
[CI Failure Doctor] Runtime import fuzz rejects partial secrets expressions #18163

@github-actions

Description


CI Failure Investigation - Run #37699

Summary

Fuzzing the runtime import processor let a `secrets.` fragment slip through because no `${{ ... }}` matches were found, so `processExpressions` returned successfully even though the test checks for that substring as a security violation.

Failure Details

Root Cause Analysis

`processExpressions` short-circuits whenever the regex finds zero `${{ ... }}` expressions, so fuzz-generated fragments such as `secrets.` never reached the whitelist logic (`isSafeExpression`). When no expressions were matched the job returned the input unmodified, which allowed `FuzzRuntimeImportProcessExpressions` to report a failure because it now requires those fragments to error. The fix adds a lightweight substring scan for `secrets.` before the early return so the same error path is exercised even without closing braces.

Failed Jobs and Errors

  • fuzz failure: `FuzzRuntimeImportProcessExpressions` produced `runtime_import_fuzz_test.go:251: Content with 'secrets.' expression was processed successfully: "secrets."` because `processExpressions` returned without running validation.

Investigation Findings

  • The failure happens before the regex matches any `${{ ... }}` expressions, leaving `matches.length === 0` and bypassing the security checks.
  • Added `collectSuspiciousSubstrings` so keywords like `secrets.` populate `unsafeExpressions` before the existing `ERR_VALIDATION` path throws.
  • Tried re-running `go test -run=FuzzRuntimeImportProcessExpressions/014e4d863738a238 ./pkg/parser`, but the sandbox lacks Go 1.25; the test run tried to download go1.25 from (proxy.golang.org/redacted) and received `403 Forbidden`, so the rerun could not complete locally.

Recommended Actions

  • Re-run `go test -run=FuzzRuntimeImportProcessExpressions/014e4d863738a238 ./pkg/parser` once the Go 1.25 toolchain is available in the environment to confirm the fuzz target passes.
  • Keep an eye on the fuzz failure job in `ci.yml` to ensure the new substring guard does not conflict with legitimate Markdown that mentions `secrets.` outside of expressions.

Prevention Strategies

Scan raw runtime import content for high-risk prefixes such as `secrets.` (and any future keywords added to `isSafeExpression`) before returning early, so truncated expressions cannot bypass the whitelist even when `${{ ... }}` is malformed.

AI Team Self-Improvement

When adding fuzz coverage around security-critical parsers, do not rely solely on regex matches; inspect the raw input for keyword anchors before any early return so truncated expressions still trigger the validation path.

Historical Context

No other CI Failure Doctor issue currently documents this fuzz regression pattern.

🩺 Diagnosis provided by CI Failure Doctor

To install this workflow, run gh aw add githubnext/agentics/workflows/ci-doctor.md@ea350161ad5dcc9624cf510f134c6a9e39a6f94d. View source at https://github.com/githubnext/agentics/tree/ea350161ad5dcc9624cf510f134c6a9e39a6f94d/workflows/ci-doctor.md.

  • expires on Feb 25, 2026, 2:28 PM UTC
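The bypass the report describes, beside the guarded form, as an added Go sketch that is not gh-aw's own code: the `${{ ... }}` regex, the whitelist prefixes in `isSafeExpression` and the keyword list are assumptions, and the `guard` flag only exists here to show both behaviours side by side.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumed shapes, not gh-aw's real code: the ${{ ... }} regex, the whitelist
// prefixes, and the keyword list a truncated fragment must still trip.
var exprRe = regexp.MustCompile(`\$\{\{\s*(.*?)\s*\}\}`)
var suspicious = []string{"secrets."}

func isSafeExpression(expr string) bool {
	return strings.HasPrefix(expr, "github.") || strings.HasPrefix(expr, "inputs.")
}

// collectSuspiciousSubstrings scans the raw input for keyword anchors.
func collectSuspiciousSubstrings(content string) []string {
	var found []string
	for _, kw := range suspicious {
		if strings.Contains(content, kw) {
			found = append(found, kw)
		}
	}
	return found
}

// processExpressions: guard=false reproduces the bug (zero regex matches mean
// an early return, so a bare "secrets." is never checked); guard=true runs
// the substring scan before that early return, as the fix describes.
func processExpressions(content string, guard bool) (string, error) {
	matches := exprRe.FindAllStringSubmatch(content, -1)
	var unsafe []string
	if guard {
		unsafe = collectSuspiciousSubstrings(content)
	}
	if len(matches) == 0 && len(unsafe) == 0 {
		return content, nil // the short-circuit the fuzzer hit
	}
	for _, m := range matches {
		if !isSafeExpression(m[1]) {
			unsafe = append(unsafe, m[1])
		}
	}
	if len(unsafe) > 0 {
		return "", fmt.Errorf("ERR_VALIDATION: unsafe expression(s): %s", strings.Join(unsafe, ", "))
	}
	return content, nil
}
```

A fuzz target seeded with the bare fragment `secrets.` fails against `guard=false` and passes against `guard=true`, which is the regression the report's test now encodes.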
