Add schema pattern validation for github-token fields

[Copilot]

Prevents accidental secret leakage by enforcing GitHub Actions secret expressions for all github-token fields via JSON schema pattern validation.

Changes

• Schema: Added $defs/github_token with regex pattern ^\$\{\{\s*secrets\.[A-Za-z_][A-Za-z0-9_]*(\s*\|\|\s*secrets\.[A-Za-z_][A-Za-z0-9_]*)*\s*\}\}$ applied to 16 field locations (top-level, safe-outputs global/individual, tools.github)
• Tests: 26 test cases covering valid secret expressions, plaintext rejection, environment variable rejection, and error messaging
• Docs: Added caution callout in frontmatter reference and security tip in security guide

Validation Examples

✅ Valid

github-token: ${{ secrets.GITHUB_TOKEN }}
github-token: ${{ secrets.CUSTOM_PAT }}
github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}

❌ Invalid (compilation fails)

github-token: ghp_1234567890...              # plaintext
github-token: ${{ env.MY_TOKEN }}            # env variable
github-token: my-secret-token                # string

Error Message

error: at '/github-token': 'ghp_actualSecretInPlainText' does not match pattern

Resolves #2457 (Option B implementation as requested)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[task] Add github-token secret validation</issue_title>
<issue_description>## Objective
Prevent accidental secret leakage by validating that github-token field uses GitHub Actions secret expressions, not plaintext values.

Context

Related to discussion #2457 (Schema Consistency Audit).

The schema allows any string for github-token, with no pattern validation. Users could accidentally commit secrets:

github-token: ghp_actualSecretInPlainText  # 😱 LEAKED!

Approach

Option A (Recommended): Add compile-time warning in pkg/workflow/github_token.go:

func validateGitHubToken(token string) error {
    // Check if token looks like a secret expression
    if !strings.Contains(token, "${{") || !strings.Contains(token, "secrets.") {
        return fmt.Errorf("github-token should use secret expression (e.g., ${{ secrets.GITHUB_TOKEN }}), not plaintext value")
    }
    return nil
}

Option B: Add schema pattern validation in pkg/parser/schemas/main_workflow_schema.json:

{
  "type": "string",
  "pattern": "^\\$\\{\\{.*secrets\\..*\\}\\}$",
  "description": "GitHub token expression using secrets",
  "examples": ["${{ secrets.GITHUB_TOKEN }}"]
}

Files to Modify

• Update: pkg/workflow/github_token.go (add validation function)
• Update: pkg/workflow/compiler.go (call validation during compilation)
• Update: pkg/parser/schemas/main_workflow_schema.json (add pattern if using Option B)
• Create: pkg/workflow/github_token_validation_test.go (test validation)

Acceptance Criteria

• Valid secret expressions pass validation: ${{ secrets.GITHUB_TOKEN }}
• Plaintext tokens trigger clear error/warning
• Error message suggests correct format
• Existing workflows with valid tokens continue to work
• Unit tests cover valid and invalid cases
  Related to [Schema Consistency] 🔍 Schema Consistency Check - Security & Type Safety Audit (2025-10-25) #2457

AI generated by Plan Command for discussion #2457</issue_description>

Comments on the Issue (you are @copilot in this section)

@pelikhan Option B.

• Fixes [task] Add github-token secret validation #2463

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[github-actions]

Agentic Changeset Generator triggered by this pull request.

[Copilot]

Pull Request Overview

This PR implements JSON schema pattern validation for github-token fields to prevent accidental plaintext secret leakage. Per the issue discussion, Option B was chosen to add schema-level validation rather than runtime checks.

Key changes:

• Added regex pattern validation to reject plaintext tokens and non-secret expressions
• Created comprehensive test coverage with 26 test cases across all github-token field locations
• Updated documentation to explain the validation behavior and requirements

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File	Description
pkg/parser/schemas/main_workflow_schema.json	Added github_token definition with regex pattern; updated 16 field locations to reference it
pkg/workflow/github_token_validation_test.go	Created comprehensive test suite covering valid/invalid tokens across all schema locations
docs/src/content/docs/reference/frontmatter.md	Added caution callout documenting valid/invalid token formats
docs/src/content/docs/guides/security.md	Added tip callout explaining automatic validation behavior

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[pelikhan]

@copilot format and lint

[Copilot]

@copilot format and lint

All formatting and linting checks pass successfully. No changes needed - the code is already properly formatted.