Enable firewall (AWF) for smoke-copilot and smoke-copilot-playwright workflows

[Copilot]

• Changed sandbox.agent: false to sandbox.agent: awf for smoke-copilot.md
• Changed sandbox.agent: false to sandbox.agent: awf for smoke-copilot-playwright.md
• Regenerated lock files with AWF installation and log parsing steps
• Left smoke-copilot-no-firewall.md unchanged (for no-firewall testing)
• Merged origin/main and recompiled lock files

CI Failure Analysis:
Both smoke-copilot and smoke-copilot-playwright workflows fail with:

Error executing prompt: Error: Directory does not exist or cannot be accessed: /home/runner/work/gh-aw/gh-aw

Root cause: The Copilot CLI's --add-dir validation fails inside the AWF container, even though the workspace is correctly mounted. This appears to be an AWF/Copilot CLI compatibility issue that requires investigation in the gh-aw-firewall repository.

Original prompt

enable firewall (awf) for smoke copilot and other AW that runs copilot engine

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[github-actions]

📰 DEVELOPING STORY: Smoke Copilot reports failed. Our correspondents are investigating the incident...

[github-actions]

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰

[github-actions]

🤖 DIAGNOSTIC COMPLETE: Smoke Copilot No Firewall STATUS: ALL_UNITS_OPERATIONAL. MISSION_SUCCESS.

[github-actions]

💀 Blimey! Smoke Copilot Safe Inputs failed and walked the plank! No treasure today, matey! ☠️

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[Mossaka]

@copilot please debug and figure out why https://github.com/githubnext/gh-aw/actions/runs/20355160413/job/58488921366?pr=6901 and https://github.com/githubnext/gh-aw/actions/runs/20355160424/job/58488922722?pr=6901 are failing

[Copilot]

@copilot please debug and figure out why https://github.com/githubnext/gh-aw/actions/runs/20355160413/job/58488921366?pr=6901 and https://github.com/githubnext/gh-aw/actions/runs/20355160424/job/58488...

I analyzed the CI failures at https://github.com/githubnext/gh-aw/actions/runs/20355160413/job/58488921366 and https://github.com/githubnext/gh-aw/actions/runs/20355160424/job/58488922722.

Root cause: The Copilot CLI fails with "Directory does not exist or cannot be accessed: /home/runner/work/gh-aw/gh-aw" when running inside the AWF container.

Analysis:

• AWF correctly mounts the workspace: --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw"
• AWF sets container workdir: --container-workdir "${GITHUB_WORKSPACE}"
• Copilot CLI runs with --add-dir "${GITHUB_WORKSPACE}"
• But Copilot CLI validation for --add-dir fails inside the container

Possible causes:

1. Timing issue - Copilot CLI validates directory before mount is fully accessible
2. Permission issue - awfuser (UID: 1000) may not have read permissions on the mounted workspace
3. AWF version mismatch - The installed binary reports version 0.1.0 but was downloaded from v0.6.0 release

Recommendation: This appears to be an AWF/Copilot CLI compatibility issue, not a problem with the workflow configuration. The changes made (switching sandbox.agent: false → sandbox.agent: awf) are correct. The issue may need to be investigated in the gh-aw-firewall repository or with the Copilot CLI team.

[pelikhan]

@copilot merge main

[Copilot]

@copilot merge main

Merged main branch and recompiled lock files in commit 4e007ed.

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰

[github-actions]

🤖 DIAGNOSTIC COMPLETE: Smoke Copilot No Firewall STATUS: ALL_UNITS_OPERATIONAL. MISSION_SUCCESS.

