Merge branch 'main' into fix-org-page-stack

Author: mnkiefer

docs/adr/29257-expression-controlled-threat-detection-for-workflow-call.md

@@ -0,0 +1,85 @@
+# ADR-29257: Expression-Controlled Threat Detection for `workflow_call` Reuse
+
+**Date**: 2026-04-30
+**Status**: Draft
+**Deciders**: pelikhan
+
+---
+
+## Part 1 — Narrative (Human-Friendly)
+
+### Context
+
+The `safe-outputs.threat-detection` field previously accepted only compile-time boolean or object values. This made it impossible for reusable `workflow_call` workflows to expose threat detection on/off control to callers via `inputs` — every combination required a separate workflow file. The same limitation applied to the `enabled` and `continue-on-error` sub-fields of the object form. The codebase had already established a pattern of accepting GitHub Actions expression strings for other parameterizable fields (PR #29212 for list constraints; PR #29230 for `protected-files` and `patch-format`); this PR applies the same pattern to the threat detection subsystem. Unlike those prior cases, threat detection is compiled as a separate GitHub Actions job rather than a handler configuration value, so allowing runtime control requires changes to the `if:` conditions on the `detection` job and on all downstream jobs that depend on its result (`safe_outputs`, `safe_jobs`, `upload_assets`).
+
+### Decision
+
+We will allow `safe-outputs.threat-detection` to accept a GitHub Actions expression string (matching `${{...}}`), and will allow the `enabled` and `continue-on-error` sub-fields of the object form to accept `templatable_boolean` (bool literal or expression string). When an expression is detected at parse time, the compiler stores it in `EnabledExpr` / `ContinueOnErrorExpr` fields of `ThreatDetectionConfig` and always emits the `detection` job (never skips compilation). The detection job's `if:` condition is extended with the raw caller expression so GitHub Actions evaluates it at runtime and skips the job when the expression resolves to `false`. Because a skipped `detection` job would cause downstream jobs that depend on it with a strict success condition to also be skipped silently, the `safe_outputs`, `safe_jobs`, and `upload_assets` jobs switch to `always() && (success || skipped)` semantics (`buildDetectionPassedCondition`) whenever the detection configuration is expression-controlled.
+
+### Alternatives Considered
+
+#### Alternative 1: Separate Workflow Files per Detection Mode
+
+Callers could maintain distinct workflow copies for each threat detection configuration. This was the status quo before this PR. It was rejected for the same reason as in ADR-29230: the duplication does not scale, and every structural change to the base workflow must be propagated to all variants, which teams routinely fail to do.
+
+#### Alternative 2: Add a New Dedicated `threat-detection-expression` Field
+
+A separate field (e.g., `threat-detection-enabled-expression`) could accept only expression strings while the existing field remained bool-only. This avoids changing the type of `threat-detection` but doubles the surface area and requires callers to know which field to use in which context. It was rejected as unnecessarily complex given that the `${{...}}`-pattern detection approach is already established in the codebase and yields a single, self-describing field.
+
+#### Alternative 3: Relax Gate Conditions on All Downstream Jobs Unconditionally
+
+Instead of conditionally switching downstream jobs to `always() && (success || skipped)` only when detection is expression-controlled, the gate condition could be relaxed for all workflows regardless of detection configuration. This was not chosen because it would weaken the strict-mode guarantee for workflows with static detection configurations, where a failed detection job must still block `safe_outputs`.
+
+### Consequences
+
+#### Positive
+- A single reusable `workflow_call` workflow can expose threat detection as a caller-controlled input without duplication.
+- Literal boolean and object forms remain fully backward-compatible; existing workflows are unaffected.
+- The `detection` job is always compiled when an expression is provided, ensuring the compiled lock file is static regardless of which runtime value the expression resolves to.
+- The fail-closed default (`always()` + `success || skipped` on downstream jobs) ensures that a misconfigured expression cannot silently skip safe-output handling.
+
+#### Negative
+- Expression values are only validated at runtime. A typo in a `workflow_call` input default (e.g., `default: ${{ inputs.typo }}`) will not be caught until the workflow executes.
