fix(panels): unbreak panel workflows -- gh-aw v0.76+ harvests expression tokens from bash comments#1545
Merged
danielmeppiel merged 1 commit on May 29, 2026
gh-aw v0.76+ scans the body of `run:` blocks for GitHub Actions
expression tokens and hoists them into the step's env: block. It
does this even for tokens that appear inside `#` shell comments.
shared/apm.md:325 contained a comment that, for documentation
purposes, included the literal expression form of a secrets-context
reference. v0.76+ harvested that into
env:
GH_AW_EXPR_36F7BDB0: ${{ secrets.* }}
which fails workflow load with 'A sequence was not expected'
because the wildcard secrets-context filter evaluates to a sequence,
not a string. This broke pr-review-panel, triage-panel, and
docs-sync at template-load time on every triggering event (see PR
#1538 CI failure).
Fix: rewrite the comment so it documents the contract without
spelling out the literal expression syntax. Recompiled the three
affected lock files. No behaviour change in the resolved step;
the env block now only carries ROW_INDEX / ROW_KIND as intended.
Filing upstream against github/gh-aw separately so future expression
harvesting respects shell-comment boundaries.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Author (Collaborator): Upstream bug filed: github/gh-aw#35688
Copilot (Contributor) review:
Pull request overview
This PR fixes panel workflow template-load failures introduced after the gh-aw v0.76+ recompile by removing a `${{ ... }}` expression token from a bash `#` comment inside the shared APM credential-resolver `run:` block, and recompiling the affected lock workflows so they no longer contain an invalid hoisted `env:` value.
Changes:
- Rewrite the credential-masking comment in `.github/workflows/shared/apm.md` to avoid literal GitHub Actions expression syntax inside a `run:` block comment.
- Regenerate the affected lock workflows so the unintended `GH_AW_EXPR_*: ${{ secrets.* }}` env entry is removed.
- Ensure the step `env:` in lock files contains only the intended `ROW_INDEX`/`ROW_KIND` expressions.

Summary per file:
| File | Description |
|---|---|
| .github/workflows/shared/apm.md | Removes ${{ ... }} expression syntax from a run-block comment to prevent gh-aw expression hoisting. |
| .github/workflows/pr-review-panel.lock.yml | Recompiled lock file; removes unintended GH_AW_EXPR_* env entry and retains intended row env vars. |
| .github/workflows/triage-panel.lock.yml | Recompiled lock file; removes unintended GH_AW_EXPR_* env entry and retains intended row env vars. |
| .github/workflows/docs-sync.lock.yml | Recompiled lock file; removes unintended GH_AW_EXPR_* env entry and retains intended row env vars. |
Copilot's findings
- Files reviewed: 4/4 changed files
- Comments generated: 0
TL;DR
The PR Review Panel, Triage Panel, and Docs-Sync workflows have been failing at template-load time on every triggering event since the `gh-aw v0.71.5 -> v0.76.1` recompile in #1487 (commit 9680e67). Symptom on the affected runs:

Example failure: https://github.com/microsoft/apm/actions/runs/26625014231/job/78460262895?pr=1538
Root cause
`gh-aw` v0.76+ scans the body of `run:` blocks for GitHub Actions expression tokens (`${{ ... }}`) and hoists them into the step's `env:` block. It does this even for tokens that appear inside `#` shell comments. v0.71.5 did not.

`shared/apm.md` (the imported APM credential-prep shared block) had a comment that, for documentation purposes, included the literal expression form of a secrets-context reference:

v0.76+ harvested that comment token into:

`secrets.*` is the wildcard secrets-context filter, which evaluates to a sequence (array of secret values), not a string. Actions refuses to coerce a sequence into an env value, so the workflow fails to load before any step runs. Same root cause hit `pr-review-panel.lock.yml`, `triage-panel.lock.yml`, and `docs-sync.lock.yml` because they all import `shared/apm.md`.

I verified this is not fixed in the latest gh-aw pre-release (v0.77.1) either, so this is the right surface to fix.
Fix
Rewrite the offending comment in `shared/apm.md` so it documents the contract without spelling out the literal expression syntax (no `${{ ... }}` form, no `${{ ... }}` placeholder either — gh-aw harvests that too). Recompiled all three affected lock files.

After the fix, the rebuilt step env block in each lock file carries only the intended values:

No runtime behaviour change — the `Resolve APM credentials` step continues to read `AW_APM_LEGACY_*` and `AW_APM_APPS` (which gh-aw still wires up at the job env level), mask the PEM, and write `ROW_APP_ID`/`ROW_PRIVATE_KEY` to `$GITHUB_ENV`.

Validation
- `gh aw compile` clean (0 errors, 2 unrelated pre-existing `pull_request_target` warnings on panels — see comment in `pr-review-panel.md`).
- `grep -r 'GH_AW_EXPR_36F7BDB0\|secrets\.\*' .github/workflows/*.yml` returns no matches in `env:` blocks (only inside cautionary documentation comments).
- `bash scripts/lint-auth-signals.sh` passes.

.md, all in the same step body. No primitive, CLI, or runtime code touched.
Filing a bug at `github/gh-aw` so the v0.76+ expression-harvesting pass respects shell-comment boundaries inside `run:` blocks. Will link the issue here once filed.

Risk
Low. This is the exact lock file shape gh-aw v0.71.5 produced (minus the action/container SHA bumps that already shipped in #1487), with a clean comment that no longer trips the v0.76+ harvester.
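The harvesting behaviour this PR describes, and the comment-aware variant it asks gh-aw to adopt upstream, modelled as a small Python scanner. This is an added illustration, not gh-aw's code: the sample `run:` body is constructed, the `EXPR_<n>` key naming is a placeholder for gh-aw's real `GH_AW_EXPR_<hash>` scheme, and the comment stripper is a simplified bash model (quotes tracked, heredocs and `$#` not handled).

```python
import re
from typing import Dict, List, Tuple

# Matches a GitHub Actions expression token such as ${{ github.run_id }}.
EXPR_RE = re.compile(r"\$\{\{.*?\}\}")


def _strip_shell_comments(line: str) -> str:
    """Return the code part of one bash line, dropping a trailing # comment.

    Tracks single and double quotes so a '#' inside a string is not treated
    as a comment start, and only opens a comment at line start or after
    whitespace. Simplified model of bash lexing, not gh-aw's own parser.
    """
    in_single = in_double = False
    prev = " "
    for i, ch in enumerate(line):
        if ch == "'" and not in_double:
            in_single = not in_single
        elif ch == '"' and not in_single:
            in_double = not in_double
        elif ch == "#" and not in_single and not in_double and prev.isspace():
            return line[:i]
        prev = ch
    return line


def harvest_expressions(run_body: str, respect_comments: bool) -> List[Tuple[str, bool]]:
    """Return (token, came_from_comment) for every ${{ ... }} in a run: body.

    respect_comments=False mimics the v0.76+ behaviour the PR reports (comment
    text is scanned too); True is the comment-aware pass the PR asks for.
    """
    found: List[Tuple[str, bool]] = []
    for line in run_body.splitlines():
        code = _strip_shell_comments(line)
        comment = line[len(code):]
        found.extend((tok, False) for tok in EXPR_RE.findall(code))
        if not respect_comments:
            found.extend((tok, True) for tok in EXPR_RE.findall(comment))
    return found


def hoisted_env(run_body: str, respect_comments: bool) -> Dict[str, str]:
    """Build the env: mapping a harvester would emit (placeholder key names)."""
    tokens = harvest_expressions(run_body, respect_comments)
    return {f"EXPR_{i}": tok for i, (tok, _) in enumerate(tokens)}


# Constructed sample modelled on the page: a documentation comment quoting the
# secrets wildcard, a real expression in code, and a '#' inside a string.
SAMPLE_RUN = """\
# NOTE (constructed): never reference ${{ secrets.* }} here; the wildcard
# evaluates to a sequence, not a string.
echo "row=${{ github.run_id }}"  # trailing comment with ${{ secrets.* }}
echo '# not a comment: ${{ env.X }}'
"""
```

With `respect_comments=False` the wildcard token from the comment lands in the env mapping, which is exactly the value Actions rejects at load time; with `True` only the two code tokens survive.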