Migrate threat detection to external threat-detect binary behind feature flag

[Copilot]

gh-aw currently runs threat detection inline — invoking the workflow's engine inside AWF and scraping the transcript for a THREAT_DETECTION_RESULT: line, concluded by parse_threat_detection_results.cjs. This migrates to the standalone versioned threat-detect binary from github/gh-aw-threat-detection, gated behind features: gh-aw-detection: true for incremental rollout.

What changes

Feature flag & version pin

• GHAWDetectionFeatureFlag = "gh-aw-detection" — opt-in, default off; existing compiled workflows unchanged
• DefaultThreatDetectVersion = "v0.2.2" in version_constants.go — hard-pinned like AWF/mcpg, no lifecycle registry
• Enabling features: gh-aw-detection: true now emits the standard compiler warning: Using experimental feature: gh-aw-detection

New constants

• ThreatDetectionDir = "/tmp/gh-aw/threat-detection"
• ThreatDetectionResultPath = ".../detection_result.json"

Install script (actions/setup/sh/install_threat_detect_binary.sh)

• Downloads threat-detect from GitHub Releases, SHA256-verified, Linux amd64/arm64 and macOS x64/arm64; follows install_awf_binary.sh pattern
• Linux x64 binary is named threat-detect-linux-amd64 matching the published release assets

Compiler (threat_detection.go)

• buildDetectionJobSteps branches at step 7 on the feature flag
• New path emits: install AWF binary → install selected detection engine binary (for example Copilot CLI when engine is copilot) → install threat-detect → AWF execute with /tmp/gh-aw/threat-detection mounted rw → upload detection_result.json + detection.log → threat-detect conclude --result-file
• Old path (inline engine + .cjs) unchanged

Experimental warning coverage

• Added regression coverage in pkg/workflow/compiler_validators_test.go for enabled/disabled/absent gh-aw-detection cases.

Early adopter workflows

• smoke-copilot.md opts in via features: gh-aw-detection: true
• changeset.md opts in via features: gh-aw-detection: true; the pre-existing threat-detection: engine: false config was replaced with threat-detection: {} so the detection job is compiled (when the inline engine is disabled with no custom steps, HasRunnableDetection() returns false and skips the job entirely, making the feature flag a no-op)

Gate contract preserved

The downstream interface is byte-identical to the inline path:

• detection_conclusion / detection_reason / detection_success job outputs
• GH_AW_DETECTION_CONCLUSION / GH_AW_DETECTION_REASON env vars
• GH_AW_DETECTION_CONTINUE_ON_ERROR warn-vs-strict semantics

Only the producer changes: structured detection_result.json + threat-detect conclude instead of transcript-scraped THREAT_DETECTION_RESULT: + .cjs.

Example

# workflow.md frontmatter
features:
  gh-aw-detection: true   # opts into external detector

Compiled detection job (new path):

# Step: Install threat-detect binary
bash install_threat_detect_binary.sh v0.2.2

# Step: Execute threat detection with AWF
sudo -E awf ... --mount /tmp/gh-aw/threat-detection:/tmp/gh-aw/threat-detection:rw \
  -- /bin/bash -c 'threat-detect --engine copilot /tmp/gh-aw/threat-detection'

# Step: Conclude threat detection
threat-detect conclude --result-file /tmp/gh-aw/threat-detection/detection_result.json

Notes

• parse_threat_detection_results.cjs is not referenced in new-flag workflows but is not yet deleted (per rollout plan)

---

---

✨ PR Review Safe Output Test - Run 27830499436

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

• accounts.google.com
• android.clients.google.com
• clients2.google.com
• contentautofill.googleapis.com
• safebrowsingohttpgateway.googleapis.com
• www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

💥 [THE END] — Illustrated by Smoke Claude · 69.2 AIC · ⌖ 28 AIC · ⊞ 8.5K · ◷

[pelikhan]

@copilot the release is https://github.com/github/gh-aw-threat-detection/releases

[Copilot]

@copilot the release is https://github.com/github/gh-aw-threat-detection/releases

Updated DefaultThreatDetectVersion from the placeholder v0.1.0 to v0.2.2 (latest stable release). Also fixed the Linux binary name from threat-detect-linux-x64 to threat-detect-linux-amd64 to match the actual release asset name in checksums.txt. Commit: 6c2ced8.

[pelikhan]

@copilot enable feature flag for smoke-copilot and changeset generator agentic workflows

[Copilot]

@copilot enable feature flag for smoke-copilot and changeset generator agentic workflows

Added features: gh-aw-detection: true to both .github/workflows/smoke-copilot.md and .github/workflows/changeset.md, and recompiled both workflows. Both lock files now include the threat-detect binary install and conclude steps.

