feat: add AWF JSON/YAML config ingestion with schema validation and CLI precedence#2018
Pull request overview
Adds first-class AWF config-file support (JSON/YAML, including stdin) with early shape validation, a deterministic precedence model (CLI overrides config), and a formal config contract for tooling.
Changes:
- Introduces `--config <path|->` to load JSON/YAML config files (or stdin via `-`) and merge into Commander options with CLI precedence.
- Adds runtime config parsing + validation + CLI option mapping (`src/config-file.ts`) and corresponding Jest coverage.
- Publishes a JSON Schema + normative spec documenting the config model and CLI mapping, and links them from the README.
| File | Description |
|---|---|
| src/config-file.ts | Implements config parsing (JSON/YAML/stdin), validation, mapping to existing CLI option names, and CLI-precedence merge. |
| src/config-file.test.ts | Adds unit tests for validation, parsing (file/stdin), mapping, and precedence behavior. |
| src/cli.ts | Wires --config into the CLI and applies config-derived options before existing option validation/processing. |
| docs/awf-config.schema.json | Defines the machine-readable schema for config files (closed-world / additionalProperties: false). |
| docs/awf-config-spec.md | Documents the normative processing model, precedence rules, and CLI mapping contract for tooling. |
| README.md | Links the new schema and spec for discoverability. |
Copilot's findings
- Files reviewed: 6/6 changed files
- Comments generated: 0
| Metric | Base | PR | Delta |
|---|---|---|---|
| Lines | 85.35% | 84.41% | 📉 -0.94% |
| Statements | 85.24% | 83.64% | 📉 -1.60% |
| Functions | 87.96% | 87.39% | 📉 -0.57% |
| Branches | 77.95% | 74.82% | 📉 -3.13% |
📁 Per-file Coverage Changes (2 files)
| File | Lines (Before → After) | Statements (Before → After) |
|---|---|---|
| src/cli.ts | 59.5% → 58.9% (-0.61%) | 60.0% → 59.4% (-0.61%) |
| src/docker-manager.ts | 86.8% → 87.1% (+0.30%) | 86.4% → 86.7% (+0.29%) |
✨ New Files (1 files)
src/config-file.ts: 65.6% lines
Coverage comparison generated by scripts/ci/compare-coverage.ts
…o local variable' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
| Metric | Base | PR | Delta |
|---|---|---|---|
| Lines | 85.35% | 84.41% | 📉 -0.94% |
| Statements | 85.24% | 83.64% | 📉 -1.60% |
| Functions | 87.96% | 87.39% | 📉 -0.57% |
| Branches | 77.95% | 74.82% | 📉 -3.13% |
📁 Per-file Coverage Changes (2 files)
| File | Lines (Before → After) | Statements (Before → After) |
|---|---|---|
| src/cli.ts | 59.5% → 58.9% (-0.61%) | 60.0% → 59.4% (-0.61%) |
| src/docker-manager.ts | 86.8% → 87.1% (+0.30%) | 86.4% → 86.7% (+0.29%) |
✨ New Files (1 files)
src/config-file.ts: 65.3% lines
Coverage comparison generated by scripts/ci/compare-coverage.ts
The initial apt-get update can fail with hash mismatches when Ubuntu mirrors are mid-sync. The existing retry logic only covered apt-get install failures, not apt-get update failures. This adds a retry with cache clear for the initial apt-get update in both agent and squid Dockerfiles.
Fixes: squid-proxy build failure (exit code 100) in --build-local CI
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The byok-copilot feature flag generates an empty COPILOT_MODEL fallback, but BYOK providers require an explicit model. This patches the lock file with claude-sonnet-4.5 as the default.
Workaround for: github/gh-aw#26565
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Replace single-retry apt-get update with a 3-attempt retry loop using exponential backoff (10s, 20s, 30s). The single retry was insufficient when Ubuntu mirrors are in prolonged sync states (observed in CI where mirror hash mismatches persisted across multiple minutes). The apt_update_retry function clears the apt cache before each attempt, ensuring a clean state. Applied to all apt-get update calls in both agent and squid Dockerfiles, including the install-retry fallback paths.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
GitHub Actions runners are Azure-hosted, so azure.archive.ubuntu.com is geographically closer and more reliable than archive.ubuntu.com. This reduces Hash Sum mismatch failures during Ubuntu mirror syncs. Handles both traditional sources.list (jammy/22.04) and DEB822 format (noble/24.04+) used by ubuntu/squid:latest.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Smoke Test Results ✅ GitHub MCP: chore: recompile workflows for gh-aw v0.68.5 / chore: upgrade gh-aw to v0.68.4 and recompile workflows Overall: PASS

Copilot Smoke Test Results ✅ GitHub MCP: ✅ Listed PR #2006 by Status: PASS cc

Smoke Test: GitHub Actions Services Connectivity
All checks passed.

🤖 OpenCode Smoke Test Results
Overall: PASS

Smoke Test Status

Chroot Version Comparison Results
Overall: ❌ Not all tests passed — Python and Node.js versions differ between host and chroot environments.

🏗️ Build Test Suite Results
Overall: 8/8 ecosystems passed — ✅ PASS

AWF’s growing flag surface made non-trivial invocations hard to maintain and share. This change introduces JSON/YAML config-file support (including stdin), validates config shape early, and formalizes a tooling-oriented configuration contract that `gh-aw` can consume.

CLI config ingestion + precedence
- `--config <path|->` to load config from JSON/YAML files or stdin (`--config -`).

Structured config parsing/validation
- `src/config-file.ts` for: `--no-rate-limit`).

Schema + W3C-style spec for compiler/tooling
- `docs/awf-config.schema.json` (machine-readable schema for IDE/completion/validation).
- `docs/awf-config-spec.md` (normative processing model, conformance, precedence, and CLI mapping) to serve as the contract for `gh-aw` compiler integration.

Coverage and docs updates
- `src/config-file.test.ts` for parsing, validation, stdin mode, mapping, and precedence behavior.

Example config usage:

Example schema-backed config shape:

```json
{
  "$schema": "https://raw.githubusercontent.com/github/gh-aw-firewall/main/docs/awf-config.schema.json",
  "network": {
    "allowDomains": ["github.com", "api.github.com"],
    "dnsServers": ["1.1.1.1", "1.0.0.1"]
  },
  "apiProxy": {
    "enabled": true,
    "targets": {
      "openai": { "host": "api.openai.com", "basePath": "/v1" }
    }
  },
  "logging": { "logLevel": "debug" }
}
```
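
The closed-world validation and CLI-over-config precedence described in this PR, as an added TypeScript sketch that is not the code in `src/config-file.ts`. The flat option names, the `cliExplicit` set and the function names are assumptions; only JSON input and the `network` and `logging` sections of the example shape are handled.

```typescript
// Added sketch; not the contents of src/config-file.ts.
// Flat option names (allowDomains, dnsServers, logLevel) are assumed here.
type Opts = Record<string, unknown>;
type Check = (v: unknown) => boolean;

const isStrArr: Check = (v) =>
  Array.isArray(v) && v.every((x) => typeof x === "string" && x.length > 0);
const isObj = (v: unknown): v is Opts =>
  typeof v === "object" && v !== null && !Array.isArray(v);

// Closed-world shape. Maps avoid prototype lookups for keys like "__proto__".
const SHAPE = new Map<string, Map<string, Check>>([
  ["network", new Map<string, Check>([["allowDomains", isStrArr], ["dnsServers", isStrArr]])],
  ["logging", new Map<string, Check>([["logLevel", (v) => typeof v === "string"]])],
]);

// Collect every problem so a typo such as "allowDomain" fails loudly
// instead of being silently ignored.
function validateConfig(raw: unknown): string[] {
  if (!isObj(raw)) return ["config must be an object"];
  const errors: string[] = [];
  for (const [section, body] of Object.entries(raw)) {
    if (section === "$schema") continue; // editor hint, carries no settings
    const rules = SHAPE.get(section);
    if (!rules) { errors.push(`unknown section: ${section}`); continue; }
    if (!isObj(body)) { errors.push(`${section} must be an object`); continue; }
    for (const [key, value] of Object.entries(body)) {
      const check = rules.get(key);
      if (!check) errors.push(`unknown key: ${section}.${key}`);
      else if (!check(value)) errors.push(`invalid value: ${section}.${key}`);
    }
  }
  return errors;
}

// Validate first, then merge: config fills in options, but any option the
// user passed explicitly on the command line (cliExplicit) wins.
function resolveOptions(configText: string, cli: Opts, cliExplicit: Set<string>): Opts {
  const raw: unknown = JSON.parse(configText);
  const errors = validateConfig(raw);
  if (errors.length > 0 || !isObj(raw)) throw new Error(`invalid config: ${errors.join("; ")}`);
  const merged: Opts = { ...cli };
  for (const [section, body] of Object.entries(raw)) {
    if (section === "$schema" || !isObj(body)) continue;
    for (const [key, value] of Object.entries(body)) {
      if (!cliExplicit.has(key)) merged[key] = value;
    }
  }
  return merged;
}
```

With Commander, the set of explicitly passed options can be derived from `getOptionValueSource`, which distinguishes values given on the command line from defaults.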