Skip to content

Releases: github/gh-aw-firewall

Release v0.27.22

Choose a tag to compare

@github-actions github-actions released this 02 Jul 15:31

What's Changed

Other Changes

  • fix: chmod squid logs inside container before compose down by @lpcox with @Copilot in #5817

Full Changelog: v0.27.21...v0.27.22

CLI Options

Usage: awf [options] [command] [args...]

Network firewall for agentic workflows with domain whitelisting

Arguments:
  args                                           Command and arguments to execute (use -- to separate from options)

Options:
    -V, --version                                  output the version number

  Configuration:
    --config <path>                                Path to AWF JSON/YAML config file (use "-" to read from stdin)

  Domain Filtering:
    -d, --allow-domains <domains>                  Comma-separated list of allowed domains. Supports wildcards and protocol prefixes:
                                       github.com         - exact domain + subdomains (HTTP & HTTPS)
                                       *.github.com       - any subdomain of github.com
                                       api-*.example.com  - api-* subdomains
                                       https://secure.com - HTTPS only
                                       http://legacy.com  - HTTP only
                                       localhost          - auto-configure for local testing (Playwright, etc.)
    --allow-domains-file <path>                    Path to file with allowed domains (one per line, supports # comments)
    --ruleset-file <path>                          YAML rule file for domain allowlisting (repeatable). Schema: version: 1, rules: [{domain, subdomains}] (default: [])
    --block-domains <domains>                      Comma-separated blocked domains (overrides allow list). Supports wildcards.
    --block-domains-file <path>                    Path to file with blocked domains (one per line, supports # comments)
    --ssl-bump                                     Enable SSL Bump for HTTPS content inspection (allows URL path filtering) (default: false)
    --allow-urls <urls>                            Comma-separated allowed URL patterns for HTTPS (requires --ssl-bump).
                                       Supports wildcards: https://github.com/myorg/*

  Image Management:
    -b, --build-local                              Build containers locally instead of using GHCR images (default: false)
    --agent-image <value>                          Agent container image (default: "default")
                                       Presets (pre-built, fast):
                                         default  - Minimal ubuntu:22.04 (~200MB)
                                         act      - GitHub Actions parity (~2GB)
                                       Custom base images (requires --build-local):
                                         ubuntu:XX.XX
                                         ghcr.io/catthehacker/ubuntu:runner-XX.XX
                                         ghcr.io/catthehacker/ubuntu:full-XX.XX
    --image-registry <registry>                    Container image registry (default: "ghcr.io/github/gh-aw-firewall")
    --image-tag <tag>                              Container image tag (applies to squid, agent/agent-act, api-proxy, and cli-proxy when enabled)
                                       Optional digest metadata format:
                                         <tag>,squid=sha256:...,agent=sha256:...,agent-act=sha256:...,api-proxy=sha256:...,cli-proxy=sha256:...
                                       Image name varies by --agent-image preset:
                                         default → agent:<tag>
                                         act     → agent-act:<tag> (default: "latest")
    --skip-pull                                    Use local images without pulling from registry (requires pre-downloaded images) (default: false)
    --docker-host <socket>                         Docker socket for AWF's own containers (default: auto-detect from DOCKER_HOST env).
                                       Use when Docker is at a non-standard path.
                                       Example: unix:///run/user/1000/docker.sock
    --docker-host-path-prefix <prefix>             Prefix bind-mount source paths so Docker daemon can resolve runner filesystem paths.
                                       Useful for split runner/daemon filesystems (e.g. ARC DinD).
                                       Example: /host

  Container Configuration:
    -e, --env <KEY=VALUE>                          Environment variable for the container (repeatable) (default: [])
    --env-all                                      Pass all host environment variables to container (excludes system vars like PATH) (default: false)
    --exclude-env <name>                           Exclude a specific environment variable from --env-all passthrough (repeatable) (default: [])
    --env-file <path>                              Read environment variables from a file (KEY=VALUE format, one per line)
    -v, --mount <host_path:container_path[:mode]>
                                                   Volume mount (repeatable). Format: host_path:container_path[:ro|rw] (default: [])
    --container-workdir <dir>                      Working directory inside the container
    --memory-limit <limit>                         Memory limit for the agent container (e.g., 4g, 6g, 8g, 512m). Default: 6g (default: "6g")
    --tty                                          Allocate a pseudo-TTY (required for interactive tools like Claude Code) (default: false)

  Network & Security:
    --dns-servers <servers>                        Comma-separated trusted DNS servers (auto-detected from host if omitted)
    --dns-over-https [resolver-url]                Enable DNS-over-HTTPS via sidecar proxy (default: https://dns.google/dns-query)

  Network & Security:
    --upstream-proxy <url>                         Upstream (corporate) proxy URL for Squid to chain through.
                                       Auto-detected from host https_proxy/http_proxy if not set.
                                       Example: http://proxy.corp.com:3128
    --enable-host-access                           Enable access to host services via host.docker.internal (default: false)
    --network-isolation                            Experimental: enforce egress via Docker network topology (internal network +
                                       dual-homed proxy) instead of iptables. Requires no sudo/NET_ADMIN.
                                       Not yet supported with --dns-over-https or --enable-host-access. (default: false)
    --topology-attach <name>                       With --network-isolation, attach an externally-launched trusted container
                                       (by name) to the internal network so the agent can reach it.
                                       Repeatable. Example: --topology-attach mcp-gateway --topology-attach difc-proxy (default: [])
    --allow-host-ports <ports>                     Ports/ranges to allow with --enable-host-access (default: 80,443).
                                       Example: 3000,8080 or 3000-3010,8000-8090
    --allow-host-service-ports <ports>             Ports to allow ONLY to host gateway (for GitHub Actions services).
                                       Bypasses dangerous port restrictions. Auto-enables host access.
                                       WARNING: Allowing port 22 grants SSH access to the host.
                                       Example: 5432,6379
    --enable-dind                                  Enable Docker-in-Docker by exposing host Docker socket.
                                       WARNING: allows firewall bypass via docker run (default: false)
    --enable-dlp                                   Enable DLP (Data Loss Prevention) scanning to block credential
                                       exfiltration in outbound request URLs. (default: false)

  API Proxy:
    --enable-api-proxy                             Enable API proxy sidecar for secure credential injection.
                                       Supports OpenAI (Codex) and Anthropic (Claude) APIs. (default: false)
    --copilot-api-target <host>                    Target hostname for Copilot API requests (default: api.githubcopilot.com)
    --openai-api-target <host>                     Target hostname for OpenAI API requests (default: api.openai.com)
    --openai-api-base-path <path>                  Base path prefix for OpenAI API requests (e.g. /serving-endpoints for Databricks)
    --anthropic-api-target <host>                  Target hostname for Anthropic API requests (default: api.anthropic.com)
    --anthropic-api-base-path <path>               Base path prefix for Anthropic API requests (e.g. /anthropic)
    --openai-api-auth-header <name>                Custom auth header name for OpenAI requests (default: Authorization with Bearer prefix)
    --anthropic-api-auth-header <name>             Custom auth header name for Anthropic requests (default: x-api-key)
    --gemini-api-target <host>                     Target hostname for Gemini API requests (default: generativelanguage.googleapis.com)
    --gemini-api-base-path <path>                  Base path prefix for Gemini API requests
    --anthropic-auto-cache                         Enable Anthropic prompt-cache optimizations in the API proxy (requires --enable-api-proxy).
                                       Injects cache breakpoints on tools/system/messages, upgrades TTL to 1h,
                                       and strips ANSI codes — typically saves ~90% on Anthropic API input costs. (default: false)
    --anthropic-cache-tail-ttl <5m|1h>             TTL for the rolling-tail cache breakpoint when --anthropic-auto-cache is enabled.
              ...
Read more

Release v0.27.21

Choose a tag to compare

@github-actions github-actions released this 01 Jul 23:25

What's Changed

Documentation

  • chore: update model-to-API mapping (2026-07-01) by @github-actions[bot] in #5742

Other Changes

  • Refactor preflight allowed-domain resolution into explicit pipeline stages by @lpcox with @Copilot in #5757
  • Refactor startContainers into focused startup and failure helpers by @lpcox with @Copilot in #5758
  • fix: ensure chmod runs even when chown fails in rootless permission repair by @lpcox in #5766
  • [Test Coverage] container-lifecycle missing branch coverage by @github-actions[bot] in #5743
  • refactor(api-proxy): extract createProviderAuthScaffold to deduplicate provider adapter boilerplate by @lpcox with @Copilot in #5760
  • Deduplicate writeConfigs Jest dependency mock registration across config-writer suites by @lpcox with @Copilot in #5761
  • Refactor buildConfig by extracting API credential resolution by @lpcox with @Copilot in #5759
  • feat: add container.mounts to AWF config file schema by @lpcox with @Copilot in #5755
  • Sync Copilot model allowlist with model API mapping by @lpcox with @Copilot in #5756
  • docs: update runner doctor — A13 fixed in v0.27.15, B7 rootless repair incomplete by @lpcox with @Copilot in #5762
  • refactor: split 309-line generateDockerCompose into focused phases by @lpcox with @Copilot in #5763
  • Fix split-fs test to use actual effectiveHome instead of hardcoded /home by @lpcox in #5781
  • chore: upgrade gh-aw to v0.82.1 pre-release and recompile workflows by @lpcox in #5748
  • fix(ci): postprocess install-step swap must tolerate trailing --rootless flag by @lpcox in #5800
  • fix: detect and expose system CA bundle for RHEL/Amazon Linux in chroot by @lpcox in #5783

Full Changelog: v0.27.20...v0.27.21

CLI Options

Usage: awf [options] [command] [args...]

