github
diff --git a/‎.github/workflows/test-action.yml‎
Lines changed: 116 additions & 0 deletions b/‎.github/workflows/test-action.yml‎
Lines changed: 116 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 75 additions & 1 deletion b/‎README.md‎
Lines changed: 75 additions & 1 deletion
diff --git a/‎action.yml‎
Lines changed: 186 additions & 0 deletions b/‎action.yml‎
Lines changed: 186 additions & 0 deletions
@@ -0,0 +1,116 @@
+name: Test Setup Action
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  test-action-latest:
+    name: Test Action (Latest Version)
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
+
+      - name: Setup awf using action
+        id: setup-awf
+        uses: ./
+
+      - name: Verify awf is installed
+        run: |
+          echo "Installed version: ${{ steps.setup-awf.outputs.version }}"
+          which awf
+          awf --version
+          awf --help
+
+  test-action-specific-version:
+    name: Test Action (Specific Version)
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
+
+      - name: Setup awf using action with specific version
+        id: setup-awf
+        uses: ./
+        with:
+          version: 'v0.7.0'
+
+      - name: Verify awf is installed with correct version
+        run: |
+          echo "Installed version: ${{ steps.setup-awf.outputs.version }}"
+          echo "Image tag: ${{ steps.setup-awf.outputs.image-tag }}"
+          which awf
+          awf --version
+          # Verify the version matches
+          if [[ "${{ steps.setup-awf.outputs.version }}" != "v0.7.0" ]]; then
+            echo "::error::Version mismatch! Expected v0.7.0, got ${{ steps.setup-awf.outputs.version }}"
+            exit 1
+          fi
+          # Verify image tag is set correctly (without 'v' prefix)
+          if [[ "${{ steps.setup-awf.outputs.image-tag }}" != "0.7.0" ]]; then
+            echo "::error::Image tag mismatch! Expected 0.7.0, got ${{ steps.setup-awf.outputs.image-tag }}"
+            exit 1
+          fi
+
+  test-action-with-images:
+    name: Test Action (With Image Pull)
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
+
+      - name: Setup awf with image pull
+        id: setup-awf
+        uses: ./
+        with:
+          version: 'v0.7.0'
+          pull-images: 'true'
+
+      - name: Verify awf and images are available
+        run: |
+          echo "Installed version: ${{ steps.setup-awf.outputs.version }}"
+          echo "Image tag: ${{ steps.setup-awf.outputs.image-tag }}"
+          which awf
+          awf --version
+          
+          # Verify Docker images are pulled
+          echo "Checking for pulled images..."
+          docker images ghcr.io/githubnext/gh-aw-firewall/squid
+          docker images ghcr.io/githubnext/gh-aw-firewall/agent
+
+  test-action-invalid-version:
+    name: Test Action (Invalid Version - Should Fail)
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
+
+      - name: Setup awf with invalid version (should fail)
+        id: setup-awf
+        uses: ./
+        with:
+          version: 'invalid-version'
+        continue-on-error: true
+
+      - name: Verify action failed as expected
+        run: |
+          if [[ "${{ steps.setup-awf.outcome }}" == "success" ]]; then
+            echo "::error::Action should have failed with invalid version"
+            exit 1
+          fi
+          echo "Action correctly rejected invalid version format"
@@ -34,7 +34,81 @@ sudo -E awf \
 
 For checksum verification, version pinning, and manual installation steps, see [Quick start](docs/quickstart.md).
 
-All published container images are cryptographically signed with cosign. See [docs/image-verification.md](docs/image-verification.md) for verification instructions.
