Compat-based Copilot CLI install: single remote fetch, jq-only resolution, TTL-aware cache, and gh-aw-actions-sourced release policy

[Copilot]

This PR updates Copilot CLI installation to resolve versions via compat.json while keeping compatibility behavior resilient and bounded.

• Compat fetch + fallback behavior

  • Uses a single remote fetch (COPILOT_COMPAT_URL) to avoid double network latency.
  • Falls back to bundled .github/aw/compat.json with ::warning:: when network fetch fails.

• Resolver runtime path

  • Removes Python fallback from newly added compat resolution logic.
  • Uses jq-only compat resolution with clearer error surfacing when parsing fails or no row matches.

• Cache selection + install behavior

  • Toolcache lookup uses full compat window [min-agent, max-agent].
  • Installs max-agent only when no cached version satisfies that window.
  • Explicit engine.version pins bypass compat resolution.

• Soft cache expiry (TTL)

  • Reads agent-compat-v1.cache-ttl-days and skips stale cache entries.
  • TTL bypasses when cached version already equals max-agent, or when explicit version is pinned.

• Backward compatibility for in-flight versions

  • Keeps release-policy compatibility for older gh-aw versions by restoring/retaining releases.json + schema paths while newer logic uses compat.json.

• Release policy source

  • Updates check_version_updates.cjs to fetch compat policy from github/gh-aw-actions (https://raw.githubusercontent.com/github/gh-aw-actions/main/.github/aw/compat.json) instead of github/gh-aw.

• Regression coverage

  • Adds test guard asserting compat.json is fetched exactly once (no extra network fallback).
  • Verifies compat-window cache filtering and resolver behavior in install tests.

[salmanmkc]

/smoke-copilot

[github-actions]

📰 BREAKING: Smoke Copilot is now investigating this issue comment. Sources say the story is developing...

[Copilot]

Pull request overview

This PR makes GitHub Copilot CLI installation default to a compatibility-matrix-selected version (keyed off GH_AW_COMPILED_VERSION) and consolidates runtime “release gating” policy into .github/aw/compat.json, so installs and activation checks stay within the intended gh-aw↔agent compatibility window.

Changes:

• Resolve the default Copilot CLI version from .github/aw/compat.json (with primary/fallback fetch URLs) before toolcache lookup when no explicit version is provided.
• Move/validate runtime version policy (blockedVersions, minimumVersion, minRecommendedVersion) under compat.json and update the activation-time checker to read from that source.
• Add targeted tests and update docs/workflow step labels to reflect the new policy source and clearer SDK install labeling.

Show a summary per file

File	Description
pkg/cli/install_copilot_cli_test.go	Adds test coverage ensuring compat-driven version resolution happens before toolcache lookup.
docs/src/content/docs/reference/releases.md	Updates docs to state activation fetches compat.json for runtime version policies.
actions/setup/sh/install_copilot_cli.sh	Implements compat.json download + window match to select default Copilot CLI version.
actions/setup/js/check_version_updates.cjs	Switches runtime policy source from releases.json to compat.json.
.github/workflows/smoke-copilot-sdk.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/q.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/python-data-charts.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/pr-triage-agent.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/pr-nitpick-reviewer.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/pr-code-quality-reviewer.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/plan.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/pdf-summary.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/org-health-report.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/metrics-collector.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/mergefest.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/mcp-inspector.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/linter-miner.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/layout-spec-maintainer.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/jsweep.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/firewall.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/firewall-escape.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/draft-pr-cleanup.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/docs-noob-tester.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/discussion-task-miner.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/dictation-prompt.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/dev-hawk.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/deployment-incident-monitor.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/delight.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/dead-code-remover.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/daily-workflow-updater.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/daily-testify-uber-super-expert.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/daily-syntax-error-quality.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/daily-spdd-spec-planner.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/daily-skill-optimizer.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/daily-sentrux-report.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/daily-security-observability.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/daily-secrets-analysis.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/daily-safe-output-integrator.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/daily-repo-chronicle.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/daily-performance-summary.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/daily-model-inventory.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/daily-mcp-concurrency-analysis.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/daily-malicious-code-scan.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/daily-issues-report.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/daily-geo-optimizer.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/daily-experiment-report.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/daily-compiler-threat-spec-optimizer.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/daily-compiler-quality.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/daily-cli-performance.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/daily-assign-issue-to-user.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/daily-architecture-diagram.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/craft.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/copilot-pr-prompt-analysis.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/copilot-pr-nlp-analysis.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/copilot-pr-merged-report.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/copilot-opt.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/copilot-cli-deep-research.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/code-scanning-fixer.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/cli-consistency-checker.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/ci-coach.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/cgo.yml	Extends compat.json validation to enforce the merged top-level policy keys and formats.
.github/workflows/breaking-change-checker.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/brave.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/artifacts-summary.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/architecture-guardian.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/workflows/agent-performance-analyzer.lock.yml	Renames workflow step label to “Install GitHub Copilot SDK (Node.js)”.
.github/aw/compat.schema.json	Adds the release-gating policy keys to the compat schema contract.
.github/aw/compat.json	Adds the release-gating policy keys to the compat config file.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 69/69 changed files
• Comments generated: 2

