Ignore ${{ ... }} in bash # comments during run-script expression harvesting

[Copilot]

gh aw compile regressed in v0.76+ by harvesting ${{ ... }} tokens from bash comments inside run: blocks, hoisting them into step env, and generating invalid lock workflows when those expressions resolve to non-scalars (e.g. secrets.*). This PR limits harvesting/guardrail scans to executable script content.

• Scope of fix: executable-only expression scanning

  • Added shell line-comment stripping (# ...) before run-script expression extraction.
  • Kept heredoc exclusion intact; scanning now ignores both heredoc bodies and bash comments.

• Compiler paths updated

  • sanitizeRunStepExpressions now scans stripShellLineComments(removeHeredocContent(run)).
  • Template-injection/regression guardrail run-script scans apply the same preprocessing in parsed workflow validation paths.

• Behavioral coverage added

  • New sanitizer cases:
    • comment-only expression is not extracted
    • mixed comment + executable expression extracts only executable expression
  • New helper tests for comment stripping behavior (quoted #, escaped \#, trailing comments).
  • Both validation paths now include a comment-expression case that should pass.

// Before scanning run: content for ${{ ... }}
scanContent := stripShellLineComments(removeHeredocContent(runVal))
matches := ExpressionPattern.FindAllStringSubmatch(scanContent, -1)

[Copilot]

Pull request overview

This PR narrows GitHub expression harvesting and validation for workflow run: scripts so ${{ ... }} inside bash # comments is treated like non-executable content, similar to existing heredoc exclusions.

Changes:

• Adds stripShellLineComments to remove bash-style comments while preserving quoted and escaped #.
• Applies heredoc + comment stripping before sanitizer and validation scans.
• Adds unit and compiler-path regression tests for comment-only expressions.

Show a summary per file

File	Description
pkg/workflow/template_injection_validation.go	Excludes shell comments from parsed workflow expression validation scans.
pkg/workflow/template_injection_validation_test.go	Adds unit coverage for shell comment stripping behavior.
pkg/workflow/template_injection_utils.go	Adds the comment-stripping helper and comment-start detection.
pkg/workflow/run_step_sanitizer.go	Updates run-step expression scanning to ignore comments.
pkg/workflow/run_step_sanitizer_test.go	Adds sanitizer cases for comment-only and mixed comment/executable expressions.
pkg/workflow/compiler_template_injection_both_paths_test.go	Adds both-path validation coverage for expressions inside bash comments.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 6/6 changed files
• Comments generated: 1

[pelikhan]

@copilot review all comments and reviews from copilot and github-actions actor. Address and resolve.

[Copilot]

@copilot review all comments and reviews from copilot and github-actions actor. Address and resolve.

Addressed the actionable Copilot review feedback in commit be2cf6c: replacement now skips bash # comments (while still replacing executable script occurrences), and regression coverage was added for the same expression appearing in both comment and executable lines. Targeted workflow sanitizer tests pass.

[github-actions]

``
@copilot review all comments and address unresolved review feedback, then rerun the targeted sanitizer tests.

Generated by 👨‍🍳 PR Sous Chef · gpt54 15.5M · ◷

[pelikhan]

@copilot fix https://github.com/github/gh-aw/actions/runs/26662701168/job/78589098141?pr=35777