Skip to content

Replace deprecated needs.activation.outputs.{text,title,body} with steps.sanitized.outputs.*#44255

Merged
pelikhan merged 4 commits into
mainfrom
copilot/hippo-replace-deprecated-references
Jul 8, 2026
Merged

Replace deprecated needs.activation.outputs.{text,title,body} with steps.sanitized.outputs.*#44255
pelikhan merged 4 commits into
mainfrom
copilot/hippo-replace-deprecated-references

Conversation

Copilot AI commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

The compiler auto-rewrites needs.activation.outputs.{text,title,body}steps.sanitized.outputs.* (emitting a deprecation warning each time). Several non-transformation-test files still used the deprecated form, accumulating unnecessary warning noise and serving as stale examples.

Changes

  • pkg/cli/compile_security_benchmark_test.go — embedded workflow content in BenchmarkCompileWithZizmor used the deprecated form, triggering a live deprecation warning on every benchmark run
  • specs/security-architecture-spec.md — 5 occurrences updated: IS-02 requirement, OI-01 description, CS-04 safe-pattern list, G.4 checklist, BP-01 example
  • specs/security-architecture-spec-validation.md — OI-01 validation quote
  • scratchpad/oh-my-code.md, template-injection-prevention.md, github-actions-security-best-practices.md updated to point to the current preferred form

Not changed

Tests that validate the backward-compat transformation itself (expression_extraction_test.go, codemod_activation_outputs_test.go, fuzz seeds, runtime_import.test.cjs, .skill-optimizer/ task inputs) intentionally retain the deprecated form — they exist specifically to assert the rewrite still works.

Before / After (benchmark workflow content):

-Issue: ${{ needs.activation.outputs.text }}
+Issue: ${{ steps.sanitized.outputs.text }}

…eps.sanitized.outputs.*

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Replace deprecated activation output references in workflow markdown Replace deprecated needs.activation.outputs.{text,title,body} with steps.sanitized.outputs.* Jul 8, 2026
Copilot AI requested a review from pelikhan July 8, 2026 09:50
@github-actions

This comment has been minimized.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Hey @copilot 👋 — thanks for picking up the deprecated-references cleanup from the Daily Hippo Learn workflow! Replacing stale activation output references is a solid, low-risk maintenance win.

This PR is still a draft with 0 changes, so a few things to address before it's ready for review:

  • Add a PR description — once the edits land, replace the boilerplate opening with a short summary of which files were updated and what deprecated patterns were replaced (e.g. set-output$GITHUB_OUTPUT). Reviewers need that context at a glance.
  • Consider adding or updating tests — if any of the changed .md files are covered by snapshot or lint tests, make sure those are updated alongside the content changes. If the changes are purely documentation markdown with no test surface, note that explicitly in the description.

When you're ready to fill in the implementation, here's a prompt you can use:

Complete the cleanup started in this PR: replace all deprecated activation output references in workflow markdown files.

Specific steps:
1. Search the repository (especially .github/aw/, docs/, specs/, and any workflow .md files) for deprecated patterns such as `set-output`, `save-state`, and `add-path` GitHub Actions commands.
2. Replace each occurrence with the modern `$GITHUB_OUTPUT`, `$GITHUB_STATE`, and `$GITHUB_PATH` environment-file equivalents.
3. Re-run `go build -ldflags "-s -w -X main.version=dev" -o gh-aw ./cmd/gh-aw` to confirm no compilation errors.
4. Update the PR description to summarise which files were changed and which patterns were replaced.

Generated by ✅ Contribution Check · 160.8 AIC · ⌖ 33.9 AIC · ⊞ 6.2K ·

@pelikhan pelikhan marked this pull request as ready for review July 8, 2026 09:58
Copilot AI review requested due to automatic review settings July 8, 2026 09:58

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR reduces deprecation-warning noise by updating documentation and benchmark workflow examples to use the compiler’s preferred sanitized-output expression form (steps.sanitized.outputs.*) instead of the deprecated needs.activation.outputs.{text,title,body}.

Changes:

  • Updated the security architecture spec and its validation companion to reference steps.sanitized.outputs.text in requirements, descriptions, and examples.
  • Updated multiple scratchpad security docs/examples to use steps.sanitized.outputs.text.
  • Updated the compile security benchmark’s embedded workflow text to avoid emitting the deprecation warning during benchmark runs.
Show a summary per file
File Description
pkg/cli/compile_security_benchmark_test.go Updates embedded benchmark workflow prompt content to use steps.sanitized.outputs.text, avoiding repeated deprecation warnings.
specs/security-architecture-spec.md Refreshes requirements/checklists/examples to reference steps.sanitized.outputs.text as the preferred sanitized output.
specs/security-architecture-spec-validation.md Keeps validation quotes aligned with the updated spec wording for OI-01.
scratchpad/template-injection-prevention.md Updates recommended sanitized expression to steps.sanitized.outputs.text (but currently introduces contradictory guidance about step outputs).
scratchpad/oh-my-code.md Updates the “Context sanitization” example to the preferred steps.sanitized.outputs.text.
scratchpad/github-actions-security-best-practices.md Updates secure-pattern examples/checklists to use steps.sanitized.outputs.text.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 6/6 changed files
  • Comments generated: 1
  • Review effort level: Low

Comment on lines +111 to +114
- ❌ `${{ steps.*.outputs.* }}` (step outputs may contain user data)

2. **Use sanitized context instead:**
- ✅ `${{ needs.activation.outputs.text }}` (sanitized by gh-aw)
- ✅ `${{ steps.sanitized.outputs.text }}` (sanitized by gh-aw)
@pelikhan

pelikhan commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

@copilot cross check that this fix is correct by investivating compiler implementation in the go sources.

…safe exception

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

@copilot cross check that this fix is correct by investivating compiler implementation in the go sources.

Verified the fix is correct. Key evidence from the Go sources:

  1. compiler_activation_job_builder.go:715-717 — The compiler generates the sanitized step (id: sanitized) and maps its outputs directly:

    ctx.outputs["text"] = "${{ steps.sanitized.outputs.text }}"
    ctx.outputs["title"] = "${{ steps.sanitized.outputs.title }}"
    ctx.outputs["body"] = "${{ steps.sanitized.outputs.body }}"
  2. expression_extraction.go:194-246transformActivationOutputs() rewrites needs.activation.outputs.{text,title,body}steps.sanitized.outputs.* for backward compat.

  3. expression_extraction.go:122-127 — The deprecation warning is emitted exactly when this transformation fires:

    fmt.Fprintln(os.Stderr, console.FormatWarningMessage(
        fmt.Sprintf("Deprecated expression ${{ %s }}: use ${{ %s }} instead.", originalContent, content),
    ))

So steps.sanitized.outputs.* is definitively the correct preferred form.

I also addressed the contradictory guidance flagged by the automated reviewer: line 111's steps.*.outputs.* danger warning now explicitly carves out the steps.sanitized.outputs.* exception (commit Fix contradictory guidance: clarify steps.sanitized.outputs.* is the safe exception).

@pelikhan pelikhan merged commit 2c89911 into main Jul 8, 2026
18 checks passed
@pelikhan pelikhan deleted the copilot/hippo-replace-deprecated-references branch July 8, 2026 10:40
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

🎉 This pull request is included in a new release.

Release: v0.82.6

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[hippo] Replace deprecated activation output references in workflow markdown

3 participants