safe_output_handler_manager ignores allowed-domains, redacts URLs from allowlisted domains

[theletterf]

Description

The allowed-domains configuration under safe-outputs: in the workflow frontmatter does not prevent URL redaction by the safe_output_handler_manager.cjs. URLs from explicitly allowed domains are still replaced with (domain/redacted) in comments.

Reproduction

Frontmatter:

safe-outputs:
  allowed-domains:
    - docs.example.com
    - api.example.com
  add-comment:

Compiled output shows two different behaviors:

1. collect_ndjson_output.cjs (agent job, ingestion step) — correctly receives GH_AW_ALLOWED_DOMAINS: "docs.example.com,api.example.com" as an env var and passes URLs through without redaction. ✅

2. safe_output_handler_manager.cjs (safe_outputs job) — does NOT receive GH_AW_ALLOWED_DOMAINS. Its GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG only contains {"add_comment":{"max":1},...} with no domain allowlist. It redacts all non-GitHub URLs:

Redacted URL: docs.example....
Redacted URL: docs.example....

The allowed-domains config only populates GH_AW_ALLOWED_DOMAINS in the agent job's collect_ndjson_output step. The safe_outputs job's Process Safe Outputs step has no access to this configuration.

Expected behavior

URLs from domains listed in safe-outputs.allowed-domains should pass through to the final comment unredacted. The allowed domains should be propagated to the safe_output_handler_manager.cjs — either via the GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG JSON, a separate env var, or the agent output artifact.

Environment

• gh-aw compiler: v0.50.4 (also reproduced on v0.49.4)
• Engine: Copilot CLI
• Trigger: issue_comment, issues: labeled

Workaround

Instruct the agent to output doc site paths (e.g. /docs/product/page-name) instead of full URLs to avoid triggering the URL sanitizer.

[strawgate]

from a quick look

GH_AW_ALLOWED_DOMAINS is only set in the agent job (at compiler_yaml.go:698 in the "Ingest   
  agent output" step), but the sanitization that produces the final comment runs in the        
  separate safe_outputs job, which never receives this env var.                                
                                                                                               
  The safe_outputs job's env vars are built by:                                                
  - buildJobLevelSafeOutputEnvVars() at compiler_safe_outputs_job.go:348 — does NOT include
  GH_AW_ALLOWED_DOMAINS
  - buildHandlerManagerStep() at compiler_safe_outputs_steps.go:215 — does NOT include it
  either
  - addAllSafeOutputConfigEnvVars() at compiler_safe_outputs_env.go:9 — does NOT include it
  either

  So when add_comment.cjs → sanitizeContent() → buildAllowedDomains() runs in the safe_outputs
  job, GH_AW_ALLOWED_DOMAINS is unset and it falls back to the hardcoded JS defaults:
  ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev",
  "codespaces.new"]

  The fix is to add GH_AW_ALLOWED_DOMAINS (and likely GH_AW_ALLOWED_GITHUB_REFS and
  GH_AW_COMMAND) to buildJobLevelSafeOutputEnvVars or buildHandlerManagerStep, using the same
  computation from compiler_yaml.go:688-698.

minimal reproduction (compile this and check the agents job has the env var but the safe outputs job doesnt)

---
description: Minimal repro for allowed-domains not propagated to safe_outputs job
on:
  workflow_dispatch:

permissions:
  contents: read
  issues: read

engine:
  id: copilot

network:
  allowed:
    - defaults
    - www.elastic.co

safe-outputs:
  add-comment:
    max: 1
---

Say hello.