🏥 CI Failure Investigation - Run #34863
Summary
sh_test.go/sh_integration_test.go still assert on the raw PROMPT_EOF literal even though WritePromptTextToYAML now uses GenerateHeredocDelimiter("PROMPT"), so the tests never see any heredoc blocks or EOF markers.
TestSafeOutputsTargetValidation_ValidValues/github_expression now fails because the sample workflow compiles with ${{ github.event.issue.number }} embedded directly in a shell command, and the compiler rejects it as a template-injection risk.
Failure Details
Root Cause Analysis
The prompt chunking helpers switched to GenerateHeredocDelimiter("PROMPT"), which yields GH_AW_PROMPT_EOF. The unit and integration tests were still counting cat << 'PROMPT_EOF'/PROMPT_EOF, so they reported zero chunks even though the YAML uses the new prefix. Separately, the github_expression case writes ${{ github.event.issue.number }} straight into a shell command; the compiler now flags that as template injection, so the workflow no longer compiles and the safe-outputs test fails before it can reach the prompt tests.
Failed Jobs and Errors
test: TestWritePromptTextToYAML_MaxChunksLimit / _EmptyText never saw heredoc markers because they were hard-coded to PROMPT_EOF instead of GH_AW_PROMPT_EOF.
build: make recompile aborted with "compilation failed" after the unit tests failed, so the lock files were never refreshed.
Integration: Workflow Safe Outputs: TestSafeOutputsTargetValidation_ValidValues/github_expression fails with "template injection vulnerabilities detected in compiled workflow" because ${{ github.event.issue.number }} is embedded directly in the run command.
Integration: Workflow Rendering & Bundling: TestWritePromptTextToYAML_IntegrationWithCompiler (and related helpers) were looking for the old PROMPT_EOF literal, hitting the same mismatch as the unit tests.
Investigation Findings
- The prompt tests now need to reference the helper-generated delimiter instead of hard-coded strings. I moved that helper into a shared file so both build types can reuse promptHeredocPattern.
- The safe-outputs workflow fixture is the same one that prints github.event directly, and the compiler security checks reject it as unsafe. The warning log suggests promoting the expression into an environment variable and relying on $MY_VALUE in the run script.
- Unable to re-run go test ./pkg/workflow -run TestWritePromptTextToYAML locally because Go tries to download Go 1.25.0 via proxy.golang.org (Forbidden), and GOTOOLCHAIN=local fails because the environment only has Go 1.24.12 (< module requirement).
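Recommended Actions
- … GenerateHeredocDelimiter (unit + integration files now use promptHeredocPattern).
- … TestSafeOutputsTargetValidation_ValidValues (and/or its fixture) so the workflow no longer injects ${{ github.event.issue.number }} directly into a shell command; move the expression into an environment variable before the heredoc that writes to GH_AW_PROMPT.
- … go test ./pkg/workflow -run TestWritePromptTextToYAML to confirm the fix.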
Prevention Strategies
- Always derive heredoc expectations via GenerateHeredocDelimiter to avoid hard-coded prefixes that drift when the helper changes.
- When safe-outputs workflows need GitHub context, assign expressions to env: keys and reference the env values in shell steps instead of embedding expressions directly.
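The env: promotion recommended above, as an added Go example (not the project's own compiler check or test fixture): it lists the ${{ ... }} expressions embedded in a run script and rewrites each one to a shell variable backed by an env: entry. The function names, the EXPR_ prefix and the sample script are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// exprRe matches an Actions expression such as ${{ github.event.issue.number }}.
var exprRe = regexp.MustCompile(`\$\{\{\s*(.*?)\s*\}\}`)

// nonAlnum matches runs of characters that cannot appear in an env var name.
var nonAlnum = regexp.MustCompile(`[^A-Za-z0-9]+`)

// FindInlineExpressions lists the expressions embedded in a run script. Each
// one is substituted into the script text before the shell parses it.
func FindInlineExpressions(script string) []string {
	var found []string
	for _, m := range exprRe.FindAllStringSubmatch(script, -1) {
		found = append(found, m[1])
	}
	return found
}

// PromoteToEnv replaces each expression with a shell variable reference and
// returns the env: entries that carry the values. The EXPR_ prefix is a
// hypothetical naming scheme chosen for this example.
func PromoteToEnv(script string) (string, map[string]string) {
	env := map[string]string{}
	out := exprRe.ReplaceAllStringFunc(script, func(match string) string {
		expr := exprRe.FindStringSubmatch(match)[1]
		name := "EXPR_" + strings.ToUpper(strings.Trim(nonAlnum.ReplaceAllString(expr, "_"), "_"))
		env[name] = "${{ " + expr + " }}"
		return "${" + name + "}"
	})
	return out, env
}

func main() {
	// Constructed sample step, modelled on the fixture described above.
	script := `echo "Target issue: ${{ github.event.issue.number }}"`
	fmt.Println("inline expressions:", FindInlineExpressions(script))
	fixed, env := PromoteToEnv(script)
	fmt.Println("run:", fixed)
	for name, value := range env {
		fmt.Printf("env: %s: %s\n", name, value)
	}
}
```

After the rewrite the value reaches the shell only through variable expansion, so it is never parsed as script text; quoting of the variable reference still follows the surrounding script.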
AI Team Self-Improvement
When verifying heredoc output in tests, do not hard-code PROMPT_EOF; call GenerateHeredocDelimiter("PROMPT") so the assertion follows the production delimiter prefixes.
Historical Context
This run is the first time we've observed the prompt heredoc mismatch after the GenerateHeredocDelimiter change, and it coincides with the compiler flagging direct github.event expressions in safe-output workflows as template-injection risks.
AI generated by CI Failure Doctor
To add this workflow in your repository, run gh aw add githubnext/agentics/workflows/ci-doctor.md@ea350161ad5dcc9624cf510f134c6a9e39a6f94d. See usage guide.