feat(engine): split copilot CLI install path by compile target

[Copilot]

Summary

Standalone pipelines previously depended on a 1ES-only NuGet feed to install Copilot CLI, which breaks for customers without that feed. This PR aligns installation behavior with gh-aw by using GitHub Releases for non-1ES targets while preserving NuGet-based install for 1ES.

• Install strategy split by target

  • target: 1es keeps the existing NuGetAuthenticate@1 + NuGetCommand@2 flow.
  • standalone / job / stage install Copilot CLI from github/copilot-cli release artifacts with SHA256SUMS.txt verification.

• Compiler wiring update

  • Engine::install_steps is target-aware.
  • Compile path passes front_matter.target into install-step generation.

• Follow-up from review feedback

  • Non-1ES release install generation is split into separate compile-time paths for:
    • latest (.../releases/latest/download)
    • pinned versions (.../releases/download/vX.Y.Z)
  • Runtime version branching was removed from the non-1ES bash step.
  • Added maintainability cleanup:
    • extracted releases base URL constant
    • extracted normalize_version_tag helper
  • Updated install docs/comments to reflect both 1ES and non-1ES behavior.
  • Added a debug directory listing after tar extraction in the non-1ES install step to improve diagnostics if release layout changes.

• Runtime contract preserved

  • Copilot binary is still staged at /tmp/awf-tools/copilot for AWF execution, so downstream invocation behavior is unchanged.

• Additional test coverage

  • Added coverage for target: 1es with engine.version: latest to ensure -Version is omitted.
  • Added coverage for v-prefixed pinned versions.
  • Added direct helper coverage for normalize_version_tag no double-prefix behavior.

Test plan

• cargo test engine_version_
• cargo test engine_install_onees_uses_nuget_feed
• cargo test engine_install_onees_latest_omits_version_argument
• cargo test engine_version_accepts_valid_with_v_prefix
• cargo test normalize_version_tag_does_not_double_prefix_v
• cargo build
• cargo test
• cargo clippy --all-targets --all-features
• parallel_validation (Code Review passed; CodeQL timed out in tool run)

[jamesadevine]

@copilot depending on version (i.e. latest/specific version), please have two separate steps. This bash script is unweildy

[Copilot]

Done in 5c51288 (plus cleanup in 65f6e60): non-1es install generation is now split into separate compile-time paths for latest vs pinned versions, so the runtime bash body no longer branches on version.

[jamesadevine]

/rust-review

[github-actions]

✅ Rust PR Reviewer completed successfully!

[Copilot]

