Conversation
…y-proxy Agent-Logs-Url: https://github.com/github/gh-aw/sessions/ab2b192b-e861-44a7-857e-16d65dbe2549 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
- Change hasDIFCGuardsConfigured to use opt-out model: proxy is enabled by default when guard policies are configured, disabled only when tools.github.integrity-proxy: false is set - Add isIntegrityProxyDisabled helper function - Add integrity-proxy boolean field to tools.github JSON schema (default: true) - Mark DIFCProxyFeatureFlag constant as deprecated - Add getDIFCProxyToIntegrityProxyCodemod codemod to migrate features.difc-proxy → tools.github.integrity-proxy - Update compiler_difc_proxy_test.go to reflect default-enabled behavior - Update docs (frontmatter.md, glossary.md) Agent-Logs-Url: https://github.com/github/gh-aw/sessions/ab2b192b-e861-44a7-857e-16d65dbe2549 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
- Rename isIntegrityProxyDisabled to isIntegrityProxyEnabled (clearer semantics) - Handle string 'false' explicitly in getDIFCProxyFlagValue - Derive indentation dynamically from existing github block sub-fields - Add test cases for string 'false' and indentation correctness Agent-Logs-Url: https://github.com/github/gh-aw/sessions/ab2b192b-e861-44a7-857e-16d65dbe2549 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
| GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} | ||
| GITHUB_SERVER_URL: ${{ github.server_url }} | ||
| run: | | ||
| bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"approved","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.11' |
There was a problem hiding this comment.
Done in 8a781bb. The policy JSON and container image are now stored in DIFC_PROXY_POLICY and DIFC_PROXY_IMAGE env vars, and start_difc_proxy.sh reads them from the environment instead of positional arguments. The generated step now looks like:
env:
GH_TOKEN: ...
GITHUB_SERVER_URL: ${{ github.server_url }}
DIFC_PROXY_POLICY: '{"allow-only":{"min-integrity":"approved","repos":"all"}}'
DIFC_PROXY_IMAGE: 'ghcr.io/github/gh-aw-mcpg:v0.2.11'
run: |
bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh
Move policy JSON and container image from start_difc_proxy.sh positional arguments to DIFC_PROXY_POLICY and DIFC_PROXY_IMAGE environment variables. This avoids shell-quoting issues and keeps the run: command clean. Agent-Logs-Url: https://github.com/github/gh-aw/sessions/0770a3b0-0a28-479e-8d10-4c0018bb4246 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
|
Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details. Warning Firewall rules blocked me from connecting to one or more addresses (expand for details)I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
|
There was a problem hiding this comment.
Pull request overview
This PR migrates DIFC proxy enablement from the opt-in features.difc-proxy flag to an opt-out tools.github.integrity-proxy setting (default enabled when guard policies are configured), and adds an automated codemod + schema/docs updates to support the new configuration.
Changes:
- Update DIFC proxy injection gating to use
tools.github.integrity-proxy(opt-out) instead offeatures.difc-proxy(opt-in). - Add schema + docs for
tools.github.integrity-proxyand deprecate the old feature flag. - Introduce and register a
gh aw fixcodemod to migrate existing workflows; regenerate multiple locked workflows to include proxy steps and proxy log artifact paths.
