From e9ac25dfdabd7d06b3f9a548b1d5ce212fe7dbc9 Mon Sep 17 00:00:00 2001 From: James Devine Date: Sat, 7 Mar 2026 22:29:46 +0000 Subject: [PATCH 1/4] feat: migrate AWF download to GitHub Releases and align checksum model Replace the legacy DownloadPipelineArtifact@2 task (pipeline 2450, project 4x4) for the AWF binary with a curl-based download from GitHub Releases at github.com/github/gh-aw-firewall. Add a pinned AWF_VERSION constant in common.rs with a {{ firewall_version }} template marker. Also migrate the ado-aw compiler checksum verification from per-binary .sha256 files to checksums.txt with --ignore-missing, matching the gh-aw-firewall publishing convention. Both standalone and 1ES templates are updated. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- src/compile/common.rs | 5 +++ src/compile/onees.rs | 3 +- src/compile/standalone.rs | 3 +- templates/1es-base.yml | 18 ++++----- templates/base.yml | 82 ++++++++++++++++++++------------------- 5 files changed, 61 insertions(+), 50 deletions(-) diff --git a/src/compile/common.rs b/src/compile/common.rs index 137775a..8f31404 100644 --- a/src/compile/common.rs +++ b/src/compile/common.rs @@ -455,6 +455,11 @@ pub fn sanitize_filename(name: &str) -> String { /// Default pool name pub const DEFAULT_POOL: &str = "AZS-1ES-L-MMS-ubuntu-22.04"; +/// Version of the AWF (Agentic Workflow Firewall) binary to download from GitHub Releases. +/// Update this when upgrading to a new AWF release. +/// See: https://github.com/github/gh-aw-firewall/releases +pub const AWF_VERSION: &str = "0.23.1"; + /// Generate source path for the execute command. /// /// Returns a path using `{{ workspace }}` as the base, which gets resolved diff --git a/src/compile/onees.rs b/src/compile/onees.rs index 01e7693..6601aed 100644 --- a/src/compile/onees.rs +++ b/src/compile/onees.rs 
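Review bot: Pinning `AWF_VERSION` in common.rs fixes which release tag the templates fetch, but not which bytes: the templates verify `awf-linux-x64` against a `checksums.txt` served from the same release, so whoever can replace the binary on the release page can replace the checksum file with it, and the pin gives integrity against a corrupted transfer only, not authenticity. Consider pinning the expected digest next to the version, e.g. `pub const AWF_SHA256: &str = "<sha256 of awf-linux-x64 from the v0.23.1 release>";`, and having the template compare the downloaded file against that constant so the trust anchor lives in this repository rather than on the download server. The doc comment should then state that both constants must be updated together on every upgrade. The digest value has to be taken from the published release assets; it is not visible here.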
@@ -17,7 +17,7 @@ use std::path::Path; use super::Compiler; use super::common::{ - self, DEFAULT_POOL, compute_effective_workspace, generate_copilot_params, + self, AWF_VERSION, DEFAULT_POOL, compute_effective_workspace, generate_copilot_params, generate_checkout_self, generate_checkout_steps, generate_ci_trigger, generate_pipeline_path, generate_pipeline_resources, generate_pr_trigger, generate_repositories, generate_schedule, generate_source_path, @@ -117,6 +117,7 @@ displayName: "Finalize""#, let compiler_version = env!("CARGO_PKG_VERSION"); let replacements: Vec<(&str, &str)> = vec![ ("{{ compiler_version }}", compiler_version), + ("{{ firewall_version }}", AWF_VERSION), ("{{ pool }}", &pool), ("{{ schedule }}", &schedule), ("{{ pr_trigger }}", &pr_trigger), diff --git a/src/compile/standalone.rs b/src/compile/standalone.rs index 275325b..21dec18 100644 --- a/src/compile/standalone.rs +++ b/src/compile/standalone.rs @@ -14,7 +14,7 @@ use std::path::Path; use super::Compiler; use super::common::{ - self, DEFAULT_POOL, compute_effective_workspace, generate_copilot_params, + self, AWF_VERSION, DEFAULT_POOL, compute_effective_workspace, generate_copilot_params, generate_cancel_previous_builds, generate_checkout_self, generate_checkout_steps, generate_ci_trigger, generate_pipeline_path, generate_pipeline_resources, generate_pr_trigger, generate_repositories, generate_schedule, generate_source_path, generate_working_directory, @@ -123,6 +123,7 @@ impl Compiler for StandaloneCompiler { let compiler_version = env!("CARGO_PKG_VERSION"); let replacements: Vec<(&str, &str)> = vec![ ("{{ compiler_version }}", compiler_version), + ("{{ firewall_version }}", AWF_VERSION), ("{{ pool }}", &pool), ("{{ setup_job }}", &setup_job), ("{{ teardown_job }}", &teardown_job), diff --git a/templates/1es-base.yml b/templates/1es-base.yml index 2034b7e..3114e21 100644 --- a/templates/1es-base.yml +++ b/templates/1es-base.yml 
@@ -58,16 +58,16 @@ extends: COMPILER_VERSION="{{ compiler_version }}" DOWNLOAD_DIR="$(Pipeline.Workspace)/agentic-pipeline-compiler" DOWNLOAD_URL="https://github.com/githubnext/ado-aw/releases/download/v${COMPILER_VERSION}/ado-aw-linux-x64" - CHECKSUM_URL="${DOWNLOAD_URL}.sha256" + CHECKSUM_URL="https://github.com/githubnext/ado-aw/releases/download/v${COMPILER_VERSION}/checksums.txt" mkdir -p "$DOWNLOAD_DIR" echo "Downloading ado-aw v${COMPILER_VERSION} from GitHub Releases..." curl -fsSL -o "$DOWNLOAD_DIR/ado-aw-linux-x64" "$DOWNLOAD_URL" - curl -fsSL -o "$DOWNLOAD_DIR/ado-aw-linux-x64.sha256" "$CHECKSUM_URL" + curl -fsSL -o "$DOWNLOAD_DIR/checksums.txt" "$CHECKSUM_URL" echo "Verifying checksum..." cd "$DOWNLOAD_DIR" - sha256sum --check ado-aw-linux-x64.sha256 + sha256sum -c checksums.txt --ignore-missing mv ado-aw-linux-x64 ado-aw chmod +x ado-aw displayName: "Download agentic pipeline compiler (v{{ compiler_version }})" @@ -171,16 +171,16 @@ extends: COMPILER_VERSION="{{ compiler_version }}" DOWNLOAD_DIR="$(Pipeline.Workspace)/agentic-pipeline-compiler" DOWNLOAD_URL="https://github.com/githubnext/ado-aw/releases/download/v${COMPILER_VERSION}/ado-aw-linux-x64" - CHECKSUM_URL="${DOWNLOAD_URL}.sha256" + CHECKSUM_URL="https://github.com/githubnext/ado-aw/releases/download/v${COMPILER_VERSION}/checksums.txt" mkdir -p "$DOWNLOAD_DIR" echo "Downloading ado-aw v${COMPILER_VERSION} from GitHub Releases..." curl -fsSL -o "$DOWNLOAD_DIR/ado-aw-linux-x64" "$DOWNLOAD_URL" - curl -fsSL -o "$DOWNLOAD_DIR/ado-aw-linux-x64.sha256" "$CHECKSUM_URL" + curl -fsSL -o "$DOWNLOAD_DIR/checksums.txt" "$CHECKSUM_URL" echo "Verifying checksum..." cd "$DOWNLOAD_DIR" - sha256sum --check ado-aw-linux-x64.sha256 + sha256sum -c checksums.txt --ignore-missing mv ado-aw-linux-x64 ado-aw chmod +x ado-aw displayName: "Download agentic pipeline compiler (v{{ compiler_version }})" 
@@ -315,16 +315,16 @@ extends: COMPILER_VERSION="{{ compiler_version }}" DOWNLOAD_DIR="$(Pipeline.Workspace)/agentic-pipeline-compiler" DOWNLOAD_URL="https://github.com/githubnext/ado-aw/releases/download/v${COMPILER_VERSION}/ado-aw-linux-x64" - CHECKSUM_URL="${DOWNLOAD_URL}.sha256" + CHECKSUM_URL="https://github.com/githubnext/ado-aw/releases/download/v${COMPILER_VERSION}/checksums.txt" mkdir -p "$DOWNLOAD_DIR" echo "Downloading ado-aw v${COMPILER_VERSION} from GitHub Releases..." curl -fsSL -o "$DOWNLOAD_DIR/ado-aw-linux-x64" "$DOWNLOAD_URL" - curl -fsSL -o "$DOWNLOAD_DIR/ado-aw-linux-x64.sha256" "$CHECKSUM_URL" + curl -fsSL -o "$DOWNLOAD_DIR/checksums.txt" "$CHECKSUM_URL" echo "Verifying checksum..." cd "$DOWNLOAD_DIR" - sha256sum --check ado-aw-linux-x64.sha256 + sha256sum -c checksums.txt --ignore-missing mv ado-aw-linux-x64 ado-aw chmod +x ado-aw displayName: "Download agentic pipeline compiler (v{{ compiler_version }})" diff --git a/templates/base.yml b/templates/base.yml index 9c287fb..dd9f876 100644 --- a/templates/base.yml +++ b/templates/base.yml 
@@ -56,16 +56,16 @@ jobs: COMPILER_VERSION="{{ compiler_version }}" DOWNLOAD_DIR="$(Pipeline.Workspace)/agentic-pipeline-compiler" DOWNLOAD_URL="https://github.com/githubnext/ado-aw/releases/download/v${COMPILER_VERSION}/ado-aw-linux-x64" - CHECKSUM_URL="${DOWNLOAD_URL}.sha256" + CHECKSUM_URL="https://github.com/githubnext/ado-aw/releases/download/v${COMPILER_VERSION}/checksums.txt" mkdir -p "$DOWNLOAD_DIR" echo "Downloading ado-aw v${COMPILER_VERSION} from GitHub Releases..." curl -fsSL -o "$DOWNLOAD_DIR/ado-aw-linux-x64" "$DOWNLOAD_URL" - curl -fsSL -o "$DOWNLOAD_DIR/ado-aw-linux-x64.sha256" "$CHECKSUM_URL" + curl -fsSL -o "$DOWNLOAD_DIR/checksums.txt" "$CHECKSUM_URL" echo "Verifying checksum..." cd "$DOWNLOAD_DIR" - sha256sum --check ado-aw-linux-x64.sha256 + sha256sum -c checksums.txt --ignore-missing mv ado-aw-linux-x64 ado-aw chmod +x ado-aw displayName: "Download agentic pipeline compiler (v{{ compiler_version }})" 
@@ -172,23 +172,25 @@ jobs: - task: DockerInstaller@0 displayName: "Install Docker" - - task: DownloadPipelineArtifact@2 - displayName: "Download AWF (Agentic Workflow Firewall)" - name: awfdrop - inputs: - source: "specific" - project: "4x4" - pipeline: 2450 - runVersion: "latestFromBranch" - branchName: "refs/heads/ms/main" - artifact: "gh-aw-firewall-linux-x64" - targetPath: "$(Pipeline.Workspace)/awf" - - bash: | - chmod +x "$(Pipeline.Workspace)/awf/awf" + AWF_VERSION="{{ firewall_version }}" + DOWNLOAD_DIR="$(Pipeline.Workspace)/awf" + DOWNLOAD_URL="https://github.com/github/gh-aw-firewall/releases/download/v${AWF_VERSION}/awf-linux-x64" + CHECKSUM_URL="https://github.com/github/gh-aw-firewall/releases/download/v${AWF_VERSION}/checksums.txt" + + mkdir -p "$DOWNLOAD_DIR" + echo "Downloading AWF v${AWF_VERSION} from GitHub Releases..." + curl -fsSL -o "$DOWNLOAD_DIR/awf-linux-x64" "$DOWNLOAD_URL" + curl -fsSL -o "$DOWNLOAD_DIR/checksums.txt" "$CHECKSUM_URL" + + echo "Verifying checksum..." + cd "$DOWNLOAD_DIR" + sha256sum -c checksums.txt --ignore-missing + mv awf-linux-x64 awf + chmod +x awf echo "##vso[task.prependpath]$(Pipeline.Workspace)/awf" - "$(Pipeline.Workspace)/awf/awf" --version || echo "AWF binary ready" - displayName: "Setup AWF" + ./awf --version || echo "AWF binary ready" + displayName: "Download AWF (Agentic Workflow Firewall) v{{ firewall_version }}" - bash: | docker pull ghcr.io/github/gh-aw-firewall/squid:latest 
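Review bot: The new step ends with `./awf --version || echo "AWF binary ready"`, which turns a binary that cannot execute (wrong architecture, renamed asset, a checksums.txt entry that happened to match a broken build) into a green step; since the checksum line is now the only gate before the binary is put on PATH, the smoke test should be allowed to fail: `./awf --version`. Whether a failed `sha256sum` check stops the step at all depends on the script opening with `set -euo pipefail`, which is outside this hunk — without it, `mv`, `chmod` and the `prependpath` command run regardless of the verification result. Separately, the `docker pull ghcr.io/github/gh-aw-firewall/squid:latest` that follows is unpinned, so the version pin covers the firewall CLI but not the proxy image it drives; pinning that tag (or an image digest) alongside `AWF_VERSION` would make the two move together.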
@@ -312,16 +314,16 @@ jobs: COMPILER_VERSION="{{ compiler_version }}" DOWNLOAD_DIR="$(Pipeline.Workspace)/agentic-pipeline-compiler" DOWNLOAD_URL="https://github.com/githubnext/ado-aw/releases/download/v${COMPILER_VERSION}/ado-aw-linux-x64" - CHECKSUM_URL="${DOWNLOAD_URL}.sha256" + CHECKSUM_URL="https://github.com/githubnext/ado-aw/releases/download/v${COMPILER_VERSION}/checksums.txt" mkdir -p "$DOWNLOAD_DIR" echo "Downloading ado-aw v${COMPILER_VERSION} from GitHub Releases..." curl -fsSL -o "$DOWNLOAD_DIR/ado-aw-linux-x64" "$DOWNLOAD_URL" - curl -fsSL -o "$DOWNLOAD_DIR/ado-aw-linux-x64.sha256" "$CHECKSUM_URL" + curl -fsSL -o "$DOWNLOAD_DIR/checksums.txt" "$CHECKSUM_URL" echo "Verifying checksum..." cd "$DOWNLOAD_DIR" - sha256sum --check ado-aw-linux-x64.sha256 + sha256sum -c checksums.txt --ignore-missing mv ado-aw-linux-x64 ado-aw chmod +x ado-aw displayName: "Download agentic pipeline compiler (v{{ compiler_version }})" 
@@ -329,23 +331,25 @@ jobs: - task: DockerInstaller@0 displayName: "Install Docker" - - task: DownloadPipelineArtifact@2 - displayName: "Download AWF (Agentic Workflow Firewall)" - name: awfdrop - inputs: - source: "specific" - project: "4x4" - pipeline: 2450 - runVersion: "latestFromBranch" - branchName: "refs/heads/ms/main" - artifact: "gh-aw-firewall-linux-x64" - targetPath: "$(Pipeline.Workspace)/awf" - - bash: | - chmod +x "$(Pipeline.Workspace)/awf/awf" + AWF_VERSION="{{ firewall_version }}" + DOWNLOAD_DIR="$(Pipeline.Workspace)/awf" + DOWNLOAD_URL="https://github.com/github/gh-aw-firewall/releases/download/v${AWF_VERSION}/awf-linux-x64" + CHECKSUM_URL="https://github.com/github/gh-aw-firewall/releases/download/v${AWF_VERSION}/checksums.txt" + + mkdir -p "$DOWNLOAD_DIR" + echo "Downloading AWF v${AWF_VERSION} from GitHub Releases..." + curl -fsSL -o "$DOWNLOAD_DIR/awf-linux-x64" "$DOWNLOAD_URL" + curl -fsSL -o "$DOWNLOAD_DIR/checksums.txt" "$CHECKSUM_URL" + + echo "Verifying checksum..." + cd "$DOWNLOAD_DIR" + sha256sum -c checksums.txt --ignore-missing + mv awf-linux-x64 awf + chmod +x awf echo "##vso[task.prependpath]$(Pipeline.Workspace)/awf" - "$(Pipeline.Workspace)/awf/awf" --version || echo "AWF binary ready" - displayName: "Setup AWF" + ./awf --version || echo "AWF binary ready" + displayName: "Download AWF (Agentic Workflow Firewall) v{{ firewall_version }}" - bash: | docker pull ghcr.io/github/gh-aw-firewall/squid:latest 
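Review bot: This AWF download step is a verbatim copy of the one in the earlier job, and the compiler download block appears three times in the same file, so any hardening of the checksum check now has to be applied in lockstep to every copy — the last patch in this series already had to edit five call sites for a one-line change. Since standalone.rs already substitutes whole generated sections (`{{ setup_job }}`, `{{ teardown_job }}`), generating the download-and-verify step once on the Rust side behind a single marker such as `{{ awf_download_step }}` would keep the verification logic in one place and make it testable as one string. A YAML anchor inside the template would achieve the same if the template engine leaves anchors intact, which is not visible from this hunk.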
@@ -504,16 +508,16 @@ jobs: COMPILER_VERSION="{{ compiler_version }}" DOWNLOAD_DIR="$(Pipeline.Workspace)/agentic-pipeline-compiler" DOWNLOAD_URL="https://github.com/githubnext/ado-aw/releases/download/v${COMPILER_VERSION}/ado-aw-linux-x64" - CHECKSUM_URL="${DOWNLOAD_URL}.sha256" + CHECKSUM_URL="https://github.com/githubnext/ado-aw/releases/download/v${COMPILER_VERSION}/checksums.txt" mkdir -p "$DOWNLOAD_DIR" echo "Downloading ado-aw v${COMPILER_VERSION} from GitHub Releases..." curl -fsSL -o "$DOWNLOAD_DIR/ado-aw-linux-x64" "$DOWNLOAD_URL" - curl -fsSL -o "$DOWNLOAD_DIR/ado-aw-linux-x64.sha256" "$CHECKSUM_URL" + curl -fsSL -o "$DOWNLOAD_DIR/checksums.txt" "$CHECKSUM_URL" echo "Verifying checksum..." cd "$DOWNLOAD_DIR" - sha256sum --check ado-aw-linux-x64.sha256 + sha256sum -c checksums.txt --ignore-missing mv ado-aw-linux-x64 ado-aw chmod +x ado-aw displayName: "Download agentic pipeline compiler (v{{ compiler_version }})" From 85dd9e3b29b470afeec59e4e841eb0058fc6d185 Mon Sep 17 00:00:00 2001 From: James Devine Date: Sat, 7 Mar 2026 22:29:55 +0000 Subject: [PATCH 2/4] test: add assertions for AWF GitHub Releases download and checksums.txt Verify the standalone template no longer references ADO pipeline 2450 or DownloadPipelineArtifact, and instead downloads AWF from GitHub Releases with firewall_version marker and checksums.txt verification. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- tests/compiler_tests.rs | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/tests/compiler_tests.rs b/tests/compiler_tests.rs index 0743338..ca370d9 100644 --- a/tests/compiler_tests.rs +++ b/tests/compiler_tests.rs 
@@ -145,8 +145,26 @@ fn test_compiled_yaml_structure() { "Template should download the compiler from GitHub Releases" ); assert!( - template_content.contains("sha256sum --check"), - "Template should verify checksum of downloaded compiler" + template_content.contains("sha256sum -c checksums.txt --ignore-missing"), + "Template should verify checksum using checksums.txt" + ); + + // Verify AWF (Agentic Workflow Firewall) is downloaded from GitHub Releases, not ADO pipeline artifacts + assert!( + !template_content.contains("pipeline: 2450"), + "Template should not reference ADO pipeline 2450 for the firewall" + ); + assert!( + !template_content.contains("DownloadPipelineArtifact"), + "Template should not use DownloadPipelineArtifact task" + ); + assert!( + template_content.contains("github.com/github/gh-aw-firewall/releases"), + "Template should download AWF from GitHub Releases" + ); + assert!( + template_content.contains("{{ firewall_version }}"), + "Template should contain firewall_version marker" ); } From 5bc15340a2f6314f395e969426eb8d8291245087 Mon Sep 17 00:00:00 2001 From: James Devine Date: Sat, 7 Mar 2026 22:30:03 +0000 Subject: [PATCH 3/4] docs: update release workflow and AGENTS.md for checksums.txt Update release.yml to publish checksums.txt instead of per-binary .sha256 files. Add {{ firewall_version }} marker documentation to AGENTS.md and update the Network Isolation section to reflect GitHub Releases for AWF. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/release.yml | 4 ++-- AGENTS.md | 15 +++++++++++++-- 2 files changed, 15 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 294882b..ef35369 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -48,7 +48,7 @@ jobs: set -euo pipefail cd target/release cp ado-aw ado-aw-linux-x64 - sha256sum ado-aw-linux-x64 > ado-aw-linux-x64.sha256 + sha256sum ado-aw-linux-x64 > checksums.txt - name: Upload release assets env: @@ -56,5 +56,5 @@ jobs: run: | gh release upload ${{ needs.release-please.outputs.tag_name }} \ target/release/ado-aw-linux-x64 \ - target/release/ado-aw-linux-x64.sha256 \ + target/release/checksums.txt \ --clobber diff --git a/AGENTS.md b/AGENTS.md index 822893d..800fc5d 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -582,7 +582,18 @@ The generated pipelines download the compiler binary from: https://github.com/githubnext/ado-aw/releases/download/v{VERSION}/ado-aw-linux-x64 ``` -A SHA256 checksum file (`ado-aw-linux-x64.sha256`) is also downloaded and verified to ensure binary integrity. This replaces the previous approach of downloading from an internal ADO pipeline artifact. +A `checksums.txt` file is also downloaded and verified via `sha256sum -c checksums.txt --ignore-missing` to ensure binary integrity. + +## {{ firewall_version }} + +Should be replaced with the pinned version of the AWF (Agentic Workflow Firewall) binary (defined as `AWF_VERSION` constant in `src/compile/common.rs`). This version is used to construct the GitHub Releases download URL for the AWF binary. + +The generated pipelines download the AWF binary from: +``` +https://github.com/github/gh-aw-firewall/releases/download/v{VERSION}/awf-linux-x64 +``` + +A `checksums.txt` file is also downloaded and verified via `sha256sum -c checksums.txt --ignore-missing` to ensure binary integrity. ### 1ES-Specific Template Markers 
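Review bot: `gh release upload ... --clobber` on the last lines lets any re-run of this job replace `ado-aw-linux-x64` and `checksums.txt` under a tag that is already published, which contradicts the model the consumer templates now rely on (a pinned `v{{ compiler_version }}` meaning fixed bytes) and means the checksum file proves only that the two assets were uploaded together, not who built them. Consider dropping `--clobber` so a second upload to a released tag fails loudly, and, if the organisation allows it, publishing a provenance attestation or signature next to `checksums.txt` so consumers can check authenticity rather than just integrity. Note that the file is generated inside `cd target/release`, so its entry is the bare name `ado-aw-linux-x64`; the consumer-side `--ignore-missing` silently skips any entry whose name does not match, so keep the generation free of path prefixes if more assets are added.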
@@ -955,7 +966,7 @@ mcp-servers: Network isolation is provided by AWF (Agentic Workflow Firewall), which provides L7 (HTTP/HTTPS) egress control using Squid proxy and Docker containers. AWF restricts network access to a whitelist of approved domains. -The `ado-aw` compiler binary is distributed via [GitHub Releases](https://github.com/githubnext/ado-aw/releases) with SHA256 checksum verification. The AWF binary is downloaded from an internal ADO pipeline (pipeline 2450, branch `ms/main`, artifact `gh-aw-firewall-linux-x64`). Docker is sourced via the `DockerInstaller@0` ADO task. +The `ado-aw` compiler binary is distributed via [GitHub Releases](https://github.com/githubnext/ado-aw/releases) with SHA256 checksum verification. The AWF binary is distributed via [GitHub Releases](https://github.com/github/gh-aw-firewall/releases) with SHA256 checksum verification. Docker is sourced via the `DockerInstaller@0` ADO task. ### Default Allowed Domains From 7d91ccf58c52d025ef31a2de9fa4070b7c8e96ec Mon Sep 17 00:00:00 2001 From: James Devine Date: Sat, 7 Mar 2026 22:38:30 +0000 Subject: [PATCH 4/4] fix: harden checksum verification and address review feedback Add grep confirmation after sha256sum to ensure at least one file was verified, preventing silent success on naming mismatches. Add compiled output test asserting AWF GitHub Releases URL appears in final YAML. Add clarifying comment for no-op firewall_version in 1ES compiler. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- src/compile/onees.rs | 1 + templates/1es-base.yml | 6 +++--- templates/base.yml | 10 +++++----- tests/compiler_tests.rs | 12 +++++++++--- 4 files changed, 18 insertions(+), 11 deletions(-) diff --git a/src/compile/onees.rs b/src/compile/onees.rs index 6601aed..b3f754c 100644 --- a/src/compile/onees.rs +++ b/src/compile/onees.rs 
@@ -117,6 +117,7 @@ displayName: "Finalize""#, let compiler_version = env!("CARGO_PKG_VERSION"); let replacements: Vec<(&str, &str)> = vec![ ("{{ compiler_version }}", compiler_version), + // No-op for 1ES (template doesn't use AWF), but included for forward-compatibility ("{{ firewall_version }}", AWF_VERSION), ("{{ pool }}", &pool), ("{{ schedule }}", &schedule), diff --git a/templates/1es-base.yml b/templates/1es-base.yml index 3114e21..e159209 100644 --- a/templates/1es-base.yml +++ b/templates/1es-base.yml @@ -67,7 +67,7 @@ extends: echo "Verifying checksum..." cd "$DOWNLOAD_DIR" - sha256sum -c checksums.txt --ignore-missing + sha256sum -c checksums.txt --ignore-missing | grep -q ": OK" mv ado-aw-linux-x64 ado-aw chmod +x ado-aw displayName: "Download agentic pipeline compiler (v{{ compiler_version }})" @@ -180,7 +180,7 @@ extends: echo "Verifying checksum..." cd "$DOWNLOAD_DIR" - sha256sum -c checksums.txt --ignore-missing + sha256sum -c checksums.txt --ignore-missing | grep -q ": OK" mv ado-aw-linux-x64 ado-aw chmod +x ado-aw displayName: "Download agentic pipeline compiler (v{{ compiler_version }})" @@ -324,7 +324,7 @@ extends: echo "Verifying checksum..." cd "$DOWNLOAD_DIR" - sha256sum -c checksums.txt --ignore-missing + sha256sum -c checksums.txt --ignore-missing | grep -q ": OK" mv ado-aw-linux-x64 ado-aw chmod +x ado-aw displayName: "Download agentic pipeline compiler (v{{ compiler_version }})" diff --git a/templates/base.yml b/templates/base.yml index dd9f876..b913366 100644 --- a/templates/base.yml +++ b/templates/base.yml @@ -65,7 +65,7 @@ jobs: echo "Verifying checksum..." cd "$DOWNLOAD_DIR" - sha256sum -c checksums.txt --ignore-missing + sha256sum -c checksums.txt --ignore-missing | grep -q ": OK" mv ado-aw-linux-x64 ado-aw chmod +x ado-aw displayName: "Download agentic pipeline compiler (v{{ compiler_version }})" 
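Review bot: `sha256sum -c checksums.txt --ignore-missing | grep -q ": OK"` makes the verdict depend on shell options that are not visible in this hunk: without `set -e` a failing `grep` does not stop the step and `mv`/`chmod` still run, and with `pipefail` a `grep -q` that exits on its first match can SIGPIPE `sha256sum` when the file lists several assets, failing a good download. Selecting the one entry that matters and letting `sha256sum` be the last command in the pipe avoids both and removes the need for `--ignore-missing`: `grep ' ado-aw-linux-x64$' checksums.txt | sha256sum -c -` — an absent or renamed entry then fails with sha256sum's own "no properly formatted checksum lines found" error instead of being skipped. Whichever form is kept, the bash step should open with `set -euo pipefail` as the release workflow does; the step headers of these templates are outside the hunk, so I cannot tell whether they already do.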
@@ -185,7 +185,7 @@ jobs: echo "Verifying checksum..." cd "$DOWNLOAD_DIR" - sha256sum -c checksums.txt --ignore-missing + sha256sum -c checksums.txt --ignore-missing | grep -q ": OK" mv awf-linux-x64 awf chmod +x awf echo "##vso[task.prependpath]$(Pipeline.Workspace)/awf" @@ -323,7 +323,7 @@ jobs: echo "Verifying checksum..." cd "$DOWNLOAD_DIR" - sha256sum -c checksums.txt --ignore-missing + sha256sum -c checksums.txt --ignore-missing | grep -q ": OK" mv ado-aw-linux-x64 ado-aw chmod +x ado-aw displayName: "Download agentic pipeline compiler (v{{ compiler_version }})" @@ -344,7 +344,7 @@ jobs: echo "Verifying checksum..." cd "$DOWNLOAD_DIR" - sha256sum -c checksums.txt --ignore-missing + sha256sum -c checksums.txt --ignore-missing | grep -q ": OK" mv awf-linux-x64 awf chmod +x awf echo "##vso[task.prependpath]$(Pipeline.Workspace)/awf" @@ -517,7 +517,7 @@ jobs: echo "Verifying checksum..." cd "$DOWNLOAD_DIR" - sha256sum -c checksums.txt --ignore-missing + sha256sum -c checksums.txt --ignore-missing | grep -q ": OK" mv ado-aw-linux-x64 ado-aw chmod +x ado-aw displayName: "Download agentic pipeline compiler (v{{ compiler_version }})" diff --git a/tests/compiler_tests.rs b/tests/compiler_tests.rs index ca370d9..5416c21 100644 --- a/tests/compiler_tests.rs +++ b/tests/compiler_tests.rs @@ -145,8 +145,8 @@ fn test_compiled_yaml_structure() { "Template should download the compiler from GitHub Releases" ); assert!( - template_content.contains("sha256sum -c checksums.txt --ignore-missing"), - "Template should verify checksum using checksums.txt" + template_content.contains("sha256sum -c checksums.txt --ignore-missing | grep -q \": OK\""), + "Template should verify checksum using checksums.txt with grep confirmation" ); // Verify AWF (Agentic Workflow Firewall) is downloaded from GitHub Releases, not ADO pipeline artifacts 
@@ -366,7 +366,13 @@ fn test_compiled_output_no_unreplaced_markers() { ); assert!( compiled.contains("github.com/githubnext/ado-aw/releases"), - "Compiled output should reference GitHub Releases" + "Compiled output should reference GitHub Releases for the compiler" + ); + + // Verify the AWF firewall version was correctly substituted + assert!( + compiled.contains("github.com/github/gh-aw-firewall/releases"), + "Compiled output should reference GitHub Releases for AWF" ); let _ = fs::remove_dir_all(&temp_dir);
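Review bot: The added assertion only checks that `github.com/github/gh-aw-firewall/releases` appears somewhere in the compiled output, so it would still pass if the download path regressed to an unpinned URL or the marker were substituted with the wrong value; the comment above it says it verifies the version substitution, but no version is checked. Assert the full pinned asset path instead, e.g. `compiled.contains(&format!("gh-aw-firewall/releases/download/v{AWF_VERSION}/awf-linux-x64"))`, which needs `AWF_VERSION` to be reachable from the integration test (it is `pub` in `src/compile/common.rs`; whether that module is exported from the crate root is not visible here). Hard-coding `v0.23.1` in the test would work too but must then be bumped with every AWF upgrade.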