feat: enable checksum validation by default in install-gh-aw.sh

[Copilot]

Summary

Enable SHA256 checksum validation by default when installing the gh-aw binary, and fix several latent issues that became reachable once checksum validation runs on every install.

Background

scripts/build-release.sh already generates a checksums.txt file during the build process, and the release workflow uploads all dist/* files (including checksums.txt) to every GitHub release. The validation logic in both install scripts was fully implemented but gated behind SKIP_CHECKSUM=true (the default), pending checksums being available in releases.

Since checksums are now consistently published, this PR flips the default to SKIP_CHECKSUM=false.

Changes

Install scripts (install-gh-aw.sh / actions/setup-cli/install.sh)

• Change default SKIP_CHECKSUM=true → SKIP_CHECKSUM=false; remove redundant SKIP_CHECKSUM=false override in the GitHub Actions context block; update header comment
• Fix checksum lookup: replace grep "$EXPECTED_FILENAME" | awk '{print $1}' (substring match) with awk -v f="$EXPECTED_FILENAME" '$2 == f {print $1}' (exact field match) to prevent false positives
• Add --connect-timeout 15 --max-time 120/60 to curl calls to prevent indefinite hangs when connections stall on Windows runners
• Add BINARY_EXEC_TIMEOUT="timeout 30" on Windows wrapping the post-install binary verification calls (--help, version), matching the existing pattern for gh extension install; on timeout a warning is emitted and the install completes (the binary already passed checksum verification)

.github/workflows/install.yml

• Add timeout-minutes: 5 to the test-install job so hung Windows runners are cancelled quickly
• Wrap the workflow step's own binary verification calls (version, --help) with timeout 60 on Windows, preventing the step itself from hanging after the install script completes

pkg/cli/update_extension_check.go

• macOS prerelease upgrade fix: gh extension upgrade --force resolves the upgrade target via /releases/latest which excludes prereleases; on macOS the binary is not locked so the first attempt "succeeds" but installs an older stable release instead of the desired prerelease. When --pre-releases is set on macOS, skip gh extension upgrade --force entirely and use gh extension remove + gh extension install --pin <latestVersion> to ensure the exact version is installed.
• Windows prerelease upgrade fix (cross-drive rename): The backup move used os.Rename(backup, os.TempDir()+...) which fails with EXDEV when the extension directory (C:) and %TEMP% (D:) are on different drives — common on GitHub Actions runners. Added a same-drive fallback that moves the backup to the parent of the extension directory, which is guaranteed to be on the same drive.
• Windows prerelease upgrade fix (stale .bak cleanup): The gh CLI has its own Windows rename-and-retry mechanism that creates {exe}.{pid}.bak files. If such a file is left behind and briefly locked by Windows Defender after the originating process exits, gh extension upgrade --force fails with "failed to remove previous extension update state: Access is denied". Added cleanupStaleWindowsBackups() — called after our own backup is relocated — which retries removal of any foreign .bak files in the extension directory with short delays to outlast transient antivirus locks. Added "failed to remove previous extension update state" to isWindowsLockError so the Windows manual-upgrade guidance is shown when the gh CLI surfaces this message.

.github/workflows/upgrade-test.yml

• macOS old-binary compatibility: Binaries older than v0.71.3 (which pre-date the macOS prerelease fix) call gh extension upgrade --force on macOS and may install the latest stable release instead of the target prerelease. Added a post-upgrade check on macOS: if the installed version does not match the expected prerelease, log a warning and correct via gh extension install --pin <target> so the version verification step can still confirm the target works correctly.

Testing

• bash -n syntax check passes on both scripts
• scripts/test-install-script.sh — all 10 test groups pass
• All existing unit tests in pkg/cli/ pass
• New unit tests added for cleanupStaleWindowsBackups and the new isWindowsLockError pattern

[pelikhan]

@copilot review checksum code

[Copilot]

@copilot review checksum code

Found one bug: the checksum lookup used grep "$EXPECTED_FILENAME" | awk '{print $1}' which matches any line where the filename appears as a substring — e.g. searching for linux-amd64 would also match an entry named gh-aw-linux-amd64-extra.tar.gz, returning multiple hashes and causing a spurious verification failure.

