Fix SC2129: use grouped redirect for prompt construction in compiler template

[Copilot]

The compiler was emitting multiple individual > / >> redirects to $GH_AW_PROMPT, triggering SC2129 in 151 of 158 compiled workflows (164 occurrences). Since this is a compiler artifact, fixing the template eliminates all instances at once.

Changes

• pkg/workflow/unified_prompt_step.go — Wrap all prompt construction commands in a single grouped redirect. Removed isFirstContent tracking (was used to switch between > and >>).

  Before:

  cat << 'GH_AW_PROMPT_EOF' > "$GH_AW_PROMPT"
  <system>
  GH_AW_PROMPT_EOF
  cat "/opt/gh-aw/prompts/xpia.md" >> "$GH_AW_PROMPT"
  cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT"
  cat << 'GH_AW_PROMPT_EOF' >> "$GH_AW_PROMPT"
  ...

  After:

  {
  cat << 'GH_AW_PROMPT_EOF'
  <system>
  GH_AW_PROMPT_EOF
  cat "/opt/gh-aw/prompts/xpia.md"
  cat "/opt/gh-aw/prompts/temp_folder_prompt.md"
  cat << 'GH_AW_PROMPT_EOF'
  ...
  } > "$GH_AW_PROMPT"

• Tests — Updated TestGenerateUnifiedPromptCreationStep_FirstContentUsesCreate → TestGenerateUnifiedPromptCreationStep_UsesGroupedRedirect to assert the new pattern; updated integration/golden tests that searched for the old > "$GH_AW_PROMPT" heredoc pattern.

