
ci: include runner-guard in cgo security-scan matrix #27745

Merged
pelikhan merged 2 commits into main from copilot/add-runner-guard-to-security-scan
Apr 22, 2026

Copilot AI commented Apr 22, 2026

This updates CI parity between the daily static-analysis workflow and main-branch push checks by adding runner-guard to the security-scan matrix in cgo.yml. As a result, taint analysis now runs alongside existing workflow security scanners in the same matrix job.

  • Security scan matrix update

    • Added a new matrix entry to jobs.security-scan.strategy.matrix.tool:
      • name: runner-guard
      • flag: --runner-guard
    • Existing entries (zizmor, actionlint, poutine) remain unchanged.
  • Execution behavior

    • The security-scan job continues to run ./gh-aw compile poem-bot <flag> --verbose per matrix item; this change extends that pattern to runner-guard without altering job structure or concurrency behavior.

matrix:
  tool:
    - name: zizmor
      flag: --zizmor
    - name: actionlint
      flag: --actionlint
    - name: poutine
      flag: --poutine
    - name: runner-guard
      flag: --runner-guard

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:


If you need me to access, download, or install something from one of these locations, you can either:

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/8a4e1835-0b8e-4535-9583-7cb5766a10fc

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Add runner-guard to security-scan matrix ci: include runner-guard in cgo security-scan matrix Apr 22, 2026
Copilot AI requested a review from pelikhan April 22, 2026 03:04
@pelikhan pelikhan marked this pull request as ready for review April 22, 2026 03:14
Copilot AI review requested due to automatic review settings April 22, 2026 03:14
@pelikhan pelikhan merged commit b257978 into main Apr 22, 2026
19 checks passed
@pelikhan pelikhan deleted the copilot/add-runner-guard-to-security-scan branch April 22, 2026 03:14

Copilot AI left a comment

Pull request overview

Updates CI parity by adding the runner-guard scanner to the security-scan job’s matrix in .github/workflows/cgo.yml, so it runs alongside existing security tools on main.

Changes:

  • Added runner-guard as a new jobs.security-scan.strategy.matrix.tool entry with flag: --runner-guard.
  • Extends the existing per-matrix-item ./gh-aw compile poem-bot <flag> --verbose execution pattern to include runner-guard.

File | Description
.github/workflows/cgo.yml | Adds runner-guard to the security scan matrix so it runs as an additional scanner in CI on main.

Copilot's findings

  • Files reviewed: 1/1 changed files
  • Comments generated: 0
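
A parity check for the matrix shown in the PR description, added here as an example and not part of the PR or the gh-aw repository: it extracts the scanner flags, expands them into the per-item command the job runs, and reports any required scanner that is missing. The required set, the constructed pre-change matrix and the function names are assumptions.

```python
import re
import sys

# Matrix as shown in the PR description (jobs.security-scan.strategy.matrix).
MATRIX_AFTER = """\
matrix:
  tool:
    - name: zizmor
      flag: --zizmor
    - name: actionlint
      flag: --actionlint
    - name: poutine
      flag: --poutine
    - name: runner-guard
      flag: --runner-guard
"""

# Constructed "before" state: the same matrix without the entry this PR adds.
MATRIX_BEFORE = MATRIX_AFTER.replace(
    "    - name: runner-guard\n      flag: --runner-guard\n", ""
)

# Assumption: the scanners the daily static-analysis workflow is expected to run.
REQUIRED_FLAGS = frozenset(
    {"--zizmor", "--actionlint", "--poutine", "--runner-guard"}
)

# One matrix entry: a "- name: X" line followed directly by a "flag: Y" line.
ENTRY = re.compile(
    r"^[ \t]*-[ \t]*name:[ \t]*(?P<name>\S+)[ \t]*\n"
    r"[ \t]*flag:[ \t]*(?P<flag>\S+)[ \t]*$",
    re.MULTILINE,
)


def matrix_tools(yaml_text):
    """Return [(name, flag), ...] for every name/flag pair in the matrix text."""
    return [(m["name"], m["flag"]) for m in ENTRY.finditer(yaml_text)]


def expand_commands(yaml_text, workflow="poem-bot"):
    """Expand the matrix into the command the job runs for each item."""
    return [
        f"./gh-aw compile {workflow} {flag} --verbose"
        for _, flag in matrix_tools(yaml_text)
    ]


def parity_gaps(yaml_text, required=REQUIRED_FLAGS):
    """Compare the flags present in the matrix with the required set."""
    present = {flag for _, flag in matrix_tools(yaml_text)}
    return {
        "missing": sorted(set(required) - present),
        "extra": sorted(present - set(required)),
    }


def check(yaml_text):
    """Return 0 when every required scanner is in the matrix, 1 otherwise."""
    gaps = parity_gaps(yaml_text)
    for flag in gaps["missing"]:
        print(f"security-scan matrix is missing scanner flag {flag}")
    return 1 if gaps["missing"] else 0


if __name__ == "__main__":
    for command in expand_commands(MATRIX_AFTER):
        print(command)
    sys.exit(check(MATRIX_AFTER))
```
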

@github-actions github-actions Bot mentioned this pull request Apr 22, 2026

Development

Successfully merging this pull request may close these issues.

[q] ci: add runner-guard to security-scan matrix (#27661)
