[sergo] Sergo Report: YAML Step Generator Audit + Context-Propagation Revisit - 2026-03-14

[github-actions[bot]]

Date: 2026-03-14
Strategy: yaml-step-generator-audit-plus-context-propagation-revisit
Success Score: 8/10
Run: §23097433230

Executive Summary

Today's analysis combined a revisit of the persistent context-propagation gap in dispatch.go (unfixed since run 19) with a new deep audit of the YAML step-generator layer — specifically how user-supplied values are serialized into GitHub Actions YAML steps. The audit surfaced two co-located bugs in runtime_step_generator.go and one in the brand-new Copilot pre-flight diagnostic code introduced in PR #20975.

The core new finding is a single-quote escaping defect in formatYAMLValue: every string is wrapped in YAML single quotes using fmt.Sprintf("'%s'", v) without ever doubling embedded ' characters as ''. Since YAML single-quoted scalars represent a literal ' only via '', any user-supplied ExtraFields value or engine version string containing a single quote will produce syntactically invalid workflow YAML. The related PR #20975 independently introduced a separate unquoted YAML injection point in the Copilot pre-flight diagnostic step for the COPILOT_API_TARGET env variable.

Three findings were discovered and three improvement tasks are proposed.

---

🛠️ Serena Tools Update

Tools Snapshot

• Total Tools Available: 40 (23 active, 17 inactive)
• New Tools Since Last Run: None
• Removed Tools: None
• Modified Tools: None — tool list is stable for the 4th consecutive run

Tool Capabilities Used Today

Tool	Purpose
get_symbols_overview	Mapped symbols in copilot_engine_execution.go and runtime_step_generator.go
find_symbol	Read generateCopilotPreflightDiagnosticStep and GetExecutionSteps bodies
grep (native)	Cross-referenced formatYAMLValue callers, ExtraFields sources, APITarget usage, append(step, patterns
Read (native)	Inspected full formatYAMLValue implementation and step-generation context
bash	Counted files, checked latest commit metadata, confirmed go.mod Go version (1.25.0)

---

📊 Strategy Selection

Cached Reuse Component (50%)

Previous Strategy Adapted: context-propagation-dispatch-audit (run 19, score 8) + context-propagation-revisit (run 20, score 7)

• Original Success Score: 8/10 and 7/10
• Last Used: 2026-03-13 (run 20)
• Why Reused: dispatch.go fetchAndSaveRemoteDispatchWorkflows missing context.Context has been confirmed unfixed for three consecutive runs. Re-validating keeps it visible. Also used to anchor the audit on the latest commit (PR Add Copilot pre-flight diagnostic for GHES environments #20975: Copilot pre-flight GHES diagnostic) for any new context issues.
• Modifications: Extended scope to include the new generateCopilotPreflightDiagnosticStep function introduced in the latest commit; audited new code for YAML and context issues simultaneously.

New Exploration Component (50%)

Novel Approach: yaml-step-generator-audit — systematic review of how user-controlled values are embedded into generated GitHub Actions YAML strings.

• Tools Employed: grep for fmt.Sprintf("'%s'", append(step, patterns; Read for formatYAMLValue and callers; Serena find_symbol for body inspection
• Hypothesis: The codebase generates raw YAML strings by string concatenation in multiple step-generator functions. YAML has specific quoting rules (single-quoted scalars, escape rules). If any function wraps values in single quotes without escaping embedded ', user-configured values with single quotes would silently produce broken workflow YAML.
• Target Areas: pkg/workflow/runtime_step_generator.go, pkg/workflow/copilot_engine_execution.go, all append(step, patterns across pkg/workflow/

Combined Strategy Rationale

The two components complement each other because the latest commit (PR #20975) introduced new step-generation code that follows the same structural pattern as runtime_step_generator.go. Reviewing new code through the lens of an existing known anti-pattern (direct YAML concatenation) immediately revealed the new COPILOT_API_TARGET injection point. The cached context-propagation angle caught the pre-flight step's missing context propagation opportunity while inspecting the new code.

---

🔍 Analysis Execution

Codebase Context

• Total Go Files (non-test): 584
• Files in pkg/: 577
• Packages Analyzed: pkg/workflow/ (runtime step generators, Copilot engine, dispatch)
• Focus Areas: Step-generator layer, new GHES pre-flight diagnostic, YAML formatting utilities
• Go Version: 1.25.0 (confirmed via go.mod)

Findings Summary

• Total Issues Found: 3
• Critical: 0
• High: 2
• Medium: 1
• Low: 0

---

📋 Detailed Findings

High Priority Issues

Finding 1 — formatYAMLValue single-quote escaping bug

pkg/workflow/runtime_step_generator.go:162–208

The function formatYAMLValue is the central utility for serializing user ExtraFields into YAML with: blocks of generated runtime setup steps. It wraps all string values in YAML single quotes:

// Return as-is for simple strings, quote for complex ones  ← misleading comment
return fmt.Sprintf("'%s'", v)

In YAML, single-quoted scalars cannot contain a bare ' character — it must be doubled as '' (the only escape mechanism in single-quoted strings). The current implementation never applies this escaping. If a user configures an ExtraFields value containing a single quote — for example, a cache-dependency-path expression, an auth token description, or a custom version string — the generated step YAML will be syntactically invalid.

Additional instance: runtime_step_generator.go:125 applies the same unescaped single-quoting directly for the version field:

step = append(step, fmt.Sprintf("          %s: '%s'", runtime.VersionField, version))

If a user's engine version string (e.g. node-version: "20.0.0's LTS") contained a ', the same breakage occurs.

Evidence path: ExtraFields is populated from user-supplied with: blocks parsed from .github/workflows/ YAML files at pkg/workflow/runtime_deduplication.go:168 (req.ExtraFields[key] = value), making this fully user-controlled.

Impact: Users who include single-quote characters in any runtime.setup.with.* field or engine version string will silently receive a broken generated workflow that fails to parse — with no error at gh aw compile time and a confusing YAML parse error at runtime.

---

Finding 2 — COPILOT_API_TARGET unquoted YAML injection (new in PR #20975)

pkg/workflow/copilot_engine_execution.go:498

The new generateCopilotPreflightDiagnosticStep function (introduced in the latest commit, PR #20975) directly concatenates EngineConfig.APITarget into a YAML env: block without any quoting:

step = append(step, "          COPILOT_API_TARGET: "+workflowData.EngineConfig.APITarget)

APITarget is a user-configured hostname string (e.g. api.acme.ghe.com). While typical hostname values are safe, this pattern:

1. Is inconsistent with the rest of the codebase — all other user-provided values use formatYAMLValue or are pre-validated $\{\{ }} expressions
2. Is fragile — a value containing : (colon-space), #, or a newline would produce invalid or misleading YAML in the generated workflow file

The three places in the codebase using unquoted append(step, "...: "+var) are:

• runtime_step_generator.go:98 — IfCondition (GitHub Actions expression, controlled syntax)
• runtime_step_generator.go:104 — GoModFile (filesystem path, limited charset)
• copilot_engine_execution.go:498 — APITarget (user hostname, new)

The first two have constrained input formats by convention; APITarget does not.

---

Medium Priority Issues

Finding 3 — fetchAndSaveRemoteDispatchWorkflows missing context.Context (unfixed since run 19)

pkg/cli/dispatch.go:77

The function fetchAndSaveRemoteDispatchWorkflows has no context.Context parameter. The getRepoDefaultBranch(spec.RepoSlug) call at line 93 performs an uncancellable network request — spawned during gh aw add to resolve a remote workflow's default branch when no explicit version: is set.

func fetchAndSaveRemoteDispatchWorkflows(content string, spec *WorkflowSpec,
    targetDir string, verbose bool, force bool,
    tracker *FileTracker, downloaders ...fileDownloadFn) error {
    // ...
    defaultBranch, err := getRepoDefaultBranch(spec.RepoSlug)  // no ctx

This has been confirmed unfixed for three consecutive Sergo runs (19, 20, 21). Ctrl+C during gh aw add cannot cancel this network call; the process must wait for the TCP timeout.