• Lock files — Regenerated all 158 workflows via make recompile. SC2129 count: 164 → 0.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw -nolocalimports -importcfg echo fall�� /home/REDACTED/work/gh-aw/gh-aw/pkg/repoutil/repoutil.go /home/REDACTED/work/gh-aw/gh-aw/pkg/repoutil/repoutil_test.go 8001564/b430/workflow.test set-url origin x_amd64/vet 8001564/b430/workflow.test (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw x_amd64/vet /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git /tmp/gh-aw-test-git config /usr/bin/git git (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw git /usr/bin/git git _lab�� --show-toplevel git /usr/bin/git --show-toplevel ache/node/24.13.rev-parse /usr/bin/git git (http block)
• https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha runs/20260222-120346-15210/test-1621878993/.github/workflows (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet /usr/bin/git /tmp/go-build138git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha 8001564/b395=> git 0/x64/bin/node --show-toplevel /opt/hostedtoolcrev-parse /usr/bin/git git rev-�� --show-toplevel git 0/x64/bin/node l && debian-sa1 git Test User /usr/bin/git git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/11bd71901bbe5b1630ceea73d27597364c9af683
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/11bd71901bbe5b1630ceea73d27597364c9af683 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v3
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha 5778932/b061/vet.cfg /tmp/go-build1546371119/b223/vet.cfg ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha --show-toplevel 3fdfd1e3..HEAD /usr/bin/git -unreachable=falgit /tmp/go-build154rev-parse 64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git 5778932/b081/vetgit /tmp/go-build154rev-parse ache/go/1.25.0/x--show-toplevel git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel nly /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel ache/go/1.25.0/xrev-parse /usr/bin/git git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v4 --jq .object.sha (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v4 --jq .object.sha /tmp/go-build1385778932/b203/vet.cfg -dwarf=false /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet go1.25.0 -c=4 -nolocalimports /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -uns�� runs/20260222-120346-15210/test-2182255266/.github/workflows /tmp/go-build1891972389/b001/_testmain.go 8001564/b354/vet.cfg l 4175913+pelikhanrev-parse x_amd64/asm /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v4 --jq .object.sha test.txt resolved$ /usr/bin/git HEAD (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v5
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha 4112472476/.github/workflows (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha ithub/workflows/brave.md -buildtags ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -errorsas -ifaceassert -nilfunc ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --git-dir x_amd64/vet /usr/bin/git --noprofile .cfg x_amd64/vet git rev-�� --git-dir x_amd64/vet /usr/bin/git command -v debiagit (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/infocmp-f --show-toplevel ls /usr/bin/git infocmp (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v7
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v7 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v7 --jq .object.sha --show-toplevel git /usr/bin/git p/TestGetNpmBinPnode git /usr/bin/git git rev-�� ch git /usr/bin/git --show-toplevel git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v7 --jq .object.sha --show-toplevel find /usr/bin/git -maxdepth 4 /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git 0/x64/bin/node git (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v8
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -c=4 -nolocalimports -importcfg /tmp/go-build2668001564/b391/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/pkg/envutil/envutil.go /home/REDACTED/work/gh-aw/gh-aw/pkg/envutil/envutil_test.go conf�� --local .cfg x_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -c=4 -nolocalimports -importcfg /tmp/go-build2668001564/b394/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/pkg/fileutil/fileutil.go /home/REDACTED/work/gh-aw/gh-aw/pkg/fileutil/fileutil_test.go conf�� --local .cfg x_amd64/vet (http block)
• https://api.github.com/repos/actions/setup-go/git/ref/tags/4dc6199c7b1a012772edbd06daecab0f50c9053c
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/4dc6199c7b1a012772edbd06daecab0f50c9053c --jq .object.sha --show-toplevel infocmp /usr/bin/infocmp xterm-color sed /usr/bin/git infocmp -1 xterm-color git r: $owner, name: $name) { hasDiscussionsEnabled } } -m Initial commit 0/x64/bin/node sed (http block)
