Upgrade agentic workflows to gh-aw v0.37.0 (#8261)

* Initial plan * Upgrade workflows to gh-aw v0.37.0 (latest) Co-authored-by: NikolajBjorner <3085284+NikolajBjorner@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: NikolajBjorner <3085284+NikolajBjorner@users.noreply.github.com>
2026-01-22 01:54:44 +00:00 · 2026-01-20 09:42:30 -08:00 · 2026-01-20 09:42:30 -08:00 · 7c4a22d865
commit 7c4a22d865
parent 2ab9887478
17 changed files with 2248 additions and 7034 deletions
--- a/.github/aw/github-agentic-workflows.md
+++ b/.github/aw/github-agentic-workflows.md
@ -243,6 +243,11 @@ The YAML frontmatter supports these fields:
      allowed:
        - "example.com"
        - "*.trusted-domain.com"
+        - "https://api.secure.com"        # Optional: protocol-specific filtering
+      blocked:
+        - "blocked-domain.com"
+        - "*.untrusted.com"
+        - python                          # Block ecosystem identifiers
      firewall: true                      # Optional: Enable AWF (Agent Workflow Firewall) for Copilot engine
    ```
  - **Firewall configuration** (Copilot engine only):
@ -1059,6 +1064,11 @@ network:
    - node            # Node.js/NPM ecosystem
    - containers      # Container registries
    - "api.custom.com" # Custom domain
+    - "https://secure.api.com" # Protocol-specific domain
+  blocked:
+    - "tracking.com"   # Block specific domains
+    - "*.ads.com"      # Block domain patterns
+    - ruby             # Block ecosystem identifiers
  firewall: true      # Enable AWF (Copilot engine only)

 # Or allow specific domains only
@ -1079,6 +1089,8 @@ network: {}
 - Use ecosystem identifiers (`python`, `node`, `java`, etc.) for language-specific tools
 - When custom permissions are specified with `allowed:` list, deny-by-default policy is enforced
 - Supports exact domain matches and wildcard patterns (where `*` matches any characters, including nested subdomains)
+- **Protocol-specific filtering**: Prefix domains with `http://` or `https://` for protocol restrictions
+- **Domain blocklist**: Use `blocked:` field to explicitly deny domains or ecosystem identifiers
 - **Firewall support**: Copilot engine supports AWF (Agent Workflow Firewall) for domain-based access control
 - Claude engine uses hooks for enforcement; Codex support planned

@ -1087,6 +1099,7 @@ network: {}
 2. **Ecosystem access**: `network: { allowed: [defaults, python, node, ...] }` (development tool ecosystems)
 3. **No network access**: `network: {}` (deny all)
 4. **Specific domains**: `network: { allowed: ["api.example.com", ...] }` (granular access control)
+5. **Block specific domains**: `network: { blocked: ["tracking.com", "*.ads.com", ...] }` (deny-list)

 **Available Ecosystem Identifiers:**
 - `defaults`: Basic infrastructure (certificates, JSON schema, Ubuntu, common package mirrors, Microsoft sources)