Network firewall for agentic workflows with domain whitelisting

Arguments:
  args                                           Command and arguments to execute (use -- to separate from options)

Options:
    -V, --version                                  output the version number

  Configuration:
    --config <path>                                Path to AWF JSON/YAML config file (use "-" to read from stdin)

  Domain Filtering:
    -d, --allow-domains <domains>                  Comma-separated list of allowed domains. Supports wildcards and protocol prefixes:
                                       github.com         - exact domain + subdomains (HTTP & HTTPS)
                                       *.github.com       - any subdomain of github.com
                                       api-*.example.com  - api-* subdomains
                                       https://secure.com - HTTPS only
                                       http://legacy.com  - HTTP only
                                       localhost          - auto-configure for local testing (Playwright, etc.)
    --allow-domains-file <path>                    Path to file with allowed domains (one per line, supports # comments)
    --ruleset-file <path>                          YAML rule file for domain allowlisting (repeatable). Schema: version: 1, rules: [{domain, subdomains}] (default: [])
    --block-domains <domains>                      Comma-separated blocked domains (overrides allow list). Supports wildcards.
    --block-domains-file <path>                    Path to file with blocked domains (one per line, supports # comments)
    --ssl-bump                                     Enable SSL Bump for HTTPS content inspection (allows URL path filtering) (default: false)
    --allow-urls <urls>                            Comma-separated allowed URL patterns for HTTPS (requires --ssl-bump).
                                       Supports wildcards: https://github.com/myorg/*

  Image Management:
    -b, --build-local                              Build containers locally instead of using GHCR images (default: false)
    --agent-image <value>                          Agent container image (default: "default")
                                       Presets (pre-built, fast):
                                         default  - Minimal ubuntu:22.04 (~200MB)
                                         act      - GitHub Actions parity (~2GB)
                                       Custom base images (requires --build-local):
                                         ubuntu:XX.XX
                                         ghcr.io/catthehacker/ubuntu:runner-XX.XX
                                         ghcr.io/catthehacker/ubuntu:full-XX.XX
    --image-registry <registry>                    Container image registry (default: "ghcr.io/github/gh-aw-firewall")
    --image-tag <tag>                              Container image tag (applies to squid, agent/agent-act, api-proxy, and cli-proxy when enabled)
                                       Optional digest metadata format:
                                         <tag>,squid=sha256:...,agent=sha256:...,agent-act=sha256:...,api-proxy=sha256:...,cli-proxy=sha256:...
                                       Image name varies by --agent-image preset:
                                         default → agent:<tag>
                                         act     → agent-act:<tag> (default: "latest")
    --skip-pull                                    Use local images without pulling from registry (requires pre-downloaded images) (default: false)
    --docker-host <socket>                         Docker socket for AWF's own containers (default: auto-detect from DOCKER_HOST env).
                                       Use when Docker is at a non-standard path.
                                       Example: unix:///run/user/1000/docker.sock
    --docker-host-path-prefix <prefix>             Prefix bind-mount source paths so Docker daemon can resolve runner filesystem paths.
                                       Useful for split runner/daemon filesystems (e.g. ARC DinD).
                                       Example: /host

  Container Configuration:
    -e, --env <KEY=VALUE>                          Environment variable for the container (repeatable) (default: [])
    --env-all                                      Pass all host environment variables to container (excludes system vars like PATH) (default: false)
    --exclude-env <name>                           Exclude a specific environment variable from --env-all passthrough (repeatable) (default: [])
    --env-file <path>                              Read environment variables from a file (KEY=VALUE format, one per line)
    -v, --mount <host_path:container_path[:mode]>
                                                   Volume mount (repeatable). Format: host_path:container_path[:ro|rw] (default: [])
    --container-workdir <dir>                      Working directory inside the container
    --memory-limit <limit>                         Memory limit for the agent container (e.g., 4g, 6g, 8g, 512m). Default: 6g (default: "6g")
    --tty                                          Allocate a pseudo-TTY (required for interactive tools like Claude Code) (default: false)

  Network & Security:
    --dns-servers <servers>                        Comma-separated trusted DNS servers (auto-detected from host if omitted)
    --dns-over-https [resolver-url]                Enable DNS-over-HTTPS via sidecar proxy (default: https://dns.google/dns-query)

  Network & Security:
    --upstream-proxy <url>                         Upstream (corporate) proxy URL for Squid to chain through.
                                       Auto-detected from host https_proxy/http_proxy if not set.
                                       Example: http://proxy.corp.com:3128
    --enable-host-access                           Enable access to host services via host.docker.internal (default: false)
    --network-isolation                            Experimental: enforce egress via Docker network topology (internal network +
                                       dual-homed proxy) instead of iptables. Requires no sudo/NET_ADMIN.
                                       Not yet supported with --dns-over-https or --enable-host-access. (default: false)
    --topology-attach <name>                       With --network-isolation, attach an externally-launched trusted container
                                       (by name) to the internal network so the agent can reach it.
                                       Repeatable. Example: --topology-attach mcp-gateway --topology-attach difc-proxy (default: [])
    --allow-host-ports <ports>                     Ports/ranges to allow with --enable-host-access (default: 80,443).
                                       Example: 3000,8080 or 3000-3010,8000-8090
    --allow-host-service-ports <ports>             Ports to allow ONLY to host gateway (for GitHub Actions services).
                                       Bypasses dangerous port restrictions. Auto-enables host access.
                                       WARNING: Allowing port 22 grants SSH access to the host.
                                       Example: 5432,6379
    --enable-dind                                  Enable Docker-in-...
Read more

Release v0.27.20

Choose a tag to compare

@github-actions github-actions released this 01 Jul 14:46

What's Changed

Other Changes

  • fix: sysroot filter should not drop workspace custom mounts by @lpcox in #5739

Full Changelog: v0.27.19...v0.27.20

CLI Options

Usage: awf [options] [command] [args...]

Network firewall for agentic workflows with domain whitelisting

Arguments:
  args                                           Command and arguments to execute (use -- to separate from options)

Options:
    -V, --version                                  output the version number

  Configuration:
    --config <path>                                Path to AWF JSON/YAML config file (use "-" to read from stdin)

  Domain Filtering:
    -d, --allow-domains <domains>                  Comma-separated list of allowed domains. Supports wildcards and protocol prefixes:
                                       github.com         - exact domain + subdomains (HTTP & HTTPS)
                                       *.github.com       - any subdomain of github.com
                                       api-*.example.com  - api-* subdomains
                                       https://secure.com - HTTPS only
                                       http://legacy.com  - HTTP only
                                       localhost          - auto-configure for local testing (Playwright, etc.)
    --allow-domains-file <path>                    Path to file with allowed domains (one per line, supports # comments)
    --ruleset-file <path>                          YAML rule file for domain allowlisting (repeatable). Schema: version: 1, rules: [{domain, subdomains}] (default: [])
    --block-domains <domains>                      Comma-separated blocked domains (overrides allow list). Supports wildcards.
    --block-domains-file <path>                    Path to file with blocked domains (one per line, supports # comments)
    --ssl-bump                                     Enable SSL Bump for HTTPS content inspection (allows URL path filtering) (default: false)
    --allow-urls <urls>                            Comma-separated allowed URL patterns for HTTPS (requires --ssl-bump).
                                       Supports wildcards: https://github.com/myorg/*

  Image Management:
    -b, --build-local                              Build containers locally instead of using GHCR images (default: false)
    --agent-image <value>                          Agent container image (default: "default")
                                       Presets (pre-built, fast):
                                         default  - Minimal ubuntu:22.04 (~200MB)
                                         act      - GitHub Actions parity (~2GB)
                                       Custom base images (requires --build-local):
                                         ubuntu:XX.XX
                                         ghcr.io/catthehacker/ubuntu:runner-XX.XX
                                         ghcr.io/catthehacker/ubuntu:full-XX.XX
    --image-registry <registry>                    Container image registry (default: "ghcr.io/github/gh-aw-firewall")
    --image-tag <tag>                              Container image tag (applies to squid, agent/agent-act, api-proxy, and cli-proxy when enabled)
                                       Optional digest metadata format:
                                         <tag>,squid=sha256:...,agent=sha256:...,agent-act=sha256:...,api-proxy=sha256:...,cli-proxy=sha256:...
                                       Image name varies by --agent-image preset:
                                         default → agent:<tag>
                                         act     → agent-act:<tag> (default: "latest")
    --skip-pull                                    Use local images without pulling from registry (requires pre-downloaded images) (default: false)
    --docker-host <socket>                         Docker socket for AWF's own containers (default: auto-detect from DOCKER_HOST env).
                                       Use when Docker is at a non-standard path.
                                       Example: unix:///run/user/1000/docker.sock
    --docker-host-path-prefix <prefix>             Prefix bind-mount source paths so Docker daemon can resolve runner filesystem paths.
                                       Useful for split runner/daemon filesystems (e.g. ARC DinD).
                                       Example: /host

