CLI proxy: start difc-proxy on host, pass --difc-proxy-host to AWF#25366
Open
CLI proxy: start difc-proxy on host, pass --difc-proxy-host to AWF#25366
Conversation
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/cd08abe8-65f6-4cd4-aca7-a2cfa59d7e81 Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
…roxy on host When features.cli-proxy is enabled, the compiler now: 1. Starts a difc-proxy container on the host before AWF execution 2. Passes --difc-proxy-host host.docker.internal:18443 and --difc-proxy-ca-cert /tmp/gh-aw/difc-proxy-tls/ca.crt to AWF 3. Injects GH_TOKEN into the AWF step env with --exclude-env GH_TOKEN 4. Stops the CLI proxy container after AWF execution Removed deprecated flags: --enable-cli-proxy, --cli-proxy-policy. Minimum AWF version bumped to v0.26.0 for CLI proxy support. Agent-Logs-Url: https://github.com/github/gh-aw/sessions/cd08abe8-65f6-4cd4-aca7-a2cfa59d7e81 Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
- Handle empty policy gracefully in start_cli_proxy.sh (proxy starts without guard filtering when no policy is configured) - Exit with error when proxy fails to start (prevents AWF from running with a non-functional proxy) - Rename hasCliProxyNeeded to isCliProxyNeeded for naming consistency Agent-Logs-Url: https://github.com/github/gh-aw/sessions/cd08abe8-65f6-4cd4-aca7-a2cfa59d7e81 Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Update CLI proxy to start difc-proxy on host
CLI proxy: start difc-proxy on host, pass --difc-proxy-host to AWF
Apr 8, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
This PR shifts AWF CLI-proxy support from an AWF-managed container to a host-managed difc-proxy container, updating AWF invocation flags and ensuring GH_TOKEN is available for the proxy while excluded from the agent container.
Changes:
- Add host-side start/stop lifecycle for the CLI proxy and inject those steps around engine execution.
- Replace deprecated AWF CLI-proxy flags with
--difc-proxy-host/--difc-proxy-ca-certand bump the minimum AWF version gate. - Inject
GH_TOKENinto AWF execution step env (post secret-filtering) across engines; update various workflow lockfiles for quoting consistency.
Show a summary per file
| File | Description |
|---|---|
| pkg/workflow/gemini_engine.go | Injects GH_TOKEN into filtered step env for CLI-proxy mode. |
| pkg/workflow/copilot_engine_execution.go | Injects GH_TOKEN into filtered step env for CLI-proxy mode. |
| pkg/workflow/compiler_yaml_main_job.go | Adds start/stop CLI-proxy steps around engine execution. |
| pkg/workflow/compiler_difc_proxy.go | Adds CLI-proxy gating + YAML step generation for host-managed proxy lifecycle. |
| pkg/workflow/codex_engine.go | Injects GH_TOKEN into filtered step env for CLI-proxy mode. |
| pkg/workflow/claude_engine.go | Injects GH_TOKEN into filtered step env for CLI-proxy mode. |
| pkg/workflow/awf_helpers.go | Switches AWF flags to --difc-proxy-*, adds GH_TOKEN exclusion, adds env injection helper, updates version gate docs. |
| pkg/workflow/awf_helpers_test.go | Updates tests to expect new --difc-proxy-* flags and new version gating semantics. |
| pkg/constants/version_constants.go | Bumps AWFCliProxyMinVersion to v0.26.0. |
| pkg/constants/feature_constants.go | Updates cli-proxy feature flag documentation to reflect host-managed difc-proxy + new flags. |
| actions/setup/sh/start_cli_proxy.sh | New script to start host-side difc-proxy for AWF CLI-proxy sidecar. |
| actions/setup/sh/stop_cli_proxy.sh | New script to stop/remove the host-side CLI proxy container. |
| .github/workflows/refactoring-cadence.lock.yml | Quotes ${RUNNER_TEMP} paths consistently in bash invocations. |
| .github/workflows/design-decision-gate.lock.yml | Quotes ${RUNNER_TEMP} paths consistently in bash invocations. |
| .github/workflows/deep-report.lock.yml | Lockfile regeneration + minor env expression tweak (REPO_NAME). |
| .github/workflows/architecture-guardian.lock.yml | Quotes ${RUNNER_TEMP} paths consistently in bash invocations. |
| .github/workflows/approach-validator.lock.yml | Quotes ${RUNNER_TEMP} paths consistently in bash invocations. |
| .changeset/minor-add-cli-proxy-feature-flag.md | Updates changeset to mention new flags/host proxy (but still contains outdated statement). |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comments suppressed due to low confidence (1)
pkg/workflow/awf_helpers.go:649
awfSupportsCliProxycurrently returnstruewhenfirewallConfigis nil/empty, butconstants.DefaultFirewallVersionis stillv0.25.16whileAWFCliProxyMinVersionis nowv0.26.0. In the common case where sandbox/firewall is enabled viasandbox:(sonetwork.firewallis absent), this will incorrectly emit--difc-proxy-host/--difc-proxy-ca-certagainst AWFv0.25.16and cause AWF to fail at startup. Fix by either (a) bumpingDefaultFirewallVersionto >=v0.26.0, or (b) makingawfSupportsCliProxycompare against the effective default version instead of assuming it always meets the minimum (and update the associated tests).
