Bump default CLI/MCP toolchain versions and regenerate workflow locks

[Copilot]

This updates the tracked default toolchain versions from the 2026-05-19 inventory: Claude Code, Copilot CLI, Codex, GitHub MCP Server, and MCP Gateway. It also aligns generated lock files with the new MCP/GitHub MCP pairing so workflow outputs consume the updated defaults consistently.

• Version constant updates

  • pkg/constants/version_constants.go
  • DefaultClaudeCodeVersion: 2.1.142 → 2.1.144
  • DefaultCopilotVersion: 1.0.48 → 1.0.50
  • DefaultCodexVersion: 0.130.0 → 0.131.0
  • DefaultGitHubMCPServerVersion: v1.0.4 → v1.0.5
  • DefaultMCPGatewayVersion: v0.3.9 → v0.3.12

• Generated workflow lock refresh

  • Recompiled lock files across .github/workflows/*.lock.yml to propagate:
    • new CLI install defaults (Claude/Copilot/Codex)
    • new container tags/digests for github-mcp-server and gh-aw-mcpg
  • Ensures compiled workflows and pinned artifacts are synchronized with the updated defaults.

• Release metadata

  • Added .changeset/patch-update-cli-tool-versions-2026-05-19.md documenting the coordinated version bump.

// pkg/constants/version_constants.go
const DefaultClaudeCodeVersion Version = "2.1.144"
const DefaultCopilotVersion Version = "1.0.50"
const DefaultCodexVersion Version = "0.131.0"
const DefaultGitHubMCPServerVersion Version = "v1.0.5"
const DefaultMCPGatewayVersion Version = "v0.3.12"

[github-actions]

❌ Smoke OTEL failed. Please review the logs for details.

[github-actions]

⚠️ Smoke Gemini failed. Gemini encountered unexpected challenges...

[github-actions]

⚠️ Smoke Pi failed. Pi encountered unexpected challenges...

[Copilot]

Pull request overview

Updates the repository’s default CLI/MCP toolchain versions to the latest inventory and refreshes generated workflow lock files so compiled workflows consume the new defaults consistently.

Changes:

• Bumped default versions for Claude Code, GitHub Copilot CLI, Codex, GitHub MCP Server image, and MCP Gateway image.
• Regenerated .github/workflows/*.lock.yml files to reflect the new tool versions and container tags.
• Updated action pin datasets / cache and added a Changeset entry documenting the coordinated patch bump.

Show a summary per file

File	Description
pkg/constants/version_constants.go	Updates default toolchain version constants (CLIs + MCP containers).
pkg/workflow/data/action_pins.json	Adds additional action refs to the embedded pin dataset.
pkg/actionpins/data/action_pins.json	Mirrors the embedded action pin dataset update for the actionpins package.
.github/aw/actions-lock.json	Updates the repo’s cached action lock entries used during compilation.
.github/workflows/video-analyzer.lock.yml	Regenerated lock workflow to use updated Copilot/MCP versions.
.github/workflows/test-workflow.lock.yml	Regenerated lock workflow to use updated Copilot/MCP versions.
.github/workflows/test-dispatcher.lock.yml	Regenerated lock workflow to use updated Copilot/MCP versions.
.github/workflows/smoke-pi.lock.yml	Regenerated lock workflow to use updated MCP Gateway / MCP Server versions.
.github/workflows/smoke-opencode.lock.yml	Regenerated lock workflow to use updated MCP Gateway / MCP Server versions.
.github/workflows/smoke-gemini.lock.yml	Regenerated lock workflow to use updated MCP Gateway / MCP Server versions.
.github/workflows/smoke-crush.lock.yml	Regenerated lock workflow to use updated MCP Gateway / MCP Server versions.
.github/workflows/smoke-ci.lock.yml	Regenerated lock workflow to use updated Copilot/MCP versions.
.github/workflows/research.lock.yml	Regenerated lock workflow to use updated Copilot/MCP versions.
.github/workflows/repo-tree-map.lock.yml	Regenerated lock workflow to use updated Copilot/MCP versions.
.github/workflows/hippo-embed.lock.yml	Regenerated lock workflow to use updated Copilot/MCP versions.
.github/workflows/github-remote-mcp-auth-test.lock.yml	Regenerated lock workflow to use updated Copilot + MCP Gateway version.
.github/workflows/firewall.lock.yml	Regenerated lock workflow to use updated Copilot/MCP versions.
.github/workflows/example-permissions-warning.lock.yml	Regenerated lock workflow to use updated Copilot/MCP versions.
.github/workflows/dev.lock.yml	Regenerated lock workflow to use updated MCP Gateway / MCP Server versions.
.github/workflows/daily-team-evolution-insights.lock.yml	Regenerated lock workflow to use updated Claude Code + MCP versions.
.github/workflows/daily-malicious-code-scan.lock.yml	Regenerated lock workflow to use updated Copilot/MCP versions.
.github/workflows/copilot-token-optimizer.lock.yml	Regenerated lock workflow to use updated Copilot/MCP versions.
.github/workflows/codex-github-remote-mcp-test.lock.yml	Regenerated lock workflow to use updated Codex + MCP Gateway version.
.github/workflows/cli-consistency-checker.lock.yml	Regenerated lock workflow to use updated Copilot/MCP versions.
.github/workflows/changeset.lock.yml	Regenerated lock workflow to use updated Codex + MCP versions.
.github/workflows/bot-detection.lock.yml	Regenerated lock workflow to use updated Copilot/MCP versions.
.github/workflows/ace-editor.lock.yml	Regenerated lock workflow to use updated Copilot/MCP versions.
.changeset/patch-update-cli-tool-versions-2026-05-19.md	Adds release metadata describing the coordinated version bump.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 77/236 changed files
• Comments generated: 2

[github-actions]

Hey @Copilot 👋 — thanks for keeping the toolchain versions up to date! This looks like a systematic version bump and lock file regeneration. Here are a few observations to help this PR land smoothly:

• Add tests — While this PR updates version constants and regenerates lock files, there are no test changes included. Consider adding or updating tests that verify the new version constants are correctly applied (e.g., integration tests that check the installed CLI versions match the new defaults, or unit tests confirming the constants are read correctly).
• Clarify project alignment — The CONTRIBUTING.md doesn't explicitly list version bumps as a priority area. It might help to reference an issue or discussion that establishes why these specific version updates are needed now (e.g., security patch, feature requirement, deprecation timeline).

If you'd like to add test coverage, here's a prompt you can use:

Add integration tests to verify that the updated default toolchain versions in pkg/constants/version_constants.go are correctly applied when workflows are compiled. The tests should:
1. Confirm that DefaultClaudeCodeVersion, DefaultCopilotVersion, DefaultCodexVersion, DefaultGitHubMCPServerVersion, and DefaultMCPGatewayVersion constants match the expected values (2.1.144, 1.0.50, 0.131.0, v1.0.5, v0.3.12 respectively).
2. Validate that at least one generated workflow lock file references the new version numbers (e.g., check .github/workflows/ab-testing-advisor.lock.yml for updated container tags or CLI install versions).
3. Ensure the changeset file .changeset/patch-update-cli-tool-versions-2026-05-19.md is present and documents the version changes.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• patchdiff.githubusercontent.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "patchdiff.githubusercontent.com"

See Network Configuration for more information.

Generated by ✅ Contribution Check · ● 12.4M · ◷