  Container Configuration:
    -e, --env <KEY=VALUE>                          Environment variable for the container (repeatable) (default: [])
    --env-all                                      Pass all host environment variables to container (excludes system vars like PATH) (default: false)
    --exclude-env <name>                           Exclude a specific environment variable from --env-all passthrough (repeatable) (default: [])
    --env-file <path>                              Read environment variables from a file (KEY=VALUE format, one per line)
    -v, --mount <host_path:container_path[:mode]>
                                                   Volume mount (repeatable). Format: host_path:container_path[:ro|rw] (default: [])
    --container-workdir <dir>                      Working directory inside the container
    --memory-limit <limit>                         Memory limit for the agent container (e.g., 4g, 6g, 8g, 512m). Default: 6g (default: "6g")
    --tty                                          Allocate a pseudo-TTY (required for interactive tools like Claude Code) (default: false)

  Network & Security:
    --dns-servers <servers>                        Comma-separated trusted DNS servers (auto-detected from host if omitted)
    --dns-over-https [resolver-url]                Enable DNS-over-HTTPS via sidecar proxy (default: https://dns.google/dns-query)

  Network & Security:
    --upstream-proxy <url>                         Upstream (corporate) proxy URL for Squid to chain through.
                                       Auto-detected from host https_proxy/http_proxy if not set.
                                       Example: http://proxy.corp.com:3128
    --enable-host-access                           Enable access to host services via host.docker.internal (default: false)
    --network-isolation                            Experimental: enforce egress via Docker network topology (internal network +
                                       dual-homed proxy) instead of iptables. Requires no sudo/NET_ADMIN.
                                       Not yet supported with --dns-over-https or --enable-host-access. (default: false)
    --topology-attach <name>                       With --network-isolation, attach an externally-launched trusted container
                                       (by name) to the internal network so the agent can reach it.
                                       Repeatable. Example: --topology-attach mcp-gateway --topology-attach difc-proxy (default: [])
    --allow-host-ports <ports>                     Ports/ranges to allow with --enable-host-access (default: 80,443).
                                       Example: 3000,8080 or 3000-3010,8000-8090
    --allow-host-service-ports <ports>             Ports to allow ONLY to host gateway (for GitHub Actions services).
                                       Bypasses dangerous port restrictions. Auto-enables host access.
                                       WARNING: Allowing port 22 grants SSH access to the host.
                                       Example: 5432,6379
    --enable-dind                                  Enable Docker-in-Docker by exposing host Docker socket.
                                       WARNING: allows firewall bypass via docker run (default: false)
    --enable-dlp                                   Enable DLP (Data Loss Prevention) scanning to block credential
                                       exfiltration in outbound request URLs. (default: false)

  API Proxy:
    --enable-api-proxy                             Enable API proxy sidecar for secure credential injection.
                                       Supports OpenAI (Codex) and Anthropic (Claude) APIs. (default: false)
    --copilot-api-target <host>                    Target hostname for Copilot API requests (default: api.githubcopilot.com)
    --openai-api-target <host>                     Target hostname for OpenAI API requests (default: api.openai.com)
    --openai-api-base-path <path>                  Base path prefix for OpenAI API requests (e.g. /serving-endpoints for Databricks)
    --anthropic-api-target <host>                  Target hostname for Anthropic API requests (default: api.anthropic.com)
    --anthropic-api-base-path <path>               Base path prefix for Anthropic API requests (e.g. /anthropic)
    --openai-api-auth-header <name>                Custom auth header name for OpenAI requests (default: Authorization with Bearer prefix)
    --anthropic-api-auth-header <name>             Custom auth header name for Anthropic requests (default: x-api-key)
    --gemini-api-target <host>                     Target hostname for Gemini API requests (default: generativelanguage.googleapis.com)
    --gemini-api-base-path <path>                  Base path prefix for Gemini API requests
    --anthropic-auto-cache                         Enable Anthropic prompt-cache optimizations in the API proxy (requires --enable-api-proxy).
                                       Injects cache breakpoints on tools/system/messages, upgrades TTL to 1h,
                                       and strips ANSI codes — typically saves ~90% on Anthropic API input costs. (default: false)
    --anthropic-cache-tail-ttl <5m|1h>             TTL for the rolling-tail cache breakpoint when --anthropic-auto-cache is enabled.
                           ...
Read more

Release v0.27.19

Choose a tag to compare

@github-actions github-actions released this 30 Jun 22:45

What's Changed

Other Changes

  • fix: filter split-fs-invisible mounts when sysroot-stage is active (arc-dind) by @lpcox in #5734

Full Changelog: v0.27.18...v0.27.19

CLI Options

Usage: awf [options] [command] [args...]

Network firewall for agentic workflows with domain whitelisting

Arguments:
  args                                           Command and arguments to execute (use -- to separate from options)

Options:
    -V, --version                                  output the version number

  Configuration:
    --config <path>                                Path to AWF JSON/YAML config file (use "-" to read from stdin)

  Domain Filtering:
    -d, --allow-domains <domains>                  Comma-separated list of allowed domains. Supports wildcards and protocol prefixes:
                                       github.com         - exact domain + subdomains (HTTP & HTTPS)
                                       *.github.com       - any subdomain of github.com
                                       api-*.example.com  - api-* subdomains
                                       https://secure.com - HTTPS only
                                       http://legacy.com  - HTTP only
                                       localhost          - auto-configure for local testing (Playwright, etc.)
    --allow-domains-file <path>                    Path to file with allowed domains (one per line, supports # comments)
    --ruleset-file <path>                          YAML rule file for domain allowlisting (repeatable). Schema: version: 1, rules: [{domain, subdomains}] (default: [])
    --block-domains <domains>                      Comma-separated blocked domains (overrides allow list). Supports wildcards.
    --block-domains-file <path>                    Path to file with blocked domains (one per line, supports # comments)
    --ssl-bump                                     Enable SSL Bump for HTTPS content inspection (allows URL path filtering) (default: false)
    --allow-urls <urls>                            Comma-separated allowed URL patterns for HTTPS (requires --ssl-bump).
                                       Supports wildcards: https://github.com/myorg/*

  Image Management:
    -b, --build-local                              Build containers locally instead of using GHCR images (default: false)
    --agent-image <value>                          Agent container image (default: "default")
                                       Presets (pre-built, fast):
                                         default  - Minimal ubuntu:22.04 (~200MB)
                                         act      - GitHub Actions parity (~2GB)
                                       Custom base images (requires --build-local):
                                         ubuntu:XX.XX
                                         ghcr.io/catthehacker/ubuntu:runner-XX.XX
                                         ghcr.io/catthehacker/ubuntu:full-XX.XX
    --image-registry <registry>                    Container image registry (default: "ghcr.io/github/gh-aw-firewall")
    --image-tag <tag>                              Container image tag (applies to squid, agent/agent-act, api-proxy, and cli-proxy when enabled)
                                       Optional digest metadata format:
                                         <tag>,squid=sha256:...,agent=sha256:...,agent-act=sha256:...,api-proxy=sha256:...,cli-proxy=sha256:...
                                       Image name varies by --agent-image preset:
                                         default → agent:<tag>
                                         act     → agent-act:<tag> (default: "latest")
    --skip-pull                                    Use local images without pulling from registry (requires pre-downloaded images) (default: false)
    --docker-host <socket>                         Docker socket for AWF's own containers (default: auto-detect from DOCKER_HOST env).
                                       Use when Docker is at a non-standard path.
                                       Example: unix:///run/user/1000/docker.sock
    --docker-host-path-prefix <prefix>             Prefix bind-mount source paths so Docker daemon can resolve runner filesystem paths.
                                       Useful for split runner/daemon filesystems (e.g. ARC DinD).
                                       Example: /host

  Container Configuration:
    -e, --env <KEY=VALUE>                          Environment variable for the container (repeatable) (default: [])
    --env-all                                      Pass all host environment variables to container (excludes system vars like PATH) (default: false)
    --exclude-env <name>                           Exclude a specific environment variable from --env-all passthrough (repeatable) (default: [])
    --env-file <path>                              Read environment variables from a file (KEY=VALUE format, one per line)
    -v, --mount <host_path:container_path[:mode]>
                                                   Volume mount (repeatable). Format: host_path:container_path[:ro|rw] (default: [])
    --container-workdir <dir>                      Working directory inside the container
    --memory-limit <limit>                         Memory limit for the agent container (e.g., 4g, 6g, 8g, 512m). Default: 6g (default: "6g")
    --tty                                          Allocate a pseudo-TTY (required for interactive tools like Claude Code) (default: false)

  Network & Security:
    --dns-servers <servers>                        Comma-separated trusted DNS servers (auto-detected from host if omitted)
    --dns-over-https [resolver-url]                Enable DNS-over-HTTPS via sidecar proxy (default: https://dns.google/dns-query)

  Network & Security:
    --upstream-proxy <url>                         Upstream (corporate) proxy URL for Squid to chain through.
                                       Auto-detected from host https_proxy/http_proxy if not set.
                                       Example: http://proxy.corp.com:3128
    --enable-host-access                           Enable access to host services via host.docker.internal (default: false)
    --network-isolation                            Experimental: enforce egress via Docker network topology (internal network +
                                       dual-homed proxy) instead of iptables. Requires no sudo/NET_ADMIN.
                                       Not yet supported with --dns-over-https or --enable-host-access. (default: false)
    --topology-attach <name>                       With --network-isolation, attach an externally-launched trusted container
                                       (by name) to the internal network so the agent can reach it.
                                       Repeatable. Example: --topology-attach mcp-gateway --topology-attach difc-proxy (default: [])
    --allow-host-ports <ports>                     Ports/ranges to allow with --enable-host-access (default: 80,443).
                                       Example: 3000,8080 or 3000-3010,8000-8090
    --allow-host-service-ports <ports>             Ports to allow ONLY to host gateway (for GitHub Actions services).
                                       Bypasses dangerous port restrictions. Auto-enables host access.
                                       WARNING: Allowing port 22 grants SSH access to the host.
                                       Example: 5432,6379
    --enable-dind                                  Enable Docker-in-Docker by exposing host Docker socket.
                                       WARNING: allows firewall bypass via docker run (default: false)
    --enable-dlp                                   Enable DLP (Data Loss Prevention) scanning to block credential
                                       exfiltration in outbound request URLs. (default: false)

