[aw-compat] Add gh aw fix codemod to auto-set checkout: false for safe pull_request_target workflows#30596

Merged: pelikhan merged 4 commits into main from copilot/add-checkout-false-for-pull-request-target on May 6, 2026

Conversation

Contributor

Copilot AI commented May 6, 2026

Daily cross-repo compile audits show pull_request_target without checkout: false as the top failure mode, and gh aw fix did not remediate it. This PR adds a targeted codemod so safe cases are auto-fixed during gh aw fix --write.

  • What changed

    • Added new codemod: pull-request-target-checkout-false.
    • Detects workflows where:
      • on.pull_request_target is present
      • checkout: false is missing (or checkout: true)
    • Applies frontmatter edit to insert/normalize checkout: false.
  • Safety gating (no auto-fix in risky/ambiguous cases)

    • Codemod now skips when workflow content appears to explicitly checkout PR code, including markers like:
      • actions/checkout
      • gh pr checkout
      • git checkout
      • refs/pull/
    • Codemod also skips when frontmatter explicitly sets:
      • strict: false
  • Registry + coverage updates

    • Registered codemod in GetAllCodemods() in deterministic order.
    • Updated codemod registry tests (count, inclusion, order).
    • Added focused codemod tests for apply/skip paths, including strict: false no-op behavior.

```yaml
# before
---
on:
  pull_request_target:
description: Review PR metadata
---
```

```yaml
# after (auto-applied when no explicit checkout usage is detected)
---
on:
  pull_request_target:
checkout: false
description: Review PR metadata
---
```

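As an added example (not code from the gh-aw project or from this PR), here is a simplified Go reimplementation of the gating described above: it works on the raw frontmatter text line by line instead of the project's YAML parser, and the names `FixPullRequestTargetCheckout`, `Decision` and the regexes are assumptions of this sketch. It also handles the inline `on: pull_request_target` and list forms, which the PR text does not mention.

```go
package main

import (
	"regexp"
	"strings"
)

// Decision records why the codemod did or did not rewrite a workflow file.
type Decision string

const (
	Applied              Decision = "applied"
	SkipNoFrontmatter    Decision = "skip: no frontmatter"
	SkipNoPRTarget       Decision = "skip: no on.pull_request_target"
	SkipAlreadyFalse     Decision = "skip: checkout already false"
	SkipStrictFalse      Decision = "skip: strict: false set explicitly"
	SkipExplicitCheckout Decision = "skip: workflow appears to check out PR code"
)

var (
	// The PR's markers of an explicit PR checkout; any one of them blocks the auto-fix.
	checkoutMarkers = []string{"actions/checkout", "gh pr checkout", "git checkout", "refs/pull/"}
	onRe            = regexp.MustCompile(`^on\s*:(.*)$`)
	prTargetRe      = regexp.MustCompile(`^\s+-?\s*pull_request_target\b`)
	checkoutRe      = regexp.MustCompile(`^checkout\s*:\s*(\S*)`)
	strictFalseRe   = regexp.MustCompile(`^strict\s*:\s*false\b`)
)

// onBlock finds the top-level "on:" key in lines[1:fmEnd]; it returns the index of the
// first line after its indented block (-1 if absent) and whether pull_request_target is declared.
func onBlock(lines []string, fmEnd int) (end int, hasPRTarget bool) {
	for i := 1; i < fmEnd; i++ {
		m := onRe.FindStringSubmatch(lines[i])
		if m == nil {
			continue
		}
		hasPRTarget = strings.Contains(m[1], "pull_request_target") // inline scalar or list
		for end = i + 1; end < fmEnd; end++ {
			l := lines[end]
			if strings.TrimSpace(l) != "" && !strings.HasPrefix(l, " ") && !strings.HasPrefix(l, "\t") {
				break // reached the next top-level key
			}
			if prTargetRe.MatchString(l) {
				hasPRTarget = true
			}
		}
		return end, hasPRTarget
	}
	return -1, false
}

// FixPullRequestTargetCheckout mirrors the PR's gating: it rewrites only a workflow whose
// frontmatter declares on.pull_request_target, does not set "strict: false", and whose
// content shows no explicit PR checkout. It returns the (possibly unchanged) document.
func FixPullRequestTargetCheckout(doc string) (string, Decision) {
	lines := strings.Split(doc, "\n")
	fmEnd := -1 // index of the closing "---" of the leading frontmatter block
	if len(lines) > 0 && strings.TrimSpace(lines[0]) == "---" {
		for i := 1; i < len(lines) && fmEnd < 0; i++ {
			if strings.TrimSpace(lines[i]) == "---" {
				fmEnd = i
			}
		}
	}
	if fmEnd < 0 {
		return doc, SkipNoFrontmatter
	}
	onEnd, hasPRTarget := onBlock(lines, fmEnd)
	if onEnd < 0 || !hasPRTarget {
		return doc, SkipNoPRTarget
	}
	checkoutIdx := -1
	for i := 1; i < fmEnd; i++ {
		if strictFalseRe.MatchString(lines[i]) {
			return doc, SkipStrictFalse
		}
		if m := checkoutRe.FindStringSubmatch(lines[i]); m != nil {
			if m[1] == "false" {
				return doc, SkipAlreadyFalse
			}
			checkoutIdx = i
		}
	}
	for _, marker := range checkoutMarkers {
		if strings.Contains(strings.ToLower(doc), marker) {
			return doc, SkipExplicitCheckout
		}
	}
	if checkoutIdx >= 0 {
		// Normalize an explicit "checkout: true" (or any other value) in place.
		lines[checkoutIdx] = "checkout: false"
		return strings.Join(lines, "\n"), Applied
	}
	// Otherwise insert the key right after the on: block, as in the PR's "after" example.
	out := append([]string{}, lines[:onEnd]...)
	out = append(out, "checkout: false")
	out = append(out, lines[onEnd:]...)
	return strings.Join(out, "\n"), Applied
}
```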

Copilot AI changed the title from "[WIP] Codemod proposal to auto-add checkout: false for pull_request_target workflows" to "[aw-compat] Add gh aw fix codemod to auto-set checkout: false for safe pull_request_target workflows" May 6, 2026
Copilot AI requested a review from pelikhan May 6, 2026 12:09
Collaborator

pelikhan commented May 6, 2026

@copilot do not apply on strict: false

@pelikhan pelikhan marked this pull request as ready for review May 6, 2026 12:50
Copilot AI review requested due to automatic review settings May 6, 2026 12:50
Contributor Author

Copilot AI commented May 6, 2026

> @copilot do not apply on strict: false

Implemented in 92a85e2. The codemod now exits early when frontmatter explicitly sets strict: false, and I added a focused test (does not modify when strict is explicitly false) to lock that behavior.

> [!WARNING]
> Firewall rules blocked me from connecting to one or more addresses.
>
> I tried to connect to the following addresses, but was blocked by firewall rules:

    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv ./../pkg/workflow/js/**/*.json' --ignore-path gh x_amd64/vet 3c5ec60b..HEAD --jq /usr/bin/gh x_amd64/vet rev-�� --show-toplevel gh bin/sh ithub-script/git/opt/hostedtoolcache/node/24.14.1/x64/bin/node --jq bject.type] | @tValue: ${{ github.actor }} git (http block)
  • https://api.github.com/repos/nonexistent/repo/actions/runs/12345
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE go env ApprovalLabelsCompiledOutput916928678/001 GO111MODULE /opt/hostedtoolcache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion /ref/tags/v9 erignore sv sh ache�� 5206-38071/test-191941871/.github/workflows sed on rkflow/js/**/*.j/usr/bin/git git erignore bash (http block)
  • https://api.github.com/repos/owner/repo/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go -json GO111MODULE 64/bin/go go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh workflow list --repo owner/repo --json name,path,state 2416804/b424/vet.cfg GOINSECURE GOMOD GOMODCACHE go env runs/20260506-124836-25650/test-485971951/.github/workflows GO111MODULE /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo /usr/bin/infocmp --show-toplevel git /usr/bin/git infocmp -1 w/js/**/*.json' --ignore-path git x_amd64/vet ithub-script/gitgh git bject.type] | @t/repos/actions/github-script/git/ref/tags/v9 x_amd64/vet (http block)
  • https://api.github.com/repos/test-owner/test-repo/actions/secrets
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name prettier --check 64/bin/go --ignore-path .prettierignore 64/bin/go go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name h ../../../.prettierignore git (http block)
  • https://api.github.com/repos/test/repo
    • Triggering command: /usr/bin/gh gh api /repos/test/repo --jq .default_branch /tmp/gh-aw-test-runs/20260506-124836-25650/test-source-field-variant-2752912636 show /usr/lib/git-core/git GOSUMDB GOWORK 64/bin/go /usr/lib/git-core/git unpa�� --pack_header=2,3 l (http block)
    • Triggering command: /usr/bin/gh gh api /repos/test/repo --jq .default_branch -stringintconv -tests /usr/bin/git /repos/actions/ggit --jq _modules/.bin/no--show-toplevel git rev-�� --show-toplevel git /usr/bin/git --show-toplevel infocmp /usr/bin/git git (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI left a comment

Pull request overview

Adds a new gh aw fix codemod to automatically enforce checkout: false for safe pull_request_target workflows, along with registry and test updates to ensure deterministic inclusion and ordering.

Changes:

  • Added pull-request-target-checkout-false codemod to insert/normalize checkout: false when on.pull_request_target is present and no explicit checkout usage is detected.
  • Registered the new codemod in GetAllCodemods() and updated registry tests (count, inclusion, order).
  • Added focused unit tests covering apply/skip scenarios for the new codemod.
Summary per file:

  • pkg/cli/fix_codemods.go: registers the new codemod in the global codemod list (deterministic order).
  • pkg/cli/fix_codemods_test.go: updates registry tests to account for the new codemod (count/inclusion/order).
  • pkg/cli/codemod_pull_request_target_checkout_false.go: implements the new codemod logic and safety gating.
  • pkg/cli/codemod_pull_request_target_checkout_false_test.go: adds unit tests for apply/skip behavior of the new codemod.

Copilot's findings

  • Files reviewed: 4/4 changed files
  • Comments generated: 2

Comment on lines +154 to +162
if idx := strings.Index(valueAndComment, "#"); idx >= 0 {
comment = valueAndComment[idx:]
}

if comment == "" {
return "checkout: false", true
}

return "checkout: false" + comment, true
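
Review bot: the inline comment loses the whitespace that separated it from the value. comment = valueAndComment[idx:] starts at the "#" and the final return concatenates "checkout: false" + comment with nothing in between, so a line such as "checkout: true  # metadata review only" comes back as "checkout: false# metadata review only". Walk idx back over the spaces/tabs that precede the "#" (or include that leading whitespace in the slice) so the author's spacing survives, and add a test case with a two-space gap before the comment so the behaviour is pinned down.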
Comment on lines +81 to +88

func hasExplicitCheckoutCommands(content string) bool {
lowerContent := strings.ToLower(content)

unsafeCheckoutPatterns := []string{
"actions/checkout",
"uses: actions/checkout",
"gh pr checkout",
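
Review bot: lowercasing the content and then matching fixed substrings misses whitespace variants. "git  checkout" (two spaces), "gh pr\tcheckout" or a command split across a line continuation do not contain "gh pr checkout" byte for byte, so the gate stays silent and the codemod would set checkout: false on a workflow that really does check out PR code. Match each marker with a regexp that tolerates whitespace, for example (?i)\bgit\s+checkout\b, rather than strings.Contains on lowerContent. Two smaller points: "uses: actions/checkout" is redundant because "actions/checkout" already matches every line that contains it, and since the scan covers the whole file, prose in the markdown body that merely mentions git checkout also triggers a skip. That errs on the safe side, but it deserves a sentence in the function comment so nobody later narrows the scan to the frontmatter.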

pelikhan commented May 6, 2026

@copilot review all comments


Copilot AI commented May 6, 2026

@copilot review all comments

Done in 48119a3. I reviewed and addressed all actionable review comments: fixed inline checkout: comment spacing preservation and hardened git checkout detection to cover whitespace variants, with focused tests added for both paths.
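
The codemod discussed in this thread, written out end to end as an added example that is not part of this PR or of the gh-aw code base: it locates on.pull_request_target in the frontmatter, inserts or normalizes checkout: false, and refuses to touch the file when an explicit checkout marker appears anywhere in it or when strict: false is set. It also carries the two follow-up fixes mentioned above, whitespace-tolerant marker matching and preservation of the spacing before an inline comment. Every function name here, the regexp marker list and the sample workflow text are assumptions constructed for illustration; the real implementation lives in pkg/cli/codemod_pull_request_target_checkout_false.go and is not reproduced.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Markers of an explicit PR checkout (assumed list modelled on the PR description).
// (?i) ignores case; \s+ tolerates whitespace variants such as "git  checkout".
// HasExplicitCheckout is the safety gate: a marker anywhere in the file means skip.
var explicitCheckout = regexp.MustCompile(
	`(?i)actions/checkout|\bgh\s+pr\s+checkout\b|\bgit\s+checkout\b|refs/pull/`)

func HasExplicitCheckout(content string) bool { return explicitCheckout.MatchString(content) }

// splitFrontmatter returns the lines between the "---" delimiters and the rest of
// the document (starting at the closing "---"), or ok=false without frontmatter.
func splitFrontmatter(content string) (front []string, rest string, ok bool) {
	lines := strings.Split(content, "\n")
	if strings.TrimSpace(lines[0]) != "---" {
		return nil, content, false
	}
	for i := 1; i < len(lines); i++ {
		if strings.TrimSpace(lines[i]) == "---" {
			return lines[1:i], strings.Join(lines[i:], "\n"), true
		}
	}
	return nil, content, false
}

// topLevelKey returns the key of a non-indented "key: value" line, else "".
func topLevelKey(line string) string {
	if line == "" || line[0] == ' ' || line[0] == '\t' || line[0] == '#' {
		return ""
	}
	key, _, _ := strings.Cut(line, ":")
	return strings.TrimSpace(key)
}

// valueOf returns the value of a "key: value # comment" line, comment stripped.
func valueOf(line string) string {
	_, val, _ := strings.Cut(line, ":")
	val, _, _ = strings.Cut(val, "#")
	return strings.TrimSpace(val)
}

// normalizeCheckoutLine rewrites the line to "checkout: false" and keeps an inline
// comment together with the whitespace before it ("true  # x" -> "false  # x").
func normalizeCheckoutLine(line string) string {
	_, rest, _ := strings.Cut(line, ":")
	start := strings.Index(rest, "#")
	if start < 0 {
		return "checkout: false"
	}
	for start > 0 && (rest[start-1] == ' ' || rest[start-1] == '\t') {
		start-- // back up over the spaces/tabs separating value and comment
	}
	return "checkout: false" + rest[start:]
}

// ApplyCheckoutFalse returns the rewritten workflow and true when it changed it,
// otherwise the input and false (no pull_request_target, compliant, or gated).
func ApplyCheckoutFalse(content string) (string, bool) {
	front, rest, ok := splitFrontmatter(content)
	if !ok || HasExplicitCheckout(content) {
		return content, false
	}
	inOn, hasPRTarget, checkoutIdx, onBlockEnd := false, false, -1, len(front)
	for i, line := range front {
		if key := topLevelKey(line); key != "" {
			if inOn && onBlockEnd == len(front) {
				onBlockEnd = i // first top-level key after the on: block
			}
			inOn = key == "on"
			if key == "strict" && valueOf(line) == "false" {
				return content, false // explicit opt-out: never auto-fix
			}
			if key == "checkout" {
				checkoutIdx = i
			}
			continue
		}
		if inOn && strings.HasPrefix(strings.TrimSpace(line), "pull_request_target") {
			hasPRTarget = true
		}
	}
	if !hasPRTarget || (checkoutIdx >= 0 && valueOf(front[checkoutIdx]) == "false") {
		return content, false // not applicable, or already compliant
	}
	if checkoutIdx >= 0 {
		front[checkoutIdx] = normalizeCheckoutLine(front[checkoutIdx])
	} else { // insert right after the on: block, as in the PR's "after" example
		front = append(front[:onBlockEnd], append([]string{"checkout: false"}, front[onBlockEnd:]...)...)
	}
	return "---\n" + strings.Join(front, "\n") + "\n" + rest, true
}

func main() { // constructed sample modelled on the PR description's "before" workflow
	after, changed := ApplyCheckoutFalse("---\non:\n  pull_request_target:\ndescription: Review PR metadata\n---\n")
	fmt.Printf("changed=%v\n%s", changed, after)
}
```

The gate runs over the whole file on purpose: a marker in the markdown body is exactly the case where auto-adding checkout: false could silently break a workflow, so a false skip is the cheap direction of error, while the frontmatter walk only needs to recognise top-level keys and the indented pull_request_target entry.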

@pelikhan pelikhan merged commit 65bc25a into main May 6, 2026
@pelikhan pelikhan deleted the copilot/add-checkout-false-for-pull-request-target branch May 6, 2026 13:19
Copilot stopped work on behalf of pelikhan due to an error May 6, 2026 13:20

Development

Successfully merging this pull request may close these issues.

[aw-compat] Codemod proposal: auto-add checkout: false for pull_request_target workflows (25% failure rate)

3 participants