+- All three downstream job builders (`buildConsolidatedSafeOutputsJob`, `buildSafeJobs`, `buildUploadAssetsJob`) must independently check `IsConditionalDetection()` and apply the extended condition, adding three separate call sites to keep in sync.
+- The `continue-on-error` step emitter (`buildDetectionConclusionStep`) must distinguish between a literal-true, literal-false, and expression value, adding a third branch to a function that previously had two.
+
+#### Neutral
+- The `extractRawExpression` helper was added to strip `${{` / `}}` wrappers from expression strings before embedding them in the YAML `if:` expression tree; this is a small pure utility with no broader side effects.
+- The `IsConditionalDetection` package-level helper provides a single authoritative check that is reused across all three affected compiler functions.
+- The `templatable_boolean` JSON schema `$ref` was already defined in the schema for other fields; this PR reuses it for `enabled` and `continue-on-error` without introducing a new definition.
+
+---
+
+## Part 2 — Normative Specification (RFC 2119)
+
+> The key words **MUST**, **MUST NOT**, **REQUIRED**, **SHALL**, **SHALL NOT**, **SHOULD**, **SHOULD NOT**, **RECOMMENDED**, **MAY**, and **OPTIONAL** in this section are to be interpreted as described in [RFC 2119](https://www.rfc-editor.org/rfc/rfc2119).
+
+### Schema and Parsing
+
+1. The `safe-outputs.threat-detection` field **MUST** accept either a boolean literal, an object form, or a GitHub Actions expression string matching `^\$\{\{.*\}\}$`.
+2. The `enabled` and `continue-on-error` sub-fields of the object form **MUST** accept either a boolean literal or a GitHub Actions expression string (i.e., they **MUST** be typed as `templatable_boolean`).
+3. When `threat-detection` is a boolean literal `false`, or the object form sets `enabled: false`, the parser **MUST** return `nil` (detection disabled).
+4. When `threat-detection` is an expression string, the parser **MUST** store the full `${{...}}` string in `ThreatDetectionConfig.EnabledExpr` and **MUST NOT** treat the expression as a disabled state.
+5. When `continue-on-error` is an expression string, the parser **MUST** store it in `ThreatDetectionConfig.ContinueOnErrorExpr` and **MUST NOT** set `ContinueOnError` (the literal bool field) for that configuration.
+
+### Detection Job Compilation
+
+1. When `ThreatDetectionConfig.EnabledExpr` is non-nil, the compiler **MUST** always emit a `detection` job (it **MUST NOT** skip compiling the job based on the expression value).
+2. The `detection` job's `if:` condition **MUST** include the raw caller expression (the `${{...}}` wrappers stripped via `extractRawExpression`) appended with `&&` to the existing content guard condition.
+3. The `continue-on-error` step field on the detection conclusion step **MUST** emit the expression string verbatim (unquoted) when `ContinueOnErrorExpr` is non-nil, rather than a `"true"` or `"false"` literal.
+4. The `GH_AW_DETECTION_CONTINUE_ON_ERROR` environment variable on the detection conclusion step **MUST** emit the expression string verbatim when `ContinueOnErrorExpr` is non-nil.
+
+### Downstream Job Conditions
+
+1. When `IsConditionalDetection(data.SafeOutputs)` returns `true`, the `safe_outputs` job's `if:` condition **MUST** use `always() && <agent-not-skipped> && buildDetectionPassedCondition()` (accepting both `success` and `skipped` results from the detection job).
+2. When `IsConditionalDetection(data.SafeOutputs)` returns `true`, every `safe_jobs` custom job's base condition **MUST** be wrapped with `always() && <safe-output-type-check> && buildDetectionPassedCondition()`.
+3. When `IsConditionalDetection(data.SafeOutputs)` returns `true`, the `upload_assets` job's `if:` condition **MUST** use `always() && <upload-asset-check> && buildDetectionPassedCondition()`.
+4. When `IsConditionalDetection(data.SafeOutputs)` returns `false` and detection is statically enabled, downstream jobs **MUST** continue to use the strict `needs.detection.result == 'success'` gate (via `buildDetectionSuccessCondition()`).
+
+### Conformance
+
+An implementation is considered conformant with this ADR if it satisfies all **MUST** and **MUST NOT** requirements above. Failure to meet any **MUST** or **MUST NOT** requirement — in particular: skipping the detection job compilation for an expression-controlled config, failing to wrap downstream jobs with `always()` when detection is conditional, or emitting a quoted literal instead of the raw expression in step fields — constitutes non-conformance.
+
+---
+
+*This is a DRAFT ADR generated by the [Design Decision Gate](https://github.com/github/gh-aw/actions/runs/25170616496) workflow. The PR author must review, complete, and finalize this document before the PR can merge.*

