[plan] Address poutine supply chain findings: replace curl | bash patterns and review ARM self-hosted runner PR usage #17672

@github-actions

Objective

Address poutine supply chain security findings: replace curl | bash install patterns with checksum-verified downloads, and review the self-hosted runner PR workflow.

Context

From Static Analysis Report discussion #17668 (2026-02-22 scan):

Finding 1: unverified_script_exec (4 occurrences, info severity)

File                                  Line  Command
copilot-setup-steps.yml               17    curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh | bash
copilot-setup-steps.yml               42    curl -LsSf (astral.sh/redacted) | sh
daily-copilot-token-report.lock.yml   349   curl -fsSL .../install-gh-aw.sh | bash
daily-copilot-token-report.lock.yml   361   curl -LsSf (astral.sh/redacted) | sh

Finding 2: pr_runs_on_self_hosted (1 occurrence, warning severity)

  • .github/workflows/smoke-copilot-arm.lock.yml:347: runs-on: ubuntu-24.04-arm in a PR-triggered workflow
  • Risk: untrusted PR code can interact with the self-hosted runner

Required Changes

For unverified_script_exec:

  1. For install-gh-aw.sh: Download the script first, verify checksum against a pinned known hash, then execute — OR use the GitHub CLI to install from a pinned release tag
  2. For astral.sh/uv: Use uv GitHub releases directly via actions/setup-python + pip install uv or use the official astral-sh/setup-uv action pinned to a commit SHA

For pr_runs_on_self_hosted:

  1. Investigate smoke-copilot-arm.md — determine if ubuntu-24.04-arm is required for PR runs
  2. If possible, restrict the ARM runner to non-PR triggers (push/workflow_dispatch) and use GitHub-hosted runners for PR events

Acceptance Criteria

  • copilot-setup-steps.yml no longer uses curl | bash for either install script
  • daily-copilot-token-report.md updated and recompiled without curl | bash
  • smoke-copilot-arm PR trigger safety reviewed and addressed or documented with justification
  • make recompile succeeds
  • make agent-finish passes

Generated by Plan Command for issue #discussion #17668

  • expires on Feb 24, 2026, 7:00 AM UTC
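
The download, verify, then execute sequence from Required Changes item 1, as an added example that is not part of the issue or the gh-aw repository. The function names, the `INSTALL_SHELL` variable, and the stand-in installer are assumptions made for illustration; the URL and hash in the comments are placeholders.

```shell
#!/bin/sh
# Added example: run a downloaded installer only if it matches a pinned SHA-256.
set -u

# sha256_of FILE: print the hex digest (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_and_run FILE EXPECTED_SHA256 [ARGS...]
# Executes FILE only when its digest equals the pin; returns 2 otherwise.
# INSTALL_SHELL (hypothetical variable) picks the interpreter, default sh.
verify_and_run() {
  file="$1"; expected="$2"; shift 2
  [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
  actual="$(sha256_of "$file")"
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 2
  fi
  "${INSTALL_SHELL:-sh}" "$file" "$@"
}

# In a workflow step (URL and hash are placeholders, not values from the issue):
#   curl -fsSL --output "$RUNNER_TEMP/install.sh" "<PINNED_TAG_OR_COMMIT_URL>"
#   INSTALL_SHELL=bash verify_and_run "$RUNNER_TEMP/install.sh" "<PINNED_SHA256>"
# A branch URL (refs/heads/main) changes under the pin, so any upstream change
# to the script fails the check until the hash is reviewed and updated.

# Constructed demo: a stand-in installer, then a tampered copy of it.
demo() {
  dir="$(mktemp -d)"
  printf '#!/bin/sh\necho installed\n' > "$dir/install.sh"
  pin="$(sha256_of "$dir/install.sh")"   # in practice recorded at review time
  verify_and_run "$dir/install.sh" "$pin"
  printf 'echo tampered\n' >> "$dir/install.sh"
  verify_and_run "$dir/install.sh" "$pin" || echo "blocked, exit code $?"
  rm -rf "$dir"
}
demo
```

The mismatch branch returns before any interpreter is started, so a modified script never executes, unlike a pipe into `bash` where execution begins as bytes arrive.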
