From 8526b4844c6f71e62aa4108e4b70a52c980188c0 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Tue, 24 Mar 2026 06:06:58 +0000
Subject: [PATCH] refactor: extract writePromptBashStep helper to deduplicate poutine-suppressed steps
The two identical YAML step blocks in generatePrompt (Validate prompt placeholders and Print prompt) share the same structure: step name, env var, poutine:ignore suppression, and bash run command. Extract a writePromptBashStep helper to eliminate the duplication and centralize the poutine:ignore untrusted_checkout_exec suppression in one place.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 pkg/workflow/compiler_yaml.go | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/pkg/workflow/compiler_yaml.go b/pkg/workflow/compiler_yaml.go
index c1f53533685..09df0f30f3f 100644
--- a/pkg/workflow/compiler_yaml.go
+++ b/pkg/workflow/compiler_yaml.go
@@ -525,19 +525,23 @@ func (c *Compiler) generatePrompt(yaml *strings.Builder, data *WorkflowData, pre
 }
 // Validate that all placeholders have been substituted
- yaml.WriteString(" - name: Validate prompt placeholders\n")
- yaml.WriteString(" env:\n")
- yaml.WriteString(" GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt\n")
- yaml.WriteString(" # poutine:ignore untrusted_checkout_exec\n")
- yaml.WriteString(" run: bash ${RUNNER_TEMP}/gh-aw/actions/validate_prompt_placeholders.sh\n")
+ writePromptBashStep(yaml, "Validate prompt placeholders", "validate_prompt_placeholders.sh")
 // Print prompt (merged into prompt generation)
- yaml.WriteString(" - name: Print prompt\n")
+ writePromptBashStep(yaml, "Print prompt", "print_prompt_summary.sh")
+}
+
+// writePromptBashStep writes a YAML step that runs a bash script from the gh-aw actions directory
+// with the GH_AW_PROMPT env var set. The poutine:ignore suppression is included to address
+// untrusted_checkout_exec findings for scripts executed from RUNNER_TEMP.
+func writePromptBashStep(yaml *strings.Builder, name, script string) {
+ fmt.Fprintf(yaml, " - name: %s\n", name)
 yaml.WriteString(" env:\n")
 yaml.WriteString(" GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt\n")
 yaml.WriteString(" # poutine:ignore untrusted_checkout_exec\n")
- yaml.WriteString(" run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh\n")
+ fmt.Fprintf(yaml, " run: bash ${RUNNER_TEMP}/gh-aw/actions/%s\n", script)
 }
+
 func (c *Compiler) generatePostSteps(yaml *strings.Builder, data *WorkflowData) {
 if data.PostSteps != "" {
 // Remove "post-steps:" line and adjust indentation, similar to CustomSteps processing
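Review bot: `writePromptBashStep` formats `name` and `script` unescaped into the step name and into the `run: bash ${RUNNER_TEMP}/gh-aw/actions/%s` line, and it emits the `poutine:ignore untrusted_checkout_exec` suppression for whatever it is handed. Both call sites in this hunk pass string literals (generatePrompt itself starts outside the hunk), so the generated YAML is unchanged today, but a later caller passing a workflow-derived value would put attacker-influenced text into a shell command in a step whose scanner finding is already silenced. State the contract in the doc comment, e.g. `// name and script must be compile-time constants; both are written unescaped and script becomes part of a shell command.` The comment also says what is suppressed but not why suppressing it is safe; if the scripts under RUNNER_TEMP are placed there by the gh-aw setup step rather than taken from the checked-out repository, say so next to the suppression.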