test: add workflow fixture coverage for detection environment propagation

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Author: Copilot

pkg/cli/workflows/test-copilot-threat-detection-environment.md

@@ -0,0 +1,31 @@
+---
+description: Test workflow for top-level environment propagation to threat detection
+on:
+  workflow_dispatch:
+    inputs:
+      task:
+        description: 'Task summary'
+        required: true
+        default: 'Check environment propagation'
+
+environment: production
+permissions: read-all
+
+engine: copilot
+
+safe-outputs:
+  create-issue:
+    title-prefix: "[bot] "
+    labels: [automated]
+    max: 1
+  threat-detection: true
+
+timeout-minutes: 10
+---
+
+# Test Threat Detection Environment Propagation
+
+This workflow verifies that when a top-level `environment` is configured,
+the compiled `detection` job inherits it.
+
+Create an issue summarizing the provided task input.

pkg/workflow/environment_test.go

@@ -342,8 +342,7 @@ This is a test.`,
 }
 
 // TestDetectionJobEnvironmentPropagation verifies that the top-level environment: field is
-// propagated to the detection job during full workflow compilation, matching the same
-// unconditional fallback used by agent / conclusion / safe_outputs jobs.
+// propagated to the detection job during full workflow compilation.
 func TestDetectionJobEnvironmentPropagation(t *testing.T) {
 	tests := []struct {
 		name             string
@@ -384,25 +383,6 @@ This is a test.`,
 			expectEnvInDet:   false,
 			expectedEnvValue: "",
 		},
-		{
-			name: "threat-detection environment override takes precedence over top-level",
-			frontmatter: `---
-on:
-  issues:
-    types: [opened]
-environment: production
-safe-outputs:
-  add-comment: {}
-  threat-detection:
-    environment: aoai-model
----
-
-# Test Workflow
-
-This is a test.`,
-			expectEnvInDet:   true,
-			expectedEnvValue: "environment: aoai-model",
-		},
 	}
 
 	for _, tt := range tests {

pkg/workflow/threat_detection_job_combinations_integration_test.go

@@ -365,6 +365,7 @@ func TestWorkflowFilesCompile(t *testing.T) {
 
 	threatFiles := []string{
 		"test-copilot-threat-detection-expression.md",
+		"test-copilot-threat-detection-environment.md",
 		"test-copilot-repo-memory-threat-detection.md",
 		"test-copilot-repo-memory-threat-detection-expression.md",
 		"test-copilot-cache-memory-threat-detection.md",
@@ -410,6 +411,14 @@ func TestWorkflowFilesCompile(t *testing.T) {
 					"file %s should produce a detection job", filename)
 			}
 
+			// Environment fixture must propagate top-level environment to detection.
+			if filename == "test-copilot-threat-detection-environment.md" {
+				detectionSection := extractJobSection(yaml, string(constants.DetectionJobName))
+				require.NotEmpty(t, detectionSection, "detection job section should be present")
+				assert.Contains(t, detectionSection, "environment: production",
+					"detection job in %s should inherit top-level environment", filename)
+			}
+
 			// Repo-memory files should produce push_repo_memory job
 			if strings.Contains(filename, "repo-memory") {
 				assert.Contains(t, yaml, "  push_repo_memory:",