// Special cases:
// - No version override (firewallConfig is nil or has no Version): use DefaultFirewallVersion
// which is always ≥ AWFCliProxyMinVersion → returns true.
// - "latest": always returns true (latest is always a new release).
// - Any semver string ≥ AWFCliProxyMinVersion: returns true.
// - Any semver string < AWFCliProxyMinVersion: returns false.
// - Non-semver string (e.g. a branch name): returns false (conservative).
func awfSupportsCliProxy(firewallConfig *FirewallConfig) bool {
var versionStr string
if firewallConfig != nil && firewallConfig.Version != "" {
versionStr = firewallConfig.Version
} else {
// No override → use the default, which is always ≥ the minimum.
return true
}
- Files reviewed: 18/18 changed files
- Comments generated: 5
Comment on lines
+586
to
+591
| // The token is excluded from the agent container via --exclude-env GH_TOKEN. | ||
| // | ||
| // #nosec G101 -- This is NOT a hardcoded credential. It is a GitHub Actions expression | ||
| // template that is resolved at runtime by the GitHub Actions runner. | ||
| func addCliProxyGHTokenToEnv(env map[string]string, workflowData *WorkflowData) { | ||
| if isFeatureEnabled(constants.CliProxyFeatureFlag, workflowData) && isFirewallEnabled(workflowData) { |
There was a problem hiding this comment.
addCliProxyGHTokenToEnv injects GH_TOKEN into the AWF step env whenever the feature flag + firewall are enabled, but it does not check whether the effective AWF version supports --exclude-env. When AWF < v0.25.3, BuildAWFArgs will still pass --env-all and skip --exclude-env, which would leak this injected GH_TOKEN into the agent container. Consider gating the injection on awfSupportsExcludeEnv(getFirewallConfig(workflowData)) (and likely the CLI proxy version gate as well) so we never introduce a new secret into the container on older AWF versions.
This issue also appears on line 635 of the same file.
Suggested change
| // The token is excluded from the agent container via --exclude-env GH_TOKEN. | |
| // | |
| // #nosec G101 -- This is NOT a hardcoded credential. It is a GitHub Actions expression | |
| // template that is resolved at runtime by the GitHub Actions runner. | |
| func addCliProxyGHTokenToEnv(env map[string]string, workflowData *WorkflowData) { | |
| if isFeatureEnabled(constants.CliProxyFeatureFlag, workflowData) && isFirewallEnabled(workflowData) { | |
| // The token is excluded from the agent container via --exclude-env GH_TOKEN, so only | |
| // inject it when the effective AWF version supports both cli-proxy flags and | |
| // --exclude-env. | |
| // | |
| // #nosec G101 -- This is NOT a hardcoded credential. It is a GitHub Actions expression | |
| // template that is resolved at runtime by the GitHub Actions runner. | |
| func addCliProxyGHTokenToEnv(env map[string]string, workflowData *WorkflowData) { | |
| firewallConfig := getFirewallConfig(workflowData) | |
| if isFeatureEnabled(constants.CliProxyFeatureFlag, workflowData) && | |
| isFirewallEnabled(workflowData) && | |
| awfSupportsCliProxy(firewallConfig) && | |
| awfSupportsExcludeEnv(firewallConfig) { |
Comment on lines
49
to
60
| // DefaultFirewallVersion is the default version of the gh-aw-firewall (AWF) binary | ||
| const DefaultFirewallVersion Version = "v0.25.16" | ||
|
|
||
| // AWFExcludeEnvMinVersion is the minimum AWF version that supports the --exclude-env flag. | ||
| // Workflows pinning an older AWF version must not emit --exclude-env flags or the run will fail. | ||
| const AWFExcludeEnvMinVersion Version = "v0.25.3" | ||
|
|
||
| // AWFCliProxyMinVersion is the minimum AWF version that supports the --enable-cli-proxy flag. | ||
| // Workflows pinning an older AWF version must not emit --enable-cli-proxy flags or the run will fail. | ||
| const AWFCliProxyMinVersion Version = "v0.25.14" | ||
| // AWFCliProxyMinVersion is the minimum AWF version that supports the CLI proxy flags | ||
| // (--difc-proxy-host, --difc-proxy-ca-cert). Workflows pinning an older AWF version | ||
| // must not emit CLI proxy flags or the run will fail. | ||
| const AWFCliProxyMinVersion Version = "v0.26.0" | ||
|
|
There was a problem hiding this comment.