Fixed in d4d43bb by replacing it with awk -v f="$EXPECTED_FILENAME" '$2 == f {print $1}' which matches only when field 2 is an exact equal to the expected filename.

Everything else in the checksum path looks solid:

• Tool detection (sha256sum / shasum -a 256) with graceful skip if neither is available
• Retry loop with 3 attempts for both the binary and checksums file downloads
• Corrupt binary is deleted before exiting on mismatch
• Checksums file is cleaned up after use

[Copilot]

Pull request overview

Enables SHA256 checksum validation by default in the gh-aw installer scripts now that checksums.txt is consistently published with releases.

Changes:

• Flip default SKIP_CHECKSUM from true → false in both install scripts.
• Remove the GitHub Actions-only SKIP_CHECKSUM=false override (now redundant).
• Tighten checksum lookup to an exact filename match using awk (instead of substring grep).

Show a summary per file

File	Description
install-gh-aw.sh	Enables checksum verification by default and improves checksum lookup precision.
actions/setup-cli/install.sh	Mirrors the same default checksum behavior and checksum lookup update for the GitHub Action installer.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comments suppressed due to low confidence (1)

install-gh-aw.sh:16

• Header docs still reference ./install.sh for usage/examples, but this script is install-gh-aw.sh (and later messaging already uses that name). This can mislead users copy/pasting the examples; update the Usage/Examples lines here to match the actual filename.

# Usage: ./install.sh [version] [options]
#
# Examples:
#   ./install.sh                           # Install latest version
#   ./install.sh v1.0.0                    # Install specific version
#   ./install.sh --skip-checksum           # Skip checksum validation
#

• Files reviewed: 2/2 changed files
• Comments generated: 0

[pelikhan]

@copilot investigate failure at https://github.com/github/gh-aw/actions/runs/25141957823/job/73694097432

[Copilot]

@copilot investigate failure at https://github.com/github/gh-aw/actions/runs/25141957823/job/73694097432

The Windows job ran for ~3 hours before being killed by the runner. Root cause: the two curl calls in the install script had no --connect-timeout or --max-time options. If the connection stalls (common on Windows GitHub Actions runners), curl blocks indefinitely and the retry loop never advances.

Fixed in e5b1ac6 by adding:

• --connect-timeout 15 --max-time 120 to the binary download
• --connect-timeout 15 --max-time 60 to the checksums download

This was a latent bug that became newly reachable for the checksums path once we flipped the SKIP_CHECKSUM default to false.

[pelikhan]

@copilot add a 5 minute timeout on the jobs for the installation scripts test.

Investigate why this one gets stuck: https://github.com/github/gh-aw/actions/runs/25191069497/job/73860917300?pr=29223

[Copilot]

@copilot add a 5 minute timeout on the jobs for the installation scripts test.

Investigate why this one gets stuck: https://github.com/github/gh-aw/actions/runs/25191069497/job/73860917300?pr=29223

Root cause found: the install script executes "$BINARY_PATH" --help and "$BINARY_PATH" version directly after download (lines 376 and 399). On Windows, Windows Defender scans the newly downloaded executable before allowing it to run, which can block indefinitely — this is the same issue already documented for gh extension install in the same script.

Fixed in 623d0ea:

• .github/workflows/install.yml: added timeout-minutes: 5 to the test-install job so a hung Windows runner is killed quickly
• install-gh-aw.sh / actions/setup-cli/install.sh: added BINARY_EXEC_TIMEOUT="timeout 30" on Windows (matching the existing pattern for gh extension install), wrapping both binary verification calls; on timeout a warning is emitted and the install completes — the binary is safe to use since it already passed checksum verification

[Copilot]

@copilot review failure at https://github.com/github/gh-aw/actions/runs/25267327147/job/74089167913#step:8:1

Root cause identified and fixed in 04a4a55:

Two separate bugs triggered the failure:

1. Cross-drive os.Rename failure — On GitHub Actions Windows runners the extension directory is on C: while %TEMP% is on D:. os.Rename cannot cross drives, so os.Rename(backup, tempBackup) failed silently and the backup stayed inside the extension directory (locked by the running process), causing gh extension remove to fail. Fixed by adding a same-drive fallback: filepath.Dir(extDir) (parent of the extension directory, guaranteed same drive).

