments. |
| pkg/cli/logs_download.go | Removes firewall-audit-logs from criticalArtifactNames. |
| pkg/cli/logs_download_test.go | Updates critical-artifact test expectations after removal of firewall-audit-logs. |
| pkg/cli/token_usage.go | Clarifies legacy firewall-audit-logs directory search as backward-compat behavior. |
| pkg/cli/firewall_policy.go | Clarifies legacy firewall-audit-logs directory search as backward-compat behavior. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden | Updates golden output: removes dedicated firewall audit upload step; firewall paths included in agent upload; updates github-script pin. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden | Updates golden output: removes dedicated firewall audit upload step; firewall paths included in agent upload; updates github-script pin. |
| .github/workflows/workflow-skill-extractor.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/workflow-normalizer.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/workflow-health-manager.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/workflow-generator.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/weekly-safe-outputs-spec-review.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/weekly-issue-summary.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/weekly-editors-health-check.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/weekly-blog-post-writer.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/video-analyzer.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/update-astro.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/unbloat-docs.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/ubuntu-image-analyzer.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/typist.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/tidy.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/test-workflow.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/test-quality-sentinel.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/test-project-url-default.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/test-dispatcher.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/test-create-pr-error-handling.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/terminal-stylist.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/technical-doc-writer.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/super-linter.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/sub-issue-closer.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/step-name-alignment.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/static-analysis-report.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/stale-repo-identifier.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/smoke-workflow-call.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/smoke-workflow-call-with-inputs.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/smoke-update-cross-repo-pr.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/smoke-test-tools.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/smoke-temporary-id.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/smoke-service-ports.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/smoke-project.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/smoke-multi-pr.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/smoke-gemini.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/smoke-create-cross-repo-pr.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/smoke-copilot.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/smoke-copilot-arm.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/smoke-codex.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/smoke-claude.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/smoke-call-workflow.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/smoke-agent-scoped-approved.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/smoke-agent-public-none.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/smoke-agent-public-approved.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/smoke-agent-all-none.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/smoke-agent-all-merged.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/slide-deck-maintainer.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/sergo.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/semantic-function-refactor.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/security-review.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/security-compliance.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/scout.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/schema-feature-coverage.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/schema-consistency-checker.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/safe-output-health.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/research.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/repository-quality-improver.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/repo-tree-map.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/repo-audit-analyzer.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/release.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/refiner.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/refactoring-cadence.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/q.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/python-data-charts.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/prompt-clustering-analysis.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/pr-triage-agent.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/pr-nitpick-reviewer.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/portfolio-analyst.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/poem-bot.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/plan.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/pdf-summary.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/org-health-report.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/notion-issue-summary.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/metrics-collector.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/mergefest.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/mcp-inspector.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/lockfile-stats.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/layout-spec-maintainer.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/jsweep.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/issue-triage-agent.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/issue-monster.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/issue-arborist.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/instructions-janitor.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/hourly-ci-cleaner.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/grumpy-reviewer.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/gpclean.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/go-pattern-detector.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/go-logger.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/go-fan.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/glossary-maintainer.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/github-remote-mcp-auth-test.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/github-mcp-tools-report.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/github-mcp-structural-analysis.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/functional-pragmatist.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/firewall.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/firewall-escape.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/example-workflow-analyzer.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/example-permissions-warning.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/duplicate-code-detector.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/draft-pr-cleanup.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/docs-noob-tester.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/discussion-task-miner.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/dictation-prompt.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/developer-docs-consolidator.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/dev.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/dev-hawk.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/design-decision-gate.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/dependabot-go-checker.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/dependabot-burner.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/delight.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/deep-report.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/dead-code-remover.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/daily-workflow-updater.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/daily-testify-uber-super-expert.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/daily-team-status.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/daily-team-evolution-insights.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/daily-syntax-error-quality.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/daily-semgrep-scan.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/daily-security-red-team.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/daily-secrets-analysis.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/daily-safe-outputs-conformance.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/daily-safe-output-optimizer.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/daily-safe-output-integrator.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/daily-repo-chronicle.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/daily-rendering-scripts-verifier.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/daily-regulatory.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/daily-performance-summary.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/daily-otel-instrumentation-advisor.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/daily-observability-report.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/daily-news.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/daily-multi-device-docs-tester.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/daily-mcp-concurrency-analysis.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/daily-malicious-code-scan.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/daily-issues-report.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/daily-integrity-analysis.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/daily-function-namer.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/daily-firewall-report.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/daily-file-diet.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/daily-fact.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/daily-doc-updater.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/daily-doc-healer.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/daily-compiler-quality.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/daily-community-attribution.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/daily-code-metrics.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/daily-cli-tools-tester.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/daily-cli-performance.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/daily-choice-test.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/daily-assign-issue-to-user.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/daily-architecture-diagram.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/craft.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/copilot-token-optimizer.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/copilot-token-audit.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/copilot-session-insights.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/copilot-pr-prompt-analysis.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/copilot-pr-nlp-analysis.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/copilot-pr-merged-report.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/copilot-cli-deep-research.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/copilot-agent-analysis.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/contribution-check.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/constraint-solving-potd.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/commit-changes-analyzer.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/codex-github-remote-mcp-test.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/code-simplifier.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/code-scanning-fixer.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/cloclo.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/cli-version-checker.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/cli-consistency-checker.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/claude-code-user-docs-review.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/ci-doctor.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/ci-coach.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/changeset.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/breaking-change-checker.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/brave.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/bot-detection.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/blog-auditor.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/auto-triage-issues.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/audit-workflows.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/artifacts-summary.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/architecture-guardian.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/archie.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/approach-validator.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/api-consumption-report.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/ai-moderator.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/agentic-observability-kit.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/agent-persona-explorer.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/agent-performance-analyzer.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
| .github/workflows/ace-editor.lock.yml | Removes dedicated firewall audit upload step; firewall paths included in agent upload. |
Copilot's findings
- Files reviewed: 202/202 changed files
- Comments generated: 2
| // Include firewall audit/observability logs in the unified agent artifact | ||
| // so all agent job outputs ship as a single artifact (AWF v0.25.0+). | ||
| if isFirewallEnabled(data) { | ||
| artifactPaths = append(artifactPaths, constants.AWFProxyLogsDir+"/") | ||
| artifactPaths = append(artifactPaths, constants.AWFAuditDir+"/") | ||
| } |
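Review bot: the guard around the two append calls is only isFirewallEnabled(data), while the comment directly above scopes the behaviour to AWF v0.25.0+. Either gate on the version as well or drop it from the comment, and state what the upload does when constants.AWFProxyLogsDir or constants.AWFAuditDir is missing at upload time. Because both directories now travel inside the unified agent artifact, it is also worth noting in the comment that every job that downloads that artifact will receive them.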
The wasm golden fixtures likely need additional updates beyond the two shown here. The compiler no longer emits the dedicated "Upload firewall audit logs" step, but at least pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden still contains that step, so TestWasmGolden_CompileFixtures will fail unless the remaining golden files are regenerated/updated to reflect firewall paths being included in the unified agent artifact.
| var artifactSetArtifacts = map[ArtifactSet][]string{ | ||
| ArtifactSetAll: nil, // no filtering – download all artifacts | ||
| ArtifactSetActivation: {constants.ActivationArtifactName}, | ||
| ArtifactSetAgent: {constants.AgentArtifactName}, | ||
| ArtifactSetMCP: {constants.FirewallAuditArtifactName}, | ||
| ArtifactSetFirewall: {constants.FirewallAuditArtifactName}, | ||
| ArtifactSetMCP: {constants.AgentArtifactName}, | ||
| ArtifactSetFirewall: {constants.AgentArtifactName}, |
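Review bot: with the two changed entries, ArtifactSetAgent, ArtifactSetMCP and ArtifactSetFirewall all map to constants.AgentArtifactName, so the three sets now select the same download and the map no longer explains why they are separate keys. Add a comment on the ArtifactSetMCP and ArtifactSetFirewall entries saying that their data now lives inside the agent artifact, in the same style as the existing comment on ArtifactSetAll.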
ArtifactSetMCP and ArtifactSetFirewall currently resolve only to the "agent" artifact. That breaks analysis for older workflow runs where firewall/MCP data lived in the legacy "firewall-audit-logs" artifact (which is still referenced for backward compatibility elsewhere). Since downloadRunArtifacts intersects the filter with the run’s actual artifact names, consider including both constants.AgentArtifactName and constants.FirewallAuditArtifactName in these sets so older runs still download the legacy artifact while newer runs only download agent.
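The filter intersection described in the comment above, as an added example that is not code from the pull request. `selectArtifacts`, `includesLegacy` and the two maps are hypothetical stand-ins; the artifact names agent and firewall-audit-logs are taken from this page, and the run listings are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Artifact names quoted on this page.
const (
	agentArtifact          = "agent"
	legacyFirewallArtifact = "firewall-audit-logs"
)

// Hypothetical artifact-set maps (not the project's own code):
// agentOnly mirrors the mapping shown in the hunk, withLegacy mirrors the
// mapping suggested in the review comment.
var agentOnly = map[string][]string{
	"mcp":      {agentArtifact},
	"firewall": {agentArtifact},
}

var withLegacy = map[string][]string{
	"mcp":      {agentArtifact, legacyFirewallArtifact},
	"firewall": {agentArtifact, legacyFirewallArtifact},
}

// Constructed run listings: a run produced after the merge and an older run
// that still uploaded the separate firewall artifact.
var currentRun = []string{"agent", "unrelated-artifact"}
var legacyRun = []string{"agent", "firewall-audit-logs", "unrelated-artifact"}

// selectArtifacts intersects a filter with the artifact names a run actually
// has, keeping the run's order. A nil filter means "no filtering".
func selectArtifacts(filter, runArtifacts []string) []string {
	if filter == nil {
		return append([]string(nil), runArtifacts...)
	}
	wanted := make(map[string]bool, len(filter))
	for _, name := range filter {
		wanted[name] = true
	}
	selected := []string{}
	for _, name := range runArtifacts {
		if wanted[name] {
			selected = append(selected, name)
		}
	}
	return selected
}

// includesLegacy reports whether a selection would download the legacy
// firewall artifact, which is where older runs keep their firewall/MCP data.
func includesLegacy(selected []string) bool {
	for _, name := range selected {
		if name == legacyFirewallArtifact {
			return true
		}
	}
	return false
}

func main() {
	cases := []struct {
		label string
		sets  map[string][]string
		run   []string
	}{
		{"agent-only filter, current run", agentOnly, currentRun},
		{"agent-only filter, legacy run", agentOnly, legacyRun},
		{"agent+legacy filter, current run", withLegacy, currentRun},
		{"agent+legacy filter, legacy run", withLegacy, legacyRun},
	}
	for _, c := range cases {
		got := selectArtifacts(c.sets["firewall"], c.run)
		fmt.Printf("%-34s -> [%s] legacy firewall data downloaded: %v\n",
			c.label, strings.Join(got, ", "), includesLegacy(got))
	}
}
```

The second case is the one the comment is about: the legacy run has the firewall artifact, but an agent-only filter never selects it.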
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...
Commit pushed:
The "Merge firewall-audit-logs into unified agent artifact" change (#25868) added firewall logs/audit files to the agent artifact. When the detection job downloads this artifact to /tmp/gh-aw/, it pre-populates the firewall directories with the agent job's squid.conf, cache.log, access.log, etc. AWF then fails to start the squid container (exit code 1) because it finds pre-existing files in its working directories.

Add a cleanup step that removes /tmp/gh-aw/sandbox/firewall/logs and /tmp/gh-aw/sandbox/firewall/audit before AWF starts in the detection job, giving it a clean slate.

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/74c377e1-155c-4c1d-82cf-688d4514387c
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
… crash The unified agent artifact now includes firewall logs/audit files (squid.conf, cache.log, access.log, etc.) since #25868. When the detection job downloads this artifact to /tmp/gh-aw/, it pre-populates the firewall directories with stale files from the agent job. AWF then fails to start the squid container (exit code 1). Add a cleanup step that removes /tmp/gh-aw/sandbox/firewall/logs and /tmp/gh-aw/sandbox/firewall/audit before AWF starts in the detection job. Also propagate Features to the detection download step so the cli-proxy image is included when that feature flag is enabled. Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Consolidates the separate `firewall-audit-logs` artifact into the unified `agent` artifact so each workflow run produces a single artifact containing all agent job outputs.

Compiler
- `AWFProxyLogsDir`, `AWFAuditDir`) to the unified artifact upload when firewall is enabled
- `generateFirewallAuditLogsUploadStep` — no longer needed

CLI (audit/logs)
- `ArtifactSetMCP` and `ArtifactSetFirewall` now resolve to `agent` instead of `firewall-audit-logs`
- `hasFirewallArtifact` checks gate on `AgentArtifactName` since firewall data now lives there
- `firewall-audit-logs` from `criticalArtifactNames` retry list
- `firewall-audit-logs/` directory searches retained in `token_usage.go` and `firewall_policy.go` for older runs

After flattening
The `flattenUnifiedArtifact` step already moves agent artifact contents to the run root, so firewall files land at `runDir/sandbox/firewall/logs/` and `runDir/sandbox/firewall/audit/` — exactly where `analyzeFirewallLogs` and `findPolicyManifestAndAudit` check first. No search path changes needed.

Lock files
All 187 workflow lock files recompiled. Each firewall-enabled workflow loses ~8 lines (the separate upload step) with the paths folded into the existing agent upload step.

Changeset
`agent` artifact and updated `gh aw logs`/`gh aw audit` artifact resolution to use `agent` with backward-compatible support for legacy `firewall-audit-logs` runs.

Warning
The following domains were blocked by the firewall during workflow execution:
- `ab.chatgpt.com`
- `chatgpt.com`

To allow these domains, add them to the `network.allowed` list in your workflow frontmatter:

See Network Configuration for more information.