Update AWF firewall to v0.11.2 with ACT agent container (#11567)

* Initial plan

* Update AWF firewall to v0.11.2 and add --agent-image act flag

Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>

* Merge origin/main and regenerate lock files with AWF v0.11.2

Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>

* Add changeset [skip-ci]

* Add Go dev path mount to AWF containers

Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>

* Mount entire /opt/hostedtoolcache to AWF containers for all tools

Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>

* Merge origin/main and recompile workflows with AWF v0.11.2

Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>

* Add changeset [skip-ci]

* Add Go and Node runtimes to dev workflow

This ensures the agent has access to Go and Node.js for building
and testing the gh-aw project.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* Revert "Add Go and Node runtimes to dev workflow"

This reverts commit c82400e.

* Add hostedtoolcache PATH setup to Copilot engine AWF command

Tools installed via actions/setup-* (Go, Node, Python, etc.) are placed
in /opt/hostedtoolcache but the agent container doesn't have these paths
in PATH by default. This adds a PATH setup command that finds all bin
directories under /opt/hostedtoolcache and adds them to PATH before
running the copilot CLI inside the AWF container.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* Add runtime ecosystem domains to AWF firewall allowlist

When runtimes are specified in workflow frontmatter (e.g., go, node, python),
automatically add the corresponding ecosystem domains to the AWF firewall
allowlist. This allows workflows to download packages and dependencies
without explicitly specifying network permissions.

Runtime to ecosystem mapping:
- node, bun, deno → node ecosystem (npmjs.org, nodejs.org, etc.)
- python, uv → python ecosystem (pypi.org, etc.)
- go → go ecosystem (proxy.golang.org, etc.)
- java → java ecosystem (maven.apache.org, gradle.org, etc.)
- ruby → ruby ecosystem (rubygems.org, etc.)
- dotnet → dotnet ecosystem (nuget.org, etc.)
- haskell → haskell ecosystem (haskell.org, etc.)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* Add network allowlist for dev workflow tests

Add domains needed for running tests:
- ghcr.io, pkg-containers.githubusercontent.com: Docker image pulls
- proxy.golang.org, sum.golang.org, storage.googleapis.com: Go modules
- objects.githubusercontent.com, codeload.github.com: GitHub downloads

Also increase timeout to 30 minutes for full test suite.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Co-authored-by: Jiaxiao (mossaka) Zhou <duibao55328@gmail.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