2. Stale .bak from the gh CLI's own rename mechanism — The gh CLI has its own Windows rename-and-retry mechanism that creates {exe}.{pid}.bak files. When a previous gh extension install --force ran with a live gh-aw.exe process (PID 2412), the gh CLI created gh-aw.exe.2412.bak. Windows Defender briefly locked this file after PID 2412 exited, causing gh extension upgrade to print "failed to remove previous extension update state: Access is denied" and return non-zero, sending our code into the rename+retry path with an already-dirty extension directory. Fixed by adding cleanupStaleWindowsBackups() — called after our own backup is moved out — which retries .bak removal with 300 ms delays to outlast transient antivirus locks.

Also added "failed to remove previous extension update state" to isWindowsLockError so the Windows manual-upgrade guidance is shown when the gh CLI surfaces that message.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh gh repo view --json owner,name --jq .owner.login + "/" + .name ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env 2973448526/.github/workflows GO111MODULE .cfg GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GOMOD GOMODCACHE go env /ref/tags/v9 GO111MODULE sv GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw util GOMODCACHE go env t_NmpAeXU GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE ortcfg (http block)
• https://api.github.com/orgs/test-owner/actions/secrets
  • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE sh -c "prettier" --cheGOSUMDB GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go /opt/hostedtoolcache/go/1.25.8/xGO111MODULE (http block)
• https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq [.object.sha, .object.type] | @tsv --show-toplevel go /usr/bin/git runs/20260503-19git GO111MODULE /tmp/go-build366--show-toplevel git rev-�� --show-toplevel /tmp/go-build366--jq /usr/bin/git g/cli -test.v=true /usr/bin/git git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq [.object.sha, .object.type] | @tsv --show-toplevel infocmp /usr/bin/git ithub-script/gitgit git bject.type] | @t--show-toplevel git rev-�� --show-toplevel infocmp /usr/bin/git ithub-script/gitgh git bject.type] | @t/repos/actions/github-script/git/ref/tags/v9 git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v3
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv GOMODCACHE x_amd64/vet /usr/bin/git -json GO111MODULE 64/bin/go git rev-�� --git-dir go /usr/bin/infocmp -json GO111MODULE 64/bin/go infocmp (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv ithub-script/git/ref/tags/v9 gh bject.type] | @tsv /repos/actions/ggit --jq /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel node /usr/bin/git /tmp/TestHashCongit l /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git runs/20260503-19gh sh /usr/bin/infocmp/repos/actions/github-script/git/ref/tags/v9 git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv ithub-script/git/ref/tags/v9 /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linu^remote\..*\.gh-resolved$ bject.type] | @tsv :latest -importcfg /usr/bin/git git rev-�� /ref/tags/v9 git sv /tmp/compile-allinfocmp rev-parse /opt/hostedtoolcxterm-color gh (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git 64/pkg/tool/linu/repos/actions/github-script/git/ref/tags/v9 git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v5
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv .test GO111MODULE ortcfg.link GOINSECURE GOMOD GOMODCACHE 0ui0x2Iv4Z-LYbBHBh/hKJC44cVKMHVnpBvTgXO/G1KutSxXremote.origin.url env -json GO111MODULE g_.a GOINSECURE GOMOD GOMODCACHE bash (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv --show-toplevel x_amd64/link (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/infocmp --show-toplevel go /usr/bin/git infocmp -1 xterm-color git /usr/bin/gh ATH="$(find "/tmgit go /usr/bin/git gh (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv 0400-65261/test-1309992193 go x_amd64/vet ck 'scripts/**/*git GO111MODULE 64/bin/go x_amd64/vet ls-r�� --symref origin /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv k/gh-aw/gh-aw/.github/workflows/archie.md remote e/git -json GO111MODULE 64/bin/go e/git conf�� k/gh-aw/gh-aw/scripts/lint_error_messages.go k/gh-aw/gh-aw/scripts/lint_error_messages_test.gowner=github /usr/bin/git --check **/*.cjs 64/bin/go git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv /ref/tags/v9 /opt/hostedtoolcremote sv 1/x64/lib/node_mgit go 64/bin/go git rev-�� --show-toplevel go /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v8
