feat: add version update check for compile-agentic activation

[Copilot]

Summary

This PR adds a runtime version update check to the activation job that validates whether the compiled workflow's gh-aw version is still supported, before allowing the agentic job to run.

How it works

1. .github/aw/releases.json – A new file in the protected .github/aw/ directory defines blocked versions, a minimum supported version, and a minimum recommended version. The .github/aw/releases.schema.json schema validates its structure. Both minimumVersion and minRecommendedVersion are set to v0.64.4 (current release).

2. check_version_updates.cjs – A JavaScript script added to the activation job that:

   • Downloads .github/aw/releases.json from https://raw.githubusercontent.com/github/gh-aw/main/.github/aw/releases.json via raw.githubusercontent.com
   • Uses the built-in Node.js fetch API (available in Node 24, the runtime used by actions/github-script)
   • Wraps the fetch call with withRetry/isTransientError from error_recovery.cjs to handle intermittent network failures (transient errors such as ECONNRESET, timeouts, and 5xx responses are retried up to 3 times with exponential backoff)
   • If the download fails after all retries, or if the response is invalid JSON, the check is skipped (soft failure)
   • Only versions in strict vMAJOR.MINOR.PATCH format are treated as official releases; any other format (missing v prefix, non-numeric parts, etc.) is ignored and the check is skipped
   • Checks if the compiled version is in blockedVersions (e.g. revoked security-compromised versions); blocked list entries with unknown/invalid format are silently ignored
   • Checks if the compiled version is below minimumVersion (hard failure); if minimumVersion has unknown/invalid format it is treated as absent and the check is skipped
   • Checks if the compiled version is below minRecommendedVersion (soft nudge via core.warning); if minRecommendedVersion has unknown/invalid format it is treated as absent and the check is skipped
   • Fails the activation job only for blocked or below-minimum versions; below-recommended versions emit a warning only

3. check-for-updates: false frontmatter flag – Disables the update check step:

   • Strict mode: raises a compilation error
   • Non-strict mode: emits a warning

4. Activation job step – Added for release builds only (dev builds skip it). The step runs after the timestamp check.

5. CI validation – A new step in the validate-yaml job validates .github/aw/releases.json against .github/aw/releases.schema.json using actions/github-script (inline JavaScript). Version patterns in both the schema and CI validation require the v prefix.

Files changed

• .github/aw/releases.json – New update check configuration file with minimumVersion: v0.64.4 and minRecommendedVersion: v0.64.4, placed in the protected .github/aw/ directory
• .github/aw/releases.schema.json – JSON schema for releases.json; includes minimumVersion and minRecommendedVersion properties; version patterns require strict vMAJOR.MINOR.PATCH format
• actions/setup/js/check_version_updates.cjs – Version check script (native fetch wrapped in withRetry/isTransientError; strict vMAJOR.MINOR.PATCH enforcement; unknown version formats ignored; core.warning nudge for minRecommendedVersion)
• actions/setup/js/check_version_updates.test.cjs – Extensive test suite (46 tests) covering: skip cases, network failures, retry success, soft-fail for invalid JSON, version comparison edge cases, blocked/minimum version scenarios, minRecommendedVersion soft-warning scenarios, and config structure edge cases
• pkg/workflow/frontmatter_types.go – Added UpdateCheck *bool field with JSON tag check-for-updates
• pkg/parser/schemas/main_workflow_schema.json – Added check-for-updates property
• pkg/workflow/compiler_types.go – Added UpdateCheckDisabled bool to WorkflowData
• pkg/workflow/compiler_orchestrator_workflow.go – Extracts check-for-updates flag
• pkg/workflow/update_check_validation.go – New validateUpdateCheck function
• pkg/workflow/update_check_validation_test.go – Unit tests
• pkg/workflow/compiler_orchestrator_engine.go – Calls validateUpdateCheck
• pkg/workflow/compiler_activation_job.go – Adds update check step for release builds
• .github/workflows/ci.yml – Adds .github/aw/releases.json schema validation step (via actions/github-script) + path triggers for .github/aw/releases.schema.json; validates minRecommendedVersion field

[pelikhan]

@copilot move config.json to .github/aw/config.json to make it protected

[Copilot]

@copilot move config.json to .github/aw/config.json to make it protected

Done in 75c692d — moved config.json to .github/aw/config.json. Updated the raw.githubusercontent.com URL in the fetch script, the CI validation step, and the path trigger accordingly.