  API Proxy:
    --enable-api-proxy                             Enable API proxy sidecar for secure credential injection.
                                       Supports OpenAI (Codex) and Anthropic (Claude) APIs. (default: false)
    --copilot-api-target <host>                    Target hostname for Copilot API requests (default: api.githubcopilot.com)
    --openai-api-target <host>                     Target hostname for OpenAI API requests (default: api.openai.com)
    --openai-api-base-path <path>                  Base path prefix for OpenAI API requests (e.g. /serving-endpoints for Databricks)
    --anthropic-api-target <host>                  Target hostname for Anthropic API requests (default: api.anthropic.com)
    --anthropic-api-base-path <path>               Base path prefix for Anthropic API requests (e.g. /anthropic)
    --openai-api-auth-header <name>                Custom auth header name for OpenAI requests (default: Authorization with Bearer prefix)
    --anthropic-api-auth-header <name>             Custom auth header name for Anthropic requests (default: x-api-key)
    --gemini-api-target <host>                     Target hostname for Gemini API requests (default: generativelanguage.googleapis.com)
    --gemini-api-base-path <path>                  Base path prefix for Gemini API requests
    --anthropic-auto-cache                         Enable Anthropic prompt-cache optimizations in the API proxy (requires --enable-api-proxy).
                                       Injects cache breakpoints on tools/system/messages, upgrades TTL to 1h,
                                       and strips ANSI codes — typically saves ~90% on Anthropic API input costs. (default: false)
    --anthropic-cache-tail-ttl <5m|1h>             TTL for the rolling-tail cache breakpoint when --anthropic-auto-cache is enabled.
         ...
Read more

Release v0.27.18

Choose a tag to compare

@github-actions github-actions released this 30 Jun 21:15

What's Changed

Other Changes

  • fix: skip /etc bind mounts when sysroot-stage is active (arc-dind) by @lpcox in #5732

Full Changelog: v0.27.17...v0.27.18

CLI Options

Usage: awf [options] [command] [args...]

Network firewall for agentic workflows with domain whitelisting

Arguments:
  args                                           Command and arguments to execute (use -- to separate from options)

Options:
    -V, --version                                  output the version number

  Configuration:
    --config <path>                                Path to AWF JSON/YAML config file (use "-" to read from stdin)

  Domain Filtering:
    -d, --allow-domains <domains>                  Comma-separated list of allowed domains. Supports wildcards and protocol prefixes:
                                       github.com         - exact domain + subdomains (HTTP & HTTPS)
                                       *.github.com       - any subdomain of github.com
                                       api-*.example.com  - api-* subdomains
                                       https://secure.com - HTTPS only
                                       http://legacy.com  - HTTP only
                                       localhost          - auto-configure for local testing (Playwright, etc.)
    --allow-domains-file <path>                    Path to file with allowed domains (one per line, supports # comments)
    --ruleset-file <path>                          YAML rule file for domain allowlisting (repeatable). Schema: version: 1, rules: [{domain, subdomains}] (default: [])
    --block-domains <domains>                      Comma-separated blocked domains (overrides allow list). Supports wildcards.
    --block-domains-file <path>                    Path to file with blocked domains (one per line, supports # comments)
    --ssl-bump                                     Enable SSL Bump for HTTPS content inspection (allows URL path filtering) (default: false)
    --allow-urls <urls>                            Comma-separated allowed URL patterns for HTTPS (requires --ssl-bump).
                                       Supports wildcards: https://github.com/myorg/*

  Image Management:
    -b, --build-local                              Build containers locally instead of using GHCR images (default: false)
    --agent-image <value>                          Agent container image (default: "default")
                                       Presets (pre-built, fast):
                                         default  - Minimal ubuntu:22.04 (~200MB)
                                         act      - GitHub Actions parity (~2GB)
                                       Custom base images (requires --build-local):
                                         ubuntu:XX.XX
                                         ghcr.io/catthehacker/ubuntu:runner-XX.XX
                                         ghcr.io/catthehacker/ubuntu:full-XX.XX
    --image-registry <registry>                    Container image registry (default: "ghcr.io/github/gh-aw-firewall")
    --image-tag <tag>                              Container image tag (applies to squid, agent/agent-act, api-proxy, and cli-proxy when enabled)
                                       Optional digest metadata format:
                                         <tag>,squid=sha256:...,agent=sha256:...,agent-act=sha256:...,api-proxy=sha256:...,cli-proxy=sha256:...
                                       Image name varies by --agent-image preset:
                                         default → agent:<tag>
                                         act     → agent-act:<tag> (default: "latest")
    --skip-pull                                    Use local images without pulling from registry (requires pre-downloaded images) (default: false)
    --docker-host <socket>                         Docker socket for AWF's own containers (default: auto-detect from DOCKER_HOST env).
                                       Use when Docker is at a non-standard path.
                                       Example: unix:///run/user/1000/docker.sock
    --docker-host-path-prefix <prefix>             Prefix bind-mount source paths so Docker daemon can resolve runner filesystem paths.
                                       Useful for split runner/daemon filesystems (e.g. ARC DinD).
                                       Example: /host

  Container Configuration:
    -e, --env <KEY=VALUE>                          Environment variable for the container (repeatable) (default: [])
    --env-all                                      Pass all host environment variables to container (excludes system vars like PATH) (default: false)
    --exclude-env <name>                           Exclude a specific environment variable from --env-all passthrough (repeatable) (default: [])
    --env-file <path>                              Read environment variables from a file (KEY=VALUE format, one per line)
    -v, --mount <host_path:container_path[:mode]>
                                                   Volume mount (repeatable). Format: host_path:container_path[:ro|rw] (default: [])
    --container-workdir <dir>                      Working directory inside the container
    --memory-limit <limit>                         Memory limit for the agent container (e.g., 4g, 6g, 8g, 512m). Default: 6g (default: "6g")
    --tty                                          Allocate a pseudo-TTY (required for interactive tools like Claude Code) (default: false)

  Network & Security:
    --dns-servers <servers>                        Comma-separated trusted DNS servers (auto-detected from host if omitted)
    --dns-over-https [resolver-url]                Enable DNS-over-HTTPS via sidecar proxy (default: https://dns.google/dns-query)

  Network & Security:
    --upstream-proxy <url>                         Upstream (corporate) proxy URL for Squid to chain through.
                                       Auto-detected from host https_proxy/http_proxy if not set.
                                       Example: http://proxy.corp.com:3128
    --enable-host-access                           Enable access to host services via host.docker.internal (default: false)
    --network-isolation                            Experimental: enforce egress via Docker network topology (internal network +
                                       dual-homed proxy) instead of iptables. Requires no sudo/NET_ADMIN.
                                       Not yet supported with --dns-over-https or --enable-host-access. (default: false)
    --topology-attach <name>                       With --network-isolation, attach an externally-launched trusted container
                                       (by name) to the internal network so the agent can reach it.
                                       Repeatable. Example: --topology-attach mcp-gateway --topology-attach difc-proxy (default: [])
    --allow-host-ports <ports>                     Ports/ranges to allow with --enable-host-access (default: 80,443).
                                       Example: 3000,8080 or 3000-3010,8000-8090
    --allow-host-service-ports <ports>             Ports to allow ONLY to host gateway (for GitHub Actions services).
                                       Bypasses dangerous port restrictions. Auto-enables host access.
                                       WARNING: Allowing port 22 grants SSH access to the host.
                                       Example: 5432,6379
    --enable-dind                                  Enable Docker-in-Docker by exposing host Docker socket.
                                       WARNING: allows firewall bypass via docker run (default: false)
    --enable-dlp                                   Enable DLP (Data Loss Prevention) scanning to block credential
                                       exfiltration in outbound request URLs. (default: false)

  API Proxy:
    --enable-api-proxy                             Enable API proxy sidecar for secure credential injection.
                                       Supports OpenAI (Codex) and Anthropic (Claude) APIs. (default: false)
    --copilot-api-target <host>                    Target hostname for Copilot API requests (default: api.githubcopilot.com)
    --openai-api-target <host>                     Target hostname for OpenAI API requests (default: api.openai.com)
    --openai-api-base-path <path>                  Base path prefix for OpenAI API requests (e.g. /serving-endpoints for Databricks)
    --anthropic-api-target <host>                  Target hostname for Anthropic API requests (default: api.anthropic.com)
    --anthropic-api-base-path <path>               Base path prefix for Anthropic API requests (e.g. /anthropic)
    --openai-api-auth-header <name>                Custom auth header name for OpenAI requests (default: Authorization with Bearer prefix)
    --anthropic-api-auth-header <name>             Custom auth header name for Anthropic requests (default: x-api-key)
    --gemini-api-target <host>                     Target hostname for Gemini API requests (default: generativelanguage.googleapis.com)
    --gemini-api-base-path <path>                  Base path prefix for Gemini API requests
    --anthropic-auto-cache                         Enable Anthropic prompt-cache optimizations in the API proxy (requires --enable-api-proxy).
                                       Injects cache breakpoints on tools/system/messages, upgrades TTL to 1h,
                                       and strips ANSI codes — typically saves ~90% on Anthropic API input costs. (default: false)
    --anthropic-cache-tail-ttl <5m|1h>             TTL for the rolling-tail cache breakpoint when --anthropic-auto-cache is enabled.
                    ...
Read more

Release v0.27.17

Choose a tag to compare

@github-actions github-actions released this 30 Jun 20:10

What's Changed

Other Changes

  • fix: escape $d as $$d in sysroot-stage compose command by @lpcox in #5730

Full Changelog: v0.27.16...v0.27.17

CLI Options

Usage: awf [options] [command] [args...]

