From cab496f80e8905dd4c70eb78ad7d00db4ece7fc1 Mon Sep 17 00:00:00 2001
From: "Jiaxiao (mossaka) Zhou"
Date: Sat, 14 Feb 2026 00:35:46 +0000
Subject: [PATCH] feat(ci): add api-proxy image to release pipeline
The api-proxy sidecar container (containers/api-proxy/) exists in the repo but was never wired into the release workflow. This means the image ghcr.io/github/gh-aw-firewall/api-proxy: was never published to GHCR, causing smoke tests to fail when --enable-api-proxy is used: Container awf-api-proxy Error response from daemon: No such image: ghcr.io/github/gh-aw-firewall/api-proxy:0.16.5 Add build, push, cosign signing, and SBOM attestation steps for the api-proxy image, matching the existing pattern for squid and agent images.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/release.yml | 31 +++++++++++++++++++++++++++++++
 package-lock.json | 4 ++--
 package.json | 2 +-
 3 files changed, 34 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3cc372b24..32fc8324b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -122,6 +122,37 @@ jobs:
 --type spdxjson \
 ghcr.io/${{ github.repository }}/agent@${{ steps.build_agent.outputs.digest }}
+ - name: Build and push API Proxy image
+ id: build_api_proxy
+ uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
+ with:
+ context: ./containers/api-proxy
+ push: true
+ tags: |
+ ghcr.io/${{ github.repository }}/api-proxy:${{ steps.version_early.outputs.version_number }}
+ ghcr.io/${{ github.repository }}/api-proxy:latest
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+
+ - name: Sign API Proxy image with cosign
+ run: |
+ cosign sign --yes \
+ ghcr.io/${{ github.repository }}/api-proxy@${{ steps.build_api_proxy.outputs.digest }}
+
+ - name: Generate SBOM for API Proxy image
+ uses: anchore/sbom-action@28d71544de8eaf1b958d335707167c5f783590ad # v0.22.2
+ with:
+ image: ghcr.io/${{ github.repository }}/api-proxy@${{ steps.build_api_proxy.outputs.digest }}
+ format: spdx-json
+ output-file: api-proxy-sbom.spdx.json
+
+ - name: Attest SBOM for API Proxy image
+ run: |
+ cosign attest --yes \
+ --predicate api-proxy-sbom.spdx.json \
+ --type spdxjson \
+ ghcr.io/${{ github.repository }}/api-proxy@${{ steps.build_api_proxy.outputs.digest }}
+
 # Build agent-act image with catthehacker/ubuntu:act-24.04 base for GitHub Actions parity
 - name: Build and push Agent-Act image
 id: build_agent_act
diff --git a/package-lock.json b/package-lock.json
index 6f4505e9a..a9034be80 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@ { "name": "@github/agentic-workflow-firewall", - "version": "0.16.4", + "version": "0.16.5", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@github/agentic-workflow-firewall", - "version": "0.16.4", + "version": "0.16.5", "license": "MIT", "dependencies": { "chalk": "^4.1.2",
diff --git a/package.json b/package.json
index b67d279a8..51ef19f1d 100644
--- a/package.json
+++ b/package.json
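Review bot: The `Build and push API Proxy image` step in `.github/workflows/release.yml` restores and saves layers through the shared Actions cache (`cache-from: type=gha`, `cache-to: type=gha,mode=max`) with no `scope`, so the image that the following steps sign and attest may contain layers produced by an earlier run rather than by this release build. For a signed release artifact I would either drop the two cache lines and set `no-cache: true`, or at minimum isolate the cache with `cache-from: type=gha,scope=api-proxy` and `cache-to: type=gha,mode=max,scope=api-proxy`. Without a scope the gha backend falls back to a single default scope, so this build presumably also shares and overwrites cache with the squid and agent builds, whose steps lie outside this hunk. A short comment above the step, such as `# api-proxy sidecar image; signed and attested by digest below`, would also match the comment style used for the Agent-Act step.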
@@ -1,6 +1,6 @@
 {
 "name": "@github/agentic-workflow-firewall",
- "version": "0.16.4",
+ "version": "0.16.5",
 "description": "Network firewall for agentic workflows with domain whitelisting",
 "main": "dist/cli.js",
 "bin": {