Summary
AWF now supports a formal JSON/YAML configuration model as an alternative to its 53+ CLI flags. The gh-aw compiler should adopt this config file to configure AWF, replacing the growing list of --flag arguments on the awf command line.
Background
The AWF command line has become unwieldy — over 53 flags covering domains, DNS, proxy settings, container options, API proxy configuration, logging, and more. To address this, AWF now supports --config <path|-> which accepts a JSON or YAML configuration document.
The full specification and schema are published in the AWF repository: docs/awf-config-spec.md and docs/awf-config.schema.json
Proposal
When gh-aw compiles a workflow lock file, it should:
- Generate an AWF config file (JSON) containing all firewall settings (allowed domains, DNS servers, proxy config, logging options, container settings, etc.)
- Write the config to a temp file in the workflow workspace (e.g., /tmp/gh-aw/awf-config.json)
- Invoke AWF with --config instead of individual flags:
awf --config /tmp/gh-aw/awf-config.json -- <command>
instead of the current:
awf --allow-domains "dom1,dom2,..." --dns-servers "8.8.8.8" --log-level info --proxy-logs-dir ... --audit-dir ... --session-state-dir ... --enable-host-access --build-local --enable-api-proxy --difc-proxy-host ... --difc-proxy-ca-cert ... -- <command>
Benefits
- Readability: Config is structured and self-documenting vs. a 500+ character command line
- Validation: JSON Schema provides static validation before AWF runs
- Maintainability: Adding new AWF options requires only schema + config changes, not flag parsing
- Debuggability: Config file can be inspected, diffed, and version-controlled
- Processing model: CLI flags still override config values, so per-invocation tweaks work
Config Structure Example
{
  "allowDomains": ["github.com", "api.github.com", "registry.npmjs.org"],
  "dnsServers": ["8.8.8.8", "8.8.4.4"],
  "logLevel": "info",
  "proxyLogsDir": "/tmp/gh-aw/sandbox/firewall/logs",
  "auditDir": "/tmp/gh-aw/sandbox/firewall/audit",
  "sessionStateDir": "/tmp/gh-aw/sandbox/agent/session-state",
  "enableHostAccess": true,
  "buildLocal": true,
  "enableApiProxy": true,
  "difcProxyHost": "host.docker.internal:18443",
  "difcProxyCaCert": "/tmp/gh-aw/difc-proxy-tls/ca.crt",
  "containerWorkdir": "/home/runner/work/repo/repo"
}
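As an added example (not gh-aw's or AWF's own code), a Go sketch of the compiler side of this proposal: a struct whose keys follow the example above (the field set is an assumption for illustration; docs/awf-config.schema.json is authoritative), a write step that validates the allowlist and restricts file permissions, and an argv builder that places --config first so per-invocation flags can still override it.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// AWFConfig mirrors a subset of the camelCase keys in the example config.
// The field set is an assumption; the AWF JSON schema is the source of truth.
type AWFConfig struct {
	AllowDomains     []string `json:"allowDomains"`
	DNSServers       []string `json:"dnsServers,omitempty"`
	LogLevel         string   `json:"logLevel,omitempty"`
	EnableHostAccess bool     `json:"enableHostAccess,omitempty"`
	EnableAPIProxy   bool     `json:"enableApiProxy,omitempty"`
}

// Validate rejects allowlist entries that are not bare host names (a URL or path would never match).
func (c AWFConfig) Validate() error {
	for _, d := range c.AllowDomains {
		if d == "" || strings.ContainsAny(d, "/: ") {
			return fmt.Errorf("allowDomains entry %q is not a bare host name", d)
		}
	}
	return nil
}

// WriteConfig validates cfg and writes it as indented JSON readable only by the owner.
func WriteConfig(cfg AWFConfig, path string) ([]byte, error) {
	if err := cfg.Validate(); err != nil {
		return nil, err
	}
	data, err := json.MarshalIndent(cfg, "", "  ")
	if err != nil {
		return nil, err
	}
	if err := os.MkdirAll(filepath.Dir(path), 0o700); err != nil {
		return nil, err
	}
	return data, os.WriteFile(path, data, 0o600)
}

// BuildArgs: --config first, then per-invocation flag overrides (flags beat config values), then the command.
func BuildArgs(configPath string, overrides, command []string) []string {
	args := append([]string{"awf", "--config", configPath}, overrides...)
	return append(append(args, "--"), command...)
}
```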
Migration Path
This could be adopted incrementally:
- Start by generating the config file alongside the existing flags
- Validate that AWF produces identical behavior with --config vs. flags
- Switch the compiled lock files to use --config
- Eventually deprecate the long flag invocations in lock files