Problem
The cli-proxy sidecar container was added in PR #1730 (Phase 1) but the release workflow does not build or publish the cli-proxy Docker image to GHCR. This means --enable-cli-proxy fails in any workflow that uses pre-built images (i.e., all production/CI usage).
Error observed
Smoke Copilot workflow in gh-aw-mcpg with features: cli-proxy: true fails at container startup:
Container awf-cli-proxy Error response from daemon: No such image: ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.14
Failed run: https://github.com/github/gh-aw-mcpg/actions/runs/24109450405/job/70340738499
Root cause
release.yml builds and pushes 3 container images — squid, agent, and api-proxy — but has no job for cli-proxy. The containers/cli-proxy/ directory and Dockerfile exist, and AWF generates the correct docker-compose config referencing ghcr.io/github/gh-aw-firewall/cli-proxy:{version}, but the image is never published.
Additionally, the gh-aw compiler's image pre-download step does not include cli-proxy in the list of images to pull when --enable-cli-proxy is active (tracked separately in gh-aw#24996).
What needs to change
1. Add cli-proxy to release.yml
Add a new job (or steps within the existing publish job) following the exact same pattern as the api-proxy image:
File: .github/workflows/release.yml
Add these steps after the API Proxy image build:
- Build and push CLI Proxy image — docker/build-push-action with:
  - context: ./containers/cli-proxy
  - Tags: ghcr.io/${{ github.repository }}/cli-proxy:{version} and ghcr.io/${{ github.repository }}/cli-proxy:latest
  - push: true
- Sign CLI Proxy image with cosign — same pattern as other images
- Generate SBOM for CLI Proxy image — anchore/sbom-action
- Attest SBOM for CLI Proxy image — actions/attest-sbom
2. Add cli-proxy to predownload logic
File: src/commands/predownload.ts
The resolveImages() function needs to include cli-proxy in the list of images to resolve/predownload when enableCliProxy is set. Check if this was already done in PR #1730 — if so, the only missing piece is the release workflow.
3. Verify Dockerfile exists
File: containers/cli-proxy/Dockerfile — should already exist from PR #1730. Confirm it builds correctly with:
docker build -t cli-proxy-test ./containers/cli-proxy
Testing
After the release workflow is updated:
- Run the Release workflow to publish all images including cli-proxy
- Verify ghcr.io/github/gh-aw-firewall/cli-proxy:{version} exists
- Re-run the failing smoke-copilot workflow in gh-aw-mcpg to confirm it passes
References
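A guard against the root cause described in this issue (a containers/<name>/Dockerfile with no build step in release.yml), written as an added example that is not part of the original issue or the project's code. The function names, the `context:` matching rule and the fixture contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not project code): report container directories that have a
# Dockerfile but are never used as a build context in the release workflow.

# Print one name per line for every containers/<name>/Dockerfile under $1
# that .github/workflows/release.yml does not reference as "context:".
unpublished_images() {
  repo=$1
  workflow="$repo/.github/workflows/release.yml"
  for dockerfile in "$repo"/containers/*/Dockerfile; do
    [ -f "$dockerfile" ] || continue
    name=$(basename "$(dirname "$dockerfile")")
    # Assumed convention: "context: ./containers/<name>", optionally quoted.
    # The end-of-line anchor keeps "cli" from matching "cli-proxy".
    if ! grep -Eq "context:[[:space:]]*[\"']?(\./)?containers/$name/?[\"']?[[:space:]]*\$" "$workflow"; then
      printf '%s\n' "$name"
    fi
  done
}

# Build a constructed repository layout that mirrors the state in the issue:
# four container directories, three of them built by release.yml.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/.github/workflows"
  for n in squid agent api-proxy cli-proxy; do
    mkdir -p "$root/containers/$n"
    : > "$root/containers/$n/Dockerfile"
  done
  for n in squid agent api-proxy; do
    printf '        with:\n          context: ./containers/%s\n          push: true\n' "$n"
  done > "$root/.github/workflows/release.yml"
  printf '%s\n' "$root"
}

# Demo on the constructed fixture.
fixture=$(make_fixture)
echo "unpublished: $(unpublished_images "$fixture")"
rm -rf "$fixture"
```

Run against a real checkout by calling `unpublished_images .` from the repository root and failing the CI job when the output is non-empty.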