From 789a658bde529c8d6b47e9ab327060c15cbd04d8 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 26 Mar 2026 20:51:50 +0000 Subject: [PATCH 1/3] Initial plan From b3509ac4f148bfd09c6da566bab3dafcb4c27b5c Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 26 Mar 2026 21:05:53 +0000 Subject: [PATCH 2/3] fix: escape YAML env values to prevent structure injection (4 remaining sites) Agent-Logs-Url: https://github.com/github/gh-aw/sessions/48b78208-3e9c-4fdd-8555-49852099e78b Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- pkg/parser/schemas/main_workflow_schema.json | 1 + pkg/workflow/bots_test.go | 8 ++++---- pkg/workflow/compiler_activation_job.go | 4 ++-- pkg/workflow/compiler_yaml_main_job.go | 6 +++--- pkg/workflow/env.go | 15 +++++++++++++++ pkg/workflow/repository_import_checkout_test.go | 2 +- 6 files changed, 26 insertions(+), 10 deletions(-) diff --git a/pkg/parser/schemas/main_workflow_schema.json b/pkg/parser/schemas/main_workflow_schema.json index 22ab3f984b4..48f19ae8b5e 100644 --- a/pkg/parser/schemas/main_workflow_schema.json +++ b/pkg/parser/schemas/main_workflow_schema.json @@ -8253,6 +8253,7 @@ "items": { "type": "string", "minLength": 1, + "pattern": "^[A-Za-z0-9._\\[\\]-]+$", "description": "Bot identifier/name (e.g., 'dependabot[bot]', 'renovate[bot]', 'github-actions[bot]')" } }, diff --git a/pkg/workflow/bots_test.go b/pkg/workflow/bots_test.go index acf29781772..b697ceaecae 100644 --- a/pkg/workflow/bots_test.go +++ b/pkg/workflow/bots_test.go 
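Review bot: The `description` of the bot-name item in `main_workflow_schema.json` still gives only examples, so an author whose entry fails the new `pattern` gets no hint of which characters are allowed. JSON has no comment syntax, so the rule belongs in the description itself, for example `"description": "Bot identifier/name (e.g., 'dependabot[bot]'). Allowed characters: letters, digits, '.', '_', '-', '[' and ']'."`. Within this patch the pattern also appears to be what keeps `,` out of names that `buildActivationJob` later joins with commas, so it is worth describing as a validation rule and not only a format hint.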
@@ -137,8 +137,8 @@ Test workflow content.` compiledStr := string(compiledContent) - // Check that the bots environment variable is set - if !strings.Contains(compiledStr, "GH_AW_ALLOWED_BOTS: dependabot[bot],renovate[bot]") { + // Check that the bots environment variable is set (value is %q-quoted) + if !strings.Contains(compiledStr, `GH_AW_ALLOWED_BOTS: "dependabot[bot],renovate[bot]"`) { t.Errorf("Expected compiled workflow to contain GH_AW_ALLOWED_BOTS environment variable") } @@ -190,8 +190,8 @@ Test workflow content with bot and default roles.` t.Errorf("Expected compiled workflow to contain default GH_AW_REQUIRED_ROLES") } - // Check that bots environment variable is set - if !strings.Contains(compiledStr, "GH_AW_ALLOWED_BOTS: dependabot[bot]") { + // Check that bots environment variable is set (value is %q-quoted) + if !strings.Contains(compiledStr, `GH_AW_ALLOWED_BOTS: "dependabot[bot]"`) { t.Errorf("Expected compiled workflow to contain GH_AW_ALLOWED_BOTS environment variable") } } diff --git a/pkg/workflow/compiler_activation_job.go b/pkg/workflow/compiler_activation_job.go index 258688632fa..3472caed959 100644 --- a/pkg/workflow/compiler_activation_job.go +++ b/pkg/workflow/compiler_activation_job.go @@ -201,7 +201,7 @@ func (c *Compiler) buildActivationJob(data *WorkflowData, preActivationJobCreate steps = append(steps, fmt.Sprintf(" uses: %s\n", GetActionPin("actions/github-script"))) if len(data.Bots) > 0 { steps = append(steps, " env:\n") - steps = append(steps, fmt.Sprintf(" GH_AW_ALLOWED_BOTS: %s\n", strings.Join(data.Bots, ","))) + steps = append(steps, formatYAMLEnv(" ", "GH_AW_ALLOWED_BOTS", strings.Join(data.Bots, ","))) } steps = append(steps, " with:\n") steps = append(steps, " script: |\n") 
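Review bot: In the `compiler_activation_job.go` hunk at -201, the value handed to `formatYAMLEnv` is still built with `strings.Join(data.Bots, ",")`, so the quoting protects the YAML document but not the list encoding. A name containing a comma would be read as two entries by whatever splits `GH_AW_ALLOWED_BOTS`. The schema pattern added in this patch excludes commas, but that only helps if `data.Bots` has always passed schema validation before it reaches this code, which the hunk does not show. A comment above the call would record the dependency, for example `// names are comma-joined; the bots schema pattern must keep ',' out of them`. `buildActivationJob` starts and ends outside the hunk.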
@@ -329,7 +329,7 @@ func (c *Compiler) buildActivationJob(data *WorkflowData, preActivationJobCreate if err != nil { return nil, fmt.Errorf("failed to marshal label-command names: %w", err) } - steps = append(steps, fmt.Sprintf(" GH_AW_LABEL_NAMES: %q\n", string(labelNamesJSON))) + steps = append(steps, formatYAMLEnv(" ", "GH_AW_LABEL_NAMES", string(labelNamesJSON))) steps = append(steps, " with:\n") // Use GitHub App or custom token if configured (avoids needing elevated GITHUB_TOKEN permissions) labelToken := c.resolveActivationToken(data) diff --git a/pkg/workflow/compiler_yaml_main_job.go b/pkg/workflow/compiler_yaml_main_job.go index 85c6cfbea0d..03b99cee0e7 100644 --- a/pkg/workflow/compiler_yaml_main_job.go +++ b/pkg/workflow/compiler_yaml_main_job.go @@ -106,13 +106,13 @@ func (c *Compiler) generateMainJobSteps(yaml *strings.Builder, data *WorkflowDat if err != nil { return fmt.Errorf("failed to marshal repository imports for merge step: %w", err) } - fmt.Fprintf(yaml, " GH_AW_REPOSITORY_IMPORTS: '%s'\n", string(repoImportsJSON)) + writeYAMLEnv(yaml, " ", "GH_AW_REPOSITORY_IMPORTS", string(repoImportsJSON)) } // Set agent import spec if present (legacy path) if data.AgentFile != "" && data.AgentImportSpec != "" { - fmt.Fprintf(yaml, " GH_AW_AGENT_FILE: \"%s\"\n", data.AgentFile) - fmt.Fprintf(yaml, " GH_AW_AGENT_IMPORT_SPEC: \"%s\"\n", data.AgentImportSpec) + writeYAMLEnv(yaml, " ", "GH_AW_AGENT_FILE", data.AgentFile) + writeYAMLEnv(yaml, " ", "GH_AW_AGENT_IMPORT_SPEC", data.AgentImportSpec) } yaml.WriteString(" with:\n") diff --git a/pkg/workflow/env.go b/pkg/workflow/env.go index 1a2f625f24a..ee2fb4983f3 100644 --- a/pkg/workflow/env.go +++ b/pkg/workflow/env.go @@ -2,6 +2,7 @@ package workflow import ( "fmt" + "io" "sort" "strings" 
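Review bot: In the `compiler_yaml_main_job.go` hunk, `data.AgentFile` and `data.AgentImportSpec` are now escaped for YAML, but a double-quoted scalar does not stop the Actions runner from evaluating `${{ ... }}` inside an `env:` value. Expression syntax in either field would therefore still be interpolated when the step runs. If these fields can come from frontmatter without an earlier check (not visible here), they should be validated before emission, or the code should state that expressions are intentionally allowed. A comment above the two `writeYAMLEnv` calls would make the boundary explicit, for example `// %q escapes YAML structure only; ${{ }} in the value is still evaluated by the runner`. `generateMainJobSteps` continues outside the hunk.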
@@ -11,6 +12,20 @@ import ( var envLog = logger.New("workflow:env") +// writeYAMLEnv emits a single YAML env variable with proper escaping. +// Uses %q to produce a valid YAML double-quoted scalar that escapes ", \, newlines, and control characters, +// preventing YAML structure injection from frontmatter-derived values. +// w must be an error-free writer (e.g., *strings.Builder). +func writeYAMLEnv(w io.Writer, indent, key, value string) { + fmt.Fprintf(w, "%s%s: %q\n", indent, key, value) +} + +// formatYAMLEnv returns a properly escaped YAML env variable string. +// Uses %q to produce a valid YAML double-quoted scalar — safe for use anywhere a string is needed. +func formatYAMLEnv(indent, key, value string) string { + return fmt.Sprintf("%s%s: %q\n", indent, key, value) +} + // writeHeadersToYAML writes a map of headers to YAML format with proper comma placement // indent is the indentation string to use for each header line (e.g., " ") func writeHeadersToYAML(yaml *strings.Builder, headers map[string]string, indent string) { diff --git a/pkg/workflow/repository_import_checkout_test.go b/pkg/workflow/repository_import_checkout_test.go index e780930acb7..10938d80541 100644 --- a/pkg/workflow/repository_import_checkout_test.go +++ b/pkg/workflow/repository_import_checkout_test.go @@ -128,7 +128,7 @@ imports: "Should use correct path for second import") // Verify merge step includes both imports - assert.Contains(t, lockContentStr, `GH_AW_REPOSITORY_IMPORTS: '["github/repo1@main","github/repo2@v1.0.0"]'`, + assert.Contains(t, lockContentStr, `GH_AW_REPOSITORY_IMPORTS: "[\"github/repo1@main\",\"github/repo2@v1.0.0\"]"`, "Should pass all repository imports to merge script") } From 0dcd8ab67788d6e355aa92268575679228ce3e28 Mon Sep 17 00:00:00 2001 
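Review bot: The doc comments on `writeYAMLEnv` and `formatYAMLEnv` in `env.go` say `%q` yields a valid YAML double-quoted scalar, which holds for structure but not for every value. Go writes `\xNN` for a byte that is not valid UTF-8, while YAML reads `\xNN` as the code point U+00NN, so such a value does not round-trip. That does not reopen the injection, but the comment should say so, for example `// Note: %q follows Go quoting; an invalid UTF-8 byte becomes \xNN, which YAML decodes as U+00NN.` The patch also updates only assertions on benign values. A small table-driven test that calls `formatYAMLEnv` with values containing `"`, `\`, a newline and `: ` would pin the escaping the commit message claims.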
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 26 Mar 2026 21:46:40 +0000 Subject: [PATCH 3/3] fix: address review comments - narrow writeYAMLEnv type and fix additional injection sites Agent-Logs-Url: https://github.com/github/gh-aw/sessions/acd256d0-6a0d-4704-ab84-18f21be3dfcf Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/ace-editor.lock.yml | 2 +- .../workflows/agent-performance-analyzer.lock.yml | 2 +- .github/workflows/agent-persona-explorer.lock.yml | 2 +- .github/workflows/ai-moderator.lock.yml | 4 ++-- .github/workflows/archie.lock.yml | 2 +- .github/workflows/auto-triage-issues.lock.yml | 2 +- .github/workflows/brave.lock.yml | 2 +- .github/workflows/breaking-change-checker.lock.yml | 2 +- .github/workflows/changeset.lock.yml | 2 +- .github/workflows/ci-doctor.lock.yml | 2 +- .github/workflows/cloclo.lock.yml | 2 +- .github/workflows/code-scanning-fixer.lock.yml | 2 +- .github/workflows/code-simplifier.lock.yml | 2 +- .github/workflows/craft.lock.yml | 2 +- .github/workflows/daily-cli-performance.lock.yml | 2 +- .github/workflows/daily-file-diet.lock.yml | 2 +- .github/workflows/daily-issues-report.lock.yml | 2 +- .../workflows/daily-observability-report.lock.yml | 2 +- .../daily-rendering-scripts-verifier.lock.yml | 2 +- .../workflows/daily-safe-output-optimizer.lock.yml | 2 +- .../daily-testify-uber-super-expert.lock.yml | 2 +- .github/workflows/dead-code-remover.lock.yml | 2 +- .github/workflows/dependabot-burner.lock.yml | 2 +- .github/workflows/dev-hawk.lock.yml | 2 +- .github/workflows/dev.lock.yml | 2 +- .github/workflows/firewall-escape.lock.yml | 2 +- .github/workflows/grumpy-reviewer.lock.yml | 2 +- .github/workflows/issue-monster.lock.yml | 2 +- .github/workflows/mergefest.lock.yml | 2 +- .github/workflows/metrics-collector.lock.yml | 2 +- .github/workflows/pdf-summary.lock.yml | 2 +- .github/workflows/plan.lock.yml | 2 +- .github/workflows/poem-bot.lock.yml | 2 
+- .github/workflows/pr-nitpick-reviewer.lock.yml | 2 +- .github/workflows/q.lock.yml | 2 +- .github/workflows/refiner.lock.yml | 2 +- .github/workflows/release.lock.yml | 2 +- .github/workflows/scout.lock.yml | 2 +- .github/workflows/security-review.lock.yml | 2 +- .github/workflows/slide-deck-maintainer.lock.yml | 2 +- .github/workflows/smoke-agent-all-merged.lock.yml | 2 +- .github/workflows/smoke-agent-all-none.lock.yml | 2 +- .../workflows/smoke-agent-public-approved.lock.yml | 2 +- .github/workflows/smoke-agent-public-none.lock.yml | 2 +- .../workflows/smoke-agent-scoped-approved.lock.yml | 2 +- .github/workflows/smoke-call-workflow.lock.yml | 2 +- .github/workflows/smoke-claude.lock.yml | 2 +- .github/workflows/smoke-codex.lock.yml | 2 +- .github/workflows/smoke-copilot-arm.lock.yml | 2 +- .github/workflows/smoke-copilot.lock.yml | 2 +- .../workflows/smoke-create-cross-repo-pr.lock.yml | 2 +- .github/workflows/smoke-gemini.lock.yml | 2 +- .github/workflows/smoke-multi-pr.lock.yml | 2 +- .github/workflows/smoke-project.lock.yml | 2 +- .github/workflows/smoke-temporary-id.lock.yml | 2 +- .github/workflows/smoke-test-tools.lock.yml | 2 +- .../workflows/smoke-update-cross-repo-pr.lock.yml | 2 +- .../smoke-workflow-call-with-inputs.lock.yml | 2 +- .github/workflows/smoke-workflow-call.lock.yml | 2 +- .github/workflows/tidy.lock.yml | 2 +- .github/workflows/ubuntu-image-analyzer.lock.yml | 2 +- .github/workflows/unbloat-docs.lock.yml | 2 +- .github/workflows/update-astro.lock.yml | 2 +- .github/workflows/workflow-generator.lock.yml | 2 +- .github/workflows/workflow-health-manager.lock.yml | 2 +- pkg/workflow/bots_test.go | 4 ++-- pkg/workflow/compiler_pre_activation_job.go | 4 ++-- pkg/workflow/env.go | 6 ++---- pkg/workflow/role_checks.go | 4 ++-- pkg/workflow/skip_bots_test.go | 12 ++++++------ pkg/workflow/skip_roles_test.go | 8 ++++---- .../basic-copilot.golden | 2 +- .../smoke-copilot.golden | 2 +- .../with-imports.golden | 2 +- 74 files changed, 87 
insertions(+), 89 deletions(-) diff --git a/.github/workflows/ace-editor.lock.yml b/.github/workflows/ace-editor.lock.yml index 52d6ee72bcb..5a8b39267f0 100644 --- a/.github/workflows/ace-editor.lock.yml +++ b/.github/workflows/ace-editor.lock.yml @@ -620,7 +620,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index d87a23b862f..ef036e0a9a4 100644 --- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml @@ -1203,7 +1203,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml index 8e956ceb83f..7d30065fe64 100644 --- a/.github/workflows/agent-persona-explorer.lock.yml +++ b/.github/workflows/agent-persona-explorer.lock.yml @@ -1140,7 +1140,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/ai-moderator.lock.yml b/.github/workflows/ai-moderator.lock.yml index 1400617ea7e..56df536cbb5 100644 --- a/.github/workflows/ai-moderator.lock.yml +++ b/.github/workflows/ai-moderator.lock.yml 
@@ -965,7 +965,7 @@ jobs: id: check_skip_roles uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_SKIP_ROLES: admin,maintainer,write,triage + GH_AW_SKIP_ROLES: "admin,maintainer,write,triage" GH_AW_WORKFLOW_NAME: "AI Moderator" with: github-token: ${{ secrets.GITHUB_TOKEN }} @@ -978,7 +978,7 @@ jobs: id: check_skip_bots uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_SKIP_BOTS: github-actions,copilot,dependabot,renovate,github-copilot-enterprise,copilot-swe-agent + GH_AW_SKIP_BOTS: "github-actions,copilot,dependabot,renovate,github-copilot-enterprise,copilot-swe-agent" GH_AW_WORKFLOW_NAME: "AI Moderator" with: script: | diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml index eb24a359baa..f1525732294 100644 --- a/.github/workflows/archie.lock.yml +++ b/.github/workflows/archie.lock.yml @@ -1127,7 +1127,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/auto-triage-issues.lock.yml b/.github/workflows/auto-triage-issues.lock.yml index 66fd9f493ca..10a128c2349 100644 --- a/.github/workflows/auto-triage-issues.lock.yml +++ b/.github/workflows/auto-triage-issues.lock.yml @@ -1085,7 +1085,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index dfbfa4552f5..1591437a6b9 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml 
@@ -1119,7 +1119,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml index 4aa034d816c..eb37fb132bd 100644 --- a/.github/workflows/breaking-change-checker.lock.yml +++ b/.github/workflows/breaking-change-checker.lock.yml @@ -1071,7 +1071,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index bb2747dc487..4cef00b9ab2 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -981,7 +981,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index 54b93212950..6e557f39d5e 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -1282,7 +1282,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index 9938a717b7e..edb2501f5ec 100644 --- a/.github/workflows/cloclo.lock.yml 
+++ b/.github/workflows/cloclo.lock.yml @@ -1474,7 +1474,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml index b8823b0012f..4caa38c7dd0 100644 --- a/.github/workflows/code-scanning-fixer.lock.yml +++ b/.github/workflows/code-scanning-fixer.lock.yml @@ -1130,7 +1130,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml index bfc4e63c5ad..4034efebf59 100644 --- a/.github/workflows/code-simplifier.lock.yml +++ b/.github/workflows/code-simplifier.lock.yml @@ -1078,7 +1078,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index 114644a61b8..ce48125c94c 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -1120,7 +1120,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | 
diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index 9ad0e0e7669..10215c58c53 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml @@ -1289,7 +1289,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml index eaec0258fe0..91f89dd7b17 100644 --- a/.github/workflows/daily-file-diet.lock.yml +++ b/.github/workflows/daily-file-diet.lock.yml @@ -1093,7 +1093,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index a3cc0dce6cd..aff08b22f70 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml @@ -1184,7 +1184,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index 74a3a0345dc..e5c09ae49d1 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml 
@@ -1157,7 +1157,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/daily-rendering-scripts-verifier.lock.yml b/.github/workflows/daily-rendering-scripts-verifier.lock.yml index f2f8f2cd9ca..96f8ba2621a 100644 --- a/.github/workflows/daily-rendering-scripts-verifier.lock.yml +++ b/.github/workflows/daily-rendering-scripts-verifier.lock.yml @@ -1268,7 +1268,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml index d890c2779a0..f983ef80f75 100644 --- a/.github/workflows/daily-safe-output-optimizer.lock.yml +++ b/.github/workflows/daily-safe-output-optimizer.lock.yml @@ -1239,7 +1239,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/daily-testify-uber-super-expert.lock.yml b/.github/workflows/daily-testify-uber-super-expert.lock.yml index a8f87e3d5cd..9f4ee880d26 100644 --- a/.github/workflows/daily-testify-uber-super-expert.lock.yml +++ b/.github/workflows/daily-testify-uber-super-expert.lock.yml 
@@ -1131,7 +1131,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/dead-code-remover.lock.yml b/.github/workflows/dead-code-remover.lock.yml index 02388c80339..6fdbc02a0ff 100644 --- a/.github/workflows/dead-code-remover.lock.yml +++ b/.github/workflows/dead-code-remover.lock.yml @@ -1102,7 +1102,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/dependabot-burner.lock.yml b/.github/workflows/dependabot-burner.lock.yml index 2b3b3aee802..6d2662b1bef 100644 --- a/.github/workflows/dependabot-burner.lock.yml +++ b/.github/workflows/dependabot-burner.lock.yml @@ -1042,7 +1042,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index 98d30ae6ff8..92c578fd9f5 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -1138,7 +1138,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index 1e8e4478a8e..c4a899b577e 100644 --- a/.github/workflows/dev.lock.yml 
+++ b/.github/workflows/dev.lock.yml @@ -1237,7 +1237,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml index 94ee56e572b..e41eaeed0fc 100644 --- a/.github/workflows/firewall-escape.lock.yml +++ b/.github/workflows/firewall-escape.lock.yml @@ -1156,7 +1156,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml index 9b8933baee6..f8eaa9350f5 100644 --- a/.github/workflows/grumpy-reviewer.lock.yml +++ b/.github/workflows/grumpy-reviewer.lock.yml @@ -1163,7 +1163,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index 37e7991555d..83770386bdb 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -1437,7 +1437,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index f0f19fe4eb7..bef0d254b54 100644 
--- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -1133,7 +1133,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/metrics-collector.lock.yml b/.github/workflows/metrics-collector.lock.yml index 309256545bc..8943a4565d9 100644 --- a/.github/workflows/metrics-collector.lock.yml +++ b/.github/workflows/metrics-collector.lock.yml @@ -671,7 +671,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index 31f9866ab9b..68939d1ec15 100644 --- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml @@ -1202,7 +1202,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index ba514bd261c..2335e174ed2 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -1137,7 +1137,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index fda997a74af..d755a8fa5a7 100644 
--- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -1503,7 +1503,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer + GH_AW_REQUIRED_ROLES: "admin,maintainer" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml index d20978620a9..da3bce7f445 100644 --- a/.github/workflows/pr-nitpick-reviewer.lock.yml +++ b/.github/workflows/pr-nitpick-reviewer.lock.yml @@ -1201,7 +1201,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index ed997ab7108..48dc06aefd8 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -1324,7 +1324,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/refiner.lock.yml b/.github/workflows/refiner.lock.yml index 129d1eb890d..425f1ab6332 100644 --- a/.github/workflows/refiner.lock.yml +++ b/.github/workflows/refiner.lock.yml @@ -1108,7 +1108,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index c9db240eece..a97aaabeeae 100644 
--- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml @@ -1198,7 +1198,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer + GH_AW_REQUIRED_ROLES: "admin,maintainer" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index 8b763fbcfd2..495988d6679 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -1389,7 +1389,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index afb9e7c5c07..55e66485e72 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml @@ -1243,7 +1243,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml index 69fc67cc491..4f02a0b33ba 100644 --- a/.github/workflows/slide-deck-maintainer.lock.yml +++ b/.github/workflows/slide-deck-maintainer.lock.yml @@ -1177,7 +1177,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | 
diff --git a/.github/workflows/smoke-agent-all-merged.lock.yml b/.github/workflows/smoke-agent-all-merged.lock.yml index b7df946c6dd..c3479ecaead 100644 --- a/.github/workflows/smoke-agent-all-merged.lock.yml +++ b/.github/workflows/smoke-agent-all-merged.lock.yml @@ -1075,7 +1075,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/smoke-agent-all-none.lock.yml b/.github/workflows/smoke-agent-all-none.lock.yml index 6d4aa5caad4..5100d996077 100644 --- a/.github/workflows/smoke-agent-all-none.lock.yml +++ b/.github/workflows/smoke-agent-all-none.lock.yml @@ -1075,7 +1075,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/smoke-agent-public-approved.lock.yml b/.github/workflows/smoke-agent-public-approved.lock.yml index 6bcbf5f1ef7..def6f49c7eb 100644 --- a/.github/workflows/smoke-agent-public-approved.lock.yml +++ b/.github/workflows/smoke-agent-public-approved.lock.yml @@ -1103,7 +1103,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/smoke-agent-public-none.lock.yml b/.github/workflows/smoke-agent-public-none.lock.yml index f07d969d0c1..41c57adde71 100644 --- a/.github/workflows/smoke-agent-public-none.lock.yml +++ b/.github/workflows/smoke-agent-public-none.lock.yml 
@@ -1075,7 +1075,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/smoke-agent-scoped-approved.lock.yml b/.github/workflows/smoke-agent-scoped-approved.lock.yml index c597fa1a1ad..1b23063570c 100644 --- a/.github/workflows/smoke-agent-scoped-approved.lock.yml +++ b/.github/workflows/smoke-agent-scoped-approved.lock.yml @@ -1079,7 +1079,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/smoke-call-workflow.lock.yml b/.github/workflows/smoke-call-workflow.lock.yml index 6a53e4a114b..f1a261c447d 100644 --- a/.github/workflows/smoke-call-workflow.lock.yml +++ b/.github/workflows/smoke-call-workflow.lock.yml @@ -1050,7 +1050,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index db5119b6a82..85dae88ecce 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -2585,7 +2585,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | 
diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index b340c08f3d0..b314801b5bc 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -1678,7 +1678,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/smoke-copilot-arm.lock.yml b/.github/workflows/smoke-copilot-arm.lock.yml index 0673a7c70bd..8965afa2df7 100644 --- a/.github/workflows/smoke-copilot-arm.lock.yml +++ b/.github/workflows/smoke-copilot-arm.lock.yml @@ -1983,7 +1983,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index ce0f8357bcf..5963bd34c2f 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -2029,7 +2029,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/smoke-create-cross-repo-pr.lock.yml b/.github/workflows/smoke-create-cross-repo-pr.lock.yml index d7ea32e8daf..3f24124fbc3 100644 --- a/.github/workflows/smoke-create-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-create-cross-repo-pr.lock.yml 
@@ -1181,7 +1181,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/smoke-gemini.lock.yml b/.github/workflows/smoke-gemini.lock.yml index 3e7c8806b11..b0bcd86e822 100644 --- a/.github/workflows/smoke-gemini.lock.yml +++ b/.github/workflows/smoke-gemini.lock.yml @@ -1322,7 +1322,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/smoke-multi-pr.lock.yml b/.github/workflows/smoke-multi-pr.lock.yml index 6033a9c980c..bf94bbb5d72 100644 --- a/.github/workflows/smoke-multi-pr.lock.yml +++ b/.github/workflows/smoke-multi-pr.lock.yml @@ -1174,7 +1174,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/smoke-project.lock.yml b/.github/workflows/smoke-project.lock.yml index ee55ff968ca..925d4997993 100644 --- a/.github/workflows/smoke-project.lock.yml +++ b/.github/workflows/smoke-project.lock.yml @@ -1307,7 +1307,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/smoke-temporary-id.lock.yml b/.github/workflows/smoke-temporary-id.lock.yml index 72ea3af4247..d486a5eb0bf 100644 
--- a/.github/workflows/smoke-temporary-id.lock.yml +++ b/.github/workflows/smoke-temporary-id.lock.yml @@ -1144,7 +1144,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/smoke-test-tools.lock.yml b/.github/workflows/smoke-test-tools.lock.yml index ce142090439..0a66b105e0b 100644 --- a/.github/workflows/smoke-test-tools.lock.yml +++ b/.github/workflows/smoke-test-tools.lock.yml @@ -1105,7 +1105,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/smoke-update-cross-repo-pr.lock.yml b/.github/workflows/smoke-update-cross-repo-pr.lock.yml index 12212dce01a..9ca24434cd0 100644 --- a/.github/workflows/smoke-update-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-update-cross-repo-pr.lock.yml @@ -1181,7 +1181,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/smoke-workflow-call-with-inputs.lock.yml b/.github/workflows/smoke-workflow-call-with-inputs.lock.yml index 14257a79355..1da20aea6a5 100644 --- a/.github/workflows/smoke-workflow-call-with-inputs.lock.yml +++ b/.github/workflows/smoke-workflow-call-with-inputs.lock.yml 
@@ -1101,7 +1101,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/smoke-workflow-call.lock.yml b/.github/workflows/smoke-workflow-call.lock.yml index 74bcfc1ed65..40cf7a4ee5c 100644 --- a/.github/workflows/smoke-workflow-call.lock.yml +++ b/.github/workflows/smoke-workflow-call.lock.yml @@ -1092,7 +1092,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index 8666979e673..cdd2ea27f36 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -1201,7 +1201,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/ubuntu-image-analyzer.lock.yml b/.github/workflows/ubuntu-image-analyzer.lock.yml index f38ea4ec68d..bb9e66badea 100644 --- a/.github/workflows/ubuntu-image-analyzer.lock.yml +++ b/.github/workflows/ubuntu-image-analyzer.lock.yml @@ -1100,7 +1100,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index 4a01f4fa7be..453b34df5a4 100644 
--- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -1510,7 +1510,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/update-astro.lock.yml b/.github/workflows/update-astro.lock.yml index 4692f05881d..9a860b8a21c 100644 --- a/.github/workflows/update-astro.lock.yml +++ b/.github/workflows/update-astro.lock.yml @@ -1123,7 +1123,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index df9558b812e..852c437da98 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml @@ -1117,7 +1117,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index c7fbf614ed4..85b58c87fb3 100644 --- a/.github/workflows/workflow-health-manager.lock.yml +++ b/.github/workflows/workflow-health-manager.lock.yml @@ -1158,7 +1158,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_REQUIRED_ROLES: "admin,maintainer,write" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | 
diff --git a/pkg/workflow/bots_test.go b/pkg/workflow/bots_test.go index b697ceaecae..7c523763005 100644 --- a/pkg/workflow/bots_test.go +++ b/pkg/workflow/bots_test.go @@ -143,7 +143,7 @@ Test workflow content.` } // Also check that roles are still present - if !strings.Contains(compiledStr, "GH_AW_REQUIRED_ROLES: triage") { + if !strings.Contains(compiledStr, `GH_AW_REQUIRED_ROLES: "triage"`) { t.Errorf("Expected compiled workflow to contain GH_AW_REQUIRED_ROLES environment variable") } } @@ -186,7 +186,7 @@ Test workflow content with bot and default roles.` compiledStr := string(compiledContent) // Check that default roles are present (admin, maintainer, write) - if !strings.Contains(compiledStr, "GH_AW_REQUIRED_ROLES: admin,maintainer,write") { + if !strings.Contains(compiledStr, `GH_AW_REQUIRED_ROLES: "admin,maintainer,write"`) { t.Errorf("Expected compiled workflow to contain default GH_AW_REQUIRED_ROLES") } diff --git a/pkg/workflow/compiler_pre_activation_job.go b/pkg/workflow/compiler_pre_activation_job.go index 24aead98e14..ab6d2a53526 100644 --- a/pkg/workflow/compiler_pre_activation_job.go +++ b/pkg/workflow/compiler_pre_activation_job.go @@ -191,7 +191,7 @@ func (c *Compiler) buildPreActivationJob(data *WorkflowData, needsPermissionChec steps = append(steps, fmt.Sprintf(" id: %s\n", constants.CheckSkipRolesStepID)) steps = append(steps, fmt.Sprintf(" uses: %s\n", GetActionPin("actions/github-script"))) steps = append(steps, " env:\n") - steps = append(steps, fmt.Sprintf(" GH_AW_SKIP_ROLES: %s\n", strings.Join(data.SkipRoles, ","))) + steps = append(steps, fmt.Sprintf(" GH_AW_SKIP_ROLES: %q\n", strings.Join(data.SkipRoles, ","))) steps = append(steps, fmt.Sprintf(" GH_AW_WORKFLOW_NAME: %q\n", workflowName)) steps = append(steps, " with:\n") steps = append(steps, " github-token: ${{ secrets.GITHUB_TOKEN }}\n") 
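Review bot: The updated assertions here, in the second bots_test.go hunk, and in the skip_bots_test.go and skip_roles_test.go hunks only use benign values such as `triage` and `admin,maintainer,write`. They would still pass if `%q` were later replaced by a hand-written `"%s"`, because none of them contains a character that needs escaping. I would add one subtest whose role or bot value contains a double quote or a newline (a constructed sample) and assert that the compiled line carries the escaped form. Whether frontmatter validation lets such a value reach the compiler is not visible in this diff; if it is rejected earlier, the same assertion can be made against the env helper directly.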
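Review bot: The `GH_AW_SKIP_ROLES` line in the compiler_pre_activation_job.go hunk formats its value with an inline `%q`, although pkg/workflow/env.go documents `formatYAMLEnv` as the helper that returns a properly escaped env line, so the escaping rule is now spelled out at several call sites. The same inline form is used for `GH_AW_SKIP_BOTS` in the next hunk of this file and for `GH_AW_REQUIRED_ROLES` and `GH_AW_ALLOWED_BOTS` in role_checks.go. I would write `steps = append(steps, formatYAMLEnv(indent, "GH_AW_SKIP_ROLES", strings.Join(data.SkipRoles, ",")))`, where `indent` stands for the indentation string already used on this line. buildPreActivationJob starts and ends outside the hunk.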
@@ -208,7 +208,7 @@ func (c *Compiler) buildPreActivationJob(data *WorkflowData, needsPermissionChec steps = append(steps, fmt.Sprintf(" id: %s\n", constants.CheckSkipBotsStepID)) steps = append(steps, fmt.Sprintf(" uses: %s\n", GetActionPin("actions/github-script"))) steps = append(steps, " env:\n") - steps = append(steps, fmt.Sprintf(" GH_AW_SKIP_BOTS: %s\n", strings.Join(data.SkipBots, ","))) + steps = append(steps, fmt.Sprintf(" GH_AW_SKIP_BOTS: %q\n", strings.Join(data.SkipBots, ","))) steps = append(steps, fmt.Sprintf(" GH_AW_WORKFLOW_NAME: %q\n", workflowName)) steps = append(steps, " with:\n") steps = append(steps, " script: |\n") diff --git a/pkg/workflow/env.go b/pkg/workflow/env.go index ee2fb4983f3..b86685bccfc 100644 --- a/pkg/workflow/env.go +++ b/pkg/workflow/env.go @@ -2,7 +2,6 @@ package workflow import ( "fmt" - "io" "sort" "strings" @@ -15,9 +14,8 @@ var envLog = logger.New("workflow:env") // writeYAMLEnv emits a single YAML env variable with proper escaping. // Uses %q to produce a valid YAML double-quoted scalar that escapes ", \, newlines, and control characters, // preventing YAML structure injection from frontmatter-derived values. -// w must be an error-free writer (e.g., *strings.Builder). -func writeYAMLEnv(w io.Writer, indent, key, value string) { - fmt.Fprintf(w, "%s%s: %q\n", indent, key, value) +func writeYAMLEnv(b *strings.Builder, indent, key, value string) { + fmt.Fprintf(b, "%s%s: %q\n", indent, key, value) } // formatYAMLEnv returns a properly escaped YAML env variable string. diff --git a/pkg/workflow/role_checks.go b/pkg/workflow/role_checks.go index a213037d15f..d1eb2cc8d5c 100644 --- a/pkg/workflow/role_checks.go +++ b/pkg/workflow/role_checks.go 
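Review bot: The doc comment on writeYAMLEnv in the env.go hunk says `%q` prevents YAML structure injection, but it does not say what the quoting leaves uncovered. GitHub Actions still evaluates `${{ }}` sequences inside a double-quoted env value, so a frontmatter-derived value is not made inert by quoting alone. I would add `// Quoting protects YAML structure only; callers must still validate values, because ${{ }} inside a value is evaluated by the Actions runner.` to the comment. Whether roles, skip-roles and skip-bots are constrained by a schema pattern like the one added for bots earlier in this series is not visible here.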
@@ -26,9 +26,9 @@ func (c *Compiler) generateMembershipCheck(data *WorkflowData, steps []string) [ // Add environment variables for permission check steps = append(steps, " env:\n") - steps = append(steps, fmt.Sprintf(" GH_AW_REQUIRED_ROLES: %s\n", strings.Join(data.Roles, ","))) + steps = append(steps, fmt.Sprintf(" GH_AW_REQUIRED_ROLES: %q\n", strings.Join(data.Roles, ","))) if len(data.Bots) > 0 { - steps = append(steps, fmt.Sprintf(" GH_AW_ALLOWED_BOTS: %s\n", strings.Join(data.Bots, ","))) + steps = append(steps, fmt.Sprintf(" GH_AW_ALLOWED_BOTS: %q\n", strings.Join(data.Bots, ","))) } steps = append(steps, " with:\n") diff --git a/pkg/workflow/skip_bots_test.go b/pkg/workflow/skip_bots_test.go index 744d79bcb97..9bad567bf79 100644 --- a/pkg/workflow/skip_bots_test.go +++ b/pkg/workflow/skip_bots_test.go @@ -51,7 +51,7 @@ This workflow has a skip-bots configuration. assert.Contains(t, lockContentStr, "Check skip-bots", "Expected skip-bots check to be present") // Verify the skip users environment variable is set correctly - assert.Contains(t, lockContentStr, "GH_AW_SKIP_BOTS: user1,user2,user3", "Expected GH_AW_SKIP_BOTS environment variable with correct value") + assert.Contains(t, lockContentStr, `GH_AW_SKIP_BOTS: "user1,user2,user3"`, "Expected GH_AW_SKIP_BOTS environment variable with correct value") // Verify the check_skip_bots step ID is present assert.Contains(t, lockContentStr, "id: check_skip_bots", "Expected check_skip_bots step ID") @@ -93,7 +93,7 @@ This workflow skips only for user1. assert.Contains(t, lockContentStr, "Check skip-bots", "Expected skip-bots check to be present") // Verify single user - assert.Contains(t, lockContentStr, "GH_AW_SKIP_BOTS: user1", "Expected GH_AW_SKIP_BOTS with single user") + assert.Contains(t, lockContentStr, `GH_AW_SKIP_BOTS: "user1"`, "Expected GH_AW_SKIP_BOTS with single user") }) t.Run("no_skip_bots_no_check_created", func(t *testing.T) { 
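Review bot: In the role_checks.go hunk `GH_AW_REQUIRED_ROLES` is appended unconditionally, while `GH_AW_ALLOWED_BOTS` is guarded by `len(data.Bots) > 0`, and nothing documents what an empty role list means. The golden files in this diff show the empty case changing from a bare key to `GH_AW_REQUIRED_ROLES: ""`. How the check_membership script treats an empty list is not visible here, so I would add a comment above the append stating whether an empty value allows or denies the actor, and that the script is expected to treat the bare key and `""` the same way. generateMembershipCheck continues outside the hunk.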
@@ -159,10 +159,10 @@ This workflow has both roles and skip-bots. assert.Contains(t, lockContentStr, "Check skip-bots", "Expected skip-bots check to be present") // Verify GH_AW_REQUIRED_ROLES is set - assert.Contains(t, lockContentStr, "GH_AW_REQUIRED_ROLES: maintainer", "Expected GH_AW_REQUIRED_ROLES for roles field") + assert.Contains(t, lockContentStr, `GH_AW_REQUIRED_ROLES: "maintainer"`, "Expected GH_AW_REQUIRED_ROLES for roles field") // Verify GH_AW_SKIP_BOTS is set - assert.Contains(t, lockContentStr, "GH_AW_SKIP_BOTS: user1,user2", "Expected GH_AW_SKIP_BOTS for skip-bots field") + assert.Contains(t, lockContentStr, `GH_AW_SKIP_BOTS: "user1,user2"`, "Expected GH_AW_SKIP_BOTS for skip-bots field") // Verify both conditions in activated output assert.Contains(t, lockContentStr, "steps.check_membership.outputs.is_team_member", "Expected membership check in activated output") @@ -201,8 +201,8 @@ This workflow has both skip-roles and skip-bots. assert.Contains(t, lockContentStr, "Check skip-bots", "Expected skip-bots check to be present") // Verify both environment variables are set - assert.Contains(t, lockContentStr, "GH_AW_SKIP_ROLES: admin,write", "Expected GH_AW_SKIP_ROLES for skip-roles field") - assert.Contains(t, lockContentStr, "GH_AW_SKIP_BOTS: user1,user2", "Expected GH_AW_SKIP_BOTS for skip-bots field") + assert.Contains(t, lockContentStr, `GH_AW_SKIP_ROLES: "admin,write"`, "Expected GH_AW_SKIP_ROLES for skip-roles field") + assert.Contains(t, lockContentStr, `GH_AW_SKIP_BOTS: "user1,user2"`, "Expected GH_AW_SKIP_BOTS for skip-bots field") // Verify both conditions in activated output assert.Contains(t, lockContentStr, "steps.check_skip_roles.outputs.skip_roles_ok", "Expected skip-roles check in activated output") diff --git a/pkg/workflow/skip_roles_test.go b/pkg/workflow/skip_roles_test.go index da21460ab63..38a41a202c0 100644 --- a/pkg/workflow/skip_roles_test.go +++ b/pkg/workflow/skip_roles_test.go 
@@ -51,7 +51,7 @@ This workflow has a skip-roles configuration. assert.Contains(t, lockContentStr, "Check skip-roles", "Expected skip-roles check to be present") // Verify the skip roles environment variable is set correctly - assert.Contains(t, lockContentStr, "GH_AW_SKIP_ROLES: admin,maintainer,write", "Expected GH_AW_SKIP_ROLES environment variable with correct value") + assert.Contains(t, lockContentStr, `GH_AW_SKIP_ROLES: "admin,maintainer,write"`, "Expected GH_AW_SKIP_ROLES environment variable with correct value") // Verify the check_skip_roles step ID is present assert.Contains(t, lockContentStr, "id: check_skip_roles", "Expected check_skip_roles step ID") @@ -93,7 +93,7 @@ This workflow skips only for admin role. assert.Contains(t, lockContentStr, "Check skip-roles", "Expected skip-roles check to be present") // Verify single role - assert.Contains(t, lockContentStr, "GH_AW_SKIP_ROLES: admin", "Expected GH_AW_SKIP_ROLES with single role") + assert.Contains(t, lockContentStr, `GH_AW_SKIP_ROLES: "admin"`, "Expected GH_AW_SKIP_ROLES with single role") }) t.Run("no_skip_roles_no_check_created", func(t *testing.T) { 
@@ -159,10 +159,10 @@ This workflow has both roles and skip-roles. assert.Contains(t, lockContentStr, "Check skip-roles", "Expected skip-roles check to be present") // Verify GH_AW_REQUIRED_ROLES is set - assert.Contains(t, lockContentStr, "GH_AW_REQUIRED_ROLES: maintainer", "Expected GH_AW_REQUIRED_ROLES for roles field") + assert.Contains(t, lockContentStr, `GH_AW_REQUIRED_ROLES: "maintainer"`, "Expected GH_AW_REQUIRED_ROLES for roles field") // Verify GH_AW_SKIP_ROLES is set - assert.Contains(t, lockContentStr, "GH_AW_SKIP_ROLES: admin,write", "Expected GH_AW_SKIP_ROLES for skip-roles field") + assert.Contains(t, lockContentStr, `GH_AW_SKIP_ROLES: "admin,write"`, "Expected GH_AW_SKIP_ROLES for skip-roles field") // Verify both conditions in activated output assert.Contains(t, lockContentStr, "steps.check_membership.outputs.is_team_member", "Expected membership check in activated output") diff --git a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/basic-copilot.golden b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/basic-copilot.golden index 18ae263913e..0bbe77962ad 100644 --- a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/basic-copilot.golden +++ b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/basic-copilot.golden @@ -530,7 +530,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: + GH_AW_REQUIRED_ROLES: "" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-copilot.golden b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-copilot.golden index 9efbda03f12..9d917ad9fc6 100644 --- a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-copilot.golden +++ b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-copilot.golden 
@@ -730,7 +730,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: + GH_AW_REQUIRED_ROLES: "" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/with-imports.golden b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/with-imports.golden index 9353f61c2c4..d3b8fc1336f 100644 --- a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/with-imports.golden +++ b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/with-imports.golden @@ -533,7 +533,7 @@ jobs: id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_REQUIRED_ROLES: + GH_AW_REQUIRED_ROLES: "" with: github-token: ${{ secrets.GITHUB_TOKEN }} script: |