From 55d16d24a31f1f689ed54785bd873cd1b23a6a59 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 24 Apr 2026 14:25:57 +0000 Subject: [PATCH 1/5] feat: suggest gh-proxy mode when api.github.com is blocked by firewall Agent-Logs-Url: https://github.com/github/gh-aw/sessions/6e7ed1c2-999b-4c24-8057-c2f9d020badc Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- actions/setup/js/firewall_blocked_domains.cjs | 17 ++++++++++ .../js/firewall_blocked_domains.test.cjs | 32 +++++++++++++++++++ 2 files changed, 49 insertions(+) diff --git a/actions/setup/js/firewall_blocked_domains.cjs b/actions/setup/js/firewall_blocked_domains.cjs index 69beb00f2ec..133541bb054 100644 --- a/actions/setup/js/firewall_blocked_domains.cjs +++ b/actions/setup/js/firewall_blocked_domains.cjs @@ -207,6 +207,23 @@ function generateBlockedDomainsSection(blockedDomains) { } section += `>\n`; + + // Check if api.github.com is in the blocked domains list + const hasGitHubApiBlocked = blockedDomains.includes("api.github.com"); + + if (hasGitHubApiBlocked) { + section += `> **💡 Tip:** \`api.github.com\` is blocked because GitHub API access uses the built-in GitHub tools by default. Instead of adding \`api.github.com\` to \`network.allowed\`, use \`tools.github.mode: gh-proxy\` for direct pre-authenticated GitHub CLI access without requiring network access to \`api.github.com\`:\n`; + section += `>\n`; + section += `> \`\`\`yaml\n`; + section += `> tools:\n`; + section += `> github:\n`; + section += `> mode: gh-proxy\n`; + section += `> \`\`\`\n`; + section += `>\n`; + section += `> See [GitHub Tools](https://github.github.com/gh-aw/reference/github-tools/) for more information on \`gh-proxy\` mode.\n`; + section += `>\n`; + } + section += `> To allow these domains, add them to the \`network.allowed\` list in your workflow frontmatter:\n`; section += `>\n`; section += `> \`\`\`yaml\n`; diff --git a/actions/setup/js/firewall_blocked_domains.test.cjs b/actions/setup/js/firewall_blocked_domains.test.cjs index 71c70f8b65f..593e8e49cfc 100644 --- a/actions/setup/js/firewall_blocked_domains.test.cjs +++ b/actions/setup/js/firewall_blocked_domains.test.cjs @@ -348,5 +348,37 @@ describe("firewall_blocked_domains.cjs", () => { const result = generateBlockedDomainsSection(["example.com"]); expect(result).toMatch(/^\n\n> \[!WARNING\]/); }); + + it("should suggest gh-proxy mode when api.github.com is blocked", () => { + const result = generateBlockedDomainsSection(["api.github.com"]); + + expect(result).toContain("> [!WARNING]"); + expect(result).toContain("> **⚠️ Firewall blocked 1 domain**"); + expect(result).toContain("> - `api.github.com`"); + expect(result).toContain("`tools.github.mode: gh-proxy`"); + expect(result).toContain("> ```yaml\n> tools:\n> github:\n> mode: gh-proxy\n> ```"); + expect(result).toContain("> See [GitHub Tools](https://github.github.com/gh-aw/reference/github-tools/) for more information on `gh-proxy` mode."); + expect(result).toContain("> See [Network Configuration](https://github.github.com/gh-aw/reference/network/) for more information."); + }); + + it("should suggest gh-proxy mode when api.github.com is among other blocked domains", () => { + const domains = ["api.github.com", "other.example.com"]; + const result = generateBlockedDomainsSection(domains); + + expect(result).toContain("> [!WARNING]"); + expect(result).toContain("> **⚠️ Firewall blocked 2 domains**"); + expect(result).toContain("> - `api.github.com`"); + expect(result).toContain("> - `other.example.com`"); + expect(result).toContain("> ```yaml\n> tools:\n> github:\n> mode: gh-proxy\n> ```"); + expect(result).toContain("> See [GitHub Tools](https://github.github.com/gh-aw/reference/github-tools/) for more information on `gh-proxy` mode."); + }); + + it("should not suggest gh-proxy mode when api.github.com is not blocked", () => { + const result = generateBlockedDomainsSection(["other.example.com"]); + + expect(result).not.toContain("gh-proxy"); + expect(result).not.toContain("GitHub Tools"); + expect(result).toContain("> See [Network Configuration](https://github.github.com/gh-aw/reference/network/) for more information."); + }); }); }); From e43828bd1b0ff6c386f84be7f4734f305063b348 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 24 Apr 2026 15:11:28 +0000 Subject: [PATCH 2/5] refactor: move firewall blocked domains text to md template, use renderTemplateFromFile Agent-Logs-Url: https://github.com/github/gh-aw/sessions/c419322e-1c45-4004-bc12-fa668a0f1736 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- actions/setup/js/firewall_blocked_domains.cjs | 73 ++++++++----------- .../js/firewall_blocked_domains.test.cjs | 25 ++++--- actions/setup/md/firewall_blocked_domains.md | 17 +++++ 3 files changed, 65 insertions(+), 50 deletions(-) create mode 100644 actions/setup/md/firewall_blocked_domains.md diff --git a/actions/setup/js/firewall_blocked_domains.cjs b/actions/setup/js/firewall_blocked_domains.cjs index 133541bb054..7f817bcbd4b 100644 --- a/actions/setup/js/firewall_blocked_domains.cjs +++ b/actions/setup/js/firewall_blocked_domains.cjs @@ -11,6 +11,7 @@ const fs = require("fs"); const path = require("path"); const { sanitizeDomainName } = require("./sanitize_content_core.cjs"); +const { renderTemplateFromFile } = require("./messages_core.cjs"); /** * Parses a single firewall log line @@ -185,59 +186,49 @@ function getBlockedDomains(logsDir) { /** * Generates HTML details/summary section for blocked domains wrapped in a GitHub warning alert * @param {string[]} blockedDomains - Array of blocked domain names + * @param {string} [templatePath] - Optional path to template file (defaults to RUNNER_TEMP/gh-aw/prompts/firewall_blocked_domains.md) * @returns {string} GitHub warning alert with details section, or empty string if no blocked domains */ -function generateBlockedDomainsSection(blockedDomains) { +function generateBlockedDomainsSection(blockedDomains, templatePath) { if (!blockedDomains || blockedDomains.length === 0) { return ""; } const domainCount = blockedDomains.length; const domainWord = domainCount === 1 ? "domain" : "domains"; + const verb = domainCount === 1 ? "was" : "were"; - let section = "\n\n> [!WARNING]\n"; - section += `> **⚠️ Firewall blocked ${domainCount} ${domainWord}**\n`; - section += `>\n`; - section += `> The following ${domainWord} ${domainCount === 1 ? "was" : "were"} blocked by the firewall during workflow execution:\n`; - section += `>\n`; + // Build domain bullet list lines + const domainList = blockedDomains.map(domain => `> - \`${domain}\`\n`).join(""); - // List domains as bullet points (within the alert) - for (const domain of blockedDomains) { - section += `> - \`${domain}\`\n`; - } - - section += `>\n`; + // Build YAML network.allowed list lines + const yamlNetworkList = blockedDomains.map(domain => `> - "${domain}"\n`).join(""); - // Check if api.github.com is in the blocked domains list + // Build optional gh-proxy tip if api.github.com is blocked const hasGitHubApiBlocked = blockedDomains.includes("api.github.com"); - - if (hasGitHubApiBlocked) { - section += `> **💡 Tip:** \`api.github.com\` is blocked because GitHub API access uses the built-in GitHub tools by default. Instead of adding \`api.github.com\` to \`network.allowed\`, use \`tools.github.mode: gh-proxy\` for direct pre-authenticated GitHub CLI access without requiring network access to \`api.github.com\`:\n`; - section += `>\n`; - section += `> \`\`\`yaml\n`; - section += `> tools:\n`; - section += `> github:\n`; - section += `> mode: gh-proxy\n`; - section += `> \`\`\`\n`; - section += `>\n`; - section += `> See [GitHub Tools](https://github.github.com/gh-aw/reference/github-tools/) for more information on \`gh-proxy\` mode.