diff --git a/.github/workflows/contribution-check.lock.yml b/.github/workflows/contribution-check.lock.yml index f9dd2c577ea..3c30a7f91ae 100644 --- a/.github/workflows/contribution-check.lock.yml +++ b/.github/workflows/contribution-check.lock.yml @@ -776,8 +776,6 @@ jobs: /tmp/gh-aw/sandbox/agent/logs/ /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ - /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index 56a463522c4..ee4eb2ec215 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml @@ -339,15 +339,6 @@ jobs: run: bash ${RUNNER_TEMP}/gh-aw/actions/configure_gh_for_ghe.sh env: GH_TOKEN: ${{ github.token }} - - name: Start DIFC proxy for pre-agent gh calls - env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - GITHUB_SERVER_URL: ${{ github.server_url }} - run: | - bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"approved","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.8' - - name: Set GH_REPO for proxied steps - run: | - echo "GH_REPO=${GITHUB_REPOSITORY}" >> "$GITHUB_ENV" - name: Setup jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" - name: Install gh CLI @@ -439,10 +430,6 @@ jobs: GH_AW_BLOCKED_USERS_VAR: ${{ vars.GH_AW_GITHUB_BLOCKED_USERS || '' }} GH_AW_APPROVAL_LABELS_VAR: ${{ vars.GH_AW_GITHUB_APPROVAL_LABELS || '' }} run: bash ${RUNNER_TEMP}/gh-aw/actions/parse_guard_list.sh - - name: Stop DIFC proxy - if: always() - continue-on-error: true - run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Download container images run: bash ${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.25.3 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.3 ghcr.io/github/gh-aw-firewall/squid:0.25.3 ghcr.io/github/gh-aw-mcpg:v0.2.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config @@ -899,8 +886,6 @@ jobs: /tmp/gh-aw/mcp-config/logs/ /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ - /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml index 7b796669949..cf28d21f938 100644 --- a/.github/workflows/discussion-task-miner.lock.yml +++ b/.github/workflows/discussion-task-miner.lock.yml @@ -813,8 +813,6 @@ jobs: /tmp/gh-aw/sandbox/agent/logs/ /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ - /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml index 11f9dda5072..566a874ebfc 100644 --- a/.github/workflows/grumpy-reviewer.lock.yml +++ b/.github/workflows/grumpy-reviewer.lock.yml @@ -858,8 +858,6 @@ jobs: /tmp/gh-aw/mcp-config/logs/ /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ - /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index d57c4e6010d..bb3d6787b43 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -306,15 +306,6 @@ jobs: run: bash ${RUNNER_TEMP}/gh-aw/actions/configure_gh_for_ghe.sh env: GH_TOKEN: ${{ github.token }} - - name: Start DIFC proxy for pre-agent gh calls - env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - GITHUB_SERVER_URL: ${{ github.server_url }} - run: | - bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"approved","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.8' - - name: Set GH_REPO for proxied steps - run: | - echo "GH_REPO=${GITHUB_REPOSITORY}" >> "$GITHUB_ENV" - name: Setup jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" - env: @@ -364,10 +355,6 @@ jobs: GH_AW_BLOCKED_USERS_VAR: ${{ vars.GH_AW_GITHUB_BLOCKED_USERS || '' }} GH_AW_APPROVAL_LABELS_VAR: ${{ vars.GH_AW_GITHUB_APPROVAL_LABELS || '' }} run: bash ${RUNNER_TEMP}/gh-aw/actions/parse_guard_list.sh - - name: Stop DIFC proxy - if: always() - continue-on-error: true - run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Download container images run: bash ${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.25.3 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.3 ghcr.io/github/gh-aw-firewall/squid:0.25.3 ghcr.io/github/gh-aw-mcpg:v0.2.