Network firewall for agentic workflows with domain whitelisting

Arguments:
  args                                           Command and arguments to execute (use -- to separate from options)

Options:
    -V, --version                                  output the version number

  Configuration:
    --config <path>                                Path to AWF JSON/YAML config file (use "-" to read from stdin)

  Domain Filtering:
    -d, --allow-domains <domains>                  Comma-separated list of allowed domains. Supports wildcards and protocol prefixes:
                                       github.com         - exact domain + subdomains (HTTP & HTTPS)
                                       *.github.com       - any subdomain of github.com
                                       api-*.example.com  - api-* subdomains
                                       https://secure.com - HTTPS only
                                       http://legacy.com  - HTTP only
                                       localhost          - auto-configure for local testing (Playwright, etc.)
    --allow-domains-file <path>                    Path to file with allowed domains (one per line, supports # comments)
    --ruleset-file <path>                          YAML rule file for domain allowlisting (repeatable). Schema: version: 1, rules: [{domain, subdomains}] (default: [])
    --block-domains <domains>                      Comma-separated blocked domains (overrides allow list). Supports wildcards.
    --block-domains-file <path>                    Path to file with blocked domains (one per line, supports # comments)
    --ssl-bump                                     Enable SSL Bump for HTTPS content inspection (allows URL path filtering) (default: false)
    --allow-urls <urls>                            Comma-separated allowed URL patterns for HTTPS (requires --ssl-bump).
                                       Supports wildcards: https://github.com/myorg/*

  Image Management:
    -b, --build-local                              Build containers locally instead of using GHCR images (default: false)
    --agent-image <value>                          Agent container image (default: "default")
                                       Presets (pre-built, fast):
                                         default  - Minimal ubuntu:22.04 (~200MB)
                                         act      - GitHub Actions parity (~2GB)
                                       Custom base images (requires --build-local):
                                         ubuntu:XX.XX
                                         ghcr.io/catthehacker/ubuntu:runner-XX.XX
                                         ghcr.io/catthehacker/ubuntu:full-XX.XX
    --image-registry <registry>                    Container image registry (default: "ghcr.io/github/gh-aw-firewall")
    --image-tag <tag>                              Container image tag (applies to squid, agent/agent-act, api-proxy, and cli-proxy when enabled)
                                       Optional digest metadata format:
                                         <tag>,squid=sha256:...,agent=sha256:...,agent-act=sha256:...,api-proxy=sha256:...,cli-proxy=sha256:...
                                       Image name varies by --agent-image preset:
                                         default → agent:<tag>
                                         act     → agent-act:<tag> (default: "latest")
    --skip-pull                                    Use local images without pulling from registry (requires pre-downloaded images) (default: false)
    --docker-host <socket>                         Docker socket for AWF's own containers (default: auto-detect from DOCKER_HOST env).
                                       Use when Docker is at a non-standard path.
                                       Example: unix:///run/user/1000/docker.sock
    --docker-host-path-prefix <prefix>             Prefix bind-mount source paths so Docker daemon can resolve runner filesystem paths.
                                       Useful for split runner/daemon filesystems (e.g. ARC DinD).
                                       Example: /host

  Container Configuration:
    -e, --env <KEY=VALUE>                          Environment variable for the container (repeatable) (default: [])
    --env-all                                      Pass all host environment variables to container (excludes system vars like PATH) (default: false)
    --exclude-env <name>                           Exclude a specific environment variable from --env-all passthrough (repeatable) (default: [])
    --env-file <path>                              Read environment variables from a file (KEY=VALUE format, one per line)
    -v, --mount <host_path:container_path[:mode]>
                                                   Volume mount (repeatable). Format: host_path:container_path[:ro|rw] (default: [])
    --container-workdir <dir>                      Working directory inside the container
    --memory-limit <limit>                         Memory limit for the agent container (e.g., 4g, 6g, 8g, 512m). Default: 6g (default: "6g")
    --tty                                          Allocate a pseudo-TTY (required for interactive tools like Claude Code) (default: false)

  Network & Security:
    --dns-servers <servers>                        Comma-separated trusted DNS servers (auto-detected from host if omitted)
    --dns-over-https [resolver-url]                Enable DNS-over-HTTPS via sidecar proxy (default: https://dns.google/dns-query)

  Network & Security:
    --upstream-proxy <url>                         Upstream (corporate) proxy URL for Squid to chain through.
                                       Auto-detected from host https_proxy/http_proxy if not set.
                                       Example: http://proxy.corp.com:3128
    --enable-host-access                           Enable access to host services via host.docker.internal (default: false)
    --network-isolation                            Experimental: enforce egress via Docker network topology (internal network +
                                       dual-homed proxy) instead of iptables. Requires no sudo/NET_ADMIN.
                                       Not yet supported with --dns-over-https or --enable-host-access. (default: false)
    --topology-attach <name>                       With --network-isolation, attach an externally-launched trusted container
                                       (by name) to the internal network so the agent can reach it.
                                       Repeatable. Example: --topology-attach mcp-gateway --topology-attach difc-proxy (default: [])
    --allow-host-ports <ports>                     Ports/ranges to allow with --enable-host-access (default: 80,443).
                                       Example: 3000,8080 or 3000-3010,8000-8090
    --allow-host-service-ports <ports>             Ports to allow ONLY to host gateway (for GitHub Actions services).
                                       Bypasses dangerous port restrictions. Auto-enables host access.
                                       WARNING: Allowing port 22 grants SSH access to the host.
                                       Example: 5432,6379
    --enable-dind                                  Enable Docker-in-Docker by exposing host Docker socket.
                                       WARNING: allows firewall bypass via docker run (default: false)
    --enable-dlp                                   Enable DLP (Data Loss Prevention) scanning to block credential
                                       exfiltration in outbound request URLs. (default: false)

  API Proxy:
    --enable-api-proxy                             Enable API proxy sidecar for secure credential injection.
                                       Supports OpenAI (Codex) and Anthropic (Claude) APIs. (default: false)
    --copilot-api-target <host>                    Target hostname for Copilot API requests (default: api.githubcopilot.com)
    --openai-api-target <host>                     Target hostname for OpenAI API requests (default: api.openai.com)
    --openai-api-base-path <path>                  Base path prefix for OpenAI API requests (e.g. /serving-endpoints for Databricks)
    --anthropic-api-target <host>                  Target hostname for Anthropic API requests (default: api.anthropic.com)
    --anthropic-api-base-path <path>               Base path prefix for Anthropic API requests (e.g. /anthropic)
    --openai-api-auth-header <name>                Custom auth header name for OpenAI requests (default: Authorization with Bearer prefix)
    --anthropic-api-auth-header <name>             Custom auth header name for Anthropic requests (default: x-api-key)
    --gemini-api-target <host>                     Target hostname for Gemini API requests (default: generativelanguage.googleapis.com)
    --gemini-api-base-path <path>                  Base path prefix for Gemini API requests
    --anthropic-auto-cache                         Enable Anthropic prompt-cache optimizations in the API proxy (requires --enable-api-proxy).
                                       Injects cache breakpoints on tools/system/messages, upgrades TTL to 1h,
                                       and strips ANSI codes — typically saves ~90% on Anthropic API input costs. (default: false)
    --anthropic-cache-tail-ttl <5m|1h>             TTL for the rolling-tail cache breakpoint when --anthropic-auto-cache is enabled.
                                ...
Read more

Release v0.27.16

Choose a tag to compare

@github-actions github-actions released this 30 Jun 18:26

What's Changed

Other Changes

  • feat: add model-to-API endpoint mapping and daily updater workflow by @lpcox in #5706
  • fix: add write permission in rootless artifact permission repair by @lpcox in #5717
  • chore: upgrade gh-aw extension to latest pre-release (v0.82.0) by @lpcox in #5718
  • fix: update test assertions for gh-aw-actions v0.82.0 and github-mcp-server v1.5.0 by @lpcox in #5719
  • fix: pass host-gateway IP to iptables-init container for NAT bypass by @lpcox in #5724
  • [Test Coverage] Improve test coverage for config-writer and logs-command-helpers by @github-actions[bot] in #5713
  • fix: propagate runner config fields to all layers by @github-actions[bot] in #5716
  • chore: update model-to-API mapping (2026-06-30) by @github-actions[bot] in #5710
  • docs: sync schemas and specs with source changes by @github-actions[bot] in #5721

Full Changelog: v0.27.15...v0.27.16

CLI Options

Usage: awf [options] [command] [args...]

Network firewall for agentic workflows with domain whitelisting

Arguments:
  args                                           Command and arguments to execute (use -- to separate from options)

Options:
    -V, --version                                  output the version number

  Configuration:
    --config <path>                                Path to AWF JSON/YAML config file (use "-" to read from stdin)

  Domain Filtering:
    -d, --allow-domains <domains>                  Comma-separated list of allowed domains. Supports wildcards and protocol prefixes:
                                       github.com         - exact domain + subdomains (HTTP & HTTPS)
                                       *.github.com       - any subdomain of github.com
                                       api-*.example.com  - api-* subdomains
                                       https://secure.com - HTTPS only
                                       http://legacy.com  - HTTP only
                                       localhost          - auto-configure for local testing (Playwright, etc.)
    --allow-domains-file <path>                    Path to file with allowed domains (one per line, supports # comments)
    --ruleset-file <path>                          YAML rule file for domain allowlisting (repeatable). Schema: version: 1, rules: [{domain, subdomains}] (default: [])
    --block-domains <domains>                      Comma-separated blocked domains (overrides allow list). Supports wildcards.
    --block-domains-file <path>                    Path to file with blocked domains (one per line, supports # comments)
    --ssl-bump                                     Enable SSL Bump for HTTPS content inspection (allows URL path filtering) (default: false)
    --allow-urls <urls>                            Comma-separated allowed URL patterns for HTTPS (requires --ssl-bump).
                                       Supports wildcards: https://github.com/myorg/*

  Image Management:
    -b, --build-local                              Build containers locally instead of using GHCR images (default: false)
    --agent-image <value>                          Agent container image (default: "default")
                                       Presets (pre-built, fast):
                                         default  - Minimal ubuntu:22.04 (~200MB)
                                         act      - GitHub Actions parity (~2GB)
                                       Custom base images (requires --build-local):
                                         ubuntu:XX.XX
                                         ghcr.io/catthehacker/ubuntu:runner-XX.XX
                                         ghcr.io/catthehacker/ubuntu:full-XX.XX
    --image-registry <registry>                    Container image registry (default: "ghcr.io/github/gh-aw-firewall")
    --image-tag <tag>                              Container image tag (applies to squid, agent/agent-act, api-proxy, and cli-proxy when enabled)
                                       Optional digest metadata format:
                                         <tag>,squid=sha256:...,agent=sha256:...,agent-act=sha256:...,api-proxy=sha256:...,cli-proxy=sha256:...
                                       Image name varies by --agent-image preset:
                                         default → agent:<tag>
                                         act     → agent-act:<tag> (default: "latest")
    --skip-pull                                    Use local images without pulling from registry (requires pre-downloaded images) (default: false)
    --docker-host <socket>                         Docker socket for AWF's own containers (default: auto-detect from DOCKER_HOST env).
                                       Use when Docker is at a non-standard path.
                                       Example: unix:///run/user/1000/docker.sock
    --docker-host-path-prefix <prefix>             Prefix bind-mount source paths so Docker daemon can resolve runner filesystem paths.
                                       Useful for split runner/daemon filesystems (e.g. ARC DinD).
                                       Example: /host

  Container Configuration:
    -e, --env <KEY=VALUE>                          Environment variable for the container (repeatable) (default: [])
    --env-all                                      Pass all host environment variables to container (excludes system vars like PATH) (default: false)
    --exclude-env <name>                           Exclude a specific environment variable from --env-all passthrough (repeatable) (default: [])
    --env-file <path>                              Read environment variables from a file (KEY=VALUE format, one per line)
    -v, --mount <host_path:container_path[:mode]>
                                                   Volume mount (repeatable). Format: host_path:container_path[:ro|rw] (default: [])
    --container-workdir <dir>                      Working directory inside the container
    --memory-limit <limit>                         Memory limit for the agent container (e.g., 4g, 6g, 8g, 512m). Default: 6g (default: "6g")
    --tty                                          Allocate a pseudo-TTY (required for interactive tools like Claude Code) (default: false)

  Network & Security:
    --dns-servers <servers>                        Comma-separated trusted DNS servers (auto-detected from host if omitted)
    --dns-over-https [resolver-url]                Enable DNS-over-HTTPS via sidecar proxy (default: https://dns.google/dns-query)

  Network & Security:
    --upstream-proxy <url>                         Upstream (corporate) proxy URL for Squid to chain through.
                                       Auto-detected from host https_proxy/http_proxy if not set.
                                       Example: http://proxy.corp.com:3128
    --enable-host-access                           Enable access to host services via host.docker.internal (default: false)
    --network-isolation                            Experimental: enforce egress via Docker network topology (internal network +
                                       dual-homed proxy) instead of iptables. Requires no sudo/NET_ADMIN.
                                       Not yet supported with --dns-over-https or --enable-host-access. (default: false)
    --topology-attach <name>                       With --network-isolation, attach an externally-launched trusted container
                                       (by name) to the internal network so the agent can reach it.
                                       Repeatable. Example: --topology-attach mcp-gateway --topology-attach difc-proxy (default: [])
    --allow-host-ports <ports>                     Ports/ranges to allow with --enable-host-access (default: 80,443).
                                       Example: 3000,8080 or 3000-3010,8000-8090
    --allow-host-service-ports <ports>             Ports to allow ONLY to host gateway (for GitHub Actions services).
                                       Bypasses dangerous port restrictions. Auto-enables host access.
                                       WARNING: Allowing port 22 grants SSH access to the host.
                                       Example: 5432,6379
    --enable-dind                                  Enable Docker-in-Docker by exposing host Docker socket.
                                       WARNING: allows firewall bypass via docker run (default: false)
    --enable-dlp                                   Enable DLP (Data Loss Prevention) scanning to block credential
                                       exfiltration in outbound request URLs. (default: false)

  API Proxy:
    --enable-api-proxy                             Enable API proxy sidecar for secure credential injection.
                                       Supports OpenAI (Codex) and Anthropic (Claude) APIs. (default: false)
    --copilot-api-target <host>                    Target hostname for Copilot API requests (default: api.githubcopilot.com)
    --openai-api-target <host>                     Target hostname for OpenAI API requests (default: api.openai.com)
    --openai-api-base-path <path>                  Base path prefix for OpenAI API requests (e.g. /serving-endpoints for Databricks)
    --anthropic-api-target <host>                  Target hostname for Anthropic API requests (default: api.anthropic.com)
    --anthropic-api-base-path <path>          ...
Read more

Release v0.27.15

Choose a tag to compare

@github-actions github-actions released this 30 Jun 04:33

What's Changed

Other Changes

  • fix: update invalid docker/setup-qemu-action SHA in release workflow by @lpcox in #5704

Full Changelog: v0.27.14...v0.27.15

CLI Options

Usage: awf [options] [command] [args...]

Network firewall for agentic workflows with domain whitelisting

Arguments:
  args                                           Command and arguments to execute (use -- to separate from options)

Options:
    -V, --version                                  output the version number

  Configuration:
    --config <path>                                Path to AWF JSON/YAML config file (use "-" to read from stdin)

  Domain Filtering:
    -d, --allow-domains <domains>                  Comma-separated list of allowed domains. Supports wildcards and protocol prefixes:
                                       github.com         - exact domain + subdomains (HTTP & HTTPS)
                                       *.github.com       - any subdomain of github.com
                                       api-*.example.com  - api-* subdomains
                                       https://secure.com - HTTPS only
                                       http://legacy.com  - HTTP only
                                       localhost          - auto-configure for local testing (Playwright, etc.)
    --allow-domains-file <path>                    Path to file with allowed domains (one per line, supports # comments)
    --ruleset-file <path>                          YAML rule file for domain allowlisting (repeatable). Schema: version: 1, rules: [{domain, subdomains}] (default: [])
    --block-domains <domains>                      Comma-separated blocked domains (overrides allow list). Supports wildcards.
    --block-domains-file <path>                    Path to file with blocked domains (one per line, supports # comments)
    --ssl-bump                                     Enable SSL Bump for HTTPS content inspection (allows URL path filtering) (default: false)
    --allow-urls <urls>                            Comma-separated allowed URL patterns for HTTPS (requires --ssl-bump).
                                       Supports wildcards: https://github.com/myorg/*

  Image Management:
    -b, --build-local                              Build containers locally instead of using GHCR images (default: false)
    --agent-image <value>                          Agent container image (default: "default")
                                       Presets (pre-built, fast):
                                         default  - Minimal ubuntu:22.04 (~200MB)
                                         act      - GitHub Actions parity (~2GB)
                                       Custom base images (requires --build-local):
                                         ubuntu:XX.XX
                                         ghcr.io/catthehacker/ubuntu:runner-XX.XX
                                         ghcr.io/catthehacker/ubuntu:full-XX.XX
    --image-registry <registry>                    Container image registry (default: "ghcr.io/github/gh-aw-firewall")
    --image-tag <tag>                              Container image tag (applies to squid, agent/agent-act, api-proxy, and cli-proxy when enabled)
                                       Optional digest metadata format:
                                         <tag>,squid=sha256:...,agent=sha256:...,agent-act=sha256:...,api-proxy=sha256:...,cli-proxy=sha256:...
                                       Image name varies by --agent-image preset:
                                         default → agent:<tag>
                                         act     → agent-act:<tag> (default: "latest")
    --skip-pull                                    Use local images without pulling from registry (requires pre-downloaded images) (default: false)
    --docker-host <socket>                         Docker socket for AWF's own containers (default: auto-detect from DOCKER_HOST env).
                                       Use when Docker is at a non-standard path.
                                       Example: unix:///run/user/1000/docker.sock
    --docker-host-path-prefix <prefix>             Prefix bind-mount source paths so Docker daemon can resolve runner filesystem paths.
                                       Useful for split runner/daemon filesystems (e.g. ARC DinD).
                                       Example: /host

