Skip to content

chore(ci): Add multi-architecture support to copilot-setup-steps binary downloads #945

Closed
Task
#955
Closed
chore(ci): Add multi-architecture support to copilot-setup-steps binary downloads#945
Task
#955
Labels
infrastructureRepository infrastructure and toolingmaintenanceMaintenance work, no version bump
Milestone
v3.2.0
@WilliamBerryiii

Description

@WilliamBerryiii
WilliamBerryiii
opened on Mar 8, 2026

Summary

The copilot-setup-steps.yml workflow hardcodes x86_64/amd64 binary URLs for all binary downloads (uv and actionlint). The devcontainer on-create.sh script already implements multi-architecture support via ARCH=$(uname -m) with if/elif/else branching for x86_64 and aarch64. This inconsistency creates a forward-looking risk: when GitHub ARM-based runners become available and the repo adopts them, hardcoded x86_64 downloads will silently install incompatible binaries or fail outright.

Context

PR #921 added uv installation to copilot-setup-steps.yml following the same single-architecture pattern already used by the actionlint step. This is internally consistent within the workflow, but diverges from the devcontainer's multi-arch approach.

The copilot-instructions.md Environment Synchronization section states: "When adding or removing tools in either environment, evaluate whether both need the change and update accordingly." The current gap is not a functional defect today — workflow instructions mandate ubuntu-latest (x86_64 only) — but it is a maintenance risk.

Affected Code: copilot-setup-steps.yml

actionlint step (lines 59–70) — hardcodes linux_amd64:

- name: Install actionlint
  env:
    ACTIONLINT_VERSION: '1.7.10'
    ACTIONLINT_SHA256: 'f4c76b71db5755a713e6055cbb0857ed07e103e028bda117817660ebadb4386f'
  run: |
    curl -sLO "https://github.com/rhysd/actionlint/releases/download/v${ACTIONLINT_VERSION}/actionlint_${ACTIONLINT_VERSION}_linux_amd64.tar.gz"
    echo "${ACTIONLINT_SHA256}  actionlint_${ACTIONLINT_VERSION}_linux_amd64.tar.gz" | sha256sum -c -
    tar -xzf "actionlint_${ACTIONLINT_VERSION}_linux_amd64.tar.gz" actionlint
    sudo install actionlint /usr/local/bin/actionlint
    rm actionlint "actionlint_${ACTIONLINT_VERSION}_linux_amd64.tar.gz"
    actionlint --version

uv step (lines 78–89) — hardcodes x86_64-unknown-linux-gnu:

- name: Install uv package manager
  env:
    UV_VERSION: '0.10.8'
    UV_SHA256: 'f0c566b55683395a62fefb9261a060fa09824914b5682c3b9629fa154762ae2f'
  run: |
    curl -sSfL "https://github.com/astral-sh/uv/releases/download/${UV_VERSION}/uv-x86_64-unknown-linux-gnu.tar.gz" -o /tmp/uv.tar.gz
    echo "${UV_SHA256}  /tmp/uv.tar.gz" | sha256sum -c -
    sudo tar -xzf /tmp/uv.tar.gz -C /usr/local/bin --strip-components=1 uv-x86_64-unknown-linux-gnu/uv uv-x86_64-unknown-linux-gnu/uvx
    rm /tmp/uv.tar.gz

Reference Implementation: on-create.sh

The devcontainer script already implements the desired pattern for all three binary downloads (actionlint, gitleaks, uv). Example from the uv section (lines 72–92):

UV_VERSION="0.10.8"
if [[ "${ARCH}" == "x86_64" ]]; then
  UV_ARCH="x86_64-unknown-linux-gnu"
  UV_SHA256="f0c566b55683395a62fefb9261a060fa09824914b5682c3b9629fa154762ae2f"
elif [[ "${ARCH}" == "aarch64" ]]; then
  UV_ARCH="aarch64-unknown-linux-gnu"
  UV_SHA256="661860e954f87dcd823251191866af3486484d1a9df60eed56f4586ed7559e3d"
else
  echo "ERROR: Unsupported architecture for uv: ${ARCH}" >&2
  exit 1
fi
curl -sSfL "https://github.com/astral-sh/uv/releases/download/${UV_VERSION}/uv-${UV_ARCH}.tar.gz" -o /tmp/uv.tar.gz

The same if/elif/else pattern is used for actionlint (lines 20–34) and gitleaks (lines 50–65).

Changes Required

File Change
.github/workflows/copilot-setup-steps.yml Add ARCH=$(uname -m) detection to the actionlint install step with architecture-specific URL and SHA256
.github/workflows/copilot-setup-steps.yml Add ARCH=$(uname -m) detection to the uv install step with architecture-specific URL and SHA256
.github/workflows/copilot-setup-steps.yml Add aarch64 SHA256 checksums as env vars alongside existing x86_64 checksums

Implementation Notes

  • The architecture detection block should use the same ARCH=$(uname -m) pattern as on-create.sh, with an else branch that prints an error and exits non-zero for unsupported architectures.
  • Each tool needs two SHA256 checksums (one per architecture). The aarch64 checksums are already captured in on-create.sh:
    • actionlint 1.7.10 aarch64: cd3dfe5f66887ec6b987752d8d9614e59fd22f39415c5ad9f28374623f41773a
    • uv 0.10.8 aarch64: 661860e954f87dcd823251191866af3486484d1a9df60eed56f4586ed7559e3d
  • Consider extracting the arch detection to a shared step or reusing ARCH across steps to avoid duplication.
  • If workflows.instructions.md runner constraints change to allow ARM runners in the future, update the Environment Synchronization guidance accordingly.

Acceptance Criteria

  • Both actionlint and uv install steps use ARCH=$(uname -m) with if/elif/else branching
  • x86_64 and aarch64 SHA256 checksums are specified for both tools
  • Unsupported architectures produce a clear error message and non-zero exit code
  • The pattern mirrors the structure used in on-create.sh for consistency
  • Existing x86_64 behavior is unchanged (no regression on ubuntu-latest)

Related

Metadata

Metadata

Assignees

No one assigned

    Labels

    infrastructureRepository infrastructure and toolingmaintenanceMaintenance work, no version bump

    Type

    Task

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions