Resolve context propagation and environment-mutation lint findings in CLI/workflow paths (#39007)

Author: Copilot

pkg/cli/add_interactive_orchestrator.go

@@ -12,6 +12,7 @@ import (
 	"github.com/github/gh-aw/pkg/constants"
 	"github.com/github/gh-aw/pkg/logger"
 	"github.com/github/gh-aw/pkg/styles"
+	"github.com/github/gh-aw/pkg/workflow"
 )
 
 var addInteractiveLog = logger.New("cli:add_interactive")
@@ -76,7 +77,7 @@ func RunAddInteractive(ctx context.Context, config *AddInteractiveConfig) error
 		detectedHost := getHostFromOriginRemote()
 		if detectedHost != "github.com" {
 			addInteractiveLog.Printf("Auto-detected GHES host from git remote: %s", detectedHost)
-			os.Setenv("GH_HOST", detectedHost)
+			workflow.SetDefaultGHHost(detectedHost)
 			if config.Verbose {
 				fmt.Fprintln(os.Stderr, console.FormatInfoMessage("Auto-detected GitHub Enterprise host: "+detectedHost))
 			}

pkg/cli/engine_secrets.go

@@ -325,8 +325,6 @@ func promptForCopilotPATUnified(req SecretRequirement, config EngineSecretConfig
 		return fmt.Errorf("failed to get Copilot token: %w", err)
 	}
 
-	// Store in environment for later use
-	_ = os.Setenv(req.Name, token)
 	fmt.Fprintln(os.Stderr, console.FormatSuccessMessage("Valid fine-grained Copilot token received"))
 
 	// Upload to repository if we have a repo slug
@@ -373,8 +371,6 @@ func promptForSystemTokenUnified(req SecretRequirement, config EngineSecretConfi
 		return fmt.Errorf("failed to get %s token: %w", req.Name, err)
 	}
 
-	// Store in environment for later use
-	_ = os.Setenv(req.Name, token)
 	fmt.Fprintln(os.Stderr, console.FormatSuccessMessage(req.Name+" token received"))
 
 	// Upload to repository if we have a repo slug
@@ -426,8 +422,6 @@ func promptForGenericAPIKeyUnified(req SecretRequirement, config EngineSecretCon
 		return fmt.Errorf("failed to get %s API key: %w", label, err)
 	}
 
-	// Store in environment for later use
-	_ = os.Setenv(req.Name, apiKey)
 	fmt.Fprintln(os.Stderr, console.FormatSuccessMessage(label+" API key received"))
 
 	// Upload to repository if we have a repo slug

pkg/cli/mcp_inspect_mcp.go

@@ -147,12 +147,12 @@ func connectStdioMCPServer(ctx context.Context, config parser.RegistryMCPServerC
 	if config.Container != "" {
 		// Docker container mode
 		args := append([]string{"run", "--rm", "-i"}, config.Args...)
-		cmd = exec.Command("docker", args...)
+		cmd = exec.CommandContext(ctx, "docker", args...)
 	} else {
 		// Direct command mode
 		// #nosec G204 -- config.Command is validated via exec.LookPath above (line 138);
 		// exec.Command with separate args (not shell execution) prevents shell injection.
-		cmd = exec.Command(config.Command, config.Args...)
+		cmd = exec.CommandContext(ctx, config.Command, config.Args...)
 	}
 
 	// Set environment variables

pkg/cli/run_push.go

@@ -372,7 +372,7 @@ func collectImports(workflowPath string, files map[string]bool, visited map[stri
 // pushWorkflowFiles commits and pushes the workflow files to the repository
 func pushWorkflowFiles(ctx context.Context, workflowName string, files []string, refOverride string, verbose bool) error {
 	if ctx == nil {
-		ctx = context.Background()
+		return errors.New("context is required")
 	}
 	runPushLog.Printf("Pushing %d files for workflow: %s", len(files), workflowName)
 	runPushLog.Printf("Files to push: %v", files)

pkg/cli/run_workflow_execution.go

@@ -571,7 +571,14 @@ func RunWorkflowsOnGitHub(ctx context.Context, workflowNames []string, opts RunO
 
