Use envsubst with quoted heredoc for environment variable substitution #4715

Merged: pelikhan merged 2 commits into spellcheck3 from copilot/sub-pr-4713 on Nov 25, 2025
Contributor

Copilot AI commented Nov 25, 2025

Switches prompt heredoc generation from unquoted heredoc to quoted heredoc piped through envsubst. This allows safe environment variable substitution while preventing shell command execution in the heredoc content.

Before:

cat >> "$GH_AW_PROMPT" << PROMPT_EOF
...content with $VARS...
PROMPT_EOF

After:

cat << 'PROMPT_EOF' | envsubst >> "$GH_AW_PROMPT"
...content with $VARS...
PROMPT_EOF

Changes

  • Core heredoc generation: Updated compiler_yaml.go, sh.go, and prompt_step.go to use quoted heredoc with envsubst pipe
  • Prompt files restored: Reverted accidental removal of backticks in markdown prompt templates (temp_folder_prompt.md, edit_tool_prompt.md, playwright_prompt.md, pr_context_prompt.md, github_context_prompt.md)
  • Tests updated: All heredoc pattern assertions updated across test files to match new syntax
  • Lock files recompiled: All 77 workflow lock files regenerated with new pattern
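
The difference between the two forms, as an added example that is not part of the PR or the gh-aw code base: the same body rendered by the old unquoted heredoc and by the quoted heredoc piped through `envsubst`, plus an allowlisted `envsubst` call that goes beyond what the PR does. The `GH_AW_DEMO_*` variables and their values are constructed for the demonstration, and GNU `envsubst` (gettext) is assumed to be installed.

```shell
#!/bin/sh
# Added example with constructed values; not taken from the PR or gh-aw.
# Assumes GNU envsubst (gettext) is on PATH.
# envsubst only sees exported variables, so both are exported here.
export GH_AW_DEMO_REPO="octo/demo"             # constructed value
export GH_AW_DEMO_SECRET="s3cr3t-constructed"  # constructed value

# Old pattern: unquoted delimiter. The shell expands $VARS and also runs
# every `...` and $(...) that appears in the body.
render_unquoted() {
  cat << PROMPT_EOF
Repo: $GH_AW_DEMO_REPO
Run `echo CMD_RAN` then $(echo SUBST_RAN)
PROMPT_EOF
}

# New pattern: quoted delimiter, so the shell treats the body as literal text;
# envsubst then replaces only $VAR / ${VAR} references with exported values.
render_quoted_envsubst() {
  cat << 'PROMPT_EOF' | envsubst
Repo: $GH_AW_DEMO_REPO
Run `echo CMD_RAN` then $(echo SUBST_RAN)
PROMPT_EOF
}

# Beyond the PR: bare envsubst fills in any exported variable the text names.
# A SHELL-FORMAT argument restricts substitution to the variables listed.
render_allowlisted() {
  cat << 'PROMPT_EOF' | envsubst '$GH_AW_DEMO_REPO'
Repo: $GH_AW_DEMO_REPO
Token: $GH_AW_DEMO_SECRET
PROMPT_EOF
}

if command -v envsubst >/dev/null 2>&1; then
  echo "--- unquoted heredoc ---";          render_unquoted
  echo "--- quoted heredoc + envsubst ---"; render_quoted_envsubst
  echo "--- envsubst with allowlist ---";   render_allowlisted
fi
```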


@pelikhan
Collaborator

@copilot there should be only one way to do heredoc and it is quoted + envsubst. Never allow doing unquoted with shell execution.

…n in prompt text

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@@ -1516,7 +1516,7 @@ jobs:
GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
run: |
# shellcheck disable=SC2006,SC2287
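
Review bot: the `# shellcheck disable=SC2006,SC2287` line at the top of this `run: |` block looks unnecessary once the prompt body is emitted through a quoted heredoc (`<< 'PROMPT_EOF'`). SC2006 is the legacy-backtick check, and the shell no longer parses backticks inside a quoted heredoc body, so there should be nothing left for it to flag. Consider dropping the directive from the generator so that shellcheck findings in the rest of the generated step are not suppressed along with it.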
Collaborator

@copilot remove generation of shellcheck comment

Contributor Author

Copilot AI commented Nov 25, 2025

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/user
    • Triggering command: /usr/bin/gh gh api user --jq .login (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title from "[WIP] Add Release ID context to workflows and update documentation" to "Use envsubst with quoted heredoc for environment variable substitution" on Nov 25, 2025
Copilot AI requested a review from pelikhan on November 25, 2025 03:16
pelikhan marked this pull request as ready for review on November 25, 2025 03:17
pelikhan merged commit 9039541 into spellcheck3 on Nov 25, 2025
41 of 42 checks passed
pelikhan deleted the copilot/sub-pr-4713 branch on November 25, 2025 03:17