---

✅ Improvement Tasks Generated

Task 1: Fix formatYAMLValue single-quote escaping in YAML step generator

Issue Type: YAML Generation Correctness

Problem:
formatYAMLValue (pkg/workflow/runtime_step_generator.go:162) wraps all string values in YAML single quotes via fmt.Sprintf("'%s'", v) without escaping embedded ' as ''. Per the YAML specification, a single-quoted scalar's only escape is '' for a literal single quote. Any user-configured ExtraFields value or engine version string containing ' will produce syntactically invalid workflow YAML.

The same bug appears on line 125 where the version field is formatted directly:

fmt.Sprintf("          %s: '%s'", runtime.VersionField, version)

Locations:

• pkg/workflow/runtime_step_generator.go:162–174 — formatYAMLValue string case
• pkg/workflow/runtime_step_generator.go:125 — version field formatting
• pkg/workflow/runtime_step_generator.go:206 — default case also unescaped: fmt.Sprintf("'%v'", v)

Impact:

• Severity: High
• Affected Files: 1 (runtime_step_generator.go)
• Risk: Silent broken workflow YAML for users with single quotes in runtime ExtraFields or engine version strings; fails at GitHub Actions parse time, not at gh aw compile time

Recommendation:
Add a helper that properly escapes single-quoted YAML scalars, and apply it consistently:

Before:

// formatYAMLValue - string case
return fmt.Sprintf("'%s'", v)

// version field
step = append(step, fmt.Sprintf("          %s: '%s'", runtime.VersionField, version))

After:

// singleQuoteYAML escapes a string for use in a YAML single-quoted scalar.
// The only escape in single-quoted YAML is '' for a literal single quote.
func singleQuoteYAML(s string) string {
    return "'" + strings.ReplaceAll(s, "'", "''") + "'"
}

// formatYAMLValue - string case
return singleQuoteYAML(v)

// version field
step = append(step, fmt.Sprintf("          %s: %s", runtime.VersionField, singleQuoteYAML(version)))

Validation:

• Unit tests: formatYAMLValue("it's") → "'it''s'", formatYAMLValue("O'Brien") → "'O''Brien'"
• Verify generated YAML parses correctly with gopkg.in/yaml.v3
• Check runtime_step_generator_test.go for existing round-trip tests

Estimated Effort: Small

---

Task 2: Quote COPILOT_API_TARGET value in pre-flight diagnostic step generator

Issue Type: YAML Generation Consistency / Injection Risk (new code, PR #20975)

Problem:
generateCopilotPreflightDiagnosticStep at pkg/workflow/copilot_engine_execution.go:498 directly concatenates EngineConfig.APITarget into a YAML env block without quoting:

step = append(step, "          COPILOT_API_TARGET: "+workflowData.EngineConfig.APITarget)

This is inconsistent with how other user-supplied values are handled throughout the step-generation layer. While a well-formed hostname (api.acme.ghe.com) is safe, the pattern is fragile: a value containing : , #, or a newline would silently corrupt the generated workflow YAML.

Location:

• pkg/workflow/copilot_engine_execution.go:498

Impact:

• Severity: High
• Affected Files: 1 (copilot_engine_execution.go)
• Risk: Malformed workflow YAML if api-target config value contains YAML-special characters; inconsistent with codebase patterns

Recommendation:
Apply singleQuoteYAML (from Task 1) or formatYAMLValue to the APITarget value. Since APITarget is a plain hostname string, single-quoting it is the safest approach:

Before:

step = append(step, "          COPILOT_API_TARGET: "+workflowData.EngineConfig.APITarget)

After:

step = append(step, "          COPILOT_API_TARGET: "+singleQuoteYAML(workflowData.EngineConfig.APITarget))

Validation:

• Test with APITarget values containing :, #, ', and newline
• Confirm generated workflow YAML round-trips through gopkg.in/yaml.v3
• Add test case to the Copilot engine execution test suite