Reviewed changes
Copilot reviewed 36 out of 36 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| pkg/workflow/compiler_difc_proxy.go | Switch proxy gating to tools.github.integrity-proxy via isIntegrityProxyEnabled(). |
| pkg/workflow/compiler_difc_proxy_test.go | Update compiler tests for default-enabled proxy behavior and explicit opt-out. |
| pkg/parser/schemas/main_workflow_schema.json | Add tools.github.integrity-proxy boolean with default true. |
| pkg/constants/feature_constants.go | Deprecate DIFCProxyFeatureFlag in favor of tools.github.integrity-proxy. |
| pkg/cli/fix_codemods.go | Register the new DIFC proxy migration codemod. |
| pkg/cli/codemod_difc_proxy.go | Implement codemod migrating features.difc-proxy → tools.github.integrity-proxy. |
| pkg/cli/codemod_difc_proxy_test.go | Add tests covering codemod migration scenarios and indentation handling. |
| docs/src/content/docs/reference/frontmatter.md | Document new tools.github.integrity-proxy field and migration guidance. |
| docs/src/content/docs/reference/glossary.md | Update glossary entry to reflect new config location and default behavior. |
| .github/workflows/workflow-generator.lock.yml | Include proxy logs in artifacts (and exclude proxy TLS directory). |
| .github/workflows/weekly-safe-outputs-spec-review.lock.yml | Include proxy logs in artifacts (and exclude proxy TLS directory). |
| .github/workflows/weekly-issue-summary.lock.yml | Include proxy logs in artifacts (and exclude proxy TLS directory). |
| .github/workflows/weekly-blog-post-writer.lock.yml | Include proxy logs in artifacts; add start/stop DIFC proxy steps around pre-agent gh calls. |
| .github/workflows/stale-repo-identifier.lock.yml | Add start/stop DIFC proxy steps; include proxy logs in artifacts; adjust concurrency group. |
| .github/workflows/smoke-copilot.lock.yml | Include proxy logs in artifacts (and exclude proxy TLS directory). |
| .github/workflows/smoke-agent-scoped-approved.lock.yml | Include proxy logs in artifacts (and exclude proxy TLS directory). |
| .github/workflows/smoke-agent-public-none.lock.yml | Include proxy logs in artifacts (and exclude proxy TLS directory). |
| .github/workflows/smoke-agent-public-approved.lock.yml | Include proxy logs in artifacts (and exclude proxy TLS directory). |
| .github/workflows/smoke-agent-all-none.lock.yml | Include proxy logs in artifacts (and exclude proxy TLS directory). |
| .github/workflows/smoke-agent-all-merged.lock.yml | Include proxy logs in artifacts (and exclude proxy TLS directory). |
| .github/workflows/slide-deck-maintainer.lock.yml | Adjust concurrency group key to incorporate workflow inputs. |
| .github/workflows/scout.lock.yml | Include proxy logs in artifacts (and exclude proxy TLS directory). |
| .github/workflows/refiner.lock.yml | Include proxy logs in artifacts (and exclude proxy TLS directory). |
| .github/workflows/q.lock.yml | Include proxy logs in artifacts (and exclude proxy TLS directory). |
| .github/workflows/pr-triage-agent.lock.yml | Include proxy logs in artifacts (and exclude proxy TLS directory). |
| .github/workflows/plan.lock.yml | Include proxy logs in artifacts (and exclude proxy TLS directory). |
| .github/workflows/org-health-report.lock.yml | Include proxy logs in artifacts (and exclude proxy TLS directory). |
| .github/workflows/issue-triage-agent.lock.yml | Include proxy logs in artifacts (and exclude proxy TLS directory). |
| .github/workflows/issue-monster.lock.yml | Include proxy logs in artifacts (and exclude proxy TLS directory). |
| .github/workflows/issue-arborist.lock.yml | Add start/stop DIFC proxy steps; include proxy logs in artifacts. |
| .github/workflows/grumpy-reviewer.lock.yml | Include proxy logs in artifacts (and exclude proxy TLS directory). |
| .github/workflows/discussion-task-miner.lock.yml | Include proxy logs in artifacts (and exclude proxy TLS directory). |
| .github/workflows/daily-issues-report.lock.yml | Add start/stop DIFC proxy steps; include proxy logs in artifacts. |
| .github/workflows/daily-doc-updater.lock.yml | Include proxy logs in artifacts; add start/stop DIFC proxy steps around pre-agent gh calls. |
| .github/workflows/contribution-check.lock.yml | Include proxy logs in artifacts (and exclude proxy TLS directory). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| val, hasField := toolConfig["integrity-proxy"] | ||
| if !hasField { | ||
| return true // default: enabled | ||
| } | ||
| if enabled, ok := val.(bool); ok { |
There was a problem hiding this comment.
tools.github.integrity-proxy is parsed only as a boolean. If a workflow sets integrity-proxy: "false" (quoted YAML string), this function currently falls back to true, so the proxy cannot be disabled as documented. Consider treating a case-insensitive string value of "false" as disabled (and optionally warn on other non-bool types).
| // Step 1: remove features.difc-proxy | ||
| result, modified := removeFieldFromBlock(lines, "difc-proxy", "features") | ||
| if !modified { | ||
| return lines, false | ||
| } |
There was a problem hiding this comment.
