Externalize threat detection prompt template to runtime file

[Copilot]

Move threat detection prompt to actions/setup and update JavaScript to read at runtime

• Copy threat detection prompt file from pkg/workflow/prompts/threat_detection.md to actions/setup/md/threat_detection.md
• Update setup_threat_detection.cjs to read the prompt file from runtime prompts directory at /opt/gh-aw/prompts/threat_detection.md
• Remove the embed directive from threat_detection.go and update to pass file path instead of content
• Update test expectations to validate file reading instead of embedded content
• Run tests to verify changes work correctly
• Fix path resolution to use absolute runtime path instead of relative path

Summary

Successfully moved the threat detection prompt text from an embedded Go string to a file in actions/setup/md/threat_detection.md. The JavaScript code now reads this file at runtime from /opt/gh-aw/prompts/threat_detection.md where the setup action copies it. All tests pass and linting is clean.

Path Resolution Fix

The initial implementation used a relative path ../md/threat_detection.md, but at runtime the JavaScript files are executed from /opt/gh-aw/actions/, not from the source directory. The setup action copies markdown files from actions/setup/md/ to /opt/gh-aw/prompts/, so the correct runtime path is /opt/gh-aw/prompts/threat_detection.md.

Original prompt

Move threat detection prompt text into a file in actions/setup and update the JavaScript code to read this file at runtime.

Search

const templateContent = `# Threat Detection Analysis

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[github-actions]

⚠️ Security scanning failed for Smoke Codex. Review the logs for details.

[github-actions]

⚠️ Security scanning failed for Changeset Generator. Review the logs for details.

[github-actions]

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

[github-actions]

⚠️ Security scanning failed for Smoke Claude. Review the logs for details.

[github-actions]

⚠️ Security scanning failed for Smoke Copilot. Review the logs for details.

[pelikhan]

@copilot fix resolution path

See https://github.com/githubnext/gh-aw/actions/runs/21546038294/job/62087632348#step:7:1

[Copilot]

@copilot fix resolution path

...

Fixed in f22fa56. Changed the path from relative ../md/threat_detection.md to absolute /opt/gh-aw/prompts/threat_detection.md to match where the setup action copies markdown files at runtime.

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

[github-actions]

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰

[github-actions]

Agent Container Tool Check

Tool	Status	Version
bash	✅	5.2.21
sh	✅	available
git	✅	2.52.0
jq	✅	1.7
yq	✅	4.50.1
curl	✅	8.5.0
gh	✅	2.86.0
node	✅	24.13.0
python3	✅	3.13.11
go	✅	1.24.12
java	❌	not found
dotnet	❌	not found

Result: 10/12 tools available ⚠️

Missing tools:

• java - Command not found
• dotnet - Command not found

Status: PARTIAL - Core tools (bash, git, jq, yq, curl, gh, node, python, go) are all available. Java and .NET runtimes are missing but may not be required for typical workflows.

AI generated by Agent Container Smoke Test

[github-actions]

Smoke Test: PASS ✅

• ✅ GitHub MCP
• ✅ Safe Inputs GH CLI
• ✅ Serena MCP
• ✅ Playwright
• ✅ File Writing
• ✅ Bash Tool
• ✅ Discussion Interaction
• ✅ Build gh-aw

PRs: #12941, #12930

@pelikhan @Copilot

AI generated by Smoke Copilot

[github-actions]

GitHub MCP merged PRs ✅ 🔧 Improve Agentic Workflow Authoring Structure / Remove noop from handler registry and clarify skip reason logging
safeinputs-gh PR list ✅ [WIP] Remove update-project and create-project-update-status outputs / Externalize threat detection prompt template to runtime file
Serena activate ✅
Playwright github.com title ✅
Tavily search ✅
File write+cat ✅
Build gh-aw ✅
Discussion comment ✅
Overall status: PASS

AI generated by Smoke Codex

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

Smoke Test: Claude ✅

Last 2 Merged PRs:

• 🔧 Improve Agentic Workflow Authoring Structure #12935: 🔧 Improve Agentic Workflow Authoring Structure
• chore: refine default campaign orchestrator rules #12925: chore: refine default campaign orchestrator rules

Test Results:

• ✅ GitHub MCP
• ✅ Safe Inputs GH CLI
• ✅ Serena MCP
• ✅ Make Build
• ✅ Playwright
• ✅ Tavily Web Search
• ✅ File Writing
• ✅ Bash Tool
• ✅ Discussion Interaction

Overall Status: PASS ✅

AI generated by Smoke Claude