
Resolve dev-hawk github-env highs by tightening env-file usage in generated workflow steps#37586

Merged
pelikhan merged 5 commits into
mainfrom
copilot/static-analysis-report-2026-06-07
Jun 7, 2026

Conversation

Contributor

Copilot AI commented Jun 7, 2026

Static analysis reported persistent High zizmor github-env findings in dev-hawk.lock.yml, with one finding tied to GHES host wiring and another to MCP gateway env propagation. This PR removes the unnecessary env-file write and scopes suppression to the remaining intentional $GITHUB_ENV write derived from trusted GitHub runtime context.

  • Security finding scope

    • Targets the two dev-hawk github-env hotspots called out in the daily static-analysis report.
    • Applies changes in workflow source generation paths (not manual lock-file-only edits), then regenerates dev-hawk.lock.yml.
  • Generator changes

    • GHES host step (pkg/workflow/ghes_host_step.go)
      • Keeps GH_HOST propagation via $GITHUB_ENV for cross-step compatibility.
      • Adds a scoped zizmor: ignore[github-env] annotation as a standalone comment line immediately above run:, matching the # zizmor: ignore[...] - <reason> pattern used elsewhere in the codebase.
    • MCP gateway setup (pkg/workflow/mcp_setup_generator.go)
      • Removes GH_AW_MCP_CLI_SERVERS write to $GITHUB_ENV.
      • Retains step-local export GH_AW_MCP_CLI_SERVERS=..., which is sufficient for in-step usage (all consumers — start_mcp_gateway.cjs and convert_gateway_config_*.cjs — run as subprocesses within the same step and inherit the exported variable). No downstream steps reference this variable.
  • Compiled workflow impact

    • /.github/workflows/dev-hawk.lock.yml
      • Drops echo GH_AW_MCP_CLI_SERVERS=... >> "$GITHUB_ENV" in the MCP gateway step.
      • Emits GHES host step with scoped suppression as a dedicated comment line above run:.
  • Focused test update

    • pkg/workflow/ghes_host_step_test.go
      • Adds assertion that generated GHES host step includes zizmor: ignore[github-env].
- name: Configure GH_HOST for enterprise compatibility
  id: ghes-host-config
  shell: bash
  # zizmor: ignore[github-env] - GITHUB_SERVER_URL is set by GitHub Actions, not user input.
  run: |
    GH_HOST="${GITHUB_SERVER_URL#https://}"
    GH_HOST="${GH_HOST#http://}"
    echo "GH_HOST=${GH_HOST}" >> "$GITHUB_ENV"

Copilot AI linked an issue Jun 7, 2026 that may be closed by this pull request
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Update static analysis report for 2026-06-07 Resolve dev-hawk github-env highs by tightening env-file usage in generated workflow steps Jun 7, 2026
Copilot AI requested a review from pelikhan June 7, 2026 15:15
@pelikhan pelikhan marked this pull request as ready for review June 7, 2026 15:21
Copilot AI review requested due to automatic review settings June 7, 2026 15:21
Contributor

Copilot AI left a comment


Pull request overview

This PR addresses dev-hawk static-analysis High findings (zizmor github-env) by reducing unnecessary writes to $GITHUB_ENV in generated workflow steps, and adding a scoped suppression for the remaining intentional $GITHUB_ENV usage that derives from GitHub-provided runtime context.

Changes:

  • Stop persisting GH_AW_MCP_CLI_SERVERS via $GITHUB_ENV and keep it step-local via export in the MCP gateway setup generation.
  • Annotate the GHES GH_HOST configuration step with a zizmor: ignore[github-env] suppression tied to trusted GITHUB_SERVER_URL.
  • Update the GHES host step unit test to assert the suppression is present, and regenerate dev-hawk.lock.yml accordingly.
File Description
pkg/workflow/mcp_setup_generator.go Removes the $GITHUB_ENV write for GH_AW_MCP_CLI_SERVERS, keeping only a step-local export.
pkg/workflow/ghes_host_step.go Adds a zizmor suppression annotation to the generated GHES host step.
pkg/workflow/ghes_host_step_test.go Adds an assertion to ensure the suppression is present in the generated step.
.github/workflows/dev-hawk.lock.yml Regenerates the locked workflow to reflect the generator updates (drop env-file write; include suppression).

Copilot's findings


  • Files reviewed: 4/4 changed files
  • Comments generated: 2

Comment on lines 21 to 25
return ` - name: Configure GH_HOST for enterprise compatibility
id: ghes-host-config
shell: bash
run: |
run: | # zizmor: ignore[github-env] GITHUB_SERVER_URL is set by GitHub Actions, not user input.
# Derive GH_HOST from GITHUB_SERVER_URL so the gh CLI targets the correct
Comment on lines 1708 to 1712
- name: Configure GH_HOST for enterprise compatibility
id: ghes-host-config
shell: bash
run: |
run: | # zizmor: ignore[github-env] GITHUB_SERVER_URL is set by GitHub Actions, not user input.
# Derive GH_HOST from GITHUB_SERVER_URL so the gh CLI targets the correct
@github-actions
Contributor

github-actions Bot commented Jun 7, 2026

Please post a brief status update summarizing the env-file tightening and any remaining blockers.

Generated by 👨‍🍳 PR Sous Chef · 115.8 AIC · ⌖ 0.985 AIC · ⊞ 17K ·

@pelikhan
Collaborator

pelikhan commented Jun 7, 2026

@copilot review all comments

Copilot AI and others added 2 commits June 7, 2026 16:04
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…host_step

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented Jun 7, 2026

@copilot review all comments

Addressed both review comments — moved the zizmor: ignore[github-env] annotation from an inline comment on run: | to a dedicated standalone comment line immediately above run:, matching the # zizmor: ignore[...] - <reason> pattern used elsewhere in the codebase (e.g. pkg/workflow/jobs.go:212). Updated in both the generator (ghes_host_step.go) and the regenerated dev-hawk.lock.yml. Commit: Move zizmor annotation to standalone comment line above run: in ghes_host_step.

Copilot AI requested a review from pelikhan June 7, 2026 16:09

export GH_AW_ENGINE="copilot"
export GH_AW_MCP_CLI_SERVERS='["safeoutputs"]'
echo GH_AW_MCP_CLI_SERVERS='["safeoutputs"]' >> "$GITHUB_ENV"
Collaborator


@copilot review that this change does not break other downstream steps.

Contributor Author


No downstream steps are broken. GH_AW_MCP_CLI_SERVERS is consumed exclusively within the same step that sets it:

  1. export GH_AW_MCP_CLI_SERVERS=... makes the variable available to any subprocess spawned by that shell.
  2. cat << EOF | node start_mcp_gateway.cjs runs Node.js as a subprocess in the same step and inherits all exported shell vars.
  3. start_mcp_gateway.cjs calls convert_gateway_config_*.cjs via execSync(..., { env: process.env }), passing the inherited env through.
  4. convert_gateway_config_shared.cjs reads process.env.GH_AW_MCP_CLI_SERVERS — which is populated from the exported variable.

There is no subsequent step (checked across all lock files) that references $GH_AW_MCP_CLI_SERVERS or ${GH_AW_MCP_CLI_SERVERS} in a run: script or env: block. The $GITHUB_ENV write was persisting the variable well past its actual scope of use; the export alone is sufficient.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI requested a review from pelikhan June 7, 2026 16:20
@github-actions
Contributor

github-actions Bot commented Jun 7, 2026

@copilot review all comments and address the two unresolved review threads.

Generated by 👨‍🍳 PR Sous Chef · 21.4 AIC · ⌖ 1.04 AIC · ⊞ 17K ·

@github-actions
Contributor

github-actions Bot commented Jun 7, 2026

Please refresh the branch and rerun the CGO build-wasm check after those fixes land.

Generated by 👨‍🍳 PR Sous Chef · 21.4 AIC · ⌖ 1.04 AIC · ⊞ 17K ·

@pelikhan
Collaborator

pelikhan commented Jun 7, 2026

@copilot review all changes and the impact of not using github_env

Contributor Author

Copilot AI commented Jun 7, 2026

@copilot review all changes and the impact of not using github_env

Here is a full review of both changes and their GITHUB_ENV impact:


Change 1: GH_AW_MCP_CLI_SERVERS — GITHUB_ENV write removed (mcp_setup_generator.go)

Before: Two lines were emitted — export GH_AW_MCP_CLI_SERVERS=... (shell-local) and echo GH_AW_MCP_CLI_SERVERS=... >> "$GITHUB_ENV" (persisted across steps).

After: Only the export line remains.

Impact of removing GITHUB_ENV: None. All consumers of this variable run as subprocesses within the same step:

  • start_mcp_gateway.cjs is invoked via cat << EOF | node ... in the same step — inherits all exported shell vars.
  • It calls convert_gateway_config_*.cjs via execSync(..., { env: process.env }) — the env is passed through explicitly.
  • convert_gateway_config_shared.cjs reads process.env.GH_AW_MCP_CLI_SERVERS — gets it from the inherited env.

No subsequent step anywhere in the repo references $GH_AW_MCP_CLI_SERVERS in a run: script or env: block. The GITHUB_ENV write was always surplus.


Change 2: GH_HOST — GITHUB_ENV write kept, annotation added (ghes_host_step.go)

The echo "GH_HOST=${GH_HOST}" >> "$GITHUB_ENV" line is unchanged. GH_HOST must persist to GITHUB_ENV because it is needed by the gh CLI in every subsequent step in the job (checkout, setup, agent run, etc.). Removing that write would break GHES/GHEC compatibility.

The only change here is adding # zizmor: ignore[github-env] - GITHUB_SERVER_URL is set by GitHub Actions, not user input. as a standalone comment above run:, which suppresses the zizmor finding without altering runtime behavior.
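An added example, written for this discussion and not code from the gh-aw project, in Go because the generators under pkg/workflow are Go: a small audit that scans a compiled workflow for $GITHUB_ENV writes and classifies each one the way the two replies above reason about GH_AW_MCP_CLI_SERVERS and GH_HOST. It assumes steps begin with `- name:` and that a suppression takes the standalone-comment form the review asked for; a "drop-candidate" verdict only means no later step mentions the variable textually, which is a heuristic, since implicit consumers such as gh reading GH_HOST are exactly what the annotation's stated reason documents.

```go
package main

import (
	"regexp"
	"strings"
)

// EnvWrite is one `echo NAME=... >> "$GITHUB_ENV"` found in a workflow's run: scripts.
type EnvWrite struct {
	Name       string // variable persisted across steps via GITHUB_ENV
	Step       int    // 0-based index of the step that performs the write
	Annotated  bool   // a standalone "# zizmor: ignore[github-env]" line sits directly above run:
	Referenced bool   // some later step's text mentions the variable name
	Verdict    string // "accepted", "drop-candidate" or "review" (see AuditGithubEnvWrites)
}
var writeRe = regexp.MustCompile(`echo\s+"?([A-Za-z_][A-Za-z0-9_]*)=.*>>\s*"?\$GITHUB_ENV"?`)

// AuditGithubEnvWrites splits a workflow into steps (line-based, no YAML library; assumes steps
// start with "- name:") and classifies each GITHUB_ENV write: annotated writes are accepted on
// their stated reason, unannotated writes that no later step mentions are candidates to drop.
func AuditGithubEnvWrites(workflow string) []EnvWrite {
	var texts []string // one blob per step, so "later step" lookups are simple substring checks
	var annotated []bool
	prevIgnore := false
	for _, ln := range strings.Split(workflow, "\n") {
		t := strings.TrimSpace(ln)
		if strings.HasPrefix(t, "- name:") {
			texts, annotated = append(texts, ""), append(annotated, false)
		}
		if n := len(texts); n > 0 {
			texts[n-1] += ln + "\n"
			// Only the standalone-comment form counts; an inline "run: | # zizmor: ..." does not.
			annotated[n-1] = annotated[n-1] || (strings.HasPrefix(t, "run:") && prevIgnore)
		}
		prevIgnore = strings.HasPrefix(t, "# zizmor: ignore[github-env]")
	}
	var out []EnvWrite
	for i, text := range texts {
		for _, m := range writeRe.FindAllStringSubmatch(text, -1) {
			w := EnvWrite{Name: m[1], Step: i, Annotated: annotated[i], Verdict: "review"}
			for _, later := range texts[i+1:] {
				w.Referenced = w.Referenced || strings.Contains(later, m[1])
			}
			if w.Annotated {
				w.Verdict = "accepted" // the GH_HOST case: kept, with its reason recorded
			} else if !w.Referenced {
				w.Verdict = "drop-candidate" // the GH_AW_MCP_CLI_SERVERS case: export suffices
			}
			out = append(out, w)
		}
	}
	return out
}
```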

@pelikhan pelikhan merged commit 85391ac into main Jun 7, 2026
32 of 34 checks passed
@pelikhan pelikhan deleted the copilot/static-analysis-report-2026-06-07 branch June 7, 2026 17:09

Development

Successfully merging this pull request may close these issues.

[static-analysis] Report - 2026-06-07