Author: 4 people

.changeset/patch-update-awf-firewall-to-v0-11-2-act.md

@@ -1,109 +1,139 @@
 {
   "entries": {
-    "actions/ai-inference@v2.0.5": {
+    "actions/ai-inference@v2": {
       "repo": "actions/ai-inference",
-      "version": "v2.0.5",
+      "version": "v2",
       "sha": "a6101c89c6feaecc585efdd8d461f18bb7896f20"
     },
-    "actions/attest-build-provenance@v3.2.0": {
+    "actions/attest-build-provenance@v2": {
       "repo": "actions/attest-build-provenance",
-      "version": "v3.2.0",
-      "sha": "62fc1d596301d0ab9914e1fec14dc5c8d93f65cd"
+      "version": "v2",
+      "sha": "96b4a1ef7235a096b17240c259729fdd70c83d45"
     },
-    "actions/cache/restore@v5.0.2": {
+    "actions/cache/restore@v4.3.0": {
       "repo": "actions/cache/restore",
-      "version": "v5.0.2",
-      "sha": "8b402f58fbc84540c8b491a91e594a4576fec3d7"
+      "version": "v4.3.0",
+      "sha": "0057852bfaa89a56745cba8c7296529d2fc39830"
     },
-    "actions/cache/save@v5.0.2": {
+    "actions/cache/save@v4.3.0": {
       "repo": "actions/cache/save",
-      "version": "v5.0.2",
-      "sha": "8b402f58fbc84540c8b491a91e594a4576fec3d7"
+      "version": "v4.3.0",
+      "sha": "0057852bfaa89a56745cba8c7296529d2fc39830"
     },
-    "actions/cache@v5.0.2": {
+    "actions/cache@v4.3.0": {
       "repo": "actions/cache",
-      "version": "v5.0.2",
-      "sha": "8b402f58fbc84540c8b491a91e594a4576fec3d7"
+      "version": "v4.3.0",
+      "sha": "0057852bfaa89a56745cba8c7296529d2fc39830"
     },
-    "actions/checkout@v5": {
+    "actions/checkout@v4": {
       "repo": "actions/checkout",
-      "version": "v5",
+      "version": "v4",
+      "sha": "34e114876b0b11c390a56381ad16ebd13914f8d5"
+    },
+    "actions/checkout@v5.0.1": {
+      "repo": "actions/checkout",
+      "version": "v5.0.1",
       "sha": "93cb6efe18208431cddfb8368fd83d5badbf9bfd"
     },
     "actions/checkout@v6": {
       "repo": "actions/checkout",
       "version": "v6",
       "sha": "8e8c483db84b4bee98b60c0593521ed34d9990e8"
     },
-    "actions/checkout@v6.0.2": {
-      "repo": "actions/checkout",
-      "version": "v6.0.2",
-      "sha": "de0fac2e4500dabe0009e67214ff5f5447ce83dd"
-    },
-    "actions/create-github-app-token@v3.0.0-beta.2": {
+    "actions/create-github-app-token@v2.2.1": {
       "repo": "actions/create-github-app-token",
-      "version": "v3.0.0-beta.2",
-      "sha": "bf559f85448f9380bcfa2899dbdc01eb5b37be3a"
+      "version": "v2.2.1",
+      "sha": "29824e69f54612133e76f7eaac726eef6c875baf"
     },
-    "actions/download-artifact@v6": {
+    "actions/download-artifact@v6.0.0": {
       "repo": "actions/download-artifact",
-      "version": "v6",
+      "version": "v6.0.0",
       "sha": "018cc2cf5baa6db3ef3c5f8a56943fffe632ef53"
     },
-    "actions/download-artifact@v7": {
-      "repo": "actions/download-artifact",
-      "version": "v7",
-      "sha": "37930b1c2abaa49bbe596cd826c3c89aef350131"
-    },
     "actions/github-script@v7": {
       "repo": "actions/github-script",
       "version": "v7",
       "sha": "f28e40c7f34bde8b3046d885e986cb6290c5673b"
     },
-    "actions/github-script@v8": {
+    "actions/github-script@v7.0.1": {
+      "repo": "actions/github-script",
+      "version": "v7.0.1",
+      "sha": "60a0d83039c74a4aee543508d2ffcb1c3799cdea"
+    },
+    "actions/github-script@v8.0.0": {
       "repo": "actions/github-script",
-      "version": "v8",
+      "version": "v8.0.0",
       "sha": "ed597411d8f924073f98dfc5c65a23a2325f34cd"
     },
-    "actions/setup-dotnet@v5.1.0": {
+    "actions/setup-dotnet@v4": {
       "repo": "actions/setup-dotnet",
-      "version": "v5.1.0",
-      "sha": "baa11fbfe1d6520db94683bd5c7a3818018e4309"
+      "version": "v4.3.1",
+      "sha": "67a3573c9a986a3f9c594539f4ab511d57bb3ce9"
     },
-    "actions/setup-go@v6.2.0": {
+    "actions/setup-go@v6": {
       "repo": "actions/setup-go",
-      "version": "v6.2.0",
+      "version": "v6",
       "sha": "7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5"
     },
-    "actions/setup-java@v5.2.0": {
+    "actions/setup-go@v6.1.0": {
+      "repo": "actions/setup-go",
+      "version": "v6.1.0",
+      "sha": "4dc6199c7b1a012772edbd06daecab0f50c9053c"
+    },
+    "actions/setup-java@v4": {
       "repo": "actions/setup-java",
-      "version": "v5.2.0",
-      "sha": "be666c2fcd27ec809703dec50e508c2fdc7f6654"
+      "version": "v4.8.0",
+      "sha": "c1e323688fd81a25caa38c78aa6df2d33d3e20d9"
     },
-    "actions/setup-node@v6.2.0": {
+    "actions/setup-node@v6": {
       "repo": "actions/setup-node",
-      "version": "v6.2.0",
+      "version": "v6",
       "sha": "6044e13b5dc448c55e2357c09f80417699197238"
     },
-    "actions/setup-python@v6.2.0": {
+    "actions/setup-node@v6.1.0": {
+      "repo": "actions/setup-node",
+      "version": "v6.1.0",
+      "sha": "395ad3262231945c25e8478fd5baf05154b1d79f"
+    },
+    "actions/setup-python@v5.6.0": {
       "repo": "actions/setup-python",
-      "version": "v6.2.0",
