Enable checksum validation by default in install-gh-aw.sh #26476

Closed
Copilot wants to merge 3 commits into main from copilot/update-checksum-validation
Contributor

Copilot AI commented Apr 15, 2026

Summary

Enable SHA256 checksum validation by default in install-gh-aw.sh. Previously, checksum validation was skipped by default (SKIP_CHECKSUM=true) with a comment saying it would be enabled in future releases. Since checksums are already generated for every release via scripts/build-release.sh, this change enables the validation immediately.

Changes

  • Set SKIP_CHECKSUM=false as the default (was true)
  • Remove the redundant SKIP_CHECKSUM=false override in the GitHub Actions block (now the default)
  • Update header comments to reflect that checksum validation is enabled by default
  • Update the --skip-checksum example in the header to show it used with a version argument

Behavior

  • Before: Checksums were silently skipped for all direct installs; only GitHub Actions (INPUT_VERSION) had validation enabled
  • After: Checksums are validated for all installs by default; users can opt out with --skip-checksum

The underlying checksum download, verification, and failure-handling logic was already fully implemented — this change simply switches the default to use it.
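
The default-on behaviour described in this pull request, sketched as an added example that is not code from install-gh-aw.sh or the project. The helper names and the `sha256sum`-style checksums file layout are assumptions, and the sample file is constructed; validation runs unless `--skip-checksum` is given, and a missing entry, missing tool or mismatch stops the install.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not taken from install-gh-aw.sh.

# Validation is on unless --skip-checksum is passed explicitly.
parse_args() {
  SKIP_CHECKSUM=false; VERSION=""
  for arg in "$@"; do
    case "$arg" in
      --skip-checksum) SKIP_CHECKSUM=true ;;
      *) VERSION=$arg ;;
    esac
  done
}

# Print the SHA256 hex digest of $1 with whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | cut -d' ' -f1
  else return 1
  fi
}

# verify_checksum FILE CHECKSUMS NAME
# 0 = verified or explicitly skipped, 2 = NAME not listed (or list missing),
# 3 = no hashing tool, 4 = digest mismatch. Every failure is fail-closed.
verify_checksum() {
  if [ "$SKIP_CHECKSUM" = true ]; then
    echo "warning: checksum validation skipped" >&2; return 0
  fi
  expected=$(awk -v n="$3" '$2 == n || $2 == ("*" n) { print $1; exit }' "$2" 2>/dev/null || true)
  [ -n "$expected" ] || { echo "error: no checksum listed for $3" >&2; return 2; }
  actual=$(sha256_of "$1") || { echo "error: no SHA256 tool found" >&2; return 3; }
  [ "$actual" = "$expected" ] || { echo "error: checksum mismatch for $3" >&2; return 4; }
}

# Constructed demo: a stand-in "binary" and a checksums file written for it.
tmp=$(mktemp -d)
printf 'constructed sample binary\n' > "$tmp/gh-aw"
printf '%s  gh-aw\n' "$(sha256_of "$tmp/gh-aw")" > "$tmp/checksums.txt"
parse_args v1.0.0
verify_checksum "$tmp/gh-aw" "$tmp/checksums.txt" gh-aw && echo "verified: safe to install"
printf 'tampered\n' >> "$tmp/gh-aw"
verify_checksum "$tmp/gh-aw" "$tmp/checksums.txt" gh-aw || echo "refusing to install (rc=$?)"
rm -rf "$tmp"
```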

Copilot AI requested a review from pelikhan April 15, 2026 18:23
@pelikhan pelikhan marked this pull request as ready for review April 15, 2026 18:28
Copilot AI review requested due to automatic review settings April 15, 2026 18:28
Contributor

Copilot AI left a comment

Pull request overview

Enables SHA256 checksum verification by default in install-gh-aw.sh so installs validate downloaded binaries unless users explicitly opt out.

Changes:

  • Flip default SKIP_CHECKSUM to false (enable checksum validation by default).
  • Remove the GitHub Actions–specific override since validation is now the default.
  • Update header comments/examples to reflect the new default behavior.

Summary per file:

File | Description
install-gh-aw.sh | Enables checksum validation by default and updates related comments/examples.

Copilot's findings

  • Files reviewed: 1/1 changed files
  • Comments generated: 1

Comment thread install-gh-aw.sh Outdated
Comment on lines +9 to +13
#
# Examples:
# ./install.sh # Install latest version
# ./install.sh v1.0.0 # Install specific version
# ./install.sh --skip-checksum # Skip checksum validation
# ./install.sh v1.0.0 --skip-checksum # Install without checksum validation
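
Review bot: The last two example lines of this header block show `--skip-checksum` both without a version and after `v1.0.0`, and the comment does not say whether both forms are accepted. If the version-less form still works, keep it documented; if a version is now required with the flag, state that in the header so the example and the option parsing agree.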
Copilot AI Apr 15, 2026

The header usage/examples reference ./install.sh, but this file is install-gh-aw.sh and the script later prints guidance using ./install-gh-aw.sh ... --skip-checksum. To avoid confusing users (especially those downloading this script directly), update the header to consistently use ./install-gh-aw.sh (or explicitly mention that some distributions/actions copy it to install.sh).

See below for a potential fix:

# Usage: ./install-gh-aw.sh [version] [options]
#
# Examples:
#   ./install-gh-aw.sh                           # Install latest version
#   ./install-gh-aw.sh v1.0.0                    # Install specific version
#   ./install-gh-aw.sh v1.0.0 --skip-checksum    # Install without checksum validation

@pelikhan
Collaborator

@copilot review all comments. Mention latest is the latest "stable"

Copilot AI and others added 2 commits April 15, 2026 18:52
Contributor Author

Copilot AI commented Apr 15, 2026

> @copilot review all comments. Mention latest is the latest "stable"

Done in f2d59ef. Addressed both the review comment and your request:

  • Fixed ./install.sh → ./install-gh-aw.sh in the header of install-gh-aw.sh
  • Updated all references to "latest" to say "latest stable release" (header comments, example comment, and the runtime log message) in both install-gh-aw.sh and actions/setup-cli/install.sh

@github-actions
Contributor

Hey @Copilot 👋 — great work enabling SHA256 checksum validation by default across the install scripts! This is a meaningful security improvement that protects users against tampered binaries, and it's great to see the test script updated in sync with the behaviour change.

The PR is well-scoped, clearly described, and follows the project's agentic development process. It looks ready for maintainer review. 🚀

Generated by Contribution Check
