From 7bea0234aee6a838fc53ccc983bd534d3d956342 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 1 Apr 2026 16:30:35 +0000
Subject: [PATCH 1/2] Initial plan


From 959dab4a2961a503b0d839331cc668026d0c7d11 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 1 Apr 2026 16:41:56 +0000
Subject: [PATCH 2/2] fix(security): clear .git/hooks/ and disable hooksPath
 before git ops in setup_cache_memory_git.sh

- Clear all non-sample git hook files immediately after cache restore and
  before any git checkout or merge operations, preventing a compromised
  agent run from executing arbitrary code on the host runner via preserved
  post-checkout/post-merge hooks.
- Set git config core.hooksPath /dev/null in both the new-init and
  existing-repo paths as belt-and-suspenders protection.
- Fix legacy flat-file migration: commit pre-existing files to the 'none'
  branch only (not 'merged'), preventing trust escalation of data written
  at unknown integrity in prior gh-aw versions.

Fixes: cache-memory setup must clear .git/hooks/ after cache restore

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/b35702d1-ef6e-4fb9-a039-99e93de0b243

Co-authored-by: szabta89 <1330202+szabta89@users.noreply.github.com>
---
 actions/setup/sh/setup_cache_memory_git.sh | 35 +++++++++++++++++++---
 1 file changed, 31 insertions(+), 4 deletions(-)

diff --git a/actions/setup/sh/setup_cache_memory_git.sh b/actions/setup/sh/setup_cache_memory_git.sh
index 34d94ffadba..36634b7ea0c 100644
--- a/actions/setup/sh/setup_cache_memory_git.sh
+++ b/actions/setup/sh/setup_cache_memory_git.sh
@@ -21,25 +21,52 @@ LEVELS=("merged" "approved" "unapproved" "none")
 mkdir -p "$CACHE_DIR"
 cd "$CACHE_DIR"
 
+# --- Security: clear git hooks before any git operations ---
+# Git hook files under .git/hooks/ are preserved in the cache but are NOT tracked
+# by git (git add -A ignores .git/). A compromised agent run could write executable
+# hooks (e.g. post-checkout, post-merge) that would be restored from cache and
+# executed on the host runner before the AWF sandbox is established. Remove all
+# non-sample hook files immediately after cache restore to prevent this.
+if [ -d .git/hooks ]; then
+  find .git/hooks -type f ! -name '*.sample' -delete
+fi
+
 # --- Format detection & migration ---
 if [ ! -d .git ]; then
   # No git repo yet — either a fresh cache or a legacy flat-file cache.
-  # Initialize a git repository and import existing files onto the merged branch,
-  # then create all integrity branches from the same baseline.
+  # Initialize a git repository with an empty baseline commit on the highest-trust
+  # branch, then create all other integrity branches from that empty state.
+  # IMPORTANT: Legacy flat files (written at unknown/none integrity in a previous
+  # version of gh-aw) are committed to the 'none' branch only to prevent trust
+  # escalation — do NOT commit them to 'merged' or any higher-trust branch.
   git init -b merged -q
   git config user.email "gh-aw@github.com"
   git config user.name "gh-aw"
-  git add -A
+  # Disable hooks immediately after init so that no cached hook file can fire
+  # during checkout or merge operations later in this script.
+  git config core.hooksPath /dev/null
+  # Create an empty initial commit as the trusted baseline for all branches
   git commit --allow-empty -m "initial" -q
 
-  # Create all integrity branches from the same baseline
+  # Create all integrity branches from the empty baseline
   for level in "${LEVELS[@]}"; do
     if [ "$level" != "merged" ]; then
       git branch "$level" 2>/dev/null || true
     fi
   done
 
+  # Migrate any pre-existing flat files to the 'none' branch only (lowest trust).
+  # Switching to 'none' before staging ensures legacy data cannot be read by
+  # higher-integrity runs via the merge-down step.
+  git checkout -q none
+  git add -A
+  git commit --allow-empty -m "migrate-legacy-files" -q
+
   echo "Cache memory git repository initialized with branches: ${LEVELS[*]}"
+else
+  # Existing repo: disable hooks as belt-and-suspenders after the hook-file
+  # deletion above, ensuring no residual configuration can re-enable hooks.
+  git config core.hooksPath /dev/null
 fi
 
 # --- Checkout current integrity branch ---