feat(ci): add api-proxy image to release pipeline

[Mossaka]

Summary

• Add build, push, cosign signing, and SBOM attestation steps for the api-proxy container image to the release workflow

Context

The containers/api-proxy/ directory has existed in this repo since #751, but the release workflow only builds and pushes squid, agent, and agent-act images. The api-proxy image was never published to GHCR.

This causes failures in gh-aw workflows that use --enable-api-proxy:

Container awf-api-proxy  Error response from daemon: No such image:
ghcr.io/github/gh-aw-firewall/api-proxy:0.16.5

See: github/gh-aw#15533 (gh-aw side that enables --enable-api-proxy for Claude and Codex)

Changes

Added to release.yml between the Agent and Agent-Act image steps:

1. Build and push API Proxy image (with GHA cache)
2. Sign with cosign
3. Generate SBOM with anchore/sbom-action
4. Attest SBOM with cosign

Follows the exact same pattern as the squid and agent image steps.

Test plan

• After merge, cut a new release and verify ghcr.io/github/gh-aw-firewall/api-proxy:<version> is published
• Run smoke-claude and smoke-codex with the new image

🤖 Generated with Claude Code

[github-actions]

Chroot tests failed Smoke Chroot failed - See logs for details.

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...

No actionable task requested yet. Awaiting instructions.

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	82.82%	82.97%	📈 +0.15%
Statements	82.81%	82.96%	📈 +0.15%
Functions	82.74%	82.74%	➡️ +0.00%
Branches	74.87%	74.97%	📈 +0.10%

📁 Per-file Coverage Changes (1 files)

File	Lines (Before → After)	Statements (Before → After)
src/docker-manager.ts	84.7% → 85.3% (+0.61%)	84.1% → 84.7% (+0.59%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[Copilot]

Pull request overview

This PR adds the missing api-proxy container image to the release pipeline, enabling the --enable-api-proxy feature to work with published images from GHCR. The api-proxy sidecar (introduced in #751) securely holds LLM API credentials and routes traffic through Squid for domain whitelisting, but was never published to the container registry.

Changes:

• Bump version from 0.16.4 to 0.16.5
• Add build, sign, SBOM generation, and SBOM attestation steps for api-proxy image to release.yml

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.

File	Description
package.json	Version bump to 0.16.5 for release
package-lock.json	Version bump to 0.16.5 (lockfile sync)
.github/workflows/release.yml	Add api-proxy image build/push/sign/SBOM steps following the same pattern as squid image

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

Bun Build Test Results

Project	Install	Tests	Status
elysia	✅	1/1	PASS
hono	✅	1/1	PASS

Overall: PASS ✅

All Bun projects built and tested successfully.

AI generated by Build Test Bun

[github-actions]

Build Test: Deno ✅

All Deno tests passed successfully!

Project	Tests	Status
oak	1/1	✅ PASS
std	1/1	✅ PASS

Overall: PASS

Environment: Deno 2.6.9

AI generated by Build Test Deno

[github-actions]

C++ Build Test Results

Project	CMake	Build	Status
fmt	✅	✅	PASS
json	✅	✅	PASS

Overall: PASS ✅

All C++ projects built successfully.

AI generated by Build Test C++

[github-actions]

Build Test: Node.js Results

Project	Install	Tests	Status
clsx	✅	PASS	PASS
execa	✅	PASS	PASS
p-limit	✅	PASS	PASS

Overall: PASS ✅

All Node.js projects installed successfully and passed their test suites.

AI generated by Build Test Node.js

[github-actions]

Smoke Test Results

Last 2 Merged PRs:

• feat(ci): add api-proxy image to release pipeline #846 feat(ci): add api-proxy image to release pipeline
• perf: batch chroot integration tests to reduce container overhead #845 perf: batch chroot integration tests to reduce container overhead

Test Results:

• ✅ GitHub MCP (retrieved PR data)
• ✅ Playwright (title: "GitHub · Change is constant. GitHub keeps you ahead.")
• ✅ File writing (smoke-test-copilot-22007696155.txt created)
• ✅ Bash tool (file verified)

Status: PASS 🎉

cc @Mossaka

AI generated by Smoke Copilot

[github-actions]

Smoke Test Results (Claude)

Last 2 Merged PRs:

• feat(ci): add api-proxy image to release pipeline #846: feat(ci): add api-proxy image to release pipeline
• perf: batch chroot integration tests to reduce container overhead #845: perf: batch chroot integration tests to reduce container overhead

Test Results:

• ✅ GitHub MCP (list PRs)
• ✅ Playwright (page title contains "GitHub")
• ✅ File write (/tmp/gh-aw/agent/smoke-test-claude-22007696202.txt)
• ✅ Bash verification (file read successful)

Status: PASS

AI generated by Smoke Claude

[github-actions]

Build Test: Go - Results

Project	Download	Tests	Status
color	✅	1/1	PASS
env	✅	1/1	PASS
uuid	✅	1/1	PASS

Overall: PASS ✅

All Go projects successfully downloaded dependencies and passed their tests.

AI generated by Build Test Go

[github-actions]

Rust Build Test Results

Project	Build	Tests	Status
fd	✅	1/1	PASS
zoxide	✅	1/1	PASS

Overall: PASS ✅

All Rust projects built and tested successfully.

AI generated by Build Test Rust

[github-actions]

.NET Build Test Results

Project	Restore	Build	Run	Status
hello-world	✅	✅	✅	PASS
json-parse	✅	✅	✅	PASS

Overall: PASS ✅

All .NET projects restored, built, and ran successfully.

AI generated by Build Test .NET