Skip to content

Release v0.25.14

Latest
Latest

Choose a tag to compare

View all tags
@github-actions github-actions released this 07 Apr 01:30
· 1 commit to main since this release
v0.25.14
8dca831

What's Changed

Documentation

  • [docs] docs: document --session-state-dir flag and AWF_SESSION_STATE_DIR env var by @github-actions[bot] in #1600
  • [docs] docs: sync smoke-claude toolset and max-turns after token optimization by @github-actions[bot] in #1641

Other Changes

  • feat: add daily token optimization advisor workflows by @lpcox in #1620
  • fix: token analyzers should always run and close older issues by @lpcox in #1626
  • perf: exclude browser tools and reduce turns in smoke-copilot by @lpcox in #1625
  • docs: fix inaccuracies in CLI reference by @Copilot in #1611
  • docs: add missing subcommands to CLI reference (predownload, logs audit) by @Copilot in #1608
  • docs: add missing security and network flags to CLI reference by @Copilot in #1609
  • docs: add missing container configuration flags to CLI reference by @Copilot in #1610
  • docs: add API Proxy section to CLI reference by @Copilot in #1607
  • docs: document implicit CLI behaviors (localhost keyword, enterprise auto-detection) by @Copilot in #1612
  • feat(smoke-claude): trim unused tools to reduce token spend ~8% by @Copilot in #1631
  • fix: fast-kill agent container on SIGTERM/SIGINT before full cleanup by @Mossaka in #1623
  • perf: optimize doc-maintainer token usage (~27% reduction) by @lpcox in #1645
  • perf: optimize security-guard token usage by @lpcox in #1648
  • feat: add Google Gemini API proxy support (port 10003) by @lpcox in #1640
  • ⚡ Optimize secret-digger-copilot: remove unused tools, condense prompt, add emergency exit rule by @Copilot in #1661
  • ⚡ pelis-agent-factory-advisor: remove unused GitHub toolset, pre-fetch docs by @Copilot in #1680
  • Remove unused github network group from secret-audit to cut token usage ~66% by @Copilot in #1681
  • chore: upgrade gh-aw to v0.67.0 and recompile all workflows by @lpcox in #1686
  • ⚡ pelis-agent-factory-advisor: pre-fetch content, restrict tools, reduce prompt tokens (~21% token savings) by @Copilot in #1701
  • Fix Secret Digger (Copilot): reframe prompt to avoid safety policy false positive by @Copilot in #1704
  • docs: add environment variables section to CLI reference by @Mossaka in #1713
  • ⚡ Token optimization for pelis-agent-factory-advisor (~151K tokens/run, −11%) by @Copilot in #1718
  • Optimize security-review workflow: ~67% cost reduction, 55% fewer LLM turns by @Copilot in #1717
  • fix: enable color output when --tty flag is set by @Mossaka in #1714
  • feat: support npm install -g in agent container by @Mossaka in #1712
  • fix(smoke-services): add GitHub Actions services block and use --allow-host-service-ports by @Copilot in #1729
  • chore: upgrade workflows to gh-aw-actions v0.67.2 by @lpcox in #1731
  • feat: phase 1 – gh CLI proxy sidecar with mcpg DIFC proxy by @Copilot in #1730
  • test: add CLI proxy sidecar integration tests by @lpcox in #1734

Full Changelog: v0.25.13...v0.25.14

CLI Options

Usage: awf [options] [command] [args...]

Network firewall for agentic workflows with domain whitelisting

Arguments:
  args                                           Command and arguments to execute (use -- to separate from options)

Options:
    -V, --version                                  output the version number

  Domain Filtering:
    -d, --allow-domains <domains>                  Comma-separated list of allowed domains. Supports wildcards and protocol prefixes:
                                       github.com         - exact domain + subdomains (HTTP & HTTPS)
                                       *.github.qkg1.top       - any subdomain of github.com
                                       api-*.example.com  - api-* subdomains
                                       https://secure.com - HTTPS only
                                       http://legacy.com  - HTTP only
                                       localhost          - auto-configure for local testing (Playwright, etc.)
    --allow-domains-file <path>                    Path to file with allowed domains (one per line, supports # comments)
    --ruleset-file <path>                          YAML rule file for domain allowlisting (repeatable). Schema: version: 1, rules: [{domain, subdomains}] (default: [])
    --block-domains <domains>                      Comma-separated blocked domains (overrides allow list). Supports wildcards.
    --block-domains-file <path>                    Path to file with blocked domains (one per line, supports # comments)
    --ssl-bump                                     Enable SSL Bump for HTTPS content inspection (allows URL path filtering) (default: false)
    --allow-urls <urls>                            Comma-separated allowed URL patterns for HTTPS (requires --ssl-bump).
                                       Supports wildcards: https://github.com/myorg/*

