From 390738d9876a436255a5061d0a2cd017fba55105 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Sun, 19 Apr 2026 12:31:07 +0000 Subject: [PATCH] docs: update --image-tag documentation for digest-aware format Document the new digest-pinning format for --image-tag introduced in commit 52969fc. Updates the quick-reference table entry and the detailed section in cli-reference.md to describe the extended format: ,squid=sha256:...,agent=sha256:...,agent-act=sha256:...,api-proxy=sha256:...,cli-proxy=sha256:... Also updates the predownload subcommand table to mention all supported image keys and link to the main --image-tag section. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .../src/content/docs/reference/cli-reference.md | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/docs-site/src/content/docs/reference/cli-reference.md b/docs-site/src/content/docs/reference/cli-reference.md index 3ff03dde..8bf8a83c 100644 --- a/docs-site/src/content/docs/reference/cli-reference.md +++ b/docs-site/src/content/docs/reference/cli-reference.md @@ -33,7 +33,7 @@ awf [options] -- | `--work-dir ` | string | `/tmp/awf-` | Working directory for temporary files | | `--build-local` | flag | `false` | Build containers locally instead of pulling from registry | | `--image-registry ` | string | `ghcr.io/github/gh-aw-firewall` | Container image registry | -| `--image-tag ` | string | `latest` | Container image tag | +| `--image-tag ` | string | `latest` | Container image tag. Supports optional per-image digest pinning: `,squid=sha256:...,agent=sha256:...,agent-act=sha256:...,api-proxy=sha256:...,cli-proxy=sha256:...` | | `--skip-pull` | flag | `false` | Use local images without pulling from registry | | `-e, --env ` | string | `[]` | Environment variable (repeatable) | | `--env-all` | flag | `false` | Pass all host environment variables | 
@@ -333,7 +333,17 @@ Custom container image registry URL. ### `--image-tag ` -Container image tag to use. +Container image tag to use. Supports an optional digest-aware format for cryptographic image pinning: + +``` +,squid=sha256:...,agent=sha256:...,agent-act=sha256:...,api-proxy=sha256:...,cli-proxy=sha256:... +``` + +Digest keys correspond to each runtime container image. When a digest is provided, the image reference is pinned to `/:@`, preventing tag mutation attacks. The setup action's `image-tag` output produces this format automatically when `pull-images: true` is set. + +Which agent image key is used depends on the `--agent-image` preset: +- `default` → `agent` +- `act` → `agent-act` ### `--skip-pull` @@ -950,7 +960,7 @@ awf predownload [options] | Option | Type | Default | Description | |--------|------|---------|-------------| | `--image-registry ` | string | `ghcr.io/github/gh-aw-firewall` | Container image registry | -| `--image-tag ` | string | `latest` | Container image tag (applies to squid, agent, and api-proxy images) | +| `--image-tag ` | string | `latest` | Container image tag (applies to squid, agent, agent-act, api-proxy, and cli-proxy images). Supports optional digest metadata — see [`--image-tag`](#--image-tag-tag) for format details. | | `--agent-image ` | string | `default` | Agent image preset (`default`, `act`) or custom image | | `--enable-api-proxy` | flag | `false` | Also download the API proxy image |
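Review bot: In the quick-reference table hunk (the `--image-tag` row at @@ -33,7), the format string as shown opens with a bare comma (`,squid=sha256:...`), so the row does not show where the tag itself sits relative to the digest list, and it does not say whether a subset of the five keys is accepted. Suggest putting the tag placeholder first in a form that survives table rendering, and stating that each key may be omitted if that is the case. Consider linking to the detailed `--image-tag` section, as the predownload row does, instead of repeating the full key list inside a table cell.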
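Review bot: In the detailed `--image-tag` section hunk (@@ -333,7), the closing list maps only the `default` and `act` presets to a digest key, while the `--agent-image` row visible in the predownload table of this same file also allows a custom image; the section should say whether any digest key applies to a custom image or whether it is left unpinned. Related: "preventing tag mutation attacks" holds only for images whose key is supplied, so please state how an image without a digest key is resolved and what the CLI does with an unknown key or a malformed digest. The pinned-reference template also reads `/:@` with no component names, which leaves the reader unable to tell which part is the registry, image, tag and digest.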
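Review bot: In the predownload table hunk (@@ -950,7), "Supports optional digest metadata" does not say whether `awf predownload` pulls by digest when one is supplied, and it introduces a third term for what the other two hunks call "digest pinning" and the "digest-aware format". Suggest using one term throughout and stating explicitly whether predownload fetches the pinned reference. The row now says the tag applies to five images, but the `--enable-api-proxy` row just below describes the API proxy image as an opt-in download, so "applies to" can be misread as "downloads"; a short qualifier would avoid that. Please also confirm that the `#--image-tag-tag` anchor resolves on the built docs site.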