\n`; - section += `>\n`; - } - - section += `> To allow these domains, add them to the \`network.allowed\` list in your workflow frontmatter:\n`; - section += `>\n`; - section += `> \`\`\`yaml\n`; - section += `> network:\n`; - section += `> allowed:\n`; - section += `> - defaults\n`; - for (const domain of blockedDomains) { - section += `> - "${domain}"\n`; - } - section += `> \`\`\`\n`; - section += `>\n`; - section += `> See [Network Configuration](https://github.github.com/gh-aw/reference/network/) for more information.\n`; - - return section; + const ghProxyTip = hasGitHubApiBlocked + ? `> **💡 Tip:** \`api.github.com\` is blocked because GitHub API access uses the built-in GitHub tools by default. Instead of adding \`api.github.com\` to \`network.allowed\`, use \`tools.github.mode: gh-proxy\` for direct pre-authenticated GitHub CLI access without requiring network access to \`api.github.com\`:\n` + + `>\n` + + `> \`\`\`yaml\n` + + `> tools:\n` + + `> github:\n` + + `> mode: gh-proxy\n` + + `> \`\`\`\n` + + `>\n` + + `> See [GitHub Tools](https://github.github.com/gh-aw/reference/github-tools/) for more information on \`gh-proxy\` mode.\n` + + `>\n` + : ""; + + const resolvedTemplatePath = templatePath || (process.env.RUNNER_TEMP ? `${process.env.RUNNER_TEMP}/gh-aw/prompts/firewall_blocked_domains.md` : path.join(__dirname, "../md/firewall_blocked_domains.md")); + + return renderTemplateFromFile(resolvedTemplatePath, { + domain_count: domainCount, + domain_word: domainWord, + verb, + domain_list: domainList, + yaml_network_list: yamlNetworkList, + gh_proxy_tip: ghProxyTip, + }); } module.exports = { diff --git a/actions/setup/js/firewall_blocked_domains.test.cjs b/actions/setup/js/firewall_blocked_domains.test.cjs index 593e8e49cfc..a693ad4b3eb 100644 --- a/actions/setup/js/firewall_blocked_domains.test.cjs +++ b/actions/setup/js/firewall_blocked_domains.test.cjs @@ -2,6 +2,13 @@ import { describe, it, expect, beforeEach, afterEach } from "vitest"; import fs from "fs"; import path from "path"; import os from "os"; +import { fileURLToPath } from "url"; + +const __filename = fileURLToPath(import.meta.url); +const __dirname = path.dirname(__filename); + +// Path to the template file in the source tree (used in tests instead of RUNNER_TEMP) +const TEMPLATE_PATH = path.join(__dirname, "../md/firewall_blocked_domains.md"); describe("firewall_blocked_domains.cjs", () => { let parseFirewallLogLine; @@ -306,7 +313,7 @@ describe("firewall_blocked_domains.cjs", () => { }); it("should generate warning section for single blocked domain", () => { - const result = generateBlockedDomainsSection(["blocked.example.com"]); + const result = generateBlockedDomainsSection(["blocked.example.com"], TEMPLATE_PATH); expect(result).toContain("> [!WARNING]"); expect(result).toContain("> **⚠️ Firewall blocked 1 domain**"); @@ -318,7 +325,7 @@ describe("firewall_blocked_domains.cjs", () => { it("should generate warning section for multiple blocked domains", () => { const domains = ["alpha.example.com", "beta.example.com", "gamma.example.com"]; - const result = generateBlockedDomainsSection(domains); + const result = generateBlockedDomainsSection(domains, TEMPLATE_PATH); expect(result).toContain("> [!WARNING]"); expect(result).toContain("> **⚠️ Firewall blocked 3 domains**"); @@ -330,27 +337,27 @@ describe("firewall_blocked_domains.cjs", () => { }); it("should use correct singular/plural form", () => { - const singleResult = generateBlockedDomainsSection(["single.com"]); + const singleResult = generateBlockedDomainsSection(["single.com"], TEMPLATE_PATH); expect(singleResult).toContain("1 domain"); expect(singleResult).toContain("domain was blocked"); - const multiResult = generateBlockedDomainsSection(["one.com", "two.com"]); + const multiResult = generateBlockedDomainsSection(["one.com", "two.com"], TEMPLATE_PATH); expect(multiResult).toContain("2 