Removing features.difc-proxy via removeFieldFromBlock can leave an empty features: key behind when it was the only feature. In YAML that becomes features: null, which violates the schema (features must be an object) and can break validation/compilation. After removal, drop the features: block entirely when it has no remaining children (or rewrite it as features: {}) and add a test for the “only difc-proxy feature” case.
| // Note: string values are checked case-insensitively; "false" returns false, any other non-empty | ||
| // string returns true. This matches the existing behavior of isFeatureEnabled in features.go. |
There was a problem hiding this comment.
The comment says this matches isFeatureEnabled behavior, but isFeatureEnabled treats any non-empty string as enabled (including "false"). Either update this comment to describe the intentional divergence (treating "false" as false) or align the parsing logic with isFeatureEnabled.
| // Note: string values are checked case-insensitively; "false" returns false, any other non-empty | |
| // string returns true. This matches the existing behavior of isFeatureEnabled in features.go. | |
| // Note: string values are checked case-insitively; "false" returns false, any other non-empty | |
| // string returns true. This intentionally differs from isFeatureEnabled in features.go, which | |
| // treats any non-empty string (including "false") as enabled. |
| contents: write | ||
| issues: write | ||
| concurrency: |
There was a problem hiding this comment.
This changes the workflow’s concurrency group key (now includes inputs.organization), which is a behavioral change but isn’t mentioned in the PR description. If this is unrelated to the integrity-proxy refactor, consider splitting it into a separate PR or updating the description to call it out.
| concurrency: | ||
| group: "gh-aw-conclusion-slide-deck-maintainer" | ||
| group: "gh-aw-conclusion-slide-deck-maintainer-${{ inputs.focus || github.run_id }}" | ||
| cancel-in-progress: false |
There was a problem hiding this comment.
This changes the workflow’s concurrency group key (now includes inputs.focus), which is a behavioral change but isn’t mentioned in the PR description. If this is unrelated to the integrity-proxy refactor, consider splitting it into a separate PR or updating the description to call it out.
There was a problem hiding this comment.
Confirmed — the inline comment at line 63 is noted. The intentional divergence from isFeatureEnabled behavior is worth documenting clearly. The suggestion in the comment is a good addition.
📰 BREAKING: Report filed by Smoke Copilot
|
@lpcox proxy ready? |
|
✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready. |
|
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨ |
|
🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation... |
|
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing... |
Agent Container Tool Check
Result: 12/12 tools available ✅ Overall Status: PASS
|
|
🎉 Smoke test complete!
Overall: Author:
|
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
Smoke test review on PR #24065. The opt-out migration from features.difc-proxy to tools.github.integrity-proxy is well-structured. Two minor observations: (1) the codemod silently drops the opt-out when no tools.github block exists, and (2) a debug log on the default-enabled path would help operators. Overall a clean refactor.
📰 BREAKING: Report filed by Smoke Copilot
| newContent, applied, err := applyFrontmatterLineTransform(content, func(lines []string) ([]string, bool) { | ||
| // Step 1: remove features.difc-proxy | ||
| result, modified := removeFieldFromBlock(lines, "difc-proxy", "features") | ||
| if !modified { |
There was a problem hiding this comment.
The addDisableFlag logic only adds integrity-proxy: false when hasToolsGithubMap returns true. If a workflow has features.difc-proxy: false but no tools.github block yet, the opt-out intent will be silently dropped. Consider creating the tools.github block when it doesn't exist, to always preserve the user's explicit opt-out.
| toolConfig, ok := githubTool.(map[string]any) | ||
| if !ok { | ||
| return true | ||
| } |
There was a problem hiding this comment.