pkg/cli/logs_formatting_test.go

@@ -6,65 +6,68 @@ import (
 	"testing"
 
 	"github.com/github/gh-aw/pkg/console"
+	"github.com/stretchr/testify/assert"
 )
 
 func TestFormatNumber(t *testing.T) {
 	tests := []struct {
+		name     string
 		input    int
 		expected string
 	}{
-		{0, "0"},
-		{5, "5"},
-		{42, "42"},
-		{999, "999"},
-		{1000, "1.00k"},
-		{1200, "1.20k"},
-		{1234, "1.23k"},
-		{12000, "12.0k"},
-		{12300, "12.3k"},
-		{123000, "123k"},
-		{999999, "1000k"},
-		{1000000, "1.00M"},
-		{1200000, "1.20M"},
-		{1234567, "1.23M"},
-		{12000000, "12.0M"},
-		{12300000, "12.3M"},
-		{123000000, "123M"},
-		{999999999, "1000M"},
-		{1000000000, "1.00B"},
-		{1200000000, "1.20B"},
-		{1234567890, "1.23B"},
-		{12000000000, "12.0B"},
-		{123000000000, "123B"},
+		{"zero", 0, "0"},
+		{"single digit", 5, "5"},
+		{"two digits", 42, "42"},
+		{"three digits", 999, "999"},
+		{"one thousand", 1000, "1.00k"},
+		{"1.2k", 1200, "1.20k"},
+		{"1.23k", 1234, "1.23k"},
+		{"12k", 12000, "12.0k"},
+		{"12.3k", 12300, "12.3k"},
+		{"123k", 123000, "123k"},
+		{"999.999k rounds to 1000k", 999999, "1000k"},
+		{"one million", 1000000, "1.00M"},
+		{"1.2M", 1200000, "1.20M"},
+		{"1.23M", 1234567, "1.23M"},
+		{"12M", 12000000, "12.0M"},
+		{"12.3M", 12300000, "12.3M"},
+		{"123M", 123000000, "123M"},
+		{"999.999M rounds to 1000M", 999999999, "1000M"},
+		{"one billion", 1000000000, "1.00B"},
+		{"1.2B", 1200000000, "1.20B"},
+		{"1.23B", 1234567890, "1.23B"},
+		{"12B", 12000000000, "12.0B"},
+		{"123B", 123000000000, "123B"},
 	}
 
