chore: upgrade gh-aw to v0.69.3 and recompile workflows #2170

Merged: lpcox merged 2 commits into main from upgrade-gh-aw-v0.69.3 on Apr 23, 2026

@lpcox (Collaborator) commented Apr 23, 2026

Summary

Upgrades the gh-aw extension to v0.69.3, recompiles all agentic workflow lock files, and adds a new Gemini engine smoke test.

Changes

Actions upgrades:

  • github/gh-aw/actions/setup → v0.69.3
  • github/gh-aw-actions/setup-cli → v0.69.3
  • github/gh-aw-actions/setup → v0.69.3
  • actions/github-script → v9.0.0

Container image pins updated:

  • gh-aw-firewall/* → 0.25.26
  • gh-aw-mcpg → v0.2.26 / v0.2.29

New workflow:

  • smoke-gemini.md — Gemini engine smoke test (mirrors smoke-copilot pattern). Requires GEMINI_API_KEY secret.

All 29 existing workflow lock files recompiled with post-processing.

Security review (safe-update)

  • New secret: GEMINI_API_KEY — Google Gemini API key, required for inference by the Gemini CLI engine. Used only within the AWF sandbox; not exposed to untrusted code. Safe to add.

- Bump github/gh-aw/actions/setup, github/gh-aw-actions/setup-cli,
  github/gh-aw-actions/setup to v0.69.3
- Bump actions/github-script from v8 to v9.0.0
- Update container image pins to awf 0.25.26 and mcpg v0.2.26/v0.2.29
- Recompile all 29 workflow lock files with post-processing

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 23, 2026 16:44
@lpcox lpcox requested a review from Mossaka as a code owner April 23, 2026 16:44
Copilot AI (Contributor) left a comment

Pull request overview

Upgrades the repo’s pinned gh-aw tooling to v0.69.3 and refreshes generated agentic workflow lock files to match the new compiler/action versions and updated container pinning.

Changes:

  • Bumps github/gh-aw-actions/setup (and related gh-aw setup actions) to v0.69.3 across workflow lock files.
  • Refreshes lock-file manifests to include digest-pinned container image references for the AWF components and MCP images.
  • Updates the agent documentation links to reference gh-aw v0.69.3.
Summary per file:

| File | Description |
| --- | --- |
| .github/workflows/update-release-notes.lock.yml | Regenerated lock with gh-aw v0.69.3, updated action pins and digest-pinned containers. |
| .github/workflows/test-coverage-improver.lock.yml | Regenerated lock with gh-aw v0.69.3, updated action pins and digest-pinned containers. |
| .github/workflows/smoke-opencode.lock.yml | Regenerated lock with gh-aw v0.69.3, updated action pins and digest-pinned containers. |
| .github/workflows/smoke-copilot.lock.yml | Regenerated lock with gh-aw v0.69.3, updated action pins and digest-pinned containers (mcpg v0.2.29). |
| .github/workflows/smoke-copilot-byok.lock.yml | Regenerated lock with gh-aw v0.69.3, updated action pins and digest-pinned containers. |
| .github/workflows/security-review.lock.yml | Regenerated lock with gh-aw v0.69.3, updated action pins and digest-pinned containers. |
| .github/workflows/security-guard.lock.yml | Regenerated lock with gh-aw v0.69.3, updated action pins and digest-pinned containers. |
| .github/workflows/plan.lock.yml | Regenerated lock with gh-aw v0.69.3, updated action pins and digest-pinned containers. |
| .github/workflows/issue-monster.lock.yml | Regenerated lock with gh-aw v0.69.3, updated action pins and digest-pinned containers. |
| .github/workflows/issue-duplication-detector.lock.yml | Regenerated lock with gh-aw v0.69.3, updated action pins and digest-pinned containers. |
| .github/workflows/firewall-issue-dispatcher.lock.yml | Regenerated lock with gh-aw v0.69.3, updated action pins and digest-pinned containers. |
| .github/workflows/doc-maintainer.lock.yml | Regenerated lock with gh-aw v0.69.3, updated action pins and digest-pinned containers. |
| .github/workflows/dependency-security-monitor.lock.yml | Regenerated lock with gh-aw v0.69.3, updated action pins and digest-pinned containers. |
| .github/workflows/copilot-token-usage-analyzer.lock.yml | Regenerated lock with gh-aw v0.69.3, updated action pins and digest-pinned containers. |
| .github/workflows/copilot-token-optimizer.lock.yml | Regenerated lock with gh-aw v0.69.3, updated action pins and digest-pinned containers. |
| .github/workflows/cli-flag-consistency-checker.lock.yml | Regenerated lock with gh-aw v0.69.3, updated action pins and digest-pinned containers. |
| .github/workflows/claude-token-usage-analyzer.lock.yml | Regenerated lock with gh-aw v0.69.3, updated action pins and digest-pinned containers. |
| .github/workflows/claude-token-optimizer.lock.yml | Regenerated lock with gh-aw v0.69.3, updated action pins and digest-pinned containers. |
| .github/workflows/ci-doctor.lock.yml | Regenerated lock with gh-aw v0.69.3, updated action pins and digest-pinned containers. |
| .github/aw/actions-lock.json | Updates action/version entries and adds container digest pins used by compilation/validation. |
| .github/agents/agentic-workflows.agent.md | Updates referenced gh-aw documentation links from v0.69.2 to v0.69.3. |

Copilot's findings

  • Files reviewed: 31/33 changed files
  • Comments generated: 0

@github-actions

This comment has been minimized.

