fix: compiler validates dangerous shell expansion in safe-outputs.steps; fix copilot-pr-nlp-analysis prompt

[Copilot]

The safe-outputs security harness blocks shell expansion patterns at runtime (${var@op}, ${!var}, $(...), backticks), but previously gave no signal at compile time — leading to confusing runtime failures. Additionally, the Copilot PR NLP Analysis workflow prompt was generating $(...) command substitution when handling chart upload URLs, directly triggering the runtime block.

Changes

Compiler validation (new)

• New validator validateSafeOutputsStepsShellExpansion scans every run: script in safe-outputs.steps[] for the four blocked patterns:

  • ${var@operator} — parameter transformation
  • ${!var} — indirect expansion
  • $(...) — command substitution (arithmetic $(( excluded)
  • `...` — backtick command substitution

  Simple $VAR, ${VAR}, and ${{ }} GitHub Actions expressions are allowed.

• Registered in compiler_validators.go after validateSafeOutputsMax.

• Severity: warning in non-strict mode (compilation continues) and hard error in strict mode.

• 18 tests covering all pattern categories, safe pass-through cases, and edge cases (arithmetic expansion $(( allowed, GitHub Actions expressions, non-map steps).

• Error message accurately describes only the blocked constructs ("Avoid command substitution, backticks, indirect expansion, and parameter transformation") rather than implying all variable expansion is forbidden.

Root cause fix — copilot-pr-nlp-analysis.md

The SENT_DIST_URL variable was generated by the agent because:

1. Phase 5 said "Collect returned URLs for embedding in the discussion" — the agent used SENT_DIST_URL="$(upload_asset ...)" command substitution to capture each URL.
2. Phase 6 used URL_FROM_UPLOAD_ASSET_* placeholders that the agent replaced by expanding those shell variables in a bash command passed to the safe-output step.

Fix: Phase 5 now explicitly instructs the agent to write each URL to a plain file (/tmp/gh-aw/agent/url-<name>.txt) immediately after the MCP tool returns, and explicitly warns against $(...) command substitution. Phase 6 now uses a Python script to read the URL files directly via open() — eliminating the previous contradiction where Phase 5 forbade $(...) but Phase 6 used $(cat ...) shell command substitution. Python builds the fully-substituted discussion body and writes it to a file before passing it to create_discussion.

[pelikhan]

@copilot review what generated SENT_DIST_URL

[pelikhan]

@copilot

• downgrade to warning in non-strict mode
• compile and fix any issue in .github/workflows/ in this repo

[Copilot]

@copilot review what generated SENT_DIST_URL

SENT_DIST_URL was generated by the agent as a way to bridge two phases of the workflow:

1. Phase 5 said "Collect returned URLs for embedding in the discussion" — the agent interpreted "collect" as "store in a shell variable", using command substitution: SENT_DIST_URL="$(upload_asset sentiment_distribution.png)"

2. Phase 6 had URL_FROM_UPLOAD_ASSET_sentiment_distribution as a placeholder in the content template — the agent tried to replace these placeholders by expanding the shell variables it had just stored.

The $(...) command substitution is what the safe-outputs security harness blocked.

Fixed in d1fea34:

• Phase 5 now explicitly tells the agent to write each URL to a plain file in /tmp/gh-aw/agent/url-<name>.txt immediately after the MCP tool returns the URL — and explicitly says do NOT use $(...) to capture the URL
• Phase 6 reads the URL files via $(cat ...) in the agent's regular bash turn (allowed), then uses Python to write the fully-substituted body to a file with literal URL strings — no shell expansion in safe-outputs

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw IG5zd7jh0Luq (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw gd/_O5l9t_ri5Uhv-C (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv nlp-analysis^{co-f (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv nlp-analysis^{commit} (http block)
• https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv (http block)
• https://api.github.com/repos/github/gh-aw
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .default_branch (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[github-actions]

✅ smoke-ci: safeoutputs CLI comment + comment-memory run (25114931067)

Generated by Smoke CI for issue #29123 · ◷

[github-actions]

Comment Memory

CI lights the path
Green checks bloom at dawn
Quiet bots still sing

Note

This comment is managed by comment memory.

It stores persistent context for this thread in the code block at the top of this comment.
Edit only the text inside the backtick fences; workflow metadata and the footer are regenerated automatically.