 			// Add a small delay between workflows to avoid overwhelming GitHub API
 			if i < len(workflowNames)-1 {
-				time.Sleep(betweenWorkflowsDelay)
+				timer := time.NewTimer(betweenWorkflowsDelay)
+				select {
+				case <-ctx.Done():
+					timer.Stop()
+					fmt.Fprintln(os.Stderr, console.FormatWarningMessage("Operation cancelled"))
+					return ctx.Err()
+				case <-timer.C:
+				}
 			}
 		}
 

pkg/workflow/github_cli.go

@@ -9,28 +9,45 @@ import (
 	"os"
 	"os/exec"
 	"strings"
+	"sync"
 
 	"github.com/github/gh-aw/pkg/console"
 	"github.com/github/gh-aw/pkg/logger"
 	"github.com/github/gh-aw/pkg/tty"
 )
 
 var githubCLILog = logger.New("workflow:github_cli")
+var defaultGHHost struct {
+	mu   sync.RWMutex
+	host string
+}
+
+// SetDefaultGHHost sets the default host used by gh CLI helper commands when GH_HOST
+// is not set in the process environment.
+func SetDefaultGHHost(host string) {
+	defaultGHHost.mu.Lock()
+	defer defaultGHHost.mu.Unlock()
+	defaultGHHost.host = host
+}
+
+func getDefaultGHHost() string {
+	defaultGHHost.mu.RLock()
+	defer defaultGHHost.mu.RUnlock()
+	return defaultGHHost.host
+}
 
 // setupGHCommand creates an exec.Cmd for gh CLI with proper token configuration.
 // This is the core implementation shared by ExecGH and ExecGHContext.
-// When ctx is nil, it uses exec.Command; when ctx is provided, it uses exec.CommandContext.
+// When ctx is nil, it falls back to context.TODO().
 func setupGHCommand(ctx context.Context, args ...string) *exec.Cmd {
 	// Check if GH_TOKEN or GITHUB_TOKEN is available
 	ghToken := os.Getenv("GH_TOKEN")
 	githubToken := os.Getenv("GITHUB_TOKEN")
 
-	var cmd *exec.Cmd
-	if ctx != nil {
-		cmd = exec.CommandContext(ctx, "gh", args...)
-	} else {
-		cmd = exec.Command("gh", args...)
+	if ctx == nil {
+		ctx = context.TODO()
 	}
+	cmd := exec.CommandContext(ctx, "gh", args...)
 
 	if ghToken != "" || githubToken != "" {
 		githubCLILog.Printf("Token detected, using gh CLI for command: gh %v", args)
@@ -44,6 +61,9 @@ func setupGHCommand(ctx context.Context, args ...string) *exec.Cmd {
 		githubCLILog.Printf("GH_TOKEN not set, using GITHUB_TOKEN for gh CLI")
 		cmd.Env = append(os.Environ(), "GH_TOKEN="+githubToken)
 	}
+	if os.Getenv("GH_HOST") == "" {
+		SetGHHostEnv(cmd, getDefaultGHHost())
+	}
 
 	return cmd
 }

pkg/workflow/github_cli_test.go

@@ -473,3 +473,36 @@ func TestSetGHHostEnv(t *testing.T) {
 		})
 	}
 }
+
+func TestSetupGHCommandUsesDefaultGHHost(t *testing.T) {
+	originalDefaultHost := getDefaultGHHost()
+	defer SetDefaultGHHost(originalDefaultHost)
+
+	t.Run("applies default host when GH_HOST is not set", func(t *testing.T) {
+		originalHost, hadOriginalHost := os.LookupEnv("GH_HOST")
+		require.NoError(t, os.Unsetenv("GH_HOST"))
+		t.Cleanup(func() {
+			if hadOriginalHost {
+				require.NoError(t, os.Setenv("GH_HOST", originalHost))
+				return
+			}
+			require.NoError(t, os.Unsetenv("GH_HOST"))
+		})
+		SetDefaultGHHost("myorg.ghe.com")
+
+		cmd := setupGHCommand(context.Background(), "auth", "status")
+		require.NotNil(t, cmd.Env)
+		assert.Contains(t, cmd.Env, "GH_HOST=myorg.ghe.com")
+	})
+
+	t.Run("does not apply default host when GH_HOST is already set", func(t *testing.T) {
+		t.Setenv("GH_HOST", "explicit.ghe.com")
+		SetDefaultGHHost("myorg.ghe.com")
+
+		cmd := setupGHCommand(context.Background(), "auth", "status")
+		if cmd.Env == nil {
+			return
+		}
+		assert.NotContains(t, cmd.Env, "GH_HOST=myorg.ghe.com")
+	})
+}