Fix detection job environment YAML rendering

Copilot · zarenner · web-flow · commit d11316ca5f2e · 2026-06-12T00:37:45.000Z
Co-authored-by: zarenner &lt;13670625+zarenner@users.noreply.github.com&gt;
diff --git a/pkg/workflow/threat_detection.go b/pkg/workflow/threat_detection.go
@@ -1030,7 +1030,9 @@ func (c *Compiler) buildDetectionJob(data *WorkflowData) (*Job, error) {
 	// Azure OIDC federation rules require the environment to match the configured OIDC subject claims.
 	environment := ""
 	if data.SafeOutputs.ThreatDetection.Environment != "" {
-		environment = data.SafeOutputs.ThreatDetection.Environment
+		// ThreatDetectionConfig.Environment holds the raw environment name; normalize it to
+		// a YAML field so Job.Environment renders as "environment: <name>" not just "<name>".
+		environment = "environment: " + data.SafeOutputs.ThreatDetection.Environment
 	} else if data.EngineConfig != nil && data.EngineConfig.Auth != nil && data.EngineConfig.Auth.Type == "github-oidc" {
 		// When engine uses GitHub OIDC, inherit top-level environment for Azure federation
 		if data.Environment != "" {
@@ -1048,7 +1050,7 @@ func (c *Compiler) buildDetectionJob(data *WorkflowData) (*Job, error) {
 		Needs:       needs,
 		If:          jobCondition,
 		RunsOn:      c.indentYAMLLines(runsOn, "    "),
-		Environment: environment,
+		Environment: c.indentYAMLLines(environment, "    "),
 		Permissions: permissions,
 		Steps:       steps,
 		Outputs:     outputs,
