feat(ci): add api-proxy image to release pipeline #846
The api-proxy sidecar container (containers/api-proxy/) exists in the repo but was never wired into the release workflow. This means the image ghcr.io/github/gh-aw-firewall/api-proxy:<version> was never published to GHCR, causing smoke tests to fail when --enable-api-proxy is used:

    Container awf-api-proxy Error response from daemon: No such image: ghcr.io/github/gh-aw-firewall/api-proxy:0.16.5

Add build, push, cosign signing, and SBOM attestation steps for the api-proxy image, matching the existing pattern for squid and agent images.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

Chroot tests failed
Smoke Chroot failed - See logs for details.

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...
No actionable task requested yet. Awaiting instructions.

✅ Coverage Check Passed
Overall Coverage
📁 Per-file Coverage Changes (1 files)
Coverage comparison generated by
Pull request overview
This PR adds the missing api-proxy container image to the release pipeline, enabling the --enable-api-proxy feature to work with published images from GHCR. The api-proxy sidecar (introduced in #751) securely holds LLM API credentials and routes traffic through Squid for domain whitelisting, but was never published to the container registry.
Changes:
- Bump version from 0.16.4 to 0.16.5
- Add build, sign, SBOM generation, and SBOM attestation steps for api-proxy image to release.yml
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| package.json | Version bump to 0.16.5 for release |
| package-lock.json | Version bump to 0.16.5 (lockfile sync) |
| .github/workflows/release.yml | Add api-proxy image build/push/sign/SBOM steps following the same pattern as squid image |

Bun Build Test Results
Overall: PASS ✅ All Bun projects built and tested successfully.

Build Test: Deno ✅
All Deno tests passed successfully!
Overall: PASS
Environment: Deno 2.6.9

C++ Build Test Results
Overall: PASS ✅ All C++ projects built successfully.

Build Test: Node.js Results
Overall: PASS ✅ All Node.js projects installed successfully and passed their test suites.

Smoke Test Results
Last 2 Merged PRs:
Test Results:
Status: PASS 🎉 cc @Mossaka

Smoke Test Results (Claude)
Last 2 Merged PRs:
Test Results:
Status: PASS

Build Test: Go - Results
Overall: PASS ✅ All Go projects successfully downloaded dependencies and passed their tests.

Rust Build Test Results
Overall: PASS ✅ All Rust projects built and tested successfully.

.NET Build Test Results
Overall: PASS ✅ All .NET projects restored, built, and ran successfully.

Summary
- api-proxy container image to the release workflow

Context
The containers/api-proxy/ directory has existed in this repo since #751, but the release workflow only builds and pushes squid, agent, and agent-act images. The api-proxy image was never published to GHCR.

This causes failures in gh-aw workflows that use --enable-api-proxy:

See: github/gh-aw#15533 (gh-aw side that enables --enable-api-proxy for Claude and Codex)

Changes
Added to release.yml between the Agent and Agent-Act image steps:

Follows the exact same pattern as the squid and agent image steps.

Test plan
- ghcr.io/github/gh-aw-firewall/api-proxy:<version> is published

🤖 Generated with Claude Code
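
A release-coverage check for the gap this PR closes, as an added example that is not part of the PR or the project's code: it reports every image the CLI can pull that lacks a build/push, cosign signing, SBOM, or attestation step in the workflow text. The step pattern, the action names used as stage markers, and the function names are constructed assumptions; only the image names, registry prefix and version come from this page.

```python
import re

REGISTRY = "ghcr.io/github/gh-aw-firewall"  # image prefix quoted in the PR
# Release stage -> text that identifies it in a step (assumed tooling).
STAGES = {
    "build-push": "docker/build-push-action",
    "sign": "cosign sign",
    "sbom": "anchore/sbom-action",
    "attest": "actions/attest-sbom",
}
# Constructed per-image step pattern; IMG is replaced by the image name.
PATTERN = """\
- name: Build and push IMG
  uses: docker/build-push-action@v5
  with: {push: true, tags: "ghcr.io/github/gh-aw-firewall/IMG:0.16.5"}
- name: Sign IMG
  run: cosign sign --yes ghcr.io/github/gh-aw-firewall/IMG@${DIGEST}
- name: Generate SBOM for IMG
  uses: anchore/sbom-action@v0
  with: {image: "ghcr.io/github/gh-aw-firewall/IMG:0.16.5"}
- name: Attest SBOM for IMG
  uses: actions/attest-sbom@v1
  with: {subject-name: ghcr.io/github/gh-aw-firewall/IMG}
"""

def render(images):
    """Build a constructed workflow fragment covering the given images."""
    return "".join(PATTERN.replace("IMG", name) for name in images)

def release_gaps(workflow_text, images):
    """Map each image to the release stages no step performs for it."""
    steps = re.split(r"(?m)^\s*-\s+(?=name:|uses:|run:)", workflow_text)[1:]
    gaps = {}
    for image in images:
        # The lookahead keeps "agent" from matching inside "agent-act".
        ref = re.compile(re.escape(f"{REGISTRY}/{image}") + r"(?![\w-])")
        seen = {stage for step in steps if ref.search(step)
                for stage, marker in STAGES.items() if marker in step}
        missing = [stage for stage in STAGES if stage not in seen]
        if missing:
            gaps[image] = missing
    return gaps

if __name__ == "__main__":
    pullable = ["squid", "agent", "agent-act", "api-proxy"]
    before = render(["squid", "agent", "agent-act"])  # state the PR describes
    print(release_gaps(before, pullable))
    print(release_gaps(render(pullable), pullable))
```

Run as a pre-release CI gate, a non-empty result fails the job before a version is tagged, so a missing image shows up at release time and not as "No such image" in a downstream smoke test.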