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/repos/githubnext/ado-aw/issues
  • Triggering command: /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-5cd66b4699336750 /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-5cd66b4699336750 -m elf_x86_64 --hash-style=gnu --as-needed -dynamic-linker qvseffdkndnkhxhff4g.1g93inu.rcgu.o jyqtg774cdivnew6jsk.1g93inu.rcgu.o fltdes3f0edpkv4yf2a.1g93inu.rcgu.o akly42dpfw3k15d1yx5.1g93inu.rcgu.o xp86kyml15cwtauomgm.1g93inu.rcgu.o gp03fchodepel6au7m9.1g93inu.rcgu.o 9e1qdzuauv50j23qmn3.1g93inu.rcgu.o j1l0klnrsz418c4jsim.1g93inu.rcgu.o glsszxr4jmpum3vskwr.1g93inu.rcgu.o b9i81dqatl7h2iynjsq.1g93inu.rcgu.o uuya2loo4n1asb6fwcw.1g93inu.rcgu.o 22oecq3tg84vv5jynzk.1g93inu.rcgu.o ouowq4ivnonv6l4k2zy.1g93inu.rcgu.o 6qhxcbeym9fq8ya79wo.1g93inu.rcgu.o (http block)
• spsprodeus21.vssps.visualstudio.com
  • Triggering command: /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-5cd66b4699336750 /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-5cd66b4699336750 -m elf_x86_64 --hash-style=gnu --as-needed -dynamic-linker qvseffdkndnkhxhff4g.1g93inu.rcgu.o jyqtg774cdivnew6jsk.1g93inu.rcgu.o fltdes3f0edpkv4yf2a.1g93inu.rcgu.o akly42dpfw3k15d1yx5.1g93inu.rcgu.o xp86kyml15cwtauomgm.1g93inu.rcgu.o gp03fchodepel6au7m9.1g93inu.rcgu.o 9e1qdzuauv50j23qmn3.1g93inu.rcgu.o j1l0klnrsz418c4jsim.1g93inu.rcgu.o glsszxr4jmpum3vskwr.1g93inu.rcgu.o b9i81dqatl7h2iynjsq.1g93inu.rcgu.o uuya2loo4n1asb6fwcw.1g93inu.rcgu.o 22oecq3tg84vv5jynzk.1g93inu.rcgu.o ouowq4ivnonv6l4k2zy.1g93inu.rcgu.o 6qhxcbeym9fq8ya79wo.1g93inu.rcgu.o (dns block)
• spsprodweu4.vssps.visualstudio.com
  • Triggering command: /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-5cd66b4699336750 /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-5cd66b4699336750 -m elf_x86_64 --hash-style=gnu --as-needed -dynamic-linker qvseffdkndnkhxhff4g.1g93inu.rcgu.o jyqtg774cdivnew6jsk.1g93inu.rcgu.o fltdes3f0edpkv4yf2a.1g93inu.rcgu.o akly42dpfw3k15d1yx5.1g93inu.rcgu.o xp86kyml15cwtauomgm.1g93inu.rcgu.o gp03fchodepel6au7m9.1g93inu.rcgu.o 9e1qdzuauv50j23qmn3.1g93inu.rcgu.o j1l0klnrsz418c4jsim.1g93inu.rcgu.o glsszxr4jmpum3vskwr.1g93inu.rcgu.o b9i81dqatl7h2iynjsq.1g93inu.rcgu.o uuya2loo4n1asb6fwcw.1g93inu.rcgu.o 22oecq3tg84vv5jynzk.1g93inu.rcgu.o ouowq4ivnonv6l4k2zy.1g93inu.rcgu.o 6qhxcbeym9fq8ya79wo.1g93inu.rcgu.o (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[github-actions]

🔍 Rust PR Review

Summary: Looks good overall — the target-aware split is well-structured and the SHA256 verification is a solid security addition. A few things worth addressing before merge.

Findings

🐛 Bugs / Logic Issues

• src/engine.rs:625-627 — Tarball structure assumption, no fallback: The bash script does tar -xz -C "$TOOLS_DIR" -f ... then immediately cp "$TOOLS_DIR/copilot" /tmp/awf-tools/copilot. This hard-codes an expectation that copilot is at the root of the tarball (not in a subdirectory). If the release layout changes (e.g., adds a copilot-linux-x64/ prefix), set -euo pipefail will catch it, but the error message will be a cryptic cp: cannot stat '$TOOLS_DIR/copilot': No such file or directory. Worth adding a ls -la "$TOOLS_DIR" debug line (like the NuGet path does) before the cp, or extracting to $TEMP_DIR and using find to locate the binary.

• src/engine.rs:563-568 — version == "latest" bypasses URL injection check for 1ES path implicitly, but not explicitly: The is_valid_version guard runs before the target branch, which means an invalid version string like 1.0.0$(evil) is correctly rejected for both paths. ✅ However, "latest" passes is_valid_version and takes the early-return GitHub Releases branch — NuGet would have treated "latest" as a literal package version and failed at runtime. The new code is actually more correct here; just worth calling out in a comment that this is intentional and that the NuGet path deliberately omits -Version for "latest".

⚠️ Suggestions

• src/engine.rs:515-516 — Stale comment: The comment says "Validate version to prevent NuGet argument injection — the version string is embedded directly into NuGet command arguments." This is now only true for 1ES. For other targets the version lands in a GitHub URL. Suggest: "Validate version to prevent injection (NuGet arguments for 1ES, URL construction for other targets)."

