Skip to content

Skip activation secret validation when environment is configured#26509

Merged
pelikhan merged 7 commits intomainfrom
copilot/skip-token-validation-in-job
Apr 15, 2026
Merged

Skip activation secret validation when environment is configured#26509
pelikhan merged 7 commits intomainfrom
copilot/skip-token-validation-in-job

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Apr 15, 2026
edited
Loading

  • Locate activation-job secret/token validation flow and environment extraction path
  • Implement skip logic for activation secret validation when a top-level environment is configured (including imported frontmatter)
  • Add/adjust unit tests for the new skip behavior
  • Run targeted tests for workflow secret-validation/activation logic
  • Run full required validation (make agent-finish) and capture any unrelated pre-existing failures
  • Create/update PR with final changes

Copilot AI and others added 5 commits April 15, 2026 22:43
@pelikhan
Skip activation secret validation when environment is configured
3b6a9fa 
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/a7843a88-39e3-430a-b982-450cab6805c4

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan
Refine environment skip tests for activation secret validation
088ddd3 
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/a7843a88-39e3-430a-b982-450cab6805c4

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan
Tighten environment-based secret validation skip tests
a9e84a8 
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/a7843a88-39e3-430a-b982-450cab6805c4

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan
Polish environment skip tests per review feedback
20a31dc 
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/a7843a88-39e3-430a-b982-450cab6805c4

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan
Rename environment skip test for clarity
6aa55c0 
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/a7843a88-39e3-430a-b982-450cab6805c4

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI requested a review from pelikhan April 15, 2026 22:53
@pelikhan pelikhan marked this pull request as ready for review April 15, 2026 23:02
Copilot AI review requested due to automatic review settings April 15, 2026 23:02
Copilot AI reviewed Apr 15, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the workflow compiler’s activation-job secret validation behavior to skip validation when a top-level GitHub Actions environment is configured.

Changes:

  • Skip generating the engine secret validation step when workflowData.Environment is set.
  • Add unit tests asserting validation/outputs are omitted when a top-level environment is present.
  • Add cross-engine test coverage to ensure all supported engines follow the new skip behavior.
Show a summary per file
File Description
pkg/workflow/engine_helpers.go Adds environment-based guard to skip default secret validation step generation.
pkg/workflow/secret_verification_output_test.go Adds compilation test ensuring activation outputs and validate-secret step are omitted when environment is set.
pkg/workflow/secret_validation_test.go Adds cross-engine unit test ensuring GetSecretValidationStep returns empty when environment is configured.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 3/3 changed files
  • Comments generated: 1

Comment thread pkg/workflow/engine_helpers.go
Comment on lines 263 to +269
func BuildDefaultSecretValidationStep(workflowData *WorkflowData, secrets []string, name, docsURL string) GitHubActionStep {
if workflowData.EngineConfig != nil && workflowData.EngineConfig.Command != "" {
engineHelpersLog.Printf("Skipping secret validation step: custom command specified (%s)", workflowData.EngineConfig.Command)
return GitHubActionStep{}
}
if workflowData != nil && strings.TrimSpace(workflowData.Environment) != "" {
engineHelpersLog.Print("Skipping secret validation step: top-level environment is configured")
Copy link

Copilot AI Apr 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

BuildDefaultSecretValidationStep dereferences workflowData (workflowData.EngineConfig) before any nil check. Since the function now explicitly handles nil workflowData for the environment check, calling it with a nil workflowData would panic. Add an early if workflowData == nil { ... } guard (or fold workflowData != nil into the existing EngineConfig check) before accessing workflowData.EngineConfig.

Copilot uses AI. Check for mistakes.
@github-actions github-actions bot mentioned this pull request Apr 15, 2026
Closed
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 15, 2026

🧪 Test Quality Sentinel Report

Test Quality Score: 80/100

Excellent test quality

Metric Value
New/modified tests analyzed 2
✅ Design tests (behavioral contracts) 2 (100%)
⚠️ Implementation tests (low value) 0 (0%)
Tests with error/edge cases 2 (100%)
Duplicate test clusters 0
Test inflation detected Yes (76 test lines added vs 4 production lines)
🚨 Coding-guideline violations None

Test Classification Details

Test File Classification Issues Detected
TestEngineSecretValidationSkippedWhenEnvironmentConfigured pkg/workflow/secret_validation_test.go:283 ✅ Design None — table-driven across 4 engines, clear behavioral assertion
TestSecretVerificationOutputSkippedWithEnvironment pkg/workflow/secret_verification_output_test.go:94 ✅ Design None — end-to-end compilation check with multiple t.Error assertions

Test Descriptions

TestEngineSecretValidationSkippedWhenEnvironmentConfigured — Table-driven over 4 engines (copilot, claude, codex, gemini). Sets WorkflowData.Environment = "production" and asserts GetSecretValidationStep() returns an empty slice. Directly verifies the behavioral contract: "when a top-level environment is configured, no secret validation steps are emitted." Uses real engine constructors (no mocks), has a descriptive t.Fatalf message, and covers all supported engines.