-	for _, test := range tests {
-		result := console.FormatNumber(test.input)
-		if result != test.expected {
-			t.Errorf("console.FormatNumber(%d) = %s, expected %s", test.input, result, test.expected)
-		}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := console.FormatNumber(tt.input)
+			assert.Equal(t, tt.expected, result, "FormatNumber(%d)", tt.input)
+		})
 	}
 }
 
 func TestFormatFileSize(t *testing.T) {
 	tests := []struct {
+		name     string
 		size     int64
 		expected string
 	}{
-		{0, "0 B"},
-		{100, "100 B"},
-		{1024, "1.0 KB"},
-		{1536, "1.5 KB"},          // 1.5 * 1024
-		{1048576, "1.0 MB"},       // 1024 * 1024
-		{2097152, "2.0 MB"},       // 2 * 1024 * 1024
-		{1073741824, "1.0 GB"},    // 1024^3
-		{1099511627776, "1.0 TB"}, // 1024^4
+		{"zero bytes", 0, "0 B"},
+		{"100 bytes", 100, "100 B"},
+		{"one kilobyte", 1024, "1.0 KB"},
+		{"1.5 KB", 1536, "1.5 KB"},                // 1.5 * 1024
+		{"one megabyte", 1048576, "1.0 MB"},       // 1024 * 1024
+		{"two megabytes", 2097152, "2.0 MB"},      // 2 * 1024 * 1024
+		{"one gigabyte", 1073741824, "1.0 GB"},    // 1024^3
+		{"one terabyte", 1099511627776, "1.0 TB"}, // 1024^4
 	}
 
 	for _, tt := range tests {
-		result := console.FormatFileSize(tt.size)
-		if result != tt.expected {
-			t.Errorf("console.FormatFileSize(%d) = %q, expected %q", tt.size, result, tt.expected)
-		}
+		t.Run(tt.name, func(t *testing.T) {
+			result := console.FormatFileSize(tt.size)
+			assert.Equal(t, tt.expected, result, "FormatFileSize(%d)", tt.size)
+		})
 	}
 }

pkg/cli/workflows/test-copilot-cache-memory-threat-detection-expression.md

@@ -0,0 +1,50 @@
+---
+description: Test workflow combining cache-memory with expression-controlled threat detection
+on:
+  workflow_call:
+    inputs:
+      enable-threat-detection:
+        description: 'Whether to enable threat detection at runtime'
+        type: boolean
+        default: true
+      task:
+        description: 'Task to store in cache'
+        type: string
+        default: 'Cache this result'
+
+permissions: read-all
+
+engine: copilot
+
+tools:
+  cache-memory:
+    retention-days: 7
+  github:
+    allowed: [get_repository]
+
+safe-outputs:
+  create-issue:
+    title-prefix: "[bot] "
+    labels: [automated]
+    max: 1
+  threat-detection: ${{ inputs.enable-threat-detection }}
+
+timeout-minutes: 10
+---
+
+# Test Cache Memory with Expression-Controlled Threat Detection
+
+This workflow demonstrates `cache-memory` combined with expression-controlled threat detection.
+The caller controls whether detection runs by passing `enable-threat-detection`.
+
+The compiled output must contain:
+- `detection` job with `if:` referencing `inputs.enable-threat-detection`
+- `actions/cache/restore` in the agent job (detection is present at compile time)
+- `update_cache_memory` job depending on `detection`
+- `update_cache_memory` condition using `always()` and accepting detection `skipped`
+  so cache is saved even when detection is skipped at runtime
+
+Steps:
+1. Check existing files in `/tmp/gh-aw/cache-memory/`
+2. Store a new entry: "Run ${{ github.run_number }}: ${{ inputs.task }}"
+3. Report a summary in a new issue

