From 3673ee13e34155a1b20eb2a52e31d3cf7cbc8d2c Mon Sep 17 00:00:00 2001
From: James Devine <james.devine@microsoft.com>
Date: Thu, 7 May 2026 14:32:59 +0100
Subject: [PATCH] fix(compile): fail pipeline step on AWF download errors

Add set -eo pipefail to all AWF download and docker pull steps in both
base.yml and 1es-base.yml templates. Remove the || echo fallback on
./awf --version that was silently swallowing download failures, causing
the step to report green even when the binary was not present.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 src/data/1es-base.yml | 12 ++++++++++--
 src/data/base.yml     | 12 ++++++++++--
 2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/src/data/1es-base.yml b/src/data/1es-base.yml
index e0407036..eb60e9b3 100644
--- a/src/data/1es-base.yml
+++ b/src/data/1es-base.yml
@@ -143,6 +143,8 @@ extends:
                     dockerVersion: 26.1.4
 
                 - bash: |
+                    set -eo pipefail
+
                     AWF_VERSION="{{ firewall_version }}"
                     DOWNLOAD_DIR="$(Pipeline.Workspace)/awf"
                     DOWNLOAD_URL="https://github.com/github/gh-aw-firewall/releases/download/v${AWF_VERSION}/awf-linux-x64"
@@ -159,10 +161,12 @@ extends:
                     mv awf-linux-x64 awf
                     chmod +x awf
                     echo "##vso[task.prependpath]$(Pipeline.Workspace)/awf"
-                    ./awf --version || echo "AWF binary ready"
+                    ./awf --version
                   displayName: "Download AWF (Agentic Workflow Firewall) v{{ firewall_version }}"
 
                 - bash: |
+                    set -eo pipefail
+
                     docker pull ghcr.io/github/gh-aw-firewall/squid:{{ firewall_version }}
                     docker pull ghcr.io/github/gh-aw-firewall/agent:{{ firewall_version }}
                     docker tag ghcr.io/github/gh-aw-firewall/squid:{{ firewall_version }} ghcr.io/github/gh-aw-firewall/squid:latest
@@ -451,6 +455,8 @@ extends:
                     dockerVersion: 26.1.4
 
                 - bash: |
+                    set -eo pipefail
+
                     AWF_VERSION="{{ firewall_version }}"
                     DOWNLOAD_DIR="$(Pipeline.Workspace)/awf"
                     DOWNLOAD_URL="https://github.com/github/gh-aw-firewall/releases/download/v${AWF_VERSION}/awf-linux-x64"
@@ -467,10 +473,12 @@ extends:
                     mv awf-linux-x64 awf
                     chmod +x awf
                     echo "##vso[task.prependpath]$(Pipeline.Workspace)/awf"
-                    ./awf --version || echo "AWF binary ready"
+                    ./awf --version
                   displayName: "Download AWF (Agentic Workflow Firewall) v{{ firewall_version }}"
 
                 - bash: |
+                    set -eo pipefail
+
                     docker pull ghcr.io/github/gh-aw-firewall/squid:{{ firewall_version }}
                     docker pull ghcr.io/github/gh-aw-firewall/agent:{{ firewall_version }}
                     docker tag ghcr.io/github/gh-aw-firewall/squid:{{ firewall_version }} ghcr.io/github/gh-aw-firewall/squid:latest
diff --git a/src/data/base.yml b/src/data/base.yml
index 24a9ba80..42c452fc 100644
--- a/src/data/base.yml
+++ b/src/data/base.yml
@@ -114,6 +114,8 @@ jobs:
           dockerVersion: 26.1.4
 
       - bash: |
+          set -eo pipefail
+
           AWF_VERSION="{{ firewall_version }}"
           DOWNLOAD_DIR="$(Pipeline.Workspace)/awf"
           DOWNLOAD_URL="https://github.com/github/gh-aw-firewall/releases/download/v${AWF_VERSION}/awf-linux-x64"
@@ -130,10 +132,12 @@ jobs:
           mv awf-linux-x64 awf
           chmod +x awf
           echo "##vso[task.prependpath]$(Pipeline.Workspace)/awf"
-          ./awf --version || echo "AWF binary ready"
+          ./awf --version
         displayName: "Download AWF (Agentic Workflow Firewall) v{{ firewall_version }}"
 
       - bash: |
+          set -eo pipefail
+
           docker pull ghcr.io/github/gh-aw-firewall/squid:{{ firewall_version }}
           docker pull ghcr.io/github/gh-aw-firewall/agent:{{ firewall_version }}
           docker tag ghcr.io/github/gh-aw-firewall/squid:{{ firewall_version }} ghcr.io/github/gh-aw-firewall/squid:latest
@@ -420,6 +424,8 @@ jobs:
           dockerVersion: 26.1.4
 
       - bash: |
+          set -eo pipefail
+
           AWF_VERSION="{{ firewall_version }}"
           DOWNLOAD_DIR="$(Pipeline.Workspace)/awf"
           DOWNLOAD_URL="https://github.com/github/gh-aw-firewall/releases/download/v${AWF_VERSION}/awf-linux-x64"
@@ -436,10 +442,12 @@ jobs:
           mv awf-linux-x64 awf
           chmod +x awf
           echo "##vso[task.prependpath]$(Pipeline.Workspace)/awf"
-          ./awf --version || echo "AWF binary ready"
+          ./awf --version
         displayName: "Download AWF (Agentic Workflow Firewall) v{{ firewall_version }}"
 
       - bash: |
+          set -eo pipefail
+
           docker pull ghcr.io/github/gh-aw-firewall/squid:{{ firewall_version }}
           docker pull ghcr.io/github/gh-aw-firewall/agent:{{ firewall_version }}
           docker tag ghcr.io/github/gh-aw-firewall/squid:{{ firewall_version }} ghcr.io/github/gh-aw-firewall/squid:latest