AWFCliProxyMinVersion is now v0.26.0 but DefaultFirewallVersion remains v0.25.16. With the current version-gate logic (and tests), this combination can cause CLI proxy flags to be emitted for workflows that rely on the default AWF version, even though that default is below the minimum. Either bump DefaultFirewallVersion to >= v0.26.0 or adjust the gating logic/tests to treat the default as not supporting CLI proxy yet.
Comment on lines
868
to
883
| want: true, | ||
| }, | ||
| { | ||
| name: "v0.25.14 supports --enable-cli-proxy (exact minimum version)", | ||
| firewallConfig: &FirewallConfig{Version: "v0.25.14"}, | ||
| name: "v0.26.0 supports CLI proxy flags (exact minimum version)", | ||
| firewallConfig: &FirewallConfig{Version: "v0.26.0"}, | ||
| want: true, | ||
| }, | ||
| { | ||
| name: "v0.26.0 supports --enable-cli-proxy", | ||
| firewallConfig: &FirewallConfig{Version: "v0.26.0"}, | ||
| name: "v0.27.0 supports CLI proxy flags", | ||
| firewallConfig: &FirewallConfig{Version: "v0.27.0"}, | ||
| want: true, | ||
| }, | ||
| { | ||
| name: "v0.25.13 does not support --enable-cli-proxy", | ||
| firewallConfig: &FirewallConfig{Version: "v0.25.13"}, | ||
| name: "v0.25.16 does not support CLI proxy flags", | ||
| firewallConfig: &FirewallConfig{Version: "v0.25.16"}, | ||
| want: false, |
There was a problem hiding this comment.
The version-gate tests here assume awfSupportsCliProxy(nil) / empty version implies support via the default, but DefaultFirewallVersion is currently v0.25.16 while the minimum is v0.26.0. If the default stays at v0.25.16, the expected behavior should be that the default does not support CLI proxy flags; alternatively bump the default version and keep these expectations. Either way, align this test table with the chosen default/version-gate semantics so unsupported flags aren’t emitted by default.
Comment on lines
+38
to
+44
| docker run -d --name awmg-cli-proxy --network host \ | ||
| -e GH_TOKEN \ | ||
| -e GITHUB_SERVER_URL \ | ||
| -e DEBUG='*' \ | ||
| -v "$TLS_DIR:$TLS_DIR" \ | ||
| -v "$MCP_LOG_DIR:$MCP_LOG_DIR" \ | ||
| "$CONTAINER_IMAGE" proxy \ |
There was a problem hiding this comment.
start_cli_proxy.sh is not idempotent: docker run --name awmg-cli-proxy will fail if a container with that name already exists (e.g., prior job cancellation on a self-hosted runner, or a previous failed cleanup). Consider removing any existing container (and/or checking for it) before starting so the step can recover reliably.
Comment on lines
5
to
+6
| Add `cli-proxy` feature flag that injects `--enable-cli-proxy` and `--cli-proxy-policy` into the AWF command, giving agents secure read-only `gh` CLI access without exposing `GITHUB_TOKEN` (requires firewall v0.25.14+). | ||
| Replaced with `--difc-proxy-host` and `--difc-proxy-ca-cert` flags, starting difc-proxy on the host before AWF (requires firewall v0.26.0+). |
There was a problem hiding this comment.