Learn more about comment memory

Generated by Smoke CI for issue #29123 · ◷

[github-actions]

🧪 Test Quality Sentinel Report

Test Quality Score: 97/100

✅ Excellent test quality

Metric	Value
New/modified tests analyzed	20 (3 test functions, 20 subtests/table rows)
✅ Design tests (behavioral contracts)	20 (100%)
⚠️ Implementation tests (low value)	0 (0%)
Tests with error/edge cases	20 (100%)
Duplicate test clusters	0
Test inflation detected	No (ratio: 1.06:1)
🚨 Coding-guideline violations	None

---

Test Classification Details

View All Test Classifications (20 tests)

Test	File	Classification	Notes
TestValidateSafeOutputsStepsShellExpansion/nil_config_passes	safe_outputs_steps_shell_expansion_validation_test.go:13	✅ Design	Edge case: nil input guard
TestValidateSafeOutputsStepsShellExpansion/empty_steps_passes	line 18	✅ Design	Edge case: empty config
TestValidateSafeOutputsStepsShellExpansion/step_without_run_passes	line 24	✅ Design	Edge case: non-run step
TestValidateSafeOutputsStepsShellExpansion/simple_run_script	line 35	✅ Design	Happy path: safe script
TestValidateSafeOutputsStepsShellExpansion/simple_variable_reference	line 48	✅ Design	Happy path: $VAR
TestValidateSafeOutputsStepsShellExpansion/braced_variable_reference	line 61	✅ Design	Happy path: ${VAR}
TestValidateSafeOutputsStepsShellExpansion/GitHub_Actions_expression	line 74	✅ Design	Happy path: ${{ }} passthrough
TestValidateSafeOutputsStepsShellExpansion/non-map_step_entry	line 90	✅ Design	Edge case: malformed step
TestValidateSafeOutputsStepsShellExpansion_DangerousPatterns/command_substitution_$(...)	line 100	✅ Design	Error path: $() rejected
TestValidateSafeOutputsStepsShellExpansion_DangerousPatterns/command_substitution_with_space	line 105	✅ Design	Error path: multi-line script
TestValidateSafeOutputsStepsShellExpansion_DangerousPatterns/nested_command_substitution	line 110	✅ Design	Error path: quoted substitution
TestValidateSafeOutputsStepsShellExpansion_DangerousPatterns/backtick_command_substitution	line 115	✅ Design	Error path: backtick form
TestValidateSafeOutputsStepsShellExpansion_DangerousPatterns/parameter_transformation_@P``	line 120	✅ Design	Error path: @P transformation
TestValidateSafeOutputsStepsShellExpansion_DangerousPatterns/parameter_transformation_@U``	line 125	✅ Design	Error path: @U transformation
TestValidateSafeOutputsStepsShellExpansion_DangerousPatterns/indirect_expansion_${!var}	line 130	✅ Design	Error path: indirect expansion
TestValidateSafeOutputsStepsShellExpansion_DangerousPatterns/indirect_expansion_in_assignment	line 135	✅ Design	Error path: indirect in assignment
TestValidateRunScriptForShellExpansion/empty_script_passes	line 155	✅ Design	Edge case: empty string
TestValidateRunScriptForShellExpansion/error_includes_step_index	line 160	✅ Design	Behavioral: error message format
TestValidateRunScriptForShellExpansion/error_includes_offending_snippet	line 167	✅ Design	Behavioral: error includes context
TestValidateRunScriptForShellExpansion/error_includes_remediation_guidance	line 175	✅ Design	Behavioral: error includes guidance

---

Flagged Tests — Requires Review

No tests flagged. One minor observation (non-blocking):

i️ TestValidateRunScriptForShellExpansion/error_includes_remediation_guidance

Classification: Design test (kept as-is)
Observation: The assertion checks for the literal path /tmp/gh-aw/agent/ in the error message. This is a valid behavioral contract check (remediation guidance is provided), but it ties the test to a specific path string. If the remediation text changes, this test will break — consider using a more general string like "write" or "/tmp/gh-aw" to make it less brittle. Not a blocking issue.

---

Language Support

Tests analyzed:

• 🟨 JavaScript (*.test.cjs, *.test.js): 0 tests

---

Verdict

✅ Check passed. 0% of new tests are implementation tests (threshold: 30%). Tests are well-structured with full coverage of both happy paths and all dangerous-pattern error cases. Build tag is present and correct. No mock library usage. Assertion messages are consistently provided.

