Replace deprecated needs.activation.outputs.{text,title,body} with steps.sanitized.outputs.*#44255
Conversation
…eps.sanitized.outputs.* Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
needs.activation.outputs.{text,title,body} with steps.sanitized.outputs.*
This comment has been minimized.
This comment has been minimized.
|
Hey This PR is still a draft with 0 changes, so a few things to address before it's ready for review:
When you're ready to fill in the implementation, here's a prompt you can use:
|
There was a problem hiding this comment.
Pull request overview
This PR reduces deprecation-warning noise by updating documentation and benchmark workflow examples to use the compiler’s preferred sanitized-output expression form (steps.sanitized.outputs.*) instead of the deprecated needs.activation.outputs.{text,title,body}.
Changes:
- Updated the security architecture spec and its validation companion to reference
steps.sanitized.outputs.textin requirements, descriptions, and examples. - Updated multiple scratchpad security docs/examples to use
steps.sanitized.outputs.text. - Updated the compile security benchmark’s embedded workflow text to avoid emitting the deprecation warning during benchmark runs.
Show a summary per file
| File | Description |
|---|---|
| pkg/cli/compile_security_benchmark_test.go | Updates embedded benchmark workflow prompt content to use steps.sanitized.outputs.text, avoiding repeated deprecation warnings. |
| specs/security-architecture-spec.md | Refreshes requirements/checklists/examples to reference steps.sanitized.outputs.text as the preferred sanitized output. |
| specs/security-architecture-spec-validation.md | Keeps validation quotes aligned with the updated spec wording for OI-01. |
| scratchpad/template-injection-prevention.md | Updates recommended sanitized expression to steps.sanitized.outputs.text (but currently introduces contradictory guidance about step outputs). |
| scratchpad/oh-my-code.md | Updates the “Context sanitization” example to the preferred steps.sanitized.outputs.text. |
| scratchpad/github-actions-security-best-practices.md | Updates secure-pattern examples/checklists to use steps.sanitized.outputs.text. |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 6/6 changed files
- Comments generated: 1
- Review effort level: Low
| - ❌ `${{ steps.*.outputs.* }}` (step outputs may contain user data) | ||
|
|
||
| 2. **Use sanitized context instead:** | ||
| - ✅ `${{ needs.activation.outputs.text }}` (sanitized by gh-aw) | ||
| - ✅ `${{ steps.sanitized.outputs.text }}` (sanitized by gh-aw) |
|
@copilot cross check that this fix is correct by investivating compiler implementation in the go sources. |
…safe exception Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Verified the fix is correct. Key evidence from the Go sources:
So I also addressed the contradictory guidance flagged by the automated reviewer: line 111's |
|
🎉 This pull request is included in a new release. Release: |
The compiler auto-rewrites
needs.activation.outputs.{text,title,body}→steps.sanitized.outputs.*(emitting a deprecation warning each time). Several non-transformation-test files still used the deprecated form, accumulating unnecessary warning noise and serving as stale examples.Changes
pkg/cli/compile_security_benchmark_test.go— embedded workflow content inBenchmarkCompileWithZizmorused the deprecated form, triggering a live deprecation warning on every benchmark runspecs/security-architecture-spec.md— 5 occurrences updated: IS-02 requirement, OI-01 description, CS-04 safe-pattern list, G.4 checklist, BP-01 examplespecs/security-architecture-spec-validation.md— OI-01 validation quotescratchpad/—oh-my-code.md,template-injection-prevention.md,github-actions-security-best-practices.mdupdated to point to the current preferred formNot changed
Tests that validate the backward-compat transformation itself (
expression_extraction_test.go,codemod_activation_outputs_test.go, fuzz seeds,runtime_import.test.cjs,.skill-optimizer/task inputs) intentionally retain the deprecated form — they exist specifically to assert the rewrite still works.Before / After (benchmark workflow content):