feat: bump AWF to v0.25.10 and use lightweight esbuild bundle #23993
Pull request overview
This PR bumps the default gh-aw-firewall (AWF) version to v0.25.10 and updates the AWF installation script to prefer the new lightweight awf-bundle.js release asset when Node.js >= 20 is available, reducing download size on GitHub-hosted runners.
Changes:
- Bump AWF default version from v0.25.6 to v0.25.10.
- Update install_awf_binary.sh to install awf-bundle.js via a Node wrapper when Node >= 20, otherwise fall back to platform-specific pkg binaries.
- Update wasm golden fixtures to reflect the new AWF version and image tags.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| pkg/constants/version_constants.go | Updates the default AWF version constant to v0.25.10. |
| actions/setup/sh/install_awf_binary.sh | Adds bundle-first install strategy with checksum verification and binary fallback. |
| pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/with-imports.golden | Updates golden output to reference v0.25.10 and updated container image tags. |
| pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/basic-copilot.golden | Updates golden output to reference v0.25.10 and updated container image tags. |
| if has_node_20; then | ||
| install_bundle | ||
| else | ||
| echo "Node.js >= 20 not available, falling back to platform binary..." |
Bundle install path is attempted solely based on Node.js availability. For versions that don’t publish awf-bundle.js (e.g., callers still passing v0.25.6), curl/checksum lookup will fail under set -e and the script will exit without falling back to the pkg binary. Please make install_bundle a best-effort attempt (e.g., return non-zero on 404/missing checksum) and only commit to bundle mode if download + checksum verification succeeds; otherwise fall back to the platform binary.
| if has_node_20; then | |
| install_bundle | |
| else | |
| echo "Node.js >= 20 not available, falling back to platform binary..." | |
| if has_node_20 && install_bundle; then | |
| echo "Bundle installation succeeded; skipping platform-specific binary install." | |
| else | |
| if ! has_node_20; then | |
| echo "Node.js >= 20 not available, falling back to platform binary..." | |
| else | |
| echo "Bundle installation failed, falling back to platform binary..." | |
| fi |
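Review bot: In `if has_node_20 && install_bundle; then`, install_bundle now runs as part of an if condition, and in that context bash ignores `set -e` for the whole function body, so a failed download or checksum step inside it no longer stops the function by itself. Each step in install_bundle needs an explicit `|| return 1` before the wrapper is written, otherwise the condition can report success for a bundle that was never verified. The `if ! has_node_20` in the else branch also repeats the check; keeping the first result in a variable avoids evaluating it twice.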
| # Create wrapper script | ||
| sudo tee "${AWF_INSTALL_DIR}/${AWF_INSTALL_NAME}" > /dev/null <<'WRAPPER' | ||
| #!/bin/bash | ||
| exec node /usr/local/lib/awf/awf-bundle.js "$@" |
The generated wrapper runs exec node ... via PATH. This is brittle under sudo (many environments enforce secure_path, so root may not be able to find the same node binary) and can also enable PATH hijacking if awf is later executed with elevated privileges. Consider resolving node to an absolute path at install time (and optionally validating it’s not from the workspace), then hardcoding that path in the wrapper and/or setting a minimal safe PATH inside the wrapper before exec.
| # Create wrapper script | |
| sudo tee "${AWF_INSTALL_DIR}/${AWF_INSTALL_NAME}" > /dev/null <<'WRAPPER' | |
| #!/bin/bash | |
| exec node /usr/local/lib/awf/awf-bundle.js "$@" | |
| # Resolve absolute Node.js path for wrapper to avoid PATH-based exec | |
| local node_path | |
| node_path="$(command -v node || true)" | |
| if [ -z "${node_path}" ]; then | |
| echo "ERROR: Failed to resolve Node.js path during bundle installation" | |
| exit 1 | |
| fi | |
| # Create wrapper script | |
| sudo tee "${AWF_INSTALL_DIR}/${AWF_INSTALL_NAME}" > /dev/null <<WRAPPER | |
| #!/bin/bash | |
| # Use a minimal, safe PATH and invoke Node.js via its absolute path | |
| PATH="/usr/local/bin:/usr/bin" | |
| export PATH | |
| exec ${node_path} /usr/local/lib/awf/awf-bundle.js "\$@" |
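Review bot: `exec ${node_path} ...` in the now unquoted WRAPPER heredoc writes the resolved path into a sudo-installed script without quoting, so a path containing spaces or shell metacharacters would be split or interpreted when the wrapper runs; emit it quoted, as in `exec "${node_path}" ...`. The `exit 1` on an empty node_path ends the whole script from inside install_bundle, which rules out falling back to the platform binary, so `return 1` fits better there. It is also worth checking that node_path starts with `/` and is executable, because `command -v` prints a bare name when `node` resolves to a shell function or alias.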
| install_bundle() { | ||
| local bundle_name="awf-bundle.js" | ||
| local bundle_url="${BASE_URL}/${bundle_name}" | ||
|
|
||
| echo "Node.js >= 20 detected ($(node --version)), using lightweight bundle..." | ||
| echo "Downloading bundle from ${bundle_url@Q}..." | ||
| curl -fsSL --retry 3 --retry-delay 5 -o "${TEMP_DIR}/${bundle_name}" "${bundle_url}" | ||
|
|
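Review bot: `${bundle_url@Q}` in the "Downloading bundle" echo is a parameter transformation that needs bash 4.4 or later; an older bash, such as the 3.2 that macOS ships as /bin/bash, stops with a bad substitution error. If this script is expected to run under the stock bash on Darwin, print the URL with `printf '%q'` or plain double quotes instead.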
When running on macOS with Node.js >= 20, the script will choose the bundle path and skip the existing Darwin warning about iptables/container firewalling not working natively. Please emit the same warning when OS=Darwin and install_bundle is used so behavior/messages stay consistent.
Good catch! The Darwin warning should definitely be emitted consistently regardless of the install path taken. Adding it to the bundle path ensures users on macOS are aware of the iptables/container firewall limitation. 🍎
📰 BREAKING: Report filed by Smoke Copilot
Switch from ~50MB pkg binaries to ~357KB esbuild single-file bundle (awf-bundle.js) when Node.js >= 20 is available. GitHub hosted runners always have Node.js 22, so the bundle path is always taken. Falls back to platform-specific pkg binary for self-hosted runners without Node.js. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
5e05fe1 to 06702ce
@copilot Merge main build wasm recompile
The smoke test lock files still referenced v0.25.8, causing install_awf_binary.sh to attempt downloading awf-bundle.js from a release that doesn't have it. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...
❌ Tool validation failed! Agent Container Smoke Test detected missing tools: failed
💫 TO BE CONTINUED... Smoke Claude failed! Our hero faces unexpected challenges...
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
📰 DEVELOPING STORY: Smoke Copilot reports failed. Our correspondents are investigating the incident...
If the bundle asset doesn't exist for a given AWF version (e.g., older releases before v0.25.10), gracefully fall back to downloading the platform-specific pkg binary instead of hard-failing. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨
✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready.
🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...
Agent Container Tool Check
Result: 12/12 tools available ✅ Overall Status: PASS
Smoke test results for @Mossaka's PR:
Overall:
Smoke test review: PR bumps AWF to v0.25.10 and introduces a lightweight bundle install path. The bundle approach is a great improvement (~140x smaller). Main concern: the wrapper script uses exec node without an absolute path — consider resolving node at install time for robustness. Otherwise the changes look solid.
📰 BREAKING: Report filed by Smoke Copilot
| # Create wrapper script | ||
| sudo tee "${AWF_INSTALL_DIR}/${AWF_INSTALL_NAME}" > /dev/null <<'WRAPPER' | ||
| #!/bin/bash | ||
| exec node /usr/local/lib/awf/awf-bundle.js "$@" |
The wrapper script uses exec node without an absolute path, which relies on PATH being correctly set. Consider resolving node to an absolute path at install time for better robustness, especially in environments with restricted PATH.
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤
Warning The Smoke Test Results — Run §23879967654 Core: ✅1 ✅2 ✅3 ✅4 ❌5 ✅6 ✅7 ✅8 ✅9 ✅10 ✅11 Status: PARTIAL (Playwright ❌, threads/close
💥 Automated smoke test review - all systems nominal! This is an automated review comment from the Claude smoke test run §23879967654.
💥 [THE END] — Illustrated by Smoke Claude
| GH_AW_INFO_ALLOWED_DOMAINS: '["defaults"]' | ||
| GH_AW_INFO_FIREWALL_ENABLED: "true" | ||
| GH_AW_INFO_AWF_VERSION: "v0.25.8" | ||
| GH_AW_INFO_AWF_VERSION: "v0.25.10" |
✅ Version bump from v0.25.8 → v0.25.10 looks correct here. The AWF version env var is consistently updated across all lock files in this PR.
| run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh latest | ||
| - name: Install AWF binary | ||
| run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.8 | ||
| run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.10 |
✅ Install AWF binary step updated to v0.25.10 — consistent with the esbuild bundle approach introduced in this PR.
💥 Automated smoke test review - all systems nominal!
💥 [THE END] — Illustrated by Smoke Claude
| GH_AW_INFO_ALLOWED_DOMAINS: '["defaults"]' | ||
| GH_AW_INFO_FIREWALL_ENABLED: "true" | ||
| GH_AW_INFO_AWF_VERSION: "v0.25.8" | ||
| GH_AW_INFO_AWF_VERSION: "v0.25.10" |
Smoke test review comment #1: Version bump from v0.25.8 → v0.25.10 looks correct. Consider adding a changelog entry or release notes reference for traceability.
| run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh latest | ||
| - name: Install AWF binary | ||
| run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.8 | ||
| run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.10 |
Smoke test review comment #2: AWF binary install step updated to v0.25.10. Consistent with the version env var above — good alignment across install and runtime config.
Summary
awf-bundle.js (~357KB) over platform-specific pkg binaries (~50MB) when Node.js >= 20 is available

Closes #23975
Motivation
AWF v0.25.10 publishes awf-bundle.js as a release asset -- a single JavaScript file that runs on any system with Node.js >= 20. GitHub hosted runners already have Node.js 22, making the bundled Node.js 18 runtime in pkg binaries redundant. This reduces download size from ~50MB to ~357KB (140x smaller), speeding up workflow setup.

Node.js 18 (bundled in pkg binaries) reached EOL in April 2025.
Changes
- pkg/constants/version_constants.go: Version bump v0.25.6 -> v0.25.10
- actions/setup/sh/install_awf_binary.sh: Try awf-bundle.js first when Node >= 20 is available, fall back to platform binary otherwise. SHA256 checksum verification preserved for both paths.
Test plan
- make test-unit passes (wasm golden tests updated; pre-existing failures in lock file tests and CLI env tests are unrelated)
- make fmt passes
- make golint-incremental passes with 0 issues

🤖 Generated with Claude Code
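The bundle-first strategy described above (verify awf-bundle.js by SHA256, otherwise use the platform binary), as an added example that is not the PR's or the project's code. It separates an unavailable asset, which falls back, from a checksum mismatch, which aborts; that policy, the return codes, the checksums.txt name and the sample data are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not the project's install script. File names other than
# awf-bundle.js, the return codes and the sample data are constructed.
set -eu

# verify_asset DIR NAME SUMS: 0 = verified, 1 = asset unavailable, 2 = mismatch.
# Every step returns explicitly because the shell ignores `set -e` inside a
# function that is called from an `if`, `&&` or `||` list.
verify_asset() {
  local dir="$1" name="$2" sums="$3" expected actual
  [ -f "${dir}/${name}" ] || return 1                  # download did not happen
  expected="$(awk -v n="${name}" \
    '$2 == n || $2 == ("*" n) { print $1; exit }' "${sums}")" || return 1
  [ -n "${expected}" ] || return 1                     # release lists no such asset
  actual="$(sha256sum "${dir}/${name}")" || return 2
  [ "${expected}" = "${actual%% *}" ] || return 2      # content differs: do not run it
}

# choose_install DIR SUMS: prints bundle, binary (fall back) or abort.
choose_install() {
  local rc=0
  verify_asset "$1" "awf-bundle.js" "$2" || rc=$?
  case "${rc}" in
    0) echo "bundle" ;;
    1) echo "binary" ;;
    *) echo "abort" ;;
  esac
}

# Constructed stand-in for a release download directory.
demo_dir="$(mktemp -d)"
trap 'rm -rf "${demo_dir}"' EXIT
printf 'console.log("awf");\n' > "${demo_dir}/awf-bundle.js"
(cd "${demo_dir}" && sha256sum awf-bundle.js > checksums.txt)

intact="$(choose_install "${demo_dir}" "${demo_dir}/checksums.txt")"
printf '// modified after checksums were written\n' >> "${demo_dir}/awf-bundle.js"
tampered="$(choose_install "${demo_dir}" "${demo_dir}/checksums.txt")"
rm "${demo_dir}/awf-bundle.js"
missing="$(choose_install "${demo_dir}" "${demo_dir}/checksums.txt")"
echo "intact=${intact} tampered=${tampered} missing=${missing}"
```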
✨ PR Review Safe Output Test - Run 23879967654
✨ PR Review Safe Output Test - Run 23880126574