---

📖 Understanding Test Classifications

Design Tests (High Value) verify what the system does:

• Assert on observable outputs, return values, or state changes
• Cover error paths and boundary conditions
• Would catch a behavioral regression if deleted
• Remain valid even after internal refactoring

Implementation Tests (Low Value) verify how the system does it:

• Assert on internal function calls (mocking internals)
• Only test the happy path with typical inputs
• Break during legitimate refactoring even when behavior is correct
• Give false assurance: they pass even when the system is wrong

Goal: Shift toward tests that describe the system's behavioral contract — the promises it makes to its users and collaborators.

References: §25114923874

🧪 Test quality analysis by Test Quality Sentinel · ● 475.3K · ◷

[github-actions]

✅ Test Quality Sentinel: 97/100. Test quality is excellent — 0% of new tests are implementation tests (threshold: 30%). All 20 test scenarios cover behavioral contracts with full error-path coverage, correct build tag, no mock libraries, and no test inflation.

[Copilot]

Pull request overview

Adds compile-time validation to detect shell expansion patterns in safe-outputs.steps[].run that are blocked by the safe-outputs runtime harness, and updates the Copilot PR NLP Analysis workflow prompt to avoid triggering those runtime blocks when handling uploaded chart URLs.

Changes:

• Introduces validateSafeOutputsStepsShellExpansion / validateRunScriptForShellExpansion to scan safe-outputs.steps[].run for blocked bash constructs and emit compiler errors with actionable guidance.
• Registers the new validator in the compiler validation pipeline.
• Updates .github/workflows/copilot-pr-nlp-analysis.md to record uploaded chart URLs to files and later build the discussion body from those values.

Show a summary per file

File	Description
pkg/workflow/safe_outputs_steps_shell_expansion_validation.go	New compile-time validator and error messaging for blocked shell expansion patterns in safe-outputs.steps[].run.
pkg/workflow/safe_outputs_steps_shell_expansion_validation_test.go	Unit tests covering allowed vs blocked patterns and error message contents.
pkg/workflow/compiler_validators.go	Wires the new validator into the compiler validation sequence.
.github/workflows/copilot-pr-nlp-analysis.md	Prompt changes to avoid generating blocked shell expansion patterns when embedding upload URLs.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 4/4 changed files
• Comments generated: 4

[Copilot]

The inline comment claims that command substitution matches starting with "$({" or "$({{" should be ignored because of GitHub Actions "${{ }}" expressions, but the implementation only skips "$((" arithmetic expansion and does not (and probably should not) exempt "$({". Please update the comment (or implement the described exemption if it's truly required) so it matches the actual behavior and GitHub Actions expression syntax ("${{" not "$({{").

Suggested change

	// - "commandSubst" matches starting with "$({" or "$({{" that form "${{" are ignored
	// because "${{" is not a valid shell construct (GitHub Actions uses "${{ }}").
	// - GitHub Actions expressions use "${{ ... }}", not "$(...)", so they do not
	// match the "commandSubst" pattern.

[Copilot]

The remediation text says "Avoid shell variable expansion in safe-outputs run scripts", but this validator explicitly allows simple "$VAR" and "${VAR}" expansions (and tests cover those as allowed). This wording is misleading—please narrow it to the specific blocked constructs (command substitution/backticks/indirect expansion/parameter transformation) or describe the safe alternative without implying all variable expansion is forbidden.

Suggested change

	"Avoid shell variable expansion in safe-outputs run scripts. "+
	"Write URL values and other dynamic content to files in /tmp/gh-aw/agent/ "+
	"during the agent turn, then read the file contents in the safe-outputs step "+
	"without using shell expansion (e.g. with 'cat' or a script argument)",
	"Avoid command substitution, backticks, indirect expansion, and parameter "+
	"transformation in safe-outputs run scripts. Write URL values and other "+
	"dynamic content to files in /tmp/gh-aw/agent/ during the agent turn, then "+
	"read the file contents in the safe-outputs step (e.g. with 'cat' or by "+
	"passing a script argument)",

[Copilot]

The implementation intentionally skips arithmetic expansion "$((" (see validateRunScriptForShellExpansion), and the PR description mentions tests for this edge case, but there isn't currently a test asserting that "$((1+1))" (or similar) is allowed. Adding an explicit passing test would prevent regressions and keep the test suite aligned with the intended behavior.

[Copilot]

Phase 5 explicitly says not to store URLs in shell variables or use command substitution ($(...)), but Phase 6 immediately uses SENTIMENT_DIST_URL=$(cat ...) (both a shell variable and command substitution). If the intent is "don’t do this inside safe-outputs.steps run scripts" but it’s OK in the agent bash turn, please clarify the wording in Phase 5 (or adjust Phase 6 to avoid $()/shell vars by reading the files directly in Python) to remove the internal contradiction.

