[plan] Fix single-quote escaping bug in `formatYAMLValue` YAML step generator

## Context

Identified in [Sergo Audit Discussion #20993](https://github.com/github/gh-aw/discussions/20993) — YAML Step Generator Audit + Context-Propagation Revisit (2026-03-14, score 8/10).

## Problem

`formatYAMLValue` in `pkg/workflow/runtime_step_generator.go` wraps all string values in YAML single quotes via `fmt.Sprintf("'%s'", v)` **without ever escaping embedded `'` characters as `''`**. Per the YAML spec, single-quoted scalars represent a literal `'` only via `''`. Any user-configured `ExtraFields` value or engine version string containing a single quote will produce syntactically invalid workflow YAML at GitHub Actions parse time — with no error at `gh aw compile` time.

**Affected locations:**
- `pkg/workflow/runtime_step_generator.go:162–174` — `formatYAMLValue` string case: `fmt.Sprintf("'%s'", v)`
- `pkg/workflow/runtime_step_generator.go:125` — version field: `fmt.Sprintf("          %s: '%s'", runtime.VersionField, version)`
- `pkg/workflow/runtime_step_generator.go:206` — default case: `fmt.Sprintf("'%v'", v)`

**Impact**: Users who include single-quote characters in any `runtime.setup.with.*` field or engine version string silently receive broken generated workflow YAML.

## Approach

1. Add a `singleQuoteYAML` helper function in `runtime_step_generator.go`:
   ```go
   // singleQuoteYAML escapes a string for use in a YAML single-quoted scalar.
   // The only escape in single-quoted YAML is '' for a literal single quote.
   func singleQuoteYAML(s string) string {
       return "'" + strings.ReplaceAll(s, "'", "''") + "'"
   }
   ```
2. Replace all three unescaped `fmt.Sprintf("'%s'", v)` / `fmt.Sprintf("'%v'", v)` occurrences with calls to `singleQuoteYAML`.
3. Update the version field formatting on line 125 to use `singleQuoteYAML(version)`.

## Files to Modify

- `pkg/workflow/runtime_step_generator.go` — add helper, fix 3 call sites
- `pkg/workflow/runtime_step_generator_test.go` — add unit tests

## Acceptance Criteria

- [ ] `singleQuoteYAML` helper exists and is tested: `singleQuoteYAML("it's")` → `"'it''s'"`, `singleQuoteYAML("O'Brien")` → `"'O''Brien'"`
- [ ] All three unescaped quote sites replaced with `singleQuoteYAML`
- [ ] Generated workflow YAML containing `ExtraFields` with single quotes round-trips through `gopkg.in/yaml.v3` without error
- [ ] `make agent-finish` passes (build, test, lint, fmt)




> Generated by [Plan Command](https://github.com/github/gh-aw/actions/runs/23121319255) for issue #discussion #20993 · [◷](https://github.com/search?q=repo%3Agithub%2Fgh-aw+is%3Aissue+%22gh-aw-workflow-call-id%3A+github%2Fgh-aw%2Fplan%22&type=issues)
> - [x] expires  on Mar 17, 2026, 11:03 PM UTC

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[plan] Fix single-quote escaping bug in `formatYAMLValue` YAML step generator #21133

Context

Problem

Approach

Files to Modify

Acceptance Criteria

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

[plan] Fix single-quote escaping bug in formatYAMLValue YAML step generator #21133

Description

Context

Problem

Approach

Files to Modify

Acceptance Criteria

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions

[plan] Fix single-quote escaping bug in `formatYAMLValue` YAML step generator #21133