Pass workflow allowed domains into activation compute_text sanitization #27639

Merged
pelikhan merged 4 commits into main from copilot/fix-redacted-urls-issue
Apr 21, 2026

Copilot AI commented Apr 21, 2026

Incoming text sanitization in the activation job was using only the hardcoded default domain allow-list, so user URLs from network.allowed / safe-outputs.allowed-domains were redacted before the agent saw them. This made input-side sanitization inconsistent with output-side sanitization.

  • Activation sanitize step now receives the same domain allow-list as output sanitization

    • Updated pkg/workflow/compiler_activation_job_builder.go in the NeedsTextOutput path (id: sanitized).
    • The step now sets GH_AW_ALLOWED_DOMAINS using existing compiler logic:
      • computeExpandedAllowedDomainsForSanitization(...) when safe-outputs.allowed-domains is configured
      • otherwise computeAllowedDomainsForSanitization(...)
    • GH_AW_ALLOWED_BOTS behavior remains unchanged; env emission is now assembled cleanly from present vars.
  • Regression coverage for sanitized-step env wiring

    • Added a focused test in pkg/workflow/compute_text_lazy_test.go:
      • TestComputeTextStepIncludesAllowedDomainsEnv
    • Verifies the compiled sanitized step contains:
      • GH_AW_ALLOWED_BOTS
      • GH_AW_ALLOWED_DOMAINS
      • domain entries sourced from both network.allowed and safe-outputs.allowed-domains.

```go
var domainsStr string
if data.SafeOutputs != nil && len(data.SafeOutputs.AllowedDomains) > 0 {
	domainsStr = c.computeExpandedAllowedDomainsForSanitization(data)
} else {
	domainsStr = c.computeAllowedDomainsForSanitization(data)
}
if domainsStr != "" {
	envLines = append(envLines, formatYAMLEnv("          ", "GH_AW_ALLOWED_DOMAINS", domainsStr))
}
```

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/repos/nonexistent/repo/actions/runs/12345
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE b/gh-aw/pkg/logg-unsafeptr=false ache/go/1.25.8/x-unreachable=false 64/pkg/tool/linu/tmp/go-build177171249/b114/vet.cfg (http block)
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion **/*.json --ignore-path ../../../.prettiActor: ${{ github.actor }}, Repo: ${{ github.repository }} go env -json GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE go env ithub/workflows GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/owner/repo/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json age/compact/comp-ifaceassert x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh workflow list --repo owner/repo --json name,path,state x_amd64/compile GOINSECURE hpke GOMODCACHE x_amd64/compile (http block)
  • https://api.github.com/repos/test-owner/test-repo/actions/secrets
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name 99330001/001' 99330001/001' x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name -json GO111MODULE tions/setup/js/nGOMODCACHE GOINSECURE GOMOD GOMODCACHE go tion�� -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name ck 'scripts/**/*GOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE sh (http block)
  • https://api.github.com/repos/test/repo
    • Triggering command: /usr/bin/gh gh api /repos/test/repo --jq .default_branch 3836980/b235/_pkg_.a NNuM/NZNs7zEf3uyY_7BzNNuM ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet GOINSECURE osh-tekuri/jsonsrev-parse GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/test/repo --jq .default_branch -json GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env -json GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linu5 (http block)
    • Triggering command: /usr/bin/gh gh api /repos/test/repo --jq .default_branch edOutput4084930777/001 GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env -json GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI and others added 2 commits April 21, 2026 18:14
Copilot AI changed the title from "[WIP] Fix redaction of non-GitHub URLs in compute_text step" to "Pass workflow allowed domains into activation compute_text sanitization" Apr 21, 2026
Copilot AI requested a review from pelikhan April 21, 2026 18:26
@pelikhan pelikhan marked this pull request as ready for review April 21, 2026 18:28
Copilot AI review requested due to automatic review settings April 21, 2026 18:28
Contributor

Copilot AI left a comment

Pull request overview

Updates activation-job incoming text sanitization so it uses the same allowed-domain allow-list as output-side sanitization, preventing user-configured domains from being incorrectly redacted before the agent sees them.

Changes:

  • Pass GH_AW_ALLOWED_DOMAINS into the activation job’s sanitized (compute_text.cjs) step, computed from either safe-outputs.allowed-domains (expanded) or the default/network-based allow-list.
  • Refactor env emission for the sanitized step to be assembled from present variables (GH_AW_ALLOWED_BOTS unchanged; domains added when non-empty).
  • Add a regression test verifying the compiled sanitized step includes both GH_AW_ALLOWED_BOTS and GH_AW_ALLOWED_DOMAINS and that domain sources are correctly represented.
| File | Description |
| --- | --- |
| pkg/workflow/compiler_activation_job_builder.go | Wires computed allowed-domain list into the activation sanitized step via GH_AW_ALLOWED_DOMAINS, aligning input sanitization with output sanitization behavior. |
| pkg/workflow/compute_text_lazy_test.go | Adds a focused regression test to ensure the compiled sanitized step’s env includes bots + allowed domains sourced from both network.allowed and safe-outputs.allowed-domains. |

Copilot's findings

  • Files reviewed: 2/2 changed files
  • Comments generated: 0

@github-actions
Contributor

🧪 Test Quality Sentinel Report

Test Quality Score: 90/100

Excellent test quality

| Metric | Value |
| --- | --- |
| New/modified tests analyzed | 1 |
| ✅ Design tests (behavioral contracts) | 1 (100%) |
| ⚠️ Implementation tests (low value) | 0 (0%) |
| Tests with error/edge cases | 1 (100%) |
| Duplicate test clusters | 0 |
| Test inflation detected | ⚠️ Yes (116 test lines vs 14 production lines, ratio ≈ 8.3:1) |
| 🚨 Coding-guideline violations | None |

Test Classification Details

| Test | File | Classification | Issues Detected |
| --- | --- | --- | --- |
| TestComputeTextStepIncludesAllowedDomainsEnv | pkg/workflow/compute_text_lazy_test.go:414 | ✅ Design | Test inflation flag (see below); otherwise strong behavioral coverage |

Test Analysis

TestComputeTextStepIncludesAllowedDomainsEnv (pkg/workflow/compute_text_lazy_test.go:414)

Classification: Design test (behavioral contract)

What design invariant does this test enforce? It verifies that the compiler correctly passes network.allowed domains and safe-outputs.allowed-domains into the compute_text sanitization step's env block as GH_AW_ALLOWED_DOMAINS — the core behavioral contract of this PR.

What would break if deleted? A regression in domain-passing logic would go undetected. Both domain sources must be merged; deleting this test means that fix could silently regress.

Strengths:

  • Compiles a real workflow file end-to-end using NewCompiler().CompileWorkflow() — tests actual system behavior
  • Separately verifies both domain sources (cnn.com from network.allowed, bbc.com from safe-outputs.allowed-domains) are included, confirming the merge logic
  • Verifies GH_AW_ALLOWED_BOTS env var is also populated correctly
  • All t.Errorf/t.Fatalf calls include descriptive context strings
  • No mock libraries used — real component interaction ✅
  • Build tag //go:build !integration present ✅

⚠️ Test Inflation Note

The test file added 116 lines against 14 lines of production code (ratio ~8.3:1), exceeding the 2:1 threshold. However, this is expected and justified for this type of test: the 116 lines are largely structural overhead required to:

  1. Create a temp directory and write a workflow markdown fixture
  2. Run the compiler end-to-end
  3. Parse the resulting YAML lock file line-by-line to locate the sanitized step and its env block
  4. Assert five specific behavioral properties

The inflation flag is a mechanical artifact of integration-style tests — the extra lines add genuine verification value rather than duplicating assertions. No action needed.


Language Support

Tests analyzed:

  • 🐹 Go (*_test.go): 1 test — unit (//go:build !integration)
  • 🟨 JavaScript (*.test.cjs, *.test.js): 0 tests

Verdict

Check passed. 0% of new tests are implementation tests (threshold: 30%). The single new test directly validates the behavioral contract introduced by this PR — that allowed domains from both network.allowed and safe-outputs.allowed-domains are correctly threaded into the compute_text sanitization step.


📖 Understanding Test Classifications

Design Tests (High Value) verify what the system does:

  • Assert on observable outputs, return values, or state changes
  • Cover error paths and boundary conditions
  • Would catch a behavioral regression if deleted
  • Remain valid even after internal refactoring

Implementation Tests (Low Value) verify how the system does it:

  • Assert on internal function calls (mocking internals)
  • Only test the happy path with typical inputs
  • Break during legitimate refactoring even when behavior is correct
  • Give false assurance: they pass even when the system is wrong

Goal: Shift toward tests that describe the system's behavioral contract — the promises it makes to its users and collaborators.

🧪 Test quality analysis by Test Quality Sentinel · ● 485.8K ·

Contributor

@github-actions github-actions Bot left a comment

✅ Test Quality Sentinel: 90/100. Test quality is excellent — 0% of new tests are implementation tests (threshold: 30%). The new test TestComputeTextStepIncludesAllowedDomainsEnv directly validates the behavioral contract of this PR via real end-to-end compilation.

…ed-domains

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@github-actions
Contributor

Commit pushed: ff501a1

🏗️ ADR gate enforced by Design Decision Gate 🏗️

@github-actions
Contributor

🏗️ Design Decision Gate — ADR Required

This PR makes significant changes to core business logic (130 new lines in pkg/ directories) but does not have a linked Architecture Decision Record (ADR).

AI has analyzed the PR diff and generated a draft ADR to help you get started:

📄 Draft ADR: docs/adr/27639-unify-activation-sanitize-allowed-domains.md

What to do next

  1. Review the draft ADR committed to your branch — it was generated from the PR diff
  2. Complete the missing sections — add context the AI couldn't infer, refine the decision rationale, and list real alternatives you considered
  3. Commit the finalized ADR to docs/adr/ on your branch
  4. Reference the ADR in this PR body by adding a line such as:

    ADR: ADR-27639: Unify Allowed-Domains Configuration for Activation Input Sanitization

Once an ADR is linked in the PR body, this gate will re-run and verify the implementation matches the decision.

Why ADRs Matter

"AI made me procrastinate on key design decisions. Because refactoring was cheap, I could always say 'I'll deal with this later.' Deferring decisions corroded my ability to think clearly."

ADRs create a searchable, permanent record of why the codebase looks the way it does. Future contributors (and your future self) will thank you.


📋 Draft ADR Summary

Decision: Pass the same computed allowed-domains value to the activation sanitized (input) step that is already used for output sanitization. When safe-outputs.allowed-domains is configured, use computeExpandedAllowedDomainsForSanitization; otherwise use computeAllowedDomainsForSanitization.

Problem solved: The sanitized step was silently redacting URLs from user-configured domains (via network.allowed / safe-outputs.allowed-domains) before the agent saw them, causing input sanitization to be inconsistent with output sanitization.

Key trade-off: safe-outputs.allowed-domains now implicitly affects input sanitization even though its name implies output-only scope — this may surprise some workflow authors and is worth documenting explicitly in the ADR.

📋 Michael Nygard ADR Format Reference

An ADR must contain these four sections to be considered complete:

  • Context — What is the problem? What forces are at play?
  • Decision — What did you decide? Why?
  • Alternatives Considered — What else could have been done?
  • Consequences — What are the trade-offs (positive and negative)?

All ADRs are stored in docs/adr/ as Markdown files numbered by PR number (e.g., 27639-title.md for PR #27639).

🔒 This PR cannot merge until an ADR is linked in the PR body.

References: §24739465880

🏗️ ADR gate enforced by Design Decision Gate 🏗️ · ● 104.4K ·
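
The effect of the decision summarized in the draft ADR above, as an added Go example that is not code from this PR or from gh-aw: one merged allow-list is applied to incoming text, so URLs on network.allowed and safe-outputs.allowed-domains hosts survive and everything else is redacted. The default list, the function names, the `(redacted)` marker and the dot-boundary host matching are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed stand-in for the hardcoded default allow-list (assumed values).
var defaultDomains = []string{"github.com", "githubusercontent.com"}
var urlRe = regexp.MustCompile(`https?://[^\s<>")\]]+`)

// MergeAllowedDomains (hypothetical helper) returns the comma-separated value a
// step would receive in GH_AW_ALLOWED_DOMAINS: defaults plus both workflow sources.
func MergeAllowedDomains(networkAllowed, safeOutputsAllowed []string) string {
	seen, out := map[string]bool{}, []string{}
	for _, list := range [][]string{defaultDomains, networkAllowed, safeOutputsAllowed} {
		for _, d := range list {
			if d = strings.ToLower(strings.TrimSpace(d)); d != "" && !seen[d] {
				seen[d] = true
				out = append(out, d)
			}
		}
	}
	return strings.Join(out, ",")
}

// hostAllowed matches a lowercased host exactly or as a subdomain on a dot boundary.
func hostAllowed(host string, allowed []string) bool {
	for _, d := range allowed {
		if d != "" && (host == d || strings.HasSuffix(host, "."+d)) {
			return true
		}
	}
	return false
}

// Sanitize replaces each URL whose parsed host is not allow-listed (fails closed).
func Sanitize(text, allowedCSV string) string {
	allowed := strings.Split(allowedCSV, ",")
	return urlRe.ReplaceAllStringFunc(text, func(raw string) string {
		if u, err := url.Parse(raw); err == nil && hostAllowed(strings.ToLower(u.Hostname()), allowed) {
			return raw
		}
		return "(redacted)"
	})
}

func main() {
	body := "see https://edition.cnn.com/a and https://bbc.com/b" // constructed input
	fmt.Println(Sanitize(body, MergeAllowedDomains(nil, nil)))
	fmt.Println(Sanitize(body, MergeAllowedDomains([]string{"cnn.com"}, []string{"bbc.com"})))
}
```

Matching on the parsed hostname rather than on a substring of the URL means a lookalike suffix or an allow-listed name placed in the userinfo part is still redacted.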

@pelikhan pelikhan merged commit 9649048 into main Apr 21, 2026
@pelikhan pelikhan deleted the copilot/fix-redacted-urls-issue branch April 21, 2026 18:35

Development

Successfully merging this pull request may close these issues.

compute_text step strips all non-GitHub URLs from issue/PR/discussion bodies before the agent sees them

3 participants