Harden threat-detection against missing prompt artifact; unblock safe_outputs

[Copilot]

The detection job could fail hard when /tmp/gh-aw/threat-detection/aw-prompts/prompt.txt was missing, producing ERR_PARSE and skipping safe_outputs despite a successful agent job. This change makes missing prompt context a diagnosable warning path instead of a pipeline blocker.

• Detection setup now degrades gracefully

  • actions/setup/js/setup_threat_detection.cjs no longer hard-fails on missing/empty detection prompt context.
  • Emits actionable warnings and continues by generating a fallback detection prompt from workflow metadata and available artifacts.

• Compiled workflow adds explicit prompt preflight check

  • pkg/workflow/threat_detection.go now emits a guard in Prepare threat detection files that checks for a non-empty prompt file (-s) and logs a clear warning if absent.
  • Makes ordering/artifact issues visible at detection start with an explicit operator hint.

• Coverage for regression path

  • Added focused tests for:
    • missing prompt artifact → warning + fallback continuation,
    • empty prompt artifact → warning + fallback continuation,
    • compiled detection step contains the preflight warning logic.

# Generated in detection job
- name: Prepare threat detection files
  run: |
    mkdir -p /tmp/gh-aw/threat-detection/aw-prompts
    cp /tmp/gh-aw/aw-prompts/prompt.txt /tmp/gh-aw/threat-detection/aw-prompts/prompt.txt 2>/dev/null || true
    if [ ! -s /tmp/gh-aw/threat-detection/aw-prompts/prompt.txt ]; then
      echo "::warning::ERR_VALIDATION: Missing or empty detection context prompt ..."
    fi

---

Branch updated by pr-sous-chef from https://github.com/github/gh-aw/actions/runs/26714571223.

Generated by 👨‍🍳 PR Sous Chef · gpt54 9.8M · ◷

[Copilot]

Pull request overview

This PR hardens the threat-detection setup so missing or empty workflow prompt artifacts are reported as warnings instead of blocking the detection pipeline and downstream safe_outputs.

Changes:

• Adds a generated workflow preflight warning when the detection prompt context is missing or empty.
• Changes threat-detection JS setup to continue with fallback workflow metadata when prompt context is unavailable.
• Adds focused Go and Vitest coverage for the new warning/fallback paths.

Show a summary per file

File	Description
pkg/workflow/threat_detection.go	Adds shell preflight warning for missing/empty detection prompt context.
pkg/workflow/threat_detection_test.go	Verifies the compiled prepare step includes the new warning logic.
actions/setup/js/setup_threat_detection.cjs	Softens prompt-context validation and substitutes an unavailable marker.
actions/setup/js/setup_threat_detection.test.cjs	Covers missing and empty prompt artifact fallback behavior.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 4/4 changed files
• Comments generated: 0

[github-actions]

Please refresh the branch and rerun checks so the missing prompt-artifact fix can be validated end to end.

Generated by 👨‍🍳 PR Sous Chef · gpt54 9.8M · ◷