fix: reject env.* expressions in markdown per documented safety policy#23932
fix: reject env.* expressions in markdown per documented safety policy#23932
Conversation
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/0ddb843d-8013-4637-820f-6a8c0a613b9f Co-authored-by: szabta89 <1330202+szabta89@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
This PR tightens compile-time expression safety validation for workflow markdown by rejecting env.* expressions (per documented policy) to reduce risk of accidental secret exposure in generated prompt/lock artifacts.
Changes:
- Removed
env.*allowlisting from the expression safety validator and its error “allowed expressions” hint. - Updated tests/benchmarks to treat
env.*as blocked, including OR-fallback cases. - Updated affected workflows/lock files to replace markdown
env.*references with alternative contexts and recompiled lock files.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| pkg/workflow/expressions_benchmark_test.go | Removes env.* usage from benchmark validation options and benchmark markdown samples. |
| pkg/workflow/expression_safety_validation.go | Removes env.* regex/option and corresponding allowlist checks; updates allowed-expressions hint output. |
| pkg/workflow/expression_safety_test.go | Adds/updates regression tests asserting env.* is rejected (including OR fallback behavior). |
| pkg/workflow/expression_patterns.go | Removes the EnvPattern definition and related documentation. |
| pkg/workflow/compile_outputs_label_test.go | Updates test markdown strings to avoid env.* expressions in markdown content. |
| .github/workflows/stale-repo-identifier.md | Replaces markdown env.* expression usage with a github.event.inputs.* fallback expression. |
| .github/workflows/stale-repo-identifier.lock.yml | Recompiled lock file reflecting updated markdown expressions and placeholder env mappings. |
| .github/workflows/contribution-check.md | Adds workflow_dispatch input and replaces markdown env.* references with github.event.inputs.* expressions. |
| .github/workflows/contribution-check.lock.yml | Recompiled lock file reflecting updated expressions and placeholder env mappings. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| ## Target Repository | ||
|
|
||
| The target repository is `${{ env.TARGET_REPOSITORY }}`. All PR fetching and subagent dispatch use this value. | ||
| The target repository is `${{ github.event.inputs.target_repository || github.repository }}`. All PR fetching and subagent dispatch use this value. | ||
|
|
There was a problem hiding this comment.
The markdown body now uses github.event.inputs.target_repository || github.repository, but the workflow’s env.TARGET_REPOSITORY also falls back to vars.TARGET_REPOSITORY. On scheduled runs (or when vars.TARGET_REPOSITORY is set and no dispatch input is provided), the prompt will describe/use a different target repo than the workflow actually operates on, which can cause subagent dispatch and safe-output writes to point at the wrong repository. Consider deriving a single resolved target-repo value once (e.g., from env.TARGET_REPOSITORY) and exposing it to the prompt via an allowed steps.*/needs.* output, then reference that consistently throughout the markdown body.
| GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt | ||
| GH_AW_SAFE_OUTPUTS: ${{ runner.temp }}/gh-aw/safeoutputs/outputs.jsonl | ||
| GH_AW_ENV_TARGET_REPOSITORY: ${{ env.TARGET_REPOSITORY }} | ||
| GH_AW_EXPR_328DA439: ${{ github.event.inputs.target_repository || github.repository }} |
There was a problem hiding this comment.
GH_AW_EXPR_328DA439 is populated from github.event.inputs.target_repository || github.repository, but the workflow-level TARGET_REPOSITORY env var includes an additional vars.TARGET_REPOSITORY fallback. This means the compiled prompt placeholder for the target repo can diverge from the repo actually used by the workflow on scheduled runs / when vars are set. Update the expression backing this placeholder to use the same resolved target repository value as the workflow (or derive it from a step output) so the prompt and runtime behavior stay aligned.
