Conversation
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Pull request overview
This PR aims to prevent development builds from leaking non-release version strings (e.g., git commit hashes) to running agents via the GH_AW_VERSION environment variable by emitting the real version only for release builds and using "dev" otherwise.
Changes:
- Update engine env construction to set `GH_AW_VERSION` to `GetVersion()` only when `IsRelease()` is true, otherwise `"dev"`.
- Regenerate compiled workflow lock files (`.lock.yml`) (currently still showing commit-hash values for `GH_AW_VERSION`).
Reviewed changes
Copilot reviewed 170 out of 170 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| pkg/workflow/copilot_engine_execution.go | Gate GH_AW_VERSION behind IsRelease() in Copilot execution env. |
| pkg/workflow/claude_engine.go | Gate GH_AW_VERSION behind IsRelease() in Claude execution env. |
| pkg/workflow/gemini_engine.go | Gate GH_AW_VERSION behind IsRelease() in Gemini execution env. |
| pkg/workflow/codex_engine.go | Gate GH_AW_VERSION behind IsRelease() in Codex execution env. |
| .github/workflows/*.lock.yml (many) | Updates compiled workflow env blocks; should reflect "dev" for GH_AW_VERSION when compiled from non-release builds. |
| GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} | ||
| GH_AW_VERSION: 0238dc8 | ||
| GH_AW_VERSION: 0ffaddb | ||
| GITHUB_API_URL: ${{ github.api_url }} |
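Review bot: the two `GH_AW_VERSION` values in this snippet, `0238dc8` and `0ffaddb`, are different commit hashes, so the committed lock files were compiled by at least two different non-release builds rather than in one pass. Regenerating every `.lock.yml` in a single run with the new engine logic should leave each env block at `GH_AW_VERSION: dev`; a grep for a bare hex value under that key before merging confirms none were missed.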
The compiled workflow still hardcodes GH_AW_VERSION to a git hash. With the new engine logic, non-release builds should emit GH_AW_VERSION: dev, so the .lock.yml files should be regenerated with a non-release build of gh aw to reflect that behavior (and avoid continuing to leak commit hashes to agents at runtime).
| // Include the compiler version so agents can identify which gh-aw version generated the workflow. | ||
| // Only emit the real version in release builds; otherwise use "dev". | ||
| if IsRelease() { | ||
| env["GH_AW_VERSION"] = GetVersion() | ||
| } else { | ||
| env["GH_AW_VERSION"] = "dev" | ||
| } |
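Review bot: the first comment line still says the value lets agents identify which gh-aw version generated the workflow, but with this change non-release builds emit the literal `"dev"`. Extend the comment to state that `"dev"` is a sentinel rather than a version, so consumers of `GH_AW_VERSION` do not try to parse it as one and anything expecting a semver-looking value handles the sentinel explicitly.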
This introduces new branching behavior for GH_AW_VERSION (release -> real version, non-release -> "dev"), but there doesn’t appear to be a unit test asserting the rendered step env contains the expected value in both modes. Adding/adjusting engine tests to cover both IsRelease()==false and IsRelease()==true would prevent regressions (especially since this value is emitted into committed .lock.yml workflows).
| if IsRelease() { | ||
| env["GH_AW_VERSION"] = GetVersion() | ||
| } else { | ||
| env["GH_AW_VERSION"] = "dev" | ||
| } |
The same IsRelease() / GetVersion() vs "dev" branching is now duplicated across multiple engines. Consider centralizing this into a small helper (e.g., a function that returns the value for GH_AW_VERSION, or a helper that sets it on an env map) to reduce repetition and the chance of future engines diverging.
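As an added example, not code from the gh-aw project or from this PR: a Go sketch of the centralized helper suggested above, exercised in both modes as the earlier comment about tests asks, plus a small scan of a compiled `.lock.yml` env block that flags commit-hash values under `GH_AW_VERSION` (the regression check for the lock files). `IsRelease()` and `GetVersion()` are replaced by stand-in variables with assumed signatures, and the lock-file snippet is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Stand-ins for gh-aw's IsRelease() and GetVersion() (assumed signatures; the
// real functions live in the repository). A non-release build is simulated,
// reporting a commit hash the way dev builds do.
var (
	isRelease  = func() bool { return false }
	getVersion = func() string { return "0238dc8" }
)

// agentVersion is the single decision point for GH_AW_VERSION: the real
// version only for release builds, the fixed sentinel "dev" otherwise, so a
// dev build never exposes a commit hash to the running agent.
func agentVersion(release bool, version string) string {
	if release {
		return version
	}
	return "dev"
}

// setAgentVersion applies the helper to an engine's env map so that every
// engine (copilot, claude, gemini, codex) shares one code path instead of
// repeating the branch.
func setAgentVersion(env map[string]string, release bool, version string) {
	env["GH_AW_VERSION"] = agentVersion(release, version)
}

// hashLike matches the kind of value a dev build must not emit: a bare
// abbreviated or full git SHA.
var hashLike = regexp.MustCompile(`^[0-9a-f]{7,40}$`)

// leakedVersions scans the text of a compiled .lock.yml and returns every
// GH_AW_VERSION value that looks like a commit hash. A clean set of lock
// files yields an empty result.
func leakedVersions(lockYAML string) []string {
	var leaks []string
	for _, line := range strings.Split(lockYAML, "\n") {
		key, value, ok := strings.Cut(strings.TrimSpace(line), ":")
		if !ok || key != "GH_AW_VERSION" {
			continue
		}
		if value = strings.TrimSpace(value); hashLike.MatchString(value) {
			leaks = append(leaks, value)
		}
	}
	return leaks
}

func main() {
	env := map[string]string{}
	setAgentVersion(env, isRelease(), getVersion())
	fmt.Println("GH_AW_VERSION =", env["GH_AW_VERSION"]) // dev

	// Constructed sample of an env block from a stale lock file.
	const stale = `
        env:
          GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
          GH_AW_VERSION: 0238dc8
          GITHUB_API_URL: ${{ github.api_url }}
`
	fmt.Println("leaked:", leakedVersions(stale)) // [0238dc8]
}
```

Running `leakedVersions` over the concatenated lock files in CI, and failing the build on a non-empty result, turns the review finding above into a check that cannot be skipped on the next regeneration.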
Summary
In all four engine files (`copilot_engine_execution.go`, `claude_engine.go`, `gemini_engine.go`, `codex_engine.go`), the `GH_AW_VERSION` environment variable was unconditionally set to `GetVersion()`. This meant that dev builds would expose a git commit hash or other non-release string to agents at runtime.
Changes
- `IsRelease()`: `GH_AW_VERSION = GetVersion()` (e.g. `v1.2.3`)
- otherwise: `GH_AW_VERSION = "dev"`