
Consolidate threat detection parse + conclude into a single JavaScript step#22910

Merged
pelikhan merged 2 commits intomainfrom
copilot/refactor-detection-result-parsing
Mar 25, 2026

Conversation


Copilot AI commented Mar 25, 2026

Detection result parsing, logging, and job failure were split across two steps: a JS step (parse_detection_results) that parsed the log and set outputs.success, and a bash step (detection_conclusion) that read that output to set the final conclusion and call exit 1. This consolidates both into one JS step.

Changes

  • parse_threat_detection_results.cjs: main() now owns the full conclusion lifecycle:

    • Reads RUN_DETECTION env var; short-circuits with conclusion=skipped when detection wasn't needed
    • Sets conclusion output (skipped / success / failure) in addition to success
    • Added extensive diagnostic logging: file existence, log size/preview, per-field verdict, reasons list
    • Calls core.setFailed() on threat detection or parse errors
  • threat_detection.go: buildDetectionConclusionStep() now emits a github-script JS step (instead of bash) that calls parse_threat_detection_results.cjs via require(). The separate buildParsingStep() and its parse_detection_results step ID are removed. Step ordering becomes: custom steps → upload artifact → parse-and-conclude.

  • Tests — Go and JS tests updated to match the new single-step structure; new main() tests cover the RUN_DETECTION !== 'true' skip path and the conclusion output on all code paths.

# Before: two steps
- name: Parse threat detection results   # id: parse_detection_results (conditional)
- name: Set detection conclusion          # id: detection_conclusion (bash, always)

# After: one step
- name: Parse and conclude threat detection  # id: detection_conclusion (github-script, always)

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • https://api.github.com/orgs/test-owner/actions/secrets
    • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
    • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
    • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
    • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
    • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
    • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
    • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
    • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha (http block)
  • https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha (http block)
  • https://api.github.com/repos/nonexistent/repo/actions/runs/12345
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion (http block)
  • https://api.github.com/repos/owner/repo/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo (http block)
  • https://api.github.com/repos/owner/repo/contents/file.md
    • Triggering command: /tmp/go-build3854687587/b403/cli.test /tmp/go-build3854687587/b403/cli.test -test.testlogfile=/tmp/go-build3854687587/b403/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true (http block)
    • Triggering command: /tmp/go-build1831484498/b377/cli.test /tmp/go-build1831484498/b377/cli.test -test.paniconexit0 -test.timeout=10m0s -test.count=1 (http block)
  • https://api.github.com/repos/test-owner/test-repo/actions/secrets
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name (http block)

If you need me to access, download, or install something from one of these locations, you can either:



…o single JS step

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/6f90f261-3ccf-4386-ab22-c897d97d9b91
Copilot AI changed the title [WIP] Refactor detection result parsing and logging Consolidate threat detection parse + conclude into a single JavaScript step Mar 25, 2026
Copilot AI requested a review from pelikhan March 25, 2026 15:02
@pelikhan pelikhan marked this pull request as ready for review March 25, 2026 15:13
Copilot AI review requested due to automatic review settings March 25, 2026 15:13

Copilot AI left a comment


Pull request overview

Consolidates threat detection result parsing and job conclusion into a single actions/github-script step, simplifying workflow generation and making the detection job set its own outputs/failure state.

Changes:

  • Replace the two-step parse + bash “conclusion” flow with one JS step (detection_conclusion) that parses results, sets outputs (success, conclusion), and fails the job when needed.
  • Update workflow compiler tests to assert the new combined step and ensure the legacy parse_detection_results step ID is gone.
  • Regenerate workflow lockfiles to reflect the new single-step threat detection conclusion.

Reviewed changes

Copilot reviewed 174 out of 174 changed files in this pull request and generated 2 comments.

File Description
actions/setup/js/parse_threat_detection_results.cjs Consolidates parsing + conclusion logic; sets outputs and fails the job from JS.
pkg/workflow/threat_detection_isolation_test.go Updates assertions to expect detection_conclusion instead of parse_detection_results.
pkg/workflow/detection_success_test.go Updates assertions for the merged parse-and-conclude step and absence of the old parsing step ID.
.github/workflows/agent-performance-analyzer.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/artifacts-summary.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/audit-workflows.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/blog-auditor.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/breaking-change-checker.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/changeset.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/ci-coach.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/claude-code-user-docs-review.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/cli-consistency-checker.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/cli-version-checker.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/code-scanning-fixer.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/code-simplifier.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/commit-changes-analyzer.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/constraint-solving-potd.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/contribution-check.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/copilot-agent-analysis.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/copilot-cli-deep-research.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/copilot-pr-merged-report.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/copilot-pr-nlp-analysis.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/copilot-pr-prompt-analysis.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/copilot-session-insights.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/daily-architecture-diagram.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/daily-assign-issue-to-user.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/daily-choice-test.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/daily-cli-performance.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/daily-code-metrics.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/daily-compiler-quality.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/daily-copilot-token-report.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/daily-doc-healer.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/daily-doc-updater.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/daily-file-diet.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/daily-firewall-report.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/daily-function-namer.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/daily-integrity-analysis.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/daily-mcp-concurrency-analysis.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/daily-news.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/daily-performance-summary.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/daily-regulatory.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/daily-repo-chronicle.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/daily-safe-output-integrator.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/daily-safe-output-optimizer.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/daily-safe-outputs-conformance.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/daily-secrets-analysis.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/daily-security-red-team.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/daily-syntax-error-quality.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/daily-team-evolution-insights.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/daily-team-status.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/daily-workflow-updater.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/dead-code-remover.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/delight.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/dev-hawk.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/dev.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/developer-docs-consolidator.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/dictation-prompt.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/discussion-task-miner.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/docs-noob-tester.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/draft-pr-cleanup.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/example-workflow-analyzer.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/firewall-escape.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/github-mcp-structural-analysis.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/github-mcp-tools-report.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/go-fan.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/go-logger.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/go-pattern-detector.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/gpclean.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/hourly-ci-cleaner.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/instructions-janitor.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/issue-monster.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/issue-triage-agent.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/jsweep.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/layout-spec-maintainer.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/lockfile-stats.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/mcp-inspector.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/org-health-report.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/portfolio-analyst.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/prompt-clustering-analysis.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/python-data-charts.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/refiner.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/release.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/repo-tree-map.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/research.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/safe-output-health.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/schema-consistency-checker.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/security-compliance.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/semantic-function-refactor.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/sergo.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/smoke-claude.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/smoke-project.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/static-analysis-report.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/step-name-alignment.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/super-linter.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/technical-doc-writer.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/terminal-stylist.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/test-create-pr-error-handling.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/test-dispatcher.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/test-project-url-default.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/typist.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/unbloat-docs.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/update-astro.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/video-analyzer.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/weekly-issue-summary.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/workflow-generator.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/workflow-health-manager.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.
.github/workflows/workflow-normalizer.lock.yml Switches to a single “Parse and conclude threat detection” github-script step.


Comment on lines +224 to +228

```javascript
// Log first and last few lines for quick diagnosis without overwhelming output
const previewLines = 5;
if (logLines.length > 0) {
  core.info(`📄 First ${Math.min(previewLines, logLines.length)} lines of detection log:`);
  logLines.slice(0, previewLines).forEach((line, i) => core.info(`  [${i + 1}] ${line}`));
```
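Review bot: the preview lines at the end of this hunk go out through `core.info`, so the raw contents of `logLines` appear in every run, not only when someone is diagnosing a failure. Route the per-line preview through `core.debug` (the runner shows it only when step debug logging is enabled) and keep just the line-count message on `core.info`; whatever sanitisation the log needs can then be applied in that one place before the line is emitted.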

Copilot AI Mar 25, 2026

The parser logs a preview of the detection log contents. Since the detection log can contain sensitive data (including the exact secret or injected content being analyzed), emitting raw log lines to the Actions log can re-expose secrets and potentially leak them outside the artifact. Consider removing raw log previews entirely, or gating them behind an explicit debug flag (e.g., ACTIONS_STEP_DEBUG) and/or redacting common secret patterns before logging.

Comment on lines 272 to 281

```javascript
const reasonsText = verdict.reasons && verdict.reasons.length > 0 ? "\nReasons: " + verdict.reasons.join("; ") : "";

core.error("🚨 Security threats detected: " + threats.join(", "));
if (verdict.reasons && verdict.reasons.length > 0) {
  core.error("  Reasons: " + verdict.reasons.join("; "));
}

core.setOutput("conclusion", "failure");
core.setOutput("success", "false");
core.setFailed(`${ERR_VALIDATION}: ❌ Security threats detected: ${threats.join(", ")}${reasonsText}`);
```
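Review bot: the threats and reasons are emitted twice as error annotations in this hunk. The `core.error("🚨 Security threats detected: ...")` call and the `core.error("  Reasons: ...")` call log them once, and `core.setFailed(...)` logs the same `threats.join(", ")` plus `reasonsText` again, because `setFailed` itself writes an error annotation before setting the failure exit code. Build one string, pass it only to `core.setFailed`, and drop the separate `core.error` calls; that also leaves a single place to sanitise the reasons before they reach logs or annotations.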

Copilot AI Mar 25, 2026

The reasons list is logged verbatim and also appended to the failure message. If the detection engine includes sensitive tokens/secret values in its reasons, this can leak secrets into the workflow logs and annotations. Consider sanitizing/redacting reasons before logging/including them in failure messages, or only including a non-sensitive summary (e.g., reason count + category).

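Both comments above point at the same gap, so here is one added example (written for this page, not code from the PR or from the project) showing the shape of the fix they ask for: a redaction pass over well-known secret formats, a preview that stays silent unless step debug logging is on, and a failure message that carries the threat names and a reason count rather than the reasons themselves. The pattern list, the function names, and the sample log and reasons are the example's own assumptions; `RUNNER_DEBUG=1` is the variable the Actions runner sets when `ACTIONS_STEP_DEBUG` is enabled. The runner's automatic masking covers only values it already knows as secrets (the `secrets` context and anything registered with `core.setSecret`), so a credential that the detection log merely quotes is not masked for you.

```javascript
// Added example, not code from this PR or from the project it modifies:
// a redaction pass and a debug-gated preview for a detection-log parser
// running inside a github-script step. Pattern set, function names and the
// sample input below are this example's own assumptions.

// Each entry: placeholder label, regex, and whether the first capture group
// (a harmless prefix such as "password: ") is kept in the output.
const SECRET_PATTERNS = [
  // GitHub tokens: gh?_ + 36 chars (ghp_/gho_/ghu_/ghs_/ghr_) and fine-grained PATs.
  { label: "github-token", re: /\b(?:gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{82})\b/g, keepPrefix: false },
  // AWS access key IDs.
  { label: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/g, keepPrefix: false },
  // Slack bot/user/app tokens.
  { label: "slack-token", re: /\bxox[baprs]-[A-Za-z0-9-]{10,}/g, keepPrefix: false },
  // JSON Web Tokens (the base64url header always starts with "eyJ").
  { label: "jwt", re: /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g, keepPrefix: false },
  // Bearer/Basic authorization values; the "Authorization: Bearer " prefix is kept.
  { label: "authorization", re: /\b(Authorization\s*:\s*(?:Bearer|Basic)\s+)[A-Za-z0-9\-._~+/]+=*/gi, keepPrefix: true },
  // key=value / key: value pairs whose key looks like a credential; the key is kept.
  { label: "credential-assignment", re: /\b([A-Za-z0-9_-]*(?:api[_-]?key|secret|password|passwd|token)\s*[=:]\s*["']?)[^\s"',;]+/gi, keepPrefix: true },
];

// Replace every match with a labelled placeholder. Patterns run in order, so a
// value caught by a specific pattern is already gone when the generic one runs.
function redactSecrets(text) {
  let out = String(text);
  for (const { label, re, keepPrefix } of SECRET_PATTERNS) {
    out = out.replace(re, (match, group1) => (keepPrefix ? group1 : "") + `[REDACTED:${label}]`);
  }
  return out;
}

// Lines a parser should emit about the detection log. Without step debug
// logging only sizes are reported; with it, a redacted head and tail.
function previewLog(logLines, { isDebug = () => false, previewLines = 5 } = {}) {
  const n = logLines.length;
  const out = [`detection log: ${n} line(s), ${Buffer.byteLength(logLines.join("\n"), "utf8")} byte(s)`];
  if (!isDebug()) {
    out.push("log preview suppressed; enable ACTIONS_STEP_DEBUG to see a redacted head/tail");
    return out;
  }
  logLines.slice(0, previewLines).forEach((line, i) => out.push(`[${i + 1}] ${redactSecrets(line)}`));
  const tailStart = Math.max(previewLines, n - previewLines); // never overlap the head
  if (tailStart > previewLines) out.push(`... ${tailStart - previewLines} line(s) omitted ...`);
  logLines.slice(tailStart).forEach((line, i) => out.push(`[${tailStart + i + 1}] ${redactSecrets(line)}`));
  return out;
}

// Reasons from the verdict may quote the offending content, so callers get a
// count for annotations and a redacted copy for the step log.
function summarizeReasons(reasons) {
  const list = Array.isArray(reasons) ? reasons.filter((r) => typeof r === "string") : [];
  return { count: list.length, redacted: list.map(redactSecrets) };
}

// Message for core.setFailed(): threat names act as the categories, plus the
// reason count. The raw reasons stay in the uploaded artifact (assumed to exist).
function buildFailureMessage(threats, reasons) {
  const { count } = summarizeReasons(reasons);
  return `Security threats detected: ${threats.join(", ")} (${count} reason(s); unredacted details are in the detection artifact)`;
}

// Constructed sample input, not real detection output. The AWS key is the
// documented placeholder AKIAIOSFODNN7EXAMPLE; the other values are made up.
const SAMPLE_LOG_LINES = [
  "[detection] scanning agent output for injected instructions",
  "[detection] candidate: GITHUB_TOKEN=ghp_" + "A".repeat(36),
  "[detection] candidate: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.c2lnbmF0dXJl",
  "[detection] candidate: aws key AKIAIOSFODNN7EXAMPLE",
  "[detection] candidate: password: hunter2",
  "[detection] no injection markers found in tool calls",
  "[detection] done",
];
const SAMPLE_REASONS = [
  "GitHub token ghp_" + "A".repeat(36) + " appeared in agent output",
  "Plaintext password in config dump: password=hunter2",
];
const SAMPLE_THREATS = ["secret_leak"]; // constructed category name

// Usage: RUNNER_DEBUG=1 is what the runner sets when ACTIONS_STEP_DEBUG is on.
const isDebug = () => process.env.RUNNER_DEBUG === "1";
for (const line of previewLog(SAMPLE_LOG_LINES, { isDebug })) console.log(line);
for (const reason of summarizeReasons(SAMPLE_REASONS).redacted) console.log("reason:", reason);
console.log(buildFailureMessage(SAMPLE_THREATS, SAMPLE_REASONS));
```

`redactSecrets` runs over every preview line and every reason before they are logged, and the failure annotation never sees the reasons at all. The pattern list is deliberately short and should be extended with whatever formats the deployment handles, but any such list is a backstop rather than a guarantee: the raw detection log belongs in the artifact, not in the step output.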
@pelikhan pelikhan merged commit 3ea4afe into main Mar 25, 2026
127 of 173 checks passed
@pelikhan pelikhan deleted the copilot/refactor-detection-result-parsing branch March 25, 2026 15:22
3 participants