Fix: propagate allowed-domains to the Process Safe Outputs step #18538

Merged
pelikhan merged 3 commits into main from copilot/fix-safe-output-manager-redaction
Feb 26, 2026

Copilot AI commented Feb 26, 2026

safe-outputs.allowed-domains was only wired into the Ingest agent output step (GH_AW_ALLOWED_DOMAINS env var), not the Process Safe Outputs step. Since safe_output_handler_manager.cjs calls sanitizeContent() → buildAllowedDomains() which reads from process.env.GH_AW_ALLOWED_DOMAINS, URLs from explicitly allowed domains were still redacted in the final comment/issue output.

Changes

  • pkg/workflow/compiler_safe_outputs_steps.go — buildHandlerManagerStep() now emits the same allowed-domains env vars as the ingest step:

    • GH_AW_ALLOWED_DOMAINS — from explicit safe-outputs.allowed-domains config, or computed from engine/network/tool config
    • GITHUB_SERVER_URL / GITHUB_API_URL — so buildAllowedDomains() can also pick up GHES-specific domains at runtime
  • pkg/workflow/compiler_safe_outputs_steps_test.go — two new TestBuildHandlerManagerStep cases asserting the vars are emitted correctly with and without explicit allowed-domains config

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details the original issue you should resolve

<issue_title>safe_output_handler_manager ignores allowed-domains, redacts URLs from allowlisted domains</issue_title>
<issue_description>## Description

The allowed-domains configuration under safe-outputs: in the workflow frontmatter does not prevent URL redaction by the safe_output_handler_manager.cjs. URLs from explicitly allowed domains are still replaced with (domain/redacted) in comments.

Reproduction

Frontmatter:

safe-outputs:
  allowed-domains:
    - docs.example.com
    - api.example.com
  add-comment:

Compiled output shows two different behaviors:

  1. collect_ndjson_output.cjs (agent job, ingestion step) — correctly receives GH_AW_ALLOWED_DOMAINS: "docs.example.com,api.example.com" as an env var and passes URLs through without redaction. ✅

  2. safe_output_handler_manager.cjs (safe_outputs job) — does NOT receive GH_AW_ALLOWED_DOMAINS. Its GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG only contains {"add_comment":{"max":1},...} with no domain allowlist. It redacts all non-GitHub URLs:

Redacted URL: docs.example....
Redacted URL: docs.example....

The allowed-domains config only populates GH_AW_ALLOWED_DOMAINS in the agent job's collect_ndjson_output step. The safe_outputs job's Process Safe Outputs step has no access to this configuration.

Expected behavior

URLs from domains listed in safe-outputs.allowed-domains should pass through to the final comment unredacted. The allowed domains should be propagated to the safe_output_handler_manager.cjs — either via the GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG JSON, a separate env var, or the agent output artifact.

Environment

  • gh-aw compiler: v0.50.4 (also reproduced on v0.49.4)
  • Engine: Copilot CLI
  • Trigger: issue_comment, issues: labeled

Workaround

Instruct the agent to output doc site paths (e.g. /docs/product/page-name) instead of full URLs to avoid triggering the URL sanitizer.</issue_description>

Comments on the Issue (you are @copilot in this section)


The safe-outputs allowed-domains config was only set in the Ingest agent
output step but not in the Process Safe Outputs step. Since
sanitizeContent() in safe_output_handler_manager.cjs reads from the
GH_AW_ALLOWED_DOMAINS env var, URLs from user-configured allowed domains
were still being redacted in the final output.

Also add GITHUB_SERVER_URL and GITHUB_API_URL to the Process Safe Outputs
step so that buildAllowedDomains() can extract GHES domains dynamically.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix URL redaction in safe_output_handler_manager" to "Fix: propagate allowed-domains to the Process Safe Outputs step" Feb 26, 2026
@pelikhan pelikhan marked this pull request as ready for review February 26, 2026 18:12
Copilot AI review requested due to automatic review settings February 26, 2026 18:12
@pelikhan pelikhan merged commit 2e94824 into main Feb 26, 2026
48 checks passed
@pelikhan pelikhan deleted the copilot/fix-safe-output-manager-redaction branch February 26, 2026 18:12
Copilot AI left a comment

Pull request overview

This PR fixes a bug where the safe-outputs.allowed-domains configuration was only propagated to the agent's ingestion step but not to the "Process Safe Outputs" step, causing URLs from explicitly allowed domains to be incorrectly redacted in final outputs.

Changes:

  • Modified the handler manager step builder to include allowed domains environment variables
  • Added GITHUB_SERVER_URL and GITHUB_API_URL to support GHES-specific domain detection
  • Added comprehensive test coverage for the new functionality

Reviewed changes

Copilot reviewed 155 out of 155 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| pkg/workflow/compiler_safe_outputs_steps.go | Added logic to propagate GH_AW_ALLOWED_DOMAINS, GITHUB_SERVER_URL, and GITHUB_API_URL to the handler manager step |
| pkg/workflow/compiler_safe_outputs_steps_test.go | Added two test cases to verify allowed domains are correctly propagated with and without explicit configuration |
| .github/workflows/*.lock.yml (multiple files) | Regenerated workflow files with the new environment variables correctly set in all "Process Safe Outputs" steps |
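
A simplified model of the behaviour this PR fixes, as an added example that is not gh-aw code: two workflow steps run the same env-driven URL sanitizer, and the one that never receives GH_AW_ALLOWED_DOMAINS falls back to its defaults and redacts allowlisted URLs. The function names (buildAllowlist, hostAllowed, redactUrls, allowlistDrift), the default domain list, the "(redacted)" marker, the dot-boundary subdomain matching and the sample step environments are all assumptions made for illustration.

```javascript
// Added illustration, not gh-aw source. Each "env" object stands in for the
// process.env of one workflow step.

// Assumed built-in defaults; the real project's list may differ.
const DEFAULT_DOMAINS = ["github.com", "github.io", "githubusercontent.com"];

// Build the allowlist from one step's environment.
function buildAllowlist(env) {
  const domains = new Set(DEFAULT_DOMAINS);
  for (const entry of (env.GH_AW_ALLOWED_DOMAINS || "").split(",")) {
    const host = entry.trim().toLowerCase();
    if (host) domains.add(host);
  }
  // GHES: add the hostnames of the server and API URLs when they are set.
  for (const key of ["GITHUB_SERVER_URL", "GITHUB_API_URL"]) {
    if (!env[key]) continue;
    try {
      domains.add(new URL(env[key]).hostname.toLowerCase());
    } catch {
      // Malformed URL: the host simply stays off the allowlist.
    }
  }
  return domains;
}

// Exact match, or subdomain match on a dot boundary. A substring test would
// wrongly accept "docs.example.com.other.test".
function hostAllowed(host, allowlist) {
  const h = host.toLowerCase();
  for (const d of allowlist) {
    if (h === d || h.endsWith("." + d)) return true;
  }
  return false;
}

// Replace every http(s) URL whose host is not allowlisted for this step.
function redactUrls(text, env) {
  const allowlist = buildAllowlist(env);
  const redacted = [];
  const out = text.replace(/https?:\/\/[^\s<>"')\]]+/gi, (raw) => {
    let host;
    try {
      host = new URL(raw).hostname;
    } catch {
      redacted.push("(unparseable)");
      return "(redacted)";
    }
    if (hostAllowed(host, allowlist)) return raw;
    redacted.push(host);
    return "(redacted)";
  });
  return { text: out, redacted };
}

// Allowlist entries that step A resolves but step B does not: a quick check
// for the configuration drift described in the issue.
function allowlistDrift(envA, envB) {
  const b = buildAllowlist(envB);
  return [...buildAllowlist(envA)].filter((d) => !b.has(d)).sort();
}

// Constructed step environments modelled on the issue's reproduction.
const ingestEnv = { GH_AW_ALLOWED_DOMAINS: "docs.example.com,api.example.com" };
const processEnvBefore = {}; // before the fix: variable not emitted for this step
const processEnvAfter = {
  GH_AW_ALLOWED_DOMAINS: "docs.example.com,api.example.com",
  GITHUB_SERVER_URL: "https://ghes.example.test", // constructed GHES host
  GITHUB_API_URL: "https://ghes.example.test/api/v3",
};

// Constructed agent output: one allowlisted URL and one lookalike host.
const sample =
  "Docs: https://docs.example.com/guide and https://docs.example.com.other.test/x";

console.log("ingest :", redactUrls(sample, ingestEnv).text);
console.log("before :", redactUrls(sample, processEnvBefore).text);
console.log("after  :", redactUrls(sample, processEnvAfter).text);
console.log("drift  :", allowlistDrift(ingestEnv, processEnvBefore));
```

The pre-fix failure is over-redaction rather than a leak, because a step with no allowlist falls back to the defaults; the drift check is the kind of assertion a compiler test can make across every step that runs the sanitizer.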

Development

Successfully merging this pull request may close these issues.

safe_output_handler_manager ignores allowed-domains, redacts URLs from allowlisted domains