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config @@ -813,8 +800,6 @@ jobs: /tmp/gh-aw/mcp-config/logs/ /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ - /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index a7121132ff8..1818ef73fdb 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -1125,8 +1125,6 @@ jobs: /tmp/gh-aw/sandbox/agent/logs/ /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ - /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml index c40515d9358..00fc993dd9e 100644 --- a/.github/workflows/issue-triage-agent.lock.yml +++ b/.github/workflows/issue-triage-agent.lock.yml @@ -725,8 +725,6 @@ jobs: /tmp/gh-aw/sandbox/agent/logs/ /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ - /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index 5d4b85f1527..ec57b834f20 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml @@ -825,8 +825,6 @@ jobs: /tmp/gh-aw/sandbox/agent/logs/ /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ - /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index 61ce656d52e..d5b11983b29 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -817,8 +817,6 @@ jobs: /tmp/gh-aw/sandbox/agent/logs/ /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ - /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml index fb39825b8d3..ceab9e306a9 100644 --- a/.github/workflows/pr-triage-agent.lock.yml +++ b/.github/workflows/pr-triage-agent.lock.yml @@ -803,8 +803,6 @@ jobs: /tmp/gh-aw/sandbox/agent/logs/ /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ - /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/refiner.lock.yml b/.github/workflows/refiner.lock.yml index 15399821d38..29ce23bfbdf 100644 --- a/.github/workflows/refiner.lock.yml +++ b/.github/workflows/refiner.lock.yml @@ -786,8 +786,6 @@ jobs: /tmp/gh-aw/sandbox/agent/logs/ /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ - /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index 25be8c2e955..926cd4c4275 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -1063,8 +1063,6 @@ jobs: path: | /tmp/gh-aw/aw-prompts/prompt.txt /tmp/gh-aw/mcp-logs/ - /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/smoke-agent-all-merged.lock.yml b/.github/workflows/smoke-agent-all-merged.lock.yml index 13348da036f..cc64687c54e 100644 --- a/.github/workflows/smoke-agent-all-merged.lock.yml +++ b/.github/workflows/smoke-agent-all-merged.lock.yml @@ -757,8 +757,6 @@ jobs: /tmp/gh-aw/mcp-config/logs/ /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ - /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/smoke-agent-all-none.lock.yml b/.github/workflows/smoke-agent-all-none.lock.yml index 18553848fda..aa9ca556a86 100644 --- a/.github/workflows/smoke-agent-all-none.lock.yml +++ b/.github/workflows/smoke-agent-all-none.lock.yml @@ -757,8 +757,6 @@ jobs: /tmp/gh-aw/mcp-config/logs/ /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ - /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/smoke-agent-public-approved.lock.yml b/.github/workflows/smoke-agent-public-approved.lock.yml index ad64d40f03d..356c0880055 100644 --- a/.github/workflows/smoke-agent-public-approved.lock.yml +++ b/.github/workflows/smoke-agent-public-approved.lock.yml @@ -783,8 +783,6 @@ jobs: /tmp/gh-aw/mcp-config/logs/ /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ - /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/smoke-agent-public-none.lock.yml b/.github/workflows/smoke-agent-public-none.lock.yml index be7c454cb3b..947728488fa 100644 --- a/.github/workflows/smoke-agent-public-none.lock.yml +++ b/.github/workflows/smoke-agent-public-none.lock.yml @@ -757,8 +757,6 @@ jobs: /tmp/gh-aw/mcp-config/logs/ /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ - /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/smoke-agent-scoped-approved.lock.yml b/.github/workflows/smoke-agent-scoped-approved.lock.yml index 4802a37449f..f10dd749671 100644 --- a/.github/workflows/smoke-agent-scoped-approved.lock.yml +++ b/.github/workflows/smoke-agent-scoped-approved.lock.yml @@ -761,8 +761,6 @@ jobs: /tmp/gh-aw/mcp-config/logs/ /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ - /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index 2f7d4f07f6e..5c1f1f57cc2 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml @@ -337,15 +337,6 @@ jobs: run: bash ${RUNNER_TEMP}/gh-aw/actions/configure_gh_for_ghe.sh env: GH_TOKEN: ${{ github.token }} - - name: Start DIFC proxy for pre-agent gh calls - env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - GITHUB_SERVER_URL: ${{ github.server_url }} - run: | - bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"approved","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.8' - - name: Set GH_REPO for proxied steps - run: | - echo "GH_REPO=${GITHUB_REPOSITORY}" >> "$GITHUB_ENV" - name: Setup Python environment run: "# Create working directory for Python scripts\nmkdir -p /tmp/gh-aw/python\nmkdir -p /tmp/gh-aw/python/data\nmkdir -p /tmp/gh-aw/python/charts\nmkdir -p /tmp/gh-aw/python/artifacts\n\necho \"Python environment setup complete\"\necho \"Working directory: /tmp/gh-aw/python\"\necho \"Data directory: /tmp/gh-aw/python/data\"\necho \"Charts directory: /tmp/gh-aw/python/charts\"\necho \"Artifacts directory: /tmp/gh-aw/python/artifacts\"\n" - name: Install Python scientific libraries @@ -456,10 +447,6 @@ jobs: GH_AW_BLOCKED_USERS_VAR: ${{ vars.GH_AW_GITHUB_BLOCKED_USERS || '' }} GH_AW_APPROVAL_LABELS_VAR: ${{ vars.GH_AW_GITHUB_APPROVAL_LABELS || '' }} run: bash ${RUNNER_TEMP}/gh-aw/actions/parse_guard_list.sh - - name: Stop DIFC proxy - if: always() - continue-on-error: true - run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Download container images run: bash ${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.25.3 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.3 ghcr.io/github/gh-aw-firewall/squid:0.25.3 ghcr.io/github/gh-aw-mcpg:v0.2.8 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config @@ -895,8 +882,6 @@ jobs: /tmp/gh-aw/sandbox/agent/logs/ /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ - /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/weekly-blog-post-writer.lock.yml b/.github/workflows/weekly-blog-post-writer.lock.yml index c44bae78962..3d41d62bf1d 100644 --- a/.github/workflows/weekly-blog-post-writer.lock.yml +++ b/.github/workflows/weekly-blog-post-writer.lock.yml @@ -931,8 +931,6 @@ jobs: /tmp/gh-aw/sandbox/agent/logs/ /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ - /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl @@ -1260,12 +1258,6 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - - name: Start DIFC proxy for pre-agent gh calls - env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - GITHUB_SERVER_URL: ${{ github.server_url }} - run: | - bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"approved","repos":["github/gh-aw"]}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.8' - name: Restore qmd index from cache id: qmd-cache-restore uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 @@ -1312,10 +1304,6 @@ jobs: with: key: gh-aw-qmd-2.0.1-${{ github.run_id }} path: /tmp/gh-aw/qmd-index/ - - name: Stop DIFC proxy - if: always() - continue-on-error: true - run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh push_repo_memory: needs: diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index 98ed69c6fc2..f5af202b3d3 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -805,8 +805,6 @@ jobs: /tmp/gh-aw/sandbox/agent/logs/ /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ - /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml index fc1e89a06d7..9a81007d9f0 100644 --- a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml +++ b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml @@ -735,8 +735,6 @@ jobs: /tmp/gh-aw/sandbox/agent/logs/ /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ - /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index c71655cdbbd..aa6c74c7e5e 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml @@ -812,8 +812,6 @@ jobs: /tmp/gh-aw/sandbox/agent/logs/ /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ - /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/pkg/constants/constants.go b/pkg/constants/constants.go index 1df988c3193..9412ca76078 100644 --- a/pkg/constants/constants.go +++ b/pkg/constants/constants.go @@ -708,6 +708,11 @@ const ( // When enabled: no secret validation step is generated, copilot-requests: write permission is added, // and the GitHub Actions token is used as the agentic engine secret. CopilotRequestsFeatureFlag FeatureFlag = "copilot-requests" + // DIFCProxyFeatureFlag is the feature flag name for enabling the DIFC proxy. + // When enabled, the compiler injects DIFC proxy steps (start/stop) around pre-agent + // gh CLI steps and qmd indexing