Release Notes Action Items for awf 0.27.3 → 0.27.5
This issue summarizes upstream release notes for the awf dependency between the previously pinned version (0.27.3) and the new pinned version (0.27.5), highlighting items that may need follow-up in ado-aw.
The companion version-bump PR is titled chore(deps): update AWF_VERSION to 0.27.5.
Releases analyzed
Security fixes
fix: add bare API proxy targets as https:// only to prevent over-broad allowlisting — The API proxy was previously adding bare target hostnames (e.g. api.githubcopilot.com) to the network allowlist without a protocol prefix, which caused both HTTP and HTTPS to be permitted. This fix pins them to https:// only, tightening the egress policy. (v0.27.5)
Notable features for ado-aw to adopt
-
feat: allowedModels / disallowedModels policy enforcement in api-proxy — AWF now supports allowlisting or denylisting specific AI models at the API proxy layer. ado-aw could expose this as a front-matter configuration option (e.g. engine.allowed-models / engine.disallowed-models) to let pipeline authors or platform admins restrict which models agents may call. (v0.27.5)
-
feat(api-proxy): forward COPILOT_INTEGRATION_ID from host env — The API proxy now forwards COPILOT_INTEGRATION_ID from the host environment into the sandbox, enabling integration-ID-scoped telemetry and billing. ado-aw may want to ensure this variable is passed through the AWF invocation (via --env) when set, particularly for enterprise GHES deployments. (v0.27.5)
-
fix: broaden GHES detection for Copilot auth prefix — Improved GHES host detection in the Copilot auth path, fixing auth failures for non-standard GHES hostnames. ado-aw users on GHES should benefit automatically once the version is pinned, but this is worth noting for enterprise deployment documentation. (v0.27.4)
This issue was opened automatically by the dependency version updater workflow.
Generated by Dependency Version Updater · 348.1 AIC · ⌖ 39.5 AIC · ⊞ 39.2K · ◷
Release Notes Action Items for
awf0.27.3→0.27.5This issue summarizes upstream release notes for the
awfdependency between the previously pinned version (0.27.3) and the new pinned version (0.27.5), highlighting items that may need follow-up in ado-aw.The companion version-bump PR is titled
chore(deps): update AWF_VERSION to 0.27.5.Releases analyzed
Security fixes
fix: add bare API proxy targets as https:// only to prevent over-broad allowlisting— The API proxy was previously adding bare target hostnames (e.g.api.githubcopilot.com) to the network allowlist without a protocol prefix, which caused both HTTP and HTTPS to be permitted. This fix pins them tohttps://only, tightening the egress policy. (v0.27.5)Notable features for ado-aw to adopt
feat: allowedModels / disallowedModels policy enforcement in api-proxy— AWF now supports allowlisting or denylisting specific AI models at the API proxy layer. ado-aw could expose this as a front-matter configuration option (e.g.engine.allowed-models/engine.disallowed-models) to let pipeline authors or platform admins restrict which models agents may call. (v0.27.5)feat(api-proxy): forward COPILOT_INTEGRATION_ID from host env— The API proxy now forwardsCOPILOT_INTEGRATION_IDfrom the host environment into the sandbox, enabling integration-ID-scoped telemetry and billing. ado-aw may want to ensure this variable is passed through the AWF invocation (via--env) when set, particularly for enterprise GHES deployments. (v0.27.5)fix: broaden GHES detection for Copilot auth prefix— Improved GHES host detection in the Copilot auth path, fixing auth failures for non-standard GHES hostnames. ado-aw users on GHES should benefit automatically once the version is pinned, but this is worth noting for enterprise deployment documentation. (v0.27.4)This issue was opened automatically by the dependency version updater workflow.