feat: update DIFC proxying to also proxy actions/github-script #22712
- Set GITHUB_API_URL, GITHUB_GRAPHQL_URL, and NODE_EXTRA_CA_CERTS in start_difc_proxy.sh so Octokit calls (actions/github-script) are routed through the proxy alongside gh CLI calls
- Restore those variables in stop_difc_proxy.sh
- Wrap qmd indexing steps with proxy start/stop in buildQmdIndexingJob when DIFC guards are configured
- Update compiler_difc_proxy.go package docs and add tests

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/10a7cf43-239c-4be2-9599-37abebe341cf
Pull request overview
Extends DIFC proxying to cover actions/github-script (Octokit) traffic by setting GITHUB_API_URL/GITHUB_GRAPHQL_URL and Node TLS trust, and updates qmd indexing to run behind the proxy when DIFC guards are configured.
Changes:
- Update DIFC proxy start/stop scripts to proxy Octokit API calls (REST + GraphQL) and configure Node.js CA trust.
- Wrap qmd indexing job steps with DIFC proxy start/stop when guard policies are configured.
- Add/extend tests verifying proxy injection behavior for the qmd indexing job.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| actions/setup/sh/start_difc_proxy.sh | Sets GITHUB_API_URL/GITHUB_GRAPHQL_URL and NODE_EXTRA_CA_CERTS so Octokit-based actions route via the proxy. |
| actions/setup/sh/stop_difc_proxy.sh | Restores API URL env vars and clears Node CA override when stopping the proxy. |
| pkg/workflow/qmd.go | Injects DIFC proxy start/stop around qmd indexing steps when DIFC guards are configured. |
| pkg/workflow/compiler_difc_proxy.go | Updates documentation to reflect expanded proxy scope and indexing job lifecycle. |
| pkg/workflow/compiler_difc_proxy_test.go | Adds test cases asserting proxy step injection (and absence) for qmd indexing jobs. |
| .github/workflows/weekly-blog-post-writer.lock.yml | Regenerates/updates locked workflow to include DIFC proxy steps around qmd indexing. |
| # Route gh CLI calls through the proxy. | ||
| echo "GH_HOST=localhost:18443" >> "$GITHUB_ENV" | ||
| git remote add proxy "https://localhost:18443/${GITHUB_REPOSITORY}.git" || true | ||
| # Route actions/github-script Octokit calls through the proxy. | ||
| # Save the originals so stop_difc_proxy.sh can restore them. | ||
| echo "GH_AW_ORIGINAL_GITHUB_API_URL=${GITHUB_API_URL:-}" >> "$GITHUB_ENV" | ||
| echo "GH_AW_ORIGINAL_GITHUB_GRAPHQL_URL=${GITHUB_GRAPHQL_URL:-}" >> "$GITHUB_ENV" | ||
| echo "GITHUB_API_URL=https://localhost:18443/api/v3" >> "$GITHUB_ENV" | ||
| echo "GITHUB_GRAPHQL_URL=https://localhost:18443/api/graphql" >> "$GITHUB_ENV" | ||
| # Trust the proxy TLS certificate from Node.js (used by actions/github-script). | ||
| echo "NODE_EXTRA_CA_CERTS=$PROXY_LOG_DIR/proxy-tls/ca.crt" >> "$GITHUB_ENV" |
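Review bot: the `NODE_EXTRA_CA_CERTS=$PROXY_LOG_DIR/proxy-tls/ca.crt` export is written without checking that the file exists and is readable at this point. Node does not fail on an unreadable NODE_EXTRA_CA_CERTS path; it prints a warning and keeps its default trust store, so if the proxy has not yet written its CA the problem surfaces later as a TLS verification error in actions/github-script against localhost:18443 rather than in this step. Suggest guarding the export, e.g. `[ -r "$PROXY_LOG_DIR/proxy-tls/ca.crt" ] || { echo "proxy CA missing" >&2; exit 1; }`, and documenting that, because it goes through $GITHUB_ENV, the variable applies to every Node process in subsequent steps, not only github-script. Separately, `git remote add proxy ... || true` swallows every failure, including a malformed GITHUB_REPOSITORY; if "remote already exists" is the only expected failure, test for that case instead of discarding the exit status.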
start_difc_proxy.sh now overrides GH_HOST and NODE_EXTRA_CA_CERTS but only saves/restores the original values for GITHUB_API_URL/GITHUB_GRAPHQL_URL. If the runner/job already had GH_HOST (e.g., GitHub Enterprise) or NODE_EXTRA_CA_CERTS set, stopping the proxy will currently clear them rather than restoring the prior values. Consider saving the originals (e.g., to GH_AW_ORIGINAL_GH_HOST and GH_AW_ORIGINAL_NODE_EXTRA_CA_CERTS) alongside the existing GH_AW_ORIGINAL_* vars so stop_difc_proxy.sh can restore them.
| # Clear the Node.js CA certs override set by start_difc_proxy.sh. | ||
| echo "NODE_EXTRA_CA_CERTS=" >> "$GITHUB_ENV" |
stop_difc_proxy.sh always clears NODE_EXTRA_CA_CERTS. Since start_difc_proxy.sh sets NODE_EXTRA_CA_CERTS globally for subsequent steps, this can unintentionally remove a pre-existing NODE_EXTRA_CA_CERTS value in the job. Prefer restoring NODE_EXTRA_CA_CERTS to its original value (saved by start_difc_proxy.sh) instead of unconditionally clearing it.
| # Clear the Node.js CA certs override set by start_difc_proxy.sh. | |
| echo "NODE_EXTRA_CA_CERTS=" >> "$GITHUB_ENV" | |
| # Restore the Node.js CA certs override only if it was set to the DIFC proxy CA | |
| # certificate. This preserves any pre-existing NODE_EXTRA_CA_CERTS value in the job. | |
| if [ "${NODE_EXTRA_CA_CERTS:-}" = "$DIFC_PROXY_CA_CERT" ]; then | |
| echo "NODE_EXTRA_CA_CERTS=${GH_AW_ORIGINAL_NODE_EXTRA_CA_CERTS:-}" >> "$GITHUB_ENV" | |
| fi |
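Review bot: the suggested replacement compares against `$DIFC_PROXY_CA_CERT` and restores from `$GH_AW_ORIGINAL_NODE_EXTRA_CA_CERTS`, but neither is defined by the scripts as shown: start_difc_proxy.sh writes the CA path literally as `$PROXY_LOG_DIR/proxy-tls/ca.crt` and saves originals only for GITHUB_API_URL and GITHUB_GRAPHQL_URL. As written the `if` condition is always false (and if the variable were set, the restore would always write an empty value), so the suggestion only works once start_difc_proxy.sh also exports the CA path under that name and records the original NODE_EXTRA_CA_CERTS alongside the other GH_AW_ORIGINAL_* values.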
Summary
Extends the DIFC proxy to also intercept `actions/github-script` (Octokit) API calls, and wraps qmd indexing steps with the proxy when DIFC guards are configured.

Previously, the proxy only set `GH_HOST=localhost:18443`, which routes `gh` CLI calls through the proxy. However, `actions/github-script` uses the `@actions/github` Octokit client which reads `GITHUB_API_URL` and `GITHUB_GRAPHQL_URL`, not `GH_HOST`, so those calls bypassed the DIFC proxy entirely.

Changes

`actions/setup/sh/start_difc_proxy.sh`
- Sets `GITHUB_API_URL=https://localhost:18443/api/v3` and `GITHUB_GRAPHQL_URL=https://localhost:18443/api/graphql` to route Octokit calls through the proxy
- Sets `NODE_EXTRA_CA_CERTS` so Node.js trusts the proxy's TLS certificate (required for `actions/github-script` to connect to `localhost:18443`)
- Saves the original `GITHUB_API_URL` and `GITHUB_GRAPHQL_URL` to `GH_AW_ORIGINAL_*` env vars so `stop_difc_proxy.sh` can restore them

`actions/setup/sh/stop_difc_proxy.sh`
- Restores `GITHUB_API_URL` and `GITHUB_GRAPHQL_URL` to their saved originals when stopping the proxy
- Clears `NODE_EXTRA_CA_CERTS`

`pkg/workflow/qmd.go`
- `buildQmdIndexingJob` now wraps qmd index-building steps with proxy start/stop when DIFC guards are configured (previously skipped because the proxy only set `GH_HOST`)

`pkg/workflow/compiler_difc_proxy.go`

`pkg/workflow/compiler_difc_proxy_test.go`
- Adds `TestDIFCProxyInjectedInIndexingJob` tests that verify `buildQmdIndexingJob` actually injects proxy steps when guard policies are configured, and does NOT inject them when no guard policy is set

Security Summary
No new vulnerabilities introduced. CodeQL found 0 alerts.
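The restore gap Copilot flags in both review comments above (GH_HOST and NODE_EXTRA_CA_CERTS are overridden but only the API URL variables are saved) and the GH_HOST versus GITHUB_API_URL/GITHUB_GRAPHQL_URL split explained in the Summary, worked through as an added shell example. This is not gh-aw's start_difc_proxy.sh or stop_difc_proxy.sh; it assumes the same proxy address (localhost:18443), CA path ($PROXY_LOG_DIR/proxy-tls/ca.crt) and GH_AW_ORIGINAL_<VAR> naming, and the function names (override_env, restore_env, apply_env_file, env_file_value) are hypothetical. It stands in for the Actions runner by re-exporting $GITHUB_ENV itself between "steps", and the scratch GITHUB_ENV, placeholder CA file and GHES-style pre-existing values are constructed. Every override is saved before it is written, every one is restored on stop, and a missing CA file fails the start step instead of letting Node fall back silently.

```shell
#!/bin/sh
# Added example, not gh-aw's scripts: save every env var the DIFC proxy overrides
# before overriding it, and restore all of them on stop. Assumed (hypothetical):
# proxy at localhost:18443, CA at "$PROXY_LOG_DIR/proxy-tls/ca.crt", and the
# GH_AW_ORIGINAL_<VAR> naming already used for the API URL variables.

# Append KEY=VALUE to $GITHUB_ENV; the Actions runner exports it to later steps.
set_env() {
  printf '%s=%s\n' "$1" "$2" >> "$GITHUB_ENV"
}

# Record the current value of the variable named $1 under GH_AW_ORIGINAL_$1,
# then override it with $2 (an empty original means "was not set").
override_env() {
  eval "cur=\${$1:-}"
  set_env "GH_AW_ORIGINAL_$1" "$cur"
  set_env "$1" "$2"
}

# Put the variable named $1 back to its recorded original (empty if it had none).
restore_env() {
  eval "orig=\${GH_AW_ORIGINAL_$1:-}"
  set_env "$1" "$orig"
}

difc_proxy_start() {
  proxy_host="localhost:18443"
  ca_cert="${PROXY_LOG_DIR:?PROXY_LOG_DIR must be set}/proxy-tls/ca.crt"
  # Fail closed: Node only warns and keeps its default trust store when
  # NODE_EXTRA_CA_CERTS points at an unreadable file, so github-script would
  # later fail TLS verification against localhost:18443 instead of failing here.
  if [ ! -r "$ca_cert" ]; then
    echo "DIFC proxy CA not readable at $ca_cert" >&2
    return 1
  fi
  override_env GH_HOST "$proxy_host"                                 # gh CLI
  override_env GITHUB_API_URL "https://$proxy_host/api/v3"           # Octokit REST
  override_env GITHUB_GRAPHQL_URL "https://$proxy_host/api/graphql"  # Octokit GraphQL
  override_env NODE_EXTRA_CA_CERTS "$ca_cert"                        # Node TLS trust
}

difc_proxy_stop() {
  for var in GH_HOST GITHUB_API_URL GITHUB_GRAPHQL_URL NODE_EXTRA_CA_CERTS; do
    restore_env "$var"
  done
}

# Stand-in for the runner: export every line of $GITHUB_ENV, in order, so the
# shell looks like the next job step (later writes win over earlier ones).
apply_env_file() {
  while IFS= read -r line; do
    export "${line%%=*}=${line#*=}"
  done < "$GITHUB_ENV"
}

# Value a later step would see for $1 according to the file alone.
env_file_value() {
  grep "^$1=" "$GITHUB_ENV" | tail -n 1 | cut -d= -f2-
}

# Demo with constructed inputs: a scratch GITHUB_ENV, a placeholder CA file
# (not a real certificate) and GHES-style pre-existing values.
GITHUB_ENV=$(mktemp); export GITHUB_ENV
PROXY_LOG_DIR=$(mktemp -d); export PROXY_LOG_DIR
mkdir -p "$PROXY_LOG_DIR/proxy-tls"
printf 'placeholder, not a real certificate\n' > "$PROXY_LOG_DIR/proxy-tls/ca.crt"
export GH_HOST=ghe.example.com
export GITHUB_API_URL=https://ghe.example.com/api/v3
export GITHUB_GRAPHQL_URL=https://ghe.example.com/api/graphql
export NODE_EXTRA_CA_CERTS=/etc/ssl/corp-ca.pem

difc_proxy_start              # step 1: start the proxy, write the overrides
apply_env_file                # step 2 sees the proxied values...
PROXIED_API_URL=$GITHUB_API_URL
difc_proxy_stop               # ...and stops the proxy, writing the restores
apply_env_file                # step 3 sees the pre-existing values again
echo "during: $PROXIED_API_URL / after: $GITHUB_API_URL, GH_HOST=$GH_HOST"
```

Because values written to $GITHUB_ENV only reach later steps, start and stop must run as separate steps, and restore_env relies on the GH_AW_ORIGINAL_* values being present in the stop step's environment. Writing `VAR=` does not unset a variable, it sets it to the empty string; gh, the @actions/github client and Node's NODE_EXTRA_CA_CERTS handling all treat an empty value as absent, which is why the restore of a previously unset variable is harmless here.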