[salmanmkc]

@copilot the plan ebfore was:the gh-aw-actions/setup action will fetch the latest copy from main at runtime it will try it's best, with a bundled copy as fallback, then pass the matched window directly to the tool cache, installing max-agent only when no cached version satisfies it.

[salmanmkc]

@copilot address the comments

[Copilot]

@copilot the plan ebfore was:the gh-aw-actions/setup action will fetch the latest copy from main at runtime it will try it's best, with a bundled copy as fallback, then pass the matched window directl...

Updated in 5788468 to match that plan: runtime compat fetch remains best-effort with bundled compat.json fallback, toolcache lookup now uses the matched compat window, and max-agent is only installed when no cached version satisfies that window.

[github-actions]

Smoke 26901496067
Titles: #36676 Drive Copilot CLI install from compat matrix and fold release gating into compat.json; #36679 Remove copilot SDK driver inlined mode; #36665 Normalize report-formatting guidance in daily MCP concurrency and news workflows
GitHub✅ mcpscripts✅ Serena✅ Playwright✅ WebFetch❌
File✅ Bash✅ Discussion✅ Build✅ Artifact✅ DiscussionCreate✅
Dispatch✅ PRReview✅ CommentMemory❌ SubAgent✅ CheckRun✅
Overall: FAIL · Author: @app/copilot-swe-agent · Assignees: @salmanmkc, @Copilot

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

• accounts.google.com
• android.clients.google.com
• clients2.google.com
• contentautofill.googleapis.com
• safebrowsingohttpgateway.googleapis.com
• www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot · gpt54 6.5M · ◷

[salmanmkc]

@copilot can you do one more pass on this for behavior/edge-case alignment?

I specifically want to verify:

• compat fetch failures degrade gracefully with a ::warning:: + bundled fallback, instead of failing closed
• the fallback order is intentional (gh-aw-actions fetch vs extra gh-aw network fallback vs bundled local file)
• cache lookup really uses the full [min-agent, max-agent] window and only installs max-agent on miss
• explicit engine.version pins bypass compat resolution entirely
• we either implemented or explicitly deferred soft cache expiry / TTL behavior
• failure-path coverage is solid for no python3, malformed compat payloads, and no matching compat row
• Mainly want to make sure we didn’t make install-time compatibility stricter in a way that could break runs when the fetch/parse path is unhealthy.

[Copilot]

@copilot address the comments

Both review comments have been addressed in commits d5cded8 and 5788468:

Python3 availability check (commit d5cded8, lines 198-201):
Added guard that gracefully returns when python3 is unavailable, allowing fallback to latest.

Python exception handling (commits d5cded8 + 5788468, lines 261-267):
Wrapped file read and JSON parse in try-except that exits with code 0 on any exception, returning empty string to trigger fallback to latest.

All error paths now fall back gracefully—no hard exits under set -e. Tests pass.

[salmanmkc]

@copilot pretty sure we don't want to fall back to latest? that's dangerous?

[salmanmkc]

@copilot can you update the title and description of this pr to reflect all the changes now, it seems you just have described the last commit

[salmanmkc]

@copilot are you not repeating the same msg?