• src/engine.rs:501-503 — Stale doc comment: The function-level doc still describes only the NuGet path (NuGetAuthenticate@1, Microsoft.Copilot.CLI.linux-x64). Should mention the GitHub Releases path for non-1ES.

• Missing engine_install_onees_latest test: There is a test for 1ES + pinned version and non-1ES + latest/pinned, but no test for 1ES + version: latest. The latest → empty -Version logic exists in the 1ES branch and would be easy to accidentally break.

• Missing normalize_version_tag round-trip test: normalize_version_tag must not double-prefix v1.0.34 → vv1.0.34. A quick unit test (or at least one engine_version_accepts_valid variant with a v-prefixed version) would pin this.

✅ What Looks Good

• SHA256 verification with graceful fallback (sha256sum → shasum) is well-handled.
• The normalize_version_tag helper correctly handles already-prefixed v strings.
• is_valid_version continues to run before any target-branching, so injection protection applies universally.
• Rust's \{\{ / }} escaping in the awk format! strings is correct.
• The new engine_install_onees_uses_nuget_feed test gives good explicit coverage of the 1ES NuGet path.

Generated by Rust PR Reviewer for issue #584 · ● 272.3K · ◷

[jamesadevine]

@copilot implement review feedback and suggestions

[Copilot]

