perf: eliminate hot-path regexp compilations and redundant YAML parses

[Copilot]

BenchmarkCompileComplexWorkflow regressed +113.9% (6.5ms → 13.9ms) due to regexp.MustCompile calls inside hot-path functions and redundant yaml.Unmarshal calls during validation.

Changes

• secret_extraction.go — ExtractSecretsFromValue was compiling two regexps on every call; moved to package-level vars (secretsExprFindPattern, secretsNamePattern)
• yaml.go — CleanYAMLNullValues compiled a regexp on every call; moved to package-level yamlNullPattern. UnquoteYAMLKey compiled a key-specific regexp on every call; now caches via sync.Map
• template_injection_validation.go — validateNoTemplateInjection always called yaml.Unmarshal even when unnecessary; added fast-path that skips the full parse when unsafeContextRegex finds no matches. Extracted validateNoTemplateInjectionFromParsed to accept pre-parsed data
• schema_validation.go — Extracted validateGitHubActionsSchemaFromParsed accepting pre-parsed any
• compiler.go — generateAndValidateYAML now parses the compiled YAML once and shares the result between the template-injection and schema validators instead of each independently calling yaml.Unmarshal

// Before: compiled on every ExtractSecretsFromValue call
exprPattern := regexp.MustCompile(`\$\{\{[^}]+\}\}`)
secretPattern := regexp.MustCompile(`secrets\.([A-Z_][A-Z0-9_]*)`)

// After: compiled once at package init
var secretsExprFindPattern = regexp.MustCompile(`\$\{\{[^}]+\}\}`)
var secretsNamePattern     = regexp.MustCompile(`secrets\.([A-Z_][A-Z0-9_]*)`)