  Container Configuration:
    -e, --env <KEY=VALUE>                          Environment variable for the container (repeatable) (default: [])
    --env-all                                      Pass all host environment variables to container (excludes system vars like PATH) (default: false)
    --exclude-env <name>                           Exclude a specific environment variable from --env-all passthrough (repeatable) (default: [])
    --env-file <path>                              Read environment variables from a file (KEY=VALUE format, one per line)
    -v, --mount <host_path:container_path[:mode]>
                                                   Volume mount (repeatable). Format: host_path:container_path[:ro|rw] (default: [])
    --container-workdir <dir>                      Working directory inside the container
    --memory-limit <limit>                         Memory limit for the agent container (e.g., 4g, 6g, 8g, 512m). Default: 6g (default: "6g")
    --tty                                          Allocate a pseudo-TTY (required for interactive tools like Claude Code) (default: false)

  Network & Security:
    --dns-servers <servers>                        Comma-separated trusted DNS servers (auto-detected from host if omitted)
    --dns-over-https [resolver-url]                Enable DNS-over-HTTPS via sidecar proxy (default: https://dns.google/dns-query)

  Network & Security:
    --upstream-proxy <url>                         Upstream (corporate) proxy URL for Squid to chain through.
                                       Auto-detected from host https_proxy/http_proxy if not set.
                                       Example: http://proxy.corp.com:3128
    --enable-host-access                           Enable access to host services via host.docker.internal (default: false)
    --network-isolation                            Experimental: enforce egress via Docker network topology (internal network +
                                       dual-homed proxy) instead of iptables. Requires no sudo/NET_ADMIN.
                                       Not yet supported with --dns-over-https or --enable-host-access. (default: false)
    --topology-attach <name>                       With --network-isolation, attach an externally-launched trusted container
                                       (by name) to the internal network so the agent can reach it.
                                       Repeatable. Example: --topology-attach mcp-gateway --topology-attach difc-proxy (default: [])
    --allow-host-ports <ports>                     Ports/ranges to allow with --enable-host-access (default: 80,443).
                                       Example: 3000,8080 or 3000-3010,8000-8090
    --allow-host-service-ports <ports>             Ports to allow ONLY to host gateway (for GitHub Actions services).
                                       Bypasses dangerous port restrictions. Auto-enables host access.
                                       WARNING: Allowing port 22 grants SSH access to the host.
                                       Example: 5432,6379
    --enable-dind                                  Enable Docker-in-Docker by exposing host Docker socket.
                                       WARNING: allows firewall bypass via docker run (default: false)
    --enable-dlp                                   Enable DLP (Data Loss Prevention) scanning to block credential
                                       exfiltration in outbound request URLs. (default: false)

  API Proxy:
    --enable-api-proxy                             Enable API proxy sidecar for secure credential injection.
                                       Supports OpenAI (Codex) and Anthropic (Claude) APIs. (default: false)
    --copilot-api-target <host>                    Target hostname for Copilot API requests (default: api.githubcopilot.com)
    --openai-api-target <host>                     Target hostname for OpenAI API requests (default: api.openai.com)
    --openai-api-base-path <path>                  Base path prefix for OpenAI API requests (e.g. /serving-endpoints for Databricks)
    --anthropic-api-target <host>                  Target hostname for Anthropic API requests (default: api.anthropic.com)
    --anthropic-api-base-path <path>               Base path prefix for Anthropic API requests (e.g. /anthropic)
    --openai-api-auth-header <name>                Custom auth header name for OpenAI requests (default: Authorization with Bearer prefix)
    --anthropic-api-auth-header <name>             Custom auth header name for Anthropic requests (default: x-api-key)
    --gemini-api-target <host>                     Target hostname for Gemini API requests (default: generativelanguage.googleapis.com)
    --gemini-api-base-path <path>                  Base path prefix for Gemini API requests
    --anthropic-auto-cache                         Enable Anthropic prompt-cache optimizations in the API proxy (requires --enable-api-proxy).
                                       Injects cache breakpoints on tools/system/messages, upgrades TTL to 1h,
                                       and strips ANSI codes — typically saves ~90% on Anthropic API input costs. (default: false)
    --anthropic-cache-tail-ttl <5m|1h>             TTL for the rolling-tail cache breakpoint when --anthropic-auto-cache is enabled.
                  ...
Read more

Release v0.27.13

Choose a tag to compare

@github-actions github-actions released this 28 Jun 20:14

What's Changed

Other Changes

  • chore: upgrade gh-aw to v0.81.6 and recompile all workflows by @lpcox in #5617
  • fix: only count inference calls against maxRuns limit by @lpcox in #5619
  • [Test Coverage] security-module-coverage.test.ts by @github-actions[bot] in #5625
  • refactor: extract sidecar and host-access helpers from addProxyDestinationAcceptRules by @lpcox in #5636
  • refactor: extract ssl-key-storage lifecycle into focused module by @lpcox in #5637
  • refactor: extract handleRequestError into proxy-error-handler.js by @lpcox in #5638
  • refactor: deduplicate OIDC auth env var mappings via shared constant by @lpcox in #5640
  • refactor: extract shared auth header resolution helper for provider adapters by @lpcox in #5641
  • refactor: extract fallback-selection logic into model-fallback.js by @lpcox in #5639
  • fix: return 429 instead of 403 when max turns exceeded by @lpcox in #5648
  • docs(runner-doctor): add C7 failure mode for DIFC probe on *.ghe.com by @lpcox in #5651
  • fix: handle EACCES during chroot-home cleanup in rootless Docker by @lpcox in #5653

Full Changelog: v0.27.12...v0.27.13

CLI Options

Usage: awf [options] [command] [args...]

Network firewall for agentic workflows with domain whitelisting

Arguments:
  args                                           Command and arguments to execute (use -- to separate from options)

Options:
    -V, --version                                  output the version number

  Configuration:
    --config <path>                                Path to AWF JSON/YAML config file (use "-" to read from stdin)

  Domain Filtering:
    -d, --allow-domains <domains>                  Comma-separated list of allowed domains. Supports wildcards and protocol prefixes:
                                       github.com         - exact domain + subdomains (HTTP & HTTPS)
                                       *.github.com       - any subdomain of github.com
                                       api-*.example.com  - api-* subdomains
                                       https://secure.com - HTTPS only
                                       http://legacy.com  - HTTP only
                                       localhost          - auto-configure for local testing (Playwright, etc.)
    --allow-domains-file <path>                    Path to file with allowed domains (one per line, supports # comments)
    --ruleset-file <path>                          YAML rule file for domain allowlisting (repeatable). Schema: version: 1, rules: [{domain, subdomains}] (default: [])
    --block-domains <domains>                      Comma-separated blocked domains (overrides allow list). Supports wildcards.
    --block-domains-file <path>                    Path to file with blocked domains (one per line, supports # comments)
    --ssl-bump                                     Enable SSL Bump for HTTPS content inspection (allows URL path filtering) (default: false)
    --allow-urls <urls>                            Comma-separated allowed URL patterns for HTTPS (requires --ssl-bump).
                                       Supports wildcards: https://github.com/myorg/*

  Image Management:
    -b, --build-local                              Build containers locally instead of using GHCR images (default: false)
    --agent-image <value>                          Agent container image (default: "default")
                                       Presets (pre-built, fast):
                                         default  - Minimal ubuntu:22.04 (~200MB)
                                         act      - GitHub Actions parity (~2GB)
                                       Custom base images (requires --build-local):
                                         ubuntu:XX.XX
                                         ghcr.io/catthehacker/ubuntu:runner-XX.XX
                                         ghcr.io/catthehacker/ubuntu:full-XX.XX
    --image-registry <registry>                    Container image registry (default: "ghcr.io/github/gh-aw-firewall")
    --image-tag <tag>                              Container image tag (applies to squid, agent/agent-act, api-proxy, and cli-proxy when enabled)
                                       Optional digest metadata format:
                                         <tag>,squid=sha256:...,agent=sha256:...,agent-act=sha256:...,api-proxy=sha256:...,cli-proxy=sha256:...
                                       Image name varies by --agent-image preset:
                                         default → agent:<tag>
                                         act     → agent-act:<tag> (default: "latest")
    --skip-pull                                    Use local images without pulling from registry (requires pre-downloaded images) (default: false)
    --docker-host <socket>                         Docker socket for AWF's own containers (default: auto-detect from DOCKER_HOST env).
                                       Use when Docker is at a non-standard path.
                                       Example: unix:///run/user/1000/docker.sock
    --docker-host-path-prefix <prefix>             Prefix bind-mount source paths so Docker daemon can resolve runner filesystem paths.
                                       Useful for split runner/daemon filesystems (e.g. ARC DinD).
                                       Example: /host

  Container Configuration:
    -e, --env <KEY=VALUE>                          Environment variable for the container (repeatable) (default: [])
    --env-all                                      Pass all host environment variables to container (excludes system vars like PATH) (default: false)
    --exclude-env <name>                           Exclude a specific environment variable from --env-all passthrough (repeatable) (default: [])
    --env-file <path>                              Read environment variables from a file (KEY=VALUE format, one per line)
    -v, --mount <host_path:container_path[:mode]>
                                                   Volume mount (repeatable). Format: host_path:container_path[:ro|rw] (default: [])
    --container-workdir <dir>                      Working directory inside the container
    --memory-limit <limit>                         Memory limit for the agent container (e.g., 4g, 6g, 8g, 512m). Default: 6g (default: "6g")
    --tty                                          Allocate a pseudo-TTY (required for interactive tools like Claude Code) (default: false)