  Image Management:
    -b, --build-local                              Build containers locally instead of using GHCR images (default: false)
    --agent-image <value>                          Agent container image (default: "default")
                                       Presets (pre-built, fast):
                                         default  - Minimal ubuntu:22.04 (~200MB)
                                         act      - GitHub Actions parity (~2GB)
                                       Custom base images (requires --build-local):
                                         ubuntu:XX.XX
                                         ghcr.io/catthehacker/ubuntu:runner-XX.XX
                                         ghcr.io/catthehacker/ubuntu:full-XX.XX
    --image-registry <registry>                    Container image registry (default: "ghcr.io/github/gh-aw-firewall")
    --image-tag <tag>                              Container image tag (applies to both squid and agent images)
                                       Image name varies by --agent-image preset:
                                         default → agent:<tag>
                                         act     → agent-act:<tag> (default: "latest")
    --skip-pull                                    Use local images without pulling from registry (requires pre-downloaded images) (default: false)

  Container Configuration:
    -e, --env <KEY=VALUE>                          Environment variable for the container (repeatable) (default: [])
    --env-all                                      Pass all host environment variables to container (excludes system vars like PATH) (default: false)
    --exclude-env <name>                           Exclude a specific environment variable from --env-all passthrough (repeatable) (default: [])
    --env-file <path>                              Read environment variables from a file (KEY=VALUE format, one per line)
    -v, --mount <host_path:container_path[:mode]>
                                                   Volume mount (repeatable). Format: host_path:container_path[:ro|rw] (default: [])
    --container-workdir <dir>                      Working directory inside the container
    --memory-limit <limit>                         Memory limit for the agent container (e.g., 4g, 6g, 8g, 512m). Default: 6g (default: "6g")
    --tty                                          Allocate a pseudo-TTY (required for interactive tools like Claude Code) (default: false)

  Network & Security:
    --dns-servers <servers>                        Comma-separated trusted DNS servers (auto-detected from host if omitted)
    --dns-over-https [resolver-url]                Enable DNS-over-HTTPS via sidecar proxy (default: https://dns.google/dns-query)
    --enable-host-access                           Enable access to host services via host.docker.internal (default: false)
    --allow-host-ports <ports>                     Ports/ranges to allow with --enable-host-access (default: 80,443).
                                       Example: 3000,8080 or 3000-3010,8000-8090
    --allow-host-service-ports <ports>             Ports to allow ONLY to host gateway (for GitHub Actions services).
                                       Bypasses dangerous port restrictions. Auto-enables host access.
                                       WARNING: Allowing port 22 grants SSH access to the host.
                                       Example: 5432,6379
    --enable-dind                                  Enable Docker-in-Docker by exposing host Docker socket.
                                       WARNING: allows firewall bypass via docker run (default: false)
    --enable-dlp                                   Enable DLP (Data Loss Prevention) scanning to block credential
                                       exfiltration in outbound request URLs. (default: false)

  API Proxy:
    --enable-api-proxy                             Enable API proxy sidecar for secure credential injection.
                                       Supports OpenAI (Codex) and Anthropic (Claude) APIs. (default: false)
    --copilot-api-target <host>                    Target hostname for Copilot API requests (default: api.githubcopilot.com)
    --openai-api-target <host>                     Target hostname for OpenAI API requests (default: api.openai.com)
    --openai-api-base-path <path>                  Base path prefix for OpenAI API requests (e.g. /serving-endpoints for Databricks)
    --anthropic-api-target <host>                  Target hostname for Anthropic API requests (default: api.anthropic.com)
    --anthropic-api-base-path <path>               Base path prefix for Anthropic API requests (e.g. /anthropic)
    --gemini-api-target <host>                     Target hostname for Gemini API requests (default: generativelanguage.googleapis.com)
    --gemini-api-base-path <path>                  Base path prefix for Gemini API requests
    --rate-limit-rpm <n>                           Max requests per minute per provider (requires --enable-api-proxy)
    --rate-limit-rph <n>                           Max requests per hour per provider (requires --enable-api-proxy)
    --rate-limit-bytes-pm <n>                      Max request bytes per minute per provider (requires --enable-api-proxy)
    --no-rate-limit                                Disable rate limiting in the API proxy (requires --enable-api-proxy)
    --enable-cli-proxy                             Enable gh CLI proxy sidecar for secure GitHub CLI access.
                                       Routes gh commands through mcpg DIFC proxy with guard policies.
                                       GH_TOKEN is held in the sidecar; never exposed to the agent. (default: false)
    --cli-proxy-writable                           Allow write operations through the CLI proxy (default: read-only) (default: false)
    --cli-proxy-policy <json>                      Guard policy JSON for the mcpg DIFC proxy inside the CLI proxy sidecar
                                       (e.g. '{"repos":["owner/repo"],"min-integrity":"public"}')
    --cli-proxy-mcpg-image <image>                 Docker image for the mcpg DIFC proxy used inside the CLI proxy sidecar
                                       (only used with --build-local; ignored when pulling pre-built GHCR images)
                                       Set by the AWF compiler to control which mcpg version is pulled and run (default: "ghcr.io/github/gh-aw-mcpg:v0.2.15")

