microsoft · danielmeppiel · May 29, 2026 · May 29, 2026
@@ -322,9 +322,16 @@ jobs:
           # ROW_PRIVATE_KEY values so downstream tolerance is irrelevant.
           pk="${pk%$'\n'}"
           # Defence in depth: the PK is already masked because it came from
-          # a ${{ secrets.* }} reference at compile time, but registering it
-          # again here makes the contract explicit and survives any future
-          # gh-aw template churn that might lose the secret tag.
+          # a secrets-context reference at compile time (gh-aw substitutes
+          # the configured private-key secret into AW_APM_*), but
+          # registering it again here makes the contract explicit and
+          # survives any future gh-aw template churn that might lose the
+          # secret tag. NOTE: do not write GitHub Actions expression syntax
+          # (dollar-doublecurly ... doublecurly) inside this comment.
+          # gh-aw v0.76+ harvests such tokens out of bash run-block bodies
+          # (even inside `#` comments) and hoists them into the step env,
+          # which fails workflow load when the inner expression resolves
+          # to a sequence (e.g. wildcard secrets-context references).
           echo "::add-mask::$pk"
           # Use a random heredoc delimiter to eliminate any chance of a PEM
           # line collision terminating the value early. The official docs