feat: enable checksum validation by default in install-gh-aw.sh

[Copilot]

Summary

Enable SHA256 checksum validation by default when installing the gh-aw binary.

Background

scripts/build-release.sh already generates a checksums.txt file during the build process, and the release workflow uploads all dist/* files (including checksums.txt) to every GitHub release. The validation logic in both install scripts was fully implemented but gated behind SKIP_CHECKSUM=true (the default), pending checksums being available in releases.

Since checksums are now consistently published, this PR flips the default to SKIP_CHECKSUM=false.

Changes

• install-gh-aw.sh: Change default SKIP_CHECKSUM=true → SKIP_CHECKSUM=false; remove redundant SKIP_CHECKSUM=false override in the GitHub Actions context block; update header comment
• actions/setup-cli/install.sh: Same changes (these two files are kept in sync)

No logic changes — the existing checksum download, verification, and graceful-fallback code paths are unchanged. Users can still pass --skip-checksum to bypass verification.

Testing

• bash -n syntax check passes on both scripts
• scripts/test-install-script.sh — all 10 test groups pass

[pelikhan]

@copilot review checksum code

[Copilot]

@copilot review checksum code

Found one bug: the checksum lookup used grep "$EXPECTED_FILENAME" | awk '{print $1}' which matches any line where the filename appears as a substring — e.g. searching for linux-amd64 would also match an entry named gh-aw-linux-amd64-extra.tar.gz, returning multiple hashes and causing a spurious verification failure.

Fixed in d4d43bb by replacing it with awk -v f="$EXPECTED_FILENAME" '$2 == f {print $1}' which matches only when field 2 is an exact equal to the expected filename.

Everything else in the checksum path looks solid:

• Tool detection (sha256sum / shasum -a 256) with graceful skip if neither is available
• Retry loop with 3 attempts for both the binary and checksums file downloads
• Corrupt binary is deleted before exiting on mismatch
• Checksums file is cleaned up after use

[Copilot]

Pull request overview

Enables SHA256 checksum validation by default in the gh-aw installer scripts now that checksums.txt is consistently published with releases.

Changes:

• Flip default SKIP_CHECKSUM from true → false in both install scripts.
• Remove the GitHub Actions-only SKIP_CHECKSUM=false override (now redundant).
• Tighten checksum lookup to an exact filename match using awk (instead of substring grep).

Show a summary per file

File	Description
install-gh-aw.sh	Enables checksum verification by default and improves checksum lookup precision.
actions/setup-cli/install.sh	Mirrors the same default checksum behavior and checksum lookup update for the GitHub Action installer.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comments suppressed due to low confidence (1)

install-gh-aw.sh:16

• Header docs still reference ./install.sh for usage/examples, but this script is install-gh-aw.sh (and later messaging already uses that name). This can mislead users copy/pasting the examples; update the Usage/Examples lines here to match the actual filename.

# Usage: ./install.sh [version] [options]
#
# Examples:
#   ./install.sh                           # Install latest version
#   ./install.sh v1.0.0                    # Install specific version
#   ./install.sh --skip-checksum           # Skip checksum validation
#

• Files reviewed: 2/2 changed files
• Comments generated: 0

[pelikhan]

@copilot investigate failure at https://github.com/github/gh-aw/actions/runs/25141957823/job/73694097432

[Copilot]

@copilot investigate failure at https://github.com/github/gh-aw/actions/runs/25141957823/job/73694097432

The Windows job ran for ~3 hours before being killed by the runner. Root cause: the two curl calls in the install script had no --connect-timeout or --max-time options. If the connection stalls (common on Windows GitHub Actions runners), curl blocks indefinitely and the retry loop never advances.

Fixed in e5b1ac6 by adding:

• --connect-timeout 15 --max-time 120 to the binary download
• --connect-timeout 15 --max-time 60 to the checksums download

This was a latent bug that became newly reachable for the checksums path once we flipped the SKIP_CHECKSUM default to false.

[github-actions]

✅ smoke-ci: safeoutputs CLI comment + comment-memory run (25191069502)

Generated by Smoke CI for issue #29223 · ◷

[github-actions]

Comment Memory

CI lights the path
Green checks bloom at dawn
Quiet bots still sing

Note

This comment is managed by comment memory.

It stores persistent context for this thread in the code block at the top of this comment.
Edit only the text inside the backtick fences; workflow metadata and the footer are regenerated automatically.

Learn more about comment memory

Generated by Smoke CI for issue #29223 · ◷