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv /ref/tags/v9 git sv --show-toplevel go /usr/bin/git infocmp -1 xterm-color git /usr/bin/git --show-toplevel go /usr/bin/git git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv /ref/tags/v9 64/pkg/tool/linux_amd64/vet sv --show-toplevel git (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v9
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv ck 'scripts/**/*GOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE sh (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE node (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE sh (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v9.0.0
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9.0.0 --jq [.object.sha, .object.type] | @tsv ck 'scripts/**/*GOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE sh (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE node (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9.0.0 --jq [.object.sha, .object.type] | @tsv 1056046/b388/_pkGOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env AOwd/xa2YTVTI-qlGOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE 1056046/b388/imp-trimpath (http block)
• https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv xterm-color ache/go/1.25.8/x64/pkg/tool/linuorigin /usr/bin/git 1186626/b399/_pkgit GO111MODULE 1186626/b399=> git rev-�� --show-toplevel go /usr/bin/git ithub-script/gitgit GO111MODULE 1/x64/bin/node git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv xterm-color git /usr/bin/git -m Initial /usr/bin/gh git rev-�� --show-toplevel gh /usr/bin/git /repos/actions/ggit --jq (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv user.name Test User /usr/bin/git -json GO111MODULE 64/bin/go git bran�� --show-current resolved$ /usr/bin/git le-frontmatter.mgit GO111MODULE 64/bin/go git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel ache/go/1.25.8/x1 /usr/bin/git ExpressionCompilgh GO111MODULE tartedAt,updated/repos/actions/github-script/git/ref/tags/v9 git rev-�� --show-toplevel 64/pkg/tool/linu-buildtags /usr/bin/git runs/20260503-19git GO111MODULE 1186626/b395/_pk--show-toplevel git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/infocmp /tmp/gh-aw-test-git l /opt/hostedtoolc--show-toplevel infocmp -1 xterm-color node /usr/bin/git /tmp/TestHashStainfocmp node /usr/bin/gh git (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv bility_SameInputSameOutput331398-f -test.v=true ache/go/1.25.8/x64/pkg/tool/linu-f -test.timeout=10git -test.run=^Test -test.short=true--show-toplevel ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv xterm-color go /usr/bin/git -json k 64/bin/go git conf�� --get s/3/artifacts (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv --show-toplevel /opt/hostedtoolc--jq /usr/bin/git /tmp/go-build274git -trimpath 64/bin/go git rev-�� --show-toplevel go /opt/hostedtoolcache/node/24.14.1/x64/bin/node -json GO111MODULE 64/bin/go /opt/hostedtoolcache/node/24.14.1/x64/bin/node (http block)
• https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv -unreachable=false /tmp/go-build3661186626/b111/vet.cfg /usr/bin/docker -json GO111MODULE 64/bin/go docker pull�� test/race-image:v1.0.0 go (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel git (http block)
• https://api.github.com/repos/aws-actions/configure-aws-credentials/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/aws-actions/configure-aws-credentials/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv ithub-script/git/ref/tags/v9 git bject.type] | @tsv /tmp/gh-aw-test-git l /opt/hostedtoolc--show-toplevel git rev-�� --show-toplevel /opt/hostedtoolcache/go/1.25.8/x--jq /usr/bin/git /tmp/go-build366gh -trimpath /usr/bin/infocmpstatus git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/aws-actions/configure-aws-credentials/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git k/gh-aw/gh-aw/.ggit remote /opt/hostedtoolcuser.name git rev-�� --show-toplevel node /usr/bin/gh runs/20260503-19git sh /opt/hostedtoolc--show-toplevel gh (http block)
  • Triggering command: /usr/bin/gh gh api /repos/aws-actions/configure-aws-credentials/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv ithub-script/git/ref/tags/v9 git bject.type] | @tsv --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel 1/x64/bin/npm /usr/bin/git git (http block)
• https://api.github.com/repos/azure/login/git/ref/tags/v2
