From 50b1bacff961b4664960d4df1aa73d43ac3224c7 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 22 Feb 2026 11:49:50 +0000
Subject: [PATCH 1/4] Initial plan
From ae82f7cb93e736c4dc50fcebddc6d61dbf463da2 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 22 Feb 2026 12:00:49 +0000
Subject: [PATCH 2/4] Initial plan for supply chain security fixes
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 .github/workflows/smoke-gemini.lock.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/smoke-gemini.lock.yml b/.github/workflows/smoke-gemini.lock.yml
index d1d6955c678..3e2b7c571ba 100644
--- a/.github/workflows/smoke-gemini.lock.yml
+++ b/.github/workflows/smoke-gemini.lock.yml
@@ -404,7 +404,7 @@ jobs:
 version: "",
 agent_version: "",
 workflow_name: "Smoke Gemini",
- experimental: true,
+ experimental: false,
 supports_tools_allowlist: true,
 run_id: context.runId,
 run_number: context.runNumber,
From aee8297ff2f3cb2160323847d5c742f9f750deb6 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 22 Feb 2026 12:11:52 +0000
Subject: [PATCH 3/4] Fix supply chain security: replace curl|sh for uv with astral-sh/setup-uv action pinned to commit SHA
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 .github/workflows/copilot-setup-steps.yml | 2 +-
 .github/workflows/daily-copilot-token-report.lock.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml
index 1df298d612a..fc2696a5fbd 100644
--- a/.github/workflows/copilot-setup-steps.yml
+++ b/.github/workflows/copilot-setup-steps.yml
@@ -39,7 +39,7 @@ jobs:
 env:
 GH_TOKEN: ${{ github.token }}
 - name: Install uv
- run: curl -LsSf https://astral.sh/uv/install.sh | sh
+ uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2
 - name: Install Go language server (gopls)
 run: go install golang.org/x/tools/gopls@latest
 - name: Install TypeScript language server
diff --git a/.github/workflows/daily-copilot-token-report.lock.yml b/.github/workflows/daily-copilot-token-report.lock.yml
index a3bb599bbee..41110d1a8be 100644
--- a/.github/workflows/daily-copilot-token-report.lock.yml
+++ b/.github/workflows/daily-copilot-token-report.lock.yml
@@ -358,7 +358,7 @@ jobs:
 name: Recompile workflows
 run: make recompile
 - name: Install uv
- run: curl -LsSf https://astral.sh/uv/install.sh | sh
+ uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2
 - name: Install Go language server (gopls)
 run: go install golang.org/x/tools/gopls@latest
 - name: Install TypeScript language server
From ed1e45f5cb593785b48cd6900956635dc3d9b487 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 22 Feb 2026 12:19:31 +0000
Subject: [PATCH 4/4] Update astral-sh/setup-uv SHA from v5.4.2 to v7.3.0 (latest)
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 .github/workflows/copilot-setup-steps.yml | 2 +-
 .github/workflows/daily-copilot-token-report.lock.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml
index fc2696a5fbd..6ab8dbf3648 100644
--- a/.github/workflows/copilot-setup-steps.yml
+++ b/.github/workflows/copilot-setup-steps.yml
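Review bot: Pinning `astral-sh/setup-uv` to a commit SHA fixes the action's code, but the new `uses:` line in the `Install uv` step of `copilot-setup-steps.yml` passes no `version`, so the uv release the action fetches is still resolved at run time unless the repository's own uv or pyproject configuration already fixes it. Consider adding `with:` and `version: "<pinned uv version>"` under that step. The context line directly below, `run: go install golang.org/x/tools/gopls@latest`, is the same kind of floating reference and is not touched by this commit; a tagged reference such as `gopls@<pinned version>` would close it. Both points apply equally to the matching hunk in `daily-copilot-token-report.lock.yml`, and the step lists continue outside both hunks.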
@@ -39,7 +39,7 @@ jobs:
 env:
 GH_TOKEN: ${{ github.token }}
 - name: Install uv
- uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2
+ uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7.3.0
 - name: Install Go language server (gopls)
 run: go install golang.org/x/tools/gopls@latest
 - name: Install TypeScript language server
diff --git a/.github/workflows/daily-copilot-token-report.lock.yml b/.github/workflows/daily-copilot-token-report.lock.yml
index 41110d1a8be..750f140b20a 100644
--- a/.github/workflows/daily-copilot-token-report.lock.yml
+++ b/.github/workflows/daily-copilot-token-report.lock.yml
@@ -358,7 +358,7 @@ jobs:
 name: Recompile workflows
 run: make recompile
 - name: Install uv
- uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2
+ uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # eac588ad8def6316056a12d4907a9d4d84ff7a3b
 - name: Install Go language server (gopls)
 run: go install golang.org/x/tools/gopls@latest
 - name: Install TypeScript language server
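Review bot: The trailing comment on the new pin in `daily-copilot-token-report.lock.yml` repeats the hash (`# eac588ad8def6316056a12d4907a9d4d84ff7a3b`) where `copilot-setup-steps.yml` in the same commit carries `# v7.3.0`, so the lock file no longer tells a reviewer which release the hash is meant to be. That comment is the only human-readable link between hash and tag, and update tooling commonly reads it; the line should be `uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7.3.0`. Since this file looks generated (the preceding step runs `make recompile`), the fix probably belongs in whatever resolves the tag at compile time, not in a hand edit. It is also worth confirming against the upstream repository that this hash is the v7.3.0 tag commit, since nothing on the page establishes that.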