Harden gh-aw installation in agentic workflow lock files #3260

Merged
lpcox merged 4 commits into main from copilot/aw-fix-ci-cd-pipeline-failure
May 16, 2026

Contributor

Copilot AI commented May 16, 2026

The scheduled CI/CD Pipelines and Integration Tests Gap Assessment workflow was failing before agent execution because its gh-aw setup step could leave no executable binary for downstream MCP/containerization steps. This aligns the affected lock files with the repository’s more resilient install pattern.

  • Workflow fix

    • Replaced the brittle gh extension install/upgrade flow in:
      • .github/workflows/ci-cd-gaps-assessment.lock.yml
      • .github/workflows/pelis-agent-factory-advisor.lock.yml
    • Switched both to the fallback installer pattern that:
      • discovers an existing executable gh-aw binary if present
      • installs via install-gh-aw.sh only when needed
      • re-resolves the binary after install before copying it into ${RUNNER_TEMP}/gh-aw
  • Failure mode addressed

    • Avoids relying on gh extension list / gh extension install state alone.
    • Ensures later steps fail only if no executable gh-aw binary can actually be found.
  • Regression coverage

    • Added scripts/ci/workflow-gh-aw-install.test.ts to guard lock workflows against reintroducing the legacy install pattern.

- name: Install gh-aw extension
  run: |
    GH_AW_BIN=$(command -v gh-aw 2>/dev/null || find "${HOME}/.local/share/gh/extensions/gh-aw" -name 'gh-aw' -type f -executable 2>/dev/null | head -1)
    if [ -z "$GH_AW_BIN" ] || [ ! -x "$GH_AW_BIN" ]; then
      curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh -o /tmp/install-gh-aw.sh
      bash /tmp/install-gh-aw.sh
      GH_AW_BIN=$(command -v gh-aw 2>/dev/null || find "${HOME}/.local/share/gh/extensions/gh-aw" -name 'gh-aw' -type f -executable 2>/dev/null | head -1)
    fi
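
The guard described under "Regression coverage" above, as an added example: this is not the project's scripts/ci/workflow-gh-aw-install.test.ts (the page does not show its contents) but a sketch of such a lint over the run script of an install step. `lintInstallStep`, the rule names and the legacy markers are assumptions; the branch-ref rule is an extra check of this example that reports an installer fetched from a moving branch rather than a pinned commit.

```typescript
// Added example, not the project's test. Rule names and the legacy markers
// are assumptions based on the commands named in the PR description.
interface Finding { rule: string; detail: string }

const LEGACY = [/gh\s+extension\s+(install|upgrade)\b/, /gh\s+extension\s+list\b/];
const RESOLVE = "GH_AW_BIN=$(command -v gh-aw";
const INSTALLER = "install-gh-aw.sh";

function lintInstallStep(script: string): Finding[] {
  const findings: Finding[] = [];
  const lines = script.split("\n").filter((l) => !/^\s*#/.test(l));
  const body = lines.join("\n");
  // 1. Legacy flow: extension state is trusted instead of a real binary check.
  lines.forEach((l) => {
    if (LEGACY.some((re) => re.test(l))) findings.push({ rule: "legacy-install", detail: l.trim() });
  });
  // 2. The fallback installer must be present, guarded by an executable test.
  const firstInstall = body.indexOf(INSTALLER);
  const lastInstall = body.lastIndexOf(INSTALLER);
  if (firstInstall === -1) {
    findings.push({ rule: "no-fallback-installer", detail: INSTALLER + " not referenced" });
    return findings;
  }
  if (body.indexOf('-x "$GH_AW_BIN"') === -1)
    findings.push({ rule: "no-executable-check", detail: 'missing [ -x "$GH_AW_BIN" ]' });
  // 3. The binary must be resolved before the install and again after it.
  if (body.indexOf(RESOLVE) === -1 || body.indexOf(RESOLVE) > firstInstall)
    findings.push({ rule: "no-discovery-before-install", detail: RESOLVE });
  if (body.lastIndexOf(RESOLVE) < lastInstall)
    findings.push({ rule: "no-reresolve-after-install", detail: RESOLVE });
  // 4. Extra check of this example: installer fetched from a moving branch ref.
  lines.forEach((l) => {
    if (l.indexOf(INSTALLER) !== -1 && /refs\/heads\//.test(l))
      findings.push({ rule: "installer-from-branch-ref", detail: l.trim() });
  });
  return findings;
}

// Constructed inputs: an assumed legacy step, and the PR's step abridged.
const LEGACY_STEP = "gh extension install github/gh-aw || gh extension upgrade gh-aw";
const RESILIENT_STEP = [
  'GH_AW_BIN=$(command -v gh-aw 2>/dev/null)',
  'if [ -z "$GH_AW_BIN" ] || [ ! -x "$GH_AW_BIN" ]; then',
  '  curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh -o /tmp/install-gh-aw.sh',
  '  bash /tmp/install-gh-aw.sh',
  '  GH_AW_BIN=$(command -v gh-aw 2>/dev/null)',
  'fi',
].join("\n");
```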

Copilot AI changed the title [WIP] Fix CI/CD pipelines and integration tests gap assessment failure Harden gh-aw installation in agentic workflow lock files May 16, 2026
Copilot finished work on behalf of lpcox May 16, 2026 16:38
Copilot AI requested a review from lpcox May 16, 2026 16:38
@lpcox lpcox marked this pull request as ready for review May 16, 2026 16:41
@lpcox lpcox requested a review from Mossaka as a code owner May 16, 2026 16:41
Copilot AI review requested due to automatic review settings May 16, 2026 16:41

Contributor

Copilot AI left a comment

Pull request overview

This PR hardens how gh-aw is installed in GitHub Actions workflow lock files so downstream MCP/containerization steps always have an executable gh-aw binary available, aligning the affected workflows with the repo’s resilient install pattern.

Changes:

  • Replaced the legacy gh extension install/upgrade approach with a binary-first discovery + install-gh-aw.sh fallback in two lock workflows.
  • Ensured the binary is re-resolved post-install and only copied to ${RUNNER_TEMP}/gh-aw if it’s executable.
  • Added a Jest regression test to prevent reintroducing the legacy install pattern in .lock.yml workflows.

| File | Description |
|---|---|
| scripts/ci/workflow-gh-aw-install.test.ts | Adds a regression test to enforce resilient gh-aw installation patterns in lock workflows. |
| .github/workflows/pelis-agent-factory-advisor.lock.yml | Updates the gh-aw install step to use the fallback installer pattern and require an executable binary before copying. |
| .github/workflows/ci-cd-gaps-assessment.lock.yml | Same installer hardening as above to prevent pre-agent workflow failures due to missing gh-aw binary. |

Copilot's findings

  • Files reviewed: 3/3 changed files
  • Comments generated: 1

Comment thread scripts/ci/workflow-gh-aw-install.test.ts

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

@lpcox
Collaborator

lpcox commented May 16, 2026

@copilot merge main

Contributor Author

Copilot AI commented May 16, 2026

@copilot merge main

Merged main into this branch in b3ea91e.

@github-actions
Contributor

Smoke Test Results

| Test | Status |
|---|---|
| GitHub API (merged PRs) | ❌ FAIL |
| Playwright (github.com title) | ✅ PASS |
| File verify (smoke-test artifact) | ✅ PASS |

Overall: 2/3 PASS — GitHub API authentication issue detected (HTTP 401 on gh CLI)

💥 [THE END] — Illustrated by Smoke Claude

@github-actions
Contributor

🔥 Smoke Test: Copilot BYOK (Offline) Mode

| Test | Status |
|---|---|
| GitHub MCP connectivity | ❌ 401 (sandbox auth limitation) |
| GitHub.com HTTP connectivity | ✅ (pre-step passed) |
| File write/read (/tmp/gh-aw/agent/smoke-test-copilot-byok-25969560604.txt) | |
| BYOK inference (agent → api-proxy → api.githubcopilot.com) | |

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com

Overall: PASS (MCP 401 is a sandbox constraint, not a BYOK failure)

🔑 BYOK report filed by Smoke Copilot BYOK

@github-actions
Contributor

🔬 Smoke Test Results

| Test | Status |
|---|---|
| GitHub MCP connectivity | ❌ 401 Bad credentials |
| GitHub.com HTTP | ⚠️ Template vars not expanded |
| File write/read | ⚠️ Template vars not expanded |

Overall: FAIL

Template variables (${{ steps.smoke-data.outputs.* }}) were not substituted — pre-step data was not passed to the agent. GitHub MCP returned 401 Bad credentials.

📰 BREAKING: Report filed by Smoke Copilot

@github-actions
Contributor

Smoke Test: FAIL
PRs: Optimize export-audit workflow token usage by precomputing audits and bounding verification; [awf] Support Azure Copilot BYOK env routing in api-proxy and resolve gpt-5.4 via gpt-5 family aliases
✅ GitHub PR review (public API fallback)
❌ safeinputs-gh unavailable; ✅ Playwright title contains GitHub
❌ Tavily search unavailable; ✅ file/bash; ⏭️ discussion skipped
✅ npm ci && npm run build
Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

@github-actions
Contributor

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color 1/1 passed ✅ PASS
Go env 1/1 passed ✅ PASS
Go uuid 1/1 passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx All passed ✅ PASS
Node.js execa All passed ✅ PASS
Node.js p-limit All passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Note (Java): Maven's default local repo path (~/.m2/repository) was not writable due to directory ownership. Tests were run with -Dmaven.repo.local=/tmp/gh-aw/agent/m2-repo as a workaround. All 2 Java tests passed successfully.

Generated by Build Test Suite for issue #3260 · ● 4.7M ·

@github-actions
Contributor

Smoke test result: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini

@github-actions
Contributor

Smoke Test: GitHub Actions Services Connectivity

| Check | Result |
|---|---|
| Redis PING | ❌ Timeout (no response on host.docker.internal:6379) |
| PostgreSQL pg_isready | ❌ No response on host.docker.internal:5432 |
| PostgreSQL SELECT 1 | ❌ Timeout (connection failed) |

Overall: FAIL — Neither Redis nor PostgreSQL service containers were reachable from the runner.

🔌 Service connectivity validated by Smoke Services

@lpcox lpcox merged commit f86621c into main May 16, 2026
60 of 64 checks passed
@lpcox lpcox deleted the copilot/aw-fix-ci-cd-pipeline-failure branch May 16, 2026 18:46

Development

Successfully merging this pull request may close these issues.

[aw] CI/CD Pipelines and Integration Tests Gap Assessment failed

3 participants