domains"); expect(multiResult).toContain("domains were blocked"); }); it("should format domains with backticks", () => { - const result = generateBlockedDomainsSection(["example.com"]); + const result = generateBlockedDomainsSection(["example.com"], TEMPLATE_PATH); expect(result).toMatch(/> - `example\.com`/); }); it("should start with double newline and warning alert", () => { - const result = generateBlockedDomainsSection(["example.com"]); + const result = generateBlockedDomainsSection(["example.com"], TEMPLATE_PATH); expect(result).toMatch(/^\n\n> \[!WARNING\]/); }); it("should suggest gh-proxy mode when api.github.com is blocked", () => { - const result = generateBlockedDomainsSection(["api.github.com"]); + const result = generateBlockedDomainsSection(["api.github.com"], TEMPLATE_PATH); expect(result).toContain("> [!WARNING]"); expect(result).toContain("> **⚠️ Firewall blocked 1 domain**"); @@ -363,7 +370,7 @@ describe("firewall_blocked_domains.cjs", () => { it("should suggest gh-proxy mode when api.github.com is among other blocked domains", () => { const domains = ["api.github.com", "other.example.com"]; - const result = generateBlockedDomainsSection(domains); + const result = generateBlockedDomainsSection(domains, TEMPLATE_PATH); expect(result).toContain("> [!WARNING]"); expect(result).toContain("> **⚠️ Firewall blocked 2 domains**"); @@ -374,7 +381,7 @@ describe("firewall_blocked_domains.cjs", () => { }); it("should not suggest gh-proxy mode when api.github.com is not blocked", () => { - const result = generateBlockedDomainsSection(["other.example.com"]); + const result = generateBlockedDomainsSection(["other.example.com"], TEMPLATE_PATH); expect(result).not.toContain("gh-proxy"); expect(result).not.toContain("GitHub Tools"); diff --git a/actions/setup/md/firewall_blocked_domains.md b/actions/setup/md/firewall_blocked_domains.md new file mode 100644 index 00000000000..473ecca907b --- /dev/null +++ b/actions/setup/md/firewall_blocked_domains.md @@ -0,0 +1,17 @@ + + +> [!WARNING] +> **⚠️ Firewall blocked {domain_count} {domain_word}** +> +> The following {domain_word} {verb} blocked by the firewall during workflow execution: +> +{domain_list}> +{gh_proxy_tip}> To allow these domains, add them to the `network.allowed` list in your workflow frontmatter: +> +> ```yaml +> network: +> allowed: +> - defaults +{yaml_network_list}> ``` +> +> See [Network Configuration](https://github.github.com/gh-aw/reference/network/) for more information. From 2eb20677617d5a4c5f73a5881116c7b367e3fcf4 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 24 Apr 2026 15:13:53 +0000 Subject: [PATCH 3/5] fix: address code review feedback on template and path resolution Agent-Logs-Url: https://github.com/github/gh-aw/sessions/c419322e-1c45-4004-bc12-fa668a0f1736 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- actions/setup/js/firewall_blocked_domains.cjs | 28 ++++++++++++------- actions/setup/md/firewall_blocked_domains.md | 2 -- 2 files changed, 18 insertions(+), 12 deletions(-) diff --git a/actions/setup/js/firewall_blocked_domains.cjs b/actions/setup/js/firewall_blocked_domains.cjs index 7f817bcbd4b..cfcc60d1bdb 100644 --- a/actions/setup/js/firewall_blocked_domains.cjs +++ b/actions/setup/js/firewall_blocked_domains.cjs @@ -185,7 +185,7 @@ function getBlockedDomains(logsDir) { /** * Generates HTML details/summary section for blocked domains wrapped in a GitHub warning alert - * @param {string[]} blockedDomains - Array of blocked domain names + * @param {string[]} blockedDomains - Array of blocked domain names (expected to be pre-sanitized via getBlockedDomains) * @param {string} [templatePath] - Optional path to template file (defaults to RUNNER_TEMP/gh-aw/prompts/firewall_blocked_domains.md) * @returns {string} GitHub warning alert with details section, or empty string if no blocked domains */ @@ -219,16 +219,24 @@ function generateBlockedDomainsSection(blockedDomains, templatePath) { `>\n` : ""; - const resolvedTemplatePath = templatePath || (process.env.RUNNER_TEMP ? `${process.env.RUNNER_TEMP}/gh-aw/prompts/firewall_blocked_domains.md` : path.join(__dirname, "../md/firewall_blocked_domains.md")); + // Resolve template path: explicit > RUNNER_TEMP (production) > source tree (local dev/test) + let resolvedTemplatePath = templatePath; + if (!resolvedTemplatePath) { + resolvedTemplatePath = process.env.RUNNER_TEMP ? `${process.env.RUNNER_TEMP}/gh-aw/prompts/firewall_blocked_domains.md` : path.join(__dirname, "../md/firewall_blocked_domains.md"); + } - return renderTemplateFromFile(resolvedTemplatePath, { - domain_count: domainCount, - domain_word: domainWord, - verb, - domain_list: domainList, - yaml_network_list: yamlNetworkList, - gh_proxy_tip: ghProxyTip, - }); + // Template starts without leading newlines; prepend separator expected by callers + return ( + "\n\n" + + renderTemplateFromFile(resolvedTemplatePath, { + domain_count: domainCount, + domain_word: domainWord, + verb, + domain_list: domainList, + yaml_network_list: yamlNetworkList, + gh_proxy_tip: ghProxyTip, + }) + ); } module.exports = { diff --git a/actions/setup/md/firewall_blocked_domains.md b/actions/setup/md/firewall_blocked_domains.md index 473ecca907b..2532db09488 100644 --- a/actions/setup/md/firewall_blocked_domains.md +++ b/actions/setup/md/firewall_blocked_domains.md @@ -1,5 +1,3 @@ - - > [!WARNING] > **⚠️ Firewall blocked {domain_count} {domain_word}** > From 4e3a6c9a787d958aa80bb8f13c3d55d1d7cab664 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 24 Apr 2026 15:27:51 +0000 Subject: [PATCH 4/5] refactor: move gh-proxy tip text into template using {{#if}} conditional Agent-Logs-Url: https://github.com/github/gh-aw/sessions/211e7bfd-9bea-49c0-bc8e-66c11a68d91a Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- actions/setup/js/firewall_blocked_domains.cjs | 38 +++++++------------ actions/setup/md/firewall_blocked_domains.md | 14 ++++++- 2 files changed, 27 insertions(+), 25 deletions(-) diff --git a/actions/setup/js/firewall_blocked_domains.cjs b/actions/setup/js/firewall_blocked_domains.cjs index cfcc60d1bdb..3da4cbcc97a 100644 --- a/actions/setup/js/firewall_blocked_domains.cjs +++ b/actions/setup/js/firewall_blocked_domains.cjs @@ -12,6 +12,7 @@ const fs = require("fs"); const path = require("path"); const { sanitizeDomainName } = require("./sanitize_content_core.cjs"); const { renderTemplateFromFile } = require("./messages_core.cjs"); +const { renderMarkdownTemplate } = require("./render_template.cjs"); /** * Parses a single firewall log line @@ -204,20 +205,7 @@ function generateBlockedDomainsSection(blockedDomains, templatePath) { // Build YAML network.allowed list lines const yamlNetworkList = blockedDomains.map(domain => `> - "${domain}"\n`).join(""); - // Build optional gh-proxy tip if api.github.com is blocked const hasGitHubApiBlocked = blockedDomains.includes("api.github.com"); - const ghProxyTip = hasGitHubApiBlocked - ? `> **💡 Tip:** \`api.github.com\` is blocked because GitHub API access uses the built-in GitHub tools by default. Instead of adding \`api.github.com\` to \`network.allowed\`, use \`tools.github.mode: gh-proxy\` for direct pre-authenticated GitHub CLI access without requiring network access to \`api.github.com\`:\n` + - `>\n` + - `> \`\`\`yaml\n` + - `> tools:\n` + - `> github:\n` + - `> mode: gh-proxy\n` + - `> \`\`\`\n` + - `>\n` + - `> See [GitHub Tools](https://github.github.com/gh-aw/reference/github-tools/) for more information on \`gh-proxy\` mode.