Good default — returning true when the field is absent correctly implements the opt-out model. A small nit: the comment // default: enabled is clear, but it might be worth also logging a debug message here (via difcProxyLog.Print) so operators can confirm the proxy defaulted on during debugging.
|
@copilot merge main and recompile |
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Done — merged main and recompiled all 179 workflows successfully. Warning Firewall rules blocked me from connecting to one or more addresses (expand for details)I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
|
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…ge behavior Agent-Logs-Url: https://github.com/github/gh-aw/sessions/5f35a885-54fa-4e44-93d7-674a679e8262 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Done in d211569. Merged main and fixed the CI failure — the Warning Firewall rules blocked me from connecting to one or more addresses (expand for details)I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
|
There was a problem hiding this comment.
💥 Automated smoke test review - all systems nominal!
💥 [THE END] — Illustrated by Smoke Claude
| /tmp/gh-aw/sandbox/agent/logs/ | ||
| /tmp/gh-aw/redacted-urls.log | ||
| /tmp/gh-aw/mcp-logs/ | ||
| /tmp/gh-aw/proxy-logs/ |
There was a problem hiding this comment.
The proxy-logs path exclusion looks correct — including proxy-logs/ for artifact upload while excluding proxy-logs/proxy-tls/ to avoid leaking TLS certs. Good pattern.
| DIFC_PROXY_IMAGE: 'ghcr.io/github/gh-aw-mcpg:v0.2.11' | ||
| run: | | ||
| bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh | ||
| - name: Set GH_REPO for proxied steps |
There was a problem hiding this comment.
The Set GH_REPO for proxied steps step correctly sets the env var for downstream steps using the proxy. This ensures the DIFC proxy knows which repo context to use for integrity checks.
…ositional arg Agent-Logs-Url: https://github.com/github/gh-aw/sessions/ccb2befc-f1f2-4975-a3bd-a15f65ec7a1a Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Fixed in 398c494. The CI test in |
Contribution Check Report
Hey Everything looks solid:
This PR looks ready for maintainer review. 🚀
|
…IFC proxy codemod Agent-Logs-Url: https://github.com/github/gh-aw/sessions/d3b1cadb-129c-42cb-8a04-d0cbaecb5fe5 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Fixed in 9d14ce1. The |
Summary
Refactors the
features.difc-proxyopt-in feature flag to atools.github.integrity-proxyfield with opt-out semantics (default enabled).Changes
Behavioral change (opt-in → opt-out)
features.difc-proxy: trueto enabletools.github.min-integrityis configured; settools.github.integrity-proxy: falseto disableFiles changed
pkg/workflow/compiler_difc_proxy.goisIntegrityProxyEnabled()helper that readstools.github.integrity-proxypkg/constants/feature_constants.goDIFCProxyFeatureFlagas deprecatedpkg/parser/schemas/main_workflow_schema.jsonintegrity-proxy: booleanfield totools.github(default:true)pkg/cli/codemod_difc_proxy.gofeatures-difc-proxy-to-tools-githubpkg/cli/fix_codemods.gopkg/workflow/compiler_difc_proxy_test.gopkg/cli/codemod_difc_proxy_test.goactions/setup/sh/start_difc_proxy.shDIFC_PROXY_POLICY/DIFC_PROXY_IMAGEenv vars instead of positional argumentsdocs/src/content/docs/reference/frontmatter.mddocs/src/content/docs/reference/glossary.mdDIFC proxy step config via environment variables
The generated
Start DIFC proxystep now passes the guard policy JSON and container image through environment variables rather than inline shell arguments, avoiding shell-quoting issues:Codemod (
gh aw fix)The
features-difc-proxy-to-tools-githubcodemod automatically migrates existing workflows:features.difc-proxy: true→ removes the flag (proxy is now enabled by default)features.difc-proxy: false→ removes from features + addstools.github.integrity-proxy: falseto preserve opt-out intentTesting
All existing tests updated. New tests added for:
integrity-proxy: falsesuppresses proxy'false'handlingDIFC_PROXY_POLICYandDIFC_PROXY_IMAGEenv vars present in generated step✨ PR Review Safe Output Test - Run 23900581947