feat(ci): add api-proxy image to release pipeline (#846)

Mossaka · claude · web-flow · commit 3ce3a8fcfd0c · 2026-02-13T16:38:31.000-08:00
The api-proxy sidecar container (containers/api-proxy/) exists in the repo
but was never wired into the release workflow. This means the image
ghcr.io/github/gh-aw-firewall/api-proxy:&lt;version&gt; was never published to
GHCR, causing smoke tests to fail when --enable-api-proxy is used:

  Container awf-api-proxy  Error response from daemon: No such image:
  ghcr.io/github/gh-aw-firewall/api-proxy:0.16.5

Add build, push, cosign signing, and SBOM attestation steps for the
api-proxy image, matching the existing pattern for squid and agent images.

Co-authored-by: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -122,6 +122,37 @@ jobs:
             --type spdxjson \
             ghcr.io/${{ github.repository }}/agent@${{ steps.build_agent.outputs.digest }}
 
+      - name: Build and push API Proxy image
+        id: build_api_proxy
+        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
+        with:
+          context: ./containers/api-proxy
+          push: true
+          tags: |
+            ghcr.io/${{ github.repository }}/api-proxy:${{ steps.version_early.outputs.version_number }}
+            ghcr.io/${{ github.repository }}/api-proxy:latest
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Sign API Proxy image with cosign
+        run: |
+          cosign sign --yes \
+            ghcr.io/${{ github.repository }}/api-proxy@${{ steps.build_api_proxy.outputs.digest }}
+
+      - name: Generate SBOM for API Proxy image
+        uses: anchore/sbom-action@28d71544de8eaf1b958d335707167c5f783590ad # v0.22.2
+        with:
+          image: ghcr.io/${{ github.repository }}/api-proxy@${{ steps.build_api_proxy.outputs.digest }}
+          format: spdx-json
+          output-file: api-proxy-sbom.spdx.json
+
+      - name: Attest SBOM for API Proxy image
+        run: |
+          cosign attest --yes \
+            --predicate api-proxy-sbom.spdx.json \
+            --type spdxjson \
+            ghcr.io/${{ github.repository }}/api-proxy@${{ steps.build_api_proxy.outputs.digest }}
+
       # Build agent-act image with catthehacker/ubuntu:act-24.04 base for GitHub Actions parity
       - name: Build and push Agent-Act image
         id: build_agent_act