| GH_AW_EXPR_328DA439: ${{ github.event.inputs.target_repository || github.repository }} | |
| GH_AW_EXPR_328DA439: ${{ github.event.inputs.target_repository || vars.TARGET_REPOSITORY || github.repository }} |
|
@copilot review comments |
github-actions
bot
deleted the
copilot/reject-env-expressions-in-markdown
branch
The compile-time expression safety validator accepted
env.*expressions (e.g.${{ env.GITHUB_TOKEN }}) in workflow markdown and propagated them into generated lock files, despite documentation explicitly prohibiting this category. Workflow authors relying on compile-time rejection for accidental secret exposure viaenv.*were unprotected.Security fix
envRegex/EnvRefromExpressionValidationOptionsand all allowlist checks invalidateSingleExpression()(simple, comparison, and OR branches)EnvPatternfromexpression_patterns.goenv.*from the allowed-expressions hint in validation error outputTests
authorized_env_variable→blocked_env_variable; addedblocked_env_github_tokenandblocked_env_underscoreregression casesmultiple_unauthorized_expressionsnow asserts bothsecrets.GITHUB_TOKENandenv.TESTare rejectedenv variable with string default(env.LOG_LEVEL || 'info') flipped towantErr: true— the OR fallback does not rescue a blocked left-hand expressionEnvRefrom allBenchmarkValidateExpression*callsitesAffected workflows
Two
.github/workflows/files used${{ env.* }}in their markdown bodies (prompt text, not frontmatter YAML — only the former is validated):contribution-check.md: Addedtarget_repositoryas aworkflow_dispatchinput; replaced${{ env.TARGET_REPOSITORY }}with${{ github.event.inputs.target_repository || github.repository }}throughout the markdown bodystale-repo-identifier.md: Replaced${{ env.ORGANIZATION }}with${{ github.event.inputs.organization || 'github' }}(the underlyingworkflow_dispatchinput was already declared)All 179 lock files recompiled.
Warning
Firewall rules blocked me from connecting to one or more addresses (expand for details)
I tried to connect to the following addresses, but was blocked by firewall rules:
https://api.github.com/graphql/usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GO111MODULE x_amd64/link git rev-�� --show-toplevel x_amd64/link /usr/bin/git 2-Jg8EAJx GO111MODULE ache/go/1.25.0/x--show-toplevel git(http block)/usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GO111MODULE x_amd64/vet git rev-�� --show-toplevel x_amd64/vet /usr/bin/infocmp -json GO111MODULE ache/go/1.25.0/x--show-toplevel infocmp(http block)/usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw infocmp af5aa9b80e21aeec--show-toplevel git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git 64/pkg/tool/linu--show-toplevel git(http block)https://api.github.com/orgs/test-owner/actions/secrets/usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name -goversion go1.25.0 -c=4 -nolocalimports -importcfg /tmp/go-build3898337570/b209/importcfg -pack -o /tmp/go-build250-p -trimpath 64/bin/go -p github.com/githu-o -lang=go1.25 go(http block)/usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name "prettier" --wriGOINSECURE git 64/bin/go tierignore /opt/hostedtoolcenv /usr/bin/git node /hom�� --write ../../../**/*.jsGOMOD 64/bin/go --ignore-path ../../../.pretti/home/REDACTED/work/gh-aw/gh-aw/actions/setup/js/node_modules/.bin/prettier ache/node/24.14.--check go(http block)/usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name --show-toplevel go /usr/bin/git r/test-repo/actigit GO111MODULE /opt/hostedtoolc--show-toplevel git rev-�� --show-toplevel go /usr/bin/git -instructions-tegit GO111MODULE /home/REDACTED/.lo--show-toplevel git(http block)https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1/usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha --show-toplevel x_amd64/compile /usr/bin/git ub/workflows exer.go x_amd64/compile git init�� GOMODCACHE x_amd64/compile /usr/bin/infocmp -json GO111MODULE x_amd64/link infocmp(http block)/usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha --show-toplevel go /usr/bin/gh -json GO111MODULE 64/bin/go gh api /repos/actions/checkout/git/ref/tags/v5 --jq /opt/hostedtoolcache/node/24.14.0/x64/bin/node -json GO111MODULE ode_modules/.bin--show-toplevel /opt/hostedtoolcache/node/24.14.0/x64/bin/node(http block)/usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha --show-toplevel -tests /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git