@github-actions (Contributor)

Smoke Test Results

Status: PASS

💥 [THE END] — Illustrated by Smoke Claude

@github-actions (Contributor)

🤖 Smoke Test Results

Test Status
GitHub MCP — latest merged PR: "fix: correct firewall issue dispatcher tracking issue link format" (#2161)
GitHub.com connectivity — HTTP 200
File write/read — template vars unexpanded (pre-step data unavailable) ⚠️

Overall: PASS (core connectivity verified)

cc @lpcox — no assignees on this PR.

📰 BREAKING: Report filed by Smoke Copilot

@github-actions (Contributor)

🔥 Smoke Test: Copilot BYOK (Offline) Mode

Test Result
GitHub MCP (latest merged PR: #2161 "fix: correct firewall issue dispatcher tracking issue link format")
GitHub.com connectivity
File write/read
BYOK inference (agent → api-proxy → api.githubcopilot.com)

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com.

Overall: PASS | PR by @lpcox, no assignees.

🔑 BYOK report filed by Smoke Copilot BYOK

@github-actions (Contributor)

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia N/A ❌ CLONE_FAILED
Bun hono N/A ❌ CLONE_FAILED
C++ fmt N/A ❌ CLONE_FAILED
C++ json N/A ❌ CLONE_FAILED
Deno oak N/A ❌ CLONE_FAILED
Deno std N/A ❌ CLONE_FAILED
.NET hello-world N/A ❌ CLONE_FAILED
.NET json-parse N/A ❌ CLONE_FAILED
Go color N/A ❌ CLONE_FAILED
Go env N/A ❌ CLONE_FAILED
Go uuid N/A ❌ CLONE_FAILED
Java gson N/A ❌ CLONE_FAILED
Java caffeine N/A ❌ CLONE_FAILED
Node.js clsx N/A ❌ CLONE_FAILED
Node.js execa N/A ❌ CLONE_FAILED
Node.js p-limit N/A ❌ CLONE_FAILED
Rust fd N/A ❌ CLONE_FAILED
Rust zoxide N/A ❌ CLONE_FAILED

Overall: 0/8 ecosystems passed — ❌ FAIL


❌ Error Details

All repository clones failed. The gh repo clone command returned HTTP 403 for every test repository:

remote: access denied: unrecognized endpoint
fatal: unable to access '(localhost/redacted) The requested URL returned error: 403

Root cause: The GitHub CLI proxy sidecar (localhost:18443) does not allow cloning from the Mossaka organization/user — access is restricted to the github/gh-aw-firewall repository only. No tests could be executed.

Generated by Build Test Suite for issue #2170 · ● 177.4K ·

@github-actions (Contributor)

Smoke test results:

  • "fix: correct firewall issue dispatcher tracking issue link format" ✅
  • "Ensure Copilot bootstrap can find Node.js inside AWF chroot" ✅
  • Safe Inputs GH CLI (safeinputs-gh) ❌
  • Playwright github.com title contains GitHub ✅
  • Tavily search (GitHub Agentic Workflows Firewall) ❌
  • File write/read + bash cat
  • Discussion oracle comment ✅
  • npm ci && npm run build

Overall status: FAIL

Warning

⚠️ Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

@github-actions (Contributor)

Smoke Test Results: GitHub Actions Services Connectivity

| Check | Status | Details |
| --- | --- | --- |
| Redis PING (host.docker.internal:6379) | ❌ Failed | redis-cli not installed; port unreachable (connection timeout) |
| PostgreSQL pg_isready (host.docker.internal:5432) | ❌ Failed | no response — port unreachable (connection timeout) |
| PostgreSQL SELECT 1 (smoketest db) | ❌ Failed | Port unreachable; query could not run |

All checks failed. host.docker.internal resolves to 172.17.0.1 but both ports 6379 and 5432 timed out. The service containers may not be running, or firewall rules are blocking access from this environment.

🔌 Service connectivity validated by Smoke Services

@lpcox lpcox merged commit a2256b4 into main Apr 23, 2026
58 of 61 checks passed
@lpcox lpcox deleted the upgrade-gh-aw-v0.69.3 branch April 23, 2026 17:35