  Logging & Debug:
    --log-level <level>                            Log level: debug, info, warn, error (default: "info")
    -k, --keep-containers                          Keep containers running after command exits (default: false)
    --agent-timeout <minutes>                      Maximum time in minutes for the agent command to run (default: no limit)
    --work-dir <dir>                               Working directory for temporary files (default: "/tmp/awf-1775525451770")
    --proxy-logs-dir <path>                        Directory to save Squid proxy access.log
    --audit-dir <path>                             Directory for firewall audit artifacts (configs, policy manifest, iptables state)
    --session-state-dir <path>                     Directory to save Copilot CLI session state (events.jsonl, session data)
    -h, --help                                     display help for command

Installation

One-Line Installer (Recommended)

Linux and macOS (x64 and ARM64) with automatic SHA verification:

curl -sSL https://raw.githubusercontent.com/github/gh-aw-firewall/main/install.sh | sudo bash

This installer:

  • Automatically detects your OS (Linux or macOS) and architecture (x86_64/aarch64/arm64)
  • Downloads the correct release binary
  • Verifies SHA256 checksum against checksums.txt
  • Validates the file is a valid executable (ELF on Linux, Mach-O on macOS)
  • Installs to /usr/local/bin/awf

Manual Binary Installation (Alternative)

Linux (x64):

curl -fL https://github.com/github/gh-aw-firewall/releases/download/v0.25.14/awf-linux-x64 -o awf
curl -fL https://github.com/github/gh-aw-firewall/releases/download/v0.25.14/checksums.txt -o checksums.txt
sha256sum -c checksums.txt --ignore-missing
chmod +x awf
sudo mv awf /usr/local/bin/

Linux (ARM64):

curl -fL https://github.com/github/gh-aw-firewall/releases/download/v0.25.14/awf-linux-arm64 -o awf
curl -fL https://github.com/github/gh-aw-firewall/releases/download/v0.25.14/checksums.txt -o checksums.txt
sha256sum -c checksums.txt --ignore-missing
chmod +x awf
sudo mv awf /usr/local/bin/

macOS (Apple Silicon / ARM64):

curl -fL https://github.com/github/gh-aw-firewall/releases/download/v0.25.14/awf-darwin-arm64 -o awf
curl -fL https://github.com/github/gh-aw-firewall/releases/download/v0.25.14/checksums.txt -o checksums.txt
shasum -a 256 -c checksums.txt --ignore-missing
chmod +x awf
sudo mv awf /usr/local/bin/

macOS (Intel / x64):

curl -fL https://github.com/github/gh-aw-firewall/releases/download/v0.25.14/awf-darwin-x64 -o awf
curl -fL https://github.com/github/gh-aw-firewall/releases/download/v0.25.14/checksums.txt -o checksums.txt
shasum -a 256 -c checksums.txt --ignore-missing
chmod +x awf
sudo mv awf /usr/local/bin/

NPM Installation (Alternative)

# Install from tarball
npm install -g https://github.com/github/gh-aw-firewall/releases/download/v0.25.14/awf.tgz

Quick Start

# Basic usage with domain whitelist
sudo awf --allow-domains github.com,api.github.com -- curl https://api.github.com

# Pass environment variables
sudo awf --allow-domains api.github.com -e GITHUB_TOKEN=xxx -- gh api /user

# Mount additional volumes
sudo awf --allow-domains github.com -v /my/data:/data:ro -- cat /data/file.txt

# Set working directory in container
sudo awf --allow-domains github.com --container-workdir /workspace -- pwd

See README.md for full documentation.

Container Images

Published to GitHub Container Registry:

  • ghcr.io/github/gh-aw-firewall/squid:0.25.14
  • ghcr.io/github/gh-aw-firewall/agent:0.25.14
  • ghcr.io/github/gh-aw-firewall/squid:latest
  • ghcr.io/github/gh-aw-firewall/agent:latest

Image Verification

All container images are cryptographically signed with cosign for authenticity verification.

# Verify image signature
cosign verify \
  --certificate-identity-regexp 'https://github.com/github/gh-aw-firewall/.*' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  ghcr.io/github/gh-aw-firewall/squid:0.25.14

For detailed instructions including SBOM verification, see docs/image-verification.md.

Contributors

Mossaka and lpcox
Assets 9
Loading