From 5fa4da3661e227040783a63371778f4126cf6e68 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 12 Apr 2026 04:11:12 +0000
Subject: [PATCH 1/4] Initial plan

From 89ec0e298873ac86d24f45fc2698986440952a7f Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 12 Apr 2026 04:42:48 +0000
Subject: [PATCH 2/4] fix: extract ${{ github.* }} expressions from safe outputs config to env block

Move GitHub Actions template expressions out of run: block heredocs into the step's env: block to prevent template-injection vulnerabilities flagged by zizmor. This extends the existing secret extraction pattern to also cover ${{ github.* }} context expressions. The safe outputs config JSON (config.json) previously contained ${{ github.workflow }} inside a run: block heredoc. Now the expression is set via env: and referenced as ${GITHUB_WORKFLOW} shell variable. Fixes 16 workflows: copilot-pr-nlp-analysis, copilot-session-insights, copilot-token-audit, daily-code-metrics, daily-integrity-analysis, daily-issues-report, daily-multi-device-docs-tester, daily-news, daily-repo-chronicle, github-mcp-structural-analysis, org-health-report, portfolio-analyst, python-data-charts, stale-repo-identifier, weekly-editors-health-check, weekly-issue-summary.

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/22cff3a9-de45-47b6-8dbb-f8e7acb36115
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 .../copilot-pr-nlp-analysis.lock.yml | 6 +-
 .../copilot-session-insights.lock.yml | 6 +-
 .../workflows/copilot-token-audit.lock.yml | 6 +-
 .github/workflows/daily-code-metrics.lock.yml | 6 +-
 .../daily-integrity-analysis.lock.yml | 6 +-
 .../workflows/daily-issues-report.lock.yml | 6 +-
 .../daily-multi-device-docs-tester.lock.yml | 6 +-
 .github/workflows/daily-news.lock.yml | 6 +-
 .../workflows/daily-repo-chronicle.lock.yml | 6 +-
 .../github-mcp-structural-analysis.lock.yml | 6 +-
 .github/workflows/org-health-report.lock.yml | 6 +-
 .github/workflows/portfolio-analyst.lock.yml | 6 +-
 .github/workflows/python-data-charts.lock.yml | 6 +-
 .../workflows/stale-repo-identifier.lock.yml | 6 +-
 .../weekly-editors-health-check.lock.yml | 6 +-
 .../workflows/weekly-issue-summary.lock.yml | 6 +-
 actions/setup/js/git_helpers.cjs | 4 +-
 pkg/workflow/mcp_setup_generator.go | 43 ++++++++---
 pkg/workflow/secret_extraction.go | 62 +++++++++++++++
 pkg/workflow/secret_extraction_test.go | 75 +++++++++++++++++++
 20 files changed, 233 insertions(+), 47 deletions(-)
diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml
index a24f26fa4aa..ceb7a484f65 100644
--- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml
+++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml
@@ -486,12 +486,14 @@ jobs: - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.18@sha256:c77e8c26bab6c39e8568d8e2f8c17015944849a8cbcdfb4bd9725d8893725ca2 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.18@sha256:d16a40a3ca6e989896d0cef9f31b9412bb1fcc8755bafcafb95012ae1078539b ghcr.io/github/gh-aw-firewall/squid:0.25.18@sha256:eb102afcfbae26ffcec016adebb74d3be7b0a5bf376ba306599cdf3effbe288e ghcr.io/github/gh-aw-mcpg:v0.2.17@sha256:a6dec6ec535a11c565d982afa2f98589805ed0598862b9ea9d3c751fc71afae8 ghcr.io/github/github-mcp-server:v0.32.0@sha256:2763823c63bcca718ce53850a1d7fcf2f501ec84028394f1b63ce7e9f4f9be28 node:lts-alpine@sha256:01743339035a5c3c11a373cd7c83aeab6ed1457b55da6a69e014a95ac4e4700b - name: Write Safe Outputs Config + env: + GITHUB_WORKFLOW: ${{ github.workflow }} run: | mkdir -p "${RUNNER_TEMP}/gh-aw/safeoutputs" mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_6f1a662ce3b69c72_EOF' - {"create_discussion":{"category":"audits","close_older_discussions":true,"expires":24,"fallback_to_issue":true,"max":1,"title_prefix":"[nlp-analysis] "},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]},"report_incomplete":{},"upload_asset":{"allowed-exts":[".png",".jpg",".jpeg"],"branch":"assets/${{ github.workflow }}","max-size":10240}} + cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << GH_AW_SAFE_OUTPUTS_CONFIG_6f1a662ce3b69c72_EOF + {"create_discussion":{"category":"audits","close_older_discussions":true,"expires":24,"fallback_to_issue":true,"max":1,"title_prefix":"[nlp-analysis] 
"},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]},"report_incomplete":{},"upload_asset":{"allowed-exts":[".png",".jpg",".jpeg"],"branch":"assets/${GITHUB_WORKFLOW}","max-size":10240}} GH_AW_SAFE_OUTPUTS_CONFIG_6f1a662ce3b69c72_EOF - name: Write Safe Outputs Tools env: diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index 0574b984186..e0e1d2acfe6 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml 
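Review bot: Switching the delimiter from `<< 'GH_AW_SAFE_OUTPUTS_CONFIG_6f1a662ce3b69c72_EOF'` to the unquoted `<< GH_AW_SAFE_OUTPUTS_CONFIG_6f1a662ce3b69c72_EOF` makes bash expand the whole config.json body, not just `${GITHUB_WORKFLOW}`, so any `$`, backtick or backslash in the other fields (for example a `title_prefix`, which presumably comes from workflow frontmatter) is now interpreted by the shell. Unless the generator already escapes those characters in the literal JSON (its code is not visible in this part of the patch), it should do so before emitting an unquoted heredoc, or keep the quoted delimiter and substitute the value in a separate step. The workflow name is also placed inside a JSON string without JSON escaping, so a name containing `"` or `\` would yield invalid or altered JSON at `"branch":"assets/${GITHUB_WORKFLOW}"`. The same applies to the identical "Write Safe Outputs Config" hunks in the other lock files of this patch.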
@@ -491,12 +491,14 @@ jobs: - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.18@sha256:c77e8c26bab6c39e8568d8e2f8c17015944849a8cbcdfb4bd9725d8893725ca2 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.18@sha256:d16a40a3ca6e989896d0cef9f31b9412bb1fcc8755bafcafb95012ae1078539b ghcr.io/github/gh-aw-firewall/squid:0.25.18@sha256:eb102afcfbae26ffcec016adebb74d3be7b0a5bf376ba306599cdf3effbe288e ghcr.io/github/gh-aw-mcpg:v0.2.17@sha256:a6dec6ec535a11c565d982afa2f98589805ed0598862b9ea9d3c751fc71afae8 ghcr.io/github/github-mcp-server:v0.32.0@sha256:2763823c63bcca718ce53850a1d7fcf2f501ec84028394f1b63ce7e9f4f9be28 node:lts-alpine@sha256:01743339035a5c3c11a373cd7c83aeab6ed1457b55da6a69e014a95ac4e4700b - name: Write Safe Outputs Config + env: + GITHUB_WORKFLOW: ${{ github.workflow }} run: | mkdir -p "${RUNNER_TEMP}/gh-aw/safeoutputs" mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_247be6e762e7c629_EOF' - {"create_discussion":{"category":"audits","close_older_discussions":true,"expires":24,"fallback_to_issue":true,"max":1,"title_prefix":"[copilot-session-insights] "},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]},"report_incomplete":{},"upload_asset":{"allowed-exts":[".png",".jpg",".jpeg"],"branch":"assets/${{ github.workflow }}","max-size":10240}} + cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << GH_AW_SAFE_OUTPUTS_CONFIG_247be6e762e7c629_EOF + {"create_discussion":{"category":"audits","close_older_discussions":true,"expires":24,"fallback_to_issue":true,"max":1,"title_prefix":"[copilot-session-insights] 
"},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]},"report_incomplete":{},"upload_asset":{"allowed-exts":[".png",".jpg",".jpeg"],"branch":"assets/${GITHUB_WORKFLOW}","max-size":10240}} GH_AW_SAFE_OUTPUTS_CONFIG_247be6e762e7c629_EOF - name: Write Safe Outputs Tools env: diff --git a/.github/workflows/copilot-token-audit.lock.yml b/.github/workflows/copilot-token-audit.lock.yml index ff942115257..c3577e048ce 100644 --- a/.github/workflows/copilot-token-audit.lock.yml +++ b/.github/workflows/copilot-token-audit.lock.yml 
@@ -538,12 +538,14 @@ jobs: - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.18@sha256:c77e8c26bab6c39e8568d8e2f8c17015944849a8cbcdfb4bd9725d8893725ca2 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.18@sha256:d16a40a3ca6e989896d0cef9f31b9412bb1fcc8755bafcafb95012ae1078539b ghcr.io/github/gh-aw-firewall/squid:0.25.18@sha256:eb102afcfbae26ffcec016adebb74d3be7b0a5bf376ba306599cdf3effbe288e ghcr.io/github/gh-aw-mcpg:v0.2.17@sha256:a6dec6ec535a11c565d982afa2f98589805ed0598862b9ea9d3c751fc71afae8 ghcr.io/github/github-mcp-server:v0.32.0@sha256:2763823c63bcca718ce53850a1d7fcf2f501ec84028394f1b63ce7e9f4f9be28 node:lts-alpine@sha256:01743339035a5c3c11a373cd7c83aeab6ed1457b55da6a69e014a95ac4e4700b - name: Write Safe Outputs Config + env: + GITHUB_WORKFLOW: ${{ github.workflow }} run: | mkdir -p "${RUNNER_TEMP}/gh-aw/safeoutputs" mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_b6b826edcb8b04b7_EOF' - {"create_discussion":{"category":"audits","close_older_discussions":true,"expires":72,"fallback_to_issue":true,"max":1,"title_prefix":"[copilot-token-audit] "},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":51200}]},"report_incomplete":{},"upload_asset":{"allowed-exts":[".png",".jpg",".jpeg"],"branch":"assets/${{ github.workflow }}","max-size":10240}} + cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << GH_AW_SAFE_OUTPUTS_CONFIG_b6b826edcb8b04b7_EOF + {"create_discussion":{"category":"audits","close_older_discussions":true,"expires":72,"fallback_to_issue":true,"max":1,"title_prefix":"[copilot-token-audit] 
"},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":51200}]},"report_incomplete":{},"upload_asset":{"allowed-exts":[".png",".jpg",".jpeg"],"branch":"assets/${GITHUB_WORKFLOW}","max-size":10240}} GH_AW_SAFE_OUTPUTS_CONFIG_b6b826edcb8b04b7_EOF - name: Write Safe Outputs Tools env: diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index e153315de1c..c442de0bb7e 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml 
@@ -480,12 +480,14 @@ jobs: - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.18@sha256:c77e8c26bab6c39e8568d8e2f8c17015944849a8cbcdfb4bd9725d8893725ca2 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.18@sha256:d16a40a3ca6e989896d0cef9f31b9412bb1fcc8755bafcafb95012ae1078539b ghcr.io/github/gh-aw-firewall/squid:0.25.18@sha256:eb102afcfbae26ffcec016adebb74d3be7b0a5bf376ba306599cdf3effbe288e ghcr.io/github/gh-aw-mcpg:v0.2.17@sha256:a6dec6ec535a11c565d982afa2f98589805ed0598862b9ea9d3c751fc71afae8 ghcr.io/github/github-mcp-server:v0.32.0@sha256:2763823c63bcca718ce53850a1d7fcf2f501ec84028394f1b63ce7e9f4f9be28 node:lts-alpine@sha256:01743339035a5c3c11a373cd7c83aeab6ed1457b55da6a69e014a95ac4e4700b - name: Write Safe Outputs Config + env: + GITHUB_WORKFLOW: ${{ github.workflow }} run: | mkdir -p "${RUNNER_TEMP}/gh-aw/safeoutputs" mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_e15fd991b667d244_EOF' - {"create_discussion":{"category":"audits","close_older_discussions":true,"expires":72,"fallback_to_issue":true,"max":1,"title_prefix":"[daily-code-metrics] "},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":51200}]},"report_incomplete":{},"upload_asset":{"allowed-exts":[".png",".jpg",".jpeg"],"branch":"assets/${{ github.workflow }}","max-size":10240}} + cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << GH_AW_SAFE_OUTPUTS_CONFIG_e15fd991b667d244_EOF + {"create_discussion":{"category":"audits","close_older_discussions":true,"expires":72,"fallback_to_issue":true,"max":1,"title_prefix":"[daily-code-metrics] 
"},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":51200}]},"report_incomplete":{},"upload_asset":{"allowed-exts":[".png",".jpg",".jpeg"],"branch":"assets/${GITHUB_WORKFLOW}","max-size":10240}} GH_AW_SAFE_OUTPUTS_CONFIG_e15fd991b667d244_EOF - name: Write Safe Outputs Tools env: diff --git a/.github/workflows/daily-integrity-analysis.lock.yml b/.github/workflows/daily-integrity-analysis.lock.yml index 5e5211e3403..811cca7aa04 100644 --- a/.github/workflows/daily-integrity-analysis.lock.yml +++ b/.github/workflows/daily-integrity-analysis.lock.yml 
@@ -528,12 +528,14 @@ jobs: exit 1 fi - name: Write Safe Outputs Config + env: + GITHUB_WORKFLOW: ${{ github.workflow }} run: | mkdir -p "${RUNNER_TEMP}/gh-aw/safeoutputs" mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_69ca74bab4b4d0b8_EOF' - {"create_discussion":{"category":"audits","close_older_discussions":true,"expires":72,"fallback_to_issue":true,"max":1,"title_prefix":"[integrity] "},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{},"upload_asset":{"allowed-exts":[".png",".jpg",".jpeg"],"branch":"assets/${{ github.workflow }}","max-size":10240}} + cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << GH_AW_SAFE_OUTPUTS_CONFIG_69ca74bab4b4d0b8_EOF + {"create_discussion":{"category":"audits","close_older_discussions":true,"expires":72,"fallback_to_issue":true,"max":1,"title_prefix":"[integrity] "},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{},"upload_asset":{"allowed-exts":[".png",".jpg",".jpeg"],"branch":"assets/${GITHUB_WORKFLOW}","max-size":10240}} GH_AW_SAFE_OUTPUTS_CONFIG_69ca74bab4b4d0b8_EOF - name: Write Safe Outputs Tools env: diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index fc991388a03..977038c760e 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml 
@@ -502,12 +502,14 @@ jobs: - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.18@sha256:c77e8c26bab6c39e8568d8e2f8c17015944849a8cbcdfb4bd9725d8893725ca2 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.18@sha256:d16a40a3ca6e989896d0cef9f31b9412bb1fcc8755bafcafb95012ae1078539b ghcr.io/github/gh-aw-firewall/squid:0.25.18@sha256:eb102afcfbae26ffcec016adebb74d3be7b0a5bf376ba306599cdf3effbe288e ghcr.io/github/gh-aw-mcpg:v0.2.17@sha256:a6dec6ec535a11c565d982afa2f98589805ed0598862b9ea9d3c751fc71afae8 ghcr.io/github/github-mcp-server:v0.32.0@sha256:2763823c63bcca718ce53850a1d7fcf2f501ec84028394f1b63ce7e9f4f9be28 node:lts-alpine@sha256:01743339035a5c3c11a373cd7c83aeab6ed1457b55da6a69e014a95ac4e4700b - name: Write Safe Outputs Config + env: + GITHUB_WORKFLOW: ${{ github.workflow }} run: | mkdir -p "${RUNNER_TEMP}/gh-aw/safeoutputs" mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_74d27a0a66cb0e13_EOF' - {"create_discussion":{"category":"audits","close_older_discussions":true,"expires":72,"fallback_to_issue":true,"max":1,"title_prefix":"[daily issues] "},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{},"upload_asset":{"allowed-exts":[".png",".jpg",".jpeg"],"branch":"assets/${{ github.workflow }}","max-size":10240}} + cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << GH_AW_SAFE_OUTPUTS_CONFIG_74d27a0a66cb0e13_EOF + {"create_discussion":{"category":"audits","close_older_discussions":true,"expires":72,"fallback_to_issue":true,"max":1,"title_prefix":"[daily issues] 
"},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{},"upload_asset":{"allowed-exts":[".png",".jpg",".jpeg"],"branch":"assets/${GITHUB_WORKFLOW}","max-size":10240}} GH_AW_SAFE_OUTPUTS_CONFIG_74d27a0a66cb0e13_EOF - name: Write Safe Outputs Tools env: diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml index 1cb31a0e9aa..49044e27626 100644 --- a/.github/workflows/daily-multi-device-docs-tester.lock.yml +++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml 
@@ -419,12 +419,14 @@ jobs: - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.18@sha256:c77e8c26bab6c39e8568d8e2f8c17015944849a8cbcdfb4bd9725d8893725ca2 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.18@sha256:d16a40a3ca6e989896d0cef9f31b9412bb1fcc8755bafcafb95012ae1078539b ghcr.io/github/gh-aw-firewall/squid:0.25.18@sha256:eb102afcfbae26ffcec016adebb74d3be7b0a5bf376ba306599cdf3effbe288e ghcr.io/github/gh-aw-mcpg:v0.2.17@sha256:a6dec6ec535a11c565d982afa2f98589805ed0598862b9ea9d3c751fc71afae8 ghcr.io/github/github-mcp-server:v0.32.0@sha256:2763823c63bcca718ce53850a1d7fcf2f501ec84028394f1b63ce7e9f4f9be28 mcr.microsoft.com/playwright/mcp@sha256:7b82f29c6ef83480a97f612d53ac3fd5f30a32df3fea1e06923d4204d3532bb2 node:lts-alpine@sha256:01743339035a5c3c11a373cd7c83aeab6ed1457b55da6a69e014a95ac4e4700b - name: Write Safe Outputs Config + env: + GITHUB_WORKFLOW: ${{ github.workflow }} run: | mkdir -p "${RUNNER_TEMP}/gh-aw/safeoutputs" mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_732bcf318c5a65f2_EOF' - {"create_issue":{"expires":48,"labels":["cookie"],"max":1},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{},"upload_asset":{"allowed-exts":[".png",".jpg",".jpeg"],"branch":"assets/${{ github.workflow }}","max-size":10240}} + cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << GH_AW_SAFE_OUTPUTS_CONFIG_732bcf318c5a65f2_EOF + {"create_issue":{"expires":48,"labels":["cookie"],"max":1},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{},"upload_asset":{"allowed-exts":[".png",".jpg",".jpeg"],"branch":"assets/${GITHUB_WORKFLOW}","max-size":10240}} GH_AW_SAFE_OUTPUTS_CONFIG_732bcf318c5a65f2_EOF - name: Write Safe 
Outputs Tools env: diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index 65c680a2428..4553a0f848e 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml 
@@ -556,12 +556,14 @@ jobs: - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.18@sha256:c77e8c26bab6c39e8568d8e2f8c17015944849a8cbcdfb4bd9725d8893725ca2 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.18@sha256:d16a40a3ca6e989896d0cef9f31b9412bb1fcc8755bafcafb95012ae1078539b ghcr.io/github/gh-aw-firewall/squid:0.25.18@sha256:eb102afcfbae26ffcec016adebb74d3be7b0a5bf376ba306599cdf3effbe288e ghcr.io/github/gh-aw-mcpg:v0.2.17@sha256:a6dec6ec535a11c565d982afa2f98589805ed0598862b9ea9d3c751fc71afae8 ghcr.io/github/github-mcp-server:v0.32.0@sha256:2763823c63bcca718ce53850a1d7fcf2f501ec84028394f1b63ce7e9f4f9be28 node:lts-alpine@sha256:01743339035a5c3c11a373cd7c83aeab6ed1457b55da6a69e014a95ac4e4700b - name: Write Safe Outputs Config + env: + GITHUB_WORKFLOW: ${{ github.workflow }} run: | mkdir -p "${RUNNER_TEMP}/gh-aw/safeoutputs" mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_34e2cc8328156bbf_EOF' - {"create_discussion":{"category":"daily-news","close_older_discussions":true,"expires":72,"fallback_to_issue":true,"max":1},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]},"report_incomplete":{},"upload_asset":{"allowed-exts":[".png",".jpg",".jpeg"],"branch":"assets/${{ github.workflow }}","max-size":10240}} + cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << GH_AW_SAFE_OUTPUTS_CONFIG_34e2cc8328156bbf_EOF + 
{"create_discussion":{"category":"daily-news","close_older_discussions":true,"expires":72,"fallback_to_issue":true,"max":1},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]},"report_incomplete":{},"upload_asset":{"allowed-exts":[".png",".jpg",".jpeg"],"branch":"assets/${GITHUB_WORKFLOW}","max-size":10240}} GH_AW_SAFE_OUTPUTS_CONFIG_34e2cc8328156bbf_EOF - name: Write Safe Outputs Tools env: diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index c3ec5b522d2..2cbee65feba 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml 
@@ -449,12 +449,14 @@ jobs: - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.18@sha256:c77e8c26bab6c39e8568d8e2f8c17015944849a8cbcdfb4bd9725d8893725ca2 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.18@sha256:d16a40a3ca6e989896d0cef9f31b9412bb1fcc8755bafcafb95012ae1078539b ghcr.io/github/gh-aw-firewall/squid:0.25.18@sha256:eb102afcfbae26ffcec016adebb74d3be7b0a5bf376ba306599cdf3effbe288e ghcr.io/github/gh-aw-mcpg:v0.2.17@sha256:a6dec6ec535a11c565d982afa2f98589805ed0598862b9ea9d3c751fc71afae8 ghcr.io/github/github-mcp-server:v0.32.0@sha256:2763823c63bcca718ce53850a1d7fcf2f501ec84028394f1b63ce7e9f4f9be28 node:lts-alpine@sha256:01743339035a5c3c11a373cd7c83aeab6ed1457b55da6a69e014a95ac4e4700b - name: Write Safe Outputs Config + env: + GITHUB_WORKFLOW: ${{ github.workflow }} run: | mkdir -p "${RUNNER_TEMP}/gh-aw/safeoutputs" mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_7c0255a00d75f76e_EOF' - {"create_discussion":{"category":"announcements","close_older_discussions":true,"expires":72,"fallback_to_issue":true,"max":1,"title_prefix":"📰 "},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{},"upload_asset":{"allowed-exts":[".png",".jpg",".jpeg"],"branch":"assets/${{ github.workflow }}","max-size":10240}} + cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << GH_AW_SAFE_OUTPUTS_CONFIG_7c0255a00d75f76e_EOF + {"create_discussion":{"category":"announcements","close_older_discussions":true,"expires":72,"fallback_to_issue":true,"max":1,"title_prefix":"📰 
"},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{},"upload_asset":{"allowed-exts":[".png",".jpg",".jpeg"],"branch":"assets/${GITHUB_WORKFLOW}","max-size":10240}} GH_AW_SAFE_OUTPUTS_CONFIG_7c0255a00d75f76e_EOF - name: Write Safe Outputs Tools env: diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml index 8eb7b599b0f..24cee20c827 100644 --- a/.github/workflows/github-mcp-structural-analysis.lock.yml +++ b/.github/workflows/github-mcp-structural-analysis.lock.yml 
@@ -446,12 +446,14 @@ jobs: - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.18@sha256:c77e8c26bab6c39e8568d8e2f8c17015944849a8cbcdfb4bd9725d8893725ca2 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.18@sha256:d16a40a3ca6e989896d0cef9f31b9412bb1fcc8755bafcafb95012ae1078539b ghcr.io/github/gh-aw-firewall/squid:0.25.18@sha256:eb102afcfbae26ffcec016adebb74d3be7b0a5bf376ba306599cdf3effbe288e ghcr.io/github/gh-aw-mcpg:v0.2.17@sha256:a6dec6ec535a11c565d982afa2f98589805ed0598862b9ea9d3c751fc71afae8 ghcr.io/github/github-mcp-server:v0.32.0@sha256:2763823c63bcca718ce53850a1d7fcf2f501ec84028394f1b63ce7e9f4f9be28 node:lts-alpine@sha256:01743339035a5c3c11a373cd7c83aeab6ed1457b55da6a69e014a95ac4e4700b - name: Write Safe Outputs Config + env: + GITHUB_WORKFLOW: ${{ github.workflow }} run: | mkdir -p "${RUNNER_TEMP}/gh-aw/safeoutputs" mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_0251766c03ebee0e_EOF' - {"create_discussion":{"category":"audits","close_older_discussions":true,"expires":24,"fallback_to_issue":true,"max":1,"title_prefix":"[mcp-analysis] "},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{},"upload_asset":{"allowed-exts":[".png",".jpg",".jpeg"],"branch":"assets/${{ github.workflow }}","max-size":10240}} + cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << GH_AW_SAFE_OUTPUTS_CONFIG_0251766c03ebee0e_EOF + {"create_discussion":{"category":"audits","close_older_discussions":true,"expires":24,"fallback_to_issue":true,"max":1,"title_prefix":"[mcp-analysis] 
"},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{},"upload_asset":{"allowed-exts":[".png",".jpg",".jpeg"],"branch":"assets/${GITHUB_WORKFLOW}","max-size":10240}} GH_AW_SAFE_OUTPUTS_CONFIG_0251766c03ebee0e_EOF - name: Write Safe Outputs Tools env: diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index 77de7e571e6..65c74bb54c9 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml 
@@ -444,12 +444,14 @@ jobs: - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.18@sha256:c77e8c26bab6c39e8568d8e2f8c17015944849a8cbcdfb4bd9725d8893725ca2 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.18@sha256:d16a40a3ca6e989896d0cef9f31b9412bb1fcc8755bafcafb95012ae1078539b ghcr.io/github/gh-aw-firewall/squid:0.25.18@sha256:eb102afcfbae26ffcec016adebb74d3be7b0a5bf376ba306599cdf3effbe288e ghcr.io/github/gh-aw-mcpg:v0.2.17@sha256:a6dec6ec535a11c565d982afa2f98589805ed0598862b9ea9d3c751fc71afae8 ghcr.io/github/github-mcp-server:v0.32.0@sha256:2763823c63bcca718ce53850a1d7fcf2f501ec84028394f1b63ce7e9f4f9be28 node:lts-alpine@sha256:01743339035a5c3c11a373cd7c83aeab6ed1457b55da6a69e014a95ac4e4700b - name: Write Safe Outputs Config + env: + GITHUB_WORKFLOW: ${{ github.workflow }} run: | mkdir -p "${RUNNER_TEMP}/gh-aw/safeoutputs" mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_9b9dd4d9c3a211cc_EOF' - {"create_discussion":{"category":"reports","close_older_discussions":true,"expires":24,"fallback_to_issue":true,"max":1},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{},"upload_asset":{"allowed-exts":[".png",".jpg",".jpeg"],"branch":"assets/${{ github.workflow }}","max-size":10240}} + cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << GH_AW_SAFE_OUTPUTS_CONFIG_9b9dd4d9c3a211cc_EOF + {"create_discussion":{"category":"reports","close_older_discussions":true,"expires":24,"fallback_to_issue":true,"max":1},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{},"upload_asset":{"allowed-exts":[".png",".jpg",".jpeg"],"branch":"assets/${GITHUB_WORKFLOW}","max-size":10240}} GH_AW_SAFE_OUTPUTS_CONFIG_9b9dd4d9c3a211cc_EOF 
- name: Write Safe Outputs Tools env: diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml index 64d1ccd9c58..e87d9d12fca 100644 --- a/.github/workflows/portfolio-analyst.lock.yml +++ b/.github/workflows/portfolio-analyst.lock.yml @@ -517,12 +517,14 @@ jobs: exit 1 fi - name: Write Safe Outputs Config + env: + GITHUB_WORKFLOW: ${{ github.workflow }} run: | mkdir -p "${RUNNER_TEMP}/gh-aw/safeoutputs" mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_f762f8a8df5b4160_EOF' - {"create_discussion":{"category":"audits","close_older_discussions":true,"expires":24,"fallback_to_issue":true,"max":1,"title_prefix":"[portfolio] "},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{},"upload_asset":{"allowed-exts":[".png",".jpg",".jpeg"],"branch":"assets/${{ github.workflow }}","max-size":10240}} + cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << GH_AW_SAFE_OUTPUTS_CONFIG_f762f8a8df5b4160_EOF + {"create_discussion":{"category":"audits","close_older_discussions":true,"expires":24,"fallback_to_issue":true,"max":1,"title_prefix":"[portfolio] "},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{},"upload_asset":{"allowed-exts":[".png",".jpg",".jpeg"],"branch":"assets/${GITHUB_WORKFLOW}","max-size":10240}} GH_AW_SAFE_OUTPUTS_CONFIG_f762f8a8df5b4160_EOF - name: Write Safe Outputs Tools env: diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index ef86b0f8b3f..9c3f590301d 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml 
@@ -496,12 +496,14 @@ jobs: exit 1 fi - name: Write Safe Outputs Config + env: + GITHUB_WORKFLOW: ${{ github.workflow }} run: | mkdir -p "${RUNNER_TEMP}/gh-aw/safeoutputs" mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_64ffeed666fa9cd2_EOF' - {"create_discussion":{"category":"artifacts","expires":24,"fallback_to_issue":true,"max":1},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{},"upload_asset":{"allowed-exts":[".png",".jpg",".jpeg"],"branch":"assets/${{ github.workflow }}","max-size":10240}} + cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << GH_AW_SAFE_OUTPUTS_CONFIG_64ffeed666fa9cd2_EOF + {"create_discussion":{"category":"artifacts","expires":24,"fallback_to_issue":true,"max":1},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{},"upload_asset":{"allowed-exts":[".png",".jpg",".jpeg"],"branch":"assets/${GITHUB_WORKFLOW}","max-size":10240}} GH_AW_SAFE_OUTPUTS_CONFIG_64ffeed666fa9cd2_EOF - name: Write Safe Outputs Tools env: diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index 68e61f4e2b3..06aa95ea6c4 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml 
@@ -507,12 +507,14 @@ jobs: - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.18@sha256:c77e8c26bab6c39e8568d8e2f8c17015944849a8cbcdfb4bd9725d8893725ca2 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.18@sha256:d16a40a3ca6e989896d0cef9f31b9412bb1fcc8755bafcafb95012ae1078539b ghcr.io/github/gh-aw-firewall/squid:0.25.18@sha256:eb102afcfbae26ffcec016adebb74d3be7b0a5bf376ba306599cdf3effbe288e ghcr.io/github/gh-aw-mcpg:v0.2.17@sha256:a6dec6ec535a11c565d982afa2f98589805ed0598862b9ea9d3c751fc71afae8 ghcr.io/github/github-mcp-server:v0.32.0@sha256:2763823c63bcca718ce53850a1d7fcf2f501ec84028394f1b63ce7e9f4f9be28 node:lts-alpine@sha256:01743339035a5c3c11a373cd7c83aeab6ed1457b55da6a69e014a95ac4e4700b - name: Write Safe Outputs Config + env: + GITHUB_WORKFLOW: ${{ github.workflow }} run: | mkdir -p "${RUNNER_TEMP}/gh-aw/safeoutputs" mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_81483eaa6376d6b4_EOF' - {"create_issue":{"expires":48,"group":true,"labels":["stale-repository","automated-analysis","cookie"],"max":10,"title_prefix":"[Stale Repository] "},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{},"upload_asset":{"allowed-exts":[".png",".jpg",".jpeg"],"branch":"assets/${{ github.workflow }}","max-size":10240}} + cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << GH_AW_SAFE_OUTPUTS_CONFIG_81483eaa6376d6b4_EOF + {"create_issue":{"expires":48,"group":true,"labels":["stale-repository","automated-analysis","cookie"],"max":10,"title_prefix":"[Stale Repository] 
"},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{},"upload_asset":{"allowed-exts":[".png",".jpg",".jpeg"],"branch":"assets/${GITHUB_WORKFLOW}","max-size":10240}} GH_AW_SAFE_OUTPUTS_CONFIG_81483eaa6376d6b4_EOF - name: Write Safe Outputs Tools env: diff --git a/.github/workflows/weekly-editors-health-check.lock.yml b/.github/workflows/weekly-editors-health-check.lock.yml index 9b112f8d37e..8c8767a0a64 100644 --- a/.github/workflows/weekly-editors-health-check.lock.yml +++ b/.github/workflows/weekly-editors-health-check.lock.yml 
@@ -385,12 +385,14 @@ jobs: - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.18@sha256:c77e8c26bab6c39e8568d8e2f8c17015944849a8cbcdfb4bd9725d8893725ca2 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.18@sha256:d16a40a3ca6e989896d0cef9f31b9412bb1fcc8755bafcafb95012ae1078539b ghcr.io/github/gh-aw-firewall/squid:0.25.18@sha256:eb102afcfbae26ffcec016adebb74d3be7b0a5bf376ba306599cdf3effbe288e ghcr.io/github/gh-aw-mcpg:v0.2.17@sha256:a6dec6ec535a11c565d982afa2f98589805ed0598862b9ea9d3c751fc71afae8 ghcr.io/github/github-mcp-server:v0.32.0@sha256:2763823c63bcca718ce53850a1d7fcf2f501ec84028394f1b63ce7e9f4f9be28 mcr.microsoft.com/playwright/mcp@sha256:7b82f29c6ef83480a97f612d53ac3fd5f30a32df3fea1e06923d4204d3532bb2 node:lts-alpine@sha256:01743339035a5c3c11a373cd7c83aeab6ed1457b55da6a69e014a95ac4e4700b - name: Write Safe Outputs Config + env: + GITHUB_WORKFLOW: ${{ github.workflow }} run: | mkdir -p "${RUNNER_TEMP}/gh-aw/safeoutputs" mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_337a18270da128f9_EOF' - {"create_pull_request":{"expires":168,"labels":["documentation","automation"],"max":1,"max_patch_size":1024,"protected_files":["package.json","bun.lockb","bunfig.toml","deno.json","deno.jsonc","deno.lock","global.json","NuGet.Config","Directory.Packages.props","mix.exs","mix.lock","go.mod","go.sum","stack.yaml","stack.yaml.lock","pom.xml","build.gradle","build.gradle.kts","settings.gradle","settings.gradle.kts","gradle.properties","package-lock.json","yarn.lock","pnpm-lock.yaml","npm-shrinkwrap.json","requirements.txt","Pipfile","Pipfile.lock","pyproject.toml","setup.py","setup.cfg","Gemfile","Gemfile.lock","uv.lock","CODEOWNERS"],"protected_path_prefixes":[".github/",".agents/"],"reviewers":["copilot"],"title_prefix":"[docs] 
"},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{},"upload_asset":{"allowed-exts":[".png",".jpg",".jpeg"],"branch":"assets/${{ github.workflow }}","max":5,"max-size":10240}} + cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << GH_AW_SAFE_OUTPUTS_CONFIG_337a18270da128f9_EOF + {"create_pull_request":{"expires":168,"labels":["documentation","automation"],"max":1,"max_patch_size":1024,"protected_files":["package.json","bun.lockb","bunfig.toml","deno.json","deno.jsonc","deno.lock","global.json","NuGet.Config","Directory.Packages.props","mix.exs","mix.lock","go.mod","go.sum","stack.yaml","stack.yaml.lock","pom.xml","build.gradle","build.gradle.kts","settings.gradle","settings.gradle.kts","gradle.properties","package-lock.json","yarn.lock","pnpm-lock.yaml","npm-shrinkwrap.json","requirements.txt","Pipfile","Pipfile.lock","pyproject.toml","setup.py","setup.cfg","Gemfile","Gemfile.lock","uv.lock","CODEOWNERS"],"protected_path_prefixes":[".github/",".agents/"],"reviewers":["copilot"],"title_prefix":"[docs] "},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{},"upload_asset":{"allowed-exts":[".png",".jpg",".jpeg"],"branch":"assets/${GITHUB_WORKFLOW}","max":5,"max-size":10240}} GH_AW_SAFE_OUTPUTS_CONFIG_337a18270da128f9_EOF - name: Write Safe Outputs Tools env: diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index c9bed013553..3e6e93d5fc8 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml 
@@ -426,12 +426,14 @@ jobs: - name: Download container images run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.18@sha256:c77e8c26bab6c39e8568d8e2f8c17015944849a8cbcdfb4bd9725d8893725ca2 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.18@sha256:d16a40a3ca6e989896d0cef9f31b9412bb1fcc8755bafcafb95012ae1078539b ghcr.io/github/gh-aw-firewall/squid:0.25.18@sha256:eb102afcfbae26ffcec016adebb74d3be7b0a5bf376ba306599cdf3effbe288e ghcr.io/github/gh-aw-mcpg:v0.2.17@sha256:a6dec6ec535a11c565d982afa2f98589805ed0598862b9ea9d3c751fc71afae8 ghcr.io/github/github-mcp-server:v0.32.0@sha256:2763823c63bcca718ce53850a1d7fcf2f501ec84028394f1b63ce7e9f4f9be28 node:lts-alpine@sha256:01743339035a5c3c11a373cd7c83aeab6ed1457b55da6a69e014a95ac4e4700b - name: Write Safe Outputs Config + env: + GITHUB_WORKFLOW: ${{ github.workflow }} run: | mkdir -p "${RUNNER_TEMP}/gh-aw/safeoutputs" mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_cd82b23c6d9d6d0c_EOF' - {"create_discussion":{"category":"audits","close_older_discussions":true,"expires":24,"fallback_to_issue":true,"max":1,"title_prefix":"[Weekly Summary] "},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{},"upload_asset":{"allowed-exts":[".png",".jpg",".jpeg"],"branch":"assets/${{ github.workflow }}","max-size":10240}} + cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << GH_AW_SAFE_OUTPUTS_CONFIG_cd82b23c6d9d6d0c_EOF + {"create_discussion":{"category":"audits","close_older_discussions":true,"expires":24,"fallback_to_issue":true,"max":1,"title_prefix":"[Weekly Summary] 
"},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{},"upload_asset":{"allowed-exts":[".png",".jpg",".jpeg"],"branch":"assets/${GITHUB_WORKFLOW}","max-size":10240}} GH_AW_SAFE_OUTPUTS_CONFIG_cd82b23c6d9d6d0c_EOF - name: Write Safe Outputs Tools env: diff --git a/actions/setup/js/git_helpers.cjs b/actions/setup/js/git_helpers.cjs index 4999838d70c..70becf63bb2 100644 --- a/actions/setup/js/git_helpers.cjs +++ b/actions/setup/js/git_helpers.cjs @@ -76,9 +76,7 @@ function execGitSync(args, options = {}) { const spawnError = result.error; if (spawnError.code === "ENOBUFS") { /** @type {NodeJS.ErrnoException} */ - const bufferError = new Error( - `${ERR_SYSTEM}: Git command output exceeded buffer limit (ENOBUFS). The output from '${args[0]}' is too large for the configured maxBuffer. Consider reducing the diff size or increasing maxBuffer.` - ); + const bufferError = new Error(`${ERR_SYSTEM}: Git command output exceeded buffer limit (ENOBUFS). The output from '${args[0]}' is too large for the configured maxBuffer. Consider reducing the diff size or increasing maxBuffer.`); bufferError.code = "ENOBUFS"; core.error(`Git command buffer overflow: ${gitCommand}`); throw bufferError; diff --git a/pkg/workflow/mcp_setup_generator.go b/pkg/workflow/mcp_setup_generator.go index 78b0ee623d6..85286926d06 100644 --- a/pkg/workflow/mcp_setup_generator.go +++ b/pkg/workflow/mcp_setup_generator.go 
@@ -209,18 +209,34 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, // AND exceeds 21,000 characters total. yaml.WriteString(" - name: Write Safe Outputs Config\n") - // SECURITY: extract any ${{ secrets.* }} from config.json content and pass them - // as env vars so the shell treats the values as data, not syntax. + // SECURITY: extract ${{ secrets.* }} and ${{ github.* }} expressions from + // config.json content and pass them as env vars so the shell treats the + // values as data, not syntax. This prevents template-injection + // vulnerabilities flagged by zizmor/CodeQL for run: blocks. configSecrets := ExtractSecretsFromValue(safeOutputConfig) - if len(configSecrets) > 0 { + configContextVars := ExtractGitHubContextExpressionsFromValue(safeOutputConfig) + + // Build the combined env: block from secrets and GitHub context expressions. + // Secrets MUST be set explicitly (the runner doesn't expose them as env vars). + // GitHub context vars already exist as GITHUB_* env vars on the runner, but + // we still list them in env: for clarity and to satisfy static-analysis tools + // that flag any ${{ }} outside env:/with: blocks. 
+ hasEnvVars := len(configSecrets) > 0 || len(configContextVars) > 0 + if hasEnvVars { yaml.WriteString(" env:\n") - secretKeys := make([]string, 0, len(configSecrets)) - for k := range configSecrets { - secretKeys = append(secretKeys, k) + envKeys := make([]string, 0, len(configSecrets)+len(configContextVars)) + envValues := make(map[string]string, len(configSecrets)+len(configContextVars)) + for k, v := range configSecrets { + envKeys = append(envKeys, k) + envValues[k] = v } - sort.Strings(secretKeys) - for _, varName := range secretKeys { - yaml.WriteString(" " + varName + ": " + configSecrets[varName] + "\n") + for k, v := range configContextVars { + envKeys = append(envKeys, k) + envValues[k] = v + } + sort.Strings(envKeys) + for _, varName := range envKeys { + yaml.WriteString(" " + varName + ": " + envValues[varName] + "\n") } } @@ -240,13 +256,16 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, // Write the safe-outputs configuration to config.json delimiter := GenerateHeredocDelimiterFromSeed("SAFE_OUTPUTS_CONFIG", workflowData.FrontmatterHash) if safeOutputConfig != "" { - if len(configSecrets) > 0 { - // Replace ${{ secrets.X }} with ${X} and use unquoted heredoc so the - // shell expands the env var references we set above. + if hasEnvVars { + // Replace ${{ ... }} expressions with ${VAR} shell references and use + // an unquoted heredoc so the shell expands them at runtime. sanitizedConfig := safeOutputConfig for varName, secretExpr := range configSecrets { sanitizedConfig = strings.ReplaceAll(sanitizedConfig, secretExpr, "${"+varName+"}") } + for varName, ctxExpr := range configContextVars { + sanitizedConfig = strings.ReplaceAll(sanitizedConfig, ctxExpr, "${"+varName+"}") + } yaml.WriteString(" cat > \"${RUNNER_TEMP}/gh-aw/safeoutputs/config.json\" << " + delimiter + "\n") yaml.WriteString(" " + sanitizedConfig + "\n") yaml.WriteString(" " + delimiter + "\n") 
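Review bot: Once `hasEnvVars` is true, all of `sanitizedConfig` is written through an unquoted heredoc, so the shell interprets every other `$`, backtick and backslash in the config JSON (a `\\` in a `title_prefix` comes out as `\`), and any `${{ … }}` left unextracted is substituted into text the shell then expands. Before this change only configs carrying secrets took this path; the regenerated lock files in this patch show it now applies to any config with a `github.*` reference. Escaping the literal text before inserting the `${VAR}` references, as sketched below, limits expansion to the names placed in `env:`, and a config that still contains `${{` after replacement is better reported at compile time than written here. The expanded values are also not JSON-escaped, so a double quote in a branch name arriving through `github.head_ref` or `github.ref_name` can change the structure of config.json. generateMCPSetup starts and ends outside this hunk.

```go
if hasEnvVars {
	// Escape what an unquoted heredoc would interpret, then swap the (escaped)
	// expressions for the ${VAR} references set in env: above.
	heredocEscaper := strings.NewReplacer(`\`, `\\`, "$", `\$`, "`", "\\`")
	sanitizedConfig := heredocEscaper.Replace(safeOutputConfig)
	for varName, secretExpr := range configSecrets {
		sanitizedConfig = strings.ReplaceAll(sanitizedConfig, heredocEscaper.Replace(secretExpr), "${"+varName+"}")
	}
	for varName, ctxExpr := range configContextVars {
		sanitizedConfig = strings.ReplaceAll(sanitizedConfig, heredocEscaper.Replace(ctxExpr), "${"+varName+"}")
	}
	// … unchanged: cat > config.json << delimiter, config body, closing delimiter …
```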
diff --git a/pkg/workflow/secret_extraction.go b/pkg/workflow/secret_extraction.go index 22554f25c48..5c36f3a048c 100644 --- a/pkg/workflow/secret_extraction.go +++ b/pkg/workflow/secret_extraction.go 
@@ -178,6 +178,68 @@ func ExtractEnvExpressionsFromValue(value string) map[string]string { return envExpressions } +// gitHubContextExprPattern matches ${{ github.PROPERTY }} expressions where PROPERTY is a +// simple dotted identifier (e.g., github.workflow, github.ref_name, github.run_id). +// Complex expressions with operators (||, &&) or nested event payloads (github.event.issue.title) +// are excluded because they may not map to well-known runner environment variables. +var gitHubContextExprPattern = regexp.MustCompile(`\$\{\{\s*github\.([a-z][a-z0-9_.]*)\s*\}\}`) + +// gitHubContextEnvVarMap maps common github.* context properties to their corresponding +// GitHub Actions runner environment variables (always available on all runners). +var gitHubContextEnvVarMap = map[string]string{ + "workflow": "GITHUB_WORKFLOW", + "run_id": "GITHUB_RUN_ID", + "run_number": "GITHUB_RUN_NUMBER", + "run_attempt": "GITHUB_RUN_ATTEMPT", + "actor": "GITHUB_ACTOR", + "repository": "GITHUB_REPOSITORY", + "event_name": "GITHUB_EVENT_NAME", + "sha": "GITHUB_SHA", + "ref": "GITHUB_REF", + "ref_name": "GITHUB_REF_NAME", + "ref_type": "GITHUB_REF_TYPE", + "head_ref": "GITHUB_HEAD_REF", + "base_ref": "GITHUB_BASE_REF", + "server_url": "GITHUB_SERVER_URL", + "job": "GITHUB_JOB", + "action": "GITHUB_ACTION", + "workspace": "GITHUB_WORKSPACE", + "workflow_ref": "GITHUB_WORKFLOW_REF", + "workflow_sha": "GITHUB_WORKFLOW_SHA", + "repository_owner": "GITHUB_REPOSITORY_OWNER", + "triggering_actor": "GITHUB_TRIGGERING_ACTOR", + "token": "GITHUB_TOKEN", +} + +// ExtractGitHubContextExpressionsFromValue extracts all simple ${{ github.X }} expressions from a +// string value and maps them to their corresponding GitHub Actions runner environment variable names. +// Only well-known context properties that have a corresponding GITHUB_* env var are extracted. +// Returns a map of env var name -> full expression. 
+// +// Examples: +// - "${{ github.workflow }}" -> {"GITHUB_WORKFLOW": "${{ github.workflow }}"} +// - "${{ github.ref_name }}" -> {"GITHUB_REF_NAME": "${{ github.ref_name }}"} +// - "${{ github.event.issue.title }}" -> {} (not a well-known property, skipped) +func ExtractGitHubContextExpressionsFromValue(value string) map[string]string { + result := make(map[string]string) + + matches := gitHubContextExprPattern.FindAllStringSubmatch(value, -1) + for _, match := range matches { + if len(match) < 2 { + continue + } + property := match[1] + fullExpr := match[0] + + if envVar, known := gitHubContextEnvVarMap[property]; known { + result[envVar] = fullExpr + secretLog.Printf("Extracted GitHub context expression: %s -> %s", fullExpr, envVar) + } + } + + return result +} + // ReplaceTemplateExpressionsWithEnvVars replaces all template expressions with environment variable references // Handles: secrets.*, env.*, and github.workspace // Examples: diff --git a/pkg/workflow/secret_extraction_test.go b/pkg/workflow/secret_extraction_test.go index 2a5ab23f365..5414b878ecf 100644 --- a/pkg/workflow/secret_extraction_test.go +++ b/pkg/workflow/secret_extraction_test.go 
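Review bot: `result[envVar] = fullExpr` keeps a single spelling per variable, so a config holding both `${{ github.workflow }}` and `${{github.workflow}}` returns only the last match and the caller's `strings.ReplaceAll` leaves the other one in the `run:` block. Replacing through the pattern itself in the caller (for example with `gitHubContextExprPattern.ReplaceAllStringFunc`) or keying the result by expression would cover every spelling, and a test case with mixed spacing would pin it. Separately, `"token": "GITHUB_TOKEN"` sits in a map documented as variables "always available on all runners", but `github.token` is a credential and, as far as I know, is not among the runner's default environment variables. Routing it through here writes the token in clear into config.json, so it seems safer to drop that entry or leave it to the secrets path.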
@@ -378,3 +378,78 @@ func TestSharedExtractSecretsFromValueEdgeCases(t *testing.T) { }) } } + +func TestExtractGitHubContextExpressionsFromValue(t *testing.T) { + tests := []struct { + name string + value string + expected map[string]string + }{ + { + name: "simple github.workflow", + value: `"branch":"assets/${{ github.workflow }}"`, + expected: map[string]string{"GITHUB_WORKFLOW": "${{ github.workflow }}"}, + }, + { + name: "github.ref_name", + value: `"base-branch":"${{ github.ref_name }}"`, + expected: map[string]string{"GITHUB_REF_NAME": "${{ github.ref_name }}"}, + }, + { + name: "github.run_id", + value: `"key":"cache-${{ github.run_id }}"`, + expected: map[string]string{"GITHUB_RUN_ID": "${{ github.run_id }}"}, + }, + { + name: "multiple expressions", + value: `"branch":"${{ github.workflow }}/run-${{ github.run_id }}"`, + expected: map[string]string{"GITHUB_WORKFLOW": "${{ github.workflow }}", "GITHUB_RUN_ID": "${{ github.run_id }}"}, + }, + { + name: "no expressions", + value: `"branch":"assets/my-workflow"`, + expected: map[string]string{}, + }, + { + name: "secrets are not extracted", + value: `"token":"${{ secrets.MY_TOKEN }}"`, + expected: map[string]string{}, + }, + { + name: "complex event payload not extracted", + value: `"title":"${{ github.event.issue.title }}"`, + expected: map[string]string{}, + }, + { + name: "expression with spaces", + value: `"branch":"assets/${{ github.workflow }}"`, + expected: map[string]string{"GITHUB_WORKFLOW": "${{ github.workflow }}"}, + }, + { + name: "github.actor", + value: `"actor":"${{ github.actor }}"`, + expected: map[string]string{"GITHUB_ACTOR": "${{ github.actor }}"}, + }, + { + name: "github.repository", + value: `"repo":"${{ github.repository }}"`, + expected: map[string]string{"GITHUB_REPOSITORY": "${{ github.repository }}"}, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + result := ExtractGitHubContextExpressionsFromValue(tt.value) + + if len(result) != len(tt.expected) { 
+ t.Errorf("Expected %d results, got %d: %v", len(tt.expected), len(result), result) + } + + for varName, expr := range tt.expected { + if result[varName] != expr { + t.Errorf("Expected %q to have expression %q, got %q", varName, expr, result[varName]) + } + } + }) + } +} From 67dbbcb04e0d5b37d4853bf7173564ae50471daf Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sun, 12 Apr 2026 04:47:27 +0000 Subject: [PATCH 3/4] Address code review feedback: use assert.Equal in tests, add docs reference Agent-Logs-Url: https://github.com/github/gh-aw/sessions/22cff3a9-de45-47b6-8dbb-f8e7acb36115 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- pkg/workflow/mcp_setup_generator.go | 2 +- pkg/workflow/secret_extraction.go | 1 + pkg/workflow/secret_extraction_test.go | 10 ++++------ 3 files changed, 6 insertions(+), 7 deletions(-) diff --git a/pkg/workflow/mcp_setup_generator.go b/pkg/workflow/mcp_setup_generator.go index 85286926d06..bc03d01e1ae 100644 --- a/pkg/workflow/mcp_setup_generator.go +++ b/pkg/workflow/mcp_setup_generator.go @@ -220,7 +220,7 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, // Secrets MUST be set explicitly (the runner doesn't expose them as env vars). // GitHub context vars already exist as GITHUB_* env vars on the runner, but // we still list them in env: for clarity and to satisfy static-analysis tools - // that flag any ${{ }} outside env:/with: blocks. + // (zizmor, CodeQL) that flag any ${{ }} outside env:/with: blocks. hasEnvVars := len(configSecrets) > 0 || len(configContextVars) > 0 if hasEnvVars { yaml.WriteString(" env:\n") diff --git a/pkg/workflow/secret_extraction.go b/pkg/workflow/secret_extraction.go index 5c36f3a048c..34e5c4d52ea 100644 --- a/pkg/workflow/secret_extraction.go +++ b/pkg/workflow/secret_extraction.go 
@@ -186,6 +186,7 @@ var gitHubContextExprPattern = regexp.MustCompile(`\$\{\{\s*github\.([a-z][a-z0- // gitHubContextEnvVarMap maps common github.* context properties to their corresponding // GitHub Actions runner environment variables (always available on all runners). +// See: https://docs.github.com/en/actions/learn-github-actions/variables#default-environment-variables var gitHubContextEnvVarMap = map[string]string{ "workflow": "GITHUB_WORKFLOW", "run_id": "GITHUB_RUN_ID", diff --git a/pkg/workflow/secret_extraction_test.go b/pkg/workflow/secret_extraction_test.go index 5414b878ecf..b24a6545ac9 100644 --- a/pkg/workflow/secret_extraction_test.go +++ b/pkg/workflow/secret_extraction_test.go @@ -4,6 +4,8 @@ package workflow import ( "testing" + + "github.com/stretchr/testify/assert" ) // TestSharedExtractSecretName tests the shared ExtractSecretName utility function @@ -441,14 +443,10 @@ func TestExtractGitHubContextExpressionsFromValue(t *testing.T) { t.Run(tt.name, func(t *testing.T) { result := ExtractGitHubContextExpressionsFromValue(tt.value) - if len(result) != len(tt.expected) { - t.Errorf("Expected %d results, got %d: %v", len(tt.expected), len(result), result) - } + assert.Equal(t, len(tt.expected), len(result), "Should extract expected number of GitHub context expressions") for varName, expr := range tt.expected { - if result[varName] != expr { - t.Errorf("Expected %q to have expression %q, got %q", varName, expr, result[varName]) - } + assert.Equal(t, expr, result[varName], "Env var %q should map to the correct expression", varName) } }) } From 322035b58b0f2e48b71616da0b97a93923a6aff6 Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sun, 12 Apr 2026 10:05:14 +0000 Subject: [PATCH 4/4] Address review comments: fix comment accuracy and secret precedence on key collision - secret_extraction.go: Clarify that the regex matches nested properties like github.event.issue.title but the map filters them out (not the regex itself). - mcp_setup_generator.go: Add context vars to envValues first, then secrets, so secrets always take precedence on key collision. - secret_extraction_test.go: Use assert.Len instead of assert.Equal(len, len) to satisfy testifylint. Agent-Logs-Url: https://github.com/github/gh-aw/sessions/ff433af4-2b6b-46b4-8f63-fa5b57ddba8e Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- pkg/workflow/mcp_setup_generator.go | 12 +++++++++--- pkg/workflow/secret_extraction.go | 10 ++++++---- pkg/workflow/secret_extraction_test.go | 2 +- 3 files changed, 16 insertions(+), 8 deletions(-) diff --git a/pkg/workflow/mcp_setup_generator.go b/pkg/workflow/mcp_setup_generator.go index bc03d01e1ae..575086354e8 100644 --- a/pkg/workflow/mcp_setup_generator.go +++ b/pkg/workflow/mcp_setup_generator.go 
@@ -221,17 +221,23 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, // GitHub context vars already exist as GITHUB_* env vars on the runner, but // we still list them in env: for clarity and to satisfy static-analysis tools // (zizmor, CodeQL) that flag any ${{ }} outside env:/with: blocks. + // + // Secrets take precedence over context vars when both maps share a key + // (e.g. a secret named GITHUB_WORKFLOW would shadow the context var). hasEnvVars := len(configSecrets) > 0 || len(configContextVars) > 0 if hasEnvVars { yaml.WriteString(" env:\n") envKeys := make([]string, 0, len(configSecrets)+len(configContextVars)) envValues := make(map[string]string, len(configSecrets)+len(configContextVars)) - for k, v := range configSecrets { + // Add context vars first so secrets overwrite them on collision. + for k, v := range configContextVars { envKeys = append(envKeys, k) envValues[k] = v } - for k, v := range configContextVars { - envKeys = append(envKeys, k) + for k, v := range configSecrets { + if _, exists := envValues[k]; !exists { + envKeys = append(envKeys, k) + } envValues[k] = v } sort.Strings(envKeys) diff --git a/pkg/workflow/secret_extraction.go b/pkg/workflow/secret_extraction.go index 34e5c4d52ea..2e0014b66ee 100644 --- a/pkg/workflow/secret_extraction.go +++ b/pkg/workflow/secret_extraction.go 
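Review bot: On a key collision this keeps the secret's expression in `env:`, but the replacement loops further down (outside this hunk) still rewrite both the secret and the context expression to the same `${NAME}`, so the position that held `${{ github.workflow }}` would receive the secret's value in config.json. GitHub rejects secret names that start with `GITHUB_`, so the case should not arise with real secrets, which argues for reporting a collision at compile time rather than resolving it silently. If the precedence stays, a comment such as `// collision: the context reference will expand to the secret value` on the `envValues[k] = v` line would make the consequence visible to the next reader.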
@@ -180,8 +180,9 @@ func ExtractEnvExpressionsFromValue(value string) map[string]string { // gitHubContextExprPattern matches ${{ github.PROPERTY }} expressions where PROPERTY is a // simple dotted identifier (e.g., github.workflow, github.ref_name, github.run_id). -// Complex expressions with operators (||, &&) or nested event payloads (github.event.issue.title) -// are excluded because they may not map to well-known runner environment variables. +// Complex expressions with operators (||, &&) are excluded by the regex. Nested dotted +// properties such as github.event.issue.title may still match this pattern, but are only +// accepted later if they are present in gitHubContextEnvVarMap. var gitHubContextExprPattern = regexp.MustCompile(`\$\{\{\s*github\.([a-z][a-z0-9_.]*)\s*\}\}`) // gitHubContextEnvVarMap maps common github.* context properties to their corresponding @@ -214,13 +215,14 @@ var gitHubContextEnvVarMap = map[string]string{ // ExtractGitHubContextExpressionsFromValue extracts all simple ${{ github.X }} expressions from a // string value and maps them to their corresponding GitHub Actions runner environment variable names. -// Only well-known context properties that have a corresponding GITHUB_* env var are extracted. +// Only well-known context properties present in gitHubContextEnvVarMap are extracted; nested +// properties like github.event.issue.title are matched by the regex but filtered out by the map. // Returns a map of env var name -> full expression. // // Examples: // - "${{ github.workflow }}" -> {"GITHUB_WORKFLOW": "${{ github.workflow }}"} // - "${{ github.ref_name }}" -> {"GITHUB_REF_NAME": "${{ github.ref_name }}"} -// - "${{ github.event.issue.title }}" -> {} (not a well-known property, skipped) +// - "${{ github.event.issue.title }}" -> {} (not in gitHubContextEnvVarMap, skipped) func ExtractGitHubContextExpressionsFromValue(value string) map[string]string { result := make(map[string]string) 
diff --git a/pkg/workflow/secret_extraction_test.go b/pkg/workflow/secret_extraction_test.go index b24a6545ac9..b2590d7457c 100644 --- a/pkg/workflow/secret_extraction_test.go +++ b/pkg/workflow/secret_extraction_test.go @@ -443,7 +443,7 @@ func TestExtractGitHubContextExpressionsFromValue(t *testing.T) { t.Run(tt.name, func(t *testing.T) { result := ExtractGitHubContextExpressionsFromValue(tt.value) - assert.Equal(t, len(tt.expected), len(result), "Should extract expected number of GitHub context expressions") + assert.Len(t, result, len(tt.expected), "Should extract expected number of GitHub context expressions") for varName, expr := range tt.expected { assert.Equal(t, expr, result[varName], "Env var %q should map to the correct expression", varName)