From c23bd113c471848760ab14607d766bbc387c6e22 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 7 Apr 2026 23:39:01 +0000 Subject: [PATCH 1/2] Initial plan From aeeb1e570538de83c41b3c223672c281e3de55ea Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 7 Apr 2026 23:42:47 +0000 Subject: [PATCH 2/2] fix: add cli-proxy container image to release workflow Add build-cli-proxy job to release.yml following the same pattern as api-proxy: build+push to GHCR, cosign signing, SBOM generation, and SBOM attestation. Also update docs/releasing.md to document the new cli-proxy image. The predownload logic already includes cli-proxy support from PR #1730. Fixes #1746 Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/d6d42f21-06c7-45b4-8d7f-f60f1d597851 Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> --- .github/workflows/release.yml | 62 ++++++++++++++++++++++++++++++++++- docs/releasing.md | 5 ++- 2 files changed, 65 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 482282ae..27c59233 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -269,6 +269,66 @@ jobs: --type spdxjson \ ghcr.io/${{ github.repository }}/api-proxy@${{ steps.build_api_proxy.outputs.digest }} + build-cli-proxy: + name: Build CLI Proxy Image + runs-on: ubuntu-latest + needs: bump-version + steps: + - name: Checkout code + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 + with: + ref: ${{ needs.bump-version.outputs.version }} + + - name: Log in to GitHub Container Registry + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 + + - name: Set up QEMU + uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 + with: + platforms: arm64 + + - name: Install cosign + uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 + + - name: Build and push CLI Proxy image + id: build_cli_proxy + uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5 + with: + context: ./containers/cli-proxy + push: true + platforms: linux/amd64,linux/arm64 + tags: | + ghcr.io/${{ github.repository }}/cli-proxy:${{ needs.bump-version.outputs.version_number }} + ghcr.io/${{ github.repository }}/cli-proxy:latest + cache-from: type=gha,scope=cli-proxy + cache-to: type=gha,mode=max,scope=cli-proxy + + - name: Sign CLI Proxy image with cosign + run: | + cosign sign --yes \ + ghcr.io/${{ github.repository }}/cli-proxy@${{ steps.build_cli_proxy.outputs.digest }} + + - name: Generate SBOM for CLI Proxy image + uses: anchore/sbom-action@28d71544de8eaf1b958d335707167c5f783590ad # v0.22.2 + with: + image: ghcr.io/${{ github.repository }}/cli-proxy@${{ steps.build_cli_proxy.outputs.digest }} + format: spdx-json + output-file: cli-proxy-sbom.spdx.json + + - name: Attest SBOM for CLI Proxy image + run: | + cosign attest --yes \ + --predicate cli-proxy-sbom.spdx.json \ + --type spdxjson \ + ghcr.io/${{ github.repository }}/cli-proxy@${{ steps.build_cli_proxy.outputs.digest }} + # Build agent-act image with catthehacker/ubuntu:act-24.04 base for GitHub Actions parity # amd64-only: catthehacker/ubuntu:act-24.04 does not publish arm64 manifests build-agent-act: @@ -346,7 +406,7 @@ jobs: release: name: Create Release runs-on: ubuntu-latest - needs: [bump-version, build-squid, build-agent, build-api-proxy, build-agent-act] + needs: [bump-version, build-squid, build-agent, build-api-proxy, build-cli-proxy, build-agent-act] steps: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 diff --git a/docs/releasing.md b/docs/releasing.md index d9e7587d..6930b895 100644 --- a/docs/releasing.md +++ b/docs/releasing.md @@ -49,6 +49,7 @@ Once the workflow completes: - `squid:` and `squid:latest` - `agent:` and `agent:latest` - `api-proxy:` and `api-proxy:latest` + - `cli-proxy:` and `cli-proxy:latest` - `agent-act:` and `agent-act:latest` (GitHub Actions parity image) ## Release Artifacts @@ -66,6 +67,7 @@ Docker images are published to `ghcr.io/github/gh-aw-firewall`: - `squid:` and `squid:latest` - Squid proxy container - `agent:` and `agent:latest` - Agent execution environment (minimal, ~200MB) - `api-proxy:` and `api-proxy:latest` - API proxy sidecar for credential isolation +- `cli-proxy:` and `cli-proxy:latest` - CLI proxy sidecar for gh CLI access via mcpg DIFC proxy - `agent-act:` and `agent-act:latest` - Agent with GitHub Actions parity (~2GB) These images are automatically pulled by the CLI when running commands. @@ -100,6 +102,7 @@ pkg . --targets node18-linux-x64 --output release/awf docker build -t awf-test/squid:local ./containers/squid docker build -t awf-test/agent:local ./containers/agent docker build -t awf-test/api-proxy:local ./containers/api-proxy +docker build -t awf-test/cli-proxy:local ./containers/cli-proxy # Test with local images sudo ./dist/cli.js \ @@ -141,7 +144,7 @@ If users report that Docker images can't be pulled: To make packages public: 1. Go to repository **Packages** page -2. Click on the package (squid, agent, api-proxy, or agent-act) +2. Click on the package (squid, agent, api-proxy, cli-proxy, or agent-act) 3. Go to **Package settings** 4. Change visibility to **Public**