+#### GitHub Action (recommended for CI/CD)
+
+Use the setup action in your workflows:
+
+```yaml
+steps:
+  - name: Setup awf
+    uses: githubnext/gh-aw-firewall@main
+    with:
+      # version: 'v1.0.0'    # Optional: defaults to latest
+      # pull-images: 'true'  # Optional: pre-pull Docker images for the version
+
+  - name: Run command with firewall
+    run: sudo awf --allow-domains github.com -- curl https://api.github.com
+```
+
+To pin Docker images to match the installed version, use `pull-images: 'true'` and pass the image tag to awf:
+
+```yaml
+steps:
+  - name: Setup awf
+    id: setup-awf
+    uses: githubnext/gh-aw-firewall@main
+    with:
+      version: 'v0.7.0'
+      pull-images: 'true'
+
+  - name: Run with pinned images
+    run: |
+      sudo awf --allow-domains github.com \
+        --image-tag ${{ steps.setup-awf.outputs.image-tag }} \
+        -- curl https://api.github.com
+```
+
+#### Shell script
+
+```bash
+# Install latest version
+curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo bash
+
+# Install a specific version
+curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo bash -s -- v1.0.0
+
+# Or using environment variable
+curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v1.0.0 bash
+```
+
+The shell installer automatically:
+- Downloads the latest release binary (or a specified version)
+- Verifies SHA256 checksum to detect corruption or tampering
+- Validates the file is a valid Linux executable
+- Protects against 404 error pages being saved as binaries
+- Installs to `/usr/local/bin/awf`
+
+**Alternative: Manual installation**
+
+```bash
+# Download the latest release binary
+curl -fL https://github.com/githubnext/gh-aw-firewall/releases/latest/download/awf-linux-x64 -o awf
+
+# Download checksums for verification
+curl -fL https://github.com/githubnext/gh-aw-firewall/releases/latest/download/checksums.txt -o checksums.txt
+
+# Verify SHA256 checksum
+sha256sum -c checksums.txt --ignore-missing
+
+# Install
+chmod +x awf
+sudo mv awf /usr/local/bin/
+
+# Verify installation
+sudo awf --help
+```
+
+**Docker Image Verification:** All published container images are cryptographically signed with cosign. See [docs/image-verification.md](docs/image-verification.md) for verification instructions.
 
 ## Explore the docs
 
 
@@ -0,0 +1,186 @@
+name: 'Setup AWF'
+description: 'Install the Agentic Workflow Firewall (awf) CLI tool'
+author: 'GitHub'
+branding:
+  icon: 'shield'
+  color: 'blue'
+
+inputs:
+  version:
+    description: 'Version to install (e.g., v1.0.0). Defaults to latest release.'
+    required: false
+    default: 'latest'
+  pull-images:
+    description: 'Pull Docker images for the installed version. Set to "true" to pre-pull squid and agent images.'
+    required: false
+    default: 'false'
+
+outputs:
+  version:
+    description: 'The version of awf that was installed'
+    value: ${{ steps.install.outputs.version }}
+  image-tag:
+    description: 'The image tag that matches the installed version (without the v prefix)'
+    value: ${{ steps.install.outputs.image_tag }}
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Validate runner OS and architecture
+      shell: bash
+      run: |
+        if [ "$RUNNER_OS" != "Linux" ]; then
+          echo "::error::This action only supports Linux runners. Current OS: $RUNNER_OS"
+          exit 1
+        fi
+
+        # Validate architecture (only x64 is supported)
+        ARCH=$(uname -m)
+        if [ "$ARCH" != "x86_64" ] && [ "$ARCH" != "amd64" ]; then
+          echo "::error::This action only supports x64 architecture. Current architecture: $ARCH"
+          exit 1
+        fi
+
+    - name: Install awf
+      id: install
+      shell: bash
+      env:
+        INPUT_VERSION: ${{ inputs.version }}
+      run: |
+        set -euo pipefail
+
+        REPO="githubnext/gh-aw-firewall"
+        BINARY_NAME="awf-linux-x64"
+        INSTALL_DIR="${RUNNER_TEMP}/awf-bin"
+
+        # Create install directory
+        mkdir -p "$INSTALL_DIR"
+
+        # Determine version
+        if [ "$INPUT_VERSION" = "latest" ] || [ -z "$INPUT_VERSION" ]; then
+          echo "Fetching latest release version..."
+          # Use jq if available, fallback to grep/sed
+          if command -v jq &> /dev/null; then
+            VERSION=$(curl -fsSL "https://api.github.com/repos/${REPO}/releases/latest" | jq -r '.tag_name')
+          else
+            VERSION=$(curl -fsSL "https://api.github.com/repos/${REPO}/releases/latest" | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/')
+          fi
+          if [ -z "$VERSION" ] || [ "$VERSION" = "null" ]; then
+            echo "::error::Failed to fetch latest version from GitHub API"
+            exit 1
+          fi
+          echo "Latest version: $VERSION"
+        else
+          VERSION="$INPUT_VERSION"
+          # Validate version format (supports v1.0.0, v1.0.0-beta.1, v1.0.0-rc.1, etc.)