ned-imports-enabgit 98954fc7448674farev-parse /opt/hostedtoolc--show-toplevel git(http block)https://api.github.com/repos/actions/checkout/git/ref/tags/v3/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha /tmp/go-build3898337570/b243/_pkg_.a -trimpath /usr/bin/git -p golang.org/x/texrev-parse -lang=go1.25 git rev-�� --show-toplevel -dwarf=false /usr/bin/git go1.25.0 -c=4 -nolocalimports git(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha k/gh-aw/gh-aw/.github/workflows GOPROXY /usr/bin/git GOSUMDB GOWORK 64/bin/go git cat-�� blob(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha k/gh-aw/gh-aw/.github/workflows git /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet --show-toplevel go /usr/bin/git /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -ato�� -bool -buildtags /usr/bin/git -errorsas -ifaceassert -nilfunc git(http block)https://api.github.com/repos/actions/checkout/git/ref/tags/v5/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha 3554535527 0/internal/format/format.go x_amd64/compile GOINSECURE GOMOD abis x_amd64/compile env g_.a u-JHp87yA 64/pkg/tool/linux_amd64/vet GOINSECURE g GOMODCACHE 64/pkg/tool/linux_amd64/vet(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel x_amd64/compile /usr/bin/git -json GO111MODULE x_amd64/link git rev-�� --show-toplevel x_amd64/link /usr/bin/git(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel ache/go/1.25.0/xowner=github /usr/bin/git artifacts-summargit GO111MODULE 64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel 64/pkg/tool/linux_amd64/link 86_64/node util.test GO111MODULE rtcfg.link git(http block)https://api.github.com/repos/actions/checkout/git/ref/tags/v6/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha /tmp/TestCompileErrorFormatting1281924133/001 rev-parse /usr/bin/git -json GO111MODULE x_amd64/compile git -C /tmp/gh-aw-test-runs/20260401-165655-31370/test-2517376493 status /usr/bin/git .github/workflowgit GO111MODULE x_amd64/compile git(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha ets.TOKEN }} go /usr/bin/git ted-objects.md GO111MODULE x_amd64/asm git remo�� remove origin /usr/bin/git -json GO111MODULE x_amd64/compile git(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/asm /usr/bin/git 5655-31370/test-git GO111MODULE cfg git rev-�� --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/compile /usr/bin/git FieldEnforcementgit GO111MODULE ache/go/1.25.0/x--show-toplevel git(http block)https://api.github.com/repos/actions/github-script/git/ref/tags/v8/usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha go1.25.0 -c=4 -nolocalimports -importcfg /tmp/go-build3898337570/b252/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/pkg/semverutil/semverutil.go -V=f�� x_amd64/vet node 64/bin/go -d **/*.cjs 64/bin/go go(http block)/usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha --format %(refname) 64/bin/go -d 61ac06e4f058b300-o 64/bin/go go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha /tmp/go-build250-p -trimpath 64/bin/go ced successfully/opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/compile main -lang=go1.25 go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/actions/setup-go/git/ref/tags/v4/usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha /tmp/file-tracker-test1520290006/test1.md /tmp/file-tracker-test1520290006/test2.lock.yml /usr/bin/git -json GO111MODULE x_amd64/asm git rev-�� --git-dir x_amd64/asm /usr/bin/git -json GO111MODULE x_amd64/compile git(http block)/usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha user.email test@example.com /usr/bin/git h ../../../.pretgit GO111MODULE 64/bin/go git rev-�� --show-toplevel go /usr/bin/git -json GO111MODULE 64/bin/go git(http block)/usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha --get remote.origin.url /usr/bin/git --show-toplevel node /usr/bin/git git conf�� user.name Test User /usr/bin/git --show-toplevel node /usr/bin/git git(http block)https://api.github.com/repos/actions/setup-node/git/ref/tags/v4/usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha GOMODCACHE vCl8LenzMisJ /usr/bin/git -json GO111MODULE x_amd64/asm git rese�� HEAD .github/workflows/test.md /usr/bin/git -json GO111MODULE x_amd64/compile git(http block)/usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha /home/REDACTED/work/gh-aw/gh-aw/.github/workflows/--workflow