
fix: add GEMINI_CLI_TRUST_WORKSPACE=true to unblock Gemini headless mode#28475

Merged
pelikhan merged 2 commits into main from copilot/aw-failures-fix-gemini-cli-issues
Apr 25, 2026

Conversation

Contributor

Copilot AI commented Apr 25, 2026

Gemini CLI v1.x introduced a trusted-folders security model that overrides --yolo to "default" approval mode when the workspace is not trusted, causing exit code 55 with 0 turns executed before any work begins.

Changes

  • pkg/workflow/gemini_engine.go: Added GEMINI_CLI_TRUST_WORKSPACE: "true" to the base env map in GetExecutionSteps, alongside the other Gemini-specific vars. This env var is the official bypass for Gemini CLI v1.x's workspace trust check, allowing --yolo to function as intended in GitHub Actions runners.
  • pkg/workflow/gemini_engine_test.go: Added assertion verifying the env var is present in the compiled execution step.
env := map[string]string{
    "GEMINI_API_KEY": "${{ secrets.GEMINI_API_KEY }}",
    // ...
    // Trust the workspace to prevent Gemini CLI v1.x from overriding --yolo to default
    // approval mode when the workspace is untrusted, which causes exit code 55.
    "GEMINI_CLI_TRUST_WORKSPACE": "true",
}

All 202 workflow lock files were recompiled with the new env var present in both agent and detection execution steps.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw
    • Triggering command: /usr/bin/gh api /repos/github/gh-aw --jq .default_branch (http block)

If you need me to access, download, or install something from one of these locations, you can either:

…eadless mode (#28268)

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/ce6af64c-bc54-4de7-8a01-d21423b6aef9

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
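The description above states that all 202 lock files were recompiled with the variable present in both the agent and the detection execution steps. The following is an added Go example (not the project's own code) of a lint that checks exactly that claim over a compiled lock file: it finds every step whose run command invokes gemini and reports the ones where GEMINI_CLI_TRUST_WORKSPACE is absent or not "true". The YAML fragment is a constructed sample in the shape the PR describes, not the real smoke-gemini.lock.yml, and the names GeminiSteps, MissingTrust and StepResult are this example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed fragment of a compiled workflow lock file (sample input for this
// example, not the project's real file). The agent step carries the trust
// variable; the detection step deliberately does not, so the lint has
// something to report.
const sampleLock = `jobs:
  agent:
    steps:
      - name: Execute Gemini CLI
        run: gemini --yolo --prompt "$PROMPT"
        env:
          GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
          GEMINI_CLI_TRUST_WORKSPACE: true
      - name: Upload logs
        run: echo done
  detection:
    steps:
      - name: Execute Gemini CLI (detection)
        run: gemini --yolo --prompt "$DETECTION_PROMPT"
        env:
          GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
`

// StepResult records, for one step that runs the Gemini CLI, the value of
// GEMINI_CLI_TRUST_WORKSPACE found in its env block ("" when absent).
type StepResult struct {
	Name       string
	TrustValue string
}

// GeminiSteps walks the lock text line by line and returns one result per
// step whose run command invokes gemini. It relies only on the indentation
// conventions of generated Actions YAML (each step begins with "- name:"),
// which is enough for a lint and avoids pulling in a YAML dependency.
func GeminiSteps(lock string) []StepResult {
	var results []StepResult
	var cur *StepResult
	usesGemini := false
	flush := func() {
		if cur != nil && usesGemini {
			results = append(results, *cur)
		}
		cur, usesGemini = nil, false
	}
	for _, raw := range strings.Split(lock, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case strings.HasPrefix(line, "- name:"):
			flush()
			cur = &StepResult{Name: strings.TrimSpace(strings.TrimPrefix(line, "- name:"))}
		case cur == nil:
			continue
		case strings.HasPrefix(line, "GEMINI_CLI_TRUST_WORKSPACE:"):
			v := strings.TrimSpace(strings.TrimPrefix(line, "GEMINI_CLI_TRUST_WORKSPACE:"))
			cur.TrustValue = strings.Trim(v, `"'`)
		default:
			// Matches both "run: gemini --yolo ..." and a "gemini ..." line
			// inside a multi-line "run: |" block; env keys are upper-case
			// and therefore never match.
			if strings.HasPrefix(line, "gemini ") || strings.Contains(line, " gemini ") {
				usesGemini = true
			}
		}
	}
	flush()
	return results
}

// MissingTrust returns the names of Gemini steps that would still hit the
// trusted-folder check: the variable is absent or not exactly "true".
func MissingTrust(lock string) []string {
	var missing []string
	for _, s := range GeminiSteps(lock) {
		if s.TrustValue != "true" {
			missing = append(missing, s.Name)
		}
	}
	return missing
}

func main() {
	for _, s := range GeminiSteps(sampleLock) {
		fmt.Printf("%-32s GEMINI_CLI_TRUST_WORKSPACE=%q\n", s.Name, s.TrustValue)
	}
	if m := MissingTrust(sampleLock); len(m) > 0 {
		fmt.Println("steps missing GEMINI_CLI_TRUST_WORKSPACE=true:", m)
	}
}
```

Running this over the sample reports the detection step as missing the variable. The check is worth keeping around because the variable is a security decision as much as a fix: it tells the CLI to treat the runner's checkout as a trusted folder, so --yolo then runs tool calls against whatever that checkout contains without the approval step the trusted-folders model would otherwise impose. Making sure it appears only on the intended Gemini steps, and nowhere else, is the cheap part of living with that trade-off.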
Copilot AI changed the title from "[WIP] Fix Gemini CLI untrusted directory exit code in headless mode" to "fix: add GEMINI_CLI_TRUST_WORKSPACE=true to unblock Gemini headless mode" Apr 25, 2026
Copilot AI requested a review from pelikhan April 25, 2026 15:50
@pelikhan pelikhan marked this pull request as ready for review April 25, 2026 15:51
Copilot AI review requested due to automatic review settings April 25, 2026 15:51
@pelikhan pelikhan merged commit 091fb0e into main Apr 25, 2026
19 checks passed
@pelikhan pelikhan deleted the copilot/aw-failures-fix-gemini-cli-issues branch April 25, 2026 15:51
Contributor

Copilot AI left a comment


Pull request overview

Updates the Gemini engine’s GitHub Actions execution environment to trust the workspace by default so Gemini CLI v1.x won’t override --yolo into default approval mode (which causes early termination / exit code 55 in headless runners).

Changes:

  • Add GEMINI_CLI_TRUST_WORKSPACE=true to Gemini’s base env map in GetExecutionSteps.
  • Add a unit test assertion ensuring the compiled execution step includes GEMINI_CLI_TRUST_WORKSPACE.
  • Recompile affected workflow lock output to include the new env var in both agent and detection Gemini execution steps.
Summary per file:

  • pkg/workflow/gemini_engine.go: Adds GEMINI_CLI_TRUST_WORKSPACE to the Gemini execution env so --yolo remains effective under Gemini CLI v1.x trusted-folder enforcement.
  • pkg/workflow/gemini_engine_test.go: Verifies the generated step content includes the new env var.
  • .github/workflows/smoke-gemini.lock.yml: Updates the compiled lock workflow to include the new env var for both agent and detection Gemini runs.

Copilot's findings


  • Files reviewed: 3/3 changed files
  • Comments generated: 0

@github-actions
Contributor

🧪 Test Quality Sentinel Report

Test Quality Score: 95/100

Excellent test quality

  • New/modified tests analyzed: 1 assertion added to existing test
  • ✅ Design tests (behavioral contracts): 1 (100%)
  • ⚠️ Implementation tests (low value): 0 (0%)
  • Tests with error/edge cases: N/A (modification to existing assertion block)
  • Duplicate test clusters: 0
  • Test inflation detected: No (1 line test / 3 lines production = 0.33:1)
  • 🚨 Coding-guideline violations: None

Test Classification Details

  • Test: TestGeminiEngineExecution (modified) · File: pkg/workflow/gemini_engine_test.go:232 · Classification: ✅ Design

Analysis

The PR adds a single assert.Contains assertion to the existing TestGeminiEngineExecution test:

assert.Contains(t, stepContent, "GEMINI_CLI_TRUST_WORKSPACE: true", "Should include GEMINI_CLI_TRUST_WORKSPACE")

Design invariant enforced: The compiled Gemini engine step output must include the GEMINI_CLI_TRUST_WORKSPACE: true environment variable. This directly validates the behavioral contract introduced by the production change.

Value if deleted: A regression that removes or renames the env var would go undetected — high value.

Assessment: The assertion follows all project guidelines — it verifies an observable output (compiled YAML content), includes a descriptive message, and the test file has the correct //go:build !integration build tag. No mocks, no inflation, no duplication.


Language Support

Tests analyzed:

  • 🐹 Go (*_test.go): 1 assertion modified — unit (//go:build !integration)

Verdict

Check passed. 0% of new/modified test assertions are implementation tests (threshold: 30%). The added assertion directly covers the behavioral contract of the production change.


📖 Understanding Test Classifications

Design Tests (High Value) verify what the system does:

  • Assert on observable outputs, return values, or state changes
  • Cover error paths and boundary conditions
  • Would catch a behavioral regression if deleted
  • Remain valid even after internal refactoring

Implementation Tests (Low Value) verify how the system does it:

  • Assert on internal function calls (mocking internals)
  • Only test the happy path with typical inputs
  • Break during legitimate refactoring even when behavior is correct
  • Give false assurance: they pass even when the system is wrong

Goal: Shift toward tests that describe the system's behavioral contract — the promises it makes to its users and collaborators.

🧪 Test quality analysis by Test Quality Sentinel

Contributor

@github-actions github-actions Bot left a comment


✅ Test Quality Sentinel: 95/100. Test quality is excellent — 0% of new/modified assertions are implementation tests (threshold: 30%). The added assertion directly verifies the behavioral contract of the GEMINI_CLI_TRUST_WORKSPACE env var in compiled output.

@github-actions github-actions Bot mentioned this pull request Apr 25, 2026

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[aw-failures] smoke-gemini: untrusted directory blocks Gemini CLI in headless mode

3 participants