@copilot implement review feedback and suggestions

Implemented the rust-review feedback in 65e2a91: updated stale install/version comments, added debug listing after tar extraction, and added tests for 1ES latest and v-prefixed normalization behavior.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/repos/githubnext/ado-aw/issues
  • Triggering command: /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-5cd66b4699336750 /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-5cd66b4699336750 /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/bash_lint_tests-56c66bd4895040cd.124m6rz6vd3x0wwrliv5sjvjv.05dn50g.rcgu.o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/bash_lint_tests-56c66bd4895040cd.12onb32qpy4330qs0xiz440ki.05dn50g.rcgu.o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/bash_lint_tests-56c66bd4895040cd.18724chohqva3pxqhzzvyuwkl.05dn50g.rcgu.o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/bash_lint_tests-56c66bd4895040cd.1ff6vymvowlswq67lvunowhji.05dn50g.rcgu.o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/bash_lint_tests-56c66bd4895040cd.1l9kq22di5vq39dk3mr0icb8u.05dn50g.rcgu.o qvseffdkndnkhxhff4g.0rf5x0s.rcgu.o jyqtg774cdivnew6jsk.0rf5x0s.rcgu.o fltdes3f0edpkv4yf2a.0rf5x0s.rcgu.o akly42dpfw3k15d1yx5.0rf5x0s.rcgu.o xp86kyml15cwtauomgm.0rf5x0s.rcgu.o gp03fchodepel6au7m9.0rf5x0s.rcgu.o 9e1qdzuauv50j23qmn3.0rf5x0s.rcgu.o j1l0klnrsz418c4jsim.0rf5x0s.rcgu.o glsszxr4jmpum3vskwr.0rf5x0s.rcgu.o b9i81dqatl7h2iynjsq.0rf5x0s.rcgu.o uuya2loo4n1asb6fwcw.0rf5x0s.rcgu.o 22oecq3tg84vv5jynzk.0rf5x0s.rcgu.o ouowq4ivnonv6l4k2zy.0rf5x0s.rcgu.o 6qhxcbeym9fq8ya79wo.0rf5x0s.rcgu.o (http block)
• spsprodeus21.vssps.visualstudio.com
  • Triggering command: /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-5cd66b4699336750 /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-5cd66b4699336750 /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/bash_lint_tests-56c66bd4895040cd.124m6rz6vd3x0wwrliv5sjvjv.05dn50g.rcgu.o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/bash_lint_tests-56c66bd4895040cd.12onb32qpy4330qs0xiz440ki.05dn50g.rcgu.o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/bash_lint_tests-56c66bd4895040cd.18724chohqva3pxqhzzvyuwkl.05dn50g.rcgu.o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/bash_lint_tests-56c66bd4895040cd.1ff6vymvowlswq67lvunowhji.05dn50g.rcgu.o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/bash_lint_tests-56c66bd4895040cd.1l9kq22di5vq39dk3mr0icb8u.05dn50g.rcgu.o qvseffdkndnkhxhff4g.0rf5x0s.rcgu.o jyqtg774cdivnew6jsk.0rf5x0s.rcgu.o fltdes3f0edpkv4yf2a.0rf5x0s.rcgu.o akly42dpfw3k15d1yx5.0rf5x0s.rcgu.o xp86kyml15cwtauomgm.0rf5x0s.rcgu.o gp03fchodepel6au7m9.0rf5x0s.rcgu.o 9e1qdzuauv50j23qmn3.0rf5x0s.rcgu.o j1l0klnrsz418c4jsim.0rf5x0s.rcgu.o glsszxr4jmpum3vskwr.0rf5x0s.rcgu.o b9i81dqatl7h2iynjsq.0rf5x0s.rcgu.o uuya2loo4n1asb6fwcw.0rf5x0s.rcgu.o 22oecq3tg84vv5jynzk.0rf5x0s.rcgu.o ouowq4ivnonv6l4k2zy.0rf5x0s.rcgu.o 6qhxcbeym9fq8ya79wo.0rf5x0s.rcgu.o (dns block)
• spsprodweu4.vssps.visualstudio.com
  • Triggering command: /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-5cd66b4699336750 /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-5cd66b4699336750 /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/bash_lint_tests-56c66bd4895040cd.124m6rz6vd3x0wwrliv5sjvjv.05dn50g.rcgu.o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/bash_lint_tests-56c66bd4895040cd.12onb32qpy4330qs0xiz440ki.05dn50g.rcgu.o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/bash_lint_tests-56c66bd4895040cd.18724chohqva3pxqhzzvyuwkl.05dn50g.rcgu.o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/bash_lint_tests-56c66bd4895040cd.1ff6vymvowlswq67lvunowhji.05dn50g.rcgu.o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/bash_lint_tests-56c66bd4895040cd.1l9kq22di5vq39dk3mr0icb8u.05dn50g.rcgu.o qvseffdkndnkhxhff4g.0rf5x0s.rcgu.o jyqtg774cdivnew6jsk.0rf5x0s.rcgu.o fltdes3f0edpkv4yf2a.0rf5x0s.rcgu.o akly42dpfw3k15d1yx5.0rf5x0s.rcgu.o xp86kyml15cwtauomgm.0rf5x0s.rcgu.o gp03fchodepel6au7m9.0rf5x0s.rcgu.o 9e1qdzuauv50j23qmn3.0rf5x0s.rcgu.o j1l0klnrsz418c4jsim.0rf5x0s.rcgu.o glsszxr4jmpum3vskwr.0rf5x0s.rcgu.o b9i81dqatl7h2iynjsq.0rf5x0s.rcgu.o uuya2loo4n1asb6fwcw.0rf5x0s.rcgu.o 22oecq3tg84vv5jynzk.0rf5x0s.rcgu.o ouowq4ivnonv6l4k2zy.0rf5x0s.rcgu.o 6qhxcbeym9fq8ya79wo.0rf5x0s.rcgu.o (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[jamesadevine]

@copilot Are these covered by our bash linter?

[Copilot]

@copilot Are these covered by our bash linter?

Yes. compiled_bash_bodies_pass_shellcheck in tests/bash_lint_tests.rs compiles fixtures and shellchecks every extracted bash: step across standalone, 1es, job, and stage. I also ran cargo test --test bash_lint_tests compiled_bash_bodies_pass_shellcheck -- --nocapture and it passed.