go /usr/bin/git h ../../../.pretgit GO111MODULE 64/bin/go git rev-�� --show-toplevel go clusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle -json GO111MODULE 64/bin/go git(http block)/usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha --get remote.origin.url /usr/bin/git tags/v5 node /usr/bin/git git init�� /usr/bin/git git /usr/bin/git --show-toplevel git /usr/bin/git git(http block)https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b/usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha --show-toplevel g/workflow/ ache/go/1.25.0/x64/bin/bash --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git(http block)/usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha --show-toplevel ifier.md /usr/bin/git ACCEPT git /usr/bin/git git rev-�� ithub/workflows git cal/bin/bash --show-toplevel git /usr/bin/git git(http block)/usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env _safety_test.go GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/github/gh-aw/usr/bin/gh gh api /repos/github/gh-aw --jq .visibility --show-toplevel git ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet --show-toplevel git /usr/bin/git ache/go/1.25.0/xrev-parse rev-�� --show-toplevel git r: $owner, name: $name) { hasDiscussionsEnabled } } --show-toplevel git /usr/bin/git ache/go/1.25.0/xmcp/memory(http block)/usr/bin/gh gh api /repos/github/gh-aw --jq .visibility ithub/workflows git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� ithub/workflows git /usr/bin/git l git x_amd64/cgo git(http block)/usr/bin/gh gh api /repos/github/gh-aw --jq .visibility -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env kflow/compile_outputs_label_test-nxv GO111MODULE r: $owner, name: $name) { hasDiscussionsEnabled } } GOINSECURE GOMOD GOMODCACHE node(http block)https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0 --jq .object.sha --show-toplevel git bash --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git 64/pkg/tool/linux_amd64/vet --show-toplevel git /usr/bin/git 64/pkg/tool/linux_amd64/vet(http block)/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� ithub/workflows git /usr/bin/git --show-toplevel git /usr/bin/git git(http block)/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha /tmp/go-build756219951/b446/timeutil.test -importcfg /usr/bin/git -s -w -buildmode=exe git add .github/workflows/test.md -extld=gcc /usr/bin/git -json GO111MODULE x_amd64/compile git(http block)/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha --show-toplevel go /usr/bin/git -json GO111MODULE 64/bin/go git -C /tmp/TestCompileErrorFormatting2698255427/001 config /usr/bin/git remote.origin.urgit GO111MODULE 64/bin/go git(http block)/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha --get(http block)https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha licyMinIntegrityOnlymin-integrity_with_explicit_repo442308866/001 -trimpath 219951/b402/_pkg_.a -p maps -lang=go1.25 /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/compile -o /tmp/go-build3898337570/b186/_pkg_.a -trimpath ache/node/24.14.0/x64/bin/node -p crypto/hmac -lang=go1.25 /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linu1(http block)/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha -json GO111MODULE /home/REDACTED/work/_temp/uv-python-dir/node GOINSECURE GOMOD GOMODCACHE node /opt�� run l /home/REDACTED/work/node_modules/.bin/sh GOSUMDB GOWORK 64/bin/go sh(http block)/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha t0 m0s /usr/bin/git -v(http block)https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha atjTay5oJ ache/go/1.25.0/x64/src/net/addrselect.go /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/compile l slices -lang=go1.25 /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/compile rtcf�� /tmp/go-build3898337570/b184/_pkg_.a tmain.go ache/go/1.25.0/x64/pkg/tool/linux_amd64/link -p crypto/hkdf -lang=go1.25 ache/go/1.25.0/x64/pkg/tool/linux_amd64/link(http block)/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha -json GO111MODULE /bin/sh GOINSECURE GOMOD GOMODCACHE /bin/sh -c cd actions/setup/js && npm run lint:cjs GOPROXY 6559103/b433/vet.cfg GOSUMDB GOWORK 64/bin/go sh(http block)/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha t0 m0s ache/node/24.14.0/x64/bin/node -v(http block)https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts/usr/bin/gh gh run download 1 --dir test-logs/run-1 GO111MODULE 64/pkg/tool/linux_amd64/asm GOINSECURE GOMOD arith_wasm.s 64/pkg/tool/linux_amd64/asm env 3772322392/.github/workflows GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linuremote.origin.url(http block)/usr/bin/gh gh run download 1 --dir test-logs/run-1 GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env st-3971697752/.github/workflows GO111MODULE cal/bin/node GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh run download 1 --dir test-logs/run-1 git /usr/bin/git --show-toplevel go r,url,status,con--show-toplevel git rev-�� 0118-49671/test-268072420/.github/workflows git /usr/bin/git 0:00Z go /usr/bin/git git(http block)https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts/usr/bin/gh gh run download 12345 --dir test-logs/run-12345 GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env g_.a @v1.19.2/printer/color.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linuTest User(http block)/usr/bin/gh gh run download 12345 --dir test-logs/run-12345 GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env auto-triage-issues.md GO111MODULE .cfg GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh run download 12345 --dir test-logs/run-12345 git /usr/bin/git --show-toplevel go /opt/hostedtoolc--show-toplevel git rev-�� 0118-49671/test-3524014089/.github/workflows /opt/hostedtoolcache/node/24.14.0/x64/bin/node /usr/bin/git GOMODCACHE x_amd64/vet /usr/bin/git git(http block)https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts/usr/bin/gh gh run download 12346 --dir test-logs/run-12346 GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env g_.a @v1.19.2/internal/errors/error.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linutest@example.com(http block)/usr/bin/gh gh run download 12346 --dir test-logs/run-12346 GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env RequiresMinIntegrity269105956/001 GO111MODULE k/gh-aw/gh-aw/actions/node_modules/.bin/node GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh run download 12346 --dir test-logs/run-12346 git /usr/bin/git --show-toplevel go /usr/bin/git git rev-�� 0118-49671/test-3524014089/.github/workflows git /usr/bin/git --show-toplevel resolved$ /usr/bin/git git(http block)https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts/usr/bin/gh gh run download 2 --dir test-logs/run-2 GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 0XVD7GS/mRL0tEU7JbrieQ94-F8q env 3772322392/.github/workflows i.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile(http block)/usr/bin/gh gh run download 2 --dir test-logs/run-2 GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env st-3971697752/.github/workflows GO111MODULE bin/node GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh run download 2 --dir test-logs/run-2 git At,event,headBranch,headSha,displayTitle --show-toplevel go /usr/bin/git git rev-�� 0118-49671/test-1357867271/.github/workflows git /usr/bin/git --git-dir go /usr/bin/git git(http block)https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts/usr/bin/gh gh run download 3 --dir test-logs/run-3 GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env 3772322392/.github/workflows GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile(http block)/usr/bin/gh gh run download 3 --dir test-logs/run-3 GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE .cfg GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh run download 3 --dir test-logs/run-3 /opt/hostedtoolcache/node/24.14.0/x64/bin/node /usr/bin/git vars.MY_VAR go /usr/bin/git git rev-�� 0118-49671/test-268072420/.github/workflows git 0/x64/bin/node --show-toplevel go /usr/bin/git git(http block)https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts/usr/bin/gh gh run download 4 --dir test-logs/run-4 o 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env 3772322392/.github/workflows @v1.19.2/lexer/lexer.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile(http block)/usr/bin/gh gh run download 4 --dir test-logs/run-4 GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env /ref/tags/v8 GO111MODULE ache/go/1.25.0/x64/bin/node GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh run download 4 --dir test-logs/run-4 git 0/x64/bin/node --show-toplevel go /usr/bin/git git -has�� vaScript3039746114/001/test-simple-frontmatter.md git 0/x64/bin/node --show-toplevel go /usr/bin/git git(http block)https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts/usr/bin/gh gh run download 5 --dir test-logs/run-5 GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env 3772322392/.github/workflows hema-go@v0.4.2/jsonschema/annotations.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile(http block)/usr/bin/gh gh run download 5 --dir test-logs/run-5 GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 0/x64/bin/node GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh run download 5 --dir test-logs/run-5 git /usr/bin/git --show-toplevel go /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git GOMODCACHE go /usr/bin/git git(http block)https://api.github.com/repos/github/gh-aw/actions/workflows/usr/bin/gh gh workflow list --json name,state,path go1.25.0 -c=4 -nolocalimports -importcfg /tmp/go-build3898337570/b127/importcfg -pack /home/REDACTED/go/pkg/mod/github.com/modelcontextprotocol/go-sdk@v1.4.1/mcp/client.go -o /tmp/go-build250-p -trimpath 64/bin/go -p main -lang=go1.25 go(http block)/usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile stlo�� g_.a GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel x_amd64/compile /usr/bin/git -json GO111MODULE 64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel 64/pkg/tool/linux_amd64/compile /usr/bin/git edOutput27192735git @v1.1.3/cpu/cpu.show-ref x_amd64/vet git(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --git-dir go /opt/hostedtoolcache/node/24.14.0/x64/bin/node -json GO111MODULE 64/bin/go /opt/hostedtoolcache/node/24.14.0/x64/bin/node /tmp�� GOMODCACHE go /usr/bin/git 39/001/test-compgit GO111MODULE nch,headSha,disp--verify git(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git 3779502199/.githgit git /usr/bin/basenam--verify git(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha -json GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env g_.a oding@v0.5.4/ascii/equal_fold.go x_amd64/link GOINSECURE GOMOD GOMODCACHE x_amd64/link(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha --show-toplevel gh /usr/bin/git /orgs/test-ownernode --jq /usr/bin/gh git rev-�� ub/workflows gh /usr/bin/git /repos/actions/ggit --jq /usr/bin/git git(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE vCl8LenzMisJ env -json GO111MODULE x_amd64/asm GOINSECURE GOMOD GOMODCACHE x_amd64/asm(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha ath ../../../.pr**/*.json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env re GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha (create_pull_request|push_to_pull_request_branch)" node /usr/bin/git --check **/*.cjs t git rev-�� --show-toplevel /opt/hostedtoolcache/go/1.25.0/x^remote\..*\.gh-resolved$ /usr/bin/git k/gh-aw/gh-aw/.ggit -buildtags /usr/bin/git git(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE x_amd64/asm GOINSECURE GOMOD GOMODCACHE x_amd64/asm(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE x_amd64/compile GOINSECURE SgNL4Y2/HXO2egOlrev-parse GOMODCACHE x_amd64/compile(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha -json d.go 64/bin/go GOINSECURE GOMOD tomic_wasm.s go env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha ath ../../../.pr**/*.json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env re GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha --show-toplevel 0/x64/bin/node /usr/bin/git --check **/*.cjs /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel sh /usr/bin/git git(http block)https://api.github.com/repos/githubnext/agentics/git/ref/tags//usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha --show-toplevel git $name) { hasDiscussionsEnabled } } --show-toplevel git /usr/bin/git ache/go/1.25.0/x^remote\..*\.gh-resolved$ rev-�� --show-toplevel git tnet/tools/bash --show-toplevel git /usr/bin/git git(http block)/usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha ithub/workflows git $name) { hasDiscussionsEnabled } } --show-toplevel git /usr/bin/git ache/go/1.25.0/x64/pkg/tool/linux_amd64/compile rev-�� ithub/workflows git cal/bin/bash --show-toplevel b/gh-aw/pkg/work-C ed } } git(http block)/usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha tputs_label_testOUTPUT GO111MODULE $name) { hasDiscussionsEnabled } } GOINSECURE GOMOD GOMODCACHE go env ck '**/*.cjs' '*ACCEPT GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999/usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha -json GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD 177d7280 64/pkg/tool/linutest@example.com env g_.a oding@v0.5.4/json/codec.