Skip to content

Generate poutine untrusted_checkout_exec suppression for workflow_call save-base steps#26552

Merged
pelikhan merged 5 commits intomainfrom
copilot/static-analysis-report-2026-04-15
Apr 16, 2026
Merged

Generate poutine untrusted_checkout_exec suppression for workflow_call save-base steps#26552
pelikhan merged 5 commits intomainfrom
copilot/static-analysis-report-2026-04-15

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Apr 16, 2026
edited
Loading

Daily static analysis reported new poutine untrusted_checkout_exec findings in the two workflow_call smoke workflows. The flagged executions were trusted setup scripts under ${RUNNER_TEMP}/gh-aw/actions/ but were missing explicit suppressions on one step in each lockfile.

  • Problem context

    • Static analysis regression: +2 untrusted_checkout_exec findings in:
      • .github/workflows/smoke-workflow-call.lock.yml
      • .github/workflows/smoke-workflow-call-with-inputs.lock.yml

  • Change made

    • Added the suppression at the compiler source so it is generated consistently:
      • Updated pkg/workflow/pr.go in generateSaveBaseGitHubFoldersStep to emit:
        • # poutine:ignore untrusted_checkout_exec
    • Recompiled the affected workflows so lockfiles include the generated suppression:
      • .github/workflows/smoke-workflow-call.lock.yml
      • .github/workflows/smoke-workflow-call-with-inputs.lock.yml
    • Updated related workflow compiler golden fixtures:
      • pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden
      • pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden

  • Why this location

    • The step executes save_base_github_folders.sh from ${RUNNER_TEMP}/gh-aw/actions/, populated by the trusted setup action in the same job, matching the intended suppression criteria from the report.
    • Placing this in compiler generation avoids lockfile-only drift and ensures future recompiles preserve the suppression.
- name: Save agent config folders for base branch restoration
  env:
    GH_AW_AGENT_FOLDERS: ".agents .claude .codex .gemini .github"
    GH_AW_AGENT_FILES: "AGENTS.md CLAUDE.md GEMINI.md"
  # poutine:ignore untrusted_checkout_exec
  run: bash "${RUNNER_TEMP}/gh-aw/actions/save_base_github_folders.sh"

[!WARNING]

Copilot AI linked an issue Apr 16, 2026 that may be closed by this pull request
[static-analysis] Report - 2026-04-15 #26489
Closed
5 tasks
Copilot AI and others added 2 commits April 16, 2026 04:03
Copilot AI changed the title [WIP] Update static analysis report for 2026-04-15 findings Suppress new poutine untrusted_checkout_exec findings in workflow_call smoke lockfiles Apr 16, 2026
Copilot AI requested a review from pelikhan April 16, 2026 04:08
@pelikhan
Copy link
Copy Markdown
Collaborator

pelikhan commented Apr 16, 2026

@copilot update the compiler code that generates those steps

Copilot AI and others added 2 commits April 16, 2026 05:26
Copy link
Copy Markdown
Contributor Author

