Fix expression errors for custom engine workflows missing validate-secret step

[Copilot]

The compiler unconditionally added secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} to all agent job outputs, but Custom engine doesn't include the validate-secret step in GetInstallationSteps(). This caused expression errors in 2 workflows (issue-classifier, smoke-opencode).

Changes

• Made output conditional: Only add secret_verification_result output when engine includes validate-secret step
• Added helper function: EngineHasValidateSecretStep() in engine_helpers.go to detect step presence
• Applied to notification logic: Made GH_AW_SECRET_VERIFICATION_RESULT env var conditional in conclusion job

// Check if engine adds the step before adding the output
if EngineHasValidateSecretStep(engine, data) {
    outputs["secret_verification_result"] = "${{ steps.validate-secret.outputs.verification_result }}"
}

Impact

• Custom engine workflows (actions-ai-inference, opencode): No secret_verification_result output
• Copilot/Claude/Codex workflows: Unchanged (still have the output)
• Expression errors reduced from 2 to 0 across all 148 workflows

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[Code Quality] Fix expression errors in 27 workflows with undefined job outputs</issue_title>
<issue_description>### Description

27 compiled workflows contain expression errors where job outputs or properties are referenced that don't exist in the workflow context, causing runtime failures and empty values.

Error Pattern

Common issue: Referencing needs.job_name.outputs.property when:

• The job doesn't define that output
• The property name is incorrect
• The job dependency isn't declared in needs:

Example from actionlint:

# Job references output that doesn't exist
- name: Use error message
  run: echo "${{ needs.create_pull_request.outputs.error_message }}"
  # ERROR: create_pull_request job doesn't define error_message output

Impact

• Runtime Errors: Workflows fail or behave unexpectedly
• Empty Values: Critical data is silently missing
• Debugging Difficulty: Errors only appear at runtime, not compile time
• Workflow Reliability: 18% of workflows affected (27/148)

Affected Workflows

From static analysis report (Discussion githubnext/gh-aw#11769):

• ci-coach
• cloclo
• code-scanning-fixer
• code-simplifier
• daily-doc-updater
• daily-workflow-updater
• dependabot-bundler
• developer-docs-consolidator
• dictation-prompt
• github-mcp-tools-report
• grumpy-reviewer
• homebrew-updater
• library-upgrade-guide
• mergefest
• openapi-spec-generator
• pdf-summary
• plan
• pr-nitpick-reviewer
• pull-request-summary
• q
• r
• release
• repo-audit-analyzer
• repo-tree-map
• scout
• skill-update-prompter
• unbloat-docs

Success Criteria

• All 27 workflows analyzed for expression errors
• Missing job outputs added or references removed
• Incorrect property paths corrected
• All job dependencies declared in needs: blocks
• Actionlint expression errors reduced to 0
• Add compiler validation to catch these errors early

Implementation Approach

Step 1: Detection

# Use actionlint to identify specific errors
actionlint .github/workflows/*.lock.yml 2>&1 | grep "expression"

Step 2: Fix Patterns

For each workflow:

1. Identify the referenced output (e.g., needs.job.outputs.property)
2. Check if the job defines that output:
   • If missing: Add output definition to the job
   • If wrong name: Correct the reference
   • If job doesn't exist: Remove the reference or add the job
3. Verify needs: dependency is declared

Step 3: Validation

Add compiler-time validation:

// Pseudo-code for compiler enhancement
func validateJobDependencies(workflow *Workflow) []error {
    // For each job's steps that reference needs.*
    // Verify the referenced job exists
    // Verify the output is defined
    // Return errors if validation fails
}

Files Affected

• pkg/workflow/compiler*.go - Add expression validation
• pkg/workflow/validation*.go - Job dependency checks
• .github/workflows/*.md - Fix source workflows (27 files)
• .github/workflows/*.lock.yml - Will be regenerated

Debugging Tips

1. Search for needs.*.outputs.* in workflow files
2. Cross-reference with job output definitions (outputs: blocks)
3. Check needs: dependencies are declared
4. Test workflows locally with gh workflow run to verify fixes

Priority

High - This affects 18% of workflows and causes runtime failures. Should be fixed before adding new features.

Source

Extracted from Discussion githubnext/gh-aw#11769 - Static Analysis Report (Jan 25, 2026)

Section: Priority 1: Expression Errors (27 workflows)

AI generated by Discussion Task Miner - Code Quality Improvement Agent

• expires on Feb 15, 2026, 5:09 PM UTC

Comments on the Issue (you are @copilot in this section)

• Fixes [Code Quality] Fix expression errors in 27 workflows with undefined job outputs #13144

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.