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile(http block)/usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha h ../../../.pret.prettierignore GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha --show-toplevel 0/x64/bin/node /usr/bin/git k/gh-aw/gh-aw/.ggit node /usr/bin/git git rev-�� b/workflows git /usr/bin/git --show-toplevel node /usr/bin/git git(http block)https://api.github.com/repos/nonexistent/repo/actions/runs/12345/usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env g_.a GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile(http block)/usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE go env ck '**/*.cjs' '**/*.ts' '**/*.json' --ignore-path ../../../.prettierignore GO111MODULE 0/x64/bin/node GOINSECURE GOMOD GOMODCACHE ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet(http block)/usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion --show-toplevel go /usr/bin/git 64/pkg/tool/linux_amd64/link rev-�� eutil.test git ortcfg.link --show-toplevel go /usr/bin/git FpiJ9ENbZatjTay5oJ/BhqTCoRMGewfss9ZXZGY/X4XoDkfiiEtxJ64HjgrP(http block)https://api.github.com/repos/owner/repo/actions/workflows/usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go **/*.json --ignore-path ../../../.pretti/tmp/go-build3898337570/b093/_pkg_.a /opt/hostedtoolc-trimpath -o /tmp/go-build250-p -trimpath 64/bin/go -p main -lang=go1.25 go(http block)/usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go **/*.json --ignore-path ../../../.pretti/tmp/go-build3898337570/b112/_pkg_.a /opt/hostedtoolc-trimpath -o /tmp/go-build250-p -trimpath 64/bin/go -p main -lang=go1.25 go(http block)/usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go .prettierignore --log-level=erroenv /usr/bin/git /bin/sh -c echo "��� Code fGOINSECURE git 64/bin/go --ignore-path ..node /opt/hostedtoolc/opt/hostedtoolcache/node/24.14.0/x64/bin/npx ache/go/1.25.0/xprettier go(http block)https://api.github.com/repos/owner/repo/contents/file.md/tmp/go-build756219951/b396/cli.test /tmp/go-build756219951/b396/cli.test -test.testlogfile=/tmp/go-build756219951/b396/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true -nolocalimports -importcfg /tmp/go-build3898337570/b210/importcfg -pack /hom�� --check scripts/**/*.js 64/bin/go -d x_amd64/vet 64/bin/go go(http block)/tmp/go-build3016559103/b396/cli.test /tmp/go-build3016559103/b396/cli.test -test.testlogfile=/tmp/go-build3016559103/b396/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true **/*.json --ignore-path run-script/lib/n-json sh -c "prettier" --wriGOINSECURE git 64/bin/go ./cmd/... ./pkg/...; \ else \ echo "golangci-lint is not installed. Run 'make deps-dev' to in /opt/hostedtoolc-c /usr/bin/git go(http block)/tmp/go-build3704887808/b001/cli.test /tmp/go-build3704887808/b001/cli.test -test.testlogfile=/tmp/go-build3704887808/b001/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true -test.run=^Test -test.short=true /usr/bin/git ithub/workflows/git GO111MODULE /opt/hostedtoolc--show-toplevel git rev-�� --show-toplevel go /usr/bin/git licyMinIntegritygit GO111MODULE /opt/hostedtoolc--show-toplevel git(http block)https://api.github.com/repos/test-owner/test-repo/actions/secrets/usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name -goversion go1.25.0 -c=4 -nolocalimports -importcfg /tmp/go-build3898337570/b255/importcfg -pack -o /tmp/go-build250-p -trimpath 64/bin/go -p github.com/githu-o -lang=go1.25 go(http block)/usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name "prettier" --wriGOINSECURE git 64/bin/go tierignore Mh/-AQebepxq_h8Menv /usr/bin/git node /hom�� --write ../../../**/*.jsGOMOD 64/bin/go --ignore-path ../../../.pretti/home/REDACTED/work/gh-aw/gh-aw/actions/setup/js/node_modules/.bin/prettier /usr/bin/git go(http block)/usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name --show-toplevel go /usr/bin/git itattributes-tesgit GO111MODULE ache/node/24.14.--show-toplevel git rev-�� --show-toplevel go /usr/bin/git sistency_GoAndJagit GO111MODULE /home/REDACTED/wor--show-toplevel git(http block)If you need me to access, download, or install something from one of these locations, you can either: