From 82e5ba75f7bd80801bed6d6ebda7bcb594e76515 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 20 Apr 2026 14:37:35 +0000
Subject: [PATCH 1/2] Fix add_comment newline before injected caution/footer

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/4807312c-bc5c-485d-9852-eb4e71c1d72b
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 actions/setup/js/add_comment.cjs | 2 +-
 actions/setup/js/add_comment.test.cjs | 35 +++++++++++++++++++++++++++
 2 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/actions/setup/js/add_comment.cjs b/actions/setup/js/add_comment.cjs
index 4d0e8d54aa..7c8ce5a959 100644
--- a/actions/setup/js/add_comment.cjs
+++ b/actions/setup/js/add_comment.cjs
@@ -528,7 +528,7 @@ async function main(config = {}) {
     if (includeFooter) {
       // When footer is enabled, add full footer with attribution and XML markers
-      processedBody += generateFooterWithMessages(workflowName, runUrl, workflowSource, workflowSourceURL, triggeringIssueNumber, triggeringPRNumber, triggeringDiscussionNumber, historyUrl).trimEnd();
+      processedBody += "\n\n" + generateFooterWithMessages(workflowName, runUrl, workflowSource, workflowSourceURL, triggeringIssueNumber, triggeringPRNumber, triggeringDiscussionNumber, historyUrl).trimEnd();
     } else {
       // When footer is disabled, only add XML marker for searchability (no visible attribution text)
       processedBody += "\n\n" + generateXMLMarker(workflowName, runUrl);
diff --git a/actions/setup/js/add_comment.test.cjs b/actions/setup/js/add_comment.test.cjs
index 5d22ba1d46..36244c829c 100644
--- a/actions/setup/js/add_comment.test.cjs
+++ b/actions/setup/js/add_comment.test.cjs
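Review bot: The blank line added on the `+` line guarantees paragraph separation but not that the notice is rendered: if the body (agent output, per the test's `GH_AW_DETECTION_REASON = "threat_detected"` scenario) ends inside an unclosed ``` fence or an open `<!--`, the appended `> [!CAUTION]` notice and the XML marker are swallowed as code or comment text, so the warning can be hidden by exactly the content it flags. Worth confirming that the sanitizer the sibling "should sanitize user content" test refers to closes open fences and HTML comments before this point — the hunk does not show it — or emitting the caution ahead of `processedBody` instead of after it. Separately, both branches now prepend the same separator, so it can be hoisted: `processedBody += "\n\n";` followed by `processedBody += includeFooter ? generateFooterWithMessages(…).trimEnd() : generateXMLMarker(workflowName, runUrl);` (keeping the two explanatory comments). `main` starts and ends outside the hunk.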
@@ -1882,6 +1882,41 @@ describe("add_comment", () => {
     delete process.env.GH_AW_WORKFLOW_NAME;
   });
 
+  it("should add a blank line before injected security scanning caution footer", async () => {
+    const addCommentScript = fs.readFileSync(path.join(__dirname, "add_comment.cjs"), "utf8");
+
+    process.env.GH_AW_WORKFLOW_NAME = "Security Test Workflow";
+    process.env.GH_AW_DETECTION_CONCLUSION = "warning";
+    process.env.GH_AW_DETECTION_REASON = "threat_detected";
+
+    let capturedBody = null;
+    mockGithub.rest.issues.createComment = async params => {
+      capturedBody = params.body;
+      return {
+        data: {
+          id: 12345,
+          html_url: "https://github.com/owner/repo/issues/42#issuecomment-12345",
+        },
+      };
+    };
+
+    const handler = await eval(`(async () => { ${addCommentScript}; return await main({}); })()`);
+
+    const message = {
+      type: "add_comment",
+      body: "Comment body for warning case",
+    };
+
+    const result = await handler(message, {});
+
+    expect(result.success).toBe(true);
+    expect(capturedBody).toContain("Comment body for warning case\n\n> [!CAUTION]");
+
+    delete process.env.GH_AW_WORKFLOW_NAME;
+    delete process.env.GH_AW_DETECTION_CONCLUSION;
+    delete process.env.GH_AW_DETECTION_REASON;
+  });
+
   it("should sanitize user content but preserve system markers", async () => {
     const addCommentScript = fs.readFileSync(path.join(__dirname, "add_comment.cjs"), "utf8");
 

From b6300ccbe5804e0cb0c165d363571ba125453511 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 20 Apr 2026 14:43:56 +0000
Subject: [PATCH 2/2] Strengthen newline regression test for injected caution footer

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/4807312c-bc5c-485d-9852-eb4e71c1d72b
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 actions/setup/js/add_comment.test.cjs | 3 +++
 1 file changed, 3 insertions(+)

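Review bot: The cleanup at the end of the new test (`delete process.env.GH_AW_WORKFLOW_NAME;` and the two `GH_AW_DETECTION_*` deletes) only runs when every `expect` passes, so a failing assertion leaks `GH_AW_DETECTION_CONCLUSION = "warning"` into the tests that follow and can cause or mask unrelated failures; wrap the assertions in `try { … } finally { delete … }` or move the deletes to an `afterEach`. The override of `mockGithub.rest.issues.createComment` is likewise never restored — fine if the surrounding `describe` resets the mock per test, which this hunk does not show, otherwise worth restoring in the same `finally`. The neighbouring tests visible in the context lines follow the same delete-at-the-end pattern, so this may be a file-wide convention rather than something to fix in this test alone. The enclosing `describe` block starts and ends outside the hunk.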
diff --git a/actions/setup/js/add_comment.test.cjs b/actions/setup/js/add_comment.test.cjs
index 36244c829c..9bcd6bd5a4 100644
--- a/actions/setup/js/add_comment.test.cjs
+++ b/actions/setup/js/add_comment.test.cjs
@@ -1911,6 +1911,9 @@ describe("add_comment", () => {
     expect(result.success).toBe(true);
     expect(capturedBody).toContain("Comment body for warning case\n\n> [!CAUTION]");
+    expect(capturedBody).toContain("**Security scanning requires review**");
+    expect(capturedBody).toContain("> Generated by [Security Test Workflow]");
+    expect(capturedBody).toMatch(/> \[!CAUTION\][\s\S]*\n\n> Generated by \[Security Test Workflow\]/);
 
     delete process.env.GH_AW_WORKFLOW_NAME;
     delete process.env.GH_AW_DETECTION_CONCLUSION;