feat: enable checksum validation by default in install-gh-aw.sh#29223
feat: enable checksum validation by default in install-gh-aw.sh#29223
Conversation
- Change SKIP_CHECKSUM default from true to false in both install-gh-aw.sh and actions/setup-cli/install.sh - Remove redundant SKIP_CHECKSUM=false in GitHub Actions context block (no longer needed since it's now the default) - Update header comments to reflect checksums are validated by default Agent-Logs-Url: https://github.com/github/gh-aw/sessions/73f24b82-4807-40b8-a61b-c662ee683ab0 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Replace `grep "$EXPECTED_FILENAME" | awk '{print $1}'` with
`awk -v f="$EXPECTED_FILENAME" '$2 == f {print $1}'` to avoid
false matches when the filename appears as a substring in another
entry (e.g. matching 'gh-aw-linux-amd64-extra.tar.gz' when
searching for 'linux-amd64').
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/057dcad8-6129-46c2-8ce5-d318e1698526
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Found one bug: the checksum lookup used Fixed in d4d43bb by replacing it with Everything else in the checksum path looks solid:
|
There was a problem hiding this comment.
Pull request overview
Enables SHA256 checksum validation by default in the gh-aw installer scripts now that checksums.txt is consistently published with releases.
Changes:
- Flip default
SKIP_CHECKSUMfromtrue→falsein both install scripts. - Remove the GitHub Actions-only
SKIP_CHECKSUM=falseoverride (now redundant). - Tighten checksum lookup to an exact filename match using
awk(instead of substringgrep).
Show a summary per file
| File | Description |
|---|---|
| install-gh-aw.sh | Enables checksum verification by default and improves checksum lookup precision. |
| actions/setup-cli/install.sh | Mirrors the same default checksum behavior and checksum lookup update for the GitHub Action installer. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comments suppressed due to low confidence (1)
install-gh-aw.sh:16
- Header docs still reference
./install.shfor usage/examples, but this script isinstall-gh-aw.sh(and later messaging already uses that name). This can mislead users copy/pasting the examples; update the Usage/Examples lines here to match the actual filename.
# Usage: ./install.sh [version] [options]
#
# Examples:
# ./install.sh # Install latest version
# ./install.sh v1.0.0 # Install specific version
# ./install.sh --skip-checksum # Skip checksum validation
#
- Files reviewed: 2/2 changed files
- Comments generated: 0
|
@copilot investigate failure at https://github.com/github/gh-aw/actions/runs/25141957823/job/73694097432 |
The binary download and checksums download curl calls had no timeout options, causing them to hang indefinitely if a connection stalled. This was most visible on Windows GitHub Actions runners where the CI job ran for 3 hours before being killed. Add --connect-timeout 15 --max-time 120 to the binary download and --connect-timeout 15 --max-time 60 to the checksums download so the retry loop can cycle and eventually fail with a clear error instead of hanging forever. Agent-Logs-Url: https://github.com/github/gh-aw/sessions/1b540671-88f4-4de1-a709-01352e1f5788 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
The Windows job ran for ~3 hours before being killed by the runner. Root cause: the two Fixed in e5b1ac6 by adding:
This was a latent bug that became newly reachable for the checksums path once we flipped the |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
|
@copilot add a 5 minute timeout on the jobs for the installation scripts test. Investigate why this one gets stuck: https://github.com/github/gh-aw/actions/runs/25191069497/job/73860917300?pr=29223 |
…30s timeout The Windows CI job was hanging in the install script at the binary verification step (lines 376/399): `"$BINARY_PATH" --help` and `"$BINARY_PATH" version` can stall indefinitely while Windows Defender scans the newly downloaded executable. - .github/workflows/install.yml: add `timeout-minutes: 5` to the test-install job so a hung Windows runner is killed in under 5 minutes instead of consuming the full runner quota (previously 3+ hours) - install-gh-aw.sh / actions/setup-cli/install.sh: set BINARY_EXEC_TIMEOUT to `timeout 30` on Windows, wrap both binary verification calls with it; on timeout emit a warning and continue rather than failing the install (the binary has already passed checksum verification so it is safe to use) Agent-Logs-Url: https://github.com/github/gh-aw/sessions/9be8cef1-6312-4362-a598-ab4c831a4838 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Root cause found: the install script executes Fixed in
|
Summary
Enable SHA256 checksum validation by default when installing the gh-aw binary.
Background
scripts/build-release.shalready generates achecksums.txtfile during the build process, and the release workflow uploads alldist/*files (includingchecksums.txt) to every GitHub release. The validation logic in both install scripts was fully implemented but gated behindSKIP_CHECKSUM=true(the default), pending checksums being available in releases.Since checksums are now consistently published, this PR flips the default to
SKIP_CHECKSUM=false.Changes
install-gh-aw.sh: Change defaultSKIP_CHECKSUM=true→SKIP_CHECKSUM=false; remove redundantSKIP_CHECKSUM=falseoverride in the GitHub Actions context block; update header commentactions/setup-cli/install.sh: Same changes (these two files are kept in sync)No logic changes — the existing checksum download, verification, and graceful-fallback code paths are unchanged. Users can still pass
--skip-checksumto bypass verification.Testing
bash -nsyntax check passes on both scriptsscripts/test-install-script.sh— all 10 test groups pass