From 608db9b85671620b85bc876371df95615207e65e Mon Sep 17 00:00:00 2001 From: Don Syme Date: Mon, 16 Feb 2026 20:15:39 +0000 Subject: [PATCH 1/2] add new domains --- pkg/workflow/data/ecosystem_domains.json | 2 ++ pkg/workflow/domains_test.go | 34 ++++++++++++++++++++++++ 2 files changed, 36 insertions(+) diff --git a/pkg/workflow/data/ecosystem_domains.json b/pkg/workflow/data/ecosystem_domains.json index 72ac6eaf944..fa94451216d 100644 --- a/pkg/workflow/data/ecosystem_domains.json +++ b/pkg/workflow/data/ecosystem_domains.json @@ -55,6 +55,7 @@ "oneocsp.microsoft.com" ], "dart": ["pub.dev", "pub.dartlang.org"], + "fonts": ["fonts.googleapis.com", "fonts.gstatic.com"], "github": [ "*.githubusercontent.com", "raw.githubusercontent.com", @@ -134,6 +135,7 @@ "*.jsr.io", "registry.bower.io" ], + "node-cdns": ["cdn.jsdelivr.net"], "perl": ["cpan.org", "www.cpan.org", "metacpan.org", "cpan.metacpan.org"], "php": ["repo.packagist.org", "packagist.org", "getcomposer.org"], "playwright": ["playwright.download.prss.microsoft.com", "cdn.playwright.dev"], diff --git a/pkg/workflow/domains_test.go b/pkg/workflow/domains_test.go index 2d99a108d86..548194f2834 100644 --- a/pkg/workflow/domains_test.go +++ b/pkg/workflow/domains_test.go @@ -42,6 +42,25 @@ func TestGetDomainEcosystem(t *testing.T) { expected: "containers", }, + // Fonts ecosystem + { + name: "fonts ecosystem - fonts.googleapis.com", + domain: "fonts.googleapis.com", + expected: "fonts", + }, + { + name: "fonts ecosystem - fonts.gstatic.com", + domain: "fonts.gstatic.com", + expected: "fonts", + }, + + // Node CDNs ecosystem + { + name: "node-cdns ecosystem - cdn.jsdelivr.net", + domain: "cdn.jsdelivr.net", + expected: "node-cdns", + }, + // Container ecosystem wildcard matches { name: "containers ecosystem - docker.io subdomain", 
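Review bot: The `node-cdns` entry added in the `@@ -134,6 +135,7 @@` hunk allows `cdn.jsdelivr.net` as a whole host, which is broader than the "npm package CDN" label the workflow previously gave it. jsDelivr also serves files straight from public GitHub repositories, so a workflow that opts into this ecosystem lets the sandboxed agent fetch content that no registry curates. The JSON file cannot carry a comment, so the caveat belongs wherever the ecosystem identifiers are documented, for example `node-cdns: cdn.jsdelivr.net (serves arbitrary public npm and GitHub content; enable only when a workflow needs browser assets)`. Keeping the host out of `node`, as this change does, is the right default and is worth stating there too.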
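Review bot: The cases added to TestGetDomainEcosystem only assert that the three exact hosts map to their ecosystem; nothing pins that the match stays exact. Both JSON entries are literal hosts rather than wildcards, so a negative case such as `{name: "fonts ecosystem - parent domain not matched", domain: "googleapis.com", expected: ""}` would catch a matcher change that starts treating the entry as a pattern. The `""` assumes that is what the function returns for an unknown domain, which the table outside this hunk should confirm. The same gap is in the `@@ -467,6 +486,21 @@` hunk: the new TestGetAllowedDomains_VariousCombinations cases use only `expectContains`, so they would still pass if selecting `fonts` also pulled in unrelated domains. Both test functions begin and end outside the hunks shown.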
@@ -467,6 +486,21 @@ func TestGetAllowedDomains_VariousCombinations(t *testing.T) { allowed: []string{"defaults", "node", "containers"}, expectContains: []string{"json-schema.org", "registry.npmjs.org", "ghcr.io", "registry.hub.docker.com"}, }, + { + name: "fonts ecosystem", + allowed: []string{"fonts"}, + expectContains: []string{"fonts.googleapis.com", "fonts.gstatic.com"}, + }, + { + name: "node-cdns ecosystem", + allowed: []string{"node-cdns"}, + expectContains: []string{"cdn.jsdelivr.net"}, + }, + { + name: "node + node-cdns ecosystems", + allowed: []string{"node", "node-cdns"}, + expectContains: []string{"registry.npmjs.org", "cdn.jsdelivr.net"}, + }, { name: "single literal domain", allowed: []string{"example.com"}, From bc6ef89980387b96e87017309d96de236640561a Mon Sep 17 00:00:00 2001 From: Don Syme Date: Mon, 16 Feb 2026 20:15:57 +0000 Subject: [PATCH 2/2] add new domains --- .github/workflows/mcp-inspector.lock.yml | 101 +++++++++++++++++++---- .github/workflows/mcp-inspector.md | 5 +- 2 files changed, 85 insertions(+), 21 deletions(-) diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index 0425dea42ac..5638cef4181 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml @@ -13,7 +13,7 @@ # \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ # \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ # -# This file was automatically generated by gh-aw (v0.45.0). DO NOT EDIT. +# This file was automatically generated by gh-aw. DO NOT EDIT. # # To update this file, edit the corresponding .md file and run: # gh aw compile 
@@ -42,12 +42,12 @@ # - shared/mood.md # - shared/reporting.md # -# frontmatter-hash: a6921a13bb643abf9ba88fb54707b78ce0984ca06e486e3ddc30fc3a824293b2 +# frontmatter-hash: 0b3a36033c9a5a9f012dcaaadda443842af75df8d790b2999c8be7eb89bdfae6 name: "MCP Inspector Agent" "on": schedule: - - cron: "10 18 * * 1" + - cron: "35 18 * * 1" # Friendly format: weekly on monday around 18:00 (scattered) workflow_dispatch: @@ -67,8 +67,14 @@ jobs: comment_id: "" comment_repo: "" steps: + - name: Checkout actions folder + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + sparse-checkout: | + actions + persist-credentials: false - name: Setup Scripts - uses: github/gh-aw/actions/setup@58d1d157fbac0f1204798500faefc4f7461ebe28 # v0.45.0 + uses: ./actions/setup with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps 
@@ -110,14 +116,50 @@ jobs: output_types: ${{ steps.collect_output.outputs.output_types }} secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: + - name: Checkout actions folder + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + sparse-checkout: | + actions + persist-credentials: false - name: Setup Scripts - uses: github/gh-aw/actions/setup@58d1d157fbac0f1204798500faefc4f7461ebe28 # v0.45.0 + uses: ./actions/setup with: destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false + - name: Setup Go for CLI build + uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0 + with: + go-version-file: go.mod + cache: true + - name: Build gh-aw CLI + run: | + echo "Building gh-aw CLI for linux/amd64..." + mkdir -p dist + VERSION=$(git describe --tags --always --dirty) + CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \ + -ldflags "-s -w -X main.version=${VERSION}" \ + -o dist/gh-aw-linux-amd64 \ + ./cmd/gh-aw + # Copy binary to root for direct execution in user-defined steps + cp dist/gh-aw-linux-amd64 ./gh-aw + chmod +x ./gh-aw + echo "✓ Built gh-aw CLI successfully" + - name: Setup Docker Buildx + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 + - name: Build gh-aw Docker image + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + with: + context: . + platforms: linux/amd64 + push: false + load: true + tags: localhost/gh-aw:dev + build-args: | + BINARY=dist/gh-aw-linux-amd64 - name: Setup Node.js uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0 with: @@ -179,7 +221,6 @@ jobs: model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", agent_version: "0.0.410", - cli_version: "v0.45.0", workflow_name: "MCP Inspector Agent", experimental: false, supports_tools_allowlist: true, 
@@ -192,7 +233,7 @@ jobs: actor: context.actor, event_name: context.eventName, staged: false, - allowed_domains: ["defaults","containers","node","cdn.jsdelivr.net","fonts.googleapis.com","fonts.gstatic.com"], + allowed_domains: ["defaults","containers","node","node-cdns","fonts"], firewall_enabled: true, awf_version: "v0.19.0", awmg_version: "v0.1.4", @@ -230,7 +271,7 @@ jobs: const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh alpine:latest docker.io/mcp/brave-search ghcr.io/github/gh-aw-firewall/agent:0.19.0 ghcr.io/github/gh-aw-firewall/squid:0.19.0 ghcr.io/github/gh-aw-mcpg:v0.1.4 ghcr.io/github/github-mcp-server:v0.30.3 ghcr.io/github/serena-mcp-server:latest mcp/arxiv-mcp-server mcp/ast-grep:latest mcp/context7 mcp/markitdown mcp/memory mcp/notion node:lts-alpine python:alpine + run: bash /opt/gh-aw/actions/download_docker_images.sh docker.io/mcp/brave-search ghcr.io/github/gh-aw-firewall/agent:0.19.0 ghcr.io/github/gh-aw-firewall/squid:0.19.0 ghcr.io/github/gh-aw-mcpg:v0.1.4 ghcr.io/github/github-mcp-server:v0.30.3 ghcr.io/github/serena-mcp-server:latest mcp/arxiv-mcp-server mcp/ast-grep:latest mcp/context7 mcp/markitdown mcp/memory mcp/notion node:lts-alpine python:alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
@@ -540,10 +581,8 @@ jobs: "mcpServers": { "agenticworkflows": { "type": "stdio", - "container": "alpine:latest", - "entrypoint": "/opt/gh-aw/gh-aw", - "entrypointArgs": ["mcp-server", "--validate-actor"], - "mounts": ["/opt/gh-aw:/opt/gh-aw:ro", "/usr/bin/gh:/usr/bin/gh:ro", "\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw", "/tmp/gh-aw:/tmp/gh-aw:rw"], + "container": "localhost/gh-aw:dev", + "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw", "/tmp/gh-aw:/tmp/gh-aw:rw"], "args": ["--network", "host", "-w", "\${GITHUB_WORKSPACE}"], "env": { "DEBUG": "*", @@ -1164,8 +1203,14 @@ jobs: tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} total_count: ${{ steps.missing_tool.outputs.total_count }} steps: + - name: Checkout actions folder + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + sparse-checkout: | + actions + persist-credentials: false - name: Setup Scripts - uses: github/gh-aw/actions/setup@58d1d157fbac0f1204798500faefc4f7461ebe28 # v0.45.0 + uses: ./actions/setup with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -1248,15 +1293,22 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} steps: + - name: Checkout actions folder + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + sparse-checkout: | + actions + persist-credentials: false - name: Setup Scripts - uses: github/gh-aw/actions/setup@58d1d157fbac0f1204798500faefc4f7461ebe28 # v0.45.0 + uses: ./actions/setup with: destination: /opt/gh-aw/actions - name: Download agent artifacts 
@@ -1640,8 +1692,14 @@ jobs: process_safe_outputs_processed_count: ${{ steps.process_safe_outputs.outputs.processed_count }} process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: + - name: Checkout actions folder + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + sparse-checkout: | + actions + persist-credentials: false - name: Setup Scripts - uses: github/gh-aw/actions/setup@58d1d157fbac0f1204798500faefc4f7461ebe28 # v0.45.0 + uses: ./actions/setup with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -1675,10 +1733,17 @@ jobs: - detection if: always() && needs.detection.outputs.success == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read steps: + - name: Checkout actions folder + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + sparse-checkout: | + actions + persist-credentials: false - name: Setup Scripts - uses: github/gh-aw/actions/setup@58d1d157fbac0f1204798500faefc4f7461ebe28 # v0.45.0 + uses: ./actions/setup with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) diff --git a/.github/workflows/mcp-inspector.md b/.github/workflows/mcp-inspector.md index 07543a8c15d..6f78897ccaa 100644 --- a/.github/workflows/mcp-inspector.md +++ b/.github/workflows/mcp-inspector.md @@ -14,9 +14,8 @@ network: - defaults - containers - node - - "cdn.jsdelivr.net" # npm package CDN - - "fonts.googleapis.com" # Google Fonts API - - "fonts.gstatic.com" # Google Fonts static content + - node-cdns + - fonts sandbox: agent: awf # Firewall enabled (migrated from network.firewall) safe-outputs:
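Review bot: The regenerated mcp-inspector.lock.yml carries changes that this frontmatter edit does not explain: the only source change is swapping three literal hosts for `node-cdns` and `fonts`. Yet the lock file also moves two jobs from `permissions: {}` to `contents: read`, replaces the SHA-pinned `github/gh-aw/actions/setup@58d1d157fbac0f1204798500faefc4f7461ebe28` with `./actions/setup`, and runs the `agenticworkflows` MCP server from a locally built `localhost/gh-aw:dev` image with `--network host`. That looks like the file was compiled with a development build rather than the v0.45.0 release named in the old header. If so, recompile with the release compiler so this commit changes only `allowed_domains`, or land the mode switch separately where it can be reviewed on its own. The hunk also drops the inline comments saying what each host is for; `- node-cdns # cdn.jsdelivr.net` and `- fonts # fonts.googleapis.com, fonts.gstatic.com` would keep that visible (the frontmatter block continues outside this hunk).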