steps when guard policies are configured. + // By default (flag absent), DIFC proxy steps are not emitted. + DIFCProxyFeatureFlag FeatureFlag = "difc-proxy" ) // Step IDs for pre-activation job diff --git a/pkg/constants/constants_test.go b/pkg/constants/constants_test.go index b932c2a8961..2afe4b85773 100644 --- a/pkg/constants/constants_test.go +++ b/pkg/constants/constants_test.go @@ -327,6 +327,7 @@ func TestFeatureFlagConstants(t *testing.T) { {"MCPScriptsFeatureFlag", MCPScriptsFeatureFlag, "mcp-scripts"}, {"MCPGatewayFeatureFlag", MCPGatewayFeatureFlag, "mcp-gateway"}, {"DisableXPIAPromptFeatureFlag", DisableXPIAPromptFeatureFlag, "disable-xpia-prompt"}, + {"DIFCProxyFeatureFlag", DIFCProxyFeatureFlag, "difc-proxy"}, } for _, tt := range tests { diff --git a/pkg/workflow/compiler_difc_proxy.go b/pkg/workflow/compiler_difc_proxy.go index c6ef82c3051..f9a0401a012 100644 --- a/pkg/workflow/compiler_difc_proxy.go +++ b/pkg/workflow/compiler_difc_proxy.go @@ -68,11 +68,16 @@ import ( var difcProxyLog = logger.New("workflow:difc_proxy") // hasDIFCGuardsConfigured returns true if the GitHub tool has explicit guard policies configured -// (min-integrity is set). This is the base condition for DIFC proxy injection. +// (min-integrity is set) AND the "difc-proxy" feature flag is enabled. +// This is the base condition for DIFC proxy injection. func hasDIFCGuardsConfigured(data *WorkflowData) bool { if data == nil { return false } + if !isFeatureEnabled(constants.DIFCProxyFeatureFlag, data) { + difcProxyLog.Print("difc-proxy feature flag not enabled, skipping DIFC proxy injection") + return false + } githubTool, hasGitHub := data.Tools["github"] if !hasGitHub || githubTool == false { return false diff --git a/pkg/workflow/compiler_difc_proxy_test.go b/pkg/workflow/compiler_difc_proxy_test.go index 309e90f82f4..f47281a0d05 100644 --- a/pkg/workflow/compiler_difc_proxy_test.go +++ b/pkg/workflow/compiler_difc_proxy_test.go @@ -65,7 +65,7 @@ func TestHasDIFCProxyNeeded(t *testing.T) { desc: "guard policy without GH_TOKEN pre-agent steps should not trigger proxy", }, { - name: "guard policy + custom steps with GH_TOKEN", + name: "guard policy + custom steps with GH_TOKEN but feature flag disabled", data: &WorkflowData{ Tools: map[string]any{ "github": map[string]any{ @@ -74,8 +74,22 @@ func TestHasDIFCProxyNeeded(t *testing.T) { }, CustomSteps: "steps:\n - name: Fetch issues\n env:\n GH_TOKEN: ${{ github.token }}\n run: gh issue list", }, + expected: false, + desc: "feature flag absent → proxy not triggered even when guard policy and GH_TOKEN present", + }, + { + name: "guard policy + custom steps with GH_TOKEN + feature flag enabled", + data: &WorkflowData{ + Tools: map[string]any{ + "github": map[string]any{ + "min-integrity": "approved", + }, + }, + CustomSteps: "steps:\n - name: Fetch issues\n env:\n GH_TOKEN: ${{ github.token }}\n run: gh issue list", + Features: map[string]any{"difc-proxy": true}, + }, expected: true, - desc: "guard policy + custom steps with GH_TOKEN should trigger proxy", + desc: "guard policy + custom steps with GH_TOKEN + difc-proxy feature flag should trigger proxy", }, { name: "guard policy + repo-memory configured", @@ -94,7 +108,7 @@ func TestHasDIFCProxyNeeded(t *testing.T) { desc: "guard policy + repo-memory should NOT trigger proxy: repo-memory clones use direct git URLs, not GH_HOST", }, { - name: "guard policy with allowed-repos + custom steps with GH_TOKEN", + name: "guard policy with allowed-repos + custom steps with GH_TOKEN + feature flag enabled", data: &WorkflowData{ Tools: map[string]any{ "github": map[string]any{ @@ -103,9 +117,10 @@ func TestHasDIFCProxyNeeded(t *testing.T) { }, }, CustomSteps: "steps:\n - name: Fetch PRs\n env:\n GH_TOKEN: ${{ secrets.MY_TOKEN }}\n run: gh pr list", + Features: map[string]any{"difc-proxy": true}, }, expected: true, - desc: "allowed-repos + min-integrity + GH_TOKEN custom steps should trigger proxy", + desc: "allowed-repos + min-integrity + GH_TOKEN custom steps + difc-proxy flag should trigger proxy", }, } @@ -291,6 +306,7 @@ func TestGenerateStartDIFCProxyStep(t *testing.T) { }, CustomSteps: "steps:\n - name: Fetch\n env:\n GH_TOKEN: ${{ github.token }}\n run: