Compat-based Copilot CLI install: single remote fetch, jq-only resolution, TTL-aware cache, and gh-aw-actions-sourced release policy#36676
Conversation
Co-authored-by: salmanmkc <32169182+salmanmkc@users.noreply.github.com>
Co-authored-by: salmanmkc <32169182+salmanmkc@users.noreply.github.com>
Co-authored-by: salmanmkc <32169182+salmanmkc@users.noreply.github.com>
|
/smoke-copilot |
|
📰 BREAKING: Smoke Copilot is now investigating this issue comment. Sources say the story is developing... |
There was a problem hiding this comment.
Pull request overview
This PR makes GitHub Copilot CLI installation default to a compatibility-matrix-selected version (keyed off GH_AW_COMPILED_VERSION) and consolidates runtime “release gating” policy into .github/aw/compat.json, so installs and activation checks stay within the intended gh-aw↔agent compatibility window.
Changes:
- Resolve the default Copilot CLI version from
.github/aw/compat.json(with primary/fallback fetch URLs) before toolcache lookup when no explicit version is provided. - Move/validate runtime version policy (
blockedVersions,minimumVersion,minRecommendedVersion) undercompat.jsonand update the activation-time checker to read from that source. - Add targeted tests and update docs/workflow step labels to reflect the new policy source and clearer SDK install labeling.
Show a summary per file
| File | Description |
|---|---|
pkg/cli/install_copilot_cli_test.go |
Adds test coverage ensuring compat-driven version resolution happens before toolcache lookup. |
docs/src/content/docs/reference/releases.md |
Updates docs to state activation fetches compat.json for runtime version policies. |
actions/setup/sh/install_copilot_cli.sh |
Implements compat.json download + window match to select default Copilot CLI version. |
actions/setup/js/check_version_updates.cjs |
Switches runtime policy source from releases.json to compat.json. |
.github/workflows/smoke-copilot-sdk.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/q.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/python-data-charts.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/pr-triage-agent.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/pr-nitpick-reviewer.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/pr-code-quality-reviewer.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/plan.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/pdf-summary.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/org-health-report.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/metrics-collector.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/mergefest.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/mcp-inspector.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/linter-miner.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/layout-spec-maintainer.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/jsweep.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/firewall.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/firewall-escape.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/draft-pr-cleanup.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/docs-noob-tester.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/discussion-task-miner.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/dictation-prompt.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/dev-hawk.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/deployment-incident-monitor.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/delight.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/dead-code-remover.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/daily-workflow-updater.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/daily-testify-uber-super-expert.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/daily-syntax-error-quality.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/daily-spdd-spec-planner.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/daily-skill-optimizer.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/daily-sentrux-report.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/daily-security-observability.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/daily-secrets-analysis.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/daily-safe-output-integrator.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/daily-repo-chronicle.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/daily-performance-summary.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/daily-model-inventory.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/daily-mcp-concurrency-analysis.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/daily-malicious-code-scan.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/daily-issues-report.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/daily-geo-optimizer.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/daily-experiment-report.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/daily-compiler-threat-spec-optimizer.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/daily-compiler-quality.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/daily-cli-performance.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/daily-assign-issue-to-user.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/daily-architecture-diagram.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/craft.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/copilot-pr-prompt-analysis.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/copilot-pr-nlp-analysis.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/copilot-pr-merged-report.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/copilot-opt.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/copilot-cli-deep-research.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/code-scanning-fixer.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/cli-consistency-checker.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/ci-coach.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/cgo.yml |
Extends compat.json validation to enforce the merged top-level policy keys and formats. |
.github/workflows/breaking-change-checker.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/brave.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/artifacts-summary.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/architecture-guardian.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/workflows/agent-performance-analyzer.lock.yml |
Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”. |
.github/aw/compat.schema.json |
Adds the release-gating policy keys to the compat schema contract. |
.github/aw/compat.json |
Adds the release-gating policy keys to the compat config file. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 69/69 changed files
- Comments generated: 2
| return 1 | ||
| fi | ||
|
|
||
| resolved_info="$(python3 - "$compat_file" "$compiled_version" <<'PY' |
| with open(compat_path, "r", encoding="utf-8") as f: | ||
| data = json.load(f) | ||
|
|
||
| rows = ( | ||
| data.get("agent-compat-v1", {}) | ||
| .get("copilot", []) | ||
| ) |
|
@copilot the plan ebfore was:the gh-aw-actions/setup action will fetch the latest copy from main at runtime it will try it's best, with a bundled copy as fallback, then pass the matched window directly to the tool cache, installing max-agent only when no cached version satisfies it. |
|
@copilot address the comments |
Co-authored-by: salmanmkc <32169182+salmanmkc@users.noreply.github.com>
Co-authored-by: salmanmkc <32169182+salmanmkc@users.noreply.github.com>
Updated in |
|
Smoke 26901496067 Warning Firewall blocked 6 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
|
|
@copilot can you do one more pass on this for behavior/edge-case alignment? I specifically want to verify:
|
Both review comments have been addressed in commits d5cded8 and 5788468: Python3 availability check (commit d5cded8, lines 198-201): Python exception handling (commits d5cded8 + 5788468, lines 261-267): All error paths now fall back gracefully—no hard exits under |
|
@copilot pretty sure we don't want to fall back to latest? that's dangerous? |
|
@copilot merge in main |
…l-copilot-cli-script Co-authored-by: salmanmkc <32169182+salmanmkc@users.noreply.github.com>
Merged latest |
| * 1. Reads the compiled version from GH_AW_COMPILED_VERSION env var. | ||
| * 2. Skips the check if the version is not in vMAJOR.MINOR.PATCH official release format. | ||
| * 3. Fetches .github/aw/releases.json from the gh-aw repository via raw.githubusercontent.com. | ||
| * 3. Fetches .github/aw/compat.json from the gh-aw repository via raw.githubusercontent.com. |
There was a problem hiding this comment.
I think we decide if we read compat from gh-aw or gh-aw-actions.
gh-aw-actions is more locked down.
|
@copilot we want to read the compat from here instead: https://github.com/github/gh-aw-actions/blob/main/.github/aw/compat.json instead of from github/gh-aw |
Co-authored-by: salmanmkc <32169182+salmanmkc@users.noreply.github.com>
Updated in |
|
|
|
|
|
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨ |
|
🚀 Smoke Pi MISSION COMPLETE! Pi delivered. 🥧 |
|
🚀 Smoke Antigravity MISSION COMPLETE! Antigravity has spoken. ✨ |
|
✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready. |
|
🚀 Smoke Gemini MISSION COMPLETE! Gemini has spoken. ✨ |
|
✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟 |
|
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing... |
Smoke Test: Gemini - 26951642513
Overall Status: FAIL Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "localhost"See Network Configuration for more information.
|
Agent Container Tool Check
Result: 12/12 tools available ✅ Overall Status: PASS
|
|
Smoke test: FAIL
Warning Firewall blocked 6 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
|
Comment MemoryNote This comment is managed by comment memory.It stores persistent context for this thread in the code block at the top of this comment. Warning Firewall blocked 6 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
|
🤖 Smoke Test: Claude — Run 26951642303Core #1-13: 1✅ 2✅ 3❌(Serena MCP unavailable) 4✅ 5✅ 6✅ 7✅ 8✅ 9✅ 10✅ 11✅ 12✅ 13✅ Overall: PARTIAL — 1 failed (Serena), 1 skipped (no safe PR to close). Warning Firewall blocked 6 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
|
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
💥 Automated smoke test review - all systems nominal!
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
accounts.google.comandroid.clients.google.comclients2.google.comcontentautofill.googleapis.comsafebrowsingohttpgateway.googleapis.comwww.google.com
To allow these domains, add them to the
network.allowedlist in your workflow frontmatter:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
💥 [THE END] — Illustrated by Smoke Claude · opus48 4.4M
| SECONDS_PER_DAY=86400 | ||
| VERSION="${1:-}" | ||
| COPILOT_REPO="github/copilot-cli" | ||
| INSTALL_DIR="/usr/local/bin" |
There was a problem hiding this comment.
Smoke test: nice work using a single remote fetch here to avoid double network latency — consider asserting a non-empty response before falling back.
| COPILOT_TOOLCACHE_MAX_DEPTH=4 | ||
| COMPAT_URL="${COPILOT_COMPAT_URL:-https://raw.githubusercontent.com/github/gh-aw-actions/main/.github/aw/compat.json}" | ||
| COMPILED_GH_AW_VERSION="${GH_AW_COMPILED_VERSION:-}" | ||
| SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" |
There was a problem hiding this comment.
Smoke test: good defensive fallback to the bundled compat.json with a ::warning:: — clear and resilient.
|
Compat-based Copilot CLI install: single remote fetch, jq-only resolution, TTL-aware cache, and gh-aw-actions-sourced release policy Warning Firewall blocked 6 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
|
This PR updates Copilot CLI installation to resolve versions via
compat.jsonwhile keeping compatibility behavior resilient and bounded.Compat fetch + fallback behavior
COPILOT_COMPAT_URL) to avoid double network latency..github/aw/compat.jsonwith::warning::when network fetch fails.Resolver runtime path
Cache selection + install behavior
[min-agent, max-agent].max-agentonly when no cached version satisfies that window.engine.versionpins bypass compat resolution.Soft cache expiry (TTL)
agent-compat-v1.cache-ttl-daysand skips stale cache entries.max-agent, or when explicit version is pinned.Backward compatibility for in-flight versions
releases.json+ schema paths while newer logic usescompat.json.Release policy source
check_version_updates.cjsto fetch compat policy fromgithub/gh-aw-actions(https://raw.githubusercontent.com/github/gh-aw-actions/main/.github/aw/compat.json) instead ofgithub/gh-aw.Regression coverage
compat.jsonis fetched exactly once (no extra network fallback).Changeset
✨ PR Review Safe Output Test - Run 26951642303
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
accounts.google.comandroid.clients.google.comclients2.google.comcontentautofill.googleapis.comsafebrowsingohttpgateway.googleapis.comwww.google.comSee Network Configuration for more information.