  • Triggering command: /usr/bin/gh gh api /repos/azure/login/git/ref/tags/v2 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git /tmp/gh-aw-test-git rev-parse /opt/hostedtoolc--show-toplevel git rev-�� --show-toplevel node /usr/bin/git /tmp/TestHashStainfocmp sh /usr/bin/git git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/azure/login/git/ref/tags/v2 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git 64/pkg/tool/linuxterm-color git (http block)
• https://api.github.com/repos/docker/login-action/git/ref/tags/v3
  • Triggering command: /usr/bin/gh gh api /repos/docker/login-action/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv --show-toplevel tl/eVMO4YIwMcNgnhigj0kp/ZJJD1S3VLLPPaXUks2gS /usr/bin/git --show-toplevel l /usr/bin/infocmp--show-toplevel git rev-�� /ref/tags/v9 infocmp sv xterm-color node /usr/bin/git git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/docker/login-action/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git /ref/tags/v9 git sv git rev-�� /ref/tags/v9 git sv /ref/tags/v9 git 64/pkg/tool/linuxterm-color git (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq [.object.sha, .object.type] | @tsv /repos/actions/github-script/git/ref/tags/v9 --jq /usr/bin/git vaScript29708003git GO111MODULE /opt/hostedtoolc--show-toplevel git rev-�� --show-toplevel go /usr/bin/infocmp 0400-65261/test-infocmp GO111MODULE (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq [.object.sha, .object.type] | @tsv /repos/actions/github-script/git/ref/tags/v9 --jq /usr/bin/git [:lower:] git (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq /usr/bin/infocmp -json GO111MODULE ed } } infocmp -1 xterm-color go /usr/bin/git ub/workflows GO111MODULE x_amd64/vet git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/gh --show-toplevel git /usr/bin/git gh api /repos/actions/github-script/git/ref/tags/v9 --jq (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv --show-toplevel -dwarf=false /usr/bin/git go1.25.8 -c=4 -nolocalimports git -C /tmp/shared-actions-test3881251200 remote .cfg -json GO111MODULE x_amd64/vet e/git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv kflow.test git ortcfg.link --show-toplevel git /usr/bin/git TpbBkfxBoVsN08LXtl/eVMO4YIwMcNgnhigj0kp/ZJJD1S3VLLPPaXUks2gS rev-�� --show-toplevel git a449d86f6b0c7bcc343c048f0af06ae9f1a8bb9981fba16dab4d4f1718078a03-d --show-toplevel git (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --limit 100 --created >=2026-04-26 GOMOD GOMODCACHE go env -json GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --limit 100 --created >=2026-04-03 GOMOD GOMODCACHE go env itcustom_branch765358079/001 itcustom_branch765358079/002/work ndor/bin/bash GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --limit 100 --created >=2026-02-02 GOMOD GOMODCACHE go env -json GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name GO111MODULE x_amd64/link GOINSECURE GOMOD GOMODCACHE x_amd64/link env -json GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE Bh/hKJC44cVKMHVnpBvTgXO/G1KutSxXremote.origin.url (http block)
  • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env 321251342 GO111MODULE sv GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env g_.a GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/1234567890
  • Triggering command: /usr/bin/gh gh api repos/{owner}/{repo}/actions/runs/1234567890 --jq {databaseId: .id, number: .run_number, url: .html_url, status: .status, conclusion: .conclusion, workflowName: .name, workflowPath: .path, createdAt: .created_at, startedAt: .run_started_at, updatedAt: .updated_at, event: .event, headBranch: .head_branch, -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE sh -c "prettier" --che-p GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go go (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE 06/m1mI9m8ZybBw5VAsfaec/Pi1C9UClconfig env 0400-65261/test-source-field-varremote.origin.url GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 GO111MODULE 64/pkg/tool/linux_amd64/link GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/link env (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env 4935/001/stabili--limit GO111MODULE ache/go/1.25.8/x--created GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 GO111MODULE ger.test GOINSECURE GOMOD GOMODCACHE ger.test 6611�� -json GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go estl�� mjwtT1DUj GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env 321251342 GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env -json GO111MODULE k GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env 0400-65261/test-source-field-variant-3435595247 GO111MODULE ow.lock.yml GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/github/gh-aw/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE sh -c "prettier" --cheGOSUMDB GOPROXY 64/bin/go GOSUMDB GOWORK run-script/lib/n--show-toplevel /opt/hostedtoolcache/go/1.25.8/xGO111MODULE (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 GOMOD GOMODCACHE x_amd64/vet 6611�� -json GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/github/gh-aw/contents/.github/workflows/shared/reporting.md
