Hardening: workflows safety/robustness + installer integrity

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -8,7 +8,14 @@ body:
     attributes:
       value: |
         <br />
-        Thank you for taking the time to report a bug!  Please answer each question below to the best of your ability; it is okay to leave questions blank if you have to.
+        Thank you for taking the time to report a bug! Please answer each question below to the best of your ability; it is okay to leave questions blank if you have to.
+
+        ⚠️ **Security notice**: This is a public repository. Before sharing logs or files, please review them for:
+        - API keys, tokens, or credentials
+        - Personal identifiable information (PII)
+        - Internal URLs, hostnames, or filesystem paths
+
+        Please avoid sharing contents from `~/.copilot/` unless you've reviewed and redacted sensitive data.
   - type: textarea
     id: description
     attributes:

.github/workflows/close-invalid.yml

@@ -15,22 +15,29 @@ permissions:
 
 jobs:
   close-on-adding-invalid-label:
-    if:
-      github.repository == 'github/copilot-cli' && github.event.label.name ==
-      'invalid'
+    if: |
+      github.repository == 'github/copilot-cli' &&
+      github.event.label.name == 'invalid' &&
+      (
+        github.event_name == 'issues' ||
+        github.event.pull_request.head.repo.full_name == github.repository
+      )
     runs-on: ubuntu-latest
+    timeout-minutes: 5
 
     steps:
       - name: Close issue
         if: ${{ github.event_name == 'issues' }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          URL: ${{ github.event.issue.html_url }}
-        run: gh issue close $URL
+          NUMBER: ${{ github.event.issue.number }}
+          REPO: ${{ github.repository }}
+        run: gh issue close "$NUMBER" --repo "$REPO"
 
       - name: Close PR
         if: ${{ github.event_name == 'pull_request_target' }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          URL: ${{ github.event.pull_request.html_url }}
-        run: gh pr close $URL
+          NUMBER: ${{ github.event.pull_request.number }}
+          REPO: ${{ github.repository }}
+        run: gh pr close "$NUMBER" --repo "$REPO"

.github/workflows/close-single-word-issues.yml

@@ -11,10 +11,11 @@ permissions:
 jobs:
   close-issue:
     runs-on: ubuntu-latest
+    timeout-minutes: 5
 
     steps:
       - name: Close Single-Word Issue
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
@@ -25,8 +26,10 @@ jobs:
               const issueNumber = context.payload.issue.number;
               const repo = context.repo.repo;
 
+              console.log(`Closing single-word issue #${issueNumber}: "${issueTitle}"`);
+
               // Close the issue and add the invalid label
-              github.rest.issues.update({
+              await github.rest.issues.update({
                 owner: context.repo.owner,
                 repo: repo,
                 issue_number: issueNumber,
@@ -41,4 +44,6 @@ jobs:
                 issue_number: issueNumber,
                 body: `This issue may have been opened accidentally. I'm going to close it now, but feel free to open a new issue with a more descriptive title.`
               });
+
+              console.log(`Successfully closed issue #${issueNumber}`);
             }

.github/workflows/feature-request-comment.yml

@@ -9,8 +9,9 @@ permissions:
 
 jobs:
   add-comment-to-enhancement-issues:
-    if: github.event.label.name == 'enhancement'
+    if: github.repository == 'github/copilot-cli' && github.event.label.name == 'enhancement'
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     env:
       GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       GH_REPO: ${{ github.repository }}
@@ -29,3 +30,6 @@ jobs:
         contribute.
     steps:
       - run: gh issue comment "$NUMBER" --body "$BODY"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_REPO: ${{ github.repository }}

.github/workflows/no-response.yml

@@ -11,9 +11,11 @@ permissions:
 
 jobs:
   noResponse:
+    if: github.repository == 'github/copilot-cli'
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           only-issue-labels: 'more-info-needed'

.github/workflows/on-issue-close.yml

@@ -5,7 +5,9 @@ on:
       - closed
 jobs:
   label_issues:
+    if: github.repository == 'github/copilot-cli'
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     permissions:
       issues: write
     steps:

.github/workflows/remove-triage-label.yml

@@ -9,10 +9,9 @@ permissions:
 
 jobs:
   remove-triage-label-from-issues:
-    if:
-      github.event.label.name != 'triage' && github.event.label.name !=
-      'more-info-needed'
+    if: github.repository == 'github/copilot-cli' && github.event.label.name != 'triage' && github.event.label.name != 'more-info-needed'
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     steps:
       - run: gh issue edit "$NUMBER" --remove-label "$LABELS"
         env:

.github/workflows/stale-issues.yml

@@ -8,9 +8,11 @@ permissions:
 
 jobs:
   stale:
+    if: github.repository == 'github/copilot-cli'
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
         with:
           stale-issue-label: 'stale, triage' # The label that will be added to the issues when automatically marked as stale
           start-date: '2025-01-01T00:00:00Z' # Skip stale action for issues created before it

.github/workflows/triage-issues.yml

@@ -9,10 +9,15 @@ on:
 permissions:
   issues: write
 
+concurrency:
+  group: triage-${{ github.event.issue.number }}
+  cancel-in-progress: true
+
 jobs:
   label_incoming_issues:
+    if: github.repository == 'github/copilot-cli' && (github.event.action == 'opened' || github.event.action == 'reopened')
     runs-on: ubuntu-latest
-    if: github.event.action == 'opened' || github.event.action == 'reopened'
+    timeout-minutes: 5
     steps:
       - run: gh issue edit "$NUMBER" --add-label "$LABELS"
         env:
@@ -21,10 +26,9 @@ jobs:
           NUMBER: ${{ github.event.issue.number }}
           LABELS: triage
   label_more_info_issues:
-    if:
-      github.event.action == 'unlabeled' && github.event.label.name ==
-      'more-info-needed'
+    if: github.repository == 'github/copilot-cli' && github.event.action == 'unlabeled' && github.event.label.name == 'more-info-needed'
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     steps:
       - run: gh issue edit "$NUMBER" --add-label "$LABELS"
         env:

.github/workflows/unable-to-reproduce-comment.yml

@@ -9,8 +9,9 @@ permissions:
 
 jobs:
   add-comment-to-unable-to-reproduce-issues:
-    if: github.event.label.name == 'unable-to-reproduce'
+    if: github.repository == 'github/copilot-cli' && github.event.label.name == 'unable-to-reproduce'
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     steps:
       - name: Update issue
         env:

.github/workflows/winget.yml

@@ -6,39 +6,75 @@ on:
 
 jobs:
   publish-winget:
+    if: github.repository == 'github/copilot-cli'
     name: Submit to WinGet repository
 
     # GitHub token permissions needed for winget-create to submit a PR
     permissions:
       contents: read
-      pull-requests: write
 
     # winget-create is only supported on Windows
     runs-on: windows-latest
+    timeout-minutes: 30
 
     # winget-create will read the following environment variable to access the GitHub token needed for submitting a PR
     # See https://aka.ms/winget-create-token
     env:
       WINGET_CREATE_GITHUB_TOKEN: ${{ secrets.WINGET_CREATE_GITHUB_TOKEN }}
+      RELEASE_ASSETS_JSON: ${{ toJSON(github.event.release.assets) }}
+      RELEASE_TAG: ${{ github.event.release.tag_name }}
+      IS_PRERELEASE: ${{ github.event.release.prerelease }}
 
     steps:
+      - name: Validate required secret
+        shell: pwsh
+        run: |
+          if ([string]::IsNullOrWhiteSpace($env:WINGET_CREATE_GITHUB_TOKEN)) {
+            Write-Error "WINGET_CREATE_GITHUB_TOKEN secret is not configured"
+            exit 1
+          }
+
       - name: Submit package using wingetcreate
+        shell: pwsh
         run: |
           # Set the package ID based on the release info
-          $packageId = if ('${{ !github.event.release.prerelease }}' -eq 'true') { 'GitHub.Copilot' } else { 'GitHub.Copilot.Prerelease' }
-
-          # Get installer info from release event
-          $assets = '${{ toJSON(github.event.release.assets) }}' | ConvertFrom-Json
-          $packageVersion = (${{ toJSON(github.event.release.tag_name) }})
-
+          $isPrerelease = ($env:IS_PRERELEASE -eq 'true')
+          $packageId = if ($isPrerelease) { 'GitHub.Copilot.Prerelease' } else { 'GitHub.Copilot' }
+
+          # Get installer info from release event (passed via env to avoid script injection patterns)
+          $assets = $env:RELEASE_ASSETS_JSON | ConvertFrom-Json
+          $packageVersion = $env:RELEASE_TAG
+
           # Find the download URLs for the x64 and arm64 installers separately
           # This allows overrides to be used so that wingetcreate does not have to guess the architecture from the filename
           $installerUrlx64 = $assets | Where-Object -Property name -like '*win32-x64.zip' | Select-Object -ExpandProperty browser_download_url
           $installerUrlarm64 = $assets | Where-Object -Property name -like '*win32-arm64.zip' | Select-Object -ExpandProperty browser_download_url
-
+
+          if ([string]::IsNullOrWhiteSpace($installerUrlx64) -or [string]::IsNullOrWhiteSpace($installerUrlarm64)) {
+            Write-Error "Could not determine installer URLs from release assets"
+            exit 1
+          }
+
+          # Download wingetcreate (with retries)
+          $maxRetries = 3
+          $retryDelaySeconds = 5
+          for ($i = 1; $i -le $maxRetries; $i++) {
+            try {
+              curl.exe -JLO https://aka.ms/wingetcreate/latest
+              if (Test-Path "wingetcreate.exe") { break }
+            } catch {
+              Write-Warning "Download attempt $i failed: $($_.Exception.Message)"
+            }
+            Start-Sleep -Seconds $retryDelaySeconds
+          }
+
+          if (-not (Test-Path "wingetcreate.exe")) {
+            Write-Error "Failed to download wingetcreate after $maxRetries attempts"
+            exit 1
+          }
+
           # Update package using wingetcreate
-          curl.exe -JLO https://aka.ms/wingetcreate/latest
           .\wingetcreate.exe update $packageId `
-            --version $packageVersion `
+            --version "$packageVersion" `
             --urls "$installerUrlx64|x64" "$installerUrlarm64|arm64" `
             --submit

README.md

@@ -1,5 +1,9 @@
 # GitHub Copilot CLI (Public Preview)
 
+## Workflow Status
+![Stale Issues](https://github.com/github/copilot-cli/actions/workflows/stale-issues.yml/badge.svg)
+![No Response](https://github.com/github/copilot-cli/actions/workflows/no-response.yml/badge.svg)
+
 The power of GitHub Copilot, now in your terminal.
 
 GitHub Copilot CLI brings AI-powered coding assistance directly to your command line, enabling you to build, debug, and understand code through natural language conversations. Powered by the same agentic harness as GitHub's Copilot coding agent, it provides intelligent assistance while staying deeply integrated with your GitHub workflow.