
Apply DIFC integrity filtering to the main agent job (post-activation only)#22794

Draft
Copilot wants to merge 7 commits into main from copilot/apply-difc-integrity-filtering

Conversation

Contributor

Copilot AI commented Mar 25, 2026

Per reviewer feedback, DIFC integrity filtering is limited to jobs that run after the pre-activation and activation phases. The proxy only applies to the main agent job and the qmd indexing job — pre-activation and activation remain unproxied infrastructure jobs.

Changes

  • compiler_activation_job.go: No proxy injection (reverted). Activation job steps (reactions, timestamp checks, body fetch, status comments, issue locking, label removal) continue to use the default GitHub API endpoint.

  • compiler_difc_proxy.go: Package comment documents proxy injection for the main agent job and indexing job only.

  • compiler_difc_proxy_test.go: Tests cover proxy injection for the main agent job and indexing job.

How it works

The existing proxy startup script exports GITHUB_API_URL, GITHUB_GRAPHQL_URL, NODE_EXTRA_CA_CERTS, and GH_HOST via $GITHUB_ENV — all subsequent Octokit calls in github-script steps within the agent job are intercepted automatically.

Coverage

Job              Proxy coverage
pre_activation   ❌ not proxied (infrastructure job)
activation       ❌ not proxied (infrastructure job)
Main agent job   ✅ existing coverage
indexing (qmd)   ✅ existing coverage


Copilot AI and others added 2 commits March 25, 2026 00:54
Inject DIFC proxy start/stop into buildActivationJob so that all
actions/github-script calls (add_reaction, check_workflow_timestamp,
compute_text, add_workflow_run_comment, lock-issue, remove_trigger_label,
etc.) are routed through integrity filtering when min-integrity is set.

The proxy startup script already sets GITHUB_API_URL, GITHUB_GRAPHQL_URL,
NODE_EXTRA_CA_CERTS, and GH_HOST via $GITHUB_ENV, so no per-step base-url
injection is needed — all subsequent Octokit calls are intercepted automatically.

Condition used: hasDIFCGuardsConfigured (same as indexing job), since the
activation job always makes GitHub API calls via github-script regardless
of custom steps.

Also updates the package comment in compiler_difc_proxy.go and adds
TestDIFCProxyInjectedInActivationJob tests.

Recompiled all 177 workflow lock files.

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/dbd57cd2-a5f2-480b-aa12-24198fde2259
Copilot AI changed the title [WIP] Apply DIFC integrity filtering to pre-agentic gh CLI and actions/github-script steps Apply DIFC integrity filtering to pre-agentic activation job steps Mar 25, 2026
Copilot AI requested a review from lpcox March 25, 2026 00:59
@pelikhan
Collaborator

@lpcox are you wrapping the user injected steps?

Copilot AI requested a review from pelikhan March 25, 2026 01:13
@github-actions github-actions bot added the lgtm label Mar 25, 2026
@lpcox
Collaborator

lpcox commented Mar 25, 2026

@pelikhan it should be but I will double check.

@lpcox
Collaborator

lpcox commented Mar 25, 2026

@copilot make sure that you are proxying compiler-added steps and user defined steps (from the front matter). is there a way to also proxy imported steps? can imported steps access GH_TOKEN?

Contributor Author

Copilot AI commented Mar 25, 2026

@copilot make sure that you are proxying compiler-added steps and user defined steps (from the front matter). is there a way to also proxy imported steps? can imported steps access GH_TOKEN?

Done in ac14b09.

Compiler-added steps: All steps in the activation job (reactions, timestamp check, compute_text, status comments, lock, label removal) are wrapped — proxy starts right after setup, stops before artifact upload.

User-defined steps from frontmatter:

  • on.steps / jobs.pre-activation custom steps: now also wrapped. The proxy is injected into the pre-activation job (start after setup, stop after all steps including on.steps). All membership checks, rate-limit, skip-if queries, command position checks, and user on.steps run through the proxy when min-integrity is set.
  • steps: (main job): already wrapped by the existing pre-agent proxy.

Imported steps (RepositoryImports): these are checked out and used in the main agent job, which already has proxy coverage from the pre-existing DIFC implementation.

Can imported steps access GH_TOKEN?: Yes — both the pre-activation and main jobs have GITHUB_TOKEN available. The proxy intercepts Octokit calls via GITHUB_API_URL / GITHUB_GRAPHQL_URL set in $GITHUB_ENV by the startup script, so all subsequent actions/github-script calls in those jobs are routed through integrity filtering automatically.

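The $GITHUB_ENV hand-off described in the PR description's "How it works" section and again in the reply above (the proxy start step exports GITHUB_API_URL, GITHUB_GRAPHQL_URL, NODE_EXTRA_CA_CERTS and GH_HOST, and every later step in the same job inherits them) is shown here as an added example. It is not code from the gh-aw project or its proxy startup script: the proxy host and port, the CA-certificate path and the value written to GH_HOST are constructed stand-ins, since the real script's values are not on this page. The second function is the check a later step, or a test, can run to confirm that a job's environment actually routes REST and GraphQL through the proxy; an infrastructure job that never ran the start step (pre_activation, activation) fails it, which is exactly the coverage boundary the table above draws.

```shell
#!/usr/bin/env bash
# Added example, not gh-aw code. Demonstrates how a proxy start step publishes
# its endpoints to later steps of the same GitHub Actions job through the file
# named by $GITHUB_ENV, and how to verify that a job is proxied.
set -eu

# Append the four variables named in the PR to the GITHUB_ENV file. Only steps
# that run after this one, in this job, see them. Host, port and CA path are
# constructed defaults; GH_HOST is set to the proxy host as an assumption.
export_proxy_env() {
  env_file="$1"
  proxy_host="${2:-127.0.0.1}"
  proxy_port="${3:-8443}"
  ca_cert="${4:-/tmp/difc-proxy-ca.pem}"   # assumed path, not the project's
  {
    printf 'GITHUB_API_URL=https://%s:%s\n' "$proxy_host" "$proxy_port"
    printf 'GITHUB_GRAPHQL_URL=https://%s:%s/graphql\n' "$proxy_host" "$proxy_port"
    printf 'NODE_EXTRA_CA_CERTS=%s\n' "$ca_cert"
    printf 'GH_HOST=%s\n' "$proxy_host"
  } >> "$env_file"
}

# Return 0 when the environment in the file sends both REST and GraphQL to the
# proxy host and carries the CA bundle and GH_HOST, 1 otherwise. The last
# assignment wins, matching how GITHUB_ENV is applied to later steps.
env_file_is_proxied() {
  env_file="$1"
  proxy_host="${2:-127.0.0.1}"
  api=$(sed -n 's/^GITHUB_API_URL=//p' "$env_file" | tail -n 1)
  graphql=$(sed -n 's/^GITHUB_GRAPHQL_URL=//p' "$env_file" | tail -n 1)
  case "$api" in
    https://"$proxy_host":*) ;;
    *) return 1 ;;
  esac
  case "$graphql" in
    https://"$proxy_host":*/graphql) ;;
    *) return 1 ;;
  esac
  grep -q '^NODE_EXTRA_CA_CERTS=' "$env_file" || return 1
  grep -q '^GH_HOST=' "$env_file"
}

# Demo: an empty GITHUB_ENV (an unproxied infrastructure job, or a step that
# runs before the proxy start step) versus one written by the start step.
demo_env=$(mktemp)
if env_file_is_proxied "$demo_env"; then
  echo "before start step: proxied"
else
  echo "before start step: direct to api.github.com"
fi
export_proxy_env "$demo_env"
if env_file_is_proxied "$demo_env"; then
  echo "after start step: proxied"
else
  echo "after start step: direct to api.github.com"
fi
rm -f "$demo_env"
```

In a real workflow the first function's body is what a `run:` step executes with `"$GITHUB_ENV"` as its first argument; a step placed earlier in the job, or in a different job, never sees the appended lines, so proxy coverage has to be decided per job, as the table in the PR description does.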

Copilot AI changed the title Apply DIFC integrity filtering to pre-agentic activation job steps Apply DIFC integrity filtering to pre-agentic activation and pre-activation job steps Mar 25, 2026
@pelikhan
Collaborator

Are you going to break these steps?

@pelikhan
Collaborator

I'd like to discuss this one... preactivation/activation is infrastructure

@lpcox
Collaborator

lpcox commented Mar 25, 2026

@pelikhan happy to chat. we can limit to post-preactivation/activation

@github-actions
Contributor

Hey @Copilot 👋 — great work extending DIFC proxy coverage to the activation and pre-activation jobs! Closing a real security gap where pre-agentic github-script and gh CLI calls were bypassing the integrity proxy is a solid, well-scoped contribution.

The PR is well-structured, the description is thorough, and the test suite (TestDIFCProxyInjectedInActivationJob + TestDIFCProxyInjectedInPreActivationJob with 8 sub-tests) covers the right scenarios. The recompiled .lock.yml files are consistent with the Go compiler changes.

This looks ready for maintainer review! 🟢

Generated by Contribution Check

@lpcox
Collaborator

lpcox commented Mar 26, 2026

@copilot limit integrity filtering to jobs after preactivation/activation

…er reviewer request

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/3f005084-69aa-4fe2-be12-f5979c050b8c

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Contributor Author

Copilot AI commented Mar 26, 2026

@copilot limit integrity filtering to jobs after preactivation/activation

Done in 3c16f0b. Reverted DIFC proxy injection from both the activation and pre_activation jobs. Integrity filtering now only applies to jobs that run after them (main agent job and indexing/qmd job), which is the pre-existing behavior. Lock files recompiled across all 178 workflows.


Copilot AI changed the title Apply DIFC integrity filtering to pre-agentic activation and pre-activation job steps Apply DIFC integrity filtering to the main agent job (post-activation only) Mar 26, 2026
* Initial plan

* Fix sparse-checkout missing actions/setup in dev mode for activation job

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/1b83f1ef-faf6-451f-84b2-ffbd0b92867c

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
@lpcox
Collaborator

lpcox commented Mar 26, 2026

@pelikhan PR now limits integrity filtering to jobs after preactivation/activation

Successfully merging this pull request may close these issues.

Apply DIFC integrity filtering to pre-agentic gh CLI and actions/github-script steps

3 participants