test: add copilot/network-isolation E2E test

[github-actions]

Caution

Protected files were modified in this change.
This pull request is in request_review mode and requires explicit human scrutiny before merge.

Protected files: .github/workflows/test-copilot-network-isolation.md

Adds test-copilot-network-isolation.md — a minimal workflow_dispatch test that verifies gh-aw can compile and execute a workflow when sandbox.agent.network-isolation: true is set.

Motivation

• Add compiler support for AWF --network-isolation topology mode (ARC/DinD-compatible egress) github/gh-aw#41088 added compiler support for the --network-isolation topology mode (container-based egress; avoids host iptables and sudo)
• feat: omit sudo from generated lock.yml when network-isolation is enabled; bump firewall to v0.27.10 and mcpg to v0.3.30 github/gh-aw#41269 omits sudo from the generated lockfile when this mode is enabled

Neither change has E2E coverage in this repository.

What the test does

Sets sandbox.agent.network-isolation: true in the workflow frontmatter and asks the agent to create a single GitHub issue. Success confirms:

1. gh aw compile accepts the sandbox.agent.network-isolation field without error
2. The compiled lockfile runs successfully on a GitHub-hosted runner using container-based egress (no sudo)

Test file

.github/workflows/test-copilot-network-isolation.md — source only; lockfile is intentionally omitted per AGENTS.md §4 and will be generated by the nightly matrix.

Notes

• Uses the standard create-issue safe output with a samples: block for deterministic --use-samples runs
• No new fixtures or secrets required; uses githubnext/gh-aw-test
• network-isolation is treated as a <feature> name (not a <variant>) in the test filename since it is not one of the two official variants (nosandbox, siderepo)
• All three engines (copilot, claude, codex) could eventually have a matching test; this PR covers the copilot variant only

Generated by 🔍 Suggest New E2E Tests · 67.7 AIC · ⌖ 10.2 AIC · ⊞ 5.9K · ◷

---

Note

This was originally intended as a pull request, but the git push operation failed.

Workflow Run: View run details and download bundle artifact

The bundle file is available in the agent artifact in the workflow run linked above.

To create a pull request with the changes:

# Download the artifact from the workflow run
gh run download 28124898027 -n agent -D /tmp/agent-28124898027

# Fetch the bundle into a temporary ref, then update the local branch
git fetch /tmp/agent-28124898027/aw-test-copilot-network-isolation.bundle refs/heads/test-copilot-network-isolation:refs/bundles/create-pr-test-copilot-network-isolation-72976105fc33813a-088348e1
git update-ref refs/heads/test-copilot-network-isolation-72976105fc33813a refs/bundles/create-pr-test-copilot-network-isolation-72976105fc33813a-088348e1
git checkout test-copilot-network-isolation-72976105fc33813a
# Ensure the working tree matches the updated branch
git reset --hard
# Remove the temporary bundle ref
git update-ref -d refs/bundles/create-pr-test-copilot-network-isolation-72976105fc33813a-088348e1

# Push the branch to origin
git push origin test-copilot-network-isolation-72976105fc33813a

# Create the pull request
gh pr create --title 'test: add copilot/network-isolation E2E test' --base main --head test-copilot-network-isolation-72976105fc33813a --repo githubnext/gh-aw-test