• https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha /tmp/go-build1385778932/b136/vet-errorsas conntrack /opt/hostedtoolcache/go/1.25.0/x-nilfunc INVALID,NEW -j DROP /opt/hostedtoolcache/go/1.25.0/x-tests -uns�� runs/20260222-120346-15210/test-3042406684/.github/workflows (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha --show-toplevel ache/go/1.25.0/x64/pkg/tool/linu-w /usr/bin/git t.go t_test.go 0/x64/bin/node git rev-�� --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet /usr/bin/find vaScript25395740git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha tags/v5 git /usr/lib/git-core/git --show-toplevel ache/go/1.25.0/xrev-parse /usr/bin/git /usr/lib/git-core/git main�� run --auto 0/x64/bin/node --detach /opt/hostedtoolcrev-parse /usr/bin/git git (http block)
• https://api.github.com/repos/actions/setup-go/git/ref/tags/v5
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v5 --jq .object.sha --show-toplevel git $name) { hasDiscussionsEnabled } } --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git e/git --show-toplevel git /usr/bin/git e/git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v5 --jq .object.sha /repos/actions/checkout/git/ref/tags/v3 --jq $name) { hasDiscussionsEnabled } } 49ff36eb45a39981git /opt/hostedtoolc-c /usr/bin/git git rev-�� --show-toplevel git e/git --show-toplevel git /usr/bin/git e/git (http block)
• https://api.github.com/repos/actions/setup-go/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v6 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� 13b2a6e3..HEAD git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v6 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� heckout/git/ref/tags/v4 git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v6 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� etup-node/git/ref/tags/v4 git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha /ref/tags/v8 owner /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linu-importcfg 0 -j ACCEPT /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linu/home/REDACTED/work/gh-aw/gh-aw/pkg/styles/theme_test.go -uns�� 0346-15210/test-2331256360 k/_temp/ghcca-no-buildtags 8001564/b291/vet.cfg k/_temp/copilot-git 4175913+pelikhanrev-parse rgo/bin/git /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha --show-toplevel ache/go/1.25.0/x64/pkg/tool/linu-ifaceassert /usr/bin/git --noprofile stmain.go 64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel 64/pkg/tool/linux_amd64/compile /tmp/TestGetNpmBinPathSetup_GorootOrdering2175042872/001/go/1.25.0/x64/bin/go g_.a (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha /repos/actions/ai-inference/git/ref/tags/v1 --jq /usr/bin/git --show-toplevel ache/go/1.25.0/xrev-parse /usr/bin/git git add initial.txt git 0/x64/bin/node --show-toplevel /opt/hostedtoolcrev-parse /usr/bin/git git (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git e/git git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha 1221595a9f06d8a613b2a6e3..HEAD git /usr/bin/git --show-toplevel wc x_amd64/vet git rev-�� --show-toplevel x_amd64/vet r: $owner, name:-f HEAD git 0/x64/bin/node git (http block)
• https://api.github.com/repos/anchore/sbom-action/git/ref/tags/v0
  • Triggering command: /usr/bin/gh gh api /repos/anchore/sbom-action/git/ref/tags/v0 --jq .object.sha --show-toplevel bash /usr/bin/git source '/home/rugit /usr/lib/git-cor-C x_amd64/vet git rev-�� --show-toplevel x_amd64/vet r: $owner, name: $name) { hasDiscussionsEnabled } } --show-toplevel git 0/x64/bin/node git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/anchore/sbom-action/git/ref/tags/v0 --jq .object.sha --show-toplevel git /usr/bin/gh --show-toplevel git /usr/bin/git gh api /repos/actions/cremote.origin.url --jq /usr/bin/sed HEAD git 0/x64/bin/node sed (http block)
• https://api.github.com/repos/docker/build-push-action/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/docker/build-push-action/git/ref/tags/v6 --jq .object.sha --show-toplevel bash /usr/bin/git source '/home/ruinfocmp git x_amd64/cgo git rev-�� --show-toplevel x_amd64/cgo /usr/bin/git --show-toplevel git 0/x64/bin/node git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/docker/build-push-action/git/ref/tags/v6 --jq .object.sha --show-toplevel git /usr/bin/infocmp --show-toplevel git /usr/bin/git infocmp -1 xterm-color git /usr/bin/bash --exact-match --tags 0/x64/bin/node bash (http block)
• https://api.github.com/repos/docker/login-action/git/ref/tags/v3
  • Triggering command: /usr/bin/gh gh api /repos/docker/login-action/git/ref/tags/v3 --jq .object.sha --show-toplevel find (http block)
  • Triggering command: /usr/bin/gh gh api /repos/docker/login-action/git/ref/tags/v3 --jq .object.sha --show-toplevel git /usr/bin/infocmp --show-toplevel git (http block)
• https://api.github.com/repos/docker/metadata-action/git/ref/tags/v5
  • Triggering command: /usr/bin/gh gh api /repos/docker/metadata-action/git/ref/tags/v5 --jq .object.sha --show-toplevel go (http block)
  • Triggering command: /usr/bin/gh gh api /repos/docker/metadata-action/git/ref/tags/v5 --jq .object.sha --show-toplevel git /usr/bin/infocmp --show-toplevel sed /usr/bin/git infocmp -1 xterm-color git /usr/bin/sed user.name Test User 0/x64/bin/node sed (http block)
• https://api.github.com/repos/docker/setup-buildx-action/git/ref/tags/v3
