Agent-Logs-Url: https://github.com/github/gh-aw/sessions/70e38c2c-f3d6-4572-a2d4-800cf23e119a Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Pull request overview
Updates the static analysis agentic workflow to use a gh-aw binary built from the current repository source (instead of installing the latest published gh extension release), and expands the workflow’s network allowlist to support Go module downloads during the build.
Changes:
- Replace `gh extension install github/gh-aw` with `make build` and run the resulting binary from the workspace.
- Update the compilation step to invoke `$GITHUB_WORKSPACE/gh-aw compile ...` consistently.
- Allow Go-related network domains via `network.allowed: [defaults, go]` and regenerate the compiled lock workflow.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/static-analysis-report.md | Builds gh-aw from repo source, runs the workspace binary for version/compile, and adds Go network allowlist. |
| .github/workflows/static-analysis-report.lock.yml | Recompiled workflow reflecting the source-build step, updated invocation paths, and expanded allowed domains. |
Copilot's findings
- Files reviewed: 2/2 changed files
- Comments generated: 2
| echo "Running gh aw compile with security tools to download Docker images..." | ||
|
|
||
| # Run compile with all security scanner flags to download Docker images | ||
| # Store the output in a file for inspection | ||
| gh aw compile --zizmor --poutine --actionlint --runner-guard 2>&1 | tee /tmp/gh-aw/compile-output.txt | ||
| $GITHUB_WORKSPACE/gh-aw compile --zizmor --poutine --actionlint --runner-guard 2>&1 | tee /tmp/gh-aw/compile-output.txt |
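Review bot: the added `$GITHUB_WORKSPACE/gh-aw compile ... | tee` line reports tee's exit status, not gh-aw's, so a failed compile still passes the step. Besides adding `set -o pipefail` inside the script, the step can declare `shell: bash` explicitly: GitHub Actions then wraps the script as `bash --noprofile --norc -eo pipefail {0}`, whereas a bare `run:` with no `shell:` only gets `bash -e {0}`, which is exactly why the pipe masks the failure here. Quote the path as well (`"$GITHUB_WORKSPACE/gh-aw"`), since the variable is expanded unquoted on both the version-check and the compile line.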
The compile … | tee … pipeline will mask a non-zero exit code from gh-aw because set -e doesn’t propagate failures through pipes unless pipefail is enabled. This can make the workflow appear successful even if compile fails and /tmp/gh-aw/compile-output.txt is incomplete. Consider enabling set -o pipefail (or otherwise capturing the gh-aw exit status) before piping to tee so failures correctly fail the step.
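The masking described in the comment above, shown as an added example that is not part of the PR or the gh-aw project: a constructed `fake_compile` function stands in for a failing `gh-aw compile`, and three wrappers return the status the step would see under plain `set -e`, under `set -o pipefail`, and via bash's `PIPESTATUS` array. The log file path is whatever the caller passes; the script assumes bash.

```shell
#!/usr/bin/env bash
# Added example (not gh-aw code): how `cmd | tee file` hides cmd's exit status
# under plain `set -e`, and two ways to surface it. Assumes bash.

# Constructed stand-in for a failing `gh-aw compile`: prints output, exits 2.
fake_compile() {
  echo "compiling workflows..."
  echo "error: compile failed" >&2
  return 2
}

# As in the PR's step: no pipefail, so the pipeline's status is tee's (0) and
# a `set -e` step carries on as if compile had succeeded. The log is complete.
status_without_pipefail() {
  ( set +e; set +o pipefail
    fake_compile 2>&1 | tee "$1" >/dev/null
    echo $? )
}

# Fix 1: `set -o pipefail` makes the pipeline return the rightmost non-zero
# status (here fake_compile's 2), so `set -e` now stops the step.
status_with_pipefail() {
  ( set +e; set -o pipefail
    fake_compile 2>&1 | tee "$1" >/dev/null
    echo $? )
}

# Fix 2 (bash-only): read the left-hand command's status from PIPESTATUS
# immediately after the pipeline, before any other command overwrites it.
status_via_pipestatus() {
  ( set +e; set +o pipefail
    fake_compile 2>&1 | tee "$1" >/dev/null
    echo "${PIPESTATUS[0]}" )
}

# The captured log contains the error in every variant; only the status differs.
log_has_error() {
  grep -q "compile failed" "$1"
}

main() {
  log="$(mktemp)"
  echo "without pipefail: $(status_without_pipefail "$log")"   # 0 (masked)
  echo "with pipefail:    $(status_with_pipefail "$log")"      # 2
  echo "via PIPESTATUS:   $(status_via_pipestatus "$log")"     # 2
  rm -f "$log"
}
main
```

In a workflow `run:` block the equivalent of Fix 1 is a single `set -o pipefail` line before the pipeline, or `shell: bash` on the step, which enables pipefail by default; Fix 2 is useful when you want to keep tee's own failure (for example an unwritable log path) separate from the compile status.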
| - name: Build gh-aw from source | ||
| run: | | ||
| if gh extension list | grep -q "github/gh-aw"; then | ||
| gh extension upgrade gh-aw || true | ||
| else | ||
| gh extension install github/gh-aw | ||
| fi | ||
| gh aw --version | ||
| set -e | ||
| make build | ||
| $GITHUB_WORKSPACE/gh-aw --version |
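Review bot: the added `set -e` on the first script line is redundant, since a `run:` step without an explicit `shell:` is already executed as `bash -e {0}`; what the step actually lacks is a check that `make build` wrote the binary to the workspace root before `$GITHUB_WORKSPACE/gh-aw --version` runs, otherwise a Makefile that emits the binary elsewhere fails this line with a bare "No such file" and no hint about the real output path. Dropping the `|| true` on the old `gh extension upgrade` branch is a change in the right direction: the step now fails fast on any build error instead of quietly continuing with whatever `gh aw` was already installed.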
This job already builds and places a ./gh-aw binary earlier (see the generated "Build gh-aw CLI" step), and this step rebuilds it again via make build. If the intent is to use the Makefile build (e.g., to run the sync targets before embedding), consider updating the primary build step to use make build instead of adding a second build, or otherwise avoid rebuilding twice to save time and reduce duplicate Go module downloads.
See below for a potential fix:
- name: Verify prebuilt gh-aw binary
run: |
set -e
test -x "$GITHUB_WORKSPACE/gh-aw"
The static analysis workflow was installing `gh-aw` from the latest published release via `gh extension install`, meaning it always lagged behind HEAD and couldn't reflect unreleased changes.
Changes
- Replace `gh extension install github/gh-aw` with `make build`, producing a binary from the current source tree
- Use `$GITHUB_WORKSPACE/gh-aw` consistently (both version check and `compile --zizmor --poutine --actionlint --runner-guard`)
- Add `network.allowed: [defaults, go]` to permit Go module proxy access during the build