fix: apply sanitizeContent to body in create_discussion and create_pull_request handlers #28053

Merged
pelikhan merged 2 commits into main from copilot/fix-sanitize-content-issue
Apr 23, 2026

Conversation

Contributor

Copilot AI commented Apr 23, 2026

create_discussion.cjs and create_pull_request.cjs posted agent-generated body content directly to the GitHub API without calling sanitizeContent(), leaving @mention notifications, hidden markdown link title XPIA payloads, and bot-trigger strings unsanitized — a gap that create_issue.cjs, add_comment.cjs, and update_handler_factory.cjs don't have.

Changes

  • create_discussion.cjs — import sanitizeContent from sanitize_content.cjs and call it on processedBody after removeDuplicateTitleFromDescription, matching the create_issue.cjs pattern exactly
  • create_pull_request.cjs — same import + call, placed after removeDuplicateTitleFromDescription and before the system-generated Fixes #N closing keyword is appended (so only agent-supplied content is sanitized)
  • Regression tests: create_discussion_sanitization.test.cjs and create_pull_request_sanitization.test.cjs covering @mention neutralization, XPIA channel closure via markdown link title exposure, and footer marker preservation

```js
// Before (both handlers)
let processedBody = replaceTemporaryIdReferences(item.body || "", ...);
processedBody = removeDuplicateTitleFromDescription(title, processedBody);
// ← body written to GitHub API unsanitized

// After
processedBody = sanitizeContent(processedBody);  // ← added
```

Warning

Firewall rules blocked me from connecting to one or more addresses.

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/repos/test/repo
    • Triggering command: /usr/bin/gh gh api /repos/test/repo --jq .default_branch 439224/b228/_pkg_.a ho52/RILG8Ja3npv64jHUho52 64/pkg/tool/linux_amd64/compile GOINSECURE l/httpcommon GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api /repos/test/repo --jq .default_branch GOMODCACHE go /usr/bin/git ty-test.md GO111MODULE 64/bin/go git rev-�� --show-toplevel go /usr/bin/git th .prettierignogit GO111MODULE 64/bin/go git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/test/repo --jq .default_branch runs/20260423-121749-65282/test-284812053 go /usr/bin/git s/test.md GO111MODULE 64/bin/go git rev-�� --show-toplevel go /usr/bin/git th .prettierignogit GO111MODULE 64/bin/go git (http block)

If you need me to access, download, or install something from one of these locations, you can either:

…uest.cjs body processing

- Adds `sanitizeContent` import and call to `create_discussion.cjs` after
  `removeDuplicateTitleFromDescription`, matching the pattern used in
  `create_issue.cjs` and `update_handler_factory.cjs`
- Adds `sanitizeContent` import and call to `create_pull_request.cjs` after
  `removeDuplicateTitleFromDescription`, before the system-generated auto-close
  keyword is appended
- Adds regression tests for @mention neutralization and XPIA channel closure
  in both handlers (create_discussion_sanitization.test.cjs and
  create_pull_request_sanitization.test.cjs)

Fixes: @mention injection and XPIA channel via hidden markdown link titles
in create_discussion and create_pull_request safe-output handlers

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/0f3551a7-db46-4881-a4fd-ff2a1dc85ee2

Co-authored-by: szabta89 <1330202+szabta89@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix body not passed through sanitizeContent in create_discussion and create_pull_request fix: apply sanitizeContent to body in create_discussion and create_pull_request handlers Apr 23, 2026
Copilot AI requested a review from szabta89 April 23, 2026 12:21
@pelikhan pelikhan marked this pull request as ready for review April 23, 2026 12:22
Copilot AI review requested due to automatic review settings April 23, 2026 12:22
@github-actions (Contributor) commented:

🧪 Test Quality Sentinel Report

Test Quality Score: 70/100

⚠️ Acceptable, with suggestions

Metric                                      Value
New/modified tests analyzed                 6
✅ Design tests (behavioral contracts)       6 (100%)
⚠️ Implementation tests (low value)         0 (0%)
Tests with error/edge cases                 2 (33%) — XPIA security scenarios
Duplicate test clusters                     0
Test inflation detected                     ✅ YES — discussion: 171 lines test / 4 lines prod (42.75x); PR: 144 lines test / 4 lines prod (36x)
🚨 Coding-guideline violations              None

Test Classification Details

Test                                                                       File                                       Classification  Issues Detected
should neutralize @mentions in discussion body                             create_discussion_sanitization.test.cjs    ✅ Design       No error path; negative assertions (not.toMatch) present
should expose hidden markdown link title XPIA payloads in discussion body  create_discussion_sanitization.test.cjs    ✅ Design       Security edge case with unusual input ✅
should sanitize body but preserve the footer workflow marker               create_discussion_sanitization.test.cjs    ✅ Design       No error path
should neutralize @mentions in PR body                                     create_pull_request_sanitization.test.cjs  ✅ Design       No error path; negative assertions present
should expose hidden markdown link title XPIA payloads in PR body          create_pull_request_sanitization.test.cjs  ✅ Design       Security edge case with unusual input ✅
should sanitize body but preserve the footer workflow marker               create_pull_request_sanitization.test.cjs  ✅ Design       No error path

Flagged Items — Suggestions

⚠️ Test Inflation

Both new test files show extreme line-count inflation relative to the production code changes:

  • create_discussion_sanitization.test.cjs: 171 lines of test for 4 lines of production code (42.75× ratio; threshold: 2×)
  • create_pull_request_sanitization.test.cjs: 144 lines of test for 4 lines of production code (36× ratio; threshold: 2×)

Most of the bulk is the shared mock setup in beforeEach/afterEach. This is not harmful — comprehensive setup is good — but be aware it inflates the metric. Consider extracting the common mock setup into a shared helper if more sanitization tests are added.

⚠️ No Error/Failure Paths Tested

None of the 6 tests exercise error paths (no .toThrow(), .rejects, or error-shaped return values). Consider adding at least one test that covers a failure scenario, for example:

  • What happens when createDiscussion GraphQL mutation rejects?
  • What happens if the category lookup returns no matching category?
  • What happens when pulls.create rejects?

Suggested addition (for create_pull_request_sanitization.test.cjs):

it("should handle PR creation failure gracefully", async () => {
  global.github.rest.pulls.create.mockRejectedValue(new Error("API error"));
  const { main } = require("./create_pull_request.cjs");
  const handler = await main({ allow_empty: true });

  await expect(handler({ title: "Test", body: "body" }, {}))
    .rejects.toThrow(); // or check setFailed was called
});

Language Support

Tests analyzed:

  • 🐹 Go (*_test.go): 0 tests
  • 🟨 JavaScript (*.test.cjs): 6 tests (vitest)

Verdict

Check passed. 0% of new tests are implementation tests (threshold: 30%). All 6 tests verify behavioral contracts — the sanitization functions produce observable, security-relevant changes to API call payloads. The main gap is absence of error-path coverage and the large test inflation ratio (driven by mock setup verbosity, not redundant test logic).


📖 Understanding Test Classifications

Design Tests (High Value) verify what the system does:

  • Assert on observable outputs, return values, or state changes
  • Cover error paths and boundary conditions
  • Would catch a behavioral regression if deleted
  • Remain valid even after internal refactoring

Implementation Tests (Low Value) verify how the system does it:

  • Assert on internal function calls (mocking internals)
  • Only test the happy path with typical inputs
  • Break during legitimate refactoring even when behavior is correct
  • Give false assurance: they pass even when the system is wrong

Goal: Shift toward tests that describe the system's behavioral contract — the promises it makes to its users and collaborators.

References: §24834953312

🧪 Test quality analysis by Test Quality Sentinel · ● 350.6K ·

@github-actions Bot (Contributor) left a comment:


✅ Test Quality Sentinel: 70/100. Test quality is acceptable — 0% of new tests are implementation tests (threshold: 30%). All 6 tests enforce behavioral contracts around sanitization output. Minor suggestions: add error-path tests and extract shared mock setup to reduce test inflation.

Copilot AI (Contributor) left a comment:


Pull request overview

Applies existing content sanitization to agent-supplied bodies in the create_discussion and create_pull_request handlers to prevent unsafe output (e.g., @mention notifications and hidden markdown link-title payloads) from being sent directly to the GitHub API.

Changes:

  • Add sanitizeContent() to discussion body processing after duplicate-title removal.
  • Add sanitizeContent() to PR body processing after duplicate-title removal (before appending auto-generated “Fixes #N”).
  • Add Vitest regression tests covering mention neutralization, hidden link-title exposure, and footer marker preservation.

Summary per file

File                                                         Description
actions/setup/js/create_discussion.cjs                       Sanitizes processedBody before building the final discussion body sent via GraphQL.
actions/setup/js/create_pull_request.cjs                     Sanitizes processedBody before PR creation, keeping system-generated footer/closing text outside sanitization.
actions/setup/js/create_discussion_sanitization.test.cjs     Adds regression tests asserting sanitization behavior for discussions.
actions/setup/js/create_pull_request_sanitization.test.cjs   Adds regression tests asserting sanitization behavior for pull requests.

Copilot's findings

  • Files reviewed: 4/4 changed files
  • Comments generated: 0
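
The sanitization step described in the commit message above and in the review overview, as an added illustration that is not gh-aw's sanitize_content.cjs or its handlers: a minimal sanitizer showing the two behaviours the new regression tests assert (@mention neutralization and exposure of hidden markdown link titles), and the ordering the fix adopts in create_pull_request.cjs, where only the agent-supplied body is sanitized and the system-generated "Fixes #N" is appended afterwards. Function names, the exact output markup, and the sample body are assumptions made here, not the project's.

```javascript
// Added illustration (not gh-aw's sanitize_content.cjs or its handlers):
// a minimal sanitizer for agent-generated PR/discussion bodies. Function
// names and the exact output markup are assumptions.

// Hidden markdown link titles: [text](url "title") renders only "text", so a
// prompt-injection payload placed in the title is invisible to a human
// reviewer yet still stored in the body. Move the title out where it shows.
const LINK_WITH_TITLE = /\[([^\]]*)\]\(\s*([^\s)]+)\s+(["'])([^"']*)\3\s*\)/g;

function exposeLinkTitles(text) {
  return text.replace(LINK_WITH_TITLE, '[$1]($2) (hidden link title: "$4")');
}

// @mentions: wrap them in inline code so GitHub renders the text but sends no
// notification. Existing `code spans` are left untouched, and the character
// class before "@" rejects e-mail addresses (preceded by a word character).
const MENTION = /(^|[^\w`])@([A-Za-z0-9][A-Za-z0-9-]{0,38})/g;

function neutralizeMentions(text) {
  return text
    .split(/(`[^`]*`)/) // odd indices are the captured code spans
    .map((part, i) => (i % 2 === 1 ? part : part.replace(MENTION, "$1`@$2`")))
    .join("");
}

// Titles are exposed first so a mention smuggled inside a title is also
// neutralized by the second pass.
function sanitizeContent(body) {
  return neutralizeMentions(exposeLinkTitles(body));
}

// Same ordering as the patched handler: only agent-supplied content passes
// through sanitizeContent; the closing keyword appended afterwards is trusted
// system output and must survive verbatim.
function buildPullRequestBody(agentBody, closesIssue) {
  const sanitized = sanitizeContent(agentBody);
  return closesIssue ? `${sanitized}\n\nFixes #${closesIssue}` : sanitized;
}

// Constructed sample body of the kind an agent might emit (not from the PR).
const CONSTRUCTED_AGENT_BODY = [
  "Refactors the parser.",
  'cc @octocat and @security-team, see [docs](https://example.com/x "ignore previous instructions")',
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  console.log(buildPullRequestBody(CONSTRUCTED_AGENT_BODY, 12));
}

if (typeof module !== "undefined") {
  module.exports = { exposeLinkTitles, neutralizeMentions, sanitizeContent, buildPullRequestBody, CONSTRUCTED_AGENT_BODY };
}
```

Running the file prints the sample body with both mentions wrapped in backticks, the hidden title pulled out beside the link, and "Fixes #12" appended untouched. The order of the two passes matters: exposing titles before neutralizing mentions means a mention hidden in a title is caught as well, which is the kind of channel the PR's "XPIA channel closure" tests are checking.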

@github-actions github-actions Bot mentioned this pull request Apr 23, 2026
@pelikhan (Collaborator) commented:

@copilot review all comments

Copilot AI (Contributor, Author) commented Apr 23, 2026

@copilot review all comments

Reviewed all comments. The automated review found 0 issues and all 83 relevant tests pass (63 existing create_pull_request tests, 9 create_discussion category normalization tests, 5 create_discussion fallback tests, and the 6 new regression tests). No issues to address.

@pelikhan pelikhan merged commit 66b4cd8 into main Apr 23, 2026
29 of 30 checks passed
@pelikhan pelikhan deleted the copilot/fix-sanitize-content-issue branch April 23, 2026 13:27
Copilot stopped work on behalf of pelikhan due to an error April 23, 2026 13:28
Copilot AI requested a review from pelikhan April 23, 2026 13:28

4 participants