preinstall 3 versions of awf for agentic workflow #13937
aiqiaoy wants to merge 3 commits into actions:main from
Pull request overview
This PR adds preinstallation of Agentic Workflow tooling to the Ubuntu runner images to reduce setup time for agentic workflows by caching multiple versions of the AWF JS bundle and the Copilot CLI in the toolcache.
Changes:
- Add Ubuntu build scripts to install and toolcache the latest 3 stable versions of copilot-cli and the AWF JS bundle (skipping Ubuntu 22.04).
- Wire the new installers into the Ubuntu 22.04/24.04 Packer templates.
- Add Pester tests validating the AWF toolcache layout and that the Copilot CLI is present and runnable.
Show a summary per file
| File | Description |
|---|---|
| images/ubuntu/templates/build.ubuntu-24_04.pkr.hcl | Adds AWF + Copilot CLI installers to the 24.04 build pipeline. |
| images/ubuntu/templates/build.ubuntu-22_04.pkr.hcl | Adds the same installers (scripts self-skip on 22.04). |
| images/ubuntu/scripts/tests/Tools.Tests.ps1 | Adds AWF toolcache validation tests (skipped on 22.04). |
| images/ubuntu/scripts/tests/CLI.Tools.Tests.ps1 | Adds Copilot CLI presence/version tests (skipped on 22.04). |
| images/ubuntu/scripts/build/install-copilot-cli.sh | New installer that caches multiple Copilot CLI versions + symlinks latest. |
| images/ubuntu/scripts/build/install-awf.sh | New installer that caches multiple AWF JS bundle versions in toolcache. |
Copilot's findings
- Files reviewed: 6/6 changed files
- Comments generated: 3
| # Get the most recent stable releases (exclude pre-releases, beta and release without assets) | ||
| releases=$(curl -fsSL "https://api.github.com/repos/github/gh-aw-firewall/releases?per_page=10") | ||
| versions=$(echo "$releases" | jq -r '[.[] | select(.assets | length > 0) | select(.prerelease == false) | select(.tag_name | test(".*-[a-z]|beta") | not)] | .[:'"$NUM_VERSIONS"'] | .[].tag_name') | ||
|
|
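Review bot: In the `jq` filter, `test(".*-[a-z]|beta")` is unanchored and the alternation binds loosest, so it reads as "`.*-[a-z]` or `beta`": the leading `.*` has no effect, and any tag containing a hyphen followed by a lowercase letter is dropped, which already covers `-beta` suffixes. Since `.prerelease == false` is checked separately, consider matching the intended tag shape positively with an anchored pattern instead of excluding suffixes, and fail the script when `versions` holds fewer than `$NUM_VERSIONS` entries; nothing in these lines checks that the list is non-empty.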
The GitHub release query uses per_page=10 and only checks that a release has some assets, not that it includes awf-bundle.js/checksums.txt. This can lead to caching fewer than NUM_VERSIONS versions or failing downloads if a release is missing the expected files. Prefer using helpers/install.sh (get_github_releases_by_version + resolve_github_release_asset_url) or filter releases by the required asset name and increase the page size so you can reliably install 3 stable versions.
I have already checked the changes to be made.
| bundle_path=$(download_with_retry "$bundle_url") | ||
|
|
||
| # Supply chain security - AWF | ||
| checksums_url="https://github.com/github/gh-aw-firewall/releases/download/${tag}/checksums.txt" |
Curious, how do we enforce the security here? If someone was able to update release artifacts then they could equally update the checksum file too.
Yeah, good point. I think we need to verify the signature to be fully protected, although this checksum validation is an existing pattern in our install scripts.
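The limitation raised in this thread, as an added example (not code from the PR or from the runner-images helper scripts): a `checksums.txt` taken from the same release still matches after both files are replaced, while a digest pinned outside the release does not. A pinned digest stands in here for signature verification as the out-of-band trust anchor; the function names, the `pins.txt` format, the `vX.Y.Z` tag and the file contents are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: names, the pins.txt format, the vX.Y.Z tag and file contents
# are constructed for illustration; none of this is code from the PR.

sha256_of() { sha256sum "$1" | awk '{print $1}'; }

# Pattern from the thread: expected digest comes from checksums.txt published
# in the same release as the artifact. Detects corruption, not replacement.
verify_against_release_checksums() {
    local file="$1" checksums="$2" name expected
    name=$(basename "$file")
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) {print $1}' "$checksums")
    [ -n "$expected" ] && [ "$(sha256_of "$file")" = "$expected" ]
}

# Out-of-band anchor: expected digest is pinned per tag in a file that lives
# in the image repository, so changing it requires a reviewed commit there.
verify_against_pinned() {
    local file="$1" tag="$2" pins="$3" expected
    expected=$(awk -v t="$tag" '$1 == t {print $2}' "$pins")
    [ -n "$expected" ] && [ "$(sha256_of "$file")" = "$expected" ]
}

# Builds a constructed release in a temp dir and reports both verdicts.
# mode=tampered replaces the bundle and regenerates checksums.txt, which is
# the situation the reviewer describes for someone who can edit release assets.
simulate() {
    local mode="$1" dir r p
    dir=$(mktemp -d)
    printf 'console.log("awf");\n' > "$dir/awf-bundle.js"
    printf 'vX.Y.Z %s\n' "$(sha256_of "$dir/awf-bundle.js")" > "$dir/pins.txt"
    if [ "$mode" = tampered ]; then
        printf 'console.log("modified");\n' > "$dir/awf-bundle.js"
    fi
    (cd "$dir" && sha256sum awf-bundle.js > checksums.txt)
    verify_against_release_checksums "$dir/awf-bundle.js" "$dir/checksums.txt" \
        && r=pass || r=fail
    verify_against_pinned "$dir/awf-bundle.js" vX.Y.Z "$dir/pins.txt" \
        && p=pass || p=fail
    rm -rf "$dir"
    echo "release_checksums=$r pinned=$p"
}

simulate clean
simulate tampered
```

Pinning trades the "latest 3 versions" lookup for an explicit list that has to be updated by commit, which is the cost of moving the trust anchor out of the release.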
| source $HELPER_SCRIPTS/os.sh | ||
|
|
||
| # Following the pattern in install-docker.sh where the core AW container images are only installed on ubuntu-latest | ||
| if is_ubuntu22; then |
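Review bot: The comment above `if is_ubuntu22; then` says this tooling belongs only on ubuntu-latest, but the condition is a deny-list for 22.04, so any other image that runs this script will install it. If "latest only" is the intent, test for the supported release explicitly instead of excluding one, so a newly added image has to opt in. Separately, quote the path in `source $HELPER_SCRIPTS/os.sh` so an unset or space-containing `HELPER_SCRIPTS` fails predictably.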
Given this code, do you need to update the ubuntu-22 Packer template?
Description
New tool, Bug fixing, or Improvement?
Please include a summary of the change and which issue is fixed. Also include relevant motivation and context.
For new tools, please provide total size and installation time.
Following ADR to pre-install awf js bundle in runner images. 3 versions of awf bundle ~1MB.
Related issue: https://github.com/github/c2c-actions/issues/9991
Check list