[pelikhan]

@copilot not seeing the new codegen in compiled changeset lock.yml file

[Copilot]

@copilot not seeing the new codegen in compiled changeset lock.yml file

The root cause was threat-detection: engine: false in changeset.md — when the inline engine is disabled with no custom steps, HasRunnableDetection() returns false and the entire detection job is skipped, so the feature flag never takes effect. Fixed by replacing engine: false with {} (default config), which lets the detection job be compiled and routes through the external binary path via features: gh-aw-detection: true. Both changeset.lock.yml and smoke-copilot.lock.yml now include the Install threat-detect binary and threat-detect conclude steps.

[pelikhan]

@copilot do not inject Python script in detection. Use bash or actions/github-script

[Copilot]

@copilot do not inject Python script in detection. Use bash or actions/github-script

Fixed in the latest commit. Added buildArcDindChrootConfigPatchBodyBash() which uses jq instead of Python to patch the AWF chroot config. BuildAWFCommand now selects the bash version for detection runs (IsDetectionRun: true), so no Python script is injected in the detection job. The agent job path is unchanged.

[github-actions]

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

[github-actions]

Smoke Test: Gemini - 27830499361\n\n- GitHub MCP Testing: ✅\n- Web Fetch Testing: ✅\n- File Writing Testing: ✅\n- Bash Tool Testing: ✅\n- Build gh-aw: ❌\n\nOverall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

✨ Smoke Gemini — Powered by Gemini · ◷

[github-actions]

Agent Container Tool Check

Tool	Status	Version
bash	✅	5.2.21
sh	✅	available
git	✅	2.54.0
jq	✅	1.7
yq	✅	v4.53.3
curl	✅	8.5.0
gh	✅	2.94.0
node	✅	v22.22.3
python3	✅	3.11.15 (PyPy)
go	✅	1.24.13
java	✅	21.0.11
dotnet	✅	10.0.301

Result: 12/12 tools available ✅

Overall Status: PASS

🔧 Tool validation by Agent Container Smoke Test · 17.9 AIC · ⌖ 9.1 AIC · ⊞ 5.4K · ◷

[github-actions]

Smoke test PASS
PR: Migrate threat detection to external threat-detect binary behind feature flag
✅ #1-#10
Overall: PASS

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

• accounts.google.com
• android.clients.google.com
• clients2.google.com
• contentautofill.googleapis.com
• safebrowsingohttpgateway.googleapis.com
• www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex · 10.2 AIC · ⌖ 0.707 AIC · ⊞ 11.8K · ◷

[github-actions]

🧪 Smoke Test: Claude — Run 27830499436

Core #1-12: ✅ all passed
PR Review #13-18: ✅ all passed | #19 Close PR: ⚠️ skipped

Overall: PASS ✅

Run

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

• accounts.google.com
• android.clients.google.com
• clients2.google.com
• contentautofill.googleapis.com
• safebrowsingohttpgateway.googleapis.com
• www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

💥 [THE END] — Illustrated by Smoke Claude · 69.2 AIC · ⌖ 28 AIC · ⊞ 8.5K · ◷

[github-actions]

💥 Automated smoke test review - all systems nominal!

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

• accounts.google.com
• android.clients.google.com
• clients2.google.com
• contentautofill.googleapis.com
• safebrowsingohttpgateway.googleapis.com
• www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

💥 [THE END] — Illustrated by Smoke Claude · 69.2 AIC · ⌖ 28 AIC · ⊞ 8.5K

[github-actions]

Smoke test: consider documenting this new features block in the workflow guide.

[github-actions]

Smoke test: confirm gh-aw-detection: true is intended to be enabled by default here.

[pelikhan]

@copilot merge main, recompile
update wasm golden
fix tests https://github.com/github/gh-aw/actions/runs/27830941656/job/82367263443?pr=40166

[github-actions]

Smoke review: the requested PR review tools completed for run 27830567569.

Warning

Firewall blocked 5 domains

The following domains were blocked by the firewall during workflow execution:

• accounts.google.com
• clients2.google.com
• contentautofill.googleapis.com
• safebrowsingohttpgateway.googleapis.com
• www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot · 254.4 AIC · ⊞ 19.9K

[Copilot]

@copilot merge main, recompile
update wasm golden
fix tests https://github.com/github/gh-aw/actions/runs/27830941656/job/82367263443?pr=40166

Done in cd71c4d. I merged latest main (already up to date), recompiled, updated wasm golden fixtures, and fixed the failing tests from that run.

[pelikhan]

@copilot fix https://github.com/github/gh-aw/actions/runs/27834486005/job/82379087667?pr=40166

[Copilot]

@copilot fix https://github.com/github/gh-aw/actions/runs/27834486005/job/82379087667?pr=40166

Fixed in a771413. I investigated run 27834486005 and addressed the failing test by restoring lexicographic ordering for containers in actions-lock.json (and synced generated action-pins copies), which resolves TestActionsLockJSONFieldsAreSorted.