  • Triggering command: /usr/bin/gh gh api /repos/docker/setup-buildx-action/git/ref/tags/v3 --jq .object.sha --show-toplevel bash /usr/bin/git source '/home/rugit git x_amd64/compile git rev-�� --show-toplevel x_amd64/compile r: $owner, name: $name) { hasDiscussionsEnabled } } --show-toplevel git 0/x64/bin/node git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/docker/setup-buildx-action/git/ref/tags/v3 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� heckout/git/ref/remote.origin.url git r: $owner, name: $name) { hasDiscussionsEnabled } } --show-toplevel git 0/x64/bin/node bash (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
  • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 6371119/b102/vet.cfg x_amd64/vet OUTPUT -d 168.63.129.16 x_amd64/vet ortc�� .cfg stmain.go 64/pkg/tool/linux_amd64/vet 0 -j ACCEPT 64/pkg/tool/linux_amd64/vet (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
  • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 6371119/b133/vetgithub.com/github/gh-aw/scripts x_amd64/link (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
  • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 6371119/b092/vet.cfg 64/pkg/tool/linux_amd64/vet (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
  • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 6371119/b097/vet.cfg x_amd64/compile OUTPUT -d 168.63.129.16 x_amd64/compile .cfg�� pkg/mod/github.com/davecgh/go-spew@v1.1.1/spew/bypass.go pkg/mod/github.com/davecgh/go-spew@v1.1.1/spew/common.go 64/pkg/tool/linux_amd64/vet 0 -j ACCEPT 64/pkg/tool/linux_amd64/vet (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
  • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 6371119/b139/vet.cfg x_amd64/vet OUTPUT -d 168.63.129.16 x_amd64/vet .cfg�� --noprofile conntrack 64/pkg/tool/linux_amd64/vet INVALID,NEW -j DROP 64/pkg/tool/linux_amd64/vet (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
  • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 6371119/b099/vet.cfg x_amd64/compile OUTPUT -d 168.63.129.16 x_amd64/compile --no�� .cfg owner x_amd64/compile 0 -j ACCEPT x_amd64/compile (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
  • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 6371119/b114/vet.cfg x_amd64/compile OUTPUT -d 168.63.129.16 x_amd64/compile --no�� .cfg conntrack x_amd64/compile INVALID,NEW -j DROP x_amd64/compile (http block)
• https://api.github.com/repos/github/gh-aw/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path submodules | head -n 10 (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/a70c5eada06553e3510ac27f2c3bda9d3705bccb
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/a70c5eada06553e3510ac27f2c3bda9d3705bccb --jq .object.sha --show-toplevel git ch --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel bash /usr/bin/git git (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha .cfg 6371119/b215/vet.cfg 64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha /home/REDACTED/work/gh-aw/gh-aw/.github/workflows/brave.md x_amd64/vet /usr/bin/git se 6371119/b079/vetrev-parse x_amd64/vet git rev-�� --show-toplevel x_amd64/vet /usr/bin/git .cfg 6371119/b181/vetrev-parse 64/pkg/tool/linu--show-toplevel git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel 64/pkg/tool/linujs/fuzz_mentions_harness.cjs /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel 64/pkg/tool/linujs/fuzz_sanitize_label_harness.cjs /usr/bin/git git (http block)
• https://api.github.com/repos/githubnext/agentics/git/ref/tags/
  • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel git /opt/hostedtoolc--git-dir git rev-�� --show-toplevel node /usr/bin/git install --package-lock-o-C /usr/bin/git git (http block)
• https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha .cfg 6371119/b218/vet.cfg 64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha github.repository x_amd64/vet /usr/bin/git se 6371119/b054/vetrev-parse 64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel 64/pkg/tool/linu-tests /usr/bin/git .cfg 6371119/b178/vetrev-parse 64/pkg/tool/linu--show-toplevel git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel 64/pkg/tool/linujs/fuzz_mentions_harness.cjs /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel 64/pkg/tool/linujs/fuzz_sanitize_label_harness.cjs /usr/bin/git in 2>/dev/null | tr '\n' ':')$PATH"; [ -n "$GOROOT" ] && export (http block)
• https://api.github.com/repos/nonexistent/repo/actions/runs/12345
  • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion (http block)
• https://api.github.com/repos/owner/repo/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo x_amd64/vet (http block)
• https://api.github.com/repos/owner/repo/contents/file.md
  • Triggering command: /tmp/go-build2668001564/b380/cli.test /tmp/go-build2668001564/b380/cli.test -test.testlogfile=/tmp/go-build2668001564/b380/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true (http block)
• https://api.github.com/repos/test-owner/test-repo/actions/secrets
  • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name submodules | head -n 10 (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[plan] Fix SC2129 compiler template: use grouped redirects instead of sequential >></issue_title>
<issue_description>## Objective

