chore: bump default gh-aw-mcpg to v0.3.16 and gh-aw-firewall to v0.25.50

[Copilot]

This updates gh-aw to the requested MCP Gateway and Firewall releases, including regenerated compiled artifacts that embed these defaults. It also aligns checked-in golden outputs that snapshot generated workflow content with the new version pins.

• Version pin updates

  • Updated DefaultMCPGatewayVersion to v0.3.16
  • Updated DefaultFirewallVersion to v0.25.50

• Regenerated lock artifacts

  • Recompiled workflow lock files under .github/workflows/*.lock.yml so embedded AWF/MCPG image references reflect the new defaults.

• Golden output refresh

  • Updated wasm golden fixtures in pkg/workflow/testdata/TestWasmGolden_* where expected compiled output includes pinned AWF/MCPG versions.

• Release metadata

  • Added a patch changeset documenting the dependency bump.

// pkg/constants/version_constants.go
const DefaultFirewallVersion Version = "v0.25.50"
const DefaultMCPGatewayVersion Version = "v0.3.16"

---

---

✨ PR Review Safe Output Test - Run 26202036082

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

• accounts.google.com
• android.clients.google.com
• clients2.google.com
• contentautofill.googleapis.com
• safebrowsingohttpgateway.googleapis.com
• www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

💥 [THE END] — Illustrated by Smoke Claude · ● 5.8M · ◷

[github-actions]

🚀 Smoke Gemini MISSION COMPLETE! Gemini has spoken. ✨

Caution

agentic threat detected
Threat detection flagged this output in warn mode. Manual review is REQUIRED before any follow-up automation.

Details

The threat detection results could not be parsed.

Review the workflow run logs for details.

Testing safeoutputs CLI

[github-actions]

🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...

[github-actions]

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

[github-actions]

🚀 Smoke Pi MISSION COMPLETE! Pi delivered. 🥧

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

🧪 Test Quality Sentinel completed test quality analysis.

No test files were added or modified in PR #33664. This is a dependency version bump PR (gh-aw-mcpg v0.3.16, gh-aw-firewall v0.25.50) that only updates compiled workflow .lock.yml files. Test Quality Sentinel analysis skipped.

[github-actions]

✅ PR Code Quality Reviewer completed the code quality review.

[github-actions]

✅ Design Decision Gate 🏗️ completed the design decision gate check.

No ADR enforcement needed: PR #33664 does not have the 'implementation' label and has only 45 new lines (≤100 threshold) in default business logic directories. This PR is a chore-level dependency bump (mcpg to v0.3.16 and firewall to v0.25.50) that does not introduce architectural decisions warranting an ADR.

[github-actions]

🧠 Matt Pocock Skills Reviewer failed during the skills-based review.

[github-actions]

🧠 Matt Pocock Skills Reviewer failed during the skills-based review.

[github-actions]

Caution

agentic threat detected
Threat detection flagged this output in warn mode. Manual review is REQUIRED before any follow-up automation.

Details

The threat detection results could not be parsed.

Review the workflow run logs for details.

Smoke Test Results

• github-mcp-test: ✅
• web-fetch-test: ✅
• file-write-test: ✅
• bash-test: ✅
• build-test: ❌

Overall Status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

✨ Smoke Gemini — Powered by Gemini · ◷

[github-actions]

Agent Container Tool Check ✅

All development tools are available and functional in the agent container environment.

Tool	Status	Version
bash	✅	5.2.21
sh	✅	available
git	✅	2.54.0
jq	✅	1.7
yq	✅	4.53.2
curl	✅	8.5.0
gh	✅	2.92.0
node	✅	22.22.2
python3	✅	3.14.5
go	✅	1.24.13
java	✅	21.0.11
dotnet	✅	10.0.300

Result: 12/12 tools available ✅

All common development tools (shell, version control, JSON/YAML processing, HTTP, GitHub CLI, and programming runtimes) are accessible and ready for use in agent workflows.

🔧 Tool validation by Agent Container Smoke Test · ● 1.2M · ◷

[github-actions]

✅ Design Decision Gate 🏗️ completed the design decision gate check.

No ADR enforcement needed: PR #33664 does not have the 'implementation' label and has only 45 new lines of code in business logic directories (below the 100-line threshold).

[github-actions]

🧪 Test Quality Sentinel completed test quality analysis.

No test files were added or modified in PR #33664. This PR only contains version bumps (mcpg v0.3.16, firewall v0.25.50) and recompiled workflow lock files. Test Quality Sentinel analysis skipped.

[lpcox]

@copilot recompile workflows

[Copilot]

@copilot merge main

Merged latest main into this branch in b8dfb0f.

[Copilot]

@copilot recompile workflows

Ran make recompile on this branch; it completed successfully (233/233 workflows compiled with validation) and produced no additional diffs. Current HEAD: 291dc49.

[github-actions]

``
@copilot review all comments

Attempted branch update (automated) — please re-run CI and confirm any remaining blockers.

Forward-progress: post a completion plan or request a maintainer merge.

Generated by 👨‍🍳 PR Sous Chef · ● 207.2K · ◷

[lpcox]

@copilot recompile workflows

[Copilot]

@copilot recompile workflows

Ran make recompile again; it completed successfully (233/233 workflows compiled) and produced no diffs. Current HEAD: 291dc49.

[lpcox]

@copilot merge main

[lpcox]

@copilot merge main and recompile the workflows

[Copilot]

@copilot merge main

Merged latest main in 2a2d268.