Use locally built MCP gateway in smoke-copilot workflow and trigger on Go PRs

[Copilot]

Plan: Update Smoke Copilot Workflow for Local MCP Gateway

• Understand current smoke-copilot.md workflow (uses ghcr.io/github/gh-aw-mcpg:v0.1.4)
• Update smoke-copilot.md to build and use local MCP gateway container
  • Add Go setup and Docker buildx setup in frontmatter steps
  • Build local container using Dockerfile (tag as local-awmg:v0.1.4)
  • Update sandbox.mcp.container to use locally built image
• Recompile smoke-copilot workflow (compiled with gh-aw)
• Add smoke-copilot test to CI workflow for PRs modifying Go code
  • Create new job in ci.yml that triggers smoke-copilot on PR
  • Job runs after unit-test, lint, and integration-test pass
• Fix container versioning issue
  • Container tag: local-awmg:v0.1.4 (matches compiler expectation)
  • VERSION build arg: dev-<sha> (correct development version in binary)
  • Recompiled workflow with updated versioning
• Verify all changes work correctly
  • Workflow compiles successfully with gh-aw compiler
  • All ghcr.io references replaced with local-awmg:v0.1.4
  • Lint checks pass
  • No security vulnerabilities introduced (CodeQL clean)

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

[lpcox]

@copilot look at the last comment about versioning the built container

[Copilot]

@copilot look at the last comment about versioning the built container

Fixed in commit 4431dcf. The container versioning now uses:

• Container tag: local-awmg:v0.1.4 (to satisfy gh-aw compiler expectations)
• VERSION build arg: dev-$(git rev-parse --short HEAD) (embeds accurate dev version in binary)

This ensures the binary reports the correct development version (e.g., dev-3d10d13) while maintaining compatibility with the workflow compiler's version injection mechanism.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/repos/docker/setup-buildx-action/git/ref/tags/v3
  • Triggering command: /usr/bin/gh gh api /repos/docker/setup-buildx-action/git/ref/tags/v3 --jq .object.sha .go (http block)
• https://api.github.com/user
  • Triggering command: /usr/bin/gh gh api user --jq .login -g -fno-stack-protector -ffile-prefix-map=/opt/hostedtoolcache/go/1.25.7/x64=/_/GOROOT -frandom-seed=mrdHwX_2NrK14Tvcsd1_ -o /tmp/go-build2656446941/b234/_cgo_main.o -c conf�� get gKxUsK41W /opt/pipx_bin/gi--64 credential.usern/usr/libexec/gcc/x86_64-linux-gnu/13/cc1 (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[Copilot]

Pull request overview

This PR modifies the smoke-copilot workflow to build and use a locally built MCP Gateway container instead of pulling from ghcr.io/github/gh-aw-mcpg:v0.1.4. It also adds a new CI job to trigger the smoke-copilot workflow on pull requests that modify Go code. The purpose is to test MCP Gateway changes in pull requests before they are merged to main.

Changes:

• Modified smoke-copilot.md to add build steps for local MCP Gateway container (Go setup, Docker Buildx, docker build)
• Updated MCP Gateway container reference from registry image to locally built image
• Added smoke-copilot-pr job in ci.yml to trigger workflow on Go-related PRs
• Recompiled smoke-copilot.lock.yml with updated configuration

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.

File	Description
.github/workflows/smoke-copilot.md	Added frontmatter steps to build local MCP Gateway container; changed container reference from ghcr.io/github/gh-aw-mcpg to local-awmg
.github/workflows/smoke-copilot.lock.yml	Compiled workflow with new build steps, updated container references, and modified action setup pattern
.github/workflows/ci.yml	Added smoke-copilot-pr job to trigger smoke-copilot workflow via workflow_dispatch on pull requests

Comments suppressed due to low confidence (6)

.github/workflows/smoke-copilot.lock.yml:1671

• This "Checkout actions folder" pattern with "./actions/setup" is inconsistent with all other workflows and will fail because there is no "actions" folder in the repository. All other compiled workflows use "github/gh-aw/actions/setup@v0.46.1" directly without this checkout step.

      - name: Checkout actions folder
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          sparse-checkout: |
            actions
          persist-credentials: false
      - name: Setup Scripts
        uses: ./actions/setup

.github/workflows/smoke-copilot.lock.yml:1766

• This "Checkout actions folder" pattern with "./actions/setup" is inconsistent with all other workflows and will fail because there is no "actions" folder in the repository. All other compiled workflows use "github/gh-aw/actions/setup@v0.46.1" directly without this checkout step.

      - name: Checkout actions folder
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          sparse-checkout: |
            actions
          persist-credentials: false
      - name: Setup Scripts
        uses: ./actions/setup

.github/workflows/smoke-copilot.lock.yml:1934

• This "Checkout actions folder" pattern with "./actions/setup" is inconsistent with all other workflows and will fail because there is no "actions" folder in the repository. All other compiled workflows use "github/gh-aw/actions/setup@v0.46.1" directly without this checkout step.

