Closed as not planned
Objective
Add SHA256 checksum verification to the two curl | bash patterns that execute install-gh-aw.sh without integrity checking.
Context
From static analysis discussion #17844: Poutine flags two unverified_script_exec findings (info severity):
- .github/workflows/copilot-setup-steps.yml:17
- .github/workflows/daily-copilot-token-report.lock.yml:302
Both execute curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh | bash without verifying the script's integrity. If the script is tampered with (compromised repo or CDN), the runner executes malicious code.
Approach
- Open .github/workflows/copilot-setup-steps.yml and find the curl-pipe-bash pattern
- Open the source .md file that compiles to daily-copilot-token-report.lock.yml (likely .github/workflows/daily-copilot-token-report.md) and find the same pattern
- Replace the direct curl | bash with a download-then-verify-then-execute pattern (the trailing || exit 1 keeps the step fail-closed, so the script is never run after a failed check; sha256sum -c expects two spaces between the digest and the file name):
    curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh -o /tmp/gh-aw-install.sh
    echo "EXPECTED_SHA256  /tmp/gh-aw-install.sh" | sha256sum -c || exit 1
    bash /tmp/gh-aw-install.sh
- The expected SHA256 should be computed from the current install-gh-aw.sh and stored as a workflow variable or inline constant
- Run make recompile after modifying any .md files
- Run make agent-finish before committing
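The download-then-verify-then-execute step above, written out as an added example that is not part of this issue or of the gh-aw project: verification is fail-closed (the script runs only after the digest matches) and malformed pins are rejected rather than silently passed. The function names verify_script, fetch_verify_run and sha256_of are assumptions, and EXPECTED_SHA256 remains a placeholder to be filled from the current install-gh-aw.sh.

```bash
#!/usr/bin/env bash
# Added example (not gh-aw project code): fail-closed replacement for
# `curl URL | bash`, usable as the body of a workflow `run:` step.
set -eu

# Print the SHA256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_script FILE EXPECTED_SHA256
# Returns 0 only when FILE hashes to the pinned digest. A missing file,
# a malformed pin, or a mismatch returns 1 so the caller never runs it.
verify_script() {
  local file="$1" expected="$2" actual
  [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
  case "$expected" in
    *[!0-9a-f]*|"") echo "pin is not a lowercase hex digest" >&2; return 1 ;;
  esac
  [ "${#expected}" -eq 64 ] || { echo "pin has wrong length" >&2; return 1; }
  actual="$(sha256_of "$file")"
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
  fi
}

# fetch_verify_run URL EXPECTED_SHA256
# Downloads to a temp file, verifies, and only then executes. Under set -e
# a failed verify_script aborts the step before the `bash` line is reached.
fetch_verify_run() {
  local url="$1" expected="$2" tmp
  tmp="$(mktemp)"
  curl -fsSL "$url" -o "$tmp"
  verify_script "$tmp" "$expected"
  bash "$tmp"
  rm -f "$tmp"
}

# Usage in the workflow step (EXPECTED_SHA256 is a placeholder to fill in):
# fetch_verify_run \
#   https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh \
#   "$EXPECTED_SHA256"
```

Because the URL points at refs/heads/main, the pinned digest stops matching whenever install-gh-aw.sh changes upstream, which is why the acceptance criteria require the checksum to be maintained, not just documented.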
Files to Modify
- .github/workflows/copilot-setup-steps.yml (direct YAML — not compiled)
- Find and update the .md source file that generates daily-copilot-token-report.lock.yml
Acceptance Criteria
- Both curl | bash patterns are replaced with download + verify + execute
- The expected SHA256 checksum is documented and maintained
- make recompile runs without errors (for any modified .md files)
- make agent-finish passes
- Poutine unverified_script_exec findings drop to 0
Generated by Plan Command for issue #discussion #17844
- expires on Feb 25, 2026, 7:18 AM UTC