Closed
Description
### Problem Description
When compiling workflows with package validation errors, the compile error suggestions show [REDACTED] instead of the actual environment variable name that users should set to fix or skip the issue.
Example: When npm is not installed and a workflow uses npx packages (e.g., mcp-inspector.md), the error suggestion reads:
```
Alternatively, disable validation by setting [REDACTED]=true
```
instead of the actionable:
```
Alternatively, disable validation by setting GH_AW_SKIP_NPX_VALIDATION=true
```
### Command/Tool
- **Tool**: `compile` (via `agenticworkflows-compile` MCP tool and `gh aw compile`)
- **Affects**: Any workflow using `npx` packages when `npm` is not installed, or `pip`/`uv` packages when the respective package manager is not installed
### Root Cause
`SanitizeErrorMessage` in `pkg/stringutil/sanitize.go` uses the regex `\b([A-Z][A-Z0-9]*_[A-Z0-9_]+)\b` to redact all uppercase snake_case identifiers, with only a small whitelist of common workflow keywords (`GITHUB`, `ACTIONS`, `RUNNER`, etc.). This matches and redacts `GH_AW_SKIP_NPX_VALIDATION`, `GH_AW_SKIP_UV_VALIDATION`, etc.
The sanitization is applied in `pkg/cli/compile_config.go` via `sanitizeValidationResults()`, which sanitizes all compile error messages before they are returned via the MCP tool or JSON output. This is meant to prevent secrets from leaking, but incorrectly redacts documented public configuration variables.
### Steps to Reproduce
1. Run `gh aw compile .github/workflows/mcp-inspector.md` in an environment without `npm` installed
2. Observe the error output — the env var name for disabling validation is shown as `[REDACTED]`
### Expected Behavior
The suggestion should show the full environment variable name: `GH_AW_SKIP_NPX_VALIDATION=true`
### Actual Behavior
```
Alternatively, disable validation by setting [REDACTED]=true
```
### Suggested Fix
Add `GH_AW` and any gh-aw-specific prefixes to the `commonWorkflowKeywords` whitelist in `pkg/stringutil/sanitize.go`, or use a prefix-based exclusion:
```go
// In commonWorkflowKeywords map or with a check:
if strings.HasPrefix(match, "GH_AW_") {
    return match // Don't redact gh-aw config variables
}
```
Alternatively, environment variable names that appear in known suggestion text strings (e.g., in the `npm_validation.go` and `pip_validation.go` suggestion strings) should be explicitly whitelisted.
### Environment
- **Repository**: github/gh-aw
- **Run ID**: 22205061685
- **Date**: 2026-02-19
- **File**: `pkg/stringutil/sanitize.go`, `pkg/cli/compile_config.go`
### Impact
- **Severity**: Medium
- **Frequency**: Always (reproducible whenever npm/pip/uv is not installed)
- **Workaround**: Users must look up the environment variable name in documentation or source code
Generated by Daily CLI Tools Exploratory Tester
- expires on Feb 27, 2026, 12:01 AM UTC
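
The two fixes proposed in this issue behave differently for names that share the `GH_AW_` prefix but are not public switches. The sketch below is an added example, not gh-aw's code: `redact`, the `keep*` helpers and `publicNames` are hypothetical names in a simplified model of the redaction step, and `GH_AW_EXAMPLE_TOKEN` and `DEPLOY_API_KEY` are constructed identifiers.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Pattern quoted in the issue: any uppercase snake_case identifier.
var envNameRe = regexp.MustCompile(`\b([A-Z][A-Z0-9]*_[A-Z0-9_]+)\b`)

// Exact names of the documented switches mentioned in the issue.
var publicNames = map[string]bool{
	"GH_AW_SKIP_NPX_VALIDATION": true,
	"GH_AW_SKIP_UV_VALIDATION":  true,
}

// redact replaces every match unless keep reports it as safe to show.
func redact(msg string, keep func(string) bool) string {
	return envNameRe.ReplaceAllStringFunc(msg, func(m string) string {
		if keep(m) {
			return m
		}
		return "[REDACTED]"
	})
}

func keepNone(string) bool     { return false }                          // behaviour reported in the issue
func keepPrefix(m string) bool { return strings.HasPrefix(m, "GH_AW_") } // prefix-based exclusion
func keepExact(m string) bool  { return publicNames[m] }                 // explicit whitelist

func main() {
	// Constructed messages; the last two names are made up for illustration.
	msgs := []string{
		"Alternatively, disable validation by setting GH_AW_SKIP_NPX_VALIDATION=true",
		"token GH_AW_EXAMPLE_TOKEN is missing",
		"DEPLOY_API_KEY was rejected",
	}
	for _, m := range msgs {
		fmt.Println("none:  ", redact(m, keepNone))
		fmt.Println("prefix:", redact(m, keepPrefix))
		fmt.Println("exact: ", redact(m, keepExact))
	}
}
```

The prefix rule exempts every current and future `GH_AW_*` name from redaction, while the exact list fails closed for names nobody has reviewed.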