[Copilot]

You’re right — that update was repetitive. The current state is unchanged from the prior note: single remote compat fetch with bundled fallback, jq-only resolver (no Python fallback), and no code change in that follow-up message.

[Copilot]

@copilot can you update the title and description of this pr to reflect all the changes now, it seems you just have described the last commit

I can’t directly edit PR metadata from this environment, but here is updated text you can paste.

Title
Compat-based Copilot CLI install: single remote fetch, jq-only resolution, TTL-aware cache, and backward-compatible release policy

Description
This PR updates Copilot CLI installation to resolve versions via compat.json while keeping compatibility behavior resilient and bounded.

• Compat fetch + fallback behavior

  • Uses a single remote fetch (COPILOT_COMPAT_URL) to avoid double network latency.
  • Falls back to bundled .github/aw/compat.json with ::warning:: when network fetch fails.

• Resolver runtime path

  • Removes Python fallback from newly added compat resolution logic.
  • Uses jq-only compat resolution with clearer error surfacing when parsing fails or no row matches.

• Cache selection + install behavior

  • Toolcache lookup uses full compat window [min-agent, max-agent].
  • Installs max-agent only when no cached version satisfies that window.
  • Explicit engine.version pins bypass compat resolution.

• Soft cache expiry (TTL)

  • Reads agent-compat-v1.cache-ttl-days and skips stale cache entries.
  • TTL bypasses when cached version already equals max-agent, or when explicit version is pinned.

• Backward compatibility for in-flight versions

  • Keeps release-policy compatibility for older gh-aw versions by restoring/retaining releases.json + schema paths while newer logic uses compat.json.

• Regression coverage

  • Adds test guard asserting compat.json is fetched exactly once (no extra network fallback).
  • Verifies compat-window cache filtering and resolver behavior in install tests.

[salmanmkc]

/smoke-copilot

[github-actions]

📰 BREAKING: Smoke Copilot is now investigating this issue comment. Sources say the story is developing...

[github-actions]

PR titles:

• Compat-based Copilot CLI install: single remote fetch, jq-only resolution, TTL-aware cache, and backward-compatible release policy
• Align copilot harness test with reflect helper API contract
• Restore digest pinning for default MCP GHCR images on compile
  ✅ GitHub reads, mcpscripts, Playwright, file/bash, build, artifact, workflow, review, sub-agent, check run
  ❌ Serena, web-fetch, comment-memory, discussion metadata
  FAIL — author @app/copilot-swe-agent; assignees @salmanmkc @Copilot

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

• accounts.google.com
• android.clients.google.com
• clients2.google.com
• contentautofill.googleapis.com
• safebrowsingohttpgateway.googleapis.com
• www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot · gpt54 7.7M · ◷

[salmanmkc]

@copilot check the failing run https://github.com/github/gh-aw/actions/runs/26931330849/job/79451820647?pr=36676

[Copilot]

@copilot check the failing run https://github.com/github/gh-aw/actions/runs/26931330849/job/79451820647?pr=36676

Checked it. The failure is in js-typecheck with TS2322 at actions/setup/js/copilot_sdk_driver.cjs:514 ({ type: "openai", baseUrl: ... } inferred as type: string, not ProviderConfig).

This is not specific to this PR: latest main is failing with the same error in CJS run 26931814186 (job 79452893777).

[salmanmkc]

@copilot merge in main

[Copilot]

@copilot merge in main

Merged latest main into this PR branch in ca3e20d.

[pelikhan]

I think we decide if we read compat from gh-aw or gh-aw-actions.

gh-aw-actions is more locked down.

[salmanmkc]

@copilot we want to read the compat from here instead: https://github.com/github/gh-aw-actions/blob/main/.github/aw/compat.json instead of from github/gh-aw

[Copilot]

@copilot we want to read the compat from here instead: https://github.com/github/gh-aw-actions/blob/main/.github/aw/compat.json instead of from github/gh-aw

Updated in 36b62d9: compat policy fetch now reads from https://raw.githubusercontent.com/github/gh-aw-actions/main/.github/aw/compat.json (including check_version_updates.cjs).