[CI Failure Doctor] Heredoc tests broke after delimiter change #14975

@github-actions

🏥 CI Failure Investigation - Run #34863

Summary

  • sh_test.go/sh_integration_test.go still assert on the raw PROMPT_EOF literal even though WritePromptTextToYAML now uses GenerateHeredocDelimiter("PROMPT"), so the tests never see any heredoc blocks or EOF markers.
  • TestSafeOutputsTargetValidation_ValidValues/github_expression now fails because the sample workflow compiles with ${{ github.event.issue.number }} embedded directly in a shell command, and the compiler rejects it as a template-injection risk.

Failure Details

Root Cause Analysis

The prompt chunking helpers switched to GenerateHeredocDelimiter("PROMPT"), which yields GH_AW_PROMPT_EOF. The unit and integration tests were still counting cat << 'PROMPT_EOF'/PROMPT_EOF, so they reported zero chunks even though the YAML uses the new prefix. Separately, the github_expression case writes ${{ github.event.issue.number }} straight into a shell command; the compiler now flags that as template injection, so the workflow no longer compiles and the safe-outputs test fails before it can reach the prompt tests.

Failed Jobs and Errors

  • test: TestWritePromptTextToYAML_MaxChunksLimit / _EmptyText never saw heredoc markers because they were hard-coded to PROMPT_EOF instead of GH_AW_PROMPT_EOF.
  • build: make recompile aborted with "compilation failed" after the unit tests failed, so the lock files were never refreshed.
  • Integration: Workflow Safe Outputs: TestSafeOutputsTargetValidation_ValidValues/github_expression fails with template injection vulnerabilities detected in compiled workflow because ${{ github.event.issue.number }} is embedded directly in the run command.
  • Integration: Workflow Rendering & Bundling: TestWritePromptTextToYAML_IntegrationWithCompiler (and related helpers) were looking for the old PROMPT_EOF literal, hitting the same mismatch as the unit tests.

Investigation Findings

  • The prompt tests now need to reference the helper-generated delimiter instead of hard-coded strings. I moved that helper into a shared file so both build types can reuse promptHeredocPattern.
  • The safe-outputs workflow fixture is the same one that prints github.event directly, and the compiler security checks reject it as unsafe. The warning log suggests promoting the expression into an environment variable and relying on $MY_VALUE in the run script.
  • Unable to re-run go test ./pkg/workflow -run TestWritePromptTextToYAML locally because Go tries to download Go 1.25.0 via proxy.golang.org (Forbidden), and GOTOOLCHAIN=local fails because the environment only has Go 1.24.12 (< module requirement).

Recommended Actions

  • Update every test that counts prompt heredocs to derive the pattern via GenerateHeredocDelimiter (unit + integration files now use promptHeredocPattern).
  • Rework TestSafeOutputsTargetValidation_ValidValues (and/or its fixture) so the workflow no longer injects ${{ github.event.issue.number }} directly into a shell command; move the expression into an environment variable before the heredoc that writes to GH_AW_PROMPT.
  • Once Go 1.25.0 is available in the local/test environment, re-run go test ./pkg/workflow -run TestWritePromptTextToYAML to confirm the fix.

Prevention Strategies

  • Always derive heredoc expectations via GenerateHeredocDelimiter to avoid hard-coded prefixes that drift when the helper changes.
  • When safe-outputs workflows need GitHub context, assign expressions to env: keys and reference the env values in shell steps instead of embedding expressions directly.

AI Team Self-Improvement

When verifying heredoc output in tests, do not hard-code PROMPT_EOF; call GenerateHeredocDelimiter("PROMPT") so the assertion follows the production delimiter prefixes.

Historical Context

This run is the first time we've observed the prompt heredoc mismatch after the GenerateHeredocDelimiter change, and it coincides with the compiler flagging direct github.event expressions in safe-output workflows as template-injection risks.

AI generated by CI Failure Doctor

To add this workflow in your repository, run gh aw add githubnext/agentics/workflows/ci-doctor.md@ea350161ad5dcc9624cf510f134c6a9e39a6f94d. See usage guide.

  • expires on Feb 12, 2026, 3:47 PM UTC
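
The env: indirection recommended in the report, checked mechanically. This is an added example, not part of the original issue and not the project's compiler check: a simplified line-based scan (an assumption, not a YAML parser) that reports ${{ }} expressions found inside run: scripts. The two fixtures and the ISSUE_NUMBER variable name are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed fixtures: the same step written unsafely and with env: indirection.
const unsafeWorkflow = `- name: comment
  run: |
    echo "Issue ${{ github.event.issue.number }}"
`
const safeWorkflow = `- name: comment
  env:
    ISSUE_NUMBER: ${{ github.event.issue.number }}
  run: |
    echo "Issue $ISSUE_NUMBER"
`

var (
	runKey = regexp.MustCompile(`^(\s*(?:-\s+)?)run:\s*(.*)$`) // "run:" or "- run:"
	expr   = regexp.MustCompile(`\$\{\{.*?\}\}`)               // ${{ ... }}
)

// FindRunExpressions returns "line N: <expr>" for every ${{ }} expression that
// sits inside a run: script, where it would be expanded before the shell runs.
func FindRunExpressions(workflow string) []string {
	var findings []string
	inRun, runIndent := false, 0
	for i, line := range strings.Split(workflow, "\n") {
		indent := len(line) - len(strings.TrimLeft(line, " "))
		if m := runKey.FindStringSubmatch(line); m != nil {
			inRun, runIndent = true, len(m[1]) // column of the run: key
			line = m[2]                        // inline script after "run:"
		} else if inRun && strings.TrimSpace(line) != "" && indent <= runIndent {
			inRun = false // a sibling key (env:, name:, ...) ends the script
		}
		if inRun {
			for _, e := range expr.FindAllString(line, -1) {
				findings = append(findings, fmt.Sprintf("line %d: %s", i+1, e))
			}
		}
	}
	return findings
}

func main() {
	fmt.Println(FindRunExpressions(unsafeWorkflow), FindRunExpressions(safeWorkflow))
}
```

The expression under env: is not reported because it is passed to the step as an environment value instead of being spliced into the script text.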
