Investigate Copilot review from autoloop install — 8 proposed issues

[Copilot]

Deep review of install.md, workflows, and supporting materials to identify actionable items from the Copilot review on github/gh-aw#24345. Could not access the original review (SAML-protected) or create GitHub issues (no API write access), so findings are documented here for manual issue creation.

Proposed Issues

• Security: curl | bash in install.md — Pipes remote code directly to shell with -s (silent) flag. Should download-then-execute, use -f, and prefer gh extension install as primary method.
• Fragile install via git clone + manual copy — No version pinning, fixed /tmp/autoloop path, cp -r overwrites without warning, aggressive rm -rf cleanup. Should use mktemp -d, pin to tag/SHA, check for existing files.
• ~370-line inline Python pre-step — Untestable without AST extraction hacks (conftest.py), unlintable, uses chr(96) workaround for backticks. Extract to standalone script. Related to Usie actions/github-script rather than python to implement the loop #11.
• Issue discovery capped at 100, no pagination — per_page=100 with no Link header follow. Silent data loss at scale.
• Broad except Exception swallows errors — Issue fetch failures silently skip all issue-based programs. Should catch specific exceptions and surface failures.
• No uninstall/rollback docs — Install adds files across .github/, .autoloop/, branches, and labels with no removal guidance.
• Sync-branches silent on conflicts — Merge failures logged but no issue/comment created, workflow exits 0. Conflicts go unnoticed.
• Missing prerequisites in install.md — No mention of Actions enabled, Copilot access, required permissions, branch protection handling, or Python 3 dependency.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• deepwiki.com
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)
• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh gh auth status (http block)
  • Triggering command: /usr/bin/gh gh issue list --limit 5 (http block)
• https://api.github.com/repos/githubnext/autoloop
  • Triggering command: /usr/bin/python3 python3 -c import urllib.request, json, os token = os.environ.get('GITHUB_TOKEN', '') req = urllib.request.Request( 'REDACTED', headers={ 'Authorization': f'token {token}', 'Accept': 'application/vnd.g (http block)
• https://api.github.com/repos/githubnext/autoloop/issues
  • Triggering command: /usr/bin/curl curl -s -H Authorization: token ****** REDACTED (http block)
  • Triggering command: /usr/bin/python3 python3 -c import urllib.request, json, os token = os.environ.get('GITHUB_TOKEN', '') data = json.dumps({'title': 'test'}).encode() req = urllib.request.Request( 'REDACTED', data=data, headers={ 'Au (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)