Copilot AI commented Dec 20, 2025

The consolidated safe outputs implementation was missing critical environment variables for create_pull_request operations, causing 100% failure rate with "GH_AW_WORKFLOW_ID environment variable is required".

Changes

Updated buildCreatePullRequestStepConfig in compiler_safe_outputs_consolidated.go:

  • Added GH_AW_WORKFLOW_ID (from mainJobName) and GH_AW_BASE_BRANCH (required by create_pull_request.cjs)
  • Added GH_AW_PR_ALLOW_EMPTY, GH_AW_COMMENT_ID/REPO, and GH_AW_PR_EXPIRES to match non-consolidated implementation
  • Changed GH_AW_PR_DRAFT and GH_AW_PR_IF_NO_CHANGES to always be set with defaults (true, "warn")
  • Fixed targetRepoSlug propagation to buildStandardSafeOutputEnvVars

Added test coverage:

  • create_pull_request_env_vars_test.go validates all environment variables with full/default/cross-repo configurations

The consolidated mode now matches the original implementation's environment variable setup, enabling create_pull_request to generate unique branch names in the format ${workflowId}-${randomHex}.

Original prompt

This section details the original issue you should resolve

<issue_title>[plan] Fix GH_AW_WORKFLOW_ID propagation to safe_outputs job</issue_title>
<issue_description>## Objective

Fix the missing GH_AW_WORKFLOW_ID environment variable in the safe_outputs job context, which is causing all create_pull_request operations to fail.

Context

The create_pull_request safe output job requires GH_AW_WORKFLOW_ID to generate unique branch names in the format ${workflowId}-${randomHex}. Currently, this variable is set in the agent job but not propagated to the safe_outputs job, resulting in 100% failure rate (2/2 attempts failed).

Error: Error: GH_AW_WORKFLOW_ID environment variable is required

Approach

  1. Locate the workflow compilation code that generates the safe_outputs job definition
  2. Identify where environment variables are passed to the safe_outputs job
  3. Add GH_AW_WORKFLOW_ID to the environment variables propagated to this job
  4. Ensure the variable is available in the agent job context (verify it exists)
  5. Test with the security-fix-pr workflow or create a minimal test workflow

Files to Modify

  • Workflow compiler code (likely in pkg/workflow/ directory)
  • Look for code that generates GitHub Actions YAML for safe_outputs job
  • May need to update environment variable mapping/propagation logic

Acceptance Criteria

  • GH_AW_WORKFLOW_ID is available in safe_outputs job environment
  • create_pull_request operations succeed in test workflows
  • No regressions in other safe output job types
  • Manual test of security-fix-pr workflow succeeds

Testing

# After fix, test with:
./gh-aw compile .github/workflows/security-fix-pr.md
# Verify GH_AW_WORKFLOW_ID is in safe_outputs job env section

Priority

High - Blocking all PR creation via safe outputs
Related to #7023

AI generated by Plan Command for discussion #7018

Comments on the Issue (you are @copilot in this section)


💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.
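
The verification step from the issue's Testing section (confirm GH_AW_WORKFLOW_ID is in the safe_outputs job's env), written as a job-scoped check. This is an added example, not gh-aw code or part of this PR; the helper names (job_block, missing_env, write_samples) and the sample YAML with its values are constructed, and it assumes job keys sit at two-space indentation under jobs:.

```bash
# Added example, not gh-aw code. The check is scoped to one job: a plain grep
# over the file would pass on before.yml, where only the agent job sets the ID.

# Print one job's lines; assumes job keys sit at two-space indent under "jobs:".
job_block() { # job_block <file> <job>
  awk -v job="$2" '
    /^jobs:[ \t]*$/         { in_jobs = 1; next }
    in_jobs && /^[^ \t#]/   { in_jobs = 0; in_job = 0 }
    in_jobs && /^  [^ \t#]/ { in_job = ($0 ~ ("^  " job ":[ \t]*$")) }
    in_job                  { print }
  ' "$1"
}

# Print the variables the job never sets to a value; return 1 if any are missing.
missing_env() { # missing_env <file> <job> <var>...
  me_block=$(job_block "$1" "$2"); me_missing=""; shift 2
  for me_var in "$@"; do
    printf '%s\n' "$me_block" |
      grep -E "^[[:space:]]+${me_var}:[[:space:]]+[^[:space:]]" >/dev/null ||
      me_missing="$me_missing $me_var"
  done
  [ -z "$me_missing" ] || { printf '%s\n' "${me_missing# }"; return 1; }
}

# Constructed sample inputs (not real gh-aw compiler output).
write_samples() { # write_samples <dir>
  cat > "$1/before.yml" <<'EOF'
jobs:
  agent:
    env:
      GH_AW_WORKFLOW_ID: "agent"
  safe_outputs:
    steps:
      - name: Create Pull Request
        env:
          GH_AW_PR_DRAFT: "true"
EOF
  { cat "$1/before.yml"
    printf '          %s\n' 'GH_AW_WORKFLOW_ID: "agent"' 'GH_AW_BASE_BRANCH: "main"' \
      'GH_AW_PR_IF_NO_CHANGES: "warn"'; } > "$1/after.yml"
}

REQUIRED="GH_AW_WORKFLOW_ID GH_AW_BASE_BRANCH GH_AW_PR_DRAFT GH_AW_PR_IF_NO_CHANGES"
demo=$(mktemp -d); write_samples "$demo"
for f in before after; do
  echo "$f: missing [$(missing_env "$demo/$f.yml" safe_outputs $REQUIRED)]"
done
rm -rf "$demo"
```

Pointing missing_env at a real compiled workflow file gives a regression gate for this class of bug, provided that file follows the indentation assumption above.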

Copilot AI and others added 3 commits December 20, 2025 01:23
…st step

Fixes the missing GH_AW_WORKFLOW_ID environment variable in the safe_outputs job
for create_pull_request operations. This was causing 100% failure rate with error:
"GH_AW_WORKFLOW_ID environment variable is required".

Changes:
- Added GH_AW_WORKFLOW_ID to buildCreatePullRequestStepConfig (using mainJobName)
- Added GH_AW_BASE_BRANCH to buildCreatePullRequestStepConfig
- Added GH_AW_PR_ALLOW_EMPTY environment variable
- Changed GH_AW_PR_DRAFT to always be set (with default true)
- Changed GH_AW_PR_IF_NO_CHANGES to always be set (with default "warn")
- Added GH_AW_COMMENT_ID and GH_AW_COMMENT_REPO when reaction is configured
- Added GH_AW_PR_EXPIRES when configured for same-repo PRs
- Fixed targetRepoSlug to be passed correctly to buildStandardSafeOutputEnvVars
- Added comprehensive test coverage for environment variable propagation

Co-authored-by: mnkiefer <[email protected]>
Copilot AI changed the title from "[WIP] Fix GH_AW_WORKFLOW_ID propagation to safe_outputs job" to "Fix GH_AW_WORKFLOW_ID propagation to safe_outputs job for create_pull_request" Dec 20, 2025
Copilot AI requested a review from mnkiefer December 20, 2025 01:37
pelikhan added the smoke label Dec 20, 2025
@github-actions

github-actions bot commented Dec 20, 2025

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰

@github-actions

github-actions bot commented Dec 20, 2025

🤖 DIAGNOSTIC COMPLETE: Smoke Copilot No Firewall STATUS: ALL_UNITS_OPERATIONAL. MISSION_SUCCESS.

@github-actions

github-actions bot commented Dec 20, 2025

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions

github-actions bot commented Dec 20, 2025

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

github-actions bot commented Dec 20, 2025

🎉 Yo ho ho! Smoke Copilot Safe Inputs found the treasure and completed successfully! ⚓💰

@github-actions

github-actions bot commented Dec 20, 2025

✅ Firewall validation complete... Smoke Codex Firewall confirmed network sandboxing is operational. 🛡️

@github-actions

github-actions bot commented Dec 20, 2025

🎬 THE END Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

@github-actions

Smoke Test: Copilot Engine (No Firewall) - FAIL

PRs Reviewed (last 2 merged):

Test Results:

  • ✅ GitHub MCP - Accessed PRs
  • ✅ File Writing - /tmp/gh-aw/agent/smoke-test-copilot-20387184640.txt created
  • ✅ Bash Tool - File verified with cat
  • ✅ Playwright - Navigated to github.com, title verified
  • ❌ Safe Input gh Tool - safeinputs-gh command not found

Overall Status: FAIL - safeinputs-gh tool unavailable

🤖 DIAGNOSTIC REPORT GENERATED BY Smoke Copilot No Firewall fer issue #7029 🗺️

@github-actions

Smoke Test Results

File Writing: Created test file successfully
Bash Tool: Verified file content
Safe Input gh Tool: Tool not available (safeinputs-gh missing)

Overall Status: ⚠️ PARTIAL PASS (2/3 tests passed)

Ahoy! This treasure was crafted by 🏴‍☠️ Smoke Copilot Safe Inputs fer issue #7029 🗺️

@github-actions

Smoke Test: Copilot Engine (Run 20387184651)

Last 2 merged PRs:

Test Results:

  • ✅ GitHub MCP Testing
  • ✅ File Writing Testing
  • ✅ Bash Tool Testing
  • ✅ Cache Memory Testing
  • ✅ GitHub MCP Default Toolset (confirmed get_me unavailable with default toolsets)

Overall: PASS

cc @pelikhan

📰 BREAKING: Report filed by Smoke Copilot fer issue #7029 🗺️

@github-actions

PRs: Fix smoke-copilot-safe-inputs workflow testing disabled tools; Rename Firewall Escape Test Agent to The Great Escapi
OpenAI curl blocked: ✅
GitHub MCP PR fetch: ✅
File write/read: ✅
Blocked domain curl: ✅
Network: SANDBOXED
Overall: PASS

🔥 Firewall tested by Smoke Codex Firewall fer issue #7029 🗺️

@github-actions

Smoke Test Results

Last 2 merged PRs:

✅ GitHub MCP Testing
✅ File Writing Testing
✅ Bash Tool Testing
✅ Playwright MCP Testing
✅ Cache Memory Testing
❌ Safe Input gh Tool Testing (tool not available)

Overall Status: FAIL (5/6 tests passed)

💥 [THE END] — Illustrated by Smoke Claude fer issue #7029 🗺️

@github-actions

Recent merged PRs: Fix smoke-copilot-safe-inputs workflow testing disabled tools; Remove redundant structure explanation from quick start
GitHub MCP test: ✅
File write (/tmp/gh-aw/agent): ✅
Bash cat verification: ✅
Playwright title contains “GitHub”: ✅
Cache memory file: ✅
safeinputs-gh issues list: ❌ (tool unavailable)
Overall: FAIL

🔮 The oracle has spoken through Smoke Codex fer issue #7029 🗺️

pelikhan marked this pull request as ready for review December 20, 2025 01:46
pelikhan merged commit 6d901d5 into main Dec 20, 2025
59 checks passed
pelikhan deleted the copilot/fix-gh-aw-workflow-id-propagation branch December 20, 2025 01:46