diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index 87b130ddf5..a79895234c 100644 --- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml @@ -163,11 +163,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml index d432597070..5c326626fe 100644 --- a/.github/workflows/agent-persona-explorer.lock.yml +++ b/.github/workflows/agent-persona-explorer.lock.yml @@ -165,11 +165,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/ai-moderator.lock.yml b/.github/workflows/ai-moderator.lock.yml index edf423f11c..6194f7ebd3 100644 --- a/.github/workflows/ai-moderator.lock.yml +++ b/.github/workflows/ai-moderator.lock.yml 
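Review bot: Nothing in the new `run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0` step shows how the awf binary is fetched or verified, because the script it calls is not part of the visible diff. Dropping the `curl … main/install.sh | sudo … bash` pipe removes the dependency on a mutable branch, but that is only a real gain if the script downloads the pinned v0.10.0 release and checks it against a known digest before installing; please confirm, and if it does, say so in the step, e.g. `# install_awf_binary.sh: pinned release, checksum verified before install`. The removed `which awf` / `awf --version` check is presumably now inside the script as well; if it is not, keep `awf --version` as a second line so a failed install stops the job at this step. The same applies to every other `Install awf binary` hunk in this commit, and since these `.lock.yml` files appear to be generated, the change belongs in the generator's template rather than in each file.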
@@ -174,11 +174,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml index 17c9dd2c2e..33ba0a32e9 100644 --- a/.github/workflows/archie.lock.yml +++ b/.github/workflows/archie.lock.yml @@ -193,11 +193,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index ae7b0387ba..0e3bca1d0d 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml @@ -154,11 +154,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: 
diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index c6d941cb0a..78fc7d6410 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -215,11 +215,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Install Claude Code CLI run: npm install -g --silent @anthropic-ai/claude-code@2.1.12 - name: Determine automatic lockdown mode for GitHub MCP server diff --git a/.github/workflows/auto-triage-issues.lock.yml b/.github/workflows/auto-triage-issues.lock.yml index 2dc1ade912..c9b6e6ae22 100644 --- a/.github/workflows/auto-triage-issues.lock.yml +++ b/.github/workflows/auto-triage-issues.lock.yml @@ -153,11 +153,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index 82ab2a2dad..1041f337dc 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml 
@@ -146,11 +146,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Install Claude Code CLI run: npm install -g --silent @anthropic-ai/claude-code@2.1.12 - name: Determine automatic lockdown mode for GitHub MCP server diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index a144ee182d..d9533b246d 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml @@ -184,11 +184,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml index 89c512acbe..0165e1e502 100644 --- a/.github/workflows/breaking-change-checker.lock.yml +++ b/.github/workflows/breaking-change-checker.lock.yml @@ -151,11 +151,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: 
diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index 7a8478bf29..9828c2de05 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -187,11 +187,7 @@ jobs: - name: Install Codex run: npm install -g --silent @openai/codex@0.87.0 - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml index 99f71e58c1..af275339a4 100644 --- a/.github/workflows/ci-coach.lock.yml +++ b/.github/workflows/ci-coach.lock.yml @@ -207,11 +207,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index bf9b58cd60..b32c05e568 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml 
@@ -176,11 +176,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml index 48eb2132be..bd1b6ea5a4 100644 --- a/.github/workflows/cli-consistency-checker.lock.yml +++ b/.github/workflows/cli-consistency-checker.lock.yml @@ -150,11 +150,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index 4771656e11..2789d2afeb 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml 
@@ -160,11 +160,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Install Claude Code CLI run: npm install -g --silent @anthropic-ai/claude-code@2.1.12 - name: Determine automatic lockdown mode for GitHub MCP server diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index 79dc618911..818c50a273 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml @@ -242,11 +242,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Install Claude Code CLI run: npm install -g --silent @anthropic-ai/claude-code@2.1.12 - name: Determine automatic lockdown mode for GitHub MCP server diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml index 1fe5330f81..52b8d26c39 100644 --- a/.github/workflows/code-scanning-fixer.lock.yml +++ b/.github/workflows/code-scanning-fixer.lock.yml 
@@ -164,11 +164,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml index 8d079567ce..6b50b07b49 100644 --- a/.github/workflows/code-simplifier.lock.yml +++ b/.github/workflows/code-simplifier.lock.yml @@ -157,11 +157,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/codex-github-remote-mcp-test.lock.yml b/.github/workflows/codex-github-remote-mcp-test.lock.yml index 2c1bf71dde..c3b5f04a00 100644 --- a/.github/workflows/codex-github-remote-mcp-test.lock.yml +++ b/.github/workflows/codex-github-remote-mcp-test.lock.yml 
@@ -128,11 +128,7 @@ jobs: - name: Install Codex run: npm install -g --silent @openai/codex@0.87.0 - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index 319520c494..43f9473310 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml +++ b/.github/workflows/commit-changes-analyzer.lock.yml @@ -148,11 +148,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Install Claude Code CLI run: npm install -g --silent @anthropic-ai/claude-code@2.1.12 - name: Determine automatic lockdown mode for GitHub MCP server diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index 16b686f7aa..c3e823683f 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml 
@@ -178,11 +178,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Install Claude Code CLI run: npm install -g --silent @anthropic-ai/claude-code@2.1.12 - name: Determine automatic lockdown mode for GitHub MCP server diff --git a/.github/workflows/copilot-cli-deep-research.lock.yml b/.github/workflows/copilot-cli-deep-research.lock.yml index 9185388984..94e5dfb302 100644 --- a/.github/workflows/copilot-cli-deep-research.lock.yml +++ b/.github/workflows/copilot-cli-deep-research.lock.yml @@ -161,11 +161,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml index 3645672483..d0a13f2ffe 100644 --- a/.github/workflows/copilot-pr-merged-report.lock.yml +++ b/.github/workflows/copilot-pr-merged-report.lock.yml 
@@ -155,11 +155,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Download container images run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/githubnext/gh-aw-mcpg:v0.0.69 node:lts-alpine - name: Write Safe Outputs Config diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml index 476fd76057..df73d650aa 100644 --- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml +++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml @@ -215,11 +215,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index 880ab1ce21..7fec7b5dc5 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml 
@@ -186,11 +186,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index 1c85df62e2..4b69ed8f10 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml @@ -202,11 +202,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Install Claude Code CLI run: npm install -g --silent @anthropic-ai/claude-code@2.1.12 - name: Determine automatic lockdown mode for GitHub MCP server diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index 8580f855d9..5ac9a80d8e 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -185,11 +185,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: 
diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml index 2132ee95db..c323784129 100644 --- a/.github/workflows/daily-assign-issue-to-user.lock.yml +++ b/.github/workflows/daily-assign-issue-to-user.lock.yml @@ -149,11 +149,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml index d8b9d70edd..20b513fbeb 100644 --- a/.github/workflows/daily-choice-test.lock.yml +++ b/.github/workflows/daily-choice-test.lock.yml @@ -141,11 +141,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Install Claude Code CLI run: npm install -g --silent @anthropic-ai/claude-code@2.1.12 - name: Determine automatic lockdown mode for GitHub MCP server diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index ca5e34843b..a5ef860464 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml 
@@ -163,11 +163,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index e127fbedfe..c8272ffe7e 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml @@ -191,11 +191,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Install Claude Code CLI run: npm install -g --silent @anthropic-ai/claude-code@2.1.12 - name: Determine automatic lockdown mode for GitHub MCP server diff --git a/.github/workflows/daily-compiler-quality.lock.yml b/.github/workflows/daily-compiler-quality.lock.yml index 0c8827fc06..032833d7a7 100644 --- a/.github/workflows/daily-compiler-quality.lock.yml +++ b/.github/workflows/daily-compiler-quality.lock.yml 
@@ -165,11 +165,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/daily-copilot-token-report.lock.yml b/.github/workflows/daily-copilot-token-report.lock.yml index 6e87abe6de..24eee96da3 100644 --- a/.github/workflows/daily-copilot-token-report.lock.yml +++ b/.github/workflows/daily-copilot-token-report.lock.yml @@ -213,11 +213,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index 736e951858..984d383339 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml 
@@ -153,11 +153,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Install Claude Code CLI run: npm install -g --silent @anthropic-ai/claude-code@2.1.12 - name: Determine automatic lockdown mode for GitHub MCP server diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml index 1612a8002a..3c1d049ad8 100644 --- a/.github/workflows/daily-fact.lock.yml +++ b/.github/workflows/daily-fact.lock.yml @@ -133,11 +133,7 @@ jobs: - name: Install Codex run: npm install -g --silent @openai/codex@0.87.0 - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml index e793455f8a..764e30d0f3 100644 --- a/.github/workflows/daily-file-diet.lock.yml +++ b/.github/workflows/daily-file-diet.lock.yml 
@@ -157,11 +157,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index e21b60493f..12d22e554c 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml @@ -218,11 +218,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index 5afc61ce58..54365f5be5 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml 
@@ -197,11 +197,7 @@ jobs: - name: Install Codex run: npm install -g --silent @openai/codex@0.87.0 - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/daily-malicious-code-scan.lock.yml b/.github/workflows/daily-malicious-code-scan.lock.yml index 5da743a206..226393ce1b 100644 --- a/.github/workflows/daily-malicious-code-scan.lock.yml +++ b/.github/workflows/daily-malicious-code-scan.lock.yml @@ -150,11 +150,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml index 434b289f6f..f9d633cc9a 100644 --- a/.github/workflows/daily-multi-device-docs-tester.lock.yml +++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml 
@@ -151,11 +151,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Install Claude Code CLI run: npm install -g --silent @anthropic-ai/claude-code@2.1.12 - name: Determine automatic lockdown mode for GitHub MCP server diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index 3e4a6ef27d..d54d8d8475 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml @@ -270,11 +270,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index 2cb0d2b698..8d27c2d14e 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml 
@@ -152,11 +152,7 @@ jobs: - name: Install Codex run: npm install -g --silent @openai/codex@0.87.0 - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml index 44eb3f2e52..a395e84a4b 100644 --- a/.github/workflows/daily-performance-summary.lock.yml +++ b/.github/workflows/daily-performance-summary.lock.yml @@ -187,11 +187,7 @@ jobs: - name: Install Codex run: npm install -g --silent @openai/codex@0.87.0 - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/daily-regulatory.lock.yml b/.github/workflows/daily-regulatory.lock.yml index b694321f1a..0538dd8c0c 100644 --- a/.github/workflows/daily-regulatory.lock.yml +++ b/.github/workflows/daily-regulatory.lock.yml 
@@ -157,11 +157,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index 7076d55ec7..6ec883ca85 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml @@ -190,11 +190,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml index 6cdbfec603..8fad68c72c 100644 --- a/.github/workflows/daily-safe-output-optimizer.lock.yml +++ b/.github/workflows/daily-safe-output-optimizer.lock.yml 
@@ -185,11 +185,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Install Claude Code CLI run: npm install -g --silent @anthropic-ai/claude-code@2.1.12 - name: Determine automatic lockdown mode for GitHub MCP server diff --git a/.github/workflows/daily-secrets-analysis.lock.yml b/.github/workflows/daily-secrets-analysis.lock.yml index 8aba0dc741..318cf9582b 100644 --- a/.github/workflows/daily-secrets-analysis.lock.yml +++ b/.github/workflows/daily-secrets-analysis.lock.yml @@ -155,11 +155,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml index b6be88b0af..a9d1063908 100644 --- a/.github/workflows/daily-team-status.lock.yml +++ b/.github/workflows/daily-team-status.lock.yml 
@@ -163,11 +163,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/daily-testify-uber-super-expert.lock.yml b/.github/workflows/daily-testify-uber-super-expert.lock.yml index 99bfeffc4d..57296eab52 100644 --- a/.github/workflows/daily-testify-uber-super-expert.lock.yml +++ b/.github/workflows/daily-testify-uber-super-expert.lock.yml @@ -167,11 +167,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml index 390ea20d82..7f87064179 100644 --- a/.github/workflows/daily-workflow-updater.lock.yml +++ b/.github/workflows/daily-workflow-updater.lock.yml 
@@ -150,11 +150,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index a55a663742..721c95b991 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml @@ -197,11 +197,7 @@ jobs: - name: Install Codex run: npm install -g --silent @openai/codex@0.87.0 - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/delight.lock.yml b/.github/workflows/delight.lock.yml index caa14cd03d..3651213c3a 100644 --- a/.github/workflows/delight.lock.yml +++ b/.github/workflows/delight.lock.yml @@ -168,11 +168,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: 
diff --git a/.github/workflows/dependabot-go-checker.lock.yml b/.github/workflows/dependabot-go-checker.lock.yml index 31a57ad921..d341334e64 100644 --- a/.github/workflows/dependabot-go-checker.lock.yml +++ b/.github/workflows/dependabot-go-checker.lock.yml @@ -151,11 +151,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index c714fd67e3..cdbe2ac092 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -180,11 +180,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml index ac2943c323..6ebdc1ad32 100644 --- a/.github/workflows/developer-docs-consolidator.lock.yml +++ b/.github/workflows/developer-docs-consolidator.lock.yml 
@@ -159,11 +159,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Install Claude Code CLI run: npm install -g --silent @anthropic-ai/claude-code@2.1.12 - name: Determine automatic lockdown mode for GitHub MCP server diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index d1038bcd4b..6de33bf8a2 100644 --- a/.github/workflows/dictation-prompt.lock.yml +++ b/.github/workflows/dictation-prompt.lock.yml @@ -153,11 +153,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml index bdd11200d6..8af784b088 100644 --- a/.github/workflows/discussion-task-miner.lock.yml +++ b/.github/workflows/discussion-task-miner.lock.yml 
@@ -168,11 +168,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml index e3980a91c2..4b18ed6d77 100644 --- a/.github/workflows/docs-noob-tester.lock.yml +++ b/.github/workflows/docs-noob-tester.lock.yml @@ -154,11 +154,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index 8a11cd6d1a..8cc3467384 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml 
@@ -144,11 +144,7 @@ jobs: - name: Install Codex run: npm install -g --silent @openai/codex@0.87.0 - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/example-custom-error-patterns.lock.yml b/.github/workflows/example-custom-error-patterns.lock.yml index b34edc33c8..aaa3c7fe4f 100644 --- a/.github/workflows/example-custom-error-patterns.lock.yml +++ b/.github/workflows/example-custom-error-patterns.lock.yml @@ -136,11 +136,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/example-permissions-warning.lock.yml b/.github/workflows/example-permissions-warning.lock.yml index 3912703c5a..a05453125c 100644 --- a/.github/workflows/example-permissions-warning.lock.yml +++ b/.github/workflows/example-permissions-warning.lock.yml 
@@ -135,11 +135,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index 9bd916efc2..588ec80239 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml @@ -147,11 +147,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Install Claude Code CLI run: npm install -g --silent @anthropic-ai/claude-code@2.1.12 - name: Determine automatic lockdown mode for GitHub MCP server diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml index 7ac830ecbe..1634a66b57 100644 --- a/.github/workflows/firewall-escape.lock.yml +++ b/.github/workflows/firewall-escape.lock.yml 
@@ -180,11 +180,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/firewall.lock.yml b/.github/workflows/firewall.lock.yml index e96c08f3dd..2710e6f0ef 100644 --- a/.github/workflows/firewall.lock.yml +++ b/.github/workflows/firewall.lock.yml @@ -135,11 +135,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml index dd7fcddbf9..140d1e0d49 100644 --- a/.github/workflows/github-mcp-structural-analysis.lock.yml +++ b/.github/workflows/github-mcp-structural-analysis.lock.yml 
@@ -183,11 +183,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Install Claude Code CLI run: npm install -g --silent @anthropic-ai/claude-code@2.1.12 - name: Determine automatic lockdown mode for GitHub MCP server diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index 65f7ffde82..8f3c53714b 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -160,11 +160,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Install Claude Code CLI run: npm install -g --silent @anthropic-ai/claude-code@2.1.12 - name: Determine automatic lockdown mode for GitHub MCP server diff --git a/.github/workflows/github-remote-mcp-auth-test.lock.yml b/.github/workflows/github-remote-mcp-auth-test.lock.yml index a9b7c23e44..75555a2dc5 100644 --- a/.github/workflows/github-remote-mcp-auth-test.lock.yml +++ b/.github/workflows/github-remote-mcp-auth-test.lock.yml 
@@ -150,11 +150,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml index d1f3a801d0..e4e7f234bb 100644 --- a/.github/workflows/glossary-maintainer.lock.yml +++ b/.github/workflows/glossary-maintainer.lock.yml @@ -166,11 +166,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml index dfde1cb7dc..15c7a64eba 100644 --- a/.github/workflows/go-fan.lock.yml +++ b/.github/workflows/go-fan.lock.yml @@ -157,11 +157,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Install Claude Code CLI run: npm install -g --silent @anthropic-ai/claude-code@2.1.12 - name: Determine automatic lockdown mode for GitHub MCP server 
diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index 39ffdc02cd..6d2eaeaa98 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -169,11 +169,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Install Claude Code CLI run: npm install -g --silent @anthropic-ai/claude-code@2.1.12 - name: Determine automatic lockdown mode for GitHub MCP server diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml index bad3ece735..bbee9732c3 100644 --- a/.github/workflows/go-pattern-detector.lock.yml +++ b/.github/workflows/go-pattern-detector.lock.yml @@ -148,11 +148,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Install Claude Code CLI run: npm install -g --silent @anthropic-ai/claude-code@2.1.12 - name: Determine automatic lockdown mode for GitHub MCP server diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml index a09e6f350d..85f14397cd 100644 --- a/.github/workflows/grumpy-reviewer.lock.yml +++ b/.github/workflows/grumpy-reviewer.lock.yml 
@@ -195,11 +195,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml index ec65d3498a..6fdc722459 100644 --- a/.github/workflows/hourly-ci-cleaner.lock.yml +++ b/.github/workflows/hourly-ci-cleaner.lock.yml @@ -179,11 +179,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index 49c57bc883..b9de831825 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml 
@@ -153,11 +153,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Install Claude Code CLI run: npm install -g --silent @anthropic-ai/claude-code@2.1.12 - name: Determine automatic lockdown mode for GitHub MCP server diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index ac06ff71c5..61fccc51b5 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -155,11 +155,7 @@ jobs: - name: Install Codex run: npm install -g --silent @openai/codex@0.87.0 - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index 9248f123d7..1b90f59d46 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml 
@@ -160,11 +160,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml index 2ffa0f07eb..a3958f7ac6 100644 --- a/.github/workflows/issue-triage-agent.lock.yml +++ b/.github/workflows/issue-triage-agent.lock.yml @@ -130,11 +130,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml index ff94649f17..c68daa05b6 100644 --- a/.github/workflows/jsweep.lock.yml +++ b/.github/workflows/jsweep.lock.yml @@ -171,11 +171,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: 
diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml index 0b125c158b..26fe690e32 100644 --- a/.github/workflows/layout-spec-maintainer.lock.yml +++ b/.github/workflows/layout-spec-maintainer.lock.yml @@ -158,11 +158,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index 3d7da5b684..ea9df3422c 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml @@ -157,11 +157,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Install Claude Code CLI run: npm install -g --silent @anthropic-ai/claude-code@2.1.12 - name: Determine automatic lockdown mode for GitHub MCP server diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index 2d654b407c..152f0e0cce 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml 
@@ -210,11 +210,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index 6a3e98d062..b55774c193 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -172,11 +172,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/metrics-collector.lock.yml b/.github/workflows/metrics-collector.lock.yml index cbee442984..3362752824 100644 --- a/.github/workflows/metrics-collector.lock.yml +++ b/.github/workflows/metrics-collector.lock.yml @@ -151,11 +151,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: 
diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml index a2e96a5c7a..2abed6952e 100644 --- a/.github/workflows/notion-issue-summary.lock.yml +++ b/.github/workflows/notion-issue-summary.lock.yml @@ -156,11 +156,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index 61bbc4ce0f..ab714435a6 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml @@ -194,11 +194,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Download container images run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.28.1 ghcr.io/githubnext/gh-aw-mcpg:v0.0.69 node:lts-alpine - name: Write Safe Outputs Config diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index a3e46d9188..0c5b0b75fe 100644 --- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml 
@@ -220,11 +220,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index e9551d4c36..47cd38228e 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -184,11 +184,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index b72ecc539e..a02b8bd2cd 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -199,11 +199,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: 
diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml index c86a23b2e6..3d76347cda 100644 --- a/.github/workflows/portfolio-analyst.lock.yml +++ b/.github/workflows/portfolio-analyst.lock.yml @@ -216,11 +216,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml index 6c1d67d8b3..5b033a5a5f 100644 --- a/.github/workflows/pr-nitpick-reviewer.lock.yml +++ b/.github/workflows/pr-nitpick-reviewer.lock.yml @@ -213,11 +213,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index acbdfccb1c..79c60fc0fb 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml 
@@ -230,11 +230,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Install Claude Code CLI run: npm install -g --silent @anthropic-ai/claude-code@2.1.12 - name: Determine automatic lockdown mode for GitHub MCP server diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index 3d25c7be92..f12cfd5d81 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml @@ -188,11 +188,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index 05fb97f50d..d50c1c4121 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -241,11 +241,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: 
diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index bcd4df67b5..8fe0430b8f 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml @@ -169,11 +169,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/repo-audit-analyzer.lock.yml b/.github/workflows/repo-audit-analyzer.lock.yml index 5ea4ecae5b..d58b00d135 100644 --- a/.github/workflows/repo-audit-analyzer.lock.yml +++ b/.github/workflows/repo-audit-analyzer.lock.yml @@ -171,11 +171,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml index 49a5505775..62ad0a0a1d 100644 --- a/.github/workflows/repo-tree-map.lock.yml +++ b/.github/workflows/repo-tree-map.lock.yml 
@@ -154,11 +154,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml index 7a59bc1026..efad694a03 100644 --- a/.github/workflows/repository-quality-improver.lock.yml +++ b/.github/workflows/repository-quality-improver.lock.yml @@ -167,11 +167,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml index 96eb95eb7f..b4728cd75f 100644 --- a/.github/workflows/research.lock.yml +++ b/.github/workflows/research.lock.yml @@ -157,11 +157,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: 
diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index d393608ac9..4c462a0678 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml @@ -182,11 +182,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Install Claude Code CLI run: npm install -g --silent @anthropic-ai/claude-code@2.1.12 - name: Determine automatic lockdown mode for GitHub MCP server diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index f7e58df847..2a32f6c543 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml @@ -160,11 +160,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Install Claude Code CLI run: npm install -g --silent @anthropic-ai/claude-code@2.1.12 - name: Determine automatic lockdown mode for GitHub MCP server diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index 50402b9e41..1df42383c4 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml 
@@ -240,11 +240,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Install Claude Code CLI run: npm install -g --silent @anthropic-ai/claude-code@2.1.12 - name: Determine automatic lockdown mode for GitHub MCP server diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml index 4fcd4a22b6..207567a6d6 100644 --- a/.github/workflows/security-compliance.lock.yml +++ b/.github/workflows/security-compliance.lock.yml @@ -165,11 +165,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/security-fix-pr.lock.yml b/.github/workflows/security-fix-pr.lock.yml index 9b12588f9c..f01280da0f 100644 --- a/.github/workflows/security-fix-pr.lock.yml +++ b/.github/workflows/security-fix-pr.lock.yml 
@@ -169,11 +169,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index 21b805f62a..0a58d31e72 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml @@ -199,11 +199,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index 4ae72e4735..57e0623284 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml 
@@ -146,11 +146,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Install Claude Code CLI run: npm install -g --silent @anthropic-ai/claude-code@2.1.12 - name: Determine automatic lockdown mode for GitHub MCP server diff --git a/.github/workflows/sergo.lock.yml b/.github/workflows/sergo.lock.yml index c001a69a45..77c83d3fc5 100644 --- a/.github/workflows/sergo.lock.yml +++ b/.github/workflows/sergo.lock.yml @@ -158,11 +158,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Install Claude Code CLI run: npm install -g --silent @anthropic-ai/claude-code@2.1.12 - name: Determine automatic lockdown mode for GitHub MCP server diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml index c018efaf44..d7dab476d9 100644 --- a/.github/workflows/slide-deck-maintainer.lock.yml +++ b/.github/workflows/slide-deck-maintainer.lock.yml 
@@ -179,11 +179,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 873a401a94..989bc0caf0 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -183,11 +183,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Install Claude Code CLI run: npm install -g --silent @anthropic-ai/claude-code@2.1.12 - name: Determine automatic lockdown mode for GitHub MCP server diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 6efc8524a1..f56d7cf8ba 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml 
@@ -184,11 +184,7 @@ jobs: - name: Install Codex run: npm install -g --silent @openai/codex@0.87.0 - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index 636f0d5bd8..6a0e8d94c4 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -186,11 +186,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index ff354f48f0..c2c848142e 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml 
@@ -236,11 +236,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Download container images run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.28.1 ghcr.io/githubnext/gh-aw-mcpg:v0.0.69 node:lts-alpine - name: Write Safe Outputs Config diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index 31ccb7a3fb..5edc690a53 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -181,11 +181,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Install Claude Code CLI run: npm install -g --silent @anthropic-ai/claude-code@2.1.12 - name: Determine automatic lockdown mode for GitHub MCP server diff --git a/.github/workflows/step-name-alignment.lock.yml b/.github/workflows/step-name-alignment.lock.yml index e446eeefcb..39d5d16c7c 100644 --- a/.github/workflows/step-name-alignment.lock.yml +++ b/.github/workflows/step-name-alignment.lock.yml 
@@ -153,11 +153,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Install Claude Code CLI run: npm install -g --silent @anthropic-ai/claude-code@2.1.12 - name: Determine automatic lockdown mode for GitHub MCP server diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml index 597c860b0d..46b35ca96e 100644 --- a/.github/workflows/sub-issue-closer.lock.yml +++ b/.github/workflows/sub-issue-closer.lock.yml @@ -149,11 +149,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml index 0572c1fedf..835d2bd0fd 100644 --- a/.github/workflows/super-linter.lock.yml +++ b/.github/workflows/super-linter.lock.yml @@ -173,11 +173,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: 
diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index f7186a046b..414c682122 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -185,11 +185,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/terminal-stylist.lock.yml b/.github/workflows/terminal-stylist.lock.yml index 0d46e1ca40..87ced7ef96 100644 --- a/.github/workflows/terminal-stylist.lock.yml +++ b/.github/workflows/terminal-stylist.lock.yml @@ -148,11 +148,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index 33972296ea..30db95f64c 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml 
@@ -195,11 +195,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/typist.lock.yml b/.github/workflows/typist.lock.yml index f7b647415e..dfb0f04ba1 100644 --- a/.github/workflows/typist.lock.yml +++ b/.github/workflows/typist.lock.yml @@ -145,11 +145,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Install Claude Code CLI run: npm install -g --silent @anthropic-ai/claude-code@2.1.12 - name: Determine automatic lockdown mode for GitHub MCP server diff --git a/.github/workflows/ubuntu-image-analyzer.lock.yml b/.github/workflows/ubuntu-image-analyzer.lock.yml index 0e49acc851..2b92656da5 100644 --- a/.github/workflows/ubuntu-image-analyzer.lock.yml +++ b/.github/workflows/ubuntu-image-analyzer.lock.yml @@ -154,11 +154,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: 
diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index f73b00b257..b68c14f8bf 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -198,11 +198,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Install Claude Code CLI run: npm install -g --silent @anthropic-ai/claude-code@2.1.12 - name: Determine automatic lockdown mode for GitHub MCP server diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index 2df4fb6d48..72db8055c5 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml @@ -164,11 +164,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index e33c7b501c..06c5d1f96c 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml 
@@ -171,11 +171,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index 6b3c546ba1..c2dc9d81df 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml @@ -178,11 +178,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index be29cc3dba..558f660096 100644 --- a/.github/workflows/workflow-health-manager.lock.yml +++ b/.github/workflows/workflow-health-manager.lock.yml @@ -162,11 +162,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: 
diff --git a/.github/workflows/workflow-normalizer.lock.yml b/.github/workflows/workflow-normalizer.lock.yml index 3f33fe4e66..88cef1a851 100644 --- a/.github/workflows/workflow-normalizer.lock.yml +++ b/.github/workflows/workflow-normalizer.lock.yml @@ -172,11 +172,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/.github/workflows/workflow-skill-extractor.lock.yml b/.github/workflows/workflow-skill-extractor.lock.yml index 0f54ff6bec..efd6b0c037 100644 --- a/.github/workflows/workflow-skill-extractor.lock.yml +++ b/.github/workflows/workflow-skill-extractor.lock.yml @@ -155,11 +155,7 @@ jobs: # Verify installation copilot --version - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: diff --git a/actions/setup/sh/install_awf_binary.sh b/actions/setup/sh/install_awf_binary.sh new file mode 100755 index 0000000000..555f94f48b --- /dev/null +++ b/actions/setup/sh/install_awf_binary.sh 
@@ -0,0 +1,80 @@
+#!/usr/bin/env bash
+# Install AWF (Agentic Workflow Firewall) binary with SHA256 checksum verification
+# Usage: install_awf_binary.sh VERSION
+#
+# This script downloads the AWF binary directly from GitHub releases and verifies
+# its SHA256 checksum before installation to protect against supply chain attacks.
+#
+# Arguments:
+# VERSION - AWF version to install (e.g., v0.10.0)
+#
+# Security features:
+# - Downloads binary directly from GitHub releases
+# - Verifies SHA256 checksum against official checksums.txt
+# - Fails fast if checksum verification fails
+# - Eliminates trust dependency on installer scripts
+
+set -euo pipefail
+
+# Configuration
+AWF_VERSION="${1:-}"
+AWF_REPO="githubnext/gh-aw-firewall"
+AWF_BINARY="awf-linux-x64"
+AWF_INSTALL_DIR="/usr/local/bin"
+AWF_INSTALL_NAME="awf"
+
+if [ -z "$AWF_VERSION" ]; then
+ echo "ERROR: AWF version is required"
+ echo "Usage: $0 VERSION"
+ exit 1
+fi
+
+echo "Installing awf binary with checksum verification (version: ${AWF_VERSION})"
+
+# Download URLs
+BASE_URL="https://github.com/${AWF_REPO}/releases/download/${AWF_VERSION}"
+BINARY_URL="${BASE_URL}/${AWF_BINARY}"
+CHECKSUMS_URL="${BASE_URL}/checksums.txt"
+
+# Create temp directory
+TEMP_DIR=$(mktemp -d)
+trap 'rm -rf "$TEMP_DIR"' EXIT
+
+# Download binary and checksums
+echo "Downloading binary from ${BINARY_URL}..."
+curl -fsSL -o "${TEMP_DIR}/${AWF_BINARY}" "${BINARY_URL}"
+
+echo "Downloading checksums from ${CHECKSUMS_URL}..."
+curl -fsSL -o "${TEMP_DIR}/checksums.txt" "${CHECKSUMS_URL}"
+
+# Verify checksum
+echo "Verifying SHA256 checksum..."
+cd "${TEMP_DIR}"
+EXPECTED_CHECKSUM=$(awk -v fname="${AWF_BINARY}" '$2 == fname {print $1; exit}' checksums.txt | tr 'A-F' 'a-f')
+
+if [ -z "$EXPECTED_CHECKSUM" ]; then
+ echo "ERROR: Could not find checksum for ${AWF_BINARY} in checksums.txt"
+ exit 1
+fi
+
+ACTUAL_CHECKSUM=$(sha256sum "${AWF_BINARY}" | awk '{print $1}' | tr 'A-F' 'a-f')
+
+if [ "$EXPECTED_CHECKSUM" != "$ACTUAL_CHECKSUM" ]; then
+ echo "ERROR: Checksum verification failed!"
+ echo " Expected: $EXPECTED_CHECKSUM"
+ echo " Got: $ACTUAL_CHECKSUM"
+ echo " The downloaded file may be corrupted or tampered with"
+ exit 1
+fi
+
+echo "✓ Checksum verification passed"
+
+# Make binary executable and install
+chmod +x "${AWF_BINARY}"
+sudo mv "${AWF_BINARY}" "${AWF_INSTALL_DIR}/${AWF_INSTALL_NAME}"
+
+# Verify installation
+which awf
+awf --version
+
+echo "✓ AWF installation complete"
diff --git a/pkg/workflow/copilot_engine_installation.go b/pkg/workflow/copilot_engine_installation.go
index 9b4bf360bc..85654ca6dc 100644
--- a/pkg/workflow/copilot_engine_installation.go
+++ b/pkg/workflow/copilot_engine_installation.go
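Review bot: The checksum step compares the binary against a checksums.txt fetched from the same release URL (`${BASE_URL}/checksums.txt`), so it detects a corrupted or truncated download but not a replaced release asset, because whoever can swap the binary can swap the checksum file as well. The header line "protect against supply chain attacks", and the matching wording in the doc comment on generateAWFInstallationStep, overstate what is verified. Consider pinning the expected digest in this repository next to the version (or verifying a signature, if the release publishes one) and comparing against that; at minimum reword the header, e.g. `# - Verifies SHA256 against the release's checksums.txt (detects corrupted downloads, not a compromised release)`. Separately, `sudo mv` keeps the temp file's ownership, so the installed binary stays owned by the invoking user; `sudo install -m 0755 -o root -g root "${AWF_BINARY}" "${AWF_INSTALL_DIR}/${AWF_INSTALL_NAME}"` would avoid that.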
@@ -144,7 +144,17 @@ func (e *CopilotEngine) GetInstallationSteps(workflowData *WorkflowData) []GitHu return steps } -// generateAWFInstallationStep creates a GitHub Actions step to install the AWF binary. +// generateAWFInstallationStep creates a GitHub Actions step to install the AWF binary +// with SHA256 checksum verification to protect against supply chain attacks. +// +// The installation logic is implemented in a separate shell script (install_awf_binary.sh) +// which downloads the binary directly from GitHub releases, verifies its checksum against +// the official checksums.txt file, and installs it. This approach: +// - Eliminates trust in the installer script itself +// - Provides full transparency of the installation process +// - Protects against tampered or compromised installer scripts +// - Verifies the binary integrity before execution +// // If a custom command is specified in the agent config, the installation is skipped // as the custom command replaces the AWF binary. func generateAWFInstallationStep(version string, agentConfig *AgentSandboxConfig) GitHubActionStep { @@ -162,11 +172,7 @@ func generateAWFInstallationStep(version string, agentConfig *AgentSandboxConfig stepLines := []string{ " - name: Install awf binary", - " run: |", - fmt.Sprintf(" echo \"Installing awf via installer script (requested version: %s)\"", version), - fmt.Sprintf(" curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=%s bash", version), - " which awf", - " awf --version", + fmt.Sprintf(" run: bash /opt/gh-aw/actions/install_awf_binary.sh %s", version), } return GitHubActionStep(stepLines) diff --git a/pkg/workflow/firewall_version_pinning_test.go b/pkg/workflow/firewall_version_pinning_test.go index cec7f0cb31..0a8fc758c4 100644 --- a/pkg/workflow/firewall_version_pinning_test.go +++ b/pkg/workflow/firewall_version_pinning_test.go 
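Review bot: `version` is formatted unquoted into the `run:` line in generateAWFInstallationStep, so any whitespace or shell metacharacter in it becomes part of the command executed on the runner. Where the value originates is not visible in this hunk; if it can come from workflow frontmatter, validate it before emitting the step (for example accept only `[A-Za-z0-9._-]`) and have install_awf_binary.sh reject the same inputs, since it also places `${AWF_VERSION}` in the download URL. The step now also assumes `/opt/gh-aw/actions/install_awf_binary.sh` is already present on the runner; a one-line comment naming the step that puts it there would help the next reader. The function body starts above this hunk.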
@@ -14,14 +14,25 @@ func TestAWFInstallationStepDefaultVersion(t *testing.T) { stepStr := strings.Join(step, "\n") expectedVersion := string(constants.DefaultFirewallVersion) - expectedInstaller := "curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=" + expectedVersion + " bash" - if !strings.Contains(stepStr, expectedInstaller) { - t.Errorf("Expected installer one-liner: %s", expectedInstaller) + // Verify version is passed to the installation script + if !strings.Contains(stepStr, expectedVersion) { + t.Errorf("Expected to pass version %s to installation script, but it was not found", expectedVersion) } - if !strings.Contains(stepStr, expectedVersion) { - t.Errorf("Expected to log requested version %s in installation step, but it was not found", expectedVersion) + // Verify it calls the install_awf_binary.sh script + if !strings.Contains(stepStr, "install_awf_binary.sh") { + t.Error("Expected to call install_awf_binary.sh script") + } + + // Verify it uses the script from /opt/gh-aw/actions/ + if !strings.Contains(stepStr, "/opt/gh-aw/actions/install_awf_binary.sh") { + t.Error("Expected to call script from /opt/gh-aw/actions/ directory") + } + + // Ensure it's NOT using inline bash or the old unverified installer script + if strings.Contains(stepStr, "raw.githubusercontent.com") { + t.Error("Should NOT download installer script from raw.githubusercontent.com") } }) 
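Review bot: The new assertions in TestAWFInstallationStepDefaultVersion are loose substring checks: the version check passes if the version string appears anywhere in the step, and the `install_awf_binary.sh` check is subsumed by the full-path check right below it. Asserting the emitted line once is tighter: `if !strings.Contains(stepStr, "run: bash /opt/gh-aw/actions/install_awf_binary.sh "+expectedVersion) {`. The same applies to the custom-version subtest and to both subtests of TestCopilotEngineFirewallInstallation, which check only the bare script name and never its path.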
@@ -30,14 +41,19 @@ func TestAWFInstallationStepDefaultVersion(t *testing.T) { step := generateAWFInstallationStep(customVersion, nil) stepStr := strings.Join(step, "\n") - expectedInstaller := "curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=" + customVersion + " bash" - + // Verify custom version is passed to the script if !strings.Contains(stepStr, customVersion) { - t.Errorf("Expected to log custom version %s in installation step", customVersion) + t.Errorf("Expected to pass custom version %s to installation script", customVersion) + } + + // Verify it calls the install_awf_binary.sh script + if !strings.Contains(stepStr, "install_awf_binary.sh") { + t.Error("Expected to call install_awf_binary.sh script") } - if !strings.Contains(stepStr, expectedInstaller) { - t.Errorf("Expected installer one-liner: %s", expectedInstaller) + // Ensure it's NOT using the old unverified installer pattern + if strings.Contains(stepStr, "raw.githubusercontent.com") { + t.Error("Should NOT download installer script from raw.githubusercontent.com") } }) } 
@@ -76,12 +92,17 @@ func TestCopilotEngineFirewallInstallation(t *testing.T) { t.Fatal("Expected to find AWF installation step when firewall is enabled") } - // Verify it logs the default version and uses installer script + // Verify it passes the default version to the script if !strings.Contains(awfStepStr, string(constants.DefaultFirewallVersion)) { - t.Errorf("AWF installation step should reference default version %s", string(constants.DefaultFirewallVersion)) + t.Errorf("AWF installation step should pass default version %s to script", string(constants.DefaultFirewallVersion)) } - if !strings.Contains(awfStepStr, "raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh") { - t.Error("AWF installation should use the installer script") + // Verify it calls the install_awf_binary.sh script + if !strings.Contains(awfStepStr, "install_awf_binary.sh") { + t.Error("AWF installation should call install_awf_binary.sh script") + } + // Verify it's NOT using the old unverified installer script pattern + if strings.Contains(awfStepStr, "raw.githubusercontent.com") { + t.Error("AWF installation should NOT download from raw.githubusercontent.com") } }) 
@@ -119,13 +140,19 @@ func TestCopilotEngineFirewallInstallation(t *testing.T) { t.Fatal("Expected to find AWF installation step when firewall is enabled") } - // Verify it logs the custom version + // Verify it passes the custom version to the script if !strings.Contains(awfStepStr, customVersion) { - t.Errorf("AWF installation step should use custom version %s", customVersion) + t.Errorf("AWF installation step should pass custom version %s to script", customVersion) + } + + // Verify it calls the install_awf_binary.sh script + if !strings.Contains(awfStepStr, "install_awf_binary.sh") { + t.Error("AWF installation should call install_awf_binary.sh script") } - if !strings.Contains(awfStepStr, "raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh") { - t.Error("AWF installation should use the installer script") + // Verify it's NOT using the old unverified installer script pattern + if strings.Contains(awfStepStr, "raw.githubusercontent.com") { + t.Error("AWF installation should NOT download from raw.githubusercontent.com") } })