Ensure activation secret validation is skipped when top-level environment is configured #26650

Merged
pelikhan merged 4 commits into main from copilot/fix-environment-propagation-issue
Apr 16, 2026

Copilot AI commented Apr 16, 2026

environment: in frontmatter is intended to enable environment-scoped secrets, but activation could still run early engine token validation in contexts where those secrets aren’t available yet. This created a mismatch that could block workflows before downstream jobs run.

  • What changed

    • Added targeted regression coverage for activation job generation when top-level environment is set.
    • The new test asserts activation does not emit:
      • validate-secret step
      • secret_verification_result output
    • This aligns activation behavior with existing environment-aware secret validation logic and prevents early token checks from blocking environment-secret workflows.
  • Files updated

    • pkg/workflow/compiler_activation_jobs_test.go
  • Example assertion added

    assert.NotContains(t, stepsStr, "id: validate-secret")
    assert.NotContains(t, job.Outputs, "secret_verification_result")

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:


Copilot AI and others added 3 commits April 16, 2026 13:36
This reverts commit 47cc048.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix environment frontmatter propagation to activation job" to "Ensure activation secret validation is skipped when top-level environment is configured" Apr 16, 2026
Copilot AI requested a review from pelikhan April 16, 2026 14:16
@pelikhan pelikhan marked this pull request as ready for review April 16, 2026 14:21
Copilot AI review requested due to automatic review settings April 16, 2026 14:21
@pelikhan pelikhan merged commit 85e869a into main Apr 16, 2026
52 of 54 checks passed
@pelikhan pelikhan deleted the copilot/fix-environment-propagation-issue branch April 16, 2026 14:21
@github-actions github-actions bot mentioned this pull request Apr 16, 2026

Copilot AI left a comment

Pull request overview

Adds regression coverage to ensure activation job generation does not perform early secret/token validation when a top-level environment: is configured in workflow frontmatter (so environment-scoped secrets don’t block workflows before downstream jobs run).

Changes:

  • Added a new unit test asserting the activation job omits the validate-secret step when WorkflowData.Environment is set.
  • Added assertions that the activation job does not publish the secret_verification_result output when secret validation is skipped.
| File | Description |
| --- | --- |
| pkg/workflow/compiler_activation_jobs_test.go | Adds regression test ensuring activation job skips secret validation and related outputs when top-level environment is configured. |

Copilot's findings

  • Files reviewed: 1/1 changed files
  • Comments generated: 1

Comment on lines +287 to +302
func TestBuildActivationJob_SkipsSecretValidationWithEnvironment(t *testing.T) {
compiler := NewCompiler()

workflowData := &WorkflowData{
Name: "Test Workflow",
Environment: "environment: production",
}

job, err := compiler.buildActivationJob(workflowData, false, "", "test.lock.yml")
require.NoError(t, err, "buildActivationJob should succeed")
require.NotNil(t, job)

stepsStr := strings.Join(job.Steps, "")
assert.NotContains(t, stepsStr, "id: validate-secret", "Activation job should skip validate-secret when top-level environment is configured")
assert.NotContains(t, job.Outputs, "secret_verification_result", "Activation job should not expose secret_verification_result output when validate-secret is skipped")
}
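
Review bot: Both closing assertions in this hunk are negative (assert.NotContains on stepsStr and on job.Outputs), so the test also passes if buildActivationJob returns a job with no steps at all, or if the step id string is ever renamed. Consider adding a positive check before them, such as require.NotEmpty(t, job.Steps, "activation job should emit steps"), so the absence of "id: validate-secret" is asserted against a non-trivial job.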

Copilot AI Apr 16, 2026

This test relies on the default engine/config to decide whether a validate-secret step would normally be emitted. To make the regression intent explicit (and avoid false positives if defaults change, e.g. default engine or feature flags), consider setting workflowData.AI (or engine) to a known engine that requires secret validation (e.g. copilot) and adding a quick control assertion that id: validate-secret/secret_verification_result are present when Environment is empty, then absent when Environment is set.

@github-actions
Contributor

🧪 Test Quality Sentinel Report

Test Quality Score: 95/100

Excellent test quality

| Metric | Value |
| --- | --- |
| New/modified tests analyzed | 1 |
| ✅ Design tests (behavioral contracts) | 1 (100%) |
| ⚠️ Implementation tests (low value) | 0 (0%) |
| Tests with error/edge cases | 1 (100%) |
| Duplicate test clusters | 0 |
| Test inflation detected | N/A (no production file changed in PR) |
| 🚨 Coding-guideline violations | 0 (Go mock libraries / missing build tags / missing assertion messages) |

Test Classification Details

| Test | File | Classification | Issues Detected |
| --- | --- | --- | --- |
| TestBuildActivationJob_SkipsSecretValidationWithEnvironment | pkg/workflow/compiler_activation_jobs_test.go:285 | ✅ Design | Minor: require.NotNil(t, job) missing descriptive message |

Test Analysis

TestBuildActivationJob_SkipsSecretValidationWithEnvironment

Classification: Design test (behavioral contract)

What design invariant does this test enforce?
It enforces the contract that when a top-level environment field is set on the workflow, the activation job must not include a validate-secret step and must not expose a secret_verification_result output. This maps directly to observable behavior that users and downstream jobs depend on.

What would break if deleted? A regression where buildActivationJob accidentally re-introduces validate-secret when Environment is set would go completely undetected. The PR title itself describes this as the key contract being protected.

Positive signals:

  • Tests the conditional branch in BuildDefaultSecretValidationStep (the strings.TrimSpace(workflowData.Environment) != "" guard in engine_helpers.go)
  • Uses both assert.NotContains assertions with descriptive messages ✓
  • Uses require.NoError with a descriptive message ✓
  • Build tag //go:build !integration present on line 1 ✓
  • No mock libraries used ✓

Minor flag: require.NotNil(t, job) on line ~298 is missing a descriptive message argument. Per the project guideline, every assertion should have a message (e.g., require.NotNil(t, job, "buildActivationJob should return a non-nil job")). This is a minor style issue — not a blocking concern.


Language Support

Tests analyzed:

  • 🐹 Go (*_test.go): 1 test — unit (//go:build !integration)
  • 🟨 JavaScript (*.test.cjs, *.test.js): 0 tests

Verdict

Check passed. 0% of new tests are implementation tests (threshold: 30%). The single new test is a well-written behavioral contract test that directly verifies the feature described in the PR title.


📖 Understanding Test Classifications

Design Tests (High Value) verify what the system does:

  • Assert on observable outputs, return values, or state changes
  • Cover error paths and boundary conditions
  • Would catch a behavioral regression if deleted
  • Remain valid even after internal refactoring

Implementation Tests (Low Value) verify how the system does it:

  • Assert on internal function calls (mocking internals)
  • Only test the happy path with typical inputs
  • Break during legitimate refactoring even when behavior is correct
  • Give false assurance: they pass even when the system is wrong

Goal: Shift toward tests that describe the system's behavioral contract — the promises it makes to its users and collaborators.

References: §24515591544

Note

🔒 Integrity filter blocked 1 item

The following item was blocked because it doesn't meet the GitHub integrity level.

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

🧪 Test quality analysis by Test Quality Sentinel · ● 1.1M ·

Contributor

@github-actions github-actions bot left a comment

✅ Test Quality Sentinel: 95/100. Test quality is excellent — 0% of new tests are implementation tests (threshold: 30%). The single new test TestBuildActivationJob_SkipsSecretValidationWithEnvironment is a well-written behavioral contract test with proper build tags and no mock libraries. Minor: require.NotNil(t, job) is missing a descriptive message argument.

Development

Successfully merging this pull request may close these issues.

environment: frontmatter does not propagate to activation job — environment-level secrets fail validation

3 participants