diff --git a/.github/workflows/smoke-macos-arm64.lock.yml b/.github/workflows/smoke-macos-arm64.lock.yml
index 0c7cc2494b6..8b605c64f19 100644
--- a/.github/workflows/smoke-macos-arm64.lock.yml
+++ b/.github/workflows/smoke-macos-arm64.lock.yml
@@ -431,8 +431,6 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.411 - - name: Install Docker on macOS - run: bash /opt/gh-aw/actions/install_docker_macos.sh - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.20.2 - name: Determine automatic lockdown mode for GitHub MCP Server
diff --git a/pkg/stringutil/sanitize.go b/pkg/stringutil/sanitize.go
index c27c411247b..c09d9f59a31 100644
--- a/pkg/stringutil/sanitize.go
+++ b/pkg/stringutil/sanitize.go
@@ -62,6 +62,10 @@ func SanitizeErrorMessage(message string) string {
 if commonWorkflowKeywords[match] {
 return match
 }
+ // Don't redact gh-aw public configuration variables (e.g., GH_AW_SKIP_NPX_VALIDATION)
+ if strings.HasPrefix(match, "GH_AW_") {
+ return match
+ }
 sanitizeLog.Printf("Redacted snake_case secret pattern: %s", match)
 return "[REDACTED]"
 })
diff --git a/pkg/stringutil/sanitize_test.go b/pkg/stringutil/sanitize_test.go
index d06ac628c67..af401bc5bf5 100644
--- a/pkg/stringutil/sanitize_test.go
+++ b/pkg/stringutil/sanitize_test.go
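Review bot: The new `strings.HasPrefix(match, "GH_AW_")` branch in `SanitizeErrorMessage` (pkg/stringutil/sanitize.go) exempts every identifier with that prefix from redaction, not only the public `GH_AW_SKIP_*_VALIDATION` switches the comment refers to, so a secret name that happens to start with `GH_AW_` (constructed example: `GH_AW_EXAMPLE_TOKEN`) would now pass through into error output unredacted. An exact-match allowlist keeps the sanitizer fail-closed: `if ghAwPublicVars[match] { return match }`, where `ghAwPublicVars` is a package-level `map[string]bool` listing only the three names exercised in the test, mirroring the `commonWorkflowKeywords` lookup just above. The `generic GH_AW prefix not redacted` case in sanitize_test.go pins the broad behaviour and would need to flip to a still-redacted expectation, ideally alongside a case for a `GH_AW_`-prefixed name ending in `_TOKEN` or `_KEY`. The function body starts and ends outside the hunk, so the pattern that produces `match` is not visible here.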
@@ -209,6 +209,49 @@ func TestSanitizeErrorMessage_EdgeCases(t *testing.T) {
 }
 }
+func TestSanitizeErrorMessage_GhAwVariables(t *testing.T) {
+ tests := []struct {
+ name string
+ message string
+ expected string
+ }{
+ {
+ name: "GH_AW_SKIP_NPX_VALIDATION not redacted",
+ message: "Alternatively, disable validation by setting GH_AW_SKIP_NPX_VALIDATION=true",
+ expected: "Alternatively, disable validation by setting GH_AW_SKIP_NPX_VALIDATION=true",
+ },
+ {
+ name: "GH_AW_SKIP_UV_VALIDATION not redacted",
+ message: "Alternatively, disable validation by setting GH_AW_SKIP_UV_VALIDATION=true",
+ expected: "Alternatively, disable validation by setting GH_AW_SKIP_UV_VALIDATION=true",
+ },
+ {
+ name: "GH_AW_SKIP_PIP_VALIDATION not redacted",
+ message: "Alternatively, disable validation by setting GH_AW_SKIP_PIP_VALIDATION=true",
+ expected: "Alternatively, disable validation by setting GH_AW_SKIP_PIP_VALIDATION=true",
+ },
+ {
+ name: "generic GH_AW prefix not redacted",
+ message: "Set GH_AW_SOME_OPTION to configure this feature",
+ expected: "Set GH_AW_SOME_OPTION to configure this feature",
+ },
+ {
+ name: "non-GH_AW still redacted",
+ message: "Error accessing MY_SECRET_KEY",
+ expected: "Error accessing [REDACTED]",
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ result := SanitizeErrorMessage(tt.message)
+ if result != tt.expected {
+ t.Errorf("SanitizeErrorMessage(%q) = %q; want %q", tt.message, result, tt.expected)
+ }
+ })
+ }
+}
+
 func TestSanitizeErrorMessage_RealWorldExamples(t *testing.T) {
 tests := []struct {
 name string