TestSecretVerificationOutputSkippedWithEnvironment — End-to-end test: writes a workflow markdown with environment: production, runs CompileWorkflow(), reads the output .lock.yml, and asserts three things: the environment: production key is preserved, no validate-secret step is emitted, and no secret_verification_result activation output is emitted. Verifies the full compilation pipeline honours the skip behaviour.

Score Breakdown

Component Points Notes
Behavioral Coverage (40 pts) 40 100% design tests — both verify observable compiled output or direct API return values
Error/Edge Case Coverage (30 pts) 30 Both tests specifically exercise the new edge case (environment configured = skip validation)
Low Duplication (20 pts) 20 No copy-paste clusters detected
Proportional Growth (10 pts) 0 Inflation penalty applied: 76 test lines added vs 4 production lines in engine_helpers.go (19:1 ratio)
Total 80

i️ On test inflation: The 19:1 ratio exceeds the 2:1 threshold, triggering the proportional-growth penalty. However, the high ratio reflects good testing practice for this change — a 4-line guard added to one function is exercised across all 4 supported engines and through a full end-to-end compilation cycle. The metric fires on the raw ratio, but the tests are genuinely thorough rather than inflated.

Language Support

Tests analyzed:

  • 🐹 Go (*_test.go): 2 tests — unit (//go:build !integration)
  • 🟨 JavaScript: 0 tests changed in this PR

Verdict

Check passed. 0% of new tests are implementation tests (threshold: 30%). Both tests verify behavioral contracts — that the skip-validation feature works at the engine level and survives the full compilation pipeline. No coding-guideline violations detected.

📖 Understanding Test Classifications

Design Tests (High Value) verify what the system does:

  • Assert on observable outputs, return values, or state changes
  • Cover error paths and boundary conditions
  • Would catch a behavioral regression if deleted
  • Remain valid even after internal refactoring

Implementation Tests (Low Value) verify how the system does it:

  • Assert on internal function calls (mocking internals)
  • Only test the happy path with typical inputs
  • Break during legitimate refactoring even when behavior is correct
  • Give false assurance: they pass even when the system is wrong

Goal: Shift toward tests that describe the system's behavioral contract — the promises it makes to its users and collaborators.

References: §24482807335

🧪 Test quality analysis by Test Quality Sentinel · ● 837.5K ·

github-actions[bot]
github-actions bot approved these changes Apr 15, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Test Quality Sentinel: 80/100. Test quality is excellent — 0% of new tests are implementation tests (threshold: 30%). Both new tests verify behavioral contracts: engine-level secret validation skip and full end-to-end compilation output.

@pelikhan
Copy link
Copy Markdown
Collaborator

pelikhan commented Apr 15, 2026

@copilot review all comments

@github-actions github-actions bot mentioned this pull request Apr 15, 2026
Closed
Copilot AI and others added 2 commits April 15, 2026 23:17
@pelikhan
Guard nil workflow data in secret validation helper
ceffca3 
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/f835cc24-6ee6-4012-9776-08ab293cff4d

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan
Use testify assertions in nil workflow data test
5ce1103 
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/f835cc24-6ee6-4012-9776-08ab293cff4d

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copy link
Copy Markdown
Contributor Author

Copilot AI commented Apr 15, 2026

@copilot review all comments

Done — I reviewed and addressed the actionable review feedback. I fixed the nil dereference risk in BuildDefaultSecretValidationStep and added nil-workflow regression coverage (plus assertion-style cleanup). Addressed in commits ceffca3 and 5ce1103.

@pelikhan pelikhan merged commit 1a84cc9 into main Apr 15, 2026
@pelikhan pelikhan deleted the copilot/skip-token-validation-in-job branch April 15, 2026 23:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@github-actions github-actions[bot] github-actions[bot] approved these changes

@pelikhan pelikhan Awaiting requested review from pelikhan

Assignees

@pelikhan pelikhan

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@pelikhan