      - name: Checkout actions folder
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          sparse-checkout: |
            actions
          persist-credentials: false
      - name: Setup Scripts
        uses: ./actions/setup

.github/workflows/smoke-copilot.lock.yml:82

• This "Checkout actions folder" pattern with "./actions/setup" is inconsistent with all other workflows and will fail because there is no "actions" folder in the repository. All other compiled workflows use "github/gh-aw/actions/setup@v0.46.1" directly without this checkout step.

      - name: Checkout actions folder
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          sparse-checkout: |
            actions
          persist-credentials: false
      - name: Setup Scripts
        uses: ./actions/setup

.github/workflows/smoke-copilot.lock.yml:1875

• This "Checkout actions folder" pattern with "./actions/setup" is inconsistent with all other workflows and will fail because there is no "actions" folder in the repository. All other compiled workflows use "github/gh-aw/actions/setup@v0.46.1" directly without this checkout step.

      - name: Checkout actions folder
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          sparse-checkout: |
            actions
          persist-credentials: false
      - name: Setup Scripts
        uses: ./actions/setup

.github/workflows/smoke-copilot.lock.yml:1978

• This "Checkout actions folder" pattern with "./actions/setup" is inconsistent with all other workflows and will fail because there is no "actions" folder in the repository. All other compiled workflows use "github/gh-aw/actions/setup@v0.46.1" directly without this checkout step.

      - name: Checkout actions folder
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          sparse-checkout: |
            actions
          persist-credentials: false
      - name: Setup Scripts
        uses: ./actions/setup

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The compiled workflow introduces a new pattern of checking out an "actions" folder and using "./actions/setup" that is inconsistent with all other workflows in the repository (which use "github/gh-aw/actions/setup@v0.46.1"). Additionally, there is no "actions" folder in the repository root, which means this checkout step will fail or find no content. This appears to be an artifact of the compilation process that differs from the standard pattern used by other workflows.

This issue also appears in the following locations of the same file:

• line 1664
• line 1759
• line 1927
• line 75
• line 1868
• ...and 1 more

See below for a potential fix:

      - name: Setup Scripts
        uses: github/gh-aw/actions/setup@v0.46.1

[Copilot]

Docker Buildx is set up twice in this workflow - once on line 360 (for building gh-aw Docker image) and again on line 379 (for building local MCP Gateway container). The second setup is redundant and can be removed since Buildx only needs to be set up once per job.

Suggested change

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3

[Copilot]

The "Download container images" step is attempting to download "local-awmg:v0.1.4" from a registry, but this is a locally built image that was just built in the previous steps. The download_docker_images.sh script typically pulls images from registries, which will fail for locally built images. The "local-awmg:v0.1.4" reference should be removed from this download list since it's already available locally.

Suggested change

	run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.20.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.20.0 ghcr.io/github/gh-aw-firewall/squid:0.20.0 ghcr.io/github/github-mcp-server:v0.30.3 ghcr.io/github/serena-mcp-server:latest local-awmg:v0.1.4 mcr.microsoft.com/playwright/mcp node:lts-alpine
	run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.20.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.20.0 ghcr.io/github/gh-aw-firewall/squid:0.20.0 ghcr.io/github/github-mcp-server:v0.30.3 ghcr.io/github/serena-mcp-server:latest mcr.microsoft.com/playwright/mcp node:lts-alpine

[Copilot]

The workflow_dispatch trigger uses context.payload.pull_request.head.ref which will be the branch name. However, if the PR is from a fork, this ref won't exist in the target repository, causing the workflow dispatch to fail. Consider using context.payload.pull_request.head.sha instead, or adding a check to handle forks differently.

Suggested change

	await github.rest.actions.createWorkflowDispatch({
	owner: context.repo.owner,
	repo: context.repo.repo,
	workflow_id: 'smoke-copilot.lock.yml',
	ref: context.payload.pull_request.head.ref
	const targetRepoFullName = `${context.repo.owner}/${context.repo.repo}`;
	const headRepoFullName = context.payload.pull_request.head.repo.full_name;
	const dispatchRef = headRepoFullName === targetRepoFullName
	? context.payload.pull_request.head.ref
	: context.payload.pull_request.base.ref;
	await github.rest.actions.createWorkflowDispatch({
	owner: context.repo.owner,
	repo: context.repo.repo,
	workflow_id: 'smoke-copilot.lock.yml',
	ref: dispatchRef

[Copilot]

The container reference is set to "local-awmg" without a tag, but the build step explicitly tags it as "local-awmg:v0.1.4". Docker will use "local-awmg:latest" by default when no tag is specified, which won't match the built image. The reference should be "local-awmg:v0.1.4" to match the tag used in the build step.

Suggested change

	container: "local-awmg"
	container: "local-awmg:v0.1.4"