[pelikhan]

@copilot use actions/github-script, not Python.

[Copilot]

Done in dbd3916 — replaced the Python step with actions/github-script. The validation logic is now inline JavaScript that reads and validates .github/aw/config.json using fs and core.

[pelikhan]

@copilot use nodejs fetch function. Actions/github-script uses node 24

[Copilot]

Done in dbd3916 — removed the https module and fetchText wrapper; main() now uses fetch directly (built-in since Node 18, available in the Node 24 environment used by actions/github-script).

[pelikhan]

@copilot the minimum version should be the current release v0.64.4

[Copilot]

@copilot the minimum version should be the current release v0.64.4

Done in ba800d8 — set "minimumVersion": "v0.64.4" in .github/aw/config.json.

[pelikhan]

@copilot use withRetry to handle intermittent failures of fetch

[Copilot]

@copilot use withRetry to handle intermittent failures of fetch

Done in e45dd40 — the fetch call inside check_version_updates.cjs is now wrapped with withRetry/isTransientError from error_recovery.cjs. Transient errors (network timeouts, resets, 5xx responses) are retried up to 3 times with exponential backoff; if all retries fail the check is still skipped gracefully. Tests use vi.useFakeTimers() + vi.runAllTimersAsync() so retry delays are simulated instantly (all 14 tests pass in ~31ms).

[pelikhan]

@copilot move to .github/aw folder

[Copilot]

Done in 9849ac9 — moved config.schema.json to .github/aw/config.schema.json, updated the $schema reference in config.json, the path trigger in ci.yml, and the schema file path in the validation step.

[pelikhan]

@copilot do not handle both format, if the version is not vmajor.minor.patch, it should NOT be treated as an official release and ignore.

[Copilot]

Done in 9849ac9 — removed normalizeVersion. parseVersion now requires a leading v; any version without it returns null. In main(), after the dev-build skip, the compiled version is parsed and if it's not vMAJOR.MINOR.PATCH the check is skipped entirely ("not an official release version"). Blocked version config entries without a v prefix are also silently ignored.

[pelikhan]

@copilot ignore unknown versions, or unknown syntax

[Copilot]

Done in 9849ac9 — unknown/non-parseable versions are now ignored at every point: compiled version with unknown syntax skips the check early; blocked version entries with unknown syntax are filtered out; a minimumVersion with unknown syntax is treated as absent and the minimum check is skipped.

[Copilot]

Pull request overview

Adds a runtime “compiled version support” gate to the activation job so workflows compiled with blocked/outdated gh-aw releases fail fast (with an opt-out in non-strict mode).

Changes:

• Introduces remote update-check configuration (.github/aw/config.json) with a JSON schema and CI validation.
• Adds an activation-job GitHub Script step that fetches the remote config and enforces blocked/minimum supported versions for release builds.
• Adds update-check frontmatter support, compiler plumbing, and strict/non-strict validation behavior (+ tests).