  Network & Security:
    --dns-servers <servers>                        Comma-separated trusted DNS servers (auto-detected from host if omitted)
    --dns-over-https [resolver-url]                Enable DNS-over-HTTPS via sidecar proxy (default: https://dns.google/dns-query)

  Network & Security:
    --upstream-proxy <url>                         Upstream (corporate) proxy URL for Squid to chain through.
                                       Auto-detected from host https_proxy/http_proxy if not set.
                                       Example: http://proxy.corp.com:3128
    --enable-host-access                           Enable access to host services via host.docker.internal (default: false)
    --network-isolation                            Experimental: enforce egress via Docker network topology (internal network +
                                       dual-homed proxy) instead of iptables. Requires no sudo/NET_ADMIN.
                                       Not yet supported with --dns-over-https or --enable-host-access. (default: false)
    --topology-attach <name>                       With --network-isolation, attach an externally-launched trusted container
                                       (by name) to the internal network so the agent can reach it.
                                       Repeatable. Example: --topology-attach mcp-gateway --topology-attach difc-proxy (default: [])
    --allow-host-ports <ports>                     Ports/ranges to allow with --enable-host-access (default: 80,443).
                                       Example: 3000,8080 or 3000-3010,8000-8090
    --allow-host-service-ports <ports>             Ports to allow ONLY to host gateway (for GitHub Actions services).
                                       Bypasses dangerous port restrictions. Auto-enables host access.
                                       WARNING: Allowing port 22 grants SSH access to the host.
                                       Example: 5432,6379
    --enable-dind                                  Enable Docker-in-Docker by exposing host Docker socket.
                                       WARNING: allows firewall bypass via docker run (default: false)
    --enable-dlp                                   Enable DLP (Data Loss Prevention) scanning to block credential
                                       exfiltration in outbound request URLs. (default: false)

  API Proxy:
    --enable-api-proxy                             Enable API proxy sidecar for secure credential injection.
                                       Supports OpenAI (Codex) and Anthropic (Claude) APIs. (default: false)
    --copilot-api-target <host>                    Target hostname for Copilot API requests (default: api.githubcopilot.com)
    --openai-api-target <host>                     Target ...
Read more

Release v0.27.12

Choose a tag to compare

@github-actions github-actions released this 27 Jun 19:26

What's Changed

Other Changes

  • [Test Coverage] security: test coverage for compose-sanitizer, domain-validation, and domain-matchers by @github-actions[bot] in #5554
  • fix: propagate apiProxy.auth OIDC config fields to all layers by @github-actions[bot] in #5559
  • perf(contribution-check): cut token/tool overhead per #5558 by @lpcox in #5576
  • Refactor option parser misc tests into focused suites by concern by @lpcox with @Copilot in #5574
  • Split squid config tests by concern by @lpcox with @Copilot in #5575
  • refactor: split agent-service.test.ts by concern into three focused files by @lpcox with @Copilot in #5573
  • refactor: split run_chroot_command (476 lines) into 8 named helper functions by @lpcox with @Copilot in #5562
  • fix(doc-maintainer): prevent maxRuns 403 from wasted shell turns by @lpcox in #5564
  • refactor: split squid-config-features.test.ts into focused files by feature area by @lpcox with @Copilot in #5572
  • refactor: split host-iptables-setup.test.ts into focused test modules by @lpcox with @Copilot in #5571
  • fix(test): sync doc-maintainer test with max-turns 15 + prompt rewrite by @lpcox in #5587
  • docs: runner doctor update — A13, B5, B6 + portable agent A12 sync by @lpcox with @Copilot in #5590
  • Extract OIDC/auth helpers from proxy-utils into oidc-adapter-utils by @lpcox with @Copilot in #5604
  • Refactor artifact cleanup: extract rootless permission repair into artifact-permissions.ts by @lpcox with @Copilot in #5605
  • Refactor AWF config handling into focused loader, mapper, and precedence modules by @lpcox with @Copilot in #5606
  • Apply safe dependency updates for June 2026 security refresh by @lpcox with @Copilot in #5609
  • Update transitive linkify-it to 5.0.1 in lockfile by @lpcox with @Copilot in #5608
  • Optimize test-coverage-reporter token/runtime footprint by shrinking agent context and pre-step overhead by @lpcox with @Copilot in #5607
  • fix(cli-proxy): surface HTTP status in DIFC probe diagnostics by @lpcox in #5616

Full Changelog: v0.27.11...v0.27.12

CLI Options

Usage: awf [options] [command] [args...]

Network firewall for agentic workflows with domain whitelisting

Arguments:
  args                                           Command and arguments to execute (use -- to separate from options)

Options:
    -V, --version                                  output the version number

  Configuration:
    --config <path>                                Path to AWF JSON/YAML config file (use "-" to read from stdin)

  Domain Filtering:
    -d, --allow-domains <domains>                  Comma-separated list of allowed domains. Supports wildcards and protocol prefixes:
                                       github.com         - exact domain + subdomains (HTTP & HTTPS)
                                       *.github.com       - any subdomain of github.com
                                       api-*.example.com  - api-* subdomains
                                       https://secure.com - HTTPS only
                                       http://legacy.com  - HTTP only
                                       localhost          - auto-configure for local testing (Playwright, etc.)
    --allow-domains-file <path>                    Path to file with allowed domains (one per line, supports # comments)
    --ruleset-file <path>                          YAML rule file for domain allowlisting (repeatable). Schema: version: 1, rules: [{domain, subdomains}] (default: [])
    --block-domains <domains>                      Comma-separated blocked domains (overrides allow list). Supports wildcards.
    --block-domains-file <path>                    Path to file with blocked domains (one per line, supports # comments)
    --ssl-bump                                     Enable SSL Bump for HTTPS content inspection (allows URL path filtering) (default: false)
    --allow-urls <urls>                            Comma-separated allowed URL patterns for HTTPS (requires --ssl-bump).
                                       Supports wildcards: https://github.com/myorg/*

  Image Management:
    -b, --build-local                              Build containers locally instead of using GHCR images (default: false)
    --agent-image <value>                          Agent container image (default: "default")
                                       Presets (pre-built, fast):
                                         default  - Minimal ubuntu:22.04 (~200MB)
                                         act      - GitHub Actions parity (~2GB)
                                       Custom base images (requires --build-local):
                                         ubuntu:XX.XX
                                         ghcr.io/catthehacker/ubuntu:runner-XX.XX
                                         ghcr.io/catthehacker/ubuntu:full-XX.XX
    --image-registry <registry>                    Container image registry (default: "ghcr.io/github/gh-aw-firewall")
    --image-tag <tag>                              Container image tag (applies to squid, agent/agent-act, api-proxy, and cli-proxy when enabled)
                                       Optional digest metadata format:
                                         <tag>,squid=sha256:...,agent=sha256:...,agent-act=sha256:...,api-proxy=sha256:...,cli-proxy=sha256:...
                                       Image name varies by --agent-image preset:
                                         default → agent:<tag>
                                         act     → agent-act:<tag> (default: "latest")
    --skip-pull                                    Use local images without pulling from registry (requires pre-downloaded images) (default: false)
    --docker-host <socket>                         Docker socket for AWF's own containers (default: auto-detect from DOCKER_HOST env).
                                       Use when Docker is at a non-standard path.
                                       Example: unix:///run/user/1000/docker.sock
    --docker-host-path-prefix <prefix>             Prefix bind-mount source paths so Docker daemon can resolve runner filesystem paths.
                                       Useful for split runner/daemon filesystems (e.g. ARC DinD).
                                       Example: /host

  Container Configuration:
    -e, --env <KEY=VALUE>                          Environment variable for the container (repeatable) (default: [])
    --env-all                                      Pass all host environment variables to container (excludes system vars like PATH) (default: false)
    --exclude-env <name>                           Exclude a specific environment variable from --env-all passthrough (repeatable) (default: [])
    --env-file <path>                              Read environment variables from a file (KEY=VALUE format, one per line)
    -v, --mount <host_path:container_path[:mode]>
                                                   Volume mount (repeatable). Format: host_path:container_path[:ro|rw] (default: [])
    --container-workdir <dir>                      Working directory inside the container
    --memory-limit <limit>                         Memory limit for the agent container (e.g., 4g, 6g, 8g, 512m). Default: 6g (default: "6g")
    --tty                                          Allocate a pseudo-TTY (required for interactive tools like Claude Code) (default: false)

  Network & Security:
    --dns-servers <servers>                        Comma-separated trusted DNS servers (auto-detected from host if omitted)
    --dns-over-https [resolver-url]                Enable DNS-over-HTTPS via sidecar proxy (default: https://dns.google/dns-query)

  Network & Security:
    --upstream-proxy <url>                         Upstream (corporate) proxy URL for Squid to chain through.
                                       Auto-detected from host https_proxy/http_proxy if not set.
                                       Example: http://proxy.corp.com:3128
    --enable-host-access                           Enable access to host services via host.docker.internal (default: false)
    --network-isolation                            Experimental: enforce egress via Docker network topology (internal network +
                                       dual-homed proxy) instead of iptables. Requires no sudo/NET_ADMIN.
                                       Not yet supported with --dns-over-https or --enable-host-access. (default: false)
    --topology-attach <name>                       With --network-isolation, attach an externally-launched trusted container
                                       (by name) to the internal network so the agent can reach it.
                                       Repeatable. Example: --topology-attach mcp-gateway --topology-attach difc-proxy (default: [])
    --allow-host-ports <ports>                     Ports/ranges to allow with --enable-host-access (default: 80,443).
                                       Example: 3000,8080 ...
Read more