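# Action metadata. Nesting restored: `icon` and `color` belong under
# `branding`, not at the top level.
name: 'Setup AWF'
description: 'Install the Agentic Workflow Firewall (awf) CLI tool'
author: 'GitHub'
branding:
  icon: 'shield'
  color: 'blue'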
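inputs:
  # Release tag to install. The install step treats 'latest' (or an empty
  # value) as "resolve via the releases API"; any other value has to match
  # vMAJOR.MINOR.PATCH with an optional -prerelease suffix.
  version:
    description: 'Version to install (e.g., v1.0.0). Defaults to latest release.'
    required: false
    default: 'latest'
  # Inputs are strings: the pull step runs only when this is exactly 'true'.
  pull-images:
    description: 'Pull Docker images for the installed version. Set to "true" to pre-pull squid and agent images.'
    required: false
    default: 'false'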
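outputs:
  # Both outputs are forwarded from the step with id `install`, which writes
  # `version` and `image_tag` to $GITHUB_OUTPUT.
  version:
    description: 'The version of awf that was installed'
    value: ${{ steps.install.outputs.version }}
  image-tag:
    description: 'The image tag that matches the installed version (without the v prefix)'
    value: ${{ steps.install.outputs.image_tag }}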
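# Composite action: check the runner, install a checksum-verified awf binary,
# then optionally pre-pull the matching container images.
runs:
  using: 'composite'
  steps:
    - name: Validate runner OS and architecture
      shell: bash
      run: |
        if [ "$RUNNER_OS" != "Linux" ]; then
          echo "::error::This action only supports Linux runners. Current OS: $RUNNER_OS"
          exit 1
        fi

        # Validate architecture (only x64 is supported)
        ARCH=$(uname -m)
        if [ "$ARCH" != "x86_64" ] && [ "$ARCH" != "amd64" ]; then
          echo "::error::This action only supports x64 architecture. Current architecture: $ARCH"
          exit 1
        fi

    - name: Install awf
      id: install
      shell: bash
      env:
        # The input reaches the script as an environment variable instead of
        # being interpolated into the script text, so it is never parsed as
        # shell source.
        INPUT_VERSION: ${{ inputs.version }}
      run: |
        set -euo pipefail

        REPO="github/gh-aw-firewall"
        BINARY_NAME="awf-linux-x64"
        INSTALL_DIR="${RUNNER_TEMP}/awf-bin"

        # Create install directory
        mkdir -p "$INSTALL_DIR"

        # Determine version
        if [ "$INPUT_VERSION" = "latest" ] || [ -z "$INPUT_VERSION" ]; then
          echo "Fetching latest release version..."
          # Use jq if available, fallback to grep/sed
          if command -v jq &> /dev/null; then
            VERSION=$(curl -fsSL "https://api.github.com/repos/${REPO}/releases/latest" | jq -r '.tag_name')
          else
            VERSION=$(curl -fsSL "https://api.github.com/repos/${REPO}/releases/latest" | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/')
          fi

          if [ -z "$VERSION" ] || [ "$VERSION" = "null" ]; then
            echo "::error::Failed to fetch latest version from GitHub API"
            exit 1
          fi
          echo "Latest version: $VERSION"
        else
          VERSION="$INPUT_VERSION"
        fi

        # Validate version format (supports v1.0.0, v1.0.0-beta.1, v1.0.0-rc.1, etc.)
        # The check covers both the caller-supplied value and the tag returned
        # by the API, because either one ends up in $GITHUB_OUTPUT and in the
        # download URL. It uses a bash whole-string match rather than grep:
        # grep is line-oriented, so a multi-line value would pass as soon as
        # one of its lines matched, and the remaining lines would be appended
        # to $GITHUB_OUTPUT as extra key=value entries.
        VERSION_PATTERN='^v[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.]+)?$'
        if [[ ! "$VERSION" =~ $VERSION_PATTERN ]]; then
          # %q keeps the rejected value on one line so it cannot start a new
          # workflow command in the log.
          echo "::error::Invalid version format: $(printf '%q' "$VERSION"). Expected format: v1.0.0 or v1.0.0-beta.1"
          exit 1
        fi

        echo "version=$VERSION" >> "$GITHUB_OUTPUT"

        # Extract image tag (version without 'v' prefix)
        IMAGE_TAG="${VERSION#v}"
        echo "image_tag=$IMAGE_TAG" >> "$GITHUB_OUTPUT"

        # Download URLs
        BASE_URL="https://github.com/${REPO}/releases/download/${VERSION}"
        BINARY_URL="${BASE_URL}/${BINARY_NAME}"
        CHECKSUMS_URL="${BASE_URL}/checksums.txt"

        # Download binary
        echo "Downloading awf ${VERSION}..."
        if ! curl -fsSL "$BINARY_URL" -o "$INSTALL_DIR/awf"; then
          echo "::error::Failed to download binary from $BINARY_URL"
          exit 1
        fi

        # Download checksums
        # NOTE(review): checksums.txt comes from the same release as the
        # binary, so the comparison below catches a corrupted or truncated
        # download but is not an independent trust anchor. Anyone able to
        # replace the release asset can replace its checksum as well.
        echo "Downloading checksums..."
        if ! curl -fsSL "$CHECKSUMS_URL" -o "$INSTALL_DIR/checksums.txt"; then
          echo "::error::Failed to download checksums from $CHECKSUMS_URL"
          exit 1
        fi

        # Verify checksum
        echo "Verifying SHA256 checksum..."

        # Validate checksums.txt format (should have "checksum filename" format)
        if ! grep -qE '^[a-fA-F0-9]{64} ' "$INSTALL_DIR/checksums.txt"; then
          echo "::error::checksums.txt has unexpected format"
          exit 1
        fi

        # Exact match on the filename column; only the first match is used.
        EXPECTED_SUM=$(awk -v fname="$BINARY_NAME" '$2 == fname {print $1; exit}' "$INSTALL_DIR/checksums.txt")

        if [ -z "$EXPECTED_SUM" ]; then
          echo "::error::Could not find checksum for $BINARY_NAME in checksums.txt"
          exit 1
        fi

        # Validate checksum format (64 hex characters)
        if ! echo "$EXPECTED_SUM" | grep -qE '^[a-fA-F0-9]{64}$'; then
          echo "::error::Invalid checksum format: $EXPECTED_SUM"
          exit 1
        fi

        # Normalize to lowercase for comparison
        EXPECTED_SUM=$(echo "$EXPECTED_SUM" | tr '[:upper:]' '[:lower:]')
        ACTUAL_SUM=$(sha256sum "$INSTALL_DIR/awf" | awk '{print $1}' | tr '[:upper:]' '[:lower:]')

        if [ "$EXPECTED_SUM" != "$ACTUAL_SUM" ]; then
          echo "::error::Checksum verification failed!"
          echo "Expected: $EXPECTED_SUM"
          echo "Got: $ACTUAL_SUM"
          exit 1
        fi

        echo "Checksum verification passed ✓"

        # Verify it's a valid ELF executable
        if ! file "$INSTALL_DIR/awf" | grep -q "ELF.*executable"; then
          echo "::error::Downloaded file is not a valid Linux executable"
          exit 1
        fi

        # Make executable (only after checksum and file-type checks passed)
        chmod +x "$INSTALL_DIR/awf"

        # Clean up checksums file
        rm -f "$INSTALL_DIR/checksums.txt"

        # Add to PATH
        echo "$INSTALL_DIR" >> "$GITHUB_PATH"

        echo "Successfully installed awf ${VERSION} to $INSTALL_DIR"
        echo "awf is now available in PATH for subsequent steps"

    - name: Pull Docker images
      if: ${{ inputs.pull-images == 'true' }}
      shell: bash
      env:
        IMAGE_TAG: ${{ steps.install.outputs.image_tag }}
      run: |
        set -euo pipefail

        REGISTRY="ghcr.io/github/gh-aw-firewall"

        echo "Pulling awf Docker images with tag: ${IMAGE_TAG}"

        # NOTE(review): when a pinned tag cannot be pulled, both pulls below
        # fall back to the mutable 'latest' tag. The images on the runner may
        # then not correspond to the installed binary, while the action's
        # image-tag output still reports the pinned tag. Callers that need
        # strict version pinning should treat the warning as a failure.

        # Pull squid image
        echo "Pulling ${REGISTRY}/squid:${IMAGE_TAG}..."
        if ! docker pull "${REGISTRY}/squid:${IMAGE_TAG}"; then
          echo "::warning::Failed to pull squid image with tag ${IMAGE_TAG}, trying 'latest'"
          docker pull "${REGISTRY}/squid:latest"
        fi

        # Pull agent image
        echo "Pulling ${REGISTRY}/agent:${IMAGE_TAG}..."
        if ! docker pull "${REGISTRY}/agent:${IMAGE_TAG}"; then
          echo "::warning::Failed to pull agent image with tag ${IMAGE_TAG}, trying 'latest'"
          docker pull "${REGISTRY}/agent:latest"
        fi

        echo "Docker images pulled successfully ✓"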