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
pkg/workflow/update_check_validation.go	Implements strict/non-strict policy for update-check: false.
pkg/workflow/update_check_validation_test.go	Tests strict/non-strict validation and activation job step inclusion/exclusion.
pkg/workflow/frontmatter_types.go	Adds typed UpdateCheck *bool frontmatter field.
pkg/workflow/compiler_types.go	Adds UpdateCheckDisabled flag to WorkflowData.
pkg/workflow/compiler_orchestrator_workflow.go	Plumbs update-check into WorkflowData.UpdateCheckDisabled.
pkg/workflow/compiler_orchestrator_engine.go	Enforces update-check policy during compilation.
pkg/workflow/compiler_activation_job.go	Adds the activation-job step to check compiled version (release builds only).
pkg/parser/schemas/main_workflow_schema.json	Documents/adds update-check boolean to the frontmatter schema.
actions/setup/js/check_version_updates.cjs	Implements remote config fetch + blocked/minimum version enforcement.
actions/setup/js/check_version_updates.test.cjs	Adds a comprehensive Vitest suite for the update-check script.
.github/workflows/ci.yml	Adds CI validation for .github/aw/config.json and path triggers.
.github/aw/config.schema.json	Defines JSON schema for the remote update-check config.
.github/aw/config.json	Sets initial minimumVersion and blocked list (empty).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

parseVersion() claims to enforce strict vMAJOR.MINOR.PATCH but currently accepts versions with extra dot segments (e.g. v1.2.3.4 parses as [1,2,3]). This can incorrectly treat non-release/invalid versions as official releases and run comparisons against truncated versions. Require exactly 3 numeric parts (or use a strict regex) and add a unit test for an extra-segment version to prevent regressions.

[Copilot]

The retry behavior for HTTP responses does not match the PR description (“5xx responses are retried”). Here, a non-OK response throws Error("HTTP <status> fetching ..."), but isTransientError() only matches specific strings like "502 bad gateway"/"503 service unavailable" and will treat HTTP 500 ... as non-retryable (so no retries happen). Consider making the fetch retry predicate explicitly retry on res.status >= 500 (e.g., by throwing an error that carries status, or by checking status before throwing) and add a test asserting a 500 triggers retries.

[Copilot]

JSON.parse(await res.text()) can legally return null. If the remote config ever becomes null (valid JSON) this will later throw a TypeError when reading config.blockedVersions / config.minimumVersion. Guard by normalizing non-object/null values to {} before accessing properties, and add a unit test for a null config payload.

[Copilot]

This step is labeled as validating config.json “against JSON schema”, but the script never loads or applies the schema file—it performs a separate, hand-maintained validation (allowedKeys/regexes) that can drift from .github/aw/config.schema.json. Either use an actual JSON Schema validator (e.g., Ajv) with config.schema.json, or rename the step to reflect that it’s a manual validation and keep the schema/validation logic single-sourced.

[pelikhan]

@copilot rename field "check-for-updates"

[Copilot]

Done in 3df3708 — renamed update-check to check-for-updates across the schema, struct tag, frontmatter lookup, validation logic, error/warning messages, comments, and tests.

[Copilot]

