Disable shell history expansion for bash scripts and MCP CLI wrappers #27851

Open
Copilot wants to merge 2 commits into main from copilot/disable-shell-history-expansion

Copilot AI commented Apr 22, 2026

Summary

  • disabled bash history expansion in tracked bash shell scripts by adding set +o histexpand
  • disabled bash history expansion in generated MCP CLI wrapper scripts from actions/setup/js/mount_mcp_as_cli.cjs
  • ensures safe-outputs/mcp-cli generated shell wrappers also run with history expansion disabled

Validation

  • make agent-finish (fails due to pre-existing unrelated testifylint issues in pkg/agentdrain/spec_test.go)
  • npx vitest run mount_mcp_as_cli.test.cjs
  • parallel_validation (Code Review + CodeQL)

🤖 Smoke CI completed — https://github.com/github/gh-aw/actions/runs/24787448895

Generated by Smoke CI for issue #27851 · ● 444.3K ·



✨ PR Review Safe Output Test - Run 24787456549

💥 [THE END] — Illustrated by Smoke Claude · ● 165K ·

Copilot AI requested a review from pelikhan April 22, 2026 14:22
@pelikhan pelikhan marked this pull request as ready for review April 22, 2026 14:22
Copilot AI review requested due to automatic review settings April 22, 2026 14:22

Copilot AI left a comment

Pull request overview

Disables Bash history expansion across repository Bash scripts and generated MCP CLI wrapper scripts to avoid unintended ! history-expansion behavior.

Changes:

  • Adds set +o histexpand near the top of tracked Bash scripts.
  • Updates actions/setup/js/mount_mcp_as_cli.cjs so generated MCP CLI wrapper scripts also disable history expansion.
  • Extends the same behavior to safe-outputs/mcp-cli generated wrappers via the shared generator.
File Description
test-setup-local.sh Disables history expansion for local setup test script.
socials/scripts.sh Disables history expansion for socials automation script.
skills/github-pr-query/query-prs.sh Disables history expansion for PR query script.
skills/github-issue-query/query-issues.sh Disables history expansion for issue query script.
skills/github-discussion-query/query-discussions.sh Disables history expansion for discussion query script.
scripts/test-install-script.sh Disables history expansion for install test script.
scripts/test-build-release.sh Disables history expansion for build-release test script.
scripts/report-test-failures_test.sh Disables history expansion for report-test-failures test.
scripts/report-test-failures.sh Disables history expansion for report-test-failures script.
scripts/list-all-tests.sh Disables history expansion for test listing script.
scripts/generate-video-posters.sh Disables history expansion for video poster generation script.
scripts/extract-executed-tests.sh Disables history expansion for executed-tests extraction script.
scripts/delete-old-copilot-branches.sh Disables history expansion for branch cleanup script.
scripts/convert-astro-to-gfm.sh Disables history expansion for Astro→GFM conversion script.
scripts/compare-test-coverage.sh Disables history expansion for coverage comparison script.
scripts/check-validator-sizes.sh Disables history expansion for validator size checker.
scripts/check-safe-outputs-conformance.sh Disables history expansion for safe-outputs conformance checker.
scripts/check-file-sizes.sh Disables history expansion for file size checker.
scripts/bundle-wasm-docs.sh Disables history expansion for wasm docs bundling script.
scripts/build-release.sh Disables history expansion for release build script.
scripts/apply-astro-conversion.sh Disables history expansion for bulk Astro conversion script.
install-gh-aw.sh Disables history expansion for installer script.
actions/setup/sh/verify_mcp_gateway_health.sh Disables history expansion for setup health-check script.
actions/setup/sh/validate_prompt_placeholders_test.sh Disables history expansion for placeholder validation test.
actions/setup/sh/validate_prompt_placeholders.sh Disables history expansion for placeholder validation script.
actions/setup/sh/validate_multi_secret.sh Disables history expansion for multi-secret validation script.
actions/setup/sh/validate_gatewayed_server_test.sh Disables history expansion for gatewayed-server validation test.
actions/setup/sh/validate_gatewayed_server.sh Disables history expansion for gatewayed-server validation script.
actions/setup/sh/stop_mcp_gateway.sh Disables history expansion for gateway stop script.
actions/setup/sh/stop_difc_proxy.sh Disables history expansion for DIFC proxy stop script.
actions/setup/sh/stop_cli_proxy.sh Disables history expansion for CLI proxy stop script.
actions/setup/sh/start_safe_outputs_server.sh Disables history expansion for safe-outputs server start script.
actions/setup/sh/start_mcp_scripts_server.sh Disables history expansion for scripts server start script.
actions/setup/sh/start_mcp_gateway_test.sh Disables history expansion for gateway start test.
actions/setup/sh/start_mcp_gateway.sh Disables history expansion for gateway start script.
actions/setup/sh/start_difc_proxy.sh Disables history expansion for DIFC proxy start script.
actions/setup/sh/start_cli_proxy.sh Disables history expansion for CLI proxy start script.
actions/setup/sh/setup_cache_memory_git_test.sh Disables history expansion for cache-memory git setup test.
actions/setup/sh/setup_cache_memory_git.sh Disables history expansion for cache-memory git setup script.
actions/setup/sh/save_base_github_folders_test.sh Disables history expansion for base snapshot test script.
actions/setup/sh/save_base_github_folders.sh Disables history expansion for base snapshot script.
actions/setup/sh/sanitize_path_test.sh Disables history expansion for sanitize_path test script.
actions/setup/sh/sanitize_path.sh Disables history expansion for sanitize_path script (sourced usage noted).
actions/setup/sh/restore_base_github_folders_test.sh Disables history expansion for base restore test script.
actions/setup/sh/restore_base_github_folders.sh Disables history expansion for base restore script.
actions/setup/sh/parse_guard_list.sh Disables history expansion for guard list parser script.
actions/setup/sh/install_gh_cli.sh Disables history expansion for GH CLI install script.
actions/setup/sh/install_docker_macos.sh Disables history expansion for Docker-on-macOS install script.
actions/setup/sh/install_copilot_cli.sh Disables history expansion for Copilot CLI install script.
actions/setup/sh/install_awf_binary.sh Disables history expansion for AWF install script.
actions/setup/sh/download_docker_images_test.sh Disables history expansion for docker image download test.
actions/setup/sh/download_docker_images.sh Disables history expansion for docker image download script.
actions/setup/sh/copy_copilot_session_state.sh Disables history expansion for session-state copy script.
actions/setup/sh/convert_gateway_config_gemini.sh Disables history expansion for Gemini config converter.
actions/setup/sh/convert_gateway_config_crush.sh Disables history expansion for Crush config converter.
actions/setup/sh/convert_gateway_config_copilot.sh Disables history expansion for Copilot config converter.
actions/setup/sh/convert_gateway_config_codex_test.sh Disables history expansion for Codex config converter test.
actions/setup/sh/convert_gateway_config_codex.sh Disables history expansion for Codex config converter.
actions/setup/sh/convert_gateway_config_claude.sh Disables history expansion for Claude config converter.
actions/setup/sh/configure_gh_for_ghe_test.sh Disables history expansion for GHE config test.
actions/setup/sh/configure_gh_for_ghe.sh Disables history expansion for GHE config script.
actions/setup/sh/compute_artifact_prefix.sh Disables history expansion for artifact prefix computation script.
actions/setup/sh/commit_cache_memory_git.sh Disables history expansion for cache-memory git commit script.
actions/setup/sh/clone_repo_memory_branch.sh Disables history expansion for repo-memory clone script.
actions/setup/sh/clean_git_credentials_test.sh Disables history expansion for credential cleanup test.
actions/setup/sh/clean_git_credentials.sh Disables history expansion for credential cleanup script.
actions/setup/sh/check_mcp_servers_test.sh Disables history expansion for MCP servers check test.
actions/setup/sh/check_mcp_servers.sh Disables history expansion for MCP servers check script.
actions/setup/sh/append_agent_step_summary.sh Disables history expansion for step-summary append script.
actions/setup/setup.sh Disables history expansion for setup entrypoint script.
actions/setup/js/mount_mcp_as_cli.cjs Injects set +o histexpand into generated MCP CLI wrapper scripts.
actions/setup/clean.sh Disables history expansion for setup clean/post script.
actions/setup-cli/install_test.sh Disables history expansion for setup-cli install test.
actions/setup-cli/install.sh Disables history expansion for setup-cli install script.
.devcontainer/setup.sh Disables history expansion for devcontainer setup script.

Copilot's findings

  • Files reviewed: 75/75 changed files
  • Comments generated: 1

Comment on lines 1 to +3
#!/usr/bin/env bash
set +o histexpand

Copilot AI Apr 22, 2026

sanitize_path.sh is explicitly intended to be sourced; unconditionally running set +o histexpand will permanently change the caller’s shell option state. Consider capturing whether history expansion was enabled (e.g., via $- containing H), disabling it for the script body, then restoring it before returning so sourcing doesn’t leave the user’s shell modified beyond PATH.
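
The save-and-restore approach suggested in the review comment above, as an added example that is not part of the PR or the project's code: it sources a constructed helper that disables history expansion unconditionally and one that records $- first and restores the option, then reports the state the caller is left with. The names write_helper and state_after_sourcing and both helper bodies are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the PR). write_helper and state_after_sourcing are
# hypothetical names; the helper bodies stand in for a script meant to be sourced.

# Write one of two constructed helper bodies to the path in $2.
write_helper() {  # $1 = naive|guarded, $2 = output path
  if [ "$1" = naive ]; then
    cat > "$2" <<'EOF'
set +o histexpand            # leaks: the caller's option stays off after sourcing
HELPER_RAN=1
EOF
  else
    cat > "$2" <<'EOF'
# $- lists the active single-letter options; H means histexpand is on.
case $- in *H*) __had_histexpand=1 ;; *) __had_histexpand=0 ;; esac
set +o histexpand
HELPER_RAN=1                 # the script body would go here
# Put the caller's setting back before returning control.
if [ "$__had_histexpand" = 1 ]; then set -o histexpand; fi
unset __had_histexpand
EOF
  fi
}

# Source the chosen helper in a fresh bash whose histexpand option starts
# on or off, and print the option state the caller is left with.
state_after_sourcing() {  # $1 = naive|guarded, $2 = on|off
  (
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT
    write_helper "$1" "$tmp"
    bash -c '
      if [ "$1" = on ]; then set -o histexpand; else set +o histexpand; fi
      . "$2"
      case $- in *H*) echo on ;; *) echo off ;; esac
    ' _ "$2" "$tmp"
  )
}

# Show all four combinations of helper kind and caller starting state.
for kind in naive guarded; do
  for start in on off; do
    printf '%-7s caller=%-3s -> %s\n' "$kind" "$start" "$(state_after_sourcing "$kind" "$start")"
  done
done
```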

@pelikhan

@copilot review all comments

@pelikhan

@lpcox

@pelikhan pelikhan added the smoke label Apr 22, 2026

github-actions Bot commented Apr 22, 2026

Smoke CI completed successfully!

github-actions Bot commented Apr 22, 2026

⚠️ Smoke Gemini failed. Gemini encountered unexpected challenges...

github-actions Bot commented Apr 22, 2026

🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...

@github-actions

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

github-actions Bot commented Apr 22, 2026

⚠️ Smoke OpenCode failed. OpenCode encountered unexpected challenges...

@github-actions github-actions Bot removed the smoke label Apr 22, 2026

github-actions Bot commented Apr 22, 2026

⚠️ Smoke Crush failed. Crush encountered unexpected challenges...

github-actions Bot commented Apr 22, 2026

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

@github-actions

🚀 Smoke CI passed — Run: https://github.com/github/gh-aw/actions/runs/24787448895

Generated by Smoke CI for issue #27851 · ● 444.3K ·

@github-actions

Agent Container Tool Check

Tool Status Version
bash 5.2.21
sh available
git 2.53.0
jq 1.7
yq 4.52.5
curl 8.5.0
gh 2.89.0
node 20.20.2
python3 3.12.3
go 1.24.13
java 21.0.10
dotnet 10.0.201

Result: 12/12 tools available ✅ — PASS

🔧 Tool validation by Agent Container Smoke Test · ● 199.3K ·

@github-actions

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

Caution

Security scanning requires review for Smoke Copilot

Details

The threat detection results could not be parsed. The workflow output should be reviewed before merging.

Review the workflow run logs for details.

@github-actions

💥 Smoke Test Run §24787456549: PARTIAL

Core Tests #1–12:
✅ GitHub MCP | ✅ GH CLI | ✅ Serena | ✅ Make Build | ✅ Playwright | ✅ Tavily | ✅ File Write | ✅ Bash | ✅ Discussion | ❌ AW MCP | ✅ Slack | ✅ Code Scanning

PR Review Tests #13–19:
✅ Update PR | ✅ Review Comments | ✅ Submit Review | ⚠️ Resolve Thread | ✅ Add Reviewer | ✅ Push Branch | ⚠️ Close PR

Overall: PARTIAL (1 failure: Agentic Workflows MCP unavailable; 2 skipped)

💥 [THE END] — Illustrated by Smoke Claude · ● 165K ·

@github-actions github-actions Bot left a comment

💥 Automated smoke test review - all systems nominal! History expansion disable pattern looks consistent across all shell scripts.

💥 [THE END] — Illustrated by Smoke Claude · ● 165K

Comment thread .devcontainer/setup.sh
@@ -1,4 +1,6 @@
#!/bin/bash
set +o histexpand
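
Review bot: the added set +o histexpand on line 2 has no comment saying which situation it guards against. A script started through its #!/bin/bash shebang runs non-interactively, where bash already leaves history expansion off, so the line only changes behaviour when the file is sourced or run under bash -i. Add a one-line comment naming that case, so the line is not later removed as dead code or copied into scripts where it would alter a caller's shell.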

✅ Good practice adding set +o histexpand right after the shebang line. This disables Bash history expansion globally for the script, preventing unexpected ! expansion issues. Consider adding a brief inline comment explaining why this is needed for maintainability.

@@ -289,6 +289,8 @@ function generateCLIWrapperScript(serverName, serverUrl, toolsFile, apiKey, brid
const safeBridge = shellEscapeDoubleQuoted(bridgeScript);

return `#!/usr/bin/env bash
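
Review bot: at the template head (return `#!/usr/bin/env bash), the option has to be switched off before bash reads the first line that interpolates safeBridge or another escaped value. By its name, shellEscapeDoubleQuoted targets double-quoted contexts, and a ! inside double quotes is still expanded when history expansion is on. Put set +o histexpand directly after the shebang and have mount_mcp_as_cli.test.cjs assert that the generated script contains it ahead of any interpolated value, so a later reordering of the template fails the test.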

✅ Excellent — adding set +o histexpand to the generated MCP CLI wrapper script template ensures history expansion is disabled in auto-generated scripts too. This is particularly important since these scripts are auto-generated and could contain user-supplied content with ! characters.
