Summary
When using the Claude engine, the protected_files and protected_path_prefixes in the activation config (written by the "Write Safe Outputs Config" step) differ from those in the handler config (GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG env var).
Specifically, CLAUDE.md and .claude/ are protected in the handler config but not in the activation config.
Observed behavior
In a compiled *.lock.yml for a Claude engine workflow (e.g. daily-doc-updater.lock.yml):
Activation config (written to ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json):
{
  "create_pull_request": {
    "protected_files": ["package.json", "CODEOWNERS", ...],
    "protected_path_prefixes": [".github/", ".agents/"]
  }
}
→ CLAUDE.md and .claude/ are absent
Handler config (GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG):
{
  "create_pull_request": {
    "protected_files": [..., "CLAUDE.md"],
    "protected_path_prefixes": [".github/", ".agents/", ".claude/"]
  }
}
→ CLAUDE.md and .claude/ are present
Impact
The handler config provides the actual protection at output processing time, so there is no exploitable gap in practice. However, the inconsistency between the two configs is confusing and was flagged by an automated security scanner (AWS Security Agent), creating unnecessary noise in PR reviews.
Expected behavior
Both activation config and handler config should have consistent protected_files / protected_path_prefixes for Claude engine workflows. Ideally, CLAUDE.md and .claude/ should be included in the activation config as well.
Questions
- Is the discrepancy intentional? (e.g., activation config = base defaults, handler config = engine-specific additions injected at compile time)
- Is there a way for users to add custom entries to protected_files / protected_path_prefixes in the activation config via the workflow .md source file's safe-outputs section?
Environment
- gh-aw compiler version: v0.68.3
- Engine: Claude Code (agent_id: claude)
- Workflow source: github/gh-aw/.github/workflows/daily-doc-updater.md@4a24b3ca12367cbedd9dc779dc47483e5f8cba9b
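A consistency check for the two configs described above, as an added example that is not part of the original issue or of gh-aw. It reports entries that one config protects and the other does not cover, either exactly or through a path prefix. Assumptions: the function names are hypothetical, matching is plain exact-string and string-prefix (gh-aw's real matching rules are not shown in the issue), and the sample JSON is constructed from the entries visible above with the elided ones left out.

```python
import json

def _missing(src, dst):
    """Entries protected in `src` that `dst` covers neither exactly nor by prefix."""
    dst_files = set(dst.get("protected_files", []))
    dst_prefixes = dst.get("protected_path_prefixes", [])
    out = [f for f in src.get("protected_files", [])
           if f not in dst_files and not any(f.startswith(p) for p in dst_prefixes)]
    # A prefix counts as covered when an equal or shorter prefix exists in dst.
    out += [p for p in src.get("protected_path_prefixes", [])
            if not any(p.startswith(q) for q in dst_prefixes)]
    return sorted(out)

def protection_drift(activation_json, handler_json):
    """Compare both configs per safe-output type; return only types that differ."""
    activation = json.loads(activation_json)
    handler = json.loads(handler_json)
    drift = {}
    for output_type in sorted(set(activation) | set(handler)):
        a, h = activation.get(output_type), handler.get(output_type)
        # Treat a missing or non-object entry as "protects nothing".
        a = a if isinstance(a, dict) else {}
        h = h if isinstance(h, dict) else {}
        report = {"missing_in_activation": _missing(h, a),
                  "missing_in_handler": _missing(a, h)}
        if any(report.values()):
            drift[output_type] = report
    return drift

# Constructed sample input (assumption: elided "..." entries omitted).
SAMPLE_ACTIVATION = """{"create_pull_request": {
  "protected_files": ["package.json", "CODEOWNERS"],
  "protected_path_prefixes": [".github/", ".agents/"]}}"""
SAMPLE_HANDLER = """{"create_pull_request": {
  "protected_files": ["package.json", "CODEOWNERS", "CLAUDE.md"],
  "protected_path_prefixes": [".github/", ".agents/", ".claude/"]}}"""

if __name__ == "__main__":
    print(json.dumps(protection_drift(SAMPLE_ACTIVATION, SAMPLE_HANDLER), indent=2))
```

Feeding it the contents of config.json and the value of GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG is left to the caller; an empty result means the two configs protect the same paths.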