fix: propagate top-level environment: to the detection job #38918

Merged
pelikhan merged 5 commits into main from copilot/fix-detection-job-environment-propagation on Jun 12, 2026

Conversation

Copilot AI commented Jun 12, 2026

Contributor

When a workflow declares a top-level environment:, it was propagated to agent, conclusion, pre_activation, and safe_outputs — but silently skipped for detection. The detection job was consuming COPILOT_GITHUB_TOKEN outside the environment gate, bypassing protection rules on every compile.

Changes

  • pkg/workflow/threat_detection.go — buildDetectionJob already had the fix in the current tree (environment := data.Environment), matching the same propagation pattern used by other secret-consuming jobs.

  • pkg/workflow/environment_test.go — Added TestDetectionJobEnvironmentPropagation integration coverage that compiles workflows end-to-end and asserts:

    • top-level env propagated → detection inherits it
    • no env configured → detection has no environment: field
  • pkg/workflow/threat_detection_job_combinations_integration_test.go + pkg/cli/workflows/test-copilot-threat-detection-environment.md — Added an integration workflow fixture test that compiles a real workflow file and verifies the generated detection job contains environment: production.

  • pkg/workflow/environment_test.go — Refactored TestSafeOutputsEnvironmentPropagation to use the pre-existing extractJobSection helper from compiler_test_helpers_test.go, removing duplicated section-extraction logic.
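
The security-relevant point of the description above is that a job which references a secret but carries no `environment:` key runs outside the environment's protection rules (required reviewers, branch restrictions, wait timers). The following is an added example, not code from this PR or from the project: a small Go check that slices a compiled workflow into per-job sections by indentation (the same idea as the `extractJobSection` helper the PR mentions, but written independently here), reads each job's `environment:` in both the scalar and the `name:` mapping form, and lists every job that consumes a named secret without an environment gate. The `compiledBefore` fixture is constructed for this example and mirrors the bug as described (agent and safe_outputs gated, detection not); `jobSections`, `jobEnvironment`, `ungatedJobs` and `compiledAfter` are names invented for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed fixture: a compiled workflow in which the top-level
// environment reached agent and safe_outputs but was dropped for detection.
// It is illustrative only, not output of the project's compiler.
const compiledBefore = `name: example
on: push
permissions: {}
jobs:
  agent:
    runs-on: ubuntu-latest
    environment: production
    steps:
      - run: echo "$TOKEN"
        env:
          TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
  detection:
    runs-on: ubuntu-latest
    needs: agent
    steps:
      - run: echo "$TOKEN"
        env:
          TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
  safe_outputs:
    runs-on: ubuntu-latest
    needs: detection
    environment:
      name: production
    steps:
      - run: echo "$GH_TOKEN"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
`

// compiledAfter derives the fixed fixture: detection gets the same gate.
func compiledAfter() string {
	return strings.Replace(compiledBefore,
		"    needs: agent\n", "    needs: agent\n    environment: production\n", 1)
}

// jobSections splits the text under the top-level jobs: key into one section
// per job (2-space indented keys), returning job names in file order plus the
// raw text of each section. Indentation-based, so it needs no YAML library.
func jobSections(yaml string) ([]string, map[string]string) {
	var names []string
	sections := map[string]string{}
	inJobs, current := false, ""
	for _, line := range strings.Split(yaml, "\n") {
		trimmed := strings.TrimRight(line, " \t")
		indent := len(trimmed) - len(strings.TrimLeft(trimmed, " "))
		switch {
		case !inJobs:
			inJobs = trimmed == "jobs:"
		case trimmed != "" && indent == 0:
			return names, sections // another top-level key ends the jobs: map
		case indent == 2 && strings.HasSuffix(trimmed, ":"):
			current = strings.TrimSpace(strings.TrimSuffix(trimmed, ":"))
			names = append(names, current)
			sections[current] = line + "\n"
		case current != "":
			sections[current] += line + "\n"
		}
	}
	return names, sections
}

// jobEnvironment returns the job-level environment name, accepting both
// "environment: production" and the mapping form with a nested "name:" key.
func jobEnvironment(section string) (string, bool) {
	lines := strings.Split(section, "\n")
	for i, line := range lines {
		indent := len(line) - len(strings.TrimLeft(line, " "))
		t := strings.TrimSpace(line)
		if indent != 4 || !strings.HasPrefix(t, "environment:") {
			continue
		}
		if v := strings.TrimSpace(strings.TrimPrefix(t, "environment:")); v != "" {
			return v, true
		}
		for _, sub := range lines[i+1:] { // mapping form: look for nested name:
			st := strings.TrimSpace(sub)
			if strings.HasPrefix(st, "name:") {
				return strings.TrimSpace(strings.TrimPrefix(st, "name:")), true
			}
			if sub != "" && len(sub)-len(strings.TrimLeft(sub, " ")) <= 4 {
				break
			}
		}
		return "", true // declared, but no name found
	}
	return "", false
}

// ungatedJobs lists jobs that reference secrets.<secret> yet declare no
// environment:, i.e. consume the secret outside the protection rules.
func ungatedJobs(yaml, secret string) []string {
	names, sections := jobSections(yaml)
	var bad []string
	for _, name := range names {
		_, gated := jobEnvironment(sections[name])
		if strings.Contains(sections[name], "secrets."+secret) && !gated {
			bad = append(bad, name)
		}
	}
	return bad
}

func main() {
	for _, c := range []struct{ label, yaml string }{
		{"before", compiledBefore}, {"after", compiledAfter()},
	} {
		fmt.Printf("%s: jobs using COPILOT_GITHUB_TOKEN without environment: %v\n",
			c.label, ungatedJobs(c.yaml, "COPILOT_GITHUB_TOKEN"))
	}
}
```

Run against the "before" fixture the check names only `detection`; against the fixed fixture it names nothing. A check of this shape belongs in the compiler's integration tests rather than in a reviewer's head, because the gap is invisible in a green run: the secret resolves either way, and only the protection rules are skipped.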

…tion test

- The `buildDetectionJob` function in `threat_detection.go` already inherits
  `data.Environment` so the detection job receives the same `environment:` field
  as `agent`, `conclusion`, `pre_activation`, and `safe_outputs` jobs.
- Add `TestDetectionJobEnvironmentPropagation` integration test to
  `environment_test.go` that compiles a full workflow and asserts the detection
  job section contains (or omits) the expected `environment:` value.
- Refactor `TestSafeOutputsEnvironmentPropagation` to use the pre-existing
  `extractJobSection` helper from `compiler_test_helpers_test.go`, removing
  duplicated section-extraction logic.

Closes #38900

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix environment propagation to detection job" to "fix: propagate top-level environment: to the detection job" Jun 12, 2026
Copilot AI requested a review from pelikhan June 12, 2026 20:16
@pelikhan pelikhan marked this pull request as ready for review June 12, 2026 21:11
Copilot AI review requested due to automatic review settings June 12, 2026 21:11

Copilot AI left a comment

Contributor


Pull request overview

Adds an end-to-end integration test to ensure the compiled workflow YAML propagates a top-level environment: to the detection job (and respects the safe-outputs.threat-detection.environment override), and refactors an existing environment propagation test to reuse the shared job-section extraction helper.

Changes:

  • Refactor TestSafeOutputsEnvironmentPropagation to use extractJobSection, removing duplicated YAML slicing logic.
  • Add TestDetectionJobEnvironmentPropagation covering environment propagation and precedence for the detection job across three scenarios.
Summary per file:

  • pkg/workflow/environment_test.go — Refactors safe_outputs env assertions to use extractJobSection and adds an integration test verifying detection job environment propagation + override precedence.

Copilot's findings


  • Files reviewed: 1/1 changed files
  • Comments generated: 0

@pelikhan

Collaborator

@copilot add integration workflow test for this scenario

…tion

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jun 12, 2026

Contributor Author

@copilot add integration workflow test for this scenario

Added an integration workflow fixture test for this scenario in dbb1a79.

It now compiles pkg/cli/workflows/test-copilot-threat-detection-environment.md and asserts the compiled detection job inherits environment: production from top-level environment:.

@pelikhan pelikhan merged commit 064d119 into main Jun 12, 2026
@pelikhan pelikhan deleted the copilot/fix-detection-job-environment-propagation branch June 12, 2026 21:41
3 participants