Conversation
Convert firewall-issue-dispatcher, smoke-copilot, and smoke-services from features.cli-proxy to features.byok-copilot. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Copilot engine workflows: byok-copilot: true
- Non-copilot engine workflows (claude, codex, opencode): cli-proxy: true
All 29 workflows now have explicit feature flags for proxy support.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The agent was timing out at 5 minutes with Redis + PostgreSQL services. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
This reverts commit cf1f942.
This reverts commit 731e68d.
This reverts commit e73a18b.
Update ghcr.io/github/gh-aw-mcpg from v0.2.22 to v0.2.23 across all 29 workflow lock files. This picks up the DIFC proxy fix for /api/graphql 404 errors on github.com repos. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Update build-test.lock.yml to mcpg v0.2.24 and export SSL trust environment variables (GIT_SSL_CAINFO, SSL_CERT_FILE, NODE_EXTRA_CA_CERTS, CURL_CA_BUNDLE, REQUESTS_CA_BUNDLE) before the AWF command so that git/curl/node inside the container trust the DIFC proxy's TLS certificate.
This fixes the 'SSL certificate problem: unable to get local issuer certificate' error that caused all 18 gh repo clone operations to fail in the Build Test Suite.
Refs: gh-aw-mcpg#4041, gh-aw-mcpg#4042
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
✅ Coverage Check Passed
Overall Coverage
📁 Per-file Coverage Changes (1 files)
Pull request overview
This PR updates a large set of agentic workflow sources (.md) and their compiled lock workflows (.lock.yml) to shift Copilot-based runs toward BYOK/offline configuration (via features: byok-copilot: true), while keeping/adding cli-proxy for non-Copilot engines where needed. It also refreshes related compiled artifacts (e.g., mcpg image version bumps) and expands the maintenance workflow to support additional operations and workflow_call.
Changes:
- Add `features: byok-copilot: true` across many Copilot-backed workflow sources, and adjust related compiled lock workflows (including COPILOT env defaults, timeouts, and proxy setup).
- Enable `features: cli-proxy: true` for several non-Copilot workflows (OpenCode/Codex/Claude/etc.) and update corresponding lock workflows and proxy wiring.
- Update `.github/workflows/agentics-maintenance.yml` to support more operations, add `workflow_call`, and add workflow validation + cache-memory cleanup capabilities.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/update-release-notes.md | Adds byok-copilot feature flag to the workflow source. |
| .github/workflows/test-coverage-improver.md | Adds byok-copilot feature flag to the workflow source. |
| .github/workflows/smoke-services.md | Switches feature flag to byok-copilot; increases timeout. |
| .github/workflows/smoke-services.lock.yml | Updates compiled workflow (mcpg bump, Copilot CLI install change, timeout, BYOK env defaults). |
| .github/workflows/smoke-opencode.md | Enables cli-proxy feature for OpenCode workflow source. |
| .github/workflows/smoke-opencode.lock.yml | Updates compiled OpenCode workflow (mcpg bump, adds CLI proxy lifecycle steps, difc proxy flags). |
| .github/workflows/smoke-copilot.md | Switches feature flag to byok-copilot for Copilot smoke source. |
| .github/workflows/smoke-copilot.lock.yml | Updates compiled Copilot workflow (mcpg bump, Copilot CLI install change, BYOK env defaults). |
| .github/workflows/smoke-copilot-byok.lock.yml | Updates compiled BYOK Copilot workflow (mcpg bump, adds GH_TOKEN + CLI proxy lifecycle). |
| .github/workflows/smoke-codex.md | Enables cli-proxy feature for Codex workflow source. |
| .github/workflows/smoke-claude.md | Enables cli-proxy feature for Claude workflow source. |
| .github/workflows/smoke-chroot.md | Enables cli-proxy feature for chroot Copilot workflow source. |
| .github/workflows/smoke-chroot.lock.yml | Updates compiled workflow (mcpg bump, switches prompt include to cli-proxy prompt). |
| .github/workflows/security-review.md | Adds byok-copilot feature flag to the workflow source. |
| .github/workflows/security-review.lock.yml | Updates compiled workflow (mcpg bump, Copilot CLI install change, proxy prompt switch). |
| .github/workflows/security-guard.md | Enables cli-proxy feature for security-guard workflow source. |
| .github/workflows/secret-digger-copilot.md | Adds byok-copilot feature flag to the workflow source. |
| .github/workflows/secret-digger-codex.md | Enables cli-proxy feature for Codex secret-digger source. |
| .github/workflows/secret-digger-claude.md | Enables cli-proxy feature for Claude secret-digger source. |
| .github/workflows/plan.md | Adds byok-copilot feature flag to the workflow source. |
| .github/workflows/pelis-agent-factory-advisor.md | Adds byok-copilot feature flag to the workflow source. |
| .github/workflows/issue-monster.md | Adds byok-copilot feature flag to the workflow source. |
| .github/workflows/issue-monster.lock.yml | Updates compiled workflow (mcpg bump, Copilot CLI install change, BYOK env defaults). |
| .github/workflows/issue-duplication-detector.md | Adds byok-copilot feature flag to the workflow source. |
| .github/workflows/firewall-issue-dispatcher.md | Switches feature flag to byok-copilot for the workflow source. |
| .github/workflows/firewall-issue-dispatcher.lock.yml | Updates compiled workflow (mcpg bump, Copilot CLI install change, BYOK env defaults). |
| .github/workflows/doc-maintainer.md | Adds byok-copilot feature flag to the workflow source. |
| .github/workflows/dependency-security-monitor.md | Adds byok-copilot feature flag to the workflow source. |
| .github/workflows/copilot-token-usage-analyzer.md | Adds byok-copilot feature flag to the workflow source. |
| .github/workflows/copilot-token-usage-analyzer.lock.yml | Updates compiled workflow (mcpg bump, Copilot CLI install change, BYOK env defaults). |
| .github/workflows/copilot-token-optimizer.md | Adds byok-copilot feature flag to the workflow source. |
| .github/workflows/copilot-token-optimizer.lock.yml | Updates compiled workflow (mcpg bump, Copilot CLI install change, BYOK env defaults). |
| .github/workflows/cli-flag-consistency-checker.md | Adds byok-copilot feature flag to the workflow source. |
| .github/workflows/cli-flag-consistency-checker.lock.yml | Updates compiled workflow (mcpg bump, Copilot CLI install change, BYOK env defaults). |
| .github/workflows/claude-token-usage-analyzer.md | Adds byok-copilot feature flag to the workflow source. |
| .github/workflows/claude-token-usage-analyzer.lock.yml | Updates compiled workflow (mcpg bump, Copilot CLI install change, BYOK env defaults). |
| .github/workflows/claude-token-optimizer.md | Adds byok-copilot feature flag to the workflow source. |
| .github/workflows/claude-token-optimizer.lock.yml | Updates compiled workflow (mcpg bump, Copilot CLI install change, BYOK env defaults). |
| .github/workflows/ci-doctor.md | Adds byok-copilot feature flag to the workflow source. |
| .github/workflows/ci-doctor.lock.yml | Updates compiled workflow (mcpg bump, Copilot CLI install change, BYOK env defaults). |
| .github/workflows/ci-cd-gaps-assessment.md | Adds byok-copilot feature flag to the workflow source. |
| .github/workflows/build-test.md | Adds byok-copilot feature flag to the workflow source. |
| .github/workflows/agentics-maintenance.yml | Expands maintenance operations, adds workflow_call, and adds validation + cache-memory cleanup jobs. |
| .github/aw/actions-lock.json | Adds a lock entry for github/gh-aw-actions/setup-cli@v0.68.7. |
Copilot's findings
- Files reviewed: 1/1 changed files
- Comments generated: 0
The cli-proxy entrypoint sets SSL_CERT_FILE (for Go's gh CLI) and NODE_EXTRA_CA_CERTS (for Node.js), but when `gh repo clone` shells out to `git`, it uses OpenSSL which reads GIT_SSL_CAINFO — not SSL_CERT_FILE.
Changes:
- Add GIT_SSL_CAINFO export pointing to the combined CA bundle in containers/cli-proxy/entrypoint.sh
- Add GIT_SSL_CAINFO to PROTECTED_ENV_KEYS in server.js to prevent agent override of the TLS trust store
- Remove unnecessary SSL env var exports from build-test.lock.yml (those were in the agent container, but git runs in the cli-proxy)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
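The two TLS-trust commits above describe pinning the CA bundle in the proxy and refusing agent overrides of it. A sketch of that kind of environment filter, as an added example that is not the project's server.js: `buildChildEnv`, `isProtected`, the `GIT_CONFIG_` prefix rule, the two verification-disabling keys and the bundle path are assumptions made for illustration.

```javascript
// Added example, not the project's server.js. Key list beyond the five
// variables named in this PR, the prefix rule, and all paths are assumptions.
const PROTECTED_ENV_KEYS = new Set([
  'SSL_CERT_FILE', 'NODE_EXTRA_CA_CERTS', 'GIT_SSL_CAINFO',
  'CURL_CA_BUNDLE', 'REQUESTS_CA_BUNDLE',
  // Assumed additions: these switch certificate verification off entirely.
  'GIT_SSL_NO_VERIFY', 'NODE_TLS_REJECT_UNAUTHORIZED',
]);

// git also takes configuration from GIT_CONFIG_* variables, which can set
// http.sslCAInfo without touching GIT_SSL_CAINFO, so the family is refused.
const PROTECTED_ENV_PREFIXES = ['GIT_CONFIG_'];

function isProtected(key) {
  // Upper-casing is stricter than Linux requires (names are case-sensitive).
  const k = key.toUpperCase();
  return PROTECTED_ENV_KEYS.has(k) ||
    PROTECTED_ENV_PREFIXES.some((prefix) => k.startsWith(prefix));
}

// Merge agent-requested variables over the proxy's own environment, dropping
// protected keys and non-string values. Returns the child env plus the
// rejected names so the caller can log them.
function buildChildEnv(proxyEnv, agentEnv) {
  const env = { ...proxyEnv };
  const rejected = [];
  for (const [key, value] of Object.entries(agentEnv || {})) {
    if (typeof value !== 'string' || isProtected(key)) {
      rejected.push(key);
      continue;
    }
    env[key] = value;
  }
  return { env, rejected: rejected.sort() };
}

// Constructed sample: the proxy's pinned trust settings and an agent request.
const sampleProxyEnv = {
  PATH: '/usr/bin',
  SSL_CERT_FILE: '/tmp/ca/combined.crt',   // placeholder bundle path
  GIT_SSL_CAINFO: '/tmp/ca/combined.crt',
};
const sampleAgentEnv = {
  GH_REPO: 'octo/example',
  GIT_SSL_CAINFO: '/workspace/other-ca.crt',
  GIT_CONFIG_COUNT: '1',
};
const sampleResult = buildChildEnv(sampleProxyEnv, sampleAgentEnv);
console.log(sampleResult.rejected, sampleResult.env.GIT_SSL_CAINFO);
```

Logging the rejected names gives a detection signal when a workflow tries to change the trust store.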
Smoke Test Results
Overall: PASS
Smoke Test: GitHub Actions Services Connectivity ✅
All checks passed.
Chroot Version Comparison Results
Overall: ❌ Not all tests passed — Python and Node.js versions differ between host and chroot.
🏗️ Build Test Suite Results
Overall: 8/8 ecosystems passed — ✅ PASS
The agent was hitting the max turns limit and exiting with code 1 before completing its review. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Smoke Test Results —
Overall: PASS
Smoke Test: Copilot BYOK (Offline Mode) — PASS ✅
Running in BYOK offline mode ( Author:
No description provided.