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

🎉 Yo ho ho! Smoke Copilot Safe Inputs found the treasure and completed successfully! ⚓💰

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

Smoke Test Results

Last 2 Merged PRs:

• [WIP] Refactor duplicated workflow scaffolding for issues and PRs #6909: "[WIP] Refactor duplicated workflow scaffolding for issues and PRs"
• Bump gh-aw-firewall version from v0.6.0 to v0.7.0 #6898: "Bump gh-aw-firewall version from v0.6.0 to v0.7.0"

Test Results:

• ✅ GitHub MCP Testing
• ✅ File Writing Testing
• ✅ Bash Tool Testing
• ✅ GitHub MCP Default Toolset (get_me unavailable as expected)
• ✅ Cache Memory Testing

Status: PASS

PR Author: @Copilot | Assignees: @Mossaka, @Copilot

📰 BREAKING: Report filed by Smoke Copilot fer issue #6901 🗺️

[github-actions]

Last merged PRs: "Bump gh-aw-firewall version from v0.6.0 to v0.7.0", "Disable sandbox.agent: false in strict mode for copilot engine".
Tests: ✅ GitHub MCP PR lookup; ✅ /tmp/gh-aw/agent smoke file write/read; ✅ Playwright title contains "GitHub"; ✅ cache-memory file write/read; ❌ safeinputs-gh "gh issues list --limit 3" (tool unavailable).
Overall: FAIL (safeinputs-gh missing).

🔮 The oracle has spoken through Smoke Codex fer issue #6901 🗺️

[github-actions]

Smoke Test Results: PASS ✅

Last 2 Merged PRs:

• Disable sandbox.agent: false in strict mode for copilot engine #6903: Disable sandbox.agent: false in strict mode for copilot engine
• Remove stdio mode from safe-inputs, keep HTTP-only transport #6900: Remove stdio mode from safe-inputs, keep HTTP-only transport

Test Results:

• ✅ GitHub MCP (fetched PR data)
• ✅ File Writing (/tmp/gh-aw/agent/smoke-test-copilot-20359671791.txt)
• ✅ Bash Tool (verified file creation)
• ✅ Playwright MCP (GitHub page title verified: "GitHub · Change is constant. GitHub keeps you ahead. · GitHub")
• ✅ safeinputs-gh Tool (prepared issue list request)

Overall Status: PASS

🤖 DIAGNOSTIC REPORT GENERATED BY Smoke Copilot No Firewall fer issue #6901 🗺️

[github-actions]

Smoke Test Results for Claude (Run 20359671810)

Last 2 Merged PRs:

• [WIP] Refactor duplicated workflow scaffolding for issues and PRs #6909: [WIP] Refactor duplicated workflow scaffolding for issues and PRs
• Bump gh-aw-firewall version from v0.6.0 to v0.7.0 #6898: Bump gh-aw-firewall version from v0.6.0 to v0.7.0

Test Results:
✅ GitHub MCP - Retrieved merged PRs
✅ File Writing - Created /tmp/gh-aw/agent/smoke-test-claude-20359671810.txt
✅ Bash Tool - Verified file creation
✅ Playwright MCP - Navigated to github.com (title contains "GitHub")
✅ Cache Memory - Created /tmp/gh-aw/cache-memory/smoke-test-20359671810.txt
❌ Safe Input gh Tool - gh CLI not authenticated in Actions (expected)

Overall Status: PASS (5/6 tests passed, gh CLI failure is environment limitation)

💥 [THE END] — Illustrated by Smoke Claude fer issue #6901 🗺️

[github-actions]

Smoke Test Results - Copilot Engine

Last 2 Merged PRs: ❌ (GitHub MCP/API auth failed)
File Writing: ✅ Created /tmp/gh-aw/agent/smoke-test-copilot-20359671798.txt
Bash Tool: ✅ Verified file contents successfully
Serena MCP: ❌ (@skillz/cli not available in npm registry)
Safe Input gh Tool: ❌ (safeinputs-gh tool not found in PATH)

Overall Status: ❌ FAIL - 2/5 tests passed

Environment lacks GitHub auth token, safeinputs-gh tool, and Serena MCP access.

Ahoy! This treasure was crafted by 🏴‍☠️ Smoke Copilot Safe Inputs fer issue #6901 🗺️