Escape OTLP endpoints JSON before YAML single-quote wrapping#30527

Merged
pelikhan merged 2 commits into
mainfrom
copilot/fix-code-scanning-alert-582
May 6, 2026

Conversation

Copilot AI commented May 6, 2026

This addresses a CodeQL go/unsafe-quoting alert in OTLP env var generation. The issue was unsafe embedding of JSON into a YAML single-quoted scalar, which could break YAML structure when values contained '.

  • What changed
    • In pkg/workflow/observability_otlp.go, escaped single quotes in the GH_AW_OTLP_ENDPOINTS payload before injecting it into YAML:
      • strings.ReplaceAll(encoded, "'", "''")
    • Preserved the existing env var format and behavior; only hardened quoting at the injection boundary.
  • Regression coverage
    • Added a focused test in pkg/workflow/observability_otlp_test.go for a multi-endpoint OTLP config with header values containing apostrophes.
    • Asserts that the generated GH_AW_OTLP_ENDPOINTS YAML value contains doubled single quotes.
  • Why this resolves the alert
    • YAML single-quoted scalars require an internal ' to be escaped as ''; otherwise embedded content can terminate the string early.

```go
// pkg/workflow/observability_otlp.go after the fix: double every ' in the JSON
// payload so it survives being wrapped in a YAML single-quoted scalar.
if encoded := encodeOTLPEndpoints(entries); encoded != "" {
    escapedEncoded := strings.ReplaceAll(encoded, "'", "''")
    otlpEnvLines += "\n  GH_AW_OTLP_ENDPOINTS: '" + escapedEncoded + "'"
}
```

Warning

Firewall rules blocked me from connecting to one or more addresses.

I tried to connect to the following addresses, but was blocked by firewall rules (the triggering commands below are the gh CLI and Go test invocations as recorded, with unrelated process memory that had been appended to each entry removed):

  • https://api.github.com/graphql
    • Triggering command: gh repo view --json owner,name --jq .owner.login + "/" + .name (http block)
    • Triggering command: gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • https://api.github.com/orgs/test-owner/actions/secrets
    • Triggering command: gh api /orgs/test-owner/actions/secrets --jq .secrets[].name (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
    • Triggering command: gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v3
    • Triggering command: gh api /repos/actions/checkout/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v5
    • Triggering command: gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: gh api /repos/actions/github-script/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v9
    • Triggering command: gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v9.0.0
    • Triggering command: gh api /repos/actions/github-script/git/ref/tags/v9.0.0 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: gh api /repos/actions/setup-go/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
    • Triggering command: gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
    • Triggering command: gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/aws-actions/configure-aws-credentials/git/ref/tags/v4
    • Triggering command: gh api /repos/aws-actions/configure-aws-credentials/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/azure/login/git/ref/tags/v2
    • Triggering command: gh api /repos/azure/login/git/ref/tags/v2 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/docker/login-action/git/ref/tags/v3
    • Triggering command: gh api /repos/docker/login-action/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
    • Triggering command: gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
    • Triggering command: gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
    • Triggering command: gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs
    • Triggering command: gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --limit 100 --created >=2026-04-29 (http block)
    • Triggering command: gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --limit 100 --created >=2026-04-06 (http block)
    • Triggering command: gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --limit 100 --created >=2026-02-05 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
    • Triggering command: gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name (http block)
    • Triggering command: gh run download 1 --dir test-logs/run-1 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
    • Triggering command: gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name (http block)
    • Triggering command: gh run download 12345 --dir test-logs/run-12345 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/1234567890
    • Triggering command: gh api repos/{owner}/{repo}/actions/runs/1234567890 --jq {databaseId: .id, number: .run_number, url: .html_url, status: .status, conclusion: .conclusion, workflowName: .name, workflowPath: .path, createdAt: .created_at, startedAt: .run_started_at, updatedAt: .updated_at, event: .event, headBranch: .head_branch, … (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
    • Triggering command: gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name (http block)
    • Triggering command: gh run download 12346 --dir test-logs/run-12346 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
    • Triggering command: gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name (http block)
    • Triggering command: gh run download 2 --dir test-logs/run-2 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
    • Triggering command: gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name (http block)
    • Triggering command: gh run download 3 --dir test-logs/run-3 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
    • Triggering command: gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name (http block)
    • Triggering command: gh run download 4 --dir test-logs/run-4 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
    • Triggering command: gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name (http block)
    • Triggering command: gh run download 5 --dir test-logs/run-5 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/workflows
    • Triggering command: gh workflow list --json name,state,path (http block)
    • Triggering command: gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 (http block)
    • Triggering command: gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 (http block)
  • https://api.github.com/repos/github/gh-aw/contents/.github/workflows/shared/reporting.md
    • Triggering command: /tmp/go-build87361461/b404/cli.test -test.testlogfile=/tmp/go-build87361461/b404/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true (http block)
    • Triggering command: /tmp/go-build810024658/b404/cli.test -test.testlogfile=/tmp/go-build810024658/b404/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
    • Triggering command: gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
    • Triggering command: gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
    • Triggering command: gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
    • Triggering command: gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/google-github-actions/auth/git/ref/tags/v2
    • Triggering command: gh api /repos/google-github-actions/auth/git/ref/tags/v2 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
    • Triggering command: gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/nonexistent/repo/actions/runs/12345
    • Triggering command: gh run view 12345 --repo nonexistent/repo --json status,conclusion (http block)
  • https://api.github.com/repos/owner/repo/actions/workflows
    • Triggering command: gh workflow list --json name,state,path --repo owner/repo (http block)
    • Triggering command: gh workflow list --repo owner/repo --json name,path,state (http block)
  • https://api.github.com/repos/test-owner/test-repo/actions/secrets
    • Triggering command: gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name (http block)
  • https://api.github.com/repos/test/repo
    • Triggering command: gh api /repos/test/repo --jq .default_branch (http block)

If you need me to access, download, or install something from one of these locations, you can either:
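The comment above explains the fix in one line. The following is an added example, not code from this PR or from the gh-aw project, that shows the same quoting rule end to end: it renders the GH_AW_OTLP_ENDPOINTS line both the way the flagged code did and the way the patch does, then re-parses the YAML single-quoted scalar to show that an unescaped apostrophe in a header value terminates the scalar early and truncates the JSON, while the doubled quote survives the round trip. The otlpEndpoint type, the function names and the sample endpoint with its "Bearer it's-a-token" header are all assumptions constructed for this example; the project's real types and encodeOTLPEndpoints are not reproduced.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// otlpEndpoint is an assumed stand-in for one OTLP endpoint entry; the real
// field names in pkg/workflow/observability_otlp.go are not reproduced here.
type otlpEndpoint struct {
	URL     string            `json:"url"`
	Headers map[string]string `json:"headers,omitempty"`
}

// yamlSingleQuote wraps s in a YAML single-quoted scalar. That style has
// exactly one escape, a doubled quote ('' -> '), and no backslash escapes,
// so doubling every ' is the complete fix and JSON's \" and \n pass through.
func yamlSingleQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", "''") + "'"
}

// unsafeSingleQuote is the pattern the CodeQL alert flagged: the value is
// wrapped without escaping, so the first embedded ' closes the scalar early.
func unsafeSingleQuote(s string) string {
	return "'" + s + "'"
}

// parseSingleQuoted decodes one YAML single-quoted scalar at the start of
// text and returns the value plus whatever follows the closing quote.
// Non-empty trailing text means the scalar terminated before the end of the
// value, which is exactly the breakage the patch prevents.
func parseSingleQuoted(text string) (value, trailing string, err error) {
	if !strings.HasPrefix(text, "'") {
		return "", "", errors.New("not a single-quoted scalar")
	}
	var b strings.Builder
	for i := 1; i < len(text); i++ {
		if text[i] != '\'' {
			b.WriteByte(text[i])
			continue
		}
		if i+1 < len(text) && text[i+1] == '\'' { // escaped quote
			b.WriteByte('\'')
			i++
			continue
		}
		return b.String(), text[i+1:], nil // lone quote closes the scalar
	}
	return "", "", errors.New("unterminated single-quoted scalar")
}

// renderEnvLine builds the GH_AW_OTLP_ENDPOINTS env line the way the patched
// code does (escape=true) or the way the flagged code did (escape=false), then
// re-parses the scalar so the caller can see whether the JSON survived intact.
func renderEnvLine(entries []otlpEndpoint, escape bool) (line, decoded, trailing string, err error) {
	encoded, err := json.Marshal(entries) // never emits raw newlines, but leaves ' untouched
	if err != nil {
		return "", "", "", err
	}
	quoted := unsafeSingleQuote(string(encoded))
	if escape {
		quoted = yamlSingleQuote(string(encoded))
	}
	decoded, trailing, err = parseSingleQuoted(quoted)
	return "  GH_AW_OTLP_ENDPOINTS: " + quoted, decoded, trailing, err
}

// roundTrips reports whether the decoded scalar is still the original JSON.
func roundTrips(entries []otlpEndpoint, decoded string) bool {
	var back []otlpEndpoint
	if err := json.Unmarshal([]byte(decoded), &back); err != nil {
		return false
	}
	want, _ := json.Marshal(entries)
	got, _ := json.Marshal(back)
	return string(want) == string(got)
}

func main() {
	// Constructed sample: a header value containing an apostrophe, the case
	// the PR's regression test covers.
	entries := []otlpEndpoint{{
		URL:     "https://otlp.example.invalid/v1/traces",
		Headers: map[string]string{"Authorization": "Bearer it's-a-token"},
	}}
	for _, escape := range []bool{false, true} {
		line, decoded, trailing, err := renderEnvLine(entries, escape)
		fmt.Printf("escape=%v\n%s\n", escape, line)
		fmt.Printf("  parse error: %v\n  trailing after scalar: %q\n  JSON intact: %v\n\n",
			err, trailing, roundTrips(entries, decoded))
	}
}
```

Two points worth keeping in mind when reviewing a fix like this. First, the doubled quote is sufficient only because the wrapper is the single-quoted style, which has no other escape sequence; if the generator ever switches to double-quoted YAML, the JSON's own backslashes and double quotes would need escaping as well. Second, encoding/json never emits raw control characters, so the apostrophe is the only byte in a marshalled payload that can interact with this style of quoting; that is why the one ReplaceAll closes the alert rather than a broader sanitiser.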


github-actions Bot commented May 6, 2026

Hey @Copilot 👋 — thanks for picking up code scanning alert #582! The intent here (fixing a security alert) is perfectly aligned with the project's goals. This is currently a WIP draft with no code changes yet, so here are the things to address before it's ready for review:

  • Add the actual fix — the diff is currently empty (0 changed files). The alert fix needs to be implemented before this PR can be evaluated or merged.
  • Update the PR description — once the fix is in, replace the WIP placeholder body with a concrete summary of what the alert was, what the root cause was, and how the change addresses it (or declare it a false positive with reasoning).
  • Add tests — if the fix involves logic changes, include a test that covers the patched code path to prevent regressions.

If you would like a hand, you can assign this prompt to your coding agent:

Fix code scanning alert #582 in the github/gh-aw repository.
1. Use the GitHub MCP server to retrieve the details of code scanning alert #582.
2. Implement the minimum code change required to resolve the alert.
3. If the alert is a false positive, do NOT change the code — instead document the reasoning in the PR body.
4. Add or update a test that covers the affected code path.
5. Update the PR body with: (a) a description of the alert, (b) the root cause, (c) how the fix addresses it, or a false-positive declaration.

Generated by Contribution Check

Copilot AI changed the title [WIP] Fix code scanning alert #582 Escape OTLP endpoints JSON before YAML single-quote wrapping May 6, 2026
Copilot AI requested a review from pelikhan May 6, 2026 06:01
@github-actions github-actions Bot mentioned this pull request May 6, 2026
@pelikhan pelikhan marked this pull request as ready for review May 6, 2026 11:12
Copilot AI review requested due to automatic review settings May 6, 2026 11:12
@pelikhan pelikhan merged commit 3a4ff3d into main May 6, 2026
@pelikhan pelikhan deleted the copilot/fix-code-scanning-alert-582 branch May 6, 2026 11:13
Copilot AI left a comment

Pull request overview

This PR hardens OTLP env-var YAML generation by escaping single quotes inside the JSON payload injected into a YAML single-quoted scalar, addressing the CodeQL go/unsafe-quoting alert.

Changes:

  • Escapes ' as '' when embedding the JSON-encoded GH_AW_OTLP_ENDPOINTS value into YAML.
  • Adds a regression test ensuring headers containing apostrophes are correctly escaped in the generated YAML env block.
Summary per file:

  • pkg/workflow/observability_otlp.go: Escapes single quotes in the JSON payload before wrapping it in a YAML single-quoted scalar for GH_AW_OTLP_ENDPOINTS.
  • pkg/workflow/observability_otlp_test.go: Adds a test case validating YAML-safe escaping for apostrophes inside the injected GH_AW_OTLP_ENDPOINTS value.

Copilot's findings

  • Files reviewed: 2/2 changed files
  • Comments generated: 0
