Enforce bash parser specification invariants in JS Copilot SDK parser #37394

Merged: pelikhan merged 3 commits into main from copilot/review-bash-parser-specification on Jun 6, 2026

Copilot AI commented Jun 6, 2026

This PR aligns the JavaScript bash parser with the parser specification used by Copilot SDK permissions, focusing on robustness and strict conformance behavior. It tightens parser guarantees so malformed or adversarial shell input remains non-throwing and semantically stable.

  • Parser semantics hardening

    • Replaced recursive prefix skipping in extractCommandName with iterative scanning for !, {, and } prefixes.
    • Preserves existing extraction behavior while removing recursion-depth failure risk on long prefix chains.
  • Spec contract enforcement

    • Added explicit type-contract tests for all parser APIs with non-string StringLike runtime inputs, asserting total-function behavior ([] / null, never throw).
    • Added targeted robustness vectors for both moderate and extreme prefix depth to enforce stack-safe command extraction.
  • Conformance coverage expansion

    • Extended spec-vector tests so JS behavior is directly enforced against documented invariants rather than relying only on ad hoc cases.

```js
// iterative prefix skipping (stack-safe)
if (word === "!" || word === "{" || word === "}") {
  remaining = remaining.slice(word.length).trim();
  if (!remaining) return null;
  continue;
}
```
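
An added illustration of the stack-safety point in the description above (not code from this PR or the gh-aw repository): a recursive prefix skipper beside the iterative form, run over a constructed deep-prefix vector and non-string inputs. The recursive "before" shape, the helper names and the sample input are assumptions; the real `extractCommandName` does more than this sketch.

```javascript
// Added illustration, not the project's code. Only the `!`, `{`, `}` prefix
// rule and the null-on-bad-input contract come from the PR description.
const PREFIXES = new Set(["!", "{", "}"]);

// Hypothetical "before" shape: one stack frame per skipped prefix.
function extractCommandNameRecursive(input) {
  if (typeof input !== "string") return null;
  const remaining = input.trim();
  const m = /^\S+/.exec(remaining);
  if (!m) return null;
  if (PREFIXES.has(m[0])) {
    return extractCommandNameRecursive(remaining.slice(m[0].length));
  }
  return m[0];
}

// Iterative shape following the PR's snippet: constant stack depth.
function extractCommandNameIterative(input) {
  if (typeof input !== "string") return null; // total function: never throw
  let remaining = input.trim();
  while (remaining) {
    const word = /^\S+/.exec(remaining)[0]; // trimmed, so a word always matches
    if (word === "!" || word === "{" || word === "}") {
      remaining = remaining.slice(word.length).trim();
      if (!remaining) return null;
      continue;
    }
    return word;
  }
  return null;
}

// Constructed robustness vector: a long chain of prefixes before the command.
function deepPrefixVector(depth) {
  return "! ".repeat(depth) + "git status";
}

// Runs a parser and reports either its value or the name of the error thrown.
function probe(parser, input) {
  try {
    return { value: parser(input), threw: null };
  } catch (e) {
    return { value: undefined, threw: e.name };
  }
}

const vector = deepPrefixVector(100000);
console.log("recursive:", probe(extractCommandNameRecursive, vector));
console.log("iterative:", probe(extractCommandNameIterative, vector));
```

A permission check that calls the recursive form has to handle the thrown error on such input; the iterative form returns a command name or `null` for every input.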

Copilot AI and others added 3 commits June 6, 2026 20:35
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title Enforce bash parser specification on JS Copilot SDK parser Enforce bash parser specification invariants in JS Copilot SDK parser Jun 6, 2026
Copilot AI requested a review from pelikhan June 6, 2026 20:40
pelikhan marked this pull request as ready for review June 6, 2026 20:46
Copilot AI review requested due to automatic review settings June 6, 2026 20:46
pelikhan merged commit 0b58556 into main Jun 6, 2026
pelikhan deleted the copilot/review-bash-parser-specification branch June 6, 2026 20:46

Copilot AI left a comment

Pull request overview

This PR hardens the actions/setup JavaScript bash command parser to be stack-safe under long prefix chains and expands test coverage to enforce strict “total-function” behavior (never throw, stable []/null outputs). It also includes updates to compiled workflow/action pin artifacts.

Changes:

  • Replaced recursive prefix skipping in extractCommandName with an iterative scan to avoid recursion-depth failures.
  • Added type-contract and robustness tests ensuring all parser APIs return []/null for non-string runtime inputs and handle extreme prefix depth.
  • Updated generated workflow lock/pin data (including removal of an unused setup action pin and regeneration of a lock workflow file).

| File | Description |
| --- | --- |
| pkg/workflow/data/action_pins.json | Removes an action pin entry (generated pin data update). |
| pkg/actionpins/data/action_pins.json | Mirrors the action pin removal in the second pin dataset. |
| actions/setup/js/bash_command_parser.cjs | Makes extractCommandName iterative to avoid stack overflows on long prefix chains. |
| actions/setup/js/bash_command_parser_spec_vectors.test.cjs | Adds runtime type-contract + deep-prefix robustness tests for parser APIs. |
| .github/workflows/daily-awf-spec-compiler-surfacing.lock.yml | Regenerates a compiled workflow lock file (operational/workflow artifact update). |

Copilot's findings

  • Files reviewed: 5/5 changed files
  • Comments generated: 1

Comment on lines +109 to +118
- name: Checkout actions folder
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
repository: github/gh-aw
sparse-checkout: |
actions
persist-credentials: false
- name: Setup Scripts
id: setup
uses: github/gh-aw-actions/setup@v0.77.5
uses: ./actions/setup
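
Review bot: the Setup Scripts step at the end of this hunk shows both `uses: github/gh-aw-actions/setup@v0.77.5` and `uses: ./actions/setup`, and with the local path the setup code comes from the sparse checkout of github/gh-aw above, which sets no `ref:`. That makes the scripts that run depend on whatever ref the checkout resolves to rather than on a fixed release, while the checkout action itself is pinned to a commit SHA. If running the in-repo copy is intended for this lock file, say so in the PR description, since the change is unrelated to the parser hardening; otherwise add an explicit `ref:` to the checkout step.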