Summary
Currently the DIFC proxy steps (Start / Set GH_REPO / Stop) in the agent job are only emitted when both conditions are met:
- Guard policies are configured (
tools.github.min-integrity is set)
- Pre-agent custom steps reference
GH_TOKEN (detected by hasPreAgentStepsWithGHToken())
This means the proxy is completely absent from compiled workflows that have guard policies but no custom steps with GH_TOKEN. If a workflow author later adds a custom step that uses GH_TOKEN, they must recompile to pick up the proxy — and there is no warning if they forget.
Proposed Change
Always emit the Start/Stop DIFC proxy steps in the agent job when guard policies are configured (hasDIFCGuardsConfigured() returns true), regardless of whether custom steps currently use GH_TOKEN.
The proxy will sit idle and harmless if no steps route traffic through it. When the integrity-proxy feature is active, the compiler should set the environment variables (GH_HOST, GITHUB_API_URL, GITHUB_GRAPHQL_URL, NODE_EXTRA_CA_CERTS) on the relevant steps to direct traffic into the proxy.
Current behavior
hasDIFCProxyNeeded() = hasDIFCGuardsConfigured() AND hasPreAgentStepsWithGHToken()
Only when both conditions are true are the Start/Stop/SetGHRepo steps emitted.
Desired behavior
// Always start/stop the proxy when guards are configured
shouldEmitProxy() = hasDIFCGuardsConfigured()
// Only set env vars on steps when the feature flag routes traffic through it
shouldSetProxyEnvVars() = hasDIFCGuardsConfigured() AND hasPreAgentStepsWithGHToken()
- Start DIFC proxy step: emitted when
hasDIFCGuardsConfigured() is true
- Stop DIFC proxy step: emitted when
hasDIFCGuardsConfigured() is true
- Set GH_REPO + proxy env vars on custom steps: only when steps actually use
GH_TOKEN
Benefits
- Simpler mental model: if you have guard policies, the proxy is always available
- Safer by default: adding a custom step with
GH_TOKEN automatically gets integrity filtering without needing a recompile to add the proxy
- No downside: an idle proxy container has negligible overhead on the runner
Affected Files
pkg/workflow/compiler_difc_proxy.go — decouple proxy lifecycle from hasPreAgentStepsWithGHToken(); split into shouldEmitProxy() vs shouldSetProxyEnvVars()pkg/workflow/compiler_yaml_main_job.go — call sites at lines 209, 216, 303pkg/workflow/compiler_difc_proxy_test.go — update tests for new gating logic- Lock files — recompile after change (
make recompile)
Summary
Currently the DIFC proxy steps (Start / Set GH_REPO / Stop) in the agent job are only emitted when both conditions are met:
tools.github.min-integrityis set)GH_TOKEN(detected byhasPreAgentStepsWithGHToken())This means the proxy is completely absent from compiled workflows that have guard policies but no custom steps with
GH_TOKEN. If a workflow author later adds a custom step that usesGH_TOKEN, they must recompile to pick up the proxy — and there is no warning if they forget.Proposed Change
Always emit the Start/Stop DIFC proxy steps in the agent job when guard policies are configured (
hasDIFCGuardsConfigured()returns true), regardless of whether custom steps currently useGH_TOKEN.The proxy will sit idle and harmless if no steps route traffic through it. When the integrity-proxy feature is active, the compiler should set the environment variables (
GH_HOST,GITHUB_API_URL,GITHUB_GRAPHQL_URL,NODE_EXTRA_CA_CERTS) on the relevant steps to direct traffic into the proxy.Current behavior
Only when both conditions are true are the Start/Stop/SetGHRepo steps emitted.
Desired behavior
hasDIFCGuardsConfigured()is truehasDIFCGuardsConfigured()is trueGH_TOKENBenefits
GH_TOKENautomatically gets integrity filtering without needing a recompile to add the proxyAffected Files
pkg/workflow/compiler_difc_proxy.go— decouple proxy lifecycle fromhasPreAgentStepsWithGHToken(); split intoshouldEmitProxy()vsshouldSetProxyEnvVars()pkg/workflow/compiler_yaml_main_job.go— call sites at lines 209, 216, 303pkg/workflow/compiler_difc_proxy_test.go— update tests for new gating logicmake recompile)