  • Triggering command: /tmp/go-build3661186626/b404/cli.test /tmp/go-build3661186626/b404/cli.test -test.testlogfile=/tmp/go-build3661186626/b404/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true GOINSECURE GOMOD erignore go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git /tmp/TestGuardPobasename s/12346/artifact/tmp/gh-aw/aw-feature-branch.patch /usr/bin/git git rev-�� --show-toplevel git /usr/bin/gh /tmp/gh-aw-test-gh config /usr/bin/git gh (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git /ref/tags/v9 git sv git rev-�� --show-toplevel git /usr/bin/gh ithub-script/gitgh git bject.type] | @t/repos/actions/github-script/git/ref/tags/v9 gh (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE tartedAt,updatedAt,event,headBranch,headSha,displayTitle GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x--jq (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv /ref/tags/v9 git sv --show-toplevel 1186626/b431/parrev-parse /usr/bin/git git rev-�� ithub-script/git/ref/tags/v9 git bject.type] | @tsv --show-toplevel git /usr/bin/git git (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env ub/workflows GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env ub/workflows GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE x_amd64/link GOINSECURE GOMOD GOMODCACHE x_amd64/link (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
• https://api.github.com/repos/google-github-actions/auth/git/ref/tags/v2
  • Triggering command: /usr/bin/gh gh api /repos/google-github-actions/auth/git/ref/tags/v2 --jq [.object.sha, .object.type] | @tsv --show-toplevel /tmp/go-build3661186626/b435/repoutil.test /usr/bin/git k/gh-aw/gh-aw/.ggit -test.v=true /opt/hostedtoolc--show-toplevel git rev-�� --show-toplevel /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet /usr/bin/git -bool -buildtags 64/pkg/tool/linu--show-toplevel git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/google-github-actions/auth/git/ref/tags/v2 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git 64/pkg/tool/linu--show-toplevel git (http block)
• https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv 1561435009/custom/workflows GO111MODULE g_.a GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linumyorg (http block)
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git /ref/tags/v9 1186626/b438/semrev-parse sv git rev-�� --show-toplevel git /usr/bin/gh --show-toplevel ache/go/1.25.8/x-1 /usr/bin/git gh (http block)
• https://api.github.com/repos/nonexistent/repo/actions/runs/12345
  • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE AcFeXp_lh9T_UQ2dPZ/4y85XzUZCelVTfnTc37x/IH1APZsa--auto env -json GO111MODULE g_.a GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/owner/repo/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOINSECURE GOMOD GOMODCACHE sh -c "prettier" --che- GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go /opt/hostedtoolcshow (http block)
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOINSECURE GOMOD GOMODCACHE 1056046/b388/imp-trimpath -c che/go-build/41/-p GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go /opt/hostedtoolc-goversion (http block)
  • Triggering command: /usr/bin/gh gh workflow list --repo owner/repo --json name,path,state ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 1/x64/bin/node GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/test-owner/test-repo/actions/secrets
  • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE sh -c "prettier" --cheGOSUMDB GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go /opt/hostedtoolctest@example.com (http block)
• https://api.github.com/repos/test/repo
  • Triggering command: /usr/bin/gh gh api /repos/test/repo --jq .default_branch 7/001/noflag-a.md GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go ortc�� -json stmain.go ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linuorigin (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[pelikhan]

