
Convert Write Safe Outputs Tools step to actions/github-script with JSON env vars #24872

Merged
pelikhan merged 1 commit into main from copilot/update-compiler-actions-github-script
Apr 6, 2026


Copilot AI commented Apr 6, 2026

Summary

Converts the "Write Safe Outputs Tools" step (step 31, referenced in https://github.com/github/gh-aw/actions/runs/24028507303/job/70072190053#step:31:1) from shell heredocs + direct node invocation to actions/github-script with JSON payloads passed as environment variables.

Problem

The step was using:

  1. Shell heredocs to write tools_meta.json and validation.json to disk
  2. Direct node ${RUNNER_TEMP}/gh-aw/actions/generate_safe_outputs_tools.cjs invocation

This caused failures (exit code 1 from the node invocation) and is fragile due to direct node invocation.

Changes

actions/setup/js/generate_safe_outputs_tools.cjs

  • Refactored from a top-level standalone script to an exported async function main()
  • Added support for GH_AW_TOOLS_META_JSON env var: if set, writes the JSON content to tools_meta.json before processing (replaces heredoc)
  • Added support for GH_AW_VALIDATION_JSON env var: if set, writes the JSON content to validation.json (replaces heredoc)
  • Replaced process.exit(1) with throw new Error() (actions/github-script handles it properly)
  • Added require.main === module guard for backward-compatible standalone node execution
  • Maintained all existing behavior for direct node execution (all 10 vitest tests pass)

pkg/workflow/mcp_setup_generator.go

  • Replaced the heredoc + node invocation step with an actions/github-script step
  • JSON payloads (toolsMetaJSON, validationConfigJSON) are embedded as YAML literal block scalar env vars (GH_AW_TOOLS_META_JSON, GH_AW_VALIDATION_JSON)
  • Uses the standard generateGitHubScriptWithRequire("generate_safe_outputs_tools.cjs") pattern

pkg/workflow/safe_outputs_tools_meta_integration_test.go

  • Updated extractToolsMetaFromLockFile to find GH_AW_TOOLS_META_JSON: | env var instead of heredoc delimiter
  • Updated assertions to check for env var instead of heredoc patterns

Lock files

  • All 181 workflow .lock.yml files recompiled with the new step format

Generated YAML (before → after)

Before:

- name: Write Safe Outputs Tools
  run: |
    cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_abc123_EOF'
    {"description_suffixes":{...},...}
    GH_AW_SAFE_OUTPUTS_TOOLS_META_abc123_EOF
    cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_abc123_EOF'
    {...}
    GH_AW_SAFE_OUTPUTS_VALIDATION_abc123_EOF
    node ${RUNNER_TEMP}/gh-aw/actions/generate_safe_outputs_tools.cjs

After:

- name: Write Safe Outputs Tools
  env:
    GH_AW_TOOLS_META_JSON: |
      {"description_suffixes":{...},...}
    GH_AW_VALIDATION_JSON: |
      {...}
  uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
  with:
    script: |
      const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
      setupGlobals(core, github, context, exec, io);
      const { main } = require('${{ runner.temp }}/gh-aw/actions/generate_safe_outputs_tools.cjs');
      await main();


✨ PR Review Safe Output Test - Run 24035225148

💥 [THE END] — Illustrated by Smoke Claude · ● 229.8K ·

…SON env vars

- Refactor generate_safe_outputs_tools.cjs to export main() function and
  support GH_AW_TOOLS_META_JSON / GH_AW_VALIDATION_JSON env var payloads
- Update mcp_setup_generator.go to generate actions/github-script step
  instead of heredoc + node invocation
- Update integration test to parse tools_meta from env var instead of heredoc
- Recompile all 181 workflow lock files

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/fb0ab97d-a4d2-4950-b3b7-0112a2c60381

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

github-actions bot commented Apr 6, 2026

Hey @Copilot 👋 — great work on refactoring the "Write Safe Outputs Tools" step! Replacing the fragile shell heredoc + direct node invocation with a clean actions/github-script approach (with JSON payloads via env vars) is a solid improvement in both reliability and maintainability. The PR is well-structured and follows established codebase patterns beautifully.

This PR looks ready for maintainer review:

  • Focused — single, coherent change (the step refactor) with all 181 lock files correctly recompiled as a natural consequence.
  • Well described — clear Problem / Changes / Before-After YAML sections make the intent immediately obvious.
  • Tests updated — safe_outputs_tools_meta_integration_test.go is updated to reflect the new env var pattern, and the PR notes all 10 vitest tests continue to pass.
  • Follows process — authored via Copilot coding agent with @pelikhan assigned for review, exactly as the contribution guidelines prescribe.

One note: the PR is currently in draft state — when you're happy with the implementation, mark it ready for review so @pelikhan can take a final pass. 🚀


Contribution check result: 🟢 Aligned — lgtm

Generated by Contribution Check · ● 1.8M ·

pelikhan marked this pull request as ready for review April 6, 2026 13:39
Copilot AI review requested due to automatic review settings April 6, 2026 13:39

Copilot AI left a comment


Copilot wasn't able to review this pull request because it exceeds the maximum number of lines (20,000). Try reducing the number of changed lines and requesting a review from Copilot again.

pelikhan added the smoke label Apr 6, 2026

github-actions bot commented Apr 6, 2026

🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...


github-actions bot commented Apr 6, 2026

✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready.


github-actions bot commented Apr 6, 2026

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

github-actions bot removed the smoke label Apr 6, 2026

github-actions bot commented Apr 6, 2026

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨


github-actions bot commented Apr 6, 2026

Agent Container Tool Check

Tool Status Version
bash 5.2.21
sh available
git 2.53.0
jq 1.7
yq v4.52.5
curl 8.5.0
gh 2.89.0
node v20.20.2
python3 3.12.3
go 1.24.13
java 21.0.10
dotnet 10.0.201

Result: 12/12 tools available ✅

Overall Status: PASS

🔧 Tool validation by Agent Container Smoke Test · ● 232K ·


github-actions bot commented Apr 6, 2026

@Copilot @pelikhan — smoke test §24035225161 results:

Test Status
GitHub MCP reads
mcpscripts-gh CLI
Serena MCP ⚠️ skipped
Playwright ❌ permission issue
Web fetch
File I/O + bash
Discussion comment
Build gh-aw
Discussion creation
Workflow dispatch
PR review

Overall: ⚠️ PARTIAL PASS (10/11 operational tests passed; Playwright env issue)

📰 BREAKING: Report filed by Smoke Copilot · ● 1.6M ·


github-actions bot left a comment


This PR cleanly replaces fragile heredoc + direct node invocation with actions/github-script and env var JSON payloads. The refactoring is well-structured: generate_safe_outputs_tools.cjs gains a proper exported main(), error handling uses throw instead of process.exit(1), and the test updates correctly reflect the new GH_AW_TOOLS_META_JSON pattern. Nice work!

📰 BREAKING: Report filed by Smoke Copilot · ● 1.6M

if (require.main === module) {
main().catch(err => {
process.exit(1);
});
}
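
Review bot: in the `require.main === module` guard, the `.catch(err => { process.exit(1); })` handler as shown never uses `err`, so a standalone `node` run that fails exits with status 1 and no message, which is the same bare "exit code 1" symptom the PR description reports for the old step. Since `main()` now signals failures with `throw new Error()`, print the error (for example with `console.error(err)`) before calling `process.exit(1)`.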

Good refactor — exporting main and guarding with require.main === module preserves backward compatibility while enabling actions/github-script integration. The throw new Error(msg) pattern also lets the caller handle failures cleanly instead of process.exit(1).

fmt.Fprintf(yaml, " uses: %s\n", GetActionPin("actions/github-script"))
yaml.WriteString(" with:\n")
yaml.WriteString(" script: |\n")
yaml.WriteString(generateGitHubScriptWithRequire("generate_safe_outputs_tools.cjs"))

// Note: The MCP server entry point (mcp-server.cjs) is now copied by actions/setup

Using YAML literal block scalar env vars instead of heredocs is a cleaner approach — no randomized delimiters needed, and actions/github-script handles the JSON payload safely. This should resolve the fragile heredoc + direct node invocation issue.


github-actions bot commented Apr 6, 2026

Smoke Test 24035225148 — PARTIAL

Core (#1–12): ✅✅✅✅✅❌✅✅✅✅✅✅
PR Review (#13–19): ✅✅✅⚠️✅✅⚠️

#6 Tavily: rate limited (429)
⚠️ #16 Resolve thread: skipped (no threads)
⚠️ #19 Close PR: skipped (no test PR)

💥 [THE END] — Illustrated by Smoke Claude · ● 229.8K ·


github-actions bot left a comment


💥 Automated smoke test review - all systems nominal!

💥 [THE END] — Illustrated by Smoke Claude · ● 229.8K

{
"description_suffixes": {
"add_comment": " CONSTRAINTS: Maximum 10 comment(s) can be added.",
"create_discussion": " CONSTRAINTS: Maximum 2 discussion(s) can be created.",

The migration from run: | heredoc to actions/github-script with JSON env vars is a clean approach. Consider adding a comment to document why JSON env vars are preferred over heredoc for future maintainers.

GH_AW_TOOLS_META_JSON: |
{
"description_suffixes": {
"create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"agent-research\"."

Consistent pattern with other lock files - good to see the migration is applied uniformly across all workflows. The GH_AW_TOOLS_META_JSON and GH_AW_VALIDATION_JSON env var approach improves readability.


github-actions bot commented Apr 6, 2026

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

pelikhan merged commit 41a92e7 into main Apr 6, 2026
301 of 303 checks passed
pelikhan deleted the copilot/update-compiler-actions-github-script branch April 6, 2026 14:24