What's Changed
New Feature: --allow-host-service-ports
Adds a new `--allow-host-service-ports <ports>` CLI flag for accessing GitHub Actions `services:` containers (e.g., PostgreSQL, Redis, MySQL) from within the AWF sandbox.
Why: GitHub Actions `services:` containers publish ports to the host via port mapping. These are typically "dangerous" ports (5432, 6379, 3306) that AWF blocks by default. This flag allows agents to reach these specific ports on the host gateway only — traffic to the same ports on the internet remains blocked.
Usage:
```bash
# Allow PostgreSQL and Redis access to host services
sudo awf --allow-domains github.com --allow-host-service-ports 5432,6379 -- pytest
# Multiple services
sudo awf --allow-domains github.com --allow-host-service-ports 5432,6379,3306 -- npm test
```
Key behaviors:
- Auto-enables `--enable-host-access` (with an explicit warning that ports 80/443 also open)
- Traffic restricted to the host gateway IPs only (172.17.0.1 and 172.30.0.1) — cannot reach the internet
- Port validation: single numeric ports 1-65535 (no ranges)
- Enforced at both host level (FW_WRAPPER/DOCKER-USER iptables chains) and container-level iptables
- SSH risk documented in `--help` when allowing port 22
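The port validation and gateway-only rule shape described above, as an added illustration (not awf's own code): `validate_ports` applies the single-port 1-65535 rule, and `gateway_port_rules` prints the iptables rules that would allow each port only toward the two host gateway IPs from the notes and drop it elsewhere. The FW_WRAPPER chain name comes from the notes; the exact rule layout is an assumption for illustration.

```bash
#!/bin/sh
# Added example, not awf's implementation. Gateway IPs are the ones listed in
# the release notes; the rule layout below is an assumed illustration of intent.
set -u

HOST_GATEWAYS="172.17.0.1 172.30.0.1"

# Accept a comma-separated list of single numeric ports (1-65535, no ranges).
# Prints the validated ports space-separated on stdout; returns 1 on a bad entry.
validate_ports() {
  [ -n "$1" ] || { echo "no ports given" >&2; return 1; }
  old_ifs=$IFS; IFS=','; set -- $1; IFS=$old_ifs
  out=""
  for p in "$@"; do
    case "$p" in
      ''|*[!0-9]*)
        echo "invalid port '$p': single numeric ports only, no ranges" >&2
        return 1 ;;
    esac
    if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
      echo "invalid port $p: must be 1-65535" >&2
      return 1
    fi
    out="${out:+$out }$p"
  done
  printf '%s\n' "$out"
}

# Print iptables rules for the validated ports: ACCEPT toward each host gateway
# IP, then DROP the same port toward any other destination (internet stays blocked).
# Port 22 gets the SSH warning the notes mention, emitted as a comment line.
gateway_port_rules() {
  ports=$(validate_ports "$1") || return 1
  for p in $ports; do
    if [ "$p" -eq 22 ]; then
      echo "# WARNING: port 22 exposes the host's SSH service to the sandbox"
    fi
    for gw in $HOST_GATEWAYS; do
      echo "iptables -A FW_WRAPPER -p tcp -d $gw --dport $p -j ACCEPT"
    done
    echo "iptables -A FW_WRAPPER -p tcp --dport $p -j DROP"
  done
}
```

Run `gateway_port_rules 5432,6379` to print the rules; nothing is applied, so the script is safe to inspect on any machine.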
Changes
Full Changelog: v0.25.1...v0.25.2