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw EeZIaaIzA 874519615c985302--show-toplevel git rev-�� --show-toplevel go /usr/bin/git $(go env GOROOT)git mf6mihAfk ache/go/1.25.0/x--show-toplevel git (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw -trimpath /opt/hostedtoolc--show-toplevel git rev-�� --show-toplevel /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/compile /usr/bin/git k/gh-aw/gh-aw/.ggit -trimpath 0/x64/bin/node git (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw -trimpath 4141431/b001/vet--show-toplevel git rev-�� --show-toplevel /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/compile /usr/bin/git k/gh-aw/gh-aw -trimpath /opt/hostedtoolc--show-toplevel git (http block)
• https://api.github.com/orgs/test-owner/actions/secrets
  • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name go1.25.0 -c=4 -nolocalimports -importcfg /tmp/go-build3820542201/b139/importcfg -pack /home/REDACTED/go/pkg/mod/golang.org/x/oauth2@v0.34.0/internal/doc.go -o /tmp/go-build500-p -trimpath 64/bin/go -p github.com/githu-o -lang=go1.25 go (http block)
• https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha user.email test@example.com /usr/bin/git -json l/format/format.rev-parse x_amd64/compile git rev-�� --show-toplevel x_amd64/compile /usr/bin/git -json GO111MODULE x_amd64/compile /usr/bin/git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v3
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha sistency_GoAndJavaScript1408538240/001/test-complex-frontmatter-with-tools.md 4141431/b425/_testmain.go /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/link o mime/multipart -lang=go1.25 /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/link -o /tmp/go-build3464141431/b425/logger.test (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v5
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha 2753441903 0/internal/number/common.go 64/pkg/tool/linux_amd64/compile GOINSECURE .o 64/src/internal/--get-regexp 64/pkg/tool/linu^remote\..*\.gh-resolved$ env g_.a miIXZcA9G 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha list --json /usr/bin/git --workflow nonexistent-workrev-parse --limit git rev-�� --show-toplevel 64/pkg/tool/linuremote.origin.url /usr/bin/git g_.a GO111MODULE 64/pkg/tool/linu--show-toplevel git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/compile /usr/bin/git 0542201/b100/_pkgit GO111MODULE ceutil.test git rev-�� --show-toplevel ceutil.test /usr/bin/git HEo-/7ZUmFARFGAKgit GO111MODULE x_amd64/link git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha ue.number go /usr/bin/git -json GO111MODULE x_amd64/compile git rese�� HEAD .github/workflows/test.md /usr/bin/git -json GO111MODULE x_amd64/compile git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/asm /usr/bin/git 4723-31067/test-git om/goccy/go-yamlrev-parse .cfg git rev-�� --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/compile /usr/bin/git agent-performancgit GO111MODULE ache/go/1.25.0/x--show-toplevel git (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v8
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -goversion go1.25.0 -c=4 -nolocalimports -importcfg /tmp/go-build3820542201/b204/importcfg -pack conf�� extensions.objec-p sh 64/bin/go "prettier" --wri/opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/compile x_amd64/vet 64/bin/go go (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha --check scripts/**/*.js 64/bin/go .prettierignore x_amd64/vet 64/bin/go go env -json .go 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -mod=readonly -f 64/bin/go -d unsafe 64/bin/go go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha --show-toplevel -tests /usr/bin/git -json GO111MODULE x_amd64/compile git rev-�� --show-toplevel x_amd64/compile /opt/hostedtoolcache/node/24.14.0/x64/bin/node -json GO111MODULE x_amd64/compile node (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha /tmp/TestHashStability_SameInputSameOutput3853685298/001/stabili-test.timeout=10m0s go r,url,status,conclusion,workflowName,createdAt,startedAt,updated-test.short=true -json flow-12345 x_amd64/compile git add .github/workflows/test.md x_amd64/compile /usr/bin/git -json GO111MODULE x_amd64/compile git (http block)
• https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha 0542201/b128/importcfg -trimpath g_.a -p vendor/golang.orrev-parse -lang=go1.25 /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/compile -o /tmp/go-build3820542201/b134/_pkg_.a -trimpath ache/node/24.14.0/x64/bin/node -p github.com/googlrev-parse -lang=go1.23 /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
• https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha --show-toplevel /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/compile /usr/bin/git /tmp/go-build382git -trimpath 0/x64/bin/node git rev-�� --show-toplevel /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linu1 /usr/bin/git ithub/workflows/docker -trimpath /usr/bin/git git (http block)
• https://api.github.com/repos/github/gh-aw