@copilot review https://github.com/github/gh-aw/actions/runs/25288090288/job/74135703663#step:9:1

[Copilot]

@copilot review https://github.com/github/gh-aw/actions/runs/25288090288/job/74135703663#step:9:1

Root cause: the test installs v0.71.2 (PREVIOUS) and runs gh aw upgrade --pre-releases. But v0.71.2's code pre-dates our macOS prerelease fix (added in this PR, commit 3bedb0f) — it still calls gh extension upgrade --force, which resolves via /releases/latest and installs v0.71.1 (latest stable) instead of v0.71.3 (prerelease). The log confirms this:

[aw]: upgraded from v0.71.2 to v0.71.1    ← gh CLI output (old code path)
✓ gh-aw extension upgraded to v0.71.3      ← our code believed latestVersion
Installed: v0.71.1
Expected:  v0.71.3
❌ Version mismatch

Once v0.71.3 is the PREVIOUS binary, the macOS fix takes effect and pin-based install is used correctly. For now, fixed in a6127a7 by adding a compatibility block in the upgrade step: on macOS, after gh aw upgrade, check if the installed version matches the expected prerelease; if not (old binary issue), fall back to gh extension install --pin $LATEST and log a warning. The "Verify version after upgrade" step then confirms the target version works.

[pelikhan]

@copilot review and fix https://github.com/github/gh-aw/actions/runs/25289169592/job/74138654501#step:9:1

[Copilot]

@copilot review and fix https://github.com/github/gh-aw/actions/runs/25289169592/job/74138654501#step:9:1

Root cause: the compatibility workaround ran correctly and detected v0.71.1 ≠ v0.71.3, but gh extension install github/gh-aw --pin v0.71.3 --force printed [aw]: already up to date and did nothing. The gh CLI's internal extension metadata had been updated by the old upgrade flow to record v0.71.3 as the installed version, so --force didn't help — it just checked the metadata, not the actual binary on disk.

Fixed in 1daa063 by replacing gh extension install ... --pin "$LATEST" --force with gh extension remove github/gh-aw + gh extension install github/gh-aw --pin "$LATEST". Removing the extension clears gh's metadata, so the subsequent install always fetches and places the correct binary.

[pelikhan]

@copilot fix https://github.com/github/gh-aw/actions/runs/25290360553/job/74142906630#step:8:1

[Copilot]

@copilot fix https://github.com/github/gh-aw/actions/runs/25290360553/job/74142906630#step:8:1

Root cause: Windows job running the old v0.71.2 binary. When gh extension upgrade --force ran, gh CLI's rename mechanism created gh-aw.exe.8272.bak, Windows Defender briefly locked it, so upgrade failed with "failed to remove previous extension update state: Access is denied". v0.71.2's fallback then tried gh extension install --pin v0.71.3 which also failed with "there is already an installed extension" (the locked .bak was still present). The step exited 1.

The v0.71.3 cleanupStaleWindowsBackups() fix only helps when v0.71.3 is doing the upgrade — not when v0.71.2 runs it.

Fixed in cde230e with a Windows compatibility workaround in upgrade-test.yml, mirroring the existing macOS workaround: capture the exit code of gh aw upgrade without set -e aborting the step; if it fails on Windows, fall back to gh extension remove + gh extension install --pin "$LATEST" to get the correct binary installed so the verification step can pass.

[pelikhan]

@copilot merge main and recompile

[Copilot]

@copilot merge main and recompile

Done in 962c9f0 — merged main (no conflicts) and recompiled. All lock files were already up to date.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw hh-V4nwnO4Vm (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw SDcKrwS/nJf-hb70-1 (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv ksum-validation-install-gh-aw^{commit} --local stency-checker.lock.yml user.name (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv ithub/workflows --local /opt/hostedtoolcache/go/1.25.8/x-f user.name (http block)
• https://api.github.com/repos/actions/download-artifact/git/ref/tags/v8
  • Triggering command: /usr/bin/gh gh api /repos/actions/download-artifact/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/download-artifact/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv g_.a ame r: $owner, name: $name) { hasDiscussionsEnabled } } (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v9
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv pkg/actionpins/data/action_pins.json; \ cp .github/aw/actions-lock.json pkg/workflow/data/action_pins.json; \ echo "��� Action pins synced successfully"; \ else \ echo "��� (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv -c=4 -nolocalimports -importcfg /tmp/go-build3176805392/b288/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/pkg/stringutil/ansi.go /home/REDACTED/work/gh-aw/gh-aw/pkg/stringutil/identifiers.go (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv get --local /opt/hostedtoolcache/uv/0.11.8/x86_64/git user.name (http block)
• https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv (http block)
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv onrpc.go (http block)
• https://api.github.com/repos/docker/metadata-action/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/docker/metadata-action/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv (http block)
• https://api.github.com/repos/docker/setup-buildx-action/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/docker/setup-buildx-action/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv (http block)
• https://api.github.com/repos/github/gh-aw
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .default_branch (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)