Main workflow orchestration and YAML generation\n//\n// The orchestrator follows a phased approach with typed result structures\n// for clear data flow between compilation stages. Each module handles a specific\n// concern in the compilation pipeline, making the codebase easier to understand\n// and maintain.\npackage workflow\n\nimport (\n\t\"github.com/github/gh-aw/pkg/logger\"\n)\n\n// Shared logger used across compiler orchestrator modules\nvar detectionLog = logger.New(\"workflow:detection\")\n","numLines":23,"startLine":1,"totalLines":23}}}

JavaScript runtime mode compatibility\n//\n// # Pass-Through Field Validation\n//\n// Several workflow frontmatter fields are \"pass-through\" fields - they are extracted\n// from frontmatter and passed directly to GitHub Actions without modification:\n// - concurrency: Workflow concurrency control\n// - container: Container configuration for jobs\n// - environment: GitHub environment configuration\n// - env: Environment variables\n// - runs-on: Runner selection\n// - services: Service containers\n//\n// These fields ARE validated during frontmatter parsing using JSON Schema validation\n// (see pkg/parser/schemas/main_workflow_schema.json). The schema catches:\n// - Invalid data types (e.g., array when object expected)\n// - Missing required properties (e.g., container missing 'image')\n// - Invalid additional properties (e.g., unknown fields in concurrency)\n// - Structure violations (e.g., runs-on as number instead of string/array/object)\n//\n// Schema validation happens in pkg/parser/schema_validation.go during frontmatter\n// parsing, so errors are caught at compile time rather than GitHub Actions runtime.\n// See pkg/parser/schema_passthrough_validation_test.go for comprehensive test coverage.\n//\n// # When to Add New Validation\n//\n// Add validation to existing domain files when:\n// - It fits the domain (e.g., package validation → pip_validation.go)\n// - It extends existing functionality\n//\n// Create a new validation file when:\n// - It represents a distinct validation domain\n// - It has multiple related validation functions\n// - It requires its own caching or state management\n//\n// # Validation Patterns\n//\n// The validation system uses several patterns:\n// - Schema validation: JSON schema validation with caching\n// - External resource validation: Docker images, npm/pip packages\n// - Size limit validation: Expression sizes, file sizes\n// - Feature detection: Repository capabilities\n// - Security validation: Permission restrictions, expression safety\n\npackage workflow\n","numLines":71,"startLine":1,"totalLines":71}}}

Topological ordering\npackage parser\n\nimport \"github.com/github/gh-aw/pkg/logger\"\n\nvar importLog = logger.New(\"parser:import_processor\")\n\n// ImportsResult holds the result of processing imports from frontmatter\ntype ImportsResult struct {\n\tMergedTools string // Merged tools configuration from all imports\n\tMergedMCPServers string // Merged mcp-servers configuration from all imports\n\tMergedEngines []string // Merged engine configurations from all imports\n\tMergedSafeOutputs []string // Merged safe-outputs configurations from all imports\n\tMergedMCPScripts []string // Merged mcp-scripts configurations from all imports\n\tMergedMarkdown string // Only contains imports WITH inputs (for compile-time substitution)\n\tImportPaths []string // List of import file paths for runtime-import macro generation (replaces MergedMarkdown)\n\tMergedSteps string // Merged steps configuration from all imports (excluding copilot-setup-steps)\n\tCopilotSetupSteps string // Steps from copilot-setup-steps.yml (inserted at start)\n\tMergedPreSteps string // Merged pre-steps configuration from all imports (prepended in order)\n\tMergedPreAgentSteps string // Merged pre-agent-steps configuration from all imports (prepended in order)\n\tMergedRuntimes string // Merged runtimes configuration from all imports\n\tMergedRunInstallScripts bool // true if any imported workflow sets run-install-scripts: true (global or node-level)\n\tMergedServices string // Merged services configuration from all imports\n\tMergedNetwork string // Merged network configuration from all imports\n\tMergedPermissions string // Merged permissions configuration from all imports\n\tMergedSecretMasking string // Merged secret-masking steps from all imports\n\tMergedBots []string // Merged bots list from all imports (union of bot names)\n\tMergedSkipRoles []string // Merged skip-roles list from all imports (union of role names)\n\tMergedSkipBots []string // Merged skip-bots list from all imports (union of usernames)\n\tMergedActivationGitHubToken string // GitHub token from on.github-token in first imported workflow that defines it\n\tMergedActivationGitHubApp string // JSON-encoded on.github-app from first imported workflow that defines it\n\tMergedTopLevelGitHubApp string // JSON-encoded top-level github-app from first imported workflow that defines it\n\tMergedCheckout string // JSON-encoded checkout configurations from imported workflows (one JSON value per line)\n\tMergedPostSteps string // Merged post-steps configuration from all imports (appended in order)\n\tMergedLabels []string // Merged labels from all imports (union of label names)\n\tMergedCaches []string // Merged cache configurations from all imports (appended in order)\n\tMergedJobs string // Merged jobs from imported YAML workflows (JSON format)\n\tMergedEnv string // Merged env configuration from all imports (JSON format)\n\tMergedEnvSources map[string]string // env var name → source import path (for conflict detection and lock file header listing)\n\tMergedFeatures []map[string]any // Merged features configuration from all imports (parsed YAML structures)\n\tMergedObservability string // Observability config (JSON) from first import that defines it (first-wins)\n\tImportedFiles []string // List of imported file paths (for manifest)\n\tAgentFile string // Path to custom a

GitHub MCP guard policy automatically applied for public repository. min-integrity='approved' and repos='all' ensure only approved-integrity content is accessible.