Fix the compiler template that generates cat << 'GH_AW_PROMPT_EOF' > "$GH_AW_PROMPT" followed by >> appends, which triggers SC2129 (style suggestion: use grouped redirects) across 151 of 158 compiled workflows.

Context

From Static Analysis Report discussion github/gh-aw#17668 (2026-02-22 scan):

• 164 SC2129 occurrences across 151 workflows — the most widespread issue
• SC2129 is a compiler output artifact — the shell script template in the compiler generates this pattern, so all lock files inherit it
• Fixing at the compiler level will eliminate 151 workflow issues at once

Technical Details

SC2129: "Consider using { cmd1; cmd2; } > file instead of individual redirects."

The compiler currently generates something like:

cat << 'GH_AW_PROMPT_EOF' > "$GH_AW_PROMPT"
...first chunk...
GH_AW_PROMPT_EOF
echo "...more content..." >> "$GH_AW_PROMPT"

The fix is to use a single grouped redirect or a single heredoc for the entire prompt construction, avoiding multiple separate >> redirections.

Steps

1. Locate the shell script template in the compiler — search for the GH_AW_PROMPT_EOF heredoc pattern in pkg/workflow/ or actions/setup/sh/
2. Refactor the generated shell script to use grouped redirects or consolidate all prompt construction into a single heredoc/command group
3. Run make recompile to regenerate all lock files with the new template
4. Verify SC2129 no longer appears: actionlint .github/workflows/*.lock.yml 2>&1 | grep SC2129 | wc -l should return 0
5. Run make agent-finish to validate everything passes

Acceptance Criteria

• SC2129 no longer appears in any compiled lock files
• All 158 workflows compile successfully
• make agent-finish passes

Generated by Plan Command for issue #discussion #17668

• expires on Feb 24, 2026, 7:00 AM UTC

Comments on the Issue (you are @copilot in this section)

• Fixes [plan] Fix SC2129 compiler template: use grouped redirects instead of sequential >> #17670

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

---

Fix SC2129: use grouped redirect for prompt construction in compiler template

The compiler was emitting multiple individual > / >> redirects to $GH_AW_PROMPT, triggering SC2129 in 151 of 158 compiled workflows (164 occurrences). Wrapping the prompt construction commands in a grouped redirect removes every occurrence at once.

Changes

• pkg/workflow/unified_prompt_step.go — wrap all prompt construction commands in a single grouped redirect block and remove the isFirstContent counter that switched between > and >>.
• Tests — update the unified prompt creation tests plus the integration/golden assertions so they look for the grouped redirect pattern instead of individual heredocs.
• Lock files — run make recompile to regenerate all 158 workflows, bringing the SC2129 count down to zero.

Warning

Firewall rules blocked some GitHub API calls while preparing these changes.

• Fixes [plan] Fix SC2129 compiler template: use grouped redirects instead of sequential >> #17670

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Changeset

• Type: patch
• Description: Wrap compiler prompt construction in a grouped redirect to avoid SC2129 warnings in the generated workflows.

Generated by Changeset Generator for issue #17687

Warning

⚠️ Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• github.com

---

---

✨ PR Review Safe Output Test - Run 22276964835

💥 [THE END] — Illustrated by Smoke Claude

[github-actions]

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

✅ Commit pushed: 09ffb7e

[github-actions]

Smoke test §22276964843 — @pelikhan @Copilot

Test
GitHub MCP	❌
safeinputs-gh	✅
Serena MCP	❌
Playwright	✅
File Writing	✅
Bash Tool	✅
Discussion Interaction	✅
Build gh-aw	✅
Discussion Creation	✅
Workflow Dispatch	✅
PR Review	✅

Overall: PASS (GitHub MCP + Serena unavailable in sandbox)

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

PRs (merged): #17667 Add templatable integer support for safe output max fields; #17653 Convert boolean safe output fields to templatable bools
GitHub MCP: ✅
Serena MCP: ✅
Playwright: ✅
File write: ✅
Bash cat: ✅
Build: ✅
Overall: PASS

🔮 The oracle has spoken through Smoke Codex

[Copilot]

Pull request overview

Refactors the compiler’s unified prompt-construction shell snippet to avoid ShellCheck SC2129 by emitting a single grouped redirect when writing $GH_AW_PROMPT, and updates tests/golden outputs accordingly.

Changes:

• Update prompt creation template to wrap all cat/heredoc output in { ... } > "$GH_AW_PROMPT" (eliminating repeated >> redirects).
• Adjust unit/integration assertions to match the grouped-redirect output.
• Regenerate workflow lock files and WASM golden fixtures to reflect the new compiled output.

Reviewed changes

Copilot reviewed 169 out of 169 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
pkg/workflow/unified_prompt_step.go	Emits prompt construction as a grouped redirect into $GH_AW_PROMPT.
pkg/workflow/template_expression_integration_test.go	Updates prompt-content assertions for the new grouped redirect output shape.
pkg/workflow/secure_markdown_rendering_test.go	Updates expression-sanitization assertions for the new prompt construction output shape.
pkg/workflow/heredoc_interpolation_test.go	Updates checks around expression replacement; still validates quoted heredoc delimiters.
pkg/workflow/temp_folder_test.go	Updates expectations to match grouped redirect (no > / >> on each cat).
pkg/workflow/prompts_test.go	Updates expectations for prompt file inclusion without per-command redirects.
pkg/workflow/testdata/wasm_golden/**	Golden outputs updated to reflect the grouped