From c6c93235009f43a08ce725aec94a2dd3a22d7205 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 5 Mar 2026 04:06:37 +0000
Subject: [PATCH 1/2] Initial plan
From 7545ddd9563499bdc0841a1a59ae42b32a6c3263 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 5 Mar 2026 04:18:42 +0000
Subject: [PATCH 2/2] fix: migrate version-pinning fix to install-gh-aw.sh source file and sync to setup-cli action
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 actions/setup-cli/install.sh | 15 ++++++++++++---
 install-gh-aw.sh | 15 ++++++++++++---
 2 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/actions/setup-cli/install.sh b/actions/setup-cli/install.sh
index e1ac3479a12..58d73c6805d 100755
--- a/actions/setup-cli/install.sh
+++ b/actions/setup-cli/install.sh
@@ -239,8 +239,17 @@ fi
 if [ "$TRY_GH_INSTALL" = true ] && command -v gh &> /dev/null; then
 print_info "Attempting to install gh-aw using 'gh extension install'..."
- # Try to install using gh
- if gh extension install "$REPO" --force 2>&1 | tee /tmp/gh-install.log; then
+ # Call gh extension install directly to avoid command injection
+ install_result=0
+ if [ -n "$VERSION" ] && [ "$VERSION" != "latest" ]; then
+ gh extension install "$REPO" --force --pin "$VERSION" 2>&1 | tee /tmp/gh-install.log
+ install_result=${PIPESTATUS[0]}
+ else
+ gh extension install "$REPO" --force 2>&1 | tee /tmp/gh-install.log
+ install_result=${PIPESTATUS[0]}
+ fi
+
+ if [ $install_result -eq 0 ]; then
 # Verify the installation succeeded
 if gh aw version &> /dev/null; then
 INSTALLED_VERSION=$(gh aw version 2>&1 | grep -oE 'v[0-9]+\.[0-9]+\.[0-9]+' | head -1)
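Review bot: Both new `gh extension install` pipelines in the `@@ -239,8 +239,17 @@` hunk still tee into the fixed path `/tmp/gh-install.log`, a predictable name in a world-writable directory that another local user on a shared host or runner could pre-create as a symlink or read afterwards. Unless something later reads that exact path, a per-run file such as `gh_log=$(mktemp)` with `tee "$gh_log"` avoids this; the identical hunk in install-gh-aw.sh needs the same change. Separately, the pipelines are now bare statements instead of an `if` condition, so if the script enables `set -e` together with `pipefail` (not visible here), a failed install would exit before `install_result` is read and any later fallback would not run. The enclosing `if [ "$TRY_GH_INSTALL" = true ]` block continues past the end of the hunk.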
@@ -249,7 +258,7 @@ if [ "$TRY_GH_INSTALL" = true ] && command -v gh &> /dev/null; then
 # Set output for GitHub Actions
 if [ -n "${GITHUB_OUTPUT}" ]; then
- echo "installed_version=${VERSION}" >> "${GITHUB_OUTPUT}"
+ echo "installed_version=${INSTALLED_VERSION}" >> "${GITHUB_OUTPUT}"
 fi
 exit 0
diff --git a/install-gh-aw.sh b/install-gh-aw.sh
index e1ac3479a12..58d73c6805d 100755
--- a/install-gh-aw.sh
+++ b/install-gh-aw.sh
@@ -239,8 +239,17 @@ fi
 if [ "$TRY_GH_INSTALL" = true ] && command -v gh &> /dev/null; then
 print_info "Attempting to install gh-aw using 'gh extension install'..."
- # Try to install using gh
- if gh extension install "$REPO" --force 2>&1 | tee /tmp/gh-install.log; then
+ # Call gh extension install directly to avoid command injection
+ install_result=0
+ if [ -n "$VERSION" ] && [ "$VERSION" != "latest" ]; then
+ gh extension install "$REPO" --force --pin "$VERSION" 2>&1 | tee /tmp/gh-install.log
+ install_result=${PIPESTATUS[0]}
+ else
+ gh extension install "$REPO" --force 2>&1 | tee /tmp/gh-install.log
+ install_result=${PIPESTATUS[0]}
+ fi
+
+ if [ $install_result -eq 0 ]; then
 # Verify the installation succeeded
 if gh aw version &> /dev/null; then
 INSTALLED_VERSION=$(gh aw version 2>&1 | grep -oE 'v[0-9]+\.[0-9]+\.[0-9]+' | head -1)
@@ -249,7 +258,7 @@ if [ "$TRY_GH_INSTALL" = true ] && command -v gh &> /dev/null; then
 # Set output for GitHub Actions
 if [ -n "${GITHUB_OUTPUT}" ]; then
- echo "installed_version=${VERSION}" >> "${GITHUB_OUTPUT}"
+ echo "installed_version=${INSTALLED_VERSION}" >> "${GITHUB_OUTPUT}"
 fi
 exit 0
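Review bot: In the `@@ -249,7 +258,7 @@` hunk of actions/setup-cli/install.sh (and the identical hunk of install-gh-aw.sh), `INSTALLED_VERSION` is written to `GITHUB_OUTPUT` with no visible check that it is non-empty or that it matches the requested pin. It comes from `grep -oE ... | head -1`, so if `gh aw version` prints nothing that matches, the step emits an empty `installed_version=`. Guarding the write with `if [ -n "${GITHUB_OUTPUT}" ] && [ -n "${INSTALLED_VERSION}" ]; then` covers the empty case. Because pinning is the point of this change, I would also fail the step when `VERSION` is a concrete tag and `INSTALLED_VERSION` differs from it, rather than reporting whichever version ended up installed. The two lines between `INSTALLED_VERSION=...` and this hunk are not shown, so such a check may already exist there.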