Document firewall Docker socket restrictions

[Copilot]

Agent firewall docs did not mention Docker socket access is unsupported, leading to confusion about container spawning capabilities. Update the sandbox documentation to explicitly state the restriction and align reference examples.

• Agent firewall limitations
  • Add a focused warning that the firewall does not allow /var/run/docker.sock and prevents container spawning.
• Sandbox examples + reference sync
  • Replace Docker-based custom command samples with local wrapper commands.
  • Note that Docker socket mounts are unsupported in the frontmatter reference.
• Action pin integrity
  • Align the actions/github-script@v7.0.1 pin version and SHA with the upstream tag.

sandbox:
  agent:
    command: "/usr/local/bin/custom-awf-wrapper"
    mounts:
      - "/host/path:/container/path:ro"

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• telemetry.astro.build
  • Triggering command: /opt/hostedtoolcache/node/24.12.0/x64/bin/node node /home/REDACTED/work/gh-aw/gh-aw/docs/node_modules/.bin/astro build git -c tags/v1.0.0 log ache/node/24.12.0/x64/bin/node -n1 --format=format:-c d4cb1e1a84704032node install.js /usr/bin/networkctl stat�� -2924750469.cjs --no-legend (dns block)
  • Triggering command: /opt/hostedtoolcache/node/24.12.0/x64/bin/node node /home/REDACTED/work/gh-aw/gh-aw/docs/node_modules/.bin/astro build git cat-�� -3222423055.cjs 6a06edea37991debrun ache/node/24.12.--bundle it/ref/tags/v6 sh (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

Update the docs about agent firewall and mention that docker socket was no longer supported. The agent won't be able to spawn docker containers for security reasons

Custom agent used: technical-doc-writer
AI technical documentation writer for GitHub Actions library using GitHub Docs voice

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[Mossaka]

@copilot why this change?

[Copilot]

Updated action_pins.json to align the github-script@v7.0.1 pin with the upstream tag metadata (version+SHA) after the review flagged the mismatch. Commit: 6a06ede.