See below for a potential fix:

**Before constructing the body**, use Python to read the uploaded chart URLs directly from the files saved in `/tmp/gh-aw/agent/`. Do not use shell variables or command substitution here either; have Python read each file and treat missing files as empty strings.

Use a Python script to read:
- `/tmp/gh-aw/agent/url-sentiment-distribution.txt`
- `/tmp/gh-aw/agent/url-sentiment-timeline.txt`
- `/tmp/gh-aw/agent/url-topic-frequencies.txt`
- `/tmp/gh-aw/agent/url-topics-wordcloud.txt`
- `/tmp/gh-aw/agent/url-keyword-trends.txt`

Then write the fully-substituted discussion body to `/tmp/gh-aw/agent/discussion_body.md`, inserting the literal URL strings directly into the markdown body. After that, pass the body to the `create_discussion` safe-output tool.

Post a comprehensive discussion with the following structure:

**Title**: `Copilot PR Conversation NLP Analysis - [DATE]`

**Content Template** (substitute `[SENTIMENT_DIST_URL]`, `[SENTIMENT_TIME_URL]`, `[TOPIC_FREQ_URL]`, `[TOPICS_CLOUD_URL]`, and `[KEYWORD_TRENDS_URL]` with the literal URL strings read by Python from the files above):

[github-actions]

Commit pushed: aaefd9f

🏗️ ADR gate enforced by Design Decision Gate 🏗️

[github-actions]

@/tmp/gh-aw/agent/comment-body.md

🏗️ ADR gate enforced by Design Decision Gate 🏗️ · ● 190.7K · ◷

[Copilot]

@copilot

• downgrade to warning in non-strict mode
• compile and fix any issue in .github/workflows/ in this repo

Done in commit 83ddde4:

• Non-strict mode: validateSafeOutputsStepsShellExpansion failures now emit a ⚠ warning via formatCompilerMessage and increment the warning counter — compilation continues.
• Strict mode: still a hard error, as before.

Recompiled all 205 workflows with the updated binary — all compile cleanly with zero new shell expansion warnings.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw Z6/_O5l9t_ri5Uhv-C (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw k/gh-aw/gh-aw/pk-1 k/gh-aw/gh-aw/pkxterm-color k/gh-aw/gh-aw/pkg/workflow/actioconfig k/gh�� k/gh-aw/gh-aw/pkg/workflow/actioremote.origin.url k/gh-aw/gh-aw/pkg/workflow/action_reference.go r: $owner, name: $name) { hasDiscussionsEnabled } } k/gh-aw/gh-aw/pkgit k/gh-aw/gh-aw/pk-C k/gh-aw/gh-aw/pk/home/REDACTED/work/gh-aw/gh-aw/.github/workflows k/gh-aw/gh-aw/pkrev-parse (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv get :latest ock.yml core.hooksPath (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv ithub/workflows --local yml core.hooksPath (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv ithub/workflows --local cal/bin/bash core.hooksPath (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv --local user.name me: String!) { repository(owner: $owner, name:-f (http block)
• https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv (http block)
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv k/gh-aw/gh-aw/.github/workflows (http block)
• https://api.github.com/repos/github/gh-aw
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .default_branch edcfg credential.username r: $owner, name: $name) { hasDiscussionsEnabled } } (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .default_branch /home/REDACTED/worremote.origin.url rev-parse r: $owner, name: $name) { hasDiscussionsEnabled } } (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[pelikhan]

@copilot review all comments

[Copilot]

@copilot review all comments

Addressed all 4 review comments in commit 16b5df4:

1. Comment on shellExpansionPattern (lines 50-51): Fixed the inaccurate $({/$({{ exclusion comment — now correctly explains that ${{ }} uses { not ( so it never matches \$\( in the first place.

2. Misleading error message (lines 183-186): Replaced "Avoid shell variable expansion" (which wrongly implies $VAR/${VAR} are forbidden) with "Avoid command substitution, backticks, indirect expansion, and parameter transformation".

3. Missing arithmetic expansion test: Added "arithmetic expansion $(( )) passes" test to TestValidateRunScriptForShellExpansion — confirms $((1+1)) is allowed.

4. Phase 5/6 contradiction in copilot-pr-nlp-analysis.md: Phase 6 now uses Python to read the URL files directly (no SENTINEL_DIST_URL=$(cat ...) shell command substitution), consistent with Phase 5's guidance.