Copilot AI commented Apr 16, 2026
edited
Loading

@copilot update the compiler code that generates those steps

Updated to generate this in compiler code: added # poutine:ignore untrusted_checkout_exec in generateSaveBaseGitHubFoldersStep (pkg/workflow/pr.go) and regenerated the two smoke workflow-call lockfiles. Included fixture updates for workflow golden tests. Commit: 8482cf9.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw tzcC/sQ1_Lstm3LLrev-parse ache/go/1.25.8/x--show-toplevel git rev-�� --show-toplevel ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile /usr/bin/git /ref/tags/v9 3NxN/fOrMapTM_Strev-parse sv git (http block)
  • https://api.github.com/orgs/test-owner/actions/secrets
    • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE y.s (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq [.object.sha, .object.type] | @tsv --show-toplevel go /opt/hostedtoolcache/node/24.14.1/x64/bin/node -json GO111MODULE 64/pkg/tool/linu--show-toplevel /opt/hostedtoolcache/node/24.14.1/x64/bin/node /tmp�� GOMODCACHE 64/pkg/tool/linu--auto /usr/bin/git g_.a rotocol/go-sdk@vrev-parse 64/pkg/tool/linu--show-toplevel git (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv /tmp/TestGuardPolicyMinIntegrityOnlymin-integrity_only_defaults_repo2710411089/001 config /usr/bin/git remote.origin.urgit 02/work 64/bin/go git -C /tmp/gh-aw-test-runs/20260416-053050-33173/test-4024757224 show ache/node/24.14.1/x64/bin/node -json GO111MODULE 64/bin/go git (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv g_.a Y9sJvruy0 ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE er GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu/tmp/go-build3584739112/b115/vet.cfg env 2kAZlPnX2 dE5S/nPvk3w7LQzW_3ywvdE5S ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE hlite GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv --show-toplevel 64/pkg/tool/linux_amd64/compile /usr/bin/git /workflows V3gqgd2UJ 64/pkg/tool/linu--show-toplevel git rev-�� it/ref/tags/v4 64/pkg/tool/linux_amd64/compile sv g_.a R30X4Bcts ache/go/1.25.8/x--show-toplevel git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv --show-toplevel /opt/hostedtoolcache/go/1.25.8/x-importcfg /usr/bin/git LSb9/FFPqv11X6qagit -trimpath (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv --show-toplevel eutil.test /usr/bin/git SROtdanAd GO111MODULE ache/go/1.25.8/x-m git rev-�� --show-toplevel ache/go/1.25.8/x5 /usr/bin/git 7144041/b157/_pkgit d/gh-aw-wasm/mairev-parse ache/go/1.25.8/x--show-toplevel git (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v9
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv go1.25.8 -c=4 -nolocalimports -importcfg /tmp/go-build1837144041/b253/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/pkg/fileutil/fileutil.go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE 64/bin/go GOINSECURE GOMOD e_wasm.s go env -json GO111MODULE x_amd64/asm GOINSECURE GOMOD GOMODCACHE x_amd64/asm (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv -json .go 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv image:v1.0.0 x_amd64/compile /usr/bin/git rity2708801121/0git GO111MODULE x_amd64/vet git rev-�� --show-toplevel x_amd64/vet /usr/bin/git -json GO111MODULE 64/pkg/tool/linu--show-toplevel git (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv om/owner/repo.git -extld=gcc /usr/bin/git rity2708801121/0git GO111MODULE x_amd64/vet git rev-�� --show-toplevel x_amd64/vet /usr/bin/git -json @v1.1.3/internalrev-parse 64/pkg/tool/linu--show-toplevel git (http block)
  • https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv t0 -trimpath (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq [.object.sha, .object.type] | @tsv --get remote.origin.url /opt/hostedtoolcache/node/24.14.1/x64/bin/node repo2507392835/0git GO111MODULE nch,headSha,disp--show-toplevel node /tmp�� /home/REDACTED/work/gh-aw/gh-aw/.github/workflows/ace-editor.md x_amd64/vet /usr/bin/infocmp -json GO111MODULE 64/pkg/tool/linu--show-toplevel infocmp (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv g/timeutil/format.go g/timeutil/format_test.go /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet -goversion go1.25.8 -c=4 /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet -ato�� -bool -buildtags /usr/bin/gh -errorsas -ifaceassert -nilfunc gh (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv sistency_GoAndJavaScript1377577806/001/test-simple-frontmatter.md stmain.go ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet -p github.com/githurev-parse -lang=go1.25 ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet remo�� -v -goversion /usr/bin/git -c=4 -nolocalimports -importcfg git (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name 0/language/coverage.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD abis 64/pkg/tool/linux_amd64/compile env 2794426755 ortcfg ache/go/1.25.8/x64/pkg/tool/linu-nilfunc GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-tests (http block)
    • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD abis 64/pkg/tool/linux_amd64/compile env 3025274970/.github/workflows ortcfg util.test GOINSECURE flow GOMODCACHE util.test (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env g_.a 5-yTJqrnP /opt/hostedtoolcache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 0/internal/stringset/set.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD abis WKKjjpb/pnOHWmOW0VPsKVyXPZlC env 298955460 LamLkoYmy 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env g_.a uVfRvwDwi /opt/hostedtoolcache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD abis 64/pkg/tool/linux_amd64/compile 64/s�� 298955460 GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name 4/apic.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD abis 64/pkg/tool/linutest@example.com env 2794426755 bBouUBHdz ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE util GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 rotocol/go-sdk@v1.5.0/mcp/client.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD abis 64/pkg/tool/linux_amd64/compile env 3025274970/.github/workflows GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE er GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-importcfg (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name til.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env 2794426755 DfcRFzBGz 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 rotocol/go-sdk@v-nolocalimports 64/pkg/tool/linu-importcfg GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linutest@example.com env g_.a sYAOo28ie ache/go/1.25.8/x64/pkg/tool/linux_amd64/asm GOINSECURE go-sdk/mcp GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/asm (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE essage abis 64/pkg/tool/linux_amd64/compile env 2794426755 ke8fejfLv 64/pkg/tool/linux_amd64/link GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/link (http block)
    • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 rotocol/go-sdk@v1.5.0/oauthex/auth_meta.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linuTest User env g_.a GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE go-sdk/auth GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-trimpath (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD abis 64/pkg/tool/linux_amd64/compile env g_.a fG0BeREzZ ache/go/1.25.8/x64/pkg/tool/linu-test.short=true GOINSECURE g GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 n.go 64/pkg/tool/linux_amd64/link GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/link env 3025274970 GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/asm GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/asm (http block)
  • https://api.github.com/repos/github/gh-aw/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 GOMOD GOMODCACHE go env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 GOMOD GOMODCACHE 64/pkg/tool/linuremote1 env g_.a Fs27lbYse 64/pkg/tool/linux_amd64/compile GOINSECURE a20 GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv --show-toplevel 64/pkg/tool/linux_amd64/link /usr/bin/git 525900665/001 GO111MODULE ortcfg.link git rev-�� --show-toplevel C8VDaeR5BBetMK-NLH/Nv2_tVD2ybqix43F4gVV/exMRDV8Gho9PK6LCawUa /usr/bin/git 7144041/b185/_pkls om/modelcontextp-lh g_.a git (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv g_.a Fs27lbYse 64/pkg/tool/linux_amd64/compile GOINSECURE a20 GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE x_amd64/asm GOINSECURE GOMOD GOMODCACHE x_amd64/asm env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE x_amd64/asm GOINSECURE GOMOD GOMODCACHE x_amd64/asm env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE x_amd64/asm GOINSECURE GOMOD GOMODCACHE x_amd64/asm env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE iE8t3kR/vbNrLVZ2rev-parse (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv tants.go ne_constants.go x_amd64/vet GOINSECURE js.o 64/src/syscall/j--get x_amd64/vet env g_.a 1iP8YSgUm ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linuTest User (http block)
  • https://api.github.com/repos/nonexistent/repo/actions/runs/12345
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env IIAr-WTp5 GO111MODULE ck GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile (http block)
  • https://api.github.com/repos/owner/repo/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/owner/repo/contents/file.md
    • Triggering command: /tmp/go-build3584739112/b400/cli.test /tmp/go-build3584739112/b400/cli.test -test.testlogfile=/tmp/go-build3584739112/b400/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true -nolocalimports -importcfg /tmp/go-build1837144041/b224/importcfg -pack env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/test-owner/test-repo/actions/secrets
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title Suppress new poutine untrusted_checkout_exec findings in workflow_call smoke lockfiles Generate poutine untrusted_checkout_exec suppression for workflow_call save-base steps Apr 16, 2026
@pelikhan pelikhan marked this pull request as ready for review April 16, 2026 05:49
Copilot AI review requested due to automatic review settings April 16, 2026 05:49
@pelikhan pelikhan merged commit 4eb6e54 into main Apr 16, 2026
54 checks passed
@pelikhan pelikhan deleted the copilot/static-analysis-report-2026-04-15 branch April 16, 2026 05:49
Copilot AI reviewed Apr 16, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes newly reported poutine static-analysis untrusted_checkout_exec findings by ensuring the workflow compiler consistently emits an explicit suppression comment for the “save base GitHub folders” step that runs a trusted setup script from ${RUNNER_TEMP}/gh-aw/actions/.

Changes:

  • Updated the workflow compiler to generate # poutine:ignore untrusted_checkout_exec immediately before running save_base_github_folders.sh.
  • Recompiled the affected workflow_call smoke workflow lockfiles so the generated suppression is present.
  • Updated workflow compiler golden fixtures to match the newly generated YAML.
Show a summary per file
File Description
pkg/workflow/pr.go Adds generation of the poutine suppression comment for the save-base step.
.github/workflows/smoke-workflow-call.lock.yml Regenerated lockfile to include the suppression on the relevant step.
.github/workflows/smoke-workflow-call-with-inputs.lock.yml Regenerated lockfile to include the suppression on the relevant step.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden Updates golden output to reflect the new generated suppression line.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden Updates golden output to reflect the new generated suppression line.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 5/5 changed files
  • Comments generated: 0

@github-actions github-actions bot mentioned this pull request Apr 16, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

+1 more reviewer

@pelikhan pelikhan pelikhan approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@pelikhan pelikhan

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[static-analysis] Report - 2026-04-15

3 participants

@pelikhan