Fix untrusted_checkout_exec poutine finding in smoke-workflow-call workflows#22608
Merged
Fix untrusted_checkout_exec poutine finding in smoke-workflow-call workflows#22608
Conversation
Closed
4 tasks
… workflows Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> Agent-Logs-Url: https://github.com/github/gh-aw/sessions/f7f7341e-f884-4fee-8662-a6802688b882
Copilot
AI
changed the title
[WIP] Fix untrusted_checkout_exec in smoke workflow call files
Fix untrusted_checkout_exec poutine finding in smoke-workflow-call workflows
Mar 24, 2026
pelikhan
approved these changes
Mar 24, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
This pull request makes the untrusted_checkout_exec suppression durable by moving it into the workflow compiler outputs, then recompiles workflows and updates golden fixtures so the generated .lock.yml files retain the suppression across future recompiles.
Changes:
- Add
# poutine:ignore untrusted_checkout_execlines to compiler-generated YAML steps that executecreate_prompt_first.sh,validate_prompt_placeholders.sh, andprint_prompt_summary.sh - Regenerate workflow
.lock.ymlartifacts so the suppressions appear in compiled workflows - Update wasm golden fixtures to match the new compiler output
Reviewed changes
Copilot reviewed 182 out of 182 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| pkg/workflow/unified_prompt_step.go | Inserts poutine suppression comment before the prompt creation `run: |
| pkg/workflow/compiler_yaml.go | Inserts poutine suppression comments before prompt validation and summary run: steps |
| pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/with-imports.golden | Updates golden output to include new suppression comments |
| pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-copilot.golden | Updates golden output to include new suppression comments |
| pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/basic-copilot.golden | Updates golden output to include new suppression comments |
| .github/workflows/workflow-skill-extractor.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/workflow-normalizer.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/workflow-health-manager.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/workflow-generator.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/weekly-safe-outputs-spec-review.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/weekly-issue-summary.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/weekly-editors-health-check.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/weekly-blog-post-writer.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/video-analyzer.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/update-astro.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/unbloat-docs.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/ubuntu-image-analyzer.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/typist.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/tidy.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/test-workflow.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/test-project-url-default.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/test-dispatcher.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/test-create-pr-error-handling.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/terminal-stylist.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/technical-doc-writer.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/super-linter.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/sub-issue-closer.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/step-name-alignment.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/static-analysis-report.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/stale-repo-identifier.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/smoke-workflow-call.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/smoke-workflow-call-with-inputs.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/smoke-update-cross-repo-pr.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/smoke-test-tools.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/smoke-temporary-id.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/smoke-project.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/smoke-multi-pr.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/smoke-gemini.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/smoke-create-cross-repo-pr.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/smoke-copilot.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/smoke-copilot-arm.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/smoke-codex.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/smoke-claude.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/smoke-call-workflow.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/smoke-agent-scoped-approved.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/smoke-agent-public-none.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/smoke-agent-public-approved.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/smoke-agent-all-none.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/smoke-agent-all-merged.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/slide-deck-maintainer.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/sergo.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/semantic-function-refactor.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/security-review.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/security-compliance.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/scout.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/schema-feature-coverage.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/schema-consistency-checker.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/safe-output-health.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/research.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/repository-quality-improver.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/repo-tree-map.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/repo-audit-analyzer.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/release.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/refiner.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/q.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/python-data-charts.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/prompt-clustering-analysis.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/pr-triage-agent.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/pr-nitpick-reviewer.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/portfolio-analyst.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/poem-bot.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/plan.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/pdf-summary.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/org-health-report.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/notion-issue-summary.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/metrics-collector.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/mergefest.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/mcp-inspector.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/lockfile-stats.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/layout-spec-maintainer.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/jsweep.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/issue-triage-agent.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/issue-monster.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/issue-arborist.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/instructions-janitor.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/hourly-ci-cleaner.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/grumpy-reviewer.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/gpclean.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/go-pattern-detector.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/go-logger.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/go-fan.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/glossary-maintainer.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/github-remote-mcp-auth-test.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/github-mcp-tools-report.