+          if ! echo "$VERSION" | grep -qE '^v[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.]+)?$'; then
+            echo "::error::Invalid version format: $VERSION. Expected format: v1.0.0 or v1.0.0-beta.1"
+            exit 1
+          fi
+        fi
+
+        echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+        
+        # Extract image tag (version without 'v' prefix)
+        IMAGE_TAG="${VERSION#v}"
+        echo "image_tag=$IMAGE_TAG" >> "$GITHUB_OUTPUT"
+
+        # Download URLs
+        BASE_URL="https://github.com/${REPO}/releases/download/${VERSION}"
+        BINARY_URL="${BASE_URL}/${BINARY_NAME}"
+        CHECKSUMS_URL="${BASE_URL}/checksums.txt"
+
+        # Download binary
+        echo "Downloading awf ${VERSION}..."
+        if ! curl -fsSL "$BINARY_URL" -o "$INSTALL_DIR/awf"; then
+          echo "::error::Failed to download binary from $BINARY_URL"
+          exit 1
+        fi
+
+        # Download checksums
+        echo "Downloading checksums..."
+        if ! curl -fsSL "$CHECKSUMS_URL" -o "$INSTALL_DIR/checksums.txt"; then
+          echo "::error::Failed to download checksums from $CHECKSUMS_URL"
+          exit 1
+        fi
+
+        # Verify checksum
+        echo "Verifying SHA256 checksum..."
+        
+        # Validate checksums.txt format (should have "checksum  filename" format)
+        if ! grep -qE '^[a-fA-F0-9]{64}  ' "$INSTALL_DIR/checksums.txt"; then
+          echo "::error::checksums.txt has unexpected format"
+          exit 1
+        fi
+        
+        EXPECTED_SUM=$(awk -v fname="$BINARY_NAME" '$2 == fname {print $1; exit}' "$INSTALL_DIR/checksums.txt")
+
+        if [ -z "$EXPECTED_SUM" ]; then
+          echo "::error::Could not find checksum for $BINARY_NAME in checksums.txt"
+          exit 1
+        fi
+
+        # Validate checksum format (64 hex characters)
+        if ! echo "$EXPECTED_SUM" | grep -qE '^[a-fA-F0-9]{64}$'; then
+          echo "::error::Invalid checksum format: $EXPECTED_SUM"
+          exit 1
+        fi
+
+        # Normalize to lowercase for comparison
+        EXPECTED_SUM=$(echo "$EXPECTED_SUM" | tr '[:upper:]' '[:lower:]')
+        ACTUAL_SUM=$(sha256sum "$INSTALL_DIR/awf" | awk '{print $1}' | tr '[:upper:]' '[:lower:]')
+
+        if [ "$EXPECTED_SUM" != "$ACTUAL_SUM" ]; then
+          echo "::error::Checksum verification failed!"
+          echo "Expected: $EXPECTED_SUM"
+          echo "Got:      $ACTUAL_SUM"
+          exit 1
+        fi
+
+        echo "Checksum verification passed ✓"
+
+        # Verify it's a valid ELF executable
+        if ! file "$INSTALL_DIR/awf" | grep -q "ELF.*executable"; then
+          echo "::error::Downloaded file is not a valid Linux executable"
+          exit 1
+        fi
+
+        # Make executable
+        chmod +x "$INSTALL_DIR/awf"
+
+        # Clean up checksums file
+        rm -f "$INSTALL_DIR/checksums.txt"
+
+        # Add to PATH
+        echo "$INSTALL_DIR" >> "$GITHUB_PATH"
+
+        echo "Successfully installed awf ${VERSION} to $INSTALL_DIR"
+        echo "awf is now available in PATH for subsequent steps"
+
+    - name: Pull Docker images
+      if: ${{ inputs.pull-images == 'true' }}
+      shell: bash
+      env:
+        IMAGE_TAG: ${{ steps.install.outputs.image_tag }}
+      run: |
+        set -euo pipefail
+        
+        REGISTRY="ghcr.io/githubnext/gh-aw-firewall"
+        
+        echo "Pulling awf Docker images with tag: ${IMAGE_TAG}"
+        
+        # Pull squid image
+        echo "Pulling ${REGISTRY}/squid:${IMAGE_TAG}..."
+        if ! docker pull "${REGISTRY}/squid:${IMAGE_TAG}"; then
+          echo "::warning::Failed to pull squid image with tag ${IMAGE_TAG}, trying 'latest'"
+          docker pull "${REGISTRY}/squid:latest"
+        fi
+        
+        # Pull agent image
+        echo "Pulling ${REGISTRY}/agent:${IMAGE_TAG}..."
+        if ! docker pull "${REGISTRY}/agent:${IMAGE_TAG}"; then
+          echo "::warning::Failed to pull agent image with tag ${IMAGE_TAG}, trying 'latest'"
+          docker pull "${REGISTRY}/agent:latest"
+        fi
+        
+        echo "Docker images pulled successfully ✓"