\n` + - `>\n` - : ""; // Resolve template path: explicit > RUNNER_TEMP (production) > source tree (local dev/test) let resolvedTemplatePath = templatePath; @@ -225,18 +213,20 @@ function generateBlockedDomainsSection(blockedDomains, templatePath) { resolvedTemplatePath = process.env.RUNNER_TEMP ? `${process.env.RUNNER_TEMP}/gh-aw/prompts/firewall_blocked_domains.md` : path.join(__dirname, "../md/firewall_blocked_domains.md"); } + // First pass: substitute {key} placeholders; has_github_api_blocked becomes "true"/"false" + // so renderMarkdownTemplate can evaluate the {{#if {has_github_api_blocked}}} conditional. + const rendered = renderTemplateFromFile(resolvedTemplatePath, { + domain_count: domainCount, + domain_word: domainWord, + verb, + domain_list: domainList, + yaml_network_list: yamlNetworkList, + has_github_api_blocked: hasGitHubApiBlocked ? "true" : "false", + }); + + // Second pass: evaluate {{#if ...}} conditional blocks (e.g. the gh-proxy tip section) // Template starts without leading newlines; prepend separator expected by callers - return ( - "\n\n" + - renderTemplateFromFile(resolvedTemplatePath, { - domain_count: domainCount, - domain_word: domainWord, - verb, - domain_list: domainList, - yaml_network_list: yamlNetworkList, - gh_proxy_tip: ghProxyTip, - }) - ); + return "\n\n" + renderMarkdownTemplate(rendered); } module.exports = { diff --git a/actions/setup/md/firewall_blocked_domains.md b/actions/setup/md/firewall_blocked_domains.md index 2532db09488..cd47bc3548c 100644 --- a/actions/setup/md/firewall_blocked_domains.md +++ b/actions/setup/md/firewall_blocked_domains.md @@ -4,7 +4,19 @@ > The following {domain_word} {verb} blocked by the firewall during workflow execution: > {domain_list}> -{gh_proxy_tip}> To allow these domains, add them to the `network.allowed` list in your workflow frontmatter: +{{#if {has_github_api_blocked}}} +> **💡 Tip:** `api.github.com` is blocked because GitHub API access uses the built-in GitHub tools by default. Instead of adding `api.github.com` to `network.allowed`, use `tools.github.mode: gh-proxy` for direct pre-authenticated GitHub CLI access without requiring network access to `api.github.com`: +> +> ```yaml +> tools: +> github: +> mode: gh-proxy +> ``` +> +> See [GitHub Tools](https://github.github.com/gh-aw/reference/github-tools/) for more information on `gh-proxy` mode. +> +{{/if}} +> To allow these domains, add them to the `network.allowed` list in your workflow frontmatter: > > ```yaml > network: From d791debb1f3159beec5016b81ac623fb0597641d Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 24 Apr 2026 15:29:15 +0000 Subject: [PATCH 5/5] docs: clarify isTruthy string evaluation in comment Agent-Logs-Url: https://github.com/github/gh-aw/sessions/211e7bfd-9bea-49c0-bc8e-66c11a68d91a Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- actions/setup/js/firewall_blocked_domains.cjs | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/actions/setup/js/firewall_blocked_domains.cjs b/actions/setup/js/firewall_blocked_domains.cjs index 3da4cbcc97a..d9cd4150422 100644 --- a/actions/setup/js/firewall_blocked_domains.cjs +++ b/actions/setup/js/firewall_blocked_domains.cjs @@ -213,8 +213,11 @@ function generateBlockedDomainsSection(blockedDomains, templatePath) { resolvedTemplatePath = process.env.RUNNER_TEMP ? `${process.env.RUNNER_TEMP}/gh-aw/prompts/firewall_blocked_domains.md` : path.join(__dirname, "../md/firewall_blocked_domains.md"); } - // First pass: substitute {key} placeholders; has_github_api_blocked becomes "true"/"false" - // so renderMarkdownTemplate can evaluate the {{#if {has_github_api_blocked}}} conditional. + // First pass: substitute {key} placeholders. + // has_github_api_blocked is set to the string "true" or "false" so that + // renderMarkdownTemplate's isTruthy() correctly evaluates the + // {{#if {has_github_api_blocked}}} conditional in the template + // (isTruthy("false") === false per the template engine's explicit check). const rendered = renderTemplateFromFile(resolvedTemplatePath, { domain_count: domainCount, domain_word: domainWord,