
fix: add SHA256 checksum verification to install-gh-aw.sh curl-pipe-bash patterns#17856

Closed
Copilot wants to merge 2 commits into main from copilot/add-checksum-verification

Conversation

Contributor

Copilot AI commented Feb 23, 2026

Two curl | bash invocations of install-gh-aw.sh executed the script without integrity verification, flagged as unverified_script_exec by Poutine at copilot-setup-steps.yml:17 and daily-copilot-token-report.lock.yml:302.

Changes

  • copilot-setup-steps.yml: Replaced direct curl | bash with download → sha256sum verify → bash execute:

        curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh -o /tmp/gh-aw-install.sh
        echo "561f76eedd4b2c0448f21b0862a930784148ff4cc5491150f2bf5eb0bc6dd227  /tmp/gh-aw-install.sh" | sha256sum -c
        bash /tmp/gh-aw-install.sh

  • Added inline comment documenting how to regenerate the checksum (sha256sum install-gh-aw.sh) when the script is updated.

  • daily-copilot-token-report.lock.yml: Updated automatically via make recompile — the lock file imports copilot-setup-steps.yml, so fixing the source propagates the fix here.

Note: The hardcoded SHA256 must be updated whenever install-gh-aw.sh changes.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:


If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details the original issue you should resolve

<issue_title>[plan] Fix unverified_script_exec: Add checksum verification to install-gh-aw.sh curl-pipe-bash patterns</issue_title>
<issue_description>## Objective

Add SHA256 checksum verification to the two curl | bash patterns that execute install-gh-aw.sh without integrity checking.

## Context

From static analysis discussion #17844: Poutine flags two unverified_script_exec findings (info severity):

  • .github/workflows/copilot-setup-steps.yml:17
  • .github/workflows/daily-copilot-token-report.lock.yml:302

Both execute curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh | bash without verifying the script's integrity. If the script is tampered with (compromised repo or CDN), the runner executes malicious code.

## Approach

  1. Open .github/workflows/copilot-setup-steps.yml and find the curl-pipe-bash pattern
  2. Open the source .md file that compiles to daily-copilot-token-report.lock.yml (likely .github/workflows/daily-copilot-token-report.md) and find the same pattern
  3. Replace direct curl | bash with a download-then-verify-then-execute pattern:
    curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh -o /tmp/gh-aw-install.sh
    echo "EXPECTED_SHA256  /tmp/gh-aw-install.sh" | sha256sum -c
    bash /tmp/gh-aw-install.sh
  4. The expected SHA256 should be computed from the current install-gh-aw.sh and stored as a workflow variable or inline constant
  5. Run make recompile after modifying any .md files
  6. Run make agent-finish before committing

## Files to Modify

  • .github/workflows/copilot-setup-steps.yml (direct YAML — not compiled)
  • Find and update the .md source file that generates daily-copilot-token-report.lock.yml

## Acceptance Criteria

  • Both curl | bash patterns are replaced with download + verify + execute
  • The expected SHA256 checksum is documented and maintained
  • make recompile runs without errors (for any modified .md files)
  • make agent-finish passes
  • Poutine unverified_script_exec findings drop to 0

Generated by Plan Command for issue #discussion #17844

  • expires on Feb 25, 2026, 7:18 AM UTC

Comments on the Issue (you are @copilot in this section)



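The download-then-verify-then-execute pattern from the plan above, written out as a helper with the failure path made explicit. This is an added example, not code from the PR or the gh-aw project: the network fetch is replaced by a constructed local stand-in for install-gh-aw.sh so it runs offline, and `pin_sha256` reproduces the documented regeneration step (`sha256sum install-gh-aw.sh`).

```shell
#!/bin/bash
# Added example, not the PR's code. Demonstrates the pattern
#   download -> sha256sum -c -> bash
# with an explicit branch on the verification result.

# Verify file $1 against expected hex digest $2.
# sha256sum -c exits non-zero on a mismatch or a missing file,
# so callers can branch on the return code.
verify_sha256() {
  printf '%s  %s\n' "$2" "$1" | sha256sum -c >/dev/null 2>&1
}

# Execute $1 only when it matches digest $2. Without this explicit
# check (or set -e in the step), a `bash file` line placed after a
# failed `sha256sum -c` would still run the unverified script.
run_verified() {
  if verify_sha256 "$1" "$2"; then
    bash "$1"
  else
    echo "sha256 mismatch for $1, refusing to execute" >&2
    return 1
  fi
}

# Regenerate the pinned digest for a new script version:
# the first field of `sha256sum <file>`.
pin_sha256() {
  sha256sum "$1" | cut -d' ' -f1
}

# Self-check on a constructed stand-in for install-gh-aw.sh:
# the pristine file runs, a modified copy with the old pin is refused.
demo() {
  tmp=$(mktemp -d)
  printf 'echo installed\n' > "$tmp/install.sh"      # constructed script
  expected=$(pin_sha256 "$tmp/install.sh")
  run_verified "$tmp/install.sh" "$expected" >/dev/null || return 1
  printf 'echo extra\n' >> "$tmp/install.sh"         # simulate a change
  if run_verified "$tmp/install.sh" "$expected" >/dev/null 2>&1; then
    return 1   # a changed file must not execute under the old pin
  fi
  rm -rf "$tmp"
  return 0
}
```

In a workflow `run:` step the three lines from the PR rely on the shell's `set -e` to stop before `bash /tmp/gh-aw-install.sh`; the explicit `if` above removes that dependency.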
…ash patterns

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Add SHA256 checksum verification to curl-bash patterns fix: add SHA256 checksum verification to install-gh-aw.sh curl-pipe-bash patterns Feb 23, 2026
@pelikhan pelikhan closed this Feb 23, 2026