
Raise sandbox.agent.sudo: false coverage to 80% of workflows #42119

Merged
pelikhan merged 1 commit into main from copilot/enable-sandbox-agent-sudo-false on Jun 28, 2026

Conversation

Copilot AI commented Jun 28, 2026

This PR increases sandbox hardening coverage by enabling sandbox.agent.sudo: false across additional workflow definitions, reaching the 80% target. The change is limited to workflow frontmatter and corresponding compiled lock outputs.

  • Frontmatter hardening

    • Added sandbox.agent.sudo: false to 79 existing workflow specs under .github/workflows/*.md.
    • Kept provenance-managed (source:) workflows unchanged.
  • Compiled workflow updates

    • Regenerated the matching 79 .lock.yml files so compiled outputs stay aligned with frontmatter.
  • Coverage result

    • Coverage moved from 127/257 to 206/257 workflows (80.16%) with sandbox.agent.sudo: false.

sandbox:
  agent:
    sudo: false
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan pelikhan marked this pull request as ready for review June 28, 2026 18:46
Copilot AI review requested due to automatic review settings June 28, 2026 18:46
@pelikhan pelikhan merged commit a2c8ef5 into main Jun 28, 2026
@pelikhan pelikhan deleted the copilot/enable-sandbox-agent-sudo-false branch June 28, 2026 18:46

Copilot AI left a comment


Pull request overview

This PR increases sandbox hardening coverage across the gh-aw workflow specs by adding sandbox.agent.sudo: false to many additional .github/workflows/*.md definitions and regenerating the corresponding compiled .lock.yml outputs so the runtime configuration (rootless / network-isolation execution) matches the updated frontmatter.

Changes:

  • Add sandbox.agent.sudo: false to additional workflow spec frontmatter to expand hardened coverage.
  • Regenerate the corresponding .lock.yml compiled workflows to reflect rootless AWF installation/execution and network-isolation MCP gateway wiring.
  • Preserve provenance-managed (source:) workflows by not modifying their specs.
File Description
.github/workflows/smoke-agent-public-none.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/smoke-agent-public-approved.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/smoke-agent-all-none.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/smoke-agent-all-merged.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/slide-deck-maintainer.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/sergo.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/semantic-function-refactor.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/security-review.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/scout.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/schema-feature-coverage.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/schema-feature-coverage.lock.yml Regenerate compiled workflow to reflect rootless/network-isolated sandbox execution.
.github/workflows/safe-output-health.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/ruflo-backed-task.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/repo-tree-map.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/repo-tree-map.lock.yml Regenerate compiled workflow to reflect rootless/network-isolated sandbox execution.
.github/workflows/repo-audit-analyzer.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/repo-audit-analyzer.lock.yml Regenerate compiled workflow to reflect rootless/network-isolated sandbox execution.
.github/workflows/release.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/refactoring-cadence.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/q.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/prompt-clustering-analysis.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/pr-triage-agent.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/pr-sous-chef.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/pr-description-caveman.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/pr-code-quality-reviewer.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/portfolio-analyst.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/plan.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/pdf-summary.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/org-health-report.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/objective-impact-report.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/notion-issue-summary.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/necromancer.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/metrics-collector.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/mattpocock-skills-reviewer.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/linter-miner.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/lint-monster.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/layout-spec-maintainer.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/issue-triage-agent.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/issue-triage-agent.lock.yml Regenerate compiled workflow to reflect rootless/network-isolated sandbox execution.
.github/workflows/issue-monster.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/issue-arborist.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/impeccable-skills-reviewer.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/gpclean.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/gpclean.lock.yml Regenerate compiled workflow to reflect rootless/network-isolated sandbox execution.
.github/workflows/go-pattern-detector.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/go-logger.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/go-fan.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/github-remote-mcp-auth-test.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/github-remote-mcp-auth-test.lock.yml Regenerate compiled workflow to reflect rootless/network-isolated sandbox execution.
.github/workflows/github-mcp-tools-report.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/functional-pragmatist.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/example-permissions-warning.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/example-permissions-warning.lock.yml Regenerate compiled workflow to reflect rootless/network-isolated sandbox execution.
.github/workflows/example-failure-category-filter.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/example-failure-category-filter.lock.yml Regenerate compiled workflow to reflect rootless/network-isolated sandbox execution.
.github/workflows/eslint-refiner.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/eslint-monster.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/eslint-miner.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/duplicate-code-detector.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/draft-pr-cleanup.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/docs-noob-tester.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/dictation-prompt.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/developer-docs-consolidator.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/dev-hawk.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/designer-drift-audit.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/dependabot-go-checker.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/dependabot-burner.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/delight.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/deep-report.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/dataflow-pr-discussion-dataset.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/daily-workflow-updater.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/daily-windows-terminal-integration-builder.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/daily-token-consumption-report.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/daily-team-evolution-insights.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/daily-syntax-error-quality.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/daily-syntax-error-quality.lock.yml Regenerate compiled workflow to reflect rootless/network-isolated sandbox execution.
.github/workflows/daily-spdd-spec-planner.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/daily-sentrux-report.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/daily-semgrep-scan.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/daily-security-red-team.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/daily-secrets-analysis.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/daily-safeoutputs-git-simulator.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/daily-safe-output-optimizer.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/daily-safe-output-integrator.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/daily-reliability-review.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/daily-regulatory.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/daily-regulatory.lock.yml Regenerate compiled workflow to reflect rootless/network-isolated sandbox execution.
.github/workflows/daily-performance-summary.md Add sandbox.agent.sudo: false frontmatter.
.github/workflows/daily-multi-device-docs-tester.md Add sandbox.agent.sudo: false frontmatter.

Review details

  • Files reviewed: 84/158 changed files
  • Comments generated: 0
  • Review effort level: Low
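Both the PR description and the review overview above describe the same check: which workflow specs carry `sandbox.agent.sudo: false` in their frontmatter, which are provenance-managed (`source:`) and therefore left alone, and what percentage of the total that covers. The script below is an added example, not code from this PR or from the gh-aw project. It assumes only what the page states (the `sandbox.agent.sudo` key path and `source:` as the provenance marker); the small indentation-based frontmatter parser, the function names, and the sample spec files are constructed for the example and are not the project's parser or real workflows. It goes one step beyond the numbers in the PR by listing the specs still to harden, and it deliberately counts only the YAML boolean `false` as hardened, so a quoted `"false"` (a string) is reported as not covered. It does not verify that the compiled `.lock.yml` files were regenerated, since the page does not show that format.

```python
"""Coverage check for `sandbox.agent.sudo: false` across gh-aw workflow specs.

Added example (not gh-aw project code). Reads the YAML frontmatter of each
`.github/workflows/*.md` spec with a small indentation-based parser (no PyYAML
dependency) and reports hardened, still-to-harden, and provenance-managed specs.
Sample spec names and contents at the bottom are constructed for the example.
"""
import re
from pathlib import Path

# Leading `---` block at the start of the file, up to the closing `---`.
FRONTMATTER_RE = re.compile(r"\A---\r?\n(.*?)\r?\n---", re.S)


def _scalar(raw: str):
    """Convert a YAML-style scalar: bare booleans become bool, quoted text stays a string."""
    v = raw.strip()
    if v.lower() in ("true", "yes", "on"):
        return True
    if v.lower() in ("false", "no", "off"):
        return False
    if len(v) >= 2 and v[0] == v[-1] and v[0] in "\"'":
        return v[1:-1]  # quoted "false" is a string, not the boolean
    return v


def parse_frontmatter(text: str) -> dict:
    """Parse the frontmatter into nested dicts (mappings of scalars only).

    Lists and comments are skipped; this subset is enough for the keys checked here.
    It is an assumption of the example, not the project's frontmatter parser.
    """
    m = FRONTMATTER_RE.match(text)
    if not m:
        return {}
    root: dict = {}
    stack = [(-1, root)]  # (indent, mapping) for each enclosing level
    for line in m.group(1).splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "-")):
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:  # close deeper levels on dedent
            stack.pop()
        parent = stack[-1][1]
        if value.strip() == "":
            child: dict = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = _scalar(value)
    return root


def sudo_disabled(fm: dict) -> bool:
    """True only when sandbox.agent.sudo is the YAML boolean false."""
    sandbox = fm.get("sandbox")
    agent = sandbox.get("agent") if isinstance(sandbox, dict) else None
    return isinstance(agent, dict) and agent.get("sudo") is False


def is_provenance_managed(fm: dict) -> bool:
    """Specs with a top-level `source:` key are managed upstream and not edited here."""
    return "source" in fm


def coverage_report(specs: dict) -> dict:
    """specs maps file name -> spec text. Returns counts plus the lists a maintainer acts on."""
    covered, to_harden, provenance = [], [], []
    for name in sorted(specs):
        fm = parse_frontmatter(specs[name])
        if sudo_disabled(fm):
            covered.append(name)
        elif is_provenance_managed(fm):
            provenance.append(name)
        else:
            to_harden.append(name)
    total = len(specs)
    pct = round(100.0 * len(covered) / total, 2) if total else 0.0
    return {"covered": covered, "to_harden": to_harden,
            "provenance_managed": provenance, "total": total, "percent": pct}


def load_specs(workflow_dir: str) -> dict:
    """Read every *.md spec in a workflows directory (compiled .lock.yml files are not .md)."""
    return {p.name: p.read_text(encoding="utf-8")
            for p in sorted(Path(workflow_dir).glob("*.md"))}


# Constructed sample specs; none of these are real gh-aw workflows.
SAMPLE_SPECS = {
    "hardened.md": "---\non: issues\nsandbox:\n  agent:\n    sudo: false\n---\n# body\n",
    "string-false.md": "---\nsandbox:\n  agent:\n    sudo: \"false\"\n---\n",
    "no-sandbox.md": "---\non: push\npermissions:\n  contents: read\n---\n",
    "upstream.md": "---\nsource: example-org/example-repo/workflows/upstream.md@main\n"
                   "sandbox:\n  agent:\n    sudo: true\n---\n",
}

if __name__ == "__main__":
    # Replace SAMPLE_SPECS with load_specs(".github/workflows") to run on a checkout.
    report = coverage_report(SAMPLE_SPECS)
    print(f"{len(report['covered'])}/{report['total']} ({report['percent']}%) hardened")
    print("still to harden:", report["to_harden"])
    print("provenance-managed (change upstream):", report["provenance_managed"])
```

Run against a checkout with `coverage_report(load_specs(".github/workflows"))`; the `to_harden` list is the work queue for the next PR of this kind, while `provenance_managed` entries need the change made in their `source:` repository rather than in the local spec.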
github-actions Bot added a commit that referenced this pull request Jun 29, 2026
Covers the week's highlights including:
- Copilot Canvas extension for agentic workflow operations (PR #42137)
- create-canvas skill (PR #42147)
- sandbox.agent.sudo: false coverage hits 80% (PR #42119)
- Code Scanning Fixer expanded to all severity levels (PR #42139)
- mcpg v0.3.32 + firewall v0.27.13 bump (PR #42146)
- Agent of the Week: agent-persona-explorer

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions

🎉 This pull request is included in a new release.

Release: v0.82.0