gh issue list", SandboxConfig: &SandboxConfig{}, + Features: map[string]any{"difc-proxy": true}, } ensureDefaultMCPGatewayConfig(data) c.generateStartDIFCProxyStep(&yaml, data) @@ -333,6 +349,7 @@ func TestGenerateStopDIFCProxyStep(t *testing.T) { }, CustomSteps: "steps:\n - name: Fetch\n env:\n GH_TOKEN: ${{ github.token }}\n run: gh issue list", SandboxConfig: &SandboxConfig{}, + Features: map[string]any{"difc-proxy": true}, } c.generateStopDIFCProxyStep(&yaml, data) @@ -361,6 +378,7 @@ func TestDIFCProxyLogPaths(t *testing.T) { "github": map[string]any{"min-integrity": "approved"}, }, CustomSteps: "steps:\n - name: Fetch\n env:\n GH_TOKEN: ${{ github.token }}\n run: gh issue list", + Features: map[string]any{"difc-proxy": true}, } paths := difcProxyLogPaths(data) require.Len(t, paths, 2, "should return include path and exclusion path") @@ -376,6 +394,8 @@ func TestDIFCProxyStepOrderInCompiledWorkflow(t *testing.T) { workflow := `--- on: issues engine: copilot +features: + difc-proxy: true tools: github: mode: local @@ -486,6 +506,41 @@ Test that DIFC proxy is NOT injected when min-integrity is not set. "compiled workflow should NOT contain proxy stop step without guard policy") } +// TestDIFCProxyNotInjectedWithoutFeatureFlag verifies no proxy injection when +// guard policies are configured but the "difc-proxy" feature flag is absent. +func TestDIFCProxyNotInjectedWithoutFeatureFlag(t *testing.T) { + workflow := `--- +on: issues +engine: copilot +tools: + github: + mode: local + toolsets: [default] + min-integrity: approved +steps: + - name: Fetch repo data + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: gh issue list +--- + +# Test Workflow + +Test that DIFC proxy is NOT injected when min-integrity is set but difc-proxy feature flag is absent. +` + compiler := NewCompiler() + data, err := compiler.ParseWorkflowString(workflow, "test-workflow.md") + require.NoError(t, err, "parsing should succeed") + + result, err := compiler.CompileToYAML(data, "test-workflow.md") + require.NoError(t, err, "compilation should succeed") + + assert.NotContains(t, result, "Start DIFC proxy", + "compiled workflow should NOT contain proxy start step without guard policy") + assert.NotContains(t, result, "Stop DIFC proxy", + "compiled workflow should NOT contain proxy stop step without guard policy") +} + // TestHasDIFCGuardsConfigured verifies the base guard policy check. func TestHasDIFCGuardsConfigured(t *testing.T) { tests := []struct { @@ -513,16 +568,24 @@ func TestHasDIFCGuardsConfigured(t *testing.T) { expected: false, }, { - name: "github tool with min-integrity", + name: "github tool with min-integrity but feature flag disabled", data: &WorkflowData{ Tools: map[string]any{ "github": map[string]any{"min-integrity": "approved"}, }, }, + expected: false, + }, + { + name: "github tool with min-integrity and feature flag enabled", + data: &WorkflowData{ + Tools: map[string]any{"github": map[string]any{"min-integrity": "approved"}}, + Features: map[string]any{"difc-proxy": true}, + }, expected: true, }, { - name: "github tool with allowed-repos and min-integrity", + name: "github tool with allowed-repos and min-integrity and feature flag enabled", data: &WorkflowData{ Tools: map[string]any{ "github": map[string]any{ @@ -530,6 +593,7 @@ func TestHasDIFCGuardsConfigured(t *testing.T) { "min-integrity": "merged", }, }, + Features: map[string]any{"difc-proxy": true}, }, expected: true, }, @@ -575,6 +639,7 @@ func TestDIFCProxyInjectedInIndexingJob(t *testing.T) { }, QmdConfig: &QmdToolConfig{}, SandboxConfig: &SandboxConfig{}, + Features: map[string]any{"difc-proxy": true}, } ensureDefaultMCPGatewayConfig(data) @@ -601,6 +666,7 @@ func TestDIFCProxyInjectedInIndexingJob(t *testing.T) { CacheKey: "qmd-test", }, SandboxConfig: &SandboxConfig{}, + Features: map[string]any{"difc-proxy": true}, } ensureDefaultMCPGatewayConfig(data) @@ -693,6 +759,7 @@ func TestGenerateSetGHRepoAfterDIFCProxyStep(t *testing.T) { }, CustomSteps: "steps:\n - name: Fetch\n env:\n GH_TOKEN: ${{ github.token }}\n run: gh issue list", SandboxConfig: &SandboxConfig{}, + Features: map[string]any{"difc-proxy": true}, } c.generateSetGHRepoAfterDIFCProxyStep(&yaml, data)