Escape OTLP endpoints JSON before YAML single-quote wrapping (#30527)

Author: Copilot

pkg/workflow/observability_otlp.go

@@ -399,7 +399,8 @@ func (c *Compiler) injectOTLPConfig(workflowData *WorkflowData) {
 	// The value is single-quoted to prevent YAML parsers from interpreting the
 	// leading '[' as a YAML sequence node rather than a plain string.
 	if encoded := encodeOTLPEndpoints(entries); encoded != "" {
-		otlpEnvLines += "\n  GH_AW_OTLP_ENDPOINTS: '" + encoded + "'"
+		escapedEncoded := strings.ReplaceAll(encoded, "'", "''")
+		otlpEnvLines += "\n  GH_AW_OTLP_ENDPOINTS: '" + escapedEncoded + "'"
 		otlpLog.Printf("Injected GH_AW_OTLP_ENDPOINTS env var")
 	}
 

pkg/workflow/observability_otlp_test.go

@@ -1060,6 +1060,33 @@ func TestInjectOTLPConfig_MultipleEndpoints(t *testing.T) {
 		assert.Contains(t, wd.Env, "secondary.example.com", "secondary endpoint should appear in GH_AW_OTLP_ENDPOINTS")
 	})
 
+	t.Run("escapes single quotes in GH_AW_OTLP_ENDPOINTS", func(t *testing.T) {
+		wd := &WorkflowData{
+			RawFrontmatter: map[string]any{
+				"observability": map[string]any{
+					"otlp": map[string]any{
+						"endpoint": []any{
+							map[string]any{
+								"url":     "https://primary.example.com:4317",
+								"headers": map[string]any{"Authorization": "Bearer O'Reilly"},
+							},
+							map[string]any{"url": "https://secondary.example.com:4317"},
+						},
+					},
+				},
+			},
+		}
+		c.injectOTLPConfig(wd)
+
+		assert.Contains(t, wd.Env, "GH_AW_OTLP_ENDPOINTS:", "multi-endpoint env var should be injected")
+		assert.Contains(
+			t,
+			wd.Env,
+			"GH_AW_OTLP_ENDPOINTS: '[{\"url\":\"https://primary.example.com:4317\",\"headers\":\"Authorization=Bearer O''Reilly\"}",
+			"single quotes must be escaped inside GH_AW_OTLP_ENDPOINTS YAML single-quoted scalar",
+		)
+	})
+
 	t.Run("adds all static endpoint domains to firewall allowlist", func(t *testing.T) {
 		wd := &WorkflowData{
 			RawFrontmatter: map[string]any{