preinstall 3 versions of awf for agentic workflow #13937
base: main
Changes from 1 commit
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,51 @@ | ||
| #!/bin/bash -e | ||
| ################################################################################ | ||
| ## File: install-awf.sh | ||
| ## Desc: Install Agent Workflow Firewall JS bundle (most recent 3 versions) | ||
| ## Supply chain security: AWF - checksum validation | ||
| ################################################################################ | ||
|
|
||
| # Source the helpers for use with the script | ||
| source $HELPER_SCRIPTS/install.sh | ||
| source $HELPER_SCRIPTS/os.sh | ||
|
|
||
| # Following the pattern in install-docker.sh where the core AW container images are only installed on ubuntu-latest | ||
| if is_ubuntu22; then | ||
| exit 0 | ||
| fi | ||
|
|
||
| # Number of versions to install (current + 2 previous) | ||
| NUM_VERSIONS=3 | ||
|
|
||
| # Get the most recent stable releases (exclude pre-releases, beta and release without assets) | ||
| releases=$(curl -fsSL "https://api.github.com/repos/github/gh-aw-firewall/releases?per_page=10") | ||
| versions=$(echo "$releases" | jq -r '[.[] | select(.assets | length > 0) | select(.prerelease == false) | select(.tag_name | test(".*-[a-z]|beta") | not)] | .[:'"$NUM_VERSIONS"'] | .[].tag_name') | ||
|
|
||
|
Comment on lines +14 to +17
|
||
| if [[ -z "$versions" ]]; then | ||
| echo "Error: Unable to find AWF releases." | ||
| exit 1 | ||
| fi | ||
|
|
||
| for tag in $versions; do | ||
| version="${tag#v}" | ||
| echo "Installing AWF JS bundle version $version to toolcache..." | ||
|
|
||
| # Download the JS bundle | ||
| bundle_url="https://github.com/github/gh-aw-firewall/releases/download/${tag}/awf-bundle.js" | ||
| bundle_path=$(download_with_retry "$bundle_url") | ||
|
|
||
| # Supply chain security - AWF | ||
| checksums_url="https://github.com/github/gh-aw-firewall/releases/download/${tag}/checksums.txt" | ||
|
Contributor
Curious, how do we enforce the security here? If someone was able to update release artifacts then they could equally update the checksum file too.
Author
Yeah, good point. I think we need to verify the signature to be fully protected, although this checksum validation is an existing pattern in our install scripts.
||
| external_hash=$(get_checksum_from_url "$checksums_url" "awf-bundle.js" "SHA256") | ||
| use_checksum_comparison "$bundle_path" "$external_hash" | ||
|
|
||
| # Install to toolcache | ||
| awf_toolcache_path="$AGENT_TOOLSDIRECTORY/agentic-workflow-firewall-js/$version/x64" | ||
| mkdir -p "$awf_toolcache_path" | ||
| cp "$bundle_path" "$awf_toolcache_path/awf-bundle.js" | ||
|
|
||
| # Mark installation complete | ||
| touch "$AGENT_TOOLSDIRECTORY/agentic-workflow-firewall-js/$version/x64.complete" | ||
| done | ||
|
|
||
| invoke_tests "Tools" "AWF" | ||
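Review bot: the integrity check at the `checksums_url` / `get_checksum_from_url` / `use_checksum_comparison` lines compares the download against a checksums.txt served from the same release that serves awf-bundle.js, so it detects a corrupted transfer but not a replaced asset; whoever can swap the bundle can regenerate checksums.txt, as the thread above already notes. Since the script installs exactly NUM_VERSIONS known tags, consider carrying the expected SHA256 of each tag in the repository (updated with each version bump) or verifying a release signature or attestation, and treating the same-origin comparison as a transport check only. Secondary: the `.[:'"$NUM_VERSIONS"']` slice silently yields fewer than three versions when pre-releases or asset-less releases crowd the ten most recent, and only the empty case is caught; comparing the line count of `$versions` against NUM_VERSIONS would make that visible.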
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| #!/bin/bash -e | ||
| ################################################################################ | ||
| ## File: install-copilot-cli.sh | ||
| ## Desc: Install Copilot CLI (most recent 3 versions) | ||
| ## Supply chain security: Copilot CLI - checksum validation | ||
| ################################################################################ | ||
|
|
||
| # Source the helpers for use with the script | ||
| source $HELPER_SCRIPTS/install.sh | ||
| source $HELPER_SCRIPTS/os.sh | ||
|
|
||
| # Following the pattern in install-docker.sh where the core AW container images are only installed on ubuntu-latest | ||
| if is_ubuntu22; then | ||
| exit 0 | ||
| fi | ||
|
|
||
| # Number of versions to cache (current + 2 previous) | ||
| NUM_VERSIONS=3 | ||
|
|
||
| # Get the most recent stable releases (exclude pre-releases, rc, and beta) | ||
| releases=$(curl -fsSL "https://api.github.com/repos/github/copilot-cli/releases?per_page=10") | ||
| versions=$(echo "$releases" | jq -r '[.[] | select(.assets | length > 0) | select(.prerelease == false) | select(.tag_name | test(".*-[a-z]|beta") | not)] | .[:'"$NUM_VERSIONS"'] | .[].tag_name') | ||
|
|
||
|
aiqiaoy marked this conversation as resolved.
Outdated
|
||
| if [[ -z "$versions" ]]; then | ||
| echo "Error: Unable to find Copilot CLI releases." | ||
| exit 1 | ||
| fi | ||
|
|
||
| for tag in $versions; do | ||
| version="${tag#v}" | ||
| echo "Installing Copilot CLI version $version to toolcache..." | ||
|
|
||
| # Download Copilot CLI | ||
| archive_url="https://github.com/github/copilot-cli/releases/download/${tag}/copilot-linux-x64.tar.gz" | ||
| copilot_cli_archive=$(download_with_retry "$archive_url") | ||
|
|
||
| # Supply chain security - Copilot CLI | ||
| checksums_url="https://github.com/github/copilot-cli/releases/download/${tag}/SHA256SUMS.txt" | ||
| external_hash=$(get_checksum_from_url "$checksums_url" "copilot-linux-x64.tar.gz" "SHA256") | ||
| use_checksum_comparison "$copilot_cli_archive" "$external_hash" | ||
|
|
||
| # Install to toolcache | ||
| copilot_cli_toolcache_path="$AGENT_TOOLSDIRECTORY/copilot-cli/$version/x64" | ||
| mkdir -p "$copilot_cli_toolcache_path" | ||
| tar -xzf "$copilot_cli_archive" -C "$copilot_cli_toolcache_path" | ||
|
|
||
| # Mark installation complete | ||
| touch "$AGENT_TOOLSDIRECTORY/copilot-cli/$version/x64.complete" | ||
| done | ||
|
|
||
| # Symlink the latest version to /usr/local/bin | ||
| latest_version=$(echo "$versions" | head -n 1) | ||
| latest_version="${latest_version#v}" | ||
| ln -sf "$AGENT_TOOLSDIRECTORY/copilot-cli/$latest_version/x64/copilot" /usr/local/bin/copilot | ||
|
|
||
| invoke_tests "CLI.Tools" "Copilot CLI" | ||
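Review bot: the `latest_version=$(echo "$versions" | head -n 1)` line treats the first tag returned by the releases API as the newest, but that is API ordering, not version ordering; if a maintenance release for an older line is published after the newest one, /usr/local/bin/copilot would be symlinked to it. Sort the tags with `sort -V` (then `tail -n 1`) before choosing the symlink target. The checksum observation from install-awf.sh applies unchanged here: SHA256SUMS.txt is served from the same release as copilot-linux-x64.tar.gz, so `use_checksum_comparison` is a transport check, not a trust anchor.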
Given this code, do you need to update the ubuntu-22 Packer template?
Good point. Updated.
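As an added illustration of the point raised in the checksum thread on install-awf.sh (example code written for this review, not part of the PR or of the runner-images repository): a fake release directory is constructed under a temporary directory, then both the bundle and its checksums.txt are replaced, and the script shows that the same-origin comparison still passes while a hash pinned in the installer fails. It assumes `sha256sum`, `awk` and `mktemp` are available; the file names mirror the PR, but all content is constructed and nothing is fetched from the network.

```shell
#!/bin/bash
# Added example (not part of the PR): contrasts the checksum-from-the-same-release
# pattern discussed in the review thread with a hash pinned in the installer.
# All "release" content here is constructed in a temporary directory.

set -euo pipefail

# Create a fake release directory holding an artifact and its checksums.txt,
# regenerating checksums.txt the way a release pipeline (or an attacker) would.
make_release() {
  local dir="$1" content="$2"
  mkdir -p "$dir"
  printf '%s' "$content" > "$dir/awf-bundle.js"
  ( cd "$dir" && sha256sum awf-bundle.js > checksums.txt )
}

# Pattern used by the PR: the expected hash is read from the checksums.txt that
# sits next to the artifact. Returns 0 when the hashes match.
verify_same_origin() {
  local dir="$1" expected actual
  expected=$(awk '$2 == "awf-bundle.js" {print $1}' "$dir/checksums.txt")
  actual=$(sha256sum "$dir/awf-bundle.js" | awk '{print $1}')
  [ "$expected" = "$actual" ]
}

# Hardened pattern: the expected hash is pinned in the installer (recorded out of
# band when the version was reviewed), so replacing the release does not help.
verify_pinned() {
  local dir="$1" pinned="$2" actual
  actual=$(sha256sum "$dir/awf-bundle.js" | awk '{print $1}')
  [ "$pinned" = "$actual" ]
}

# Scenario: publish a genuine release, record its hash as the pin, then replace
# both the bundle and checksums.txt. Prints "same_origin=<pass|fail> pinned=<pass|fail>".
demo() {
  local work pinned same_origin pinned_result
  work=$(mktemp -d)

  make_release "$work/release" 'console.log("genuine bundle");'
  pinned=$(sha256sum "$work/release/awf-bundle.js" | awk '{print $1}')

  # Someone with write access to release assets replaces bundle *and* checksums.txt.
  make_release "$work/release" 'console.log("tampered bundle");'

  if verify_same_origin "$work/release"; then same_origin=pass; else same_origin=fail; fi
  if verify_pinned "$work/release" "$pinned"; then pinned_result=pass; else pinned_result=fail; fi

  rm -rf "$work"
  echo "same_origin=$same_origin pinned=$pinned_result"
}

demo
```

The same-origin check reports `pass` after the swap because checksums.txt was regenerated alongside the artifact; only the pinned hash, which the release server never controlled, reports `fail`. In the installer this translates to keeping `use_checksum_comparison` as a transport check and sourcing the expected value from the repository (or from a verified signature or attestation) rather than from the release being installed.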