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility --show-toplevel git /usr/bin/git --show-toplevel go ache/node/24.14./home/REDACTED/work/gh-aw/gh-aw/.github/workflows git rev-�� --show-toplevel /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/compile r: $owner, name: $name) { hasDiscussionsEnabled } } k/gh-aw/gh-aw/.gdocker -trimpath /usr/bin/git git (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0 --jq .object.sha --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet /usr/bin/git /tmp/go-build382git -trimpath /opt/hostedtoolc--show-toplevel git rev-�� etup-go/git/ref/tags/v4 /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet /usr/bin/git -bool -buildtags 4141431/b431/vet/home/REDACTED/work/gh-aw/gh-aw/.github/workflows git (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha /tmp/TestHashConsistency_GoAndJavaScript1408538240/001/test-inlined-imports-enabled-with-env-temgit go /usr/bin/git -json GO111MODULE 64/bin/go git rev-�� --git-dir go /usr/bin/git -json GO111MODULE x_amd64/compile git (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha runs/20260330-214723-31067/test-1077233069/.github/workflows -trimpath g_.a l iter -lang=go1.25 4141431/b395/importcfg -o k/gh-aw/gh-aw/pkg/cli/access_log.go k/gh-aw/gh-aw/pkg/cli/actionlint.go 0/x64/bin/node -p compress/flate -lang=go1.25 /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/compile (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha AZcA/kl_dtpEM1NLxpmvuAZcA -trimpath /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/compile -I /tmp/go-build382rev-parse -I 4141431/b393/importcfg -o k/gh-aw/gh-aw/internal/tools/generate-action-metadata/main.go -trimpath 0/x64/bin/node -p net/netip -lang=go1.25 /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linuREDACTED (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
  • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
  • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env g_.a GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
  • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE x_amd64/link GOINSECURE GOMOD GOMODCACHE x_amd64/link (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
  • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linutest@example.com env g_.a GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
  • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env g_.a t.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
  • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 GO111MODULE 64/pkg/tool/linux_amd64/asm GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/asm env -json GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
  • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 GO111MODULE 64/pkg/tool/linux_amd64/asm GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/asm env -json GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
• https://api.github.com/repos/github/gh-aw/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path go1.25.0 -c=4 -nolocalimports -importcfg /tmp/go-build3820542201/b248/importcfg -embedcfg /tmp/go-build3820542201/b248/embedcfg -o /tmp/go-build500-p -trimpath 64/bin/go -p github.com/githu-o -lang=go1.25 go (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env ub/workflows GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel x_amd64/link /usr/bin/git successfully" GO111MODULE 64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel Ds/WrsaZCqRpvSTiHMe1VZH/FYqRAzfHFWjSaK8IOMJz /usr/bin/git ut2686020750/001sed GO111MODULE x_amd64/compile git (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha -json 9a45e550:go.mod 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env g_.a @v1.1.3/cpu/arm/arm.go x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE x_amd64/asm GOINSECURE GOMOD GOMODCACHE x_amd64/asm (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE x_amd64/asm GOINSECURE GOMOD GOMODCACHE x_amd64/asm (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD wasm.s go env -json GO111MODULE x_amd64/asm GOINSECURE GOMOD GOMODCACHE x_amd64/asm (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
• https://api.github.com/repos/githubnext/agentics/git/ref/tags/
  • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha --show-toplevel gcc $name) { hasDiscussionsEnabled } } ithub/workflows/infocmp c /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git /tmp/gh-aw-test-git rev-parse /usr/bin/git git (http block)
• https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha -json GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env g_.a @v1.1.3/cpu/x86/x86.go x_amd64/link GOINSECURE GOMOD GOMODCACHE x_amd64/link (http block)
• https://api.github.com/repos/nonexistent/repo/actions/runs/12345
  • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env 80386629/.github/workflows GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
• https://api.github.com/repos/owner/repo/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOSUMDB GOWORK 64/bin/go /opt/hostedtoolc-trimpath -o /tmp/go-build500-p -trimpath 64/bin/go -p github.com/githu-c -lang=go1.25 go (http block)
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOSUMDB GOWORK 64/bin/go /opt/hostedtoolc-trimpath -o /tmp/go-build500-p -trimpath 64/bin/go -p main -lang=go1.25 go (http block)
• https://api.github.com/repos/owner/repo/contents/file.md
  • Triggering command: /tmp/go-build3464141431/b404/cli.test /tmp/go-build3464141431/b404/cli.test -test.testlogfile=/tmp/go-build3464141431/b404/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true -nolocalimports -importcfg /tmp/go-build3820542201/b200/importcfg -pack --ch�� scripts/**/*.js --ignore-path 64/bin/go tierignore x_amd64/vet 64/bin/go go (http block)
• https://api.github.com/repos/test-owner/test-repo/actions/secrets
  • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name go1.25.0 -c=4 -nolocalimports -importcfg /tmp/go-build3820542201/b237/importcfg -pack /home/REDACTED/go/pkg/mod/golang.org/x/text@v0.35.0/feature/plural/common.go -o /tmp/go-build500-p -trimpath 64/bin/go -p github.com/ayman-o -lang=go1.24 go (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[pelikhan]

@copilot rename this file to "releases.json" and rename json schema accordingly. Update all references.

[Copilot]

Done in 04475fd — renamed config.json → releases.json and config.schema.json → releases.schema.json. Updated the $schema reference inside releases.json, the raw.githubusercontent.com URL in check_version_updates.cjs, the path triggers and validation step in ci.yml, and the comment in compiler_activation_job.go.

[Copilot]

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw 1K/ceuZCgl3Wb-XP/home/REDACTED/.npm/_npx/b388654678d519d9/node_modules/.bin/prettier (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw J1z3gtl7YRHEhwhK-1 (http block)
• https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha ath ../../../.pr**/*.json (http block)
• https://api.github.com/repos/github/gh-aw
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility get .cfg 64/pkg/tool/linux_amd64/vet committer.email (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0 --jq .object.sha ath ../../../.prettierignore (http block)
• https://api.github.com/repos/githubnext/agentics/git/ref/tags/
  • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[pelikhan]

@copilot add a "minRecommendedVersion" that adds a soft check to nudge the user to do a recommended upgrade. This nudge leads to a "warning" in the Actions run (core.warning). Current minRecommendedVersion is minVersion.

[pelikhan]

@copilot review comments

[Copilot]

@copilot add a "minRecommendedVersion" that adds a soft check to nudge the user to do a recommended upgrade. This nudge leads to a "warning" in the Actions run (core.warning). Current minRecommendedVe...

Done in 4c4d242 — added minRecommendedVersion as a soft check. When the compiled version is below minRecommendedVersion, core.warning is issued (no failure). The current value is set to v0.64.4 (same as minimumVersion). Also added 8 new tests and updated the CI validation step to accept the new field.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/repos/github/gh-aw/contents/.github%2Fworkflows%2Faudit-workflows.md
  • Triggering command: /opt/hostedtoolcache/node/24.14.0/x64/bin/node /opt/hostedtoolcache/node/24.14.0/x64/bin/node --experimental-import-meta-resolve --require /home/REDACTED/work/gh-aw/gh-aw/actions/setup/js/node_modules/vitest/suppress-warnings.cjs --conditions node --conditions development /home/REDACTED/work/gh-aw/gh-aw/actions/setup/js/node_modules/vitest/dist/workers/forks.js (http block)
• invalid.example.invalid
  • Triggering command: /usr/lib/git-core/git-remote-https /usr/lib/git-core/git-remote-https origin https://invalid.example.invalid/nonexistent-repo.git git conf�� user.name lure tions/setup/js/node_modules/.bin/git -M main n-dir/git git init�� --bare --initial-branch=main gin/auth-cleanup-failure user.name Test User git git (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[Copilot]

@copilot review comments

Done in 9363d66 — addressed all four review comments:

1. parseVersion extra segments — changed parts.length < 3 to parts.length !== 3 so v1.2.3.4 is now rejected as non-official.
2. 5xx retry — replaced the fixed { shouldRetry: isTransientError } with a combined predicate (err) => isTransientError(err) || err.status >= 500 so HTTP 5xx responses are retried. Added tests asserting 500 triggers retries and retry-then-succeed.
3. JSON.parse null guard — normalized the parsed result: if it's null, an array, or a non-object, it's treated as {} (empty config) rather than crashing on property access. Added test for "null" JSON body.
4. CI step label — renamed from "Validate releases.json against JSON schema" to "Validate releases.json structure and version formats" to accurately reflect the manual validation approach.