fix(security): replace curl-pipe-bash with actions/setup-cli (RGS-006) #29209

Closed
Copilot wants to merge 4 commits into main from copilot/rgs-006-fix-remote-code-execution

Contributor

Copilot AI commented Apr 29, 2026

copilot-token-audit.lock.yml (and its source imports) used curl -fsSL .../refs/heads/main/install-gh-aw.sh | bash — a mutable branch reference piped directly to bash. Static analysis flagged this as RGS-006 (curl-pipe-bash RCE vector).

Changes

Source workflow files

  • .github/workflows/copilot-setup-steps.yml — checkout moved first, install step now uses ./actions/setup-cli with version: latest
  • .github/workflows/shared/mcp/gh-aw.md — conditional fallback uses gh extension install (only triggers if gh-aw is not pre-installed)

Go codegen (pkg/cli/copilot_setup.go)

  • Dev-mode YAML template updated to emit a checkout step + github/gh-aw/actions/setup-cli@main with version: latest (mirrors the release-mode pattern)
  • Detection logic: hasCurlBashInstall (legacy curl-pipe-bash), hasActionInstall (setup-cli), and hasGHExtensionInstall (gh extension install) all retained for backward compatibility
  • renderCopilotSetupUpdateInstructions emits the checkout + setup-cli pattern in instructions

Before → After

# Before (vulnerable)
- name: Install gh-aw extension
  run: curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh | bash

# After
- name: Checkout repository
  uses: actions/checkout@v6
- name: Install gh-aw extension
  uses: github/gh-aw/actions/setup-cli@main  # or ./actions/setup-cli for in-repo use
  with:
    version: latest

Lock files — all 205 workflows recompiled; copilot-token-audit.lock.yml and copilot-token-optimizer.lock.yml are the two directly affected.

Tests — assertions updated to check for actions/setup-cli; backward-compat fixtures retained since old curl-pipe-bash and gh extension install patterns are still recognized and not overwritten.
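
An added example, not code from gh-aw or from this PR: a small Go scanner for the three install patterns the description names (curl-pipe-bash, the setup-cli action, `gh extension install`) that also reports whether each reference is immutable. `Scan`, `Finding` and `sample` are hypothetical names; the sample reuses the Before/After lines above plus two constructed entries, one with a placeholder SHA.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding classifies one workflow line that installs or references external code.
type Finding struct {
	Line   int
	Kind   string // curl-pipe-shell | gh-extension | action | local-action
	Ref    string // branch, tag or SHA the line resolves through ("" if none)
	Pinned bool   // true only when the same reference cannot later yield different code
}

var (
	curlPipeShell = regexp.MustCompile(`\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b`)
	branchInURL   = regexp.MustCompile(`refs/heads/[^/\s]+`)
	ghExtInstall  = regexp.MustCompile(`\bgh\s+extension\s+install\s+\S+`)
	usesTarget    = regexp.MustCompile(`^(?:-\s*)?uses:\s*([^\s#]+)`)
	fullSHA       = regexp.MustCompile(`^[0-9a-f]{40}$`)
)

// Scan walks a workflow line by line (no YAML parsing) and reports install patterns.
func Scan(workflow string) []Finding {
	var out []Finding
	for i, raw := range strings.Split(workflow, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue // blank lines and YAML comments carry no steps
		}
		switch {
		case curlPipeShell.MatchString(line):
			// Downloaded bytes go straight to a shell; nothing is verified first.
			out = append(out, Finding{i + 1, "curl-pipe-shell", branchInURL.FindString(line), false})
		case ghExtInstall.MatchString(line):
			// gh extension install accepts --pin to fix a tag or commit.
			out = append(out, Finding{i + 1, "gh-extension", "", strings.Contains(line, "--pin")})
		default:
			m := usesTarget.FindStringSubmatch(line)
			if m == nil {
				continue
			}
			if at := strings.LastIndex(m[1], "@"); at >= 0 {
				ref := m[1][at+1:]
				// Branches and tags can be moved; only a full commit SHA is immutable.
				out = append(out, Finding{i + 1, "action", ref, fullSHA.MatchString(ref)})
			} else if strings.HasPrefix(m[1], "./") {
				// Local action: resolved from the workspace, so it follows the checkout.
				out = append(out, Finding{i + 1, "local-action", "", true})
			}
		}
	}
	return out
}

// Constructed sample: Before/After lines from the PR description plus two added entries.
const sample = `steps:
  - run: curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh | bash
  - uses: actions/checkout@v6
  - uses: github/gh-aw/actions/setup-cli@main  # or ./actions/setup-cli for in-repo use
  - uses: ./actions/setup-cli
  - uses: example/action@0123456789abcdef0123456789abcdef01234567
`

func main() {
	for _, f := range Scan(sample) {
		fmt.Printf("line %d  %-15s ref=%q pinned=%v\n", f.Line, f.Kind, f.Ref, f.Pinned)
	}
}
```

Under this rule the `@v6` and `@main` references in the After form are reported as unpinned, since a tag or branch can be repointed; only the 40-hex SHA entry and the workspace-local action count as fixed.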

Copilot AI and others added 2 commits April 29, 2026 23:34
…mediate RGS-006

Replace `curl -fsSL ... | bash` with `gh extension install github/gh-aw`
in all gh-aw installation steps to eliminate the curl-pipe-bash remote
code execution vector (RGS-006).

Changes:
- .github/workflows/copilot-setup-steps.yml: use gh extension install
- .github/workflows/shared/mcp/gh-aw.md: use gh extension install in fallback
- pkg/cli/copilot_setup.go: update dev-mode template + recognition logic
- pkg/cli/copilot_setup_test.go, init_mcp_test.go: update tests

Recompile all lock files (205 workflows) to propagate the fix.

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/16240971-387e-441e-997c-6205297382b6

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…function name per code review

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/16240971-387e-441e-997c-6205297382b6

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix remote code execution vulnerability in copilot-token-audit.lock.yml fix(security): replace curl-pipe-bash with gh extension install (RGS-006) Apr 29, 2026
Copilot AI requested a review from pelikhan April 29, 2026 23:40
@pelikhan
Collaborator

@copilot use actions/setup-cli to install gh-aw

…xtension install

Per @pelikhan review feedback, replace `gh extension install github/gh-aw`
with the `actions/setup-cli` action in all dev-mode installation steps:

- .github/workflows/copilot-setup-steps.yml: reorder checkout first,
  then use ./actions/setup-cli with version: latest
- pkg/cli/copilot_setup.go: dev-mode template uses
  github/gh-aw/actions/setup-cli@main (adds checkout step)
- renderCopilotSetupUpdateInstructions: show checkout + setup-cli in instructions
- Tests updated to assert setup-cli pattern; backward-compat detection
  retained for existing files using gh extension install or curl-pipe-bash

Recompile all 205 lock files.

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/c6515ff4-e02b-48b7-83c3-81c5b3f62d8d

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented Apr 30, 2026

@copilot use actions/setup-cli to install gh-aw

Done in 832e460.

  • .github/workflows/copilot-setup-steps.yml: checkout moved first, install step now uses ./actions/setup-cli with version: latest
  • pkg/cli/copilot_setup.go dev-mode template: generates github/gh-aw/actions/setup-cli@main + checkout step (mirrors what release mode already does)
  • Backward compat retained — existing files using gh extension install or the old curl pattern are still recognized as up-to-date

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:


If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title fix(security): replace curl-pipe-bash with gh extension install (RGS-006) fix(security): replace curl-pipe-bash with actions/setup-cli (RGS-006) Apr 30, 2026
@pelikhan pelikhan closed this Apr 30, 2026

Successfully merging this pull request may close these issues.

[static-analysis] RGS-006: Curl-Pipe-Bash Remote Code Execution in copilot-token-audit.lock.yml

2 participants