-      "sha": "a309ff8b426b58ec0e2a45f0f869d46889d02405"
+      "version": "v5.6.0",
+      "sha": "a26af69be951a213d495a4c3e4e4022e16d87065"
     },
-    "actions/upload-artifact@v6": {
+    "actions/upload-artifact@v4": {
       "repo": "actions/upload-artifact",
-      "version": "v6",
+      "version": "v4.6.2",
+      "sha": "ea165f8d65b6e75b540449e92b4886f43607fa02"
+    },
+    "actions/upload-artifact@v5.0.0": {
+      "repo": "actions/upload-artifact",
+      "version": "v5.0.0",
+      "sha": "330a01c490aca151604b8cf639adc76d48f6c5d4"
+    },
+    "actions/upload-artifact@v6.0.0": {
+      "repo": "actions/upload-artifact",
+      "version": "v6.0.0",
       "sha": "b7c566a772e6b6bfb58ed0dc250532a479d7789f"
     },
-    "anchore/sbom-action@v0.22.0": {
+    "anchore/sbom-action@v0": {
       "repo": "anchore/sbom-action",
-      "version": "v0.22.0",
+      "version": "v0",
       "sha": "62ad5284b8ced813296287a0b63906cb364b73ee"
     },
-    "astral-sh/setup-uv@v7.2": {
+    "anchore/sbom-action@v0.20.10": {
+      "repo": "anchore/sbom-action",
+      "version": "v0.20.10",
+      "sha": "fbfd9c6c189226748411491745178e0c2017392d"
+    },
+    "anchore/sbom-action@v0.20.11": {
+      "repo": "anchore/sbom-action",
+      "version": "v0.20.11",
+      "sha": "43a17d6e7add2b5535efe4dcae9952337c479a93"
+    },
+    "astral-sh/setup-uv@v5.4.2": {
       "repo": "astral-sh/setup-uv",
-      "version": "v7.2",
-      "sha": "3ae150cc9da67abcd31089a802e239773e6a2cb5"
+      "version": "v5.4.2",
+      "sha": "d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86"
     },
     "cli/gh-extension-precompile@v2.1.0": {
       "repo": "cli/gh-extension-precompile",
@@ -115,70 +145,70 @@
       "version": "v2.0.3",
       "sha": "e95548e56dfa95d4e1a28d6f422fafe75c4c26fb"
     },
-    "docker/build-push-action@v6.18.0": {
+    "docker/build-push-action@v6": {
       "repo": "docker/build-push-action",
-      "version": "v6.18.0",
+      "version": "v6",
       "sha": "263435318d21b8e681c14492fe198d362a7d2c83"
     },
-    "docker/login-action@v3.6.0": {
+    "docker/login-action@v3": {
       "repo": "docker/login-action",
-      "version": "v3.6.0",
+      "version": "v3",
       "sha": "5e57cd118135c172c3672efd75eb46360885c0ef"
     },
-    "docker/metadata-action@v5.10.0": {
+    "docker/metadata-action@v5": {
       "repo": "docker/metadata-action",
-      "version": "v5.10.0",
+      "version": "v5",
       "sha": "c299e40c65443455700f0fdfc63efafe5b349051"
     },
-    "docker/setup-buildx-action@v3.12.0": {
+    "docker/setup-buildx-action@v3": {
       "repo": "docker/setup-buildx-action",
-      "version": "v3.12.0",
+      "version": "v3",
       "sha": "8d2750c68a42422c14e847fe6c8ac0403b4cbd6f"
     },
     "erlef/setup-beam@v1": {
       "repo": "erlef/setup-beam",
       "version": "v1.20.4",
       "sha": "dff508cca8ce57162e7aa6c4769a4f97c2fed638"
     },
-    "github/codeql-action/upload-sarif@v4.32.0": {
+    "github/codeql-action/upload-sarif@v3": {
       "repo": "github/codeql-action/upload-sarif",
-      "version": "v4.32.0",
-      "sha": "e6985fd516cce3b1a0e8db34a4013d2e50a1e252"
+      "version": "v3.31.9",
+      "sha": "70c165ac82ca0e33a10e9741508dd0ccb4dcf080"
     },
     "github/stale-repos@v3": {
       "repo": "github/stale-repos",
       "version": "v3",
       "sha": "3477b6488008d9411aaf22a0924ec7c1f6a69980"
     },
-    "github/stale-repos@v8.0.4": {
+    "github/stale-repos@v3.0.2": {
       "repo": "github/stale-repos",
-      "version": "v8.0.4",
-      "sha": "6084a41431c4ce8842a7e879b1a15082b88742ae"
+      "version": "v3.0.2",
+      "sha": "a21e55567b83cf3c3f3f9085d3038dc6cee02598"
     },
-    "haskell-actions/setup@v2.10.3": {
+    "haskell-actions/setup@v2": {
       "repo": "haskell-actions/setup",
-      "version": "v2.10.3",
-      "sha": "9cd1b7bf3f36d5a3c3b17abc3545bfb5481912ea"
+      "version": "v2.9.1",
+      "sha": "55073cbd0e96181a9abd6ff4e7d289867dffc98d"
     },
-    "oven-sh/setup-bun@v2.1.2": {
+    "oven-sh/setup-bun@v2": {
       "repo": "oven-sh/setup-bun",
-      "version": "v2.1.2",
-      "sha": "3d267786b128fe76c2f16a390aa2448b815359f3"
+      "version": "v2.0.2",
+      "sha": "735343b667d3e6f658f44d0eca948eb6282f2b76"
     },
-    "ruby/setup-ruby@v1.286.0": {
+    "ruby/setup-ruby@v1": {
       "repo": "ruby/setup-ruby",
-      "version": "v1.286.0",
-      "sha": "90be1154f987f4dc0fe0dd0feedac9e473aa4ba8"
+      "version": "v1.275.0",
+      "sha": "d354de180d0c9e813cfddfcbdc079945d4be589b"
     },
     "super-linter/super-linter@v8.2.1": {
       "repo": "super-linter/super-linter",
       "version": "v8.2.1",
       "sha": "2bdd90ed3262e023ac84bf8fe35dc480721fc1f2"
     },
-    "super-linter/super-linter@v8.3.2": {
+    "super-linter/super-linter@v8.3.1": {
       "repo": "super-linter/super-linter",
-      "version": "v8.3.2",
-      "sha": "d5b0a2ab116623730dd094f15ddc1b6b25bf7b99"
+      "version": "v8.3.1",
+      "sha": "47984f49b4e87383eed97890fe2dca6063bbd9c3"
     }
   }
 }