pkg/cli/workflows/test-copilot-cache-memory-threat-detection.md

@@ -0,0 +1,43 @@
+---
+description: Test workflow combining cache-memory with threat detection enabled
+on:
+  workflow_dispatch:
+    inputs:
+      task:
+        description: 'Task to store in cache'
+        required: true
+        default: 'Cache this result'
+
+permissions: read-all
+
+engine: copilot
+
+tools:
+  cache-memory:
+    retention-days: 7
+  github:
+    allowed: [get_repository]
+
+safe-outputs:
+  create-issue:
+    title-prefix: "[bot] "
+    labels: [automated]
+    max: 1
+  threat-detection: true
+
+timeout-minutes: 10
+---
+
+# Test Cache Memory with Threat Detection Enabled
+
+This workflow demonstrates `cache-memory` combined with standard threat detection.
+When detection is enabled the compiled output must contain:
+- `actions/cache/restore` (instead of `actions/cache`) in the agent job
+- An `update_cache_memory` job that depends on `detection`
+- `update_cache_memory` condition using `always()` and accepting detection `skipped`
+
+Steps:
+1. Check what files exist in `/tmp/gh-aw/cache-memory/` from previous runs
+2. Store a new entry: "Run ${{ github.run_number }}: ${{ inputs.task }}"
+3. Get basic repository information with the GitHub tool
+4. Report a summary in a new issue

pkg/cli/workflows/test-copilot-repo-memory-threat-detection-expression.md

@@ -0,0 +1,51 @@
+---
+description: Test workflow combining repo-memory with expression-controlled threat detection
+on:
+  workflow_call:
+    inputs:
+      enable-threat-detection:
+        description: 'Whether to enable threat detection at runtime'
+        type: boolean
+        default: true
+      task:
+        description: 'Task to store in memory'
+        type: string
+        default: 'Record this run'
+
+permissions: read-all
+
+engine: copilot
+
+tools:
+  repo-memory:
+    branch-name: memory/test-threat-detection-expr
+    description: "Test repo-memory with expression-controlled threat detection"
+    max-file-size: 524288
+  github:
+    allowed: [get_repository]
+
+safe-outputs:
+  create-issue:
+    title-prefix: "[bot] "
+    labels: [automated]
+    max: 1
+  threat-detection: ${{ inputs.enable-threat-detection }}
+
+timeout-minutes: 10
+---
+
+# Test Repo Memory with Expression-Controlled Threat Detection
+
+This workflow demonstrates `repo-memory` combined with expression-controlled threat detection.
+The caller controls whether detection runs by passing `enable-threat-detection`.
+
+The compiled output must contain:
+- `detection` job with `if:` referencing `inputs.enable-threat-detection`
+- `push_repo_memory` job depending on `detection`
+- `push_repo_memory` condition using `always()` and accepting detection `skipped`
+  so that the memory is persisted even when detection is skipped at runtime
+
+Steps:
+1. Check existing files in `/tmp/gh-aw/repo-memory-default/memory/default/`
+2. Append a new entry: "Run ${{ github.run_number }}: ${{ inputs.task }}"
+3. Report a summary in a new issue

pkg/cli/workflows/test-copilot-repo-memory-threat-detection.md

@@ -0,0 +1,44 @@
+---
+description: Test workflow combining repo-memory with threat detection enabled
+on:
+  workflow_dispatch:
+    inputs:
+      task:
+        description: 'Task to store in memory'
+        required: true
+        default: 'Record this run'
+
+permissions: read-all
+
+engine: copilot
+
+tools:
+  repo-memory:
+    branch-name: memory/test-threat-detection
+    description: "Test repo-memory with threat detection"
+    max-file-size: 524288
+  github:
+    allowed: [get_repository]
+
+safe-outputs:
+  create-issue:
+    title-prefix: "[bot] "
+    labels: [automated]
+    max: 1
+  threat-detection: true
+
+timeout-minutes: 10
+---
+
+# Test Repo Memory with Threat Detection Enabled
+
+This workflow demonstrates `repo-memory` combined with threat detection enabled.
+The compiled output must contain:
+- `push_repo_memory` job depending on `detection`
+- `push_repo_memory` job condition using `always()` and accepting detection `skipped`
+
+Steps:
+1. Check what files exist in `/tmp/gh-aw/repo-memory-default/memory/default/` from prior runs
+2. Append a new entry: "Run ${{ github.run_number }}: ${{ inputs.task }}"
+3. Get basic repository information with the GitHub tool
+4. Report a summary in a new issue