Copilot AI commented Jan 19, 2026

Static analysis flagged unverified_script_exec in 127 workflows downloading AWF via curl | sudo bash without integrity checks. This creates supply chain risk if the installer script or download is compromised.

Changes

Replaced unverified script execution with dedicated shell script containing checksum verification:

  • Created actions/setup/sh/install_awf_binary.sh - standalone script with full checksum verification logic
  • Downloads binary and checksums.txt directly from GitHub releases
  • Verifies SHA256 checksum before installation
  • Fails fast with clear diagnostics on mismatch
  • Eliminates trust dependency on installer script

Before:

curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash

After:

bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0

The shell script internally handles:

# Download the binary and the release's checksum manifest into a scratch directory
curl -fsSL -o "${TEMP_DIR}/awf-linux-x64" "${BINARY_URL}"
curl -fsSL -o "${TEMP_DIR}/checksums.txt" "${CHECKSUMS_URL}"

# Verify checksum. checksums.txt holds "<sha256>  <filename>" lines as written by
# sha256sum, so field 2 is the file name and field 1 its digest. Both paths are
# qualified with ${TEMP_DIR} so the check reads the files just downloaded rather
# than whatever happens to sit in the current working directory.
EXPECTED_CHECKSUM=$(awk -v fname="awf-linux-x64" '$2 == fname {print $1}' "${TEMP_DIR}/checksums.txt" | tr 'A-F' 'a-f')
ACTUAL_CHECKSUM=$(sha256sum "${TEMP_DIR}/awf-linux-x64" | awk '{print $1}' | tr 'A-F' 'a-f')

if [ "$EXPECTED_CHECKSUM" != "$ACTUAL_CHECKSUM" ]; then
  echo "ERROR: Checksum verification failed!"
  echo "  expected: ${EXPECTED_CHECKSUM:-<no entry for awf-linux-x64 in checksums.txt>}"
  echo "  actual:   ${ACTUAL_CHECKSUM}"
  exit 1
fi

Files Modified

  • actions/setup/sh/install_awf_binary.sh - NEW: Dedicated shell script with checksum verification logic
  • pkg/workflow/copilot_engine_installation.go - Simplified to call shell script (60+ lines → 2 lines)
  • pkg/workflow/firewall_version_pinning_test.go - Test validations updated
  • 127 workflow .lock.yml files recompiled

Impact

  • 127 workflows now verify binary integrity before execution
  • 0 workflows use unverified installer script pattern
  • Cryptographic verification of all AWF installations
  • Validation logic centralized in maintainable shell script for easier auditing and testing
Original prompt

This section details the original issue you should resolve

<issue_title>[deep-report] Verify awf install script with checksum in workflow templates</issue_title>
<issue_description>Description
Static analysis reports flagged unverified_script_exec in 128 workflows that install the firewall agent via a remote script without integrity checks. Add checksum verification to the install step in the workflow template(s), then recompile workflows to propagate the fix.

Expected Impact
Mitigates a broad supply chain risk by ensuring the firewall installer script is verified before execution.

Suggested Agent
Static Analysis Report Agent

Estimated Effort
Medium (1-4 hours)

Data Source
DeepReport Intelligence Briefing - 2026-01-19 (workflow run 21142424190) referencing discussion #10694

AI generated by DeepReport - Intelligence Gathering Agent

Comments on the Issue (you are @copilot in this section)




Changeset

  • Type: patch
  • Description: Add SHA256 checksum verification for AWF binary installation; replace unverified curl | bash installer with actions/setup/sh/install_awf_binary.sh that verifies checksums before installing the binary.

Ahoy! This treasure was crafted by 🏴‍☠️ Changeset Generator
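The verification step described in the PR body is short, so the edge cases are easy to miss: an artifact name missing from checksums.txt, an uppercase or binary-mode (`*name`) entry, a truncated digest, or a download that never arrived. The function below is an added example written for this page, not the gh-aw project's own install_awf_binary.sh; the function names, exit codes and the sample payload are constructed here. It verifies a file against a sha256sum-format manifest and returns a distinct exit code for each failure mode so a caller can fail fast with a precise diagnostic.

```shell
#!/usr/bin/env bash
# Added example (not the gh-aw project's install_awf_binary.sh): verify a
# downloaded artifact against a sha256sum-format checksums.txt before it is
# installed. Function names, exit codes and sample data are constructed here.
set -euo pipefail

# Hex SHA-256 of a file; falls back to shasum on systems without coreutils.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_checksum ARTIFACT CHECKSUMS_FILE ENTRY_NAME
#   0 = digest matches, 1 = mismatch, 2 = no single well-formed entry for
#   ENTRY_NAME, 3 = artifact or checksums file missing.
# Manifest lines are "<hex>  <name>" as written by sha256sum; a leading '*'
# on the name (binary-mode marker) is tolerated and hex is compared
# case-insensitively, matching the tr 'A-F' 'a-f' in the PR's script.
verify_checksum() {
  local artifact="$1" checksums="$2" name="$3"
  local expected count actual

  if [ ! -f "$artifact" ] || [ ! -f "$checksums" ]; then
    echo "ERROR: missing $artifact or $checksums" >&2
    return 3
  fi

  # Select the digest whose file name equals ENTRY_NAME (ignoring a '*' prefix).
  expected=$(awk -v fname="$name" '{ f = $2; sub(/^\*/, "", f); if (f == fname) print $1 }' "$checksums" | tr 'A-F' 'a-f')

  # Exactly one entry must match; zero means the manifest does not cover this
  # artifact, more than one means the manifest itself is ambiguous.
  count=$(printf '%s\n' "$expected" | awk 'NF { n++ } END { print n + 0 }')
  if [ "$count" -ne 1 ]; then
    echo "ERROR: expected one checksum entry for '$name', found $count" >&2
    return 2
  fi

  # A truncated or hand-edited digest must not be accepted just because it is non-empty.
  case "$expected" in
    *[!0-9a-f]*) echo "ERROR: malformed checksum entry for '$name'" >&2; return 2 ;;
  esac
  if [ "${#expected}" -ne 64 ]; then
    echo "ERROR: checksum entry for '$name' is not 64 hex characters" >&2
    return 2
  fi

  actual=$(sha256_of "$artifact" | tr 'A-F' 'a-f')
  if [ "$expected" != "$actual" ]; then
    echo "ERROR: checksum mismatch for $artifact" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
  fi
  echo "OK: $artifact matches entry '$name'"
  return 0
}

# Stand-alone demo on constructed data: a fake binary, a checksums.txt as a
# release pipeline would publish it, then a tampered copy and a missing entry.
demo() {
  local dir rc
  dir=$(mktemp -d)
  printf 'constructed fake awf binary payload\n' > "$dir/awf-linux-x64"
  printf '%s  awf-linux-x64\n' "$(sha256_of "$dir/awf-linux-x64")" > "$dir/checksums.txt"

  verify_checksum "$dir/awf-linux-x64" "$dir/checksums.txt" awf-linux-x64

  printf 'tampered\n' >> "$dir/awf-linux-x64"
  rc=0; verify_checksum "$dir/awf-linux-x64" "$dir/checksums.txt" awf-linux-x64 || rc=$?
  echo "tampered artifact -> exit $rc"

  rc=0; verify_checksum "$dir/awf-linux-x64" "$dir/checksums.txt" awf-linux-arm64 || rc=$?
  echo "unknown entry -> exit $rc"
  rm -rf "$dir"
}

demo
```

The distinct return codes are the point: a workflow step that only compares two strings cannot tell "the release forgot to publish a digest for this platform" from "the download was altered in transit", and the first case is the one that tends to get papered over with a retry.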

Copilot AI and others added 3 commits January 19, 2026 20:06
- Replace unverified installer script piping with direct binary download
- Add SHA256 checksum verification from checksums.txt
- Update tests to validate checksum verification presence
- Eliminates trust in installer script itself (supply chain protection)

Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>

All 127 workflows now use checksum-verified AWF binary installation:
- Download binary directly from GitHub releases
- Verify SHA256 checksum against checksums.txt
- No longer use unverified installer script piping

Fixes unverified_script_exec security finding across the repository.

Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>

All AWF-related tests pass. Pre-existing TestStrictModeFirewallValidation
failure is unrelated to checksum verification changes.

Summary:
- 127 workflows now use checksum-verified AWF installation
- 0 workflows use unverified installer script
- All AWF/Firewall tests passing
- Code formatted and linted

Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add checksum verification to firewall agent install script" to "Add SHA256 checksum verification for AWF binary installation" Jan 19, 2026
Copilot AI requested a review from mnkiefer January 19, 2026 20:17
@pelikhan

@copilot move new validation logic to shell script

Copilot AI and others added 2 commits January 19, 2026 20:26
- Created actions/setup/sh/install_awf_binary.sh with checksum verification
- Updated Go code to call script instead of inlining bash logic
- Simplified generateAWFInstallationStep to single line script call
- Updated tests to check for script invocation instead of inline code

Addresses feedback to move validation logic to shell script for better maintainability and reusability.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

All 127 workflows now use the dedicated install_awf_binary.sh script:
- Simple, maintainable script call: bash /opt/gh-aw/actions/install_awf_binary.sh VERSION
- Checksum verification logic centralized in shell script
- Easier to audit and test security logic

This completes the refactoring to move validation logic to a shell script as requested.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jan 19, 2026

@copilot move new validation logic to shell script

Moved validation logic to shell script actions/setup/sh/install_awf_binary.sh. The Go code is now simplified to a single script call, and all 127 workflows use the dedicated script for checksum-verified AWF installation. Commit: 859f95c

Copilot AI changed the title from "Add SHA256 checksum verification for AWF binary installation" to "Add SHA256 checksum verification for AWF binary installation via shell script" Jan 19, 2026
Copilot AI requested a review from pelikhan January 19, 2026 20:29
@pelikhan pelikhan added the smoke label Jan 19, 2026
@github-actions

github-actions bot commented Jan 19, 2026

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

github-actions bot commented Jan 19, 2026

🎬 THE END: Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

@github-actions

github-actions bot commented Jan 19, 2026

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions

github-actions bot commented Jan 19, 2026

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰

@github-actions

Merged PRs:

  • Fix TOCTOU race condition in Docker image download logic ✅
  • chore: campaign generation cleanup ✅
  • Serena go version ❌
  • Playwright GitHub title ✅
  • Tavily search ✅
  • File write+cat ✅

Overall: FAIL

AI generated by Smoke Codex

@github-actions

Smoke Test: ⚠️ PARTIAL PASS

PR #10736: Fix TOCTOU race condition in Docker image download logic
PR #10731: chore: campaign generation cleanup

✅ GitHub MCP
❌ Serena Go (go not in PATH)
✅ Playwright
✅ File Write
✅ Bash

Run: https://github.com/githubnext/gh-aw/actions/runs/21150636088

cc @pelikhan @mnkiefer @Copilot

AI generated by Smoke Copilot

@github-actions

Smoke Test: Claude - 21150636106

Status: ⚠️ PARTIAL PASS

Recent PRs:

Results:

  • ✅ GitHub MCP
  • ❌ Serena Go (not installed)
  • ✅ Playwright
  • ✅ Tavily Web Search
  • ✅ File Writing
  • ✅ Bash Tool

Full Results

AI generated by Smoke Claude

@pelikhan pelikhan marked this pull request as ready for review January 19, 2026 20:35
@pelikhan pelikhan merged commit e063996 into main Jan 19, 2026
70 checks passed
@pelikhan pelikhan deleted the copilot/add-checksum-verification branch January 19, 2026 20:35
Development

Successfully merging this pull request may close these issues.

[deep-report] Verify awf install script with checksum in workflow templates

3 participants