Update threat detection to download prompt.txt artifact instead of embedding WORKFLOW_MARKDOWN

[Copilot]

Problem

When agentic workflows have large markdown content, the threat detection job was hitting GitHub Actions' 21KB limit for environment variable values. The WORKFLOW_MARKDOWN environment variable was being used to embed the entire workflow prompt content, which could easily exceed this limit for complex workflows.

Solution

This PR updates the threat detection system to download the prompt.txt artifact instead of embedding the workflow markdown as an environment variable. The prompt.txt artifact is already uploaded by the main agent job, so this change leverages existing infrastructure.

Key Changes

1. Added prompt artifact download step - The threat detection job now downloads the prompt.txt artifact alongside the existing agent output and patch artifacts.

2. Updated threat detection template - Modified templates/threat_detection.md to reference the prompt file path ({WORKFLOW_PROMPT_FILE}) instead of embedding the full markdown content ({WORKFLOW_MARKDOWN}). The template now instructs the LLM to load and read the prompt file.

3. Updated setup script - The JavaScript setup script in buildSetupScript() now checks for the downloaded prompt file and passes the file path information to the LLM instead of embedding the content inline.

4. Removed WORKFLOW_MARKDOWN environment variable - Eliminated the WORKFLOW_MARKDOWN environment variable from buildWorkflowContextEnvVars(), keeping only WORKFLOW_NAME and WORKFLOW_DESCRIPTION.

5. Added jqschema import to audit workflow - Added shared/jqschema.md import to the audit-workflows.md workflow to provide JSON schema discovery utilities for analyzing complex tool outputs.

Benefits

• Avoids size limits: No longer subject to GitHub Actions' 21KB environment variable limit
• Better performance: Downloading artifacts is more efficient than embedding large content in environment variables
• Cleaner architecture: Improved separation of concerns between prompt generation and threat detection
• Backward compatible: Works with all existing workflows without requiring changes to workflow markdown files

Testing

• Added 3 new unit tests to verify the prompt download mechanism
• All 64 repository workflows recompiled successfully
• Verified WORKFLOW_MARKDOWN is no longer present in any compiled workflow
• All unit tests passing
• Audit workflow with jqschema import compiles successfully

Example

Before: Threat detection job failed with workflows containing >21KB of markdown content

After: Threat detection job downloads the prompt file and instructs the LLM to load it:

- name: Download prompt artifact
  continue-on-error: true
  uses: actions/download-artifact@v5
  with:
    name: prompt.txt
    path: /tmp/gh-aw/threat-detection/

The threat detection prompt now contains:

## Workflow Source Context

The workflow prompt file is available at: /tmp/gh-aw/threat-detection/prompt.txt (X bytes)

Load and read this file to understand the intent and context of the workflow.

Fixes issue with large workflow prompts exceeding environment variable size limits.

Original prompt

Update the detection creation prompt to avoid WORKFLOW_MARKDOWN.

Instead download the prompt.txt artifact and prompt the LLM to load the file.

This should take care of size issue when the prompt is too large.

---

💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.

[pelikhan]

@copilot add import jqschema.md to copilot agent auditor agentic workflow and it should compile correctly

[Copilot]

@copilot add import jqschema.md to copilot agent auditor agentic workflow and it should compile correctly

Added shared/jqschema.md import to audit-workflows.md and verified it compiles successfully. The jqschema utility script and documentation are now available to the audit agent. Commit: e9e8844

[github-actions]

Agentic Changeset Generator triggered by this pull request.