This changeset still states the cli-proxy feature injects the deprecated --enable-cli-proxy/--cli-proxy-policy flags. Since the implementation now uses --difc-proxy-host/--difc-proxy-ca-cert and host-managed proxy lifecycle, update the text to describe the current behavior (rather than appending a second sentence that contradicts the first).
Suggested change
| Add `cli-proxy` feature flag that injects `--enable-cli-proxy` and `--cli-proxy-policy` into the AWF command, giving agents secure read-only `gh` CLI access without exposing `GITHUB_TOKEN` (requires firewall v0.25.14+). | |
| Replaced with `--difc-proxy-host` and `--difc-proxy-ca-cert` flags, starting difc-proxy on the host before AWF (requires firewall v0.26.0+). | |
| Add `cli-proxy` feature flag that injects `--difc-proxy-host` and `--difc-proxy-ca-cert` into the AWF command, starting `difc-proxy` on the host before AWF and giving agents secure read-only `gh` CLI access without exposing `GITHUB_TOKEN` (requires firewall v0.26.0+). |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
AWF's internal mcpg container for cli-proxy crashes reliably under its restrictive sandbox (cap_drop ALL, pids_limit 50, mem_limit 256m, non-host network). This moves difc-proxy management to the gh-aw compiler, running it on the host with
--network hostwhere it already works reliably.AWF flag changes
Replaced deprecated flags with new ones that point AWF at the external proxy:
--enable-cli-proxy,--cli-proxy-policy,--cli-proxy-mcpg-image→ removed--difc-proxy-host,--difc-proxy-ca-cert→ addedAWFCliProxyMinVersionbumped tov0.26.0New host-side proxy lifecycle
actions/setup/sh/start_cli_proxy.sh— startsawmg-cli-proxycontainer on host (port 18443, TLS to/tmp/gh-aw/difc-proxy-tls/), with optional guard policy. Fails the step if proxy doesn't become healthy within 30s.actions/setup/sh/stop_cli_proxy.sh—docker rm -fcleanup, runs withif: always().compiler_yaml_main_job.goimmediately before/after engine execution.GH_TOKEN injection
When cli-proxy is enabled,
GH_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || github.token }}is added to the AWF step env across all engines (copilot, claude, codex, gemini) via sharedaddCliProxyGHTokenToEnv()helper. The token is excluded from the agent container via--exclude-env GH_TOKEN.Architecture
Warning
Firewall rules blocked me from connecting to one or more addresses (expand for details)
I tried to connect to the following addresses, but was blocked by firewall rules:
https://api.github.com/graphql/usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw(http block)/usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw roxy|CliProxy g/workflow/awf_hprettier x_amd64/vet(http block)/usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw .*cli.proxy|cli./opt/hostedtoolcache/node/24.14.1/x64/bin/npx g/workflow x_amd64/vet(http block)https://api.github.com/orgs/test-owner/actions/secrets/usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name -c=4 -nolocalimports -importcfg /tmp/go-build3045788820/b411/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/pkg/fileutil/fileutil.go /home/REDACTED/work/gh-aw/gh-aw/pkg/fileutil/tar.go -c 2966524/b387/embGOINSECURE GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go /opt/hostedtoolc-trimpath(http block)https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1/usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha --show-toplevel go /usr/bin/git -json GO111MODULE ache/go/1.25.8/x--show-toplevel git rev-�� --show-toplevel go /usr/bin/git ility-kit.md GO111MODULE x_amd64/link git(http block)https://api.github.com/repos/actions/checkout/git/ref/tags/v3/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha 64/bin/go(http block)https://api.github.com/repos/actions/checkout/git/ref/tags/v5/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha 5511/001/stability-test.md GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env Onlymin-integrity_with_explicit_repo1571791104/001 GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel go /usr/bin/git -json GO111MODULE ache/go/1.25.8/x--show-toplevel git rev-�� --show-toplevel go /usr/bin/git 484684895 GO111MODULE /opt/hostedtoolc--show-toplevel git(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel git /usr/bin/git /tmp/gh-aw-test-git l /usr/bin/gh git rev-�� --show-toplevel gh /usr/bin/git /repos/github/ghgit --jq /usr/bin/git git(http block)https://api.github.com/repos/actions/checkout/git/ref/tags/v6/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha heckout/git/ref/tags/v5 go /usr/bin/git ty-test.md GO111MODULE 64/bin/go /usr/bin/git conf�� --get-regexp ^remote\..*\.gh-resolved$ /usr/bin/git y_with_explicit_git GO111MODULE 64/pkg/tool/linu--show-toplevel git(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --git-dir go /usr/bin/git LsRemoteWithRealgit LsRemoteWithRealrev-parse 64/bin/go /usr/bin/git remo�� -v go /usr/bin/git y_with_repos_arrgit GO111MODULE 64/pkg/tool/linu--show-toplevel git(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha tags/v4 git /usr/bin/git XdPK/4_gG8mNLC_wgit rev-parse /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --get 5788820/b438/_terev-parse /usr/bin/infocmp--show-toplevel git(http block)https://api.github.com/repos/actions/github-script/git/ref/tags/v8/usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha 2966524/b418/_pkGOINSECURE GO111MODULE 64/bin/go GOINSECURE b/gh-aw/pkg/stylenv GOMODCACHE go env sTgb/Yr-IEH7B-fEGOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE 2966524/b418/imp-run(http block)/usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha che/go-build/52/GOSUMDB GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go /opt/hostedtoolcache/go/1.25.8/xGO111MODULE -o /tmp/go-build3932966524/b402/_pkGOINSECURE -trimpath 64/bin/go -p github.com/githurev-parse -lang=go1.25 go(http block)/usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha 01 GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go /opt/hostedtoolc--jq -o /tmp/go-build3932966524/b418/_pkGOINSECURE -trimpath 64/bin/go -p github.com/githu-C -lang=go1.25 go(http block)https://api.github.com/repos/actions/setup-go/git/ref/tags/v4/usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha --show-toplevel go /usr/bin/git -json GO111MODULE 64/bin/go /usr/bin/git conf�� --get-regexp ^remote\..*\.gh-resolved$ /usr/bin/git y_with_repos=pubgit GO111MODULE 64/pkg/tool/linu--show-toplevel git(http block)https://api.github.com/repos/actions/setup-node/git/ref/tags/v4/usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha --show-toplevel go /usr/bin/git mLsRemoteWithReagit mLsRemoteWithRearev-parse 64/bin/go /usr/bin/git conf�� --get-regexp ^remote\..*\.gh-resolved$ /usr/bin/git -json GO111MODULE 64/pkg/tool/linu--show-toplevel git(http block)https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4/usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha . -tests ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet -json GO111MODULE 64/bin/go ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet(http block)https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b/usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha re --log-level=e!../../../pkg/workflow/js/**/*.json(http block)/usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha re --log-level=error t difc-proxy on host, pass new A-ifaceassert x_amd64/vet(http block)https://api.github.com/repos/github/gh-aw/usr/bin/gh gh api /repos/github/gh-aw --jq .visibility HEAD(http block)https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha --show-toplevel go /usr/bin/git -json GO111MODULE 64/bin/go /usr/bin/git conf�� --get-regexp ^remote\..*\.gh-resolved$ /usr/bin/git md GO111MODULE ache/go/1.25.8/x--show-toplevel git(http block)https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha origin develop /usr/bin/git -c=4 -nolocalimports -importcfg git rev-�� --show-toplevel(http block)https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha -m l /usr/bin/git -json GO111MODULE 64/bin/go git -C /tmp/TestGuardPolicyMinIntegrityOnlyCompiledOutput2005680743/001 config /usr/bin/git remote.origin.urgit GOPROXY 64/bin/go git(http block)https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts/usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name GO111MODULE ache/go/1.25.8/x-importcfg GOINSECURE GOMOD GOMODCACHE go env 3896502057 GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet(http block)/usr/bin/gh gh run download 1 --dir test-logs/run-1 GO111MODULE 64/pkg/tool/linu-importcfg GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linu/home/REDACTED/work/gh-aw/gh-aw/scripts/lint_error_messages_test.go env -json GO111MODULE ger.test GOINSECURE GOMOD GOMODCACHE ger.test(http block)https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts/usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile(http block)/usr/bin/gh gh run download 12345 --dir test-logs/run-12345 GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile(http block)https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts/usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env -json GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh run download 12346 --dir test-logs/run-12346 GO111MODULE kflow.test GOINSECURE GOMOD GOMODCACHE kflow.test 7453�� -json GO111MODULE util.test xy|TestAWFSupporgit GOMOD GOMODCACHE util.test(http block)https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts/usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name GO111MODULE 1/x64/bin/bash GOINSECURE GOMOD GOMODCACHE go env 3896502057 GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet(http block)/usr/bin/gh gh run download 2 --dir test-logs/run-2 GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env 2599641236/.github/workflows GO111MODULE 64/pkg/tool/linux_amd64/link GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/link(http block)https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts/usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name GO111MODULE 64/bin/bash GOINSECURE GOMOD GOMODCACHE go env 3896502057 GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh run download 3 --dir test-logs/run-3 GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env g_.a GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE setup/js/node_morev-parse GOMODCACHE go(http block)https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts/usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name GO111MODULE de/node/bin/bash GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh run download 4 --dir test-logs/run-4 GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts/usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env 3896502057 GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh run download 5 --dir test-logs/run-5 GO111MODULE 64/pkg/tool/linux_amd64/cgo GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/cgo env -json GO111MODULE k GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/github/gh-aw/actions/workflows/usr/bin/gh gh workflow list --json name,state,path qwAe/ASRcm6GLaNlGOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE 2966524/b378/impGO111MODULE -c k/gh-aw/gh-aw/cmGOINSECURE k/gh-aw/gh-aw/cmGOMOD 64/bin/go GOSUMDB GOWORK 64/bin/go /opt/hostedtoolcGOPROXY(http block)/usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 ache/go/1.25.8/xpack-objects 64/bin/go go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 GOMOD GOMODCACHE go env l.go l_test.go ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel go /usr/bin/git -json GO111MODULE /opt/hostedtoolc--show-toplevel git rev-�� --show-toplevel go /usr/bin/git /v1.2.3 GO111MODULE eutil.test git(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha til.go o x_amd64/link GOINSECURE GOMOD GOMODCACHE x_amd64/link env g_.a GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE til GOMODCACHE BB/DhPXKBUjWYAJ4--json(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha /tmp/go-build3932966524/b412/_pkGOINSECURE -trimpath 64/bin/go -p github.com/githu-C -lang=go1.25 go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha /tmp/go-build3932966524/b415/_pkGOINSECURE -trimpath 64/bin/go -p lang/pkg/flatted-C -lang=go1.25 go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env 100717541/001 100717541/002/work 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha /tmp/go-build3932966524/b424/_pkGOINSECURE -trimpath 64/bin/go -p github.com/githu-C -lang=go1.25 go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/githubnext/agentics/git/ref/tags/-/usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/- --jq .object.sha get .cfg ode_modules/.bin/node committer.name(http block)https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999/usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha -json GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/nonexistent/repo/actions/runs/12345/usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env -json GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile(http block)https://api.github.com/repos/owner/repo/actions/workflows/usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOINSECURE GOMOD GOMODCACHE 2966524/b394/impGO111MODULE -c 2966524/b394/embGOINSECURE GOPROXY 64/bin/go GOSUMDB GOWORK run-script/lib/n/tmp/go-build3045788820/b415/_pkg_.a /opt/hostedtoolc-trimpath(http block)/usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOINSECURE GOMOD GOMODCACHE 2966524/b399/impGOPROXY -c che/go-build/bf/GOSUMDB GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go /opt/hostedtoolcache/go/1.25.8/xGO111MODULE(http block)https://api.github.com/repos/owner/repo/contents/file.md/tmp/go-build3045788820/b397/cli.test /tmp/go-build3045788820/b397/cli.test -test.testlogfile=/tmp/go-build3045788820/b397/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE sh(http block)https://api.github.com/repos/test-owner/test-repo/actions/secrets/usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name 5951517/001' 5951517/001' 64/bin/go GOINSECURE GOMOD GOMODCACHE sh -c "prettier" --cheGOINSECURE GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go /opt/hostedtoolc-test.v=true(http block)If you need me to access, download, or install something from one of these locations, you can either: