[plan] Fix unverified_script_exec (curl | bash) in copilot-setup-steps and daily-copilot-token-report #18286

@github-actions

Description

Objective

Fix unverified_script_exec supply chain findings (poutine) in workflows that execute scripts via curl ... | bash without integrity verification, as reported in discussion #18283.

Context

Two workflows execute scripts fetched from raw.githubusercontent.com via curl | bash without checksum verification. If the remote URL is compromised or points to a mutable ref, malicious code could execute.

  • Tool: poutine
  • Severity: Note
  • Affected files:
    • .github/workflows/copilot-setup-steps.yml (line 17)
    • .github/workflows/daily-copilot-token-report.md (compiles to line 298 in .lock.yml)

Approach

For each affected location:

  1. Locate the curl ... | bash pattern (e.g., curl -fsSL (url) | bash)
  2. Replace it with a safer two-step approach that downloads, verifies, then executes:

     ```bash
     # Option A: Pin to a specific immutable commit SHA in the URL
     # (a branch or tag name is a mutable ref and does not qualify)
     curl -fsSL https://raw.githubusercontent.com/owner/repo/(full-commit-sha)/script.sh | bash

     # Option B: Download and verify checksum before executing
     curl -fsSL https://raw.githubusercontent.com/.../script.sh -o /tmp/script.sh
     # Fail closed: stop here if the digest does not match, so the script is never run
     sha256sum -c <<'EOF' || exit 1
     (expected-sha256)  /tmp/script.sh
     EOF
     bash /tmp/script.sh
     ```

  3. If the script URL already points to an immutable commit SHA, document this in a comment to suppress the warning
  4. Run make recompile after modifying .md files
  5. Run make agent-finish to validate
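As an added example (not code from this issue or the repository's workflows), a fail-closed shell version of Option B together with a pre-check for the pattern poutine flags; it assumes curl and sha256sum (coreutils) are on PATH, and the URL, expected digest and file names are supplied by the caller.

```shell
#!/bin/sh
# Added example: verify-then-execute helpers for the unverified_script_exec finding.
# Assumptions: curl and sha256sum are available; the caller supplies the URL and the
# expected SHA-256 hex digest (obtained out of band, e.g. from the script's release page).

# Interpreter used to run the verified script (the affected workflows use bash).
SCRIPT_SHELL="${SCRIPT_SHELL:-bash}"

# verify_file FILE EXPECTED_SHA256: return 0 when the digest matches, 1 otherwise.
verify_file() {
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  if [ "$actual" != "$2" ]; then
    echo "checksum mismatch for $1: expected $2, got $actual" >&2
    return 1
  fi
  return 0
}

# run_verified FILE EXPECTED_SHA256: execute FILE only after verify_file succeeds.
run_verified() {
  verify_file "$1" "$2" || return 1
  "$SCRIPT_SHELL" "$1"
}

# fetch_and_run URL EXPECTED_SHA256: download to a temp file, verify, then run.
# Nothing is piped into a shell, so a tampered or truncated download is never executed.
fetch_and_run() {
  tmp=$(mktemp) || return 1
  if curl -fsSL --proto '=https' --tlsv1.2 "$1" -o "$tmp" && run_verified "$tmp" "$2"; then
    rc=0
  else
    rc=$?
  fi
  rm -f "$tmp"
  return "$rc"
}

# find_pipe_to_shell FILE: print lines that pipe curl/wget straight into sh or bash
# (the unverified_script_exec pattern); return 1 when any are found, 0 when clean.
find_pipe_to_shell() {
  ! grep -nE '(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(ba)?sh([[:space:]]|$)' "$1"
}
```

Running find_pipe_to_shell over the two workflow files before and after the change is a quick local stand-in for the poutine acceptance criterion.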

Files to Modify

  • .github/workflows/copilot-setup-steps.yml — fix curl | bash at line ~17
  • .github/workflows/daily-copilot-token-report.md — fix curl | bash

Acceptance Criteria

  • curl | bash patterns either use immutable SHAs or are replaced with checksum-verified downloads
  • make recompile succeeds
  • make agent-finish passes
  • poutine no longer reports unverified_script_exec for these workflows

Generated by Plan Command for issue #discussion #18283

  • expires on Feb 27, 2026, 6:53 AM UTC
