Release v0.11.0

@github-actions github-actions released this 23 Jan 00:25
· 431 commits to main since this release

Highlights

🚀 New Feature: Configurable Agent Base Image

When building containers locally from source, use --agent-base-image to achieve closer parity with GitHub Actions runner environments:

# In a GitHub Actions workflow or local development with source checkout
sudo awf --build-local --agent-base-image ghcr.io/catthehacker/ubuntu:runner-22.04 \
  --allow-domains github.com -- your-command

Note: --build-local requires the gh-aw-firewall source code (it builds from containers/agent/Dockerfile). This is primarily useful in GitHub Actions workflows that clone the repo, or for local development.

Available images:

| Image | Size | Use Case |
|---|---|---|
| ubuntu:22.04 (default) | ~200MB | Fast startup, minimal footprint |
| ghcr.io/catthehacker/ubuntu:runner-22.04 | ~2-5GB | Common GitHub Actions tools |
| ghcr.io/catthehacker/ubuntu:full-22.04 | ~20GB | Maximum GitHub Actions parity |

SHA256 digest pinning is supported for supply chain security. See docs/usage.md for details.

🔒 Security Fixes

  • System UID validation (#267): Prevents privilege escalation by rejecting system UIDs (0-999) in container user mapping
  • NAT blacklist for dangerous ports (#269): Defense-in-depth blocking at iptables level for SSH, databases, RDP, etc.
  • ReDoS prevention (#265): Replaced unbounded .* regex patterns with safer bounded alternatives
  • Supply chain hardening (#266): All GitHub Actions pinned to commit SHAs
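
Two of the fixes listed above (#267 and #265), sketched as an added example in plain JavaScript; this is not gh-aw-firewall's own code. The function names, the 32-bit UID cap, and the choice to let `*` match exactly one DNS label are assumptions made for illustration.

```javascript
'use strict';
// Added illustration; names and limits are assumptions, not gh-aw-firewall code.

const SYSTEM_UID_MAX = 999;    // release notes: system UIDs 0-999 are rejected
const UID_MAX = 4294967294;    // assumed cap: largest valid 32-bit Linux UID

// Accept only a plain decimal UID outside the system range.
function parseContainerUid(raw) {
  const text = String(raw);
  // Strict decimal: forms such as "0x3e8", "1e3", "-1" or " 1000" are refused
  // before any numeric conversion can reinterpret them.
  if (!/^[0-9]{1,10}$/.test(text)) throw new Error(`invalid UID: ${text}`);
  const uid = Number(text);
  if (uid <= SYSTEM_UID_MAX) throw new Error(`system UID ${uid} rejected`);
  if (uid > UID_MAX) throw new Error(`UID ${uid} out of range`);
  return uid;
}

const MAX_HOST_LEN = 253;            // DNS name length limit
const LABEL = '[a-zA-Z0-9-]{1,63}';  // one DNS label: bounded, cannot cross a dot

function escapeLiteral(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Compile a wildcard domain pattern, substituting `wildcard` for each '*'.
function compileDomainPattern(pattern, wildcard) {
  const body = pattern.split('*').map(escapeLiteral).join(wildcard);
  return new RegExp(`^${body}$`);
}

const unbounded = (p) => compileDomainPattern(p, '.*');  // "before" shape
const bounded = (p) => compileDomainPattern(p, LABEL);   // "after" shape (assumed)

// Length-check first, then match with the bounded form only.
function hostAllowed(host, pattern) {
  if (typeof host !== 'string' || host.length > MAX_HOST_LEN) return false;
  return bounded(pattern).test(host);
}

// Constructed sample inputs.
const probe = 'evil.example/?x=.github.com';
console.log(unbounded('*.github.com').test(probe));  // '.*' swallows '/', '?', '='
console.log(hostAllowed(probe, '*.github.com'));
console.log(hostAllowed('api.github.com', '*.github.com'));
```

Because a label class cannot match a dot, each wildcard has only one way to align with the input, so patterns with several wildcards no longer backtrack across segment boundaries.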

What's Changed

Other Changes

  • ci: add dedicated ESLint workflow by @Copilot in #237
  • ci: add build verification workflow for PRs by @Copilot in #238
  • feat: add workflow schema and upgrade agent by @Mossaka in #271
  • ci: add dependabot configuration for automated dependency updates by @Copilot in #242
  • feat(ci): add coverage regression detection by @Copilot in #244
  • chore: delete existing firewall tests and migrate smoke tests by @Copilot in #229
  • ci: pin GitHub Actions to commit SHAs for supply chain security by @Copilot in #266
  • feat: port plan workflow from gh-aw repository by @Copilot in #230
  • chore: remove smoke-codex workflow due to missing key by @Copilot in #291
  • docs: add security scope restriction info to AGENTS.md by @Copilot in #301
  • feat: port issue-monster workflow from gh-aw repository by @Copilot in #300
  • chore: regenerate security-guard.lock.yml by @Copilot in #292
  • feat: expand integration test coverage from 7 to 17 test files by @Copilot in #251
  • feat(ci): implement test parallelization to reduce CI time by @Copilot in #255
  • ci: add Node.js and Ubuntu version matrix to test workflows by @Copilot in #259
  • ci: add eslint, build workflows and dependabot configuration by @Copilot in #261
  • feat: expand dangerous ports database (CouchDB, Elasticsearch, InfluxDB) by @Copilot in #264
  • fix: replace .* regex with safer patterns (ReDoS) by @Copilot in #265
  • feat: add static analysis for execa() command injection detection by @Copilot in #268
  • fix: add NAT blacklist for dangerous ports in iptables by @Copilot in #269
  • feat(ci): add daily pelis agent factory advisor agentic workflow by @Copilot in #272
  • feat: Add issue duplication agent using cache memory by @Copilot in #299
  • fix: add system UID range validation to prevent privilege escalation by @Copilot in #267
  • test: add IPv6 integration tests by @Copilot in #260
  • chore: add githubnext.github.io to pelis-agent-factory-advisor domain allowlist by @Copilot in #305
  • feat(ci): add TypeScript type checking to CI by @Copilot in #303
  • ci: disable PR title check for dependabot PRs by @Copilot in #312
  • [WIP] Regenerate pelis agent factory advisor by @Copilot in #317
  • fix: add issues trigger to issue-monster workflow by @Copilot in #338
  • feat: add test-coverage-improver agentic workflow by @Copilot in #344
  • feat: add dependency security monitor workflow by @Copilot in #342
  • feat: add doc-maintainer workflow for daily documentation sync by @Copilot in #341
  • feat(ci): add CI Failure Doctor workflow by @Copilot in #340
  • docs: clarify container privilege drop in security architecture by @Copilot in #385
  • chore: update gh aw by @Mossaka in #387
  • ci: use local awf build in smoke workflows by @Copilot in #388
  • feat: add configurable agent base image for GitHub Actions runner parity by @Copilot in #214

Full Changelog: v0.10.0...v0.11.0

Installation

One-Line Installer (Recommended)

curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo bash

Manual Installation

curl -fL https://github.com/githubnext/gh-aw-firewall/releases/download/v0.11.0/awf-linux-x64 -o awf
chmod +x awf
sudo mv awf /usr/local/bin/

Container Images

  • ghcr.io/githubnext/gh-aw-firewall/squid:0.11.0
  • ghcr.io/githubnext/gh-aw-firewall/agent:0.11.0

All images signed with cosign. See docs/image-verification.md for verification instructions.