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw 64/pkg/tool/linurev-parse tions/setup/js/n--show-toplevel git rev-�� --show-toplevel 858598/b001/importcfg /usr/bin/git k/gh-aw/gh-aw/cmgit son k/gh-aw/gh-aw/ac--show-toplevel git (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw sh /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel node ache/node/24.14.--show-toplevel git (http block)
• https://api.github.com/orgs/test-owner/actions/secrets
  • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name ormance-regression-compile-complex-workflo ache/go/1.25.0/x64/src/cmd/vendor/golang.org/x/arch/arm64/arm64asm/arg.go 64/bin/bash -errorsas -ifaceassert -nilfunc /opt/hostedtoolcscripts/**/*.js -o h ../../../.pret.prettierignore -trimpath (http block)
  • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name --show-toplevel sed ache/node/24.14.0/x64/bin/npm x86_64/bash git /usr/bin/git ache/node/24.14.0/x64/bin/npm rev-�� nly git /usr/bin/git --show-toplevel gh /usr/bin/git git (http block)
• https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha /home/REDACTED/work/gh-aw/gh-aw/.github/workflows/ai-moderator.md /home/REDACTED/work/gh-aw/gh-aw/pkg/stringutil/identifiers.go /usr/bin/git json' --ignore-pgit (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel bash /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel bash /usr/bin/git git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v3
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha k/gh-aw/gh-aw/pkg/constants/constants.go k/gh-aw/gh-aw/pkg/constants/constants_test.go /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/compile -unreachable=falgit /tmp/go-build250rev-parse ache/node/24.14.--show-toplevel /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/compile -o ithub-script/git/ref/tags/v8 -trimpath /usr/bin/git -p github.com/githurev-parse -lang=go1.25 git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha --is-ancestor 00f4df9def6c21890a215b804a9d2b3fa28c0a49 /usr/bin/git user.email test@example.comrev-parse /usr/bin/infocmp--show-toplevel git rev-�� --show-toplevel infocmp /usr/bin/git xterm-color head /usr/bin/git git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v5
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --noprofile x_amd64/link cal/bin/bash (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel bash /usr/bin/git ../pkg/workflow/git x_amd64/vet x_amd64/link git rev-�� --show-toplevel x_amd64/link /usr/bin/git a/action_pins.jsgit x_amd64/vet n-dir/node git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel bash /usr/bin/git st-1177477827/.ggit ache/go/1.25.0/xrev-parse sh git rev-�� --show-toplevel bash /usr/bin/git te '../../../**/git ache/go/1.25.0/xrev-parse /home/REDACTED/.lo--show-toplevel git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha test/race-image:v1.0.0 x_amd64/vet /usr/bin/git 626-e0db08df7383git ugGl8nZkIVRhfpIJrev-parse x_amd64/link git conf�� user.email test@example.com /usr/bin/git 10 /opt/hostedtoolcrev-parse ache/go/1.25.0/x--show-toplevel git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha /tmp/go-build255747881/b445/_pkg_.a -trimpath /usr/lib/git-core/git -p main -lang=go1.25 /usr/lib/git-core/git main�� run --auto /opt/hostedtoolcache/node/24.14.0/x64/bin/node --detach -c=4 -nolocalimports node (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel bash /usr/bin/git t4118184723/.gitgit s not exist yet"rev-parse /usr/bin/grep git rev-�� --show-toplevel grep /usr/bin/git 3940-15155/test-git pkg/workflow/frorev-parse 0/x64/bin/node git (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v8
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha rd -buildtags bin/bash -errorsas -ifaceassert -nilfunc bash --no�� h ../../../.prettierignore -tests x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -stringintconv -tests rgo/bin/bash (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha --noprofile -tests bin/bash (http block)
• https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha -test.paniconexit0 -test.v=true (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel x_amd64/link /usr/bin/git git rev-�� nt/action/git/ref/tags/v999.999.999 git /usr/bin/git --show-toplevel 6n/cLzQgjXlIjxIorev-parse /usr/bin/git git (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha -bool -buildtags /usr/bin/git -errorsas -ifaceassert -nilfunc git rev-�� --show-toplevel -tests /usr/bin/git -v origin mplateInjection|--show-toplevel git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel bash /usr/bin/git git rev-�� -aw/git/ref/tags/v1.0.0 git /usr/bin/git --show-toplevel 64/pkg/tool/linurev-parse /usr/bin/git git (http block)
• https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha prettier --write (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha --show-toplevel git /usr/bin/git -m Test commit /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel ache/go/1.25.0/xrev-parse /usr/bin/git git (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha 3940-15155/test-3116375969 ache/go/1.25.0/xsecurity /opt/hostedtoolcache/node/24.14.0/x64/lib/node_modules/npm/node_-importcfg --noprofile 64/src/cmd/vendorev-parse run-script/lib/n--show-toplevel sh -c k/gh-aw/gh-aw/.github/workflows ache/go/1.25.0/xconntrack 747881/b439/styles.test g.org/x/sys/unixgit /tmp/go-build250rev-parse 0/x64/bin/bash 747881/b439/styles.test (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha --show-toplevel /usr/lib/git-core/git /usr/bin/git run --auto /opt/hostedtoolc--show-toplevel git rev-�� --show-toplevel node /usr/bin/gh /home/REDACTED/worgit /tmp/go-build255rev-parse /usr/bin/git gh (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha "prettier" --write '**/*.cjs' '**/*.ts' '**/*.json' --ignore-path ../../../.prettierignore ache/go/1.25.0/xsecurity cfg se 64/src/cmd/vendorev-parse tSecrets sh -c k/gh-aw/gh-aw ache/go/1.25.0/xowner ache/node/24.14.0/x64/bin/node 37778/b233/_pkg_git /tmp/go-build250rev-parse tnet/tools/bash /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha --show-toplevel git /usr/bin/git .github/workflowgit -goversion /usr/bin/git git rev-�� --show-toplevel git /usr/bin/gh --show-toplevel /home/REDACTED/worrev-parse /opt/hostedtoolc--show-toplevel gh (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
  • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 x_amd64/vet x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� tags/v5 git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
  • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 5eb984d1afb492c5-d/pprof ndor/bin/sh (http block)
  • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
  • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 x_amd64/vet x_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
  • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 stmain.go x_amd64/link (http block)
  • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
  • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 x_amd64/vet ules/.bin/node (http block)
  • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 4 /usr/bin/git d -name bin git rev-�� --show-toplevel git er: String!, $name: String!) { -lang=go1.25 --show-toplevel git /usr/bin/git git (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
  • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 x_amd64/vet x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
  • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 x_amd64/vet x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
• https://api.github.com/repos/github/gh-aw/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path celain --ignore-**/*.ts ache/go/1.25.0/x**/*.json ache/go/1.25.0/x--ignore-path -errorsas -ifaceassert -nilfunc ache/go/1.25.0/x64/pkg/tool/linux_amd64/compile -o h ../../../.prettierignore -trimpath p/bin/bash -p cmd/vendor/golan--norc -lang=go1.25 bash (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha --noprofile x_amd64/vet /usr/bin/git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet /usr/bin/git 5 ache/go/1.25.0/xrev-parse /home/REDACTED/wor--show-toplevel git rev-�� --show-toplevel node /usr/bin/git --write **/*.cjs ache/go/1.25.0/x--show-toplevel git (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha re --log-level=e!../../../pkg/workflow/js/**/*.json -dwarf=false ndor/bin/bash go1.25.0 -c=4 -nolocalimports bash --no�� js/**/*.json' ---errorsas /tmp/go-build250-ifaceassert 64/pkg/tool/linu-nilfunc (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha re --log-level=e!../../../pkg/workflow/js/**/*.json -extld=gcc /prettier (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha re --log-level=error (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git .cfg git (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha re --log-level=e!../../../pkg/workflow/js/**/*.json (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/link /usr/bin/git kflow.test git ortcfg.link git rev-�� --show-toplevel 4vp10F8WpkMTgHfKbO/RxFptwafM0xGdqTVy4vZ/wY0DV-HzYmIFAxVjUal6 /usr/bin/git --show-toplevel git g_.a git (http block)
• https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha ty-test.md x_amd64/vet tions/setup/js/node_modules/.bin-importcfg ew@v1.1.1/spew/bgit ew@v1.1.1/spew/cconfig (http block)
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha --show-toplevel 1f-RA1IlxQwjfc586n/cLzQgjXlIjxIo_QUvJx9/eZ420Er5bfpaslI2Q9Xq /usr/bin/git SameOutput258557git ache/go/1.25.0/xrev-parse _.a git rev-�� --show-toplevel node /usr/bin/gh licyMinIntegritygit **/*.cjs /home/REDACTED/wor--show-toplevel gh (http block)
• https://api.github.com/repos/nonexistent/repo/actions/runs/12345
  • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion (http block)
  • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion --show-toplevel git /usr/bin/git git rev-�� HEAD git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
• https://api.github.com/repos/owner/repo/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo /prettier -errorsas -ifaceassert -nilfunc 64/pkg/tool/linuformat:pkg-json -o /tmp/go-build76137778/b241/_pkg_.a -trimpath x_amd64/cgo -p cmd/vendor/githu--norc -lang=go1.25 x_amd64/cgo (http block)
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo de -errorsas -ifaceassert -nilfunc 64/pkg/tool/linux_amd64/vet /pre�� /tmp/go-build76137778/b002/_pkg_.a -trimpath x_amd64/link -p cmd/internal/dis--norc -lang=go1.25 x_amd64/link (http block)
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo ache/go/1.25.0/x64/bin/node ^From [0-9a-f]\{node /tmp/gh-aw/aw-majs/fuzz_mentions_harness.cjs /usr/bin/git git ache�� --show-toplevel nly /usr/bin/git --show-toplevel infocmp /usr/bin/git git (http block)
• https://api.github.com/repos/owner/repo/contents/file.md
  • Triggering command: /tmp/go-build255747881/b400/cli.test /tmp/go-build255747881/b400/cli.test -test.testlogfile=/tmp/go-build255747881/b400/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true -errorsas -ifaceassert -nilfunc x_amd64/vet -V=f�� -stringintconv -tests rgo/bin/bash (http block)
  • Triggering command: /tmp/go-build714491049/b001/cli.test /tmp/go-build714491049/b001/cli.test -test.testlogfile=/tmp/go-build714491049/b001/testlog.txt -test.paniconexit0 -test.timeout=2m0s rev-�� --show-toplevel /usr/lib/git-core/git /usr/bin/git run --auto /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel /usr/bin/git /usr/bin/git git (http block)
• https://api.github.com/repos/test-owner/test-repo/actions/secrets
  • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name ormance-regression-compile-complex-workflo ache/go/1.25.0/x64/src/cmd/internal/objabi/autotype.go bash -errorsas -ifaceassert -nilfunc /opt/hostedtoolcscripts/**/*.js -o h ../../../.pret.prettierignore -trimpath ache/go/1.25.0/x64/pkg/tool/linux_amd64/link Action pins synnode debug/gosym -lang=go1.25 ache/go/1.25.0/x../../../**/*.json (http block)
  • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name --show-toplevel 2ababf0e..HEAD /usr/bin/git bash git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel gh /usr/bin/git git (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