Estimated Effort: Small (fix is one line; test coverage is the bulk of effort)

---

Task 3: Add context.Context to fetchAndSaveRemoteDispatchWorkflows

Issue Type: Context Propagation / Cancellation

Problem:
fetchAndSaveRemoteDispatchWorkflows (pkg/cli/dispatch.go:77) has no context.Context parameter. The getRepoDefaultBranch(spec.RepoSlug) call at line 93 is an uncancellable network request triggered during gh aw add. If the network is slow or the remote is unreachable, the process cannot be interrupted by Ctrl+C. This has been unfixed since run 19 (2026-03-11).

Location:

• pkg/cli/dispatch.go:77 — function signature missing ctx context.Context
• pkg/cli/dispatch.go:93 — getRepoDefaultBranch(spec.RepoSlug) → should become getRepoDefaultBranch(ctx, spec.RepoSlug)

Impact:

• Severity: Medium
• Affected Files: 2 (dispatch.go, callers that pass context)
• Risk: Uninterruptible network hang during gh aw add if remote branch resolution stalls

Recommendation:

Before:

func fetchAndSaveRemoteDispatchWorkflows(content string, spec *WorkflowSpec,
    targetDir string, verbose bool, force bool,
    tracker *FileTracker, downloaders ...fileDownloadFn) error {
    // ...
    defaultBranch, err := getRepoDefaultBranch(spec.RepoSlug)

After:

func fetchAndSaveRemoteDispatchWorkflows(ctx context.Context, content string, spec *WorkflowSpec,
    targetDir string, verbose bool, force bool,
    tracker *FileTracker, downloaders ...fileDownloadFn) error {
    // ...
    defaultBranch, err := getRepoDefaultBranch(ctx, spec.RepoSlug)

Validation:

• Update getRepoDefaultBranch signature to accept ctx
• Propagate context from all call sites (find with grep -rn fetchAndSaveRemoteDispatchWorkflows)
• Verify Ctrl+C during gh aw add with a slow remote cancels cleanly

Estimated Effort: Small–Medium (propagation through call chain)

---

📈 Success Metrics

This Run

• Findings Generated: 3
• Tasks Created: 3
• Files Analyzed: ~8 (copilot_engine_execution.go, runtime_step_generator.go, runtime_deduplication.go, dispatch.go, engine_helpers.go, engine.go, unified_prompt_step.go, awf_helpers.go)
• Success Score: 8/10

Reasoning for Score

• Findings Quality (3/4): Two HIGH findings with clear reproduction paths, one recurring MEDIUM
• Coverage (3/3): Anchored on the latest commit's new code (PR Add Copilot pre-flight diagnostic for GHES environments #20975) plus a cross-cutting audit of the YAML generation layer — good breadth
• Task Generation (2/3): All three tasks are actionable with small scope; deducted 1 point because Finding 2 (new COPILOT_API_TARGET) depends on Task 1's singleQuoteYAML helper, making the tasks sequentially coupled

---

📊 Historical Context

Strategy Performance (all 21 runs)

Run	Date	Strategy	Score	Findings	Tasks
1	2026-02-21	symbol-analysis-plus-error-patterns	8	3	3
2	2026-02-22	interface-coverage-plus-registry-analysis	8	3	3
3	2026-02-23	error-patterns-plus-field-registry-audit	9	3	3
4	2026-02-24	error-wrapping-plus-context-propagation	8	3	3
5	2026-02-25	blank-identifier-audit-plus-incomplete-impl	8	3	3
6	2026-02-26	registry-nil-plus-goroutine-lifecycle	8	3	3
7	2026-02-28	config-field-audit-plus-subprocess-timeout	7	3	3
8	2026-03-01	context-propagation-revisit-plus-pagination-audit	8	3	3
9	2026-03-02	context-sleep-audit-plus-polling-infra	8	3	3
10	2026-03-03	mutex-audit-plus-init-function-audit	8	3	3
11	2026-03-04	dependency-graph-race-audit-plus-npm-subprocess-timeout	9	3	3
12	2026-03-05	dep-graph-race-revisit-plus-string-builder-audit	8	3	3
13	2026-03-06	string-builder-revisit-plus-scanner-buffer-audit	8	3	3
14	2026-03-07	scanner-buffer-revisit-plus-regexp-compilation-audit	8	3	3
15	2026-03-08	regexp-compilation-deepdive-plus-context-free-git-subprocess	8	3	3
16	2026-03-09	regexp-deepdive-revisit-plus-chdir-leak-audit	8	3	3
17	2026-03-10	os-state-revisit-plus-http-response-size-audit	8	3	3
18	2026-03-11	http-client-loop-plus-utf8-truncation-audit	8	3	3
19	2026-03-12	http-network-audit-plus-dispatch-context	8	3	3
20	2026-03-13	context-propagation-revisit-plus-dead-code-audit	7	3	3
21	2026-03-14	yaml-step-generator-audit-plus-context-propagation-revisit	8	3	3

Cumulative Statistics

• Total Runs: 21
• Total Findings: 63
• Total Tasks Generated: 63
• Average Success Score: 8.0/10
• Most Successful Strategy: error-patterns-plus-field-registry-audit (run 3, score 9)
• Issues Fixed Since Sergo Started: 4 confirmed fixes across 21 runs

---

🎯 Recommendations

Immediate Actions

1. [HIGH] Fix formatYAMLValue single-quote escaping (runtime_step_generator.go:162,125,206) — introduce singleQuoteYAML(s string) string helper using strings.ReplaceAll(s, "'", "''") and apply throughout the step generator. Small effort, prevents silent broken YAML for users with ' in config values.
2. [HIGH] Quote COPILOT_API_TARGET in pre-flight step (copilot_engine_execution.go:498) — apply singleQuoteYAML (or formatYAMLValue) to EngineConfig.APITarget. One-line fix in new code before it ships widely to GHES users.
3. [MEDIUM] Add context.Context to fetchAndSaveRemoteDispatchWorkflows (dispatch.go:77) — allows Ctrl+C cancellation of the getRepoDefaultBranch network call during gh aw add. Has been flagged for 3 consecutive runs.

Long-term Improvements

• YAML generation layer audit: The step-generator pattern (string concatenation into raw YAML) is fragile. Consider a struct-based approach for step generation that uses a YAML marshaler, eliminating the entire class of single-quote, injection, and indentation bugs. This would address Findings 1 and 2 and prevent recurrence.
• Fix backlog attention: 23 unfixed recurring issues remain in the Sergo backlog as of run 21. The longest-standing (GetSupportedEngines non-deterministic map iteration, getLatestWorkflowRunWithRetry missing context) have been flagged for 10+ consecutive runs. A dedicated debt-reduction sprint targeting the top 5 by severity would have significant impact.

---

🔄 Next Run Preview

Suggested Focus Areas

• New code in PR Add Copilot pre-flight diagnostic for GHES environments #20975: The copilot_preflight_diagnostic.sh script is referenced at copilot_engine_execution.go:501. Auditing the shell script generation pattern for shell injection vulnerabilities (env variables expanded in run: steps).
• IfCondition and GoModFile unquoted injection: The two pre-existing unquoted YAML concatenations in runtime_step_generator.go:98,104 were left un-analyzed today. A follow-up audit of what inputs flow into IfCondition and whether they can contain YAML-special sequences is warranted.

Strategy Evolution

• The YAML generation layer has proven to be a rich new area (2 high findings in first audit). A second pass of pkg/workflow/ step-generator files focusing on IfCondition sourcing and shell injection in run: step content would be a natural continuation.
• The 50% cached / 50% new split continues to work well — new angles consistently find previously unseen issues while cached revisits keep long-standing issues visible.

---

References:

• §23097433230

AI generated by Sergo - Serena Go Expert · history

• expires on Mar 15, 2026, 10:21 PM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Sergo - Serena Go Expert.

A newer discussion is available at Discussion #21125.

[pelikhan]

/plan