From b60643ffeaf41990c318a97758bc2e0df11c2029 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 24 Mar 2026 21:31:50 +0000
Subject: [PATCH 1/3] Initial plan


From df9c624b29e2aef08b02c27527f67734d6188255 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 24 Mar 2026 21:36:21 +0000
Subject: [PATCH 2/3] fix: use %q instead of single-quoted format for
 GH_AW_LABEL_NAMES env var

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/4d6e97a5-04c4-4da6-a7ba-4e6d38cc6339
---
 .github/workflows/daily-fact.lock.yml |  8 ++++----
 pkg/workflow/data/action_pins.json    | 11 +++--------
 2 files changed, 7 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml
index 32934a1334d..21fe31d0bcb 100644
--- a/.github/workflows/daily-fact.lock.yml
+++ b/.github/workflows/daily-fact.lock.yml
@@ -58,7 +58,7 @@ jobs:
       secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }}
     steps:
       - name: Setup Scripts
-        uses: github/gh-aw-actions/setup@50f4fc16883c6c6672d8879affa8fd15d5cc79a4 # v0
+        uses: github/gh-aw-actions/setup@v0
         with:
           destination: ${{ runner.temp }}/gh-aw/actions
       - name: Generate agentic run info
@@ -325,7 +325,7 @@ jobs:
       output_types: ${{ steps.collect_output.outputs.output_types }}
     steps:
       - name: Setup Scripts
-        uses: github/gh-aw-actions/setup@50f4fc16883c6c6672d8879affa8fd15d5cc79a4 # v0
+        uses: github/gh-aw-actions/setup@v0
         with:
           destination: ${{ runner.temp }}/gh-aw/actions
       - name: Set runtime paths
@@ -920,7 +920,7 @@ jobs:
       total_count: ${{ steps.missing_tool.outputs.total_count }}
     steps:
       - name: Setup Scripts
-        uses: github/gh-aw-actions/setup@50f4fc16883c6c6672d8879affa8fd15d5cc79a4 # v0
+        uses: github/gh-aw-actions/setup@v0
         with:
           destination: ${{ runner.temp }}/gh-aw/actions
       - name: Download agent output artifact
@@ -1039,7 +1039,7 @@ jobs:
       process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }}
     steps:
       - name: Setup Scripts
-        uses: github/gh-aw-actions/setup@50f4fc16883c6c6672d8879affa8fd15d5cc79a4 # v0
+        uses: github/gh-aw-actions/setup@v0
         with:
           destination: ${{ runner.temp }}/gh-aw/actions
       - name: Download agent output artifact
diff --git a/pkg/workflow/data/action_pins.json b/pkg/workflow/data/action_pins.json
index 81223426c5b..d52621b08c9 100644
--- a/pkg/workflow/data/action_pins.json
+++ b/pkg/workflow/data/action_pins.json
@@ -148,15 +148,10 @@
       "version": "v4.34.1",
       "sha": "cb06a0a8527b2c6970741b3a0baa15231dc74a4c"
     },
-    "github/gh-aw-actions/setup@v0": {
+    "github/gh-aw-actions/setup@v0.63.1": {
       "repo": "github/gh-aw-actions/setup",
-      "version": "v0",
-      "sha": "50f4fc16883c6c6672d8879affa8fd15d5cc79a4"
-    },
-    "github/gh-aw-actions/setup@v0.62.5": {
-      "repo": "github/gh-aw-actions/setup",
-      "version": "v0.62.5",
-      "sha": "dc50be57c94373431b49d3d0927f318ac2bb5c4c"
+      "version": "v0.63.1",
+      "sha": "53e09ec0be6271e81a69f51ef93f37212c8834b0"
     },
     "github/stale-repos@v9.0.4": {
       "repo": "github/stale-repos",

From d35b9a3e0fd1399753a5ea489a2c4e5d9f3713d1 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 24 Mar 2026 21:38:01 +0000
Subject: [PATCH 3/3] fix(security): use %q instead of single-quoted format for
 GH_AW_LABEL_NAMES env var (CodeQL #559)

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/4d6e97a5-04c4-4da6-a7ba-4e6d38cc6339
---
 .github/workflows/ci-doctor.lock.yml     | 2 +-
 .github/workflows/cloclo.lock.yml        | 2 +-
 .github/workflows/dev.lock.yml           | 2 +-
 .github/workflows/smoke-copilot.lock.yml | 2 +-
 pkg/workflow/compiler_activation_job.go  | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml
index a526df0ae46..0c67ab87185 100644
--- a/.github/workflows/ci-doctor.lock.yml
+++ b/.github/workflows/ci-doctor.lock.yml
@@ -161,7 +161,7 @@ jobs:
         id: remove_trigger_label
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         env:
-          GH_AW_LABEL_NAMES: '["ci-doctor"]'
+          GH_AW_LABEL_NAMES: "[\"ci-doctor\"]"
         with:
           script: |
             const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml
index 66b22e8fd81..89398e9dd0b 100644
--- a/.github/workflows/cloclo.lock.yml
+++ b/.github/workflows/cloclo.lock.yml
@@ -190,7 +190,7 @@ jobs:
         id: remove_trigger_label
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         env:
-          GH_AW_LABEL_NAMES: '["cloclo"]'
+          GH_AW_LABEL_NAMES: "[\"cloclo\"]"
         with:
           script: |
             const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml
index 1c71db27faf..5c44138862b 100644
--- a/.github/workflows/dev.lock.yml
+++ b/.github/workflows/dev.lock.yml
@@ -162,7 +162,7 @@ jobs:
         id: remove_trigger_label
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         env:
-          GH_AW_LABEL_NAMES: '["dev"]'
+          GH_AW_LABEL_NAMES: "[\"dev\"]"
         with:
           script: |
             const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml
index 95b6bf560d5..20ebbb44a54 100644
--- a/.github/workflows/smoke-copilot.lock.yml
+++ b/.github/workflows/smoke-copilot.lock.yml
@@ -169,7 +169,7 @@ jobs:
         id: remove_trigger_label
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         env:
-          GH_AW_LABEL_NAMES: '["smoke"]'
+          GH_AW_LABEL_NAMES: "[\"smoke\"]"
         with:
           github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
           script: |
diff --git a/pkg/workflow/compiler_activation_job.go b/pkg/workflow/compiler_activation_job.go
index 201bda10c1a..fb7808c531b 100644
--- a/pkg/workflow/compiler_activation_job.go
+++ b/pkg/workflow/compiler_activation_job.go
@@ -329,7 +329,7 @@ func (c *Compiler) buildActivationJob(data *WorkflowData, preActivationJobCreate
 		if err != nil {
 			return nil, fmt.Errorf("failed to marshal label-command names: %w", err)
 		}
-		steps = append(steps, fmt.Sprintf("          GH_AW_LABEL_NAMES: '%s'\n", string(labelNamesJSON)))
+		steps = append(steps, fmt.Sprintf("          GH_AW_LABEL_NAMES: %q\n", string(labelNamesJSON)))
 		steps = append(steps, "        with:\n")
 		// Use GitHub App or custom token if configured (avoids needing elevated GITHUB_TOKEN permissions)
 		labelToken := c.resolveActivationToken(data)