---

⚡ Quickly spin up Copilot coding agent tasks from anywhere on your macOS or Windows machine with Raycast.

[Copilot]

Pull request overview

This PR addresses a performance regression in workflow compilation by removing repeated hot-path regexp compilations and avoiding redundant YAML parses during validation.

Changes:

• Hoists frequently used regexps to package scope and adds a small regex cache for key-specific YAML rewrites.
• Adds a fast-path to skip template-injection validation when no unsafe contexts exist in the compiled YAML.
• Parses compiled YAML once in generateAndValidateYAML and shares the parsed representation across template-injection and schema validators.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
pkg/workflow/secret_extraction.go	Moves regex compilation out of ExtractSecretsFromValue hot path by using pre-compiled package-level regexps.
pkg/workflow/yaml.go	Pre-compiles the null-cleanup regexp and caches per-key regexps for UnquoteYAMLKey to avoid repeated compilation.
pkg/workflow/template_injection_validation.go	Adds a fast-path to skip parsing/scanning when unsafe contexts aren’t present; extracts a validator that accepts pre-parsed YAML.
pkg/workflow/schema_validation.go	Extracts a schema-validation helper that accepts pre-parsed YAML to avoid an extra yaml.Unmarshal.
pkg/workflow/compiler.go	Parses compiled YAML once (when needed) and reuses it for both template-injection and schema validation.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.