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/github-mcp-structural-analysis.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/functional-pragmatist.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/firewall.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/firewall-escape.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/example-workflow-analyzer.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/example-permissions-warning.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/duplicate-code-detector.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/draft-pr-cleanup.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/docs-noob-tester.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/discussion-task-miner.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/dictation-prompt.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/developer-docs-consolidator.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/dev.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/dev-hawk.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/dependabot-go-checker.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/dependabot-burner.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/delight.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/deep-report.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/dead-code-remover.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/daily-workflow-updater.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/daily-testify-uber-super-expert.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/daily-team-status.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/daily-team-evolution-insights.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/daily-syntax-error-quality.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/daily-semgrep-scan.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/daily-security-red-team.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/daily-secrets-analysis.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/daily-safe-outputs-conformance.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/daily-safe-output-optimizer.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/daily-safe-output-integrator.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/daily-repo-chronicle.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/daily-rendering-scripts-verifier.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/daily-regulatory.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/daily-performance-summary.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/daily-observability-report.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/daily-news.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/daily-multi-device-docs-tester.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/daily-mcp-concurrency-analysis.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/daily-malicious-code-scan.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/daily-issues-report.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/daily-integrity-analysis.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/daily-function-namer.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/daily-firewall-report.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/daily-file-diet.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/daily-fact.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/daily-doc-updater.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/daily-doc-healer.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/daily-copilot-token-report.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/daily-compiler-quality.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/daily-community-attribution.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/daily-code-metrics.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/daily-cli-tools-tester.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/daily-cli-performance.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/daily-choice-test.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/daily-assign-issue-to-user.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/daily-architecture-diagram.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/craft.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/copilot-session-insights.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/copilot-pr-prompt-analysis.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/copilot-pr-nlp-analysis.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/copilot-pr-merged-report.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/copilot-cli-deep-research.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/copilot-agent-analysis.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/contribution-check.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/constraint-solving-potd.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/commit-changes-analyzer.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/codex-github-remote-mcp-test.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/code-simplifier.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/code-scanning-fixer.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/cloclo.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/cli-version-checker.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/cli-consistency-checker.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/claude-code-user-docs-review.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/ci-doctor.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/ci-coach.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/changeset.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/breaking-change-checker.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/brave.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/bot-detection.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/blog-auditor.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/auto-triage-issues.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/audit-workflows.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/artifacts-summary.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/archie.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/ai-moderator.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/agent-persona-explorer.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/agent-performance-analyzer.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
| .github/workflows/ace-editor.lock.yml | Regenerated lock workflow to include suppression comments on relevant bash steps |
Comments suppressed due to low confidence (1)
pkg/workflow/compiler_yaml.go:539
- Same as above: this new
# poutine:ignore untrusted_checkout_execsuppression would benefit from an adjacent justification comment so future reviewers understand whyprint_prompt_summary.shexecution is safe despite the rule being disabled.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+370
to
372
| yaml.WriteString(" # poutine:ignore untrusted_checkout_exec\n") | ||
| yaml.WriteString(" run: |\n") | ||
| yaml.WriteString(" bash ${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh\n") |
There was a problem hiding this comment.
The new # poutine:ignore untrusted_checkout_exec suppression is security-significant but currently has no human-readable justification. Please add an adjacent comment explaining why executing ${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh is safe in this context (e.g., how the script is sourced/pinned), while keeping the poutine directive on its own line so the scanner continues to recognize it.
Comment on lines
+531
to
532
| yaml.WriteString(" # poutine:ignore untrusted_checkout_exec\n") | ||
| yaml.WriteString(" run: bash ${RUNNER_TEMP}/gh-aw/actions/validate_prompt_placeholders.sh\n") |
There was a problem hiding this comment.
The added # poutine:ignore untrusted_checkout_exec suppression should include an explicit justification comment for maintainability/auditing, since it disables a security finding. Consider adding a brief YAML comment immediately above it describing why running validate_prompt_placeholders.sh from ${RUNNER_TEMP}/gh-aw/actions/ is trusted (source/pinning), keeping the directive line unchanged for poutine parsing.
This issue also appears on line 538 of the same file.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Poutine flagged
untrusted_checkout_execon three bash script executions in compiled lock files forsmoke-workflow-callandsmoke-workflow-call-with-inputs. Prior fixes regressed because they were applied directly to generated.lock.ymlfiles and got overwritten on recompile.Changes
# poutine:ignore untrusted_checkout_execcomments in the compiler output generators so suppressions survive recompilation:pkg/workflow/unified_prompt_step.go— before therun: |block executingcreate_prompt_first.shpkg/workflow/compiler_yaml.go— beforevalidate_prompt_placeholders.shandprint_prompt_summary.shrun steps.lock.ymlfiles now contain the suppression commentsWarning
Firewall rules blocked me from connecting to one or more addresses (expand for details)
I tried to connect to the following addresses, but was blocked by firewall rules:
https://api.github.com/graphql/usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw(http block)/usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw a0OomhkzJTeA(http block)/usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GO111MODULE 64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git 9789391/b196/_pkgit _BiU/tfAtsOls4drrev-parse .cfg git(http block)https://api.github.com/orgs/test-owner/actions/secrets/usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile(http block)/usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/compile /usr/bin/git 7921143/b445/_pknode -buildtags 7921143/b445=> git rev-�� ath ../../../.pr**/*.json gh /usr/bin/git y5oJ/g5FpiJ9ENbZnode --json /usr/bin/infocmpprettier git(http block)https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1/usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha user.email test@example.com /usr/bin/git -json GO111MODULE x_amd64/vet git conf�� user.name Test User /usr/bin/git g_.a oding@v0.5.4/isorev-parse x_amd64/vet /usr/bin/git(http block)/usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha --show-toplevel git /usr/bin/git js/**/*.json' --git node /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git(http block)/usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha "prettier" --write '**/*.cjs' '**/*.ts' '**/*.json' --ignore-path ../../../.prettierignore git /home/REDACTED/node_modules/.bin/node --show-toplevel git /usr/bin/git node /opt�� prettier --write /opt/hostedtoolcache/go/1.25.0/x64/bin/bash !../../../pkg/wogit --ignore-path ../../../.pretti--show-toplevel bash(http block)https://api.github.com/repos/actions/checkout/git/ref/tags/v3/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha sistency_GoAndJavaScript939485619/001/test-complex-frontmatter-w-test.timeout=10m0s /tmp/go-build3927921143/b300/vet.cfg 0/x64/bin/node -json GO111MODULE 64/bin/go 0/x64/bin/node -ato�� -bool -buildtags /usr/bin/git -errorsas -ifaceassert -nilfunc git(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha runs/20260324-054635-36998/test-973989874 git 709953/b429/vet.cfg --show-toplevel /opt/hostedtoolcrev-parse /usr/bin/git sh -c npx prettier --write '../../../**/*.json' '!../../../pkg/workflow/js/**/*.json' --ignore-path git /usr/bin/git --show-toplevel /opt/hostedtoolcrev-parse /usr/bin/git git(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha --show-toplevel git /usr/bin/git son 64/bin/gofmt /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git nore ns_validation_terev-parse /usr/bin/git git(http block)https://api.github.com/repos/actions/checkout/git/ref/tags/v5/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha plorer.md GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linu--json env 9789391/b184/_pk--workflow Qwdw/E38ZNRQiZFunonexistent-workflow-12345 .cfg GOINSECURE GOMOD GOMODCACHE ache/go/1.25.0/x64/pkg/tool/linu.github/workflows/test.md(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git matter-with-env-git GO111MODULE 64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git -json .cfg 64/pkg/tool/linu--show-toplevel git(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet /usr/bin/git /ref/tags/v8 -trimpath ache/go/1.25.0/x--show-toplevel git rev-�� --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet 86_64/node /tmp/go-build181git -trimpath 7921143/b182/vet--show-toplevel git(http block)https://api.github.com/repos/actions/checkout/git/ref/tags/v6/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha add origin /usr/lib/git-core/git -json GO111MODULE x_amd64/vet /usr/lib/git-core/git main�� nt/action/git/ref/tags/v999.999.999 --auto /usr/bin/git --detach GO111MODULE nch,headSha,disp--show-toplevel git(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha /tmp/TestHashStability_SameInputSameOutput3672220975/001/stabiliv1.0.0 x_amd64/compile /usr/bin/git -json GO111MODULE x_amd64/vet git -C /tmp/gh-aw-test-runs/20260324-054412-31948/test-2682250685 rev-parse /usr/bin/git @{u} GO111MODULE x_amd64/vet git(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git 9789391/b071/impgit 0KEG/1ZcA2yt9nzRrev-parse .cfg git rev-�� --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet /usr/bin/git 4412-31948/test-git -trimpath .cfg git(http block)https://api.github.com/repos/actions/github-script/git/ref/tags/v8/usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -json GO111MODULE x_amd64/asm GOINSECURE GOMOD GOMODCACHE x_amd64/asm env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile(http block)/usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json gset/set.go x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile(http block)/usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json age.go x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile(http block)https://api.github.com/repos/actions/setup-go/git/ref/tags/v4/usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha --get remote.origin.url /usr/bin/git -json GO111MODULE x_amd64/vet git -C /tmp/gh-aw-test-runs/20260324-054412-31948/test-2682250685 rev-parse /usr/bin/git @{u} GO111MODULE x_amd64/vet git(http block)/usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq /usr/local/sbin/iptables h ../../../.pretgit git /usr/bin/git iptables -w -t security /usr/bin/git -nxv infocmp /usr/bin/git git(http block)/usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha --show-toplevel git /home/node_modules/.bin/node --show-toplevel git /usr/bin/git node /opt�� prettier --write /opt/hostedtoolcache/node/24.14.0/x64/bin/npm **/*.ts **/*.json --ignore-path npm(http block)https://api.github.com/repos/actions/setup-node/git/ref/tags/v4/usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha --get remote.origin.url /usr/bin/git(http block)/usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq clusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle h ../../../.pretgit 7921143/b435/imprev-parse /usr/bin/git iptables -w -t security /usr/bin/git OUTPUT -d 168.63.129.16 git(http block)/usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha --show-toplevel git /home/REDACTED/work/node_modules/.bin/node --show-toplevel git /usr/bin/git node /opt�� prettier --write /bin/sh **/*.ts **/*.json --ignore-path /bin/sh(http block)https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4/usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha -unreachable=false /tmp/go-build3927921143/b050/vet.cfg 7921143/b358/vet.cfg -goversion go1.25.0 -c=4 /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -uns�� -unreachable=false /tmp/go-build3927921143/b222/vet.cfg /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -mod=readonly -f 64/bin/go /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet(http block)/usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha te '../../../**/*.json' '!../../../pkg/workflow/js/**/*.json' --ignore-path ../../../.prettieriggit git /home/REDACTED/work/_temp/uv-python-dir/node --show-toplevel ache/go/1.25.0/xrev-parse /usr/bin/git node /opt�� run format:cjs /home/REDACTED/work/gh-aw/node_modules/.bin/sh --show-toplevel 64/pkg/tool/linurev-parse /usr/bin/git sh(http block)/usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha '**/*.ts' '**/*.json' --ignore-path ../../../.pr**/*.json git /usr/bin/git --show-toplevel git .0/x64/bin/go git rev-�� .js' --ignore-path .prettierignore --log-level=error git tions/setup/node_modules/.bin/node --show-toplevel x_amd64/vet /usr/bin/git git(http block)https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b/usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha(http block)https://api.github.com/repos/github/gh-aw/usr/bin/gh gh api /repos/github/gh-aw --jq .visibility(http block)https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha runs/20260324-054412-31948/test-821148830/.github/workflows /tmp/go-build3927921143/b088/vet.cfg 7921143/b363/vet.cfg l go1.25.0 -c=4 /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -uns�� k/gh-aw/gh-aw/.github/workflows /tmp/go-build3927921143/b238/vet.cfg /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet /tmp/go-build427git -trimpath 64/bin/go /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linu-buildtags(http block)/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha --show-toplevel on rkflow/js/**/*.json /../../.prettiergit erignore /usr/bin/git sh -c runs/20260324-054635-36998/test-3134032519/.github/workflows git /home/REDACTED/.cargo/bin/sh l ache/go/1.25.0/xrev-parse /usr/bin/git sh(http block)/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha --show-toplevel git 86_64/node --show-toplevel git /usr/bin/git git 8d51�� --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git(http block)https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha 4412-31948/test-2682250685 /tmp/go-build3927921143/b054/vet.cfg 7921143/b361/vet.cfg go1.25.0 -c=4 -nolocalimports /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -uns�� -unreachable=false /tmp/go-build3927921143/b239/vet.cfg /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -x c 64/bin/go /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet(http block)/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha --show-toplevel on rkflow/js/**/*.json /../../.prettiergit erignore /usr/bin/git sh -c npx prettier --write '**/*.cjs' '**/*.ts' '**/*.json' --ignore-path ../../../.pr**/*.json git /home/REDACTED/.local/bin/sh --show-toplevel 64/pkg/tool/linurev-parse /usr/bin/git sh(http block)/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha '**/*.ts' '**/*.json' --ignore-path ../../../.pr**/*.json git 0/x64/lib/node_modules/npm/node_modules/@npmcli/run-script/lib/node-gyp-bin/node --show-toplevel git /usr/bin/git git 8d51�� --show-toplevel git 0/x64/bin/node --show-toplevel git /usr/bin/git git(http block)https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts/usr/bin/gh gh run download 1 --dir test-logs/run-1 GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE v3 abis 0XVD7GS/mRL0tEU7JbrieQ94-F8q env oHGgQi2eq .cfg 64/pkg/tool/linux_amd64/vet wc -c < gh-aw.wagit %H %ct %D d92563ec8a5a6d749d63be76 64/pkg/tool/linux_amd64/vet(http block)/usr/bin/gh gh run download 1 --dir test-logs/run-1 git /usr/bin/git 738/001/go/1.25.git 64/pkg/tool/linurev-parse /usr/bin/git git tion�� --show-toplevel git son ignore 64/pkg/tool/linurev-parse /usr/bin/git git(http block)https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts/usr/bin/gh gh run download 12345 --dir test-logs/run-12345 FBrfd97FY 64/pkg/tool/linux_amd64/vet GOINSECURE(http block)/usr/bin/gh gh run download 12345 --dir test-logs/run-12345 git /usr/bin/git --show-toplevel -tests /usr/bin/git git rev-�� *.json' '!../../../pkg/workflow/js/**/*.json' --ignore-path ../../../.prettierignore git k/_temp/uv-python-dir/node --show-toplevel 64/pkg/tool/linurev-parse /usr/bin/git git(http block)https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts/usr/bin/gh gh run download 12346 --dir test-logs/run-12346 HC8Jsm53M x_amd64/link GOINSECURE GOMOD GOMODCACHE x_amd64/link env TV6rN00-c GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE HC/wPHmRHH07drGotDxh6_4/9rUbv3kNVNgnGPLEQds7(http block)/usr/bin/gh gh run download 12346 --dir test-logs/run-12346 git ndor/bin/sh --show-toplevel -extld=gcc /usr/bin/git git rev-�� *.json' '!../../../pkg/workflow/js/**/*.json' --ignore-path ../../../.prettierignore git ache/node/24.14.0/x64/bin/npm --show-toplevel 64/pkg/tool/linurev-parse /usr/bin/git git(http block)https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts/usr/bin/gh gh run download 2 --dir test-logs/run-2 ipBU_UDMP x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env ortcfg .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE d92563ec8a5a6d74/tmp/js-hash-test-300519077/test-hash.js GOMODCACHE 64/pkg/tool/linux_amd64/vet(http block)/usr/bin/gh gh run download 2 --dir test-logs/run-2 git tions/setup/node_modules/.bin/node --show-toplevel 64/pkg/tool/linurev-parse /usr/bin/git git tion�� --show-toplevel git son ignore 64/pkg/tool/linurev-parse /usr/bin/git git(http block)https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts/usr/bin/gh gh run download 3 --dir test-logs/run-3 GO111MODULE x_amd64/compile GOINSECURE GOMOD abis x_amd64/compile env YFesNwKSb .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE %H %ct %D GOMODCACHE 64/pkg/tool/linux_amd64/vet(http block)/usr/bin/gh gh run download 3 --dir test-logs/run-3 git tions/node_modules/.bin/node 4 -type d -namegit 64/pkg/tool/linurev-parse /usr/bin/git git tion�� --show-toplevel git son ignore x_amd64/compile /usr/bin/git git(http block)https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts/usr/bin/gh gh run download 4 --dir test-logs/run-4 PZlisUvcs 64/pkg/tool/linux_amd64/vet GOINSECURE gset GOMODCACHE 64/pkg/tool/linux_amd64/vet env RHWPMZAE3 .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet(http block)/usr/bin/gh gh run download 4 --dir test-logs/run-4 git 0/x64/lib/node_modules/npm/node_modules/@npmcli/run-script/lib/node-gyp-bin/node --show-toplevel 64/pkg/tool/linurev-parse /usr/bin/git git tion�� --show-toplevel git son ignore 64/pkg/tool/linurev-parse $name) { has--show-toplevel git(http block)https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts/usr/bin/gh gh run download 5 --dir test-logs/run-5 fJrNJ1ZO5 64/pkg/tool/linux_amd64/vet GOINSECURE age GOMODCACHE 64/pkg/tool/linux_amd64/vet env _jk-OnU_6 .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet(http block)/usr/bin/gh gh run download 5 --dir test-logs/run-5 git tions/setup/js/node_modules/.bin/node --show-toplevel 64/pkg/tool/linurev-parse /usr/bin/git git tion�� --show-toplevel git son ignore 64/pkg/tool/linurev-parse /usr/bin/git git(http block)https://api.github.com/repos/github/gh-aw/actions/workflows/usr/bin/gh gh workflow list --json name,state,path -json GO111MODULE x_amd64/asm GOINSECURE GOMOD GOMODCACHE x_amd64/asm env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile(http block)/usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet(http block)/usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 GOMOD GOMODCACHE 64/pkg/tool/linu.github/workflows/test.md env ortcfg .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha ortcfg .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env ithout_min-integrity1810250120/001 .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE l GOMODCACHE 64/pkg/tool/linux_amd64/vet(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha --show-toplevel git(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha --show-toplevel sh /usr/bin/git npx prettier --wnode git /usr/bin/git git rev-�� h ../../../.pret.prettierignore git /node --show-toplevel git /usr/bin/git git(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha h ../../../.prettierignore git /usr/bin/git /tmp/TestGuardPonode config 7921143/b455/vet--write git rev-�� w/js/**/*.json' --ignore-path /tmp/go-build392../../../.prettierignore /usr/bin/git -test.paniconexigit -test.v=true /opt/hostedtoolc/tmp/TestGuardPolicyMinIntegrityOnlymin-integrity_only_defaults_repo334431409/001 git(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE FMXAZENQ7Ra6 env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json 4/arm64.go x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json cii.go x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha h ../../../.prettierignore git /usr/bin/git --show-toplevel -dwarf=false /usr/bin/infocmp--write git rev-�� w/js/**/*.json' --ignore-path infocmp /usr/bin/git xterm-color l /usr/bin/git git(http block)https://api.github.com/repos/githubnext/agentics/git/ref/tags//usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha(http block)https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999/usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha -json .cfg At,event,headBranch,headSha,displayTitle GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env e-analyzer.md GO111MODULE x_amd64/link GOINSECURE contextprotocol/rev-parse GOMODCACHE x_amd64/link(http block)/usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha --show-toplevel /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet(http block)/usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha --show-toplevel sh /usr/bin/git npx prettier --wnode l /usr/bin/git git rev-�� h ../../../.pret.prettierignore git /usr/bin/git --show-toplevel git /usr/bin/git git(http block)https://api.github.com/repos/nonexistent/repo/actions/runs/12345/usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE chema/v6 GOMODCACHE 64/pkg/tool/linuTest User env 821148830/.github/workflows .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet(http block)/usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion son 64/pkg/tool/linurev-parse /usr/bin/git 64/pkg/tool/linux_amd64/vet rev-�� --show-toplevel git k/gh-aw/gh-aw/actions/node_modules/.bin/node --show-toplevel 64/pkg/tool/linurev-parse /usr/bin/git git(http block)https://api.github.com/repos/owner/repo/actions/workflows/usr/bin/gh gh workflow list --json name,state,path --repo owner/repo x_amd64/asm GOINSECURE GOMOD GOMODCACHE x_amd64/asm env -json .go x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile(http block)/usr/bin/gh gh workflow list --json name,state,path --repo owner/repo x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json exer.go x_amd64/asm GOINSECURE GOMOD GOMODCACHE x_amd64/asm(http block)/usr/bin/gh gh workflow list --json name,state,path --repo owner/repo /usr/bin/git ithub/workflows/node -buildtags /usr/bin/git git rev-�� ath ../../../.pr**/*.json git /usr/bin/git --show-toplevel -tests /usr/bin/infocmp"prettier" --write '../../../**/*.json' '!../../../pkg/workflow/js/**/*.json' ---errorsas git(http block)https://api.github.com/repos/owner/repo/contents/file.md/tmp/go-build3927921143/b400/cli.test /tmp/go-build3927921143/b400/cli.test -test.testlogfile=/tmp/go-build3927921143/b400/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile(http block)/tmp/go-build495709953/b400/cli.test /tmp/go-build495709953/b400/cli.test -test.testlogfile=/tmp/go-build495709953/b400/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true -bool -buildtags /usr/bin/git git ache�� --show-toplevel nly /usr/bin/git --show-toplevel -tests /usr/bin/infocmpnpx prettier --write '../../../**/*.json' '!../../../pkg/workflow/js/**/*.json' --ignore-path git(http block)https://api.github.com/repos/test-owner/test-repo/actions/secrets/usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile(http block)/usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name ignore-path ../../../.prettierignore 7921143/b432/importcfg /usr/bin/git sistency_GoAndJash k/gh-aw/gh-aw/pk-c ipts.test git rev-�� --show-toplevel ipts.test /usr/bin/git list --json /usr/bin/git git(http block)If you need me to access, download, or install something from one of these locations, you can either:
💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.