Pin agentic engine CLIs to fixed versions for supply chain security#25111
Pin agentic engine CLIs to fixed versions for supply chain security#25111
Conversation
…rity - Pin DefaultCopilotVersion=1.0.20, DefaultClaudeCodeVersion=2.1.92, DefaultCodexVersion=0.118.0, DefaultGeminiVersion=0.36.0 - Add validateEngineVersion() warning when engine.version: latest is set - Always use --ignore-scripts for engine CLI npm installs - Update golden test data and all compiled lock files Agent-Logs-Url: https://github.com/github/gh-aw/sessions/6febda3c-ad27-41a8-9d4f-553aa6b045fa Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
Pins agentic engine CLI versions to fixed releases and hardens installation behavior to improve supply chain security and reproducibility, while surfacing explicit engine.version: latest usage during compilation.
Changes:
- Pin default engine CLI versions in constants (Copilot/Claude/Codex/Gemini) instead of using
"latest". - Add a compiler validation that warns (or errors in strict mode) when
engine.version: latestis explicitly set. - Force engine CLI npm installs to always use
--ignore-scripts, independent of the workflow’srun-install-scriptssetting, and update golden/lock artifacts accordingly.
Show a summary per file
| File | Description |
|---|---|
| pkg/constants/version_constants.go | Replaces "latest" defaults with pinned engine CLI versions. |
| pkg/workflow/engine_validation.go | Adds validateEngineVersion() to warn/error on explicit engine.version: latest. |
| pkg/workflow/compiler_orchestrator_workflow.go | Wires validateEngineVersion() into the workflow parse/compile pipeline. |
| pkg/workflow/engine_helpers.go | Forces GenerateNpmInstallSteps(..., runInstallScripts=false) for engine CLI installs (always --ignore-scripts). |
| pkg/workflow/copilot_installer.go | Updates installer comment to reflect pinned default behavior. |
| pkg/workflow/engine_validation_test.go | Adds tests for validateEngineVersion(). |
| pkg/workflow/testdata/**.golden | Updates wasm golden outputs to reflect pinned versions. |
| .github/workflows/.lock.yml and pkg/workflow/.lock.yml | Bulk updates compiled/locked workflows to use pinned engine versions instead of latest. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 195/195 changed files
- Comments generated: 2
| if workflowData.EngineConfig == nil || workflowData.EngineConfig.Version == "" { | ||
| // No explicit version set; the compiler uses its own pinned default. | ||
| return nil | ||
| } | ||
|
|
||
| if !strings.EqualFold(workflowData.EngineConfig.Version, "latest") { | ||
| return nil | ||
| } |
There was a problem hiding this comment.
validateEngineVersion compares workflowData.EngineConfig.Version to "latest" without trimming whitespace. Because version values come from YAML via stringutil.ParseVersionValue (which preserves quoted whitespace), a workflow could set engine.version: "latest " and bypass this validation. Consider normalizing with strings.TrimSpace (or trimming at parse time) before the EqualFold check.
| tests := []struct { | ||
| name string | ||
| engineCfg *EngineConfig | ||
| strictMode bool | ||
| expectWarn bool | ||
| expectError bool | ||
| }{ |
There was a problem hiding this comment.
TestValidateEngineVersion defines expectWarn in the table but never asserts it, so the test won’t fail if the warning path stops incrementing the warning counter. Mirror TestValidateRunInstallScripts_Warning by resetting/asserting compiler.GetWarningCount() (and/or capturing stderr) for the non-strict "latest" cases, or remove the unused expectWarn field.
Summary
Pins all agentic engine CLIs from
"latest"to specific fixed versions, adds a compiler warning when a user explicitly setsengine.version: latest, and ensures engine CLI npm installs always use--ignore-scripts.Changes
pkg/constants/version_constants.go: PinDefaultCopilotVersion=1.0.20,DefaultClaudeCodeVersion=2.1.92,DefaultCodexVersion=0.118.0,DefaultGeminiVersion=0.36.0pkg/workflow/engine_validation.go: AddvalidateEngineVersion()that warns (non-strict) or errors (strict) whenengine.version: latestis explicitly set in a workflowpkg/workflow/compiler_orchestrator_workflow.go: WirevalidateEngineVersioninto the compilation pipelinepkg/workflow/engine_helpers.go:BuildStandardNpmEngineInstallStepsnow always passesfalseforrunInstallScripts, ensuring engine CLI installs always use--ignore-scriptsregardless of the workflow'srun-install-scriptssettingpkg/workflow/copilot_installer.go: Update stale commentpkg/workflow/engine_validation_test.go: Add tests forvalidateEngineVersionSecurity
latestversions can change unpredictably and introduce vulnerabilities or breaking changes--ignore-scriptseven whenrun-install-scripts: trueis set for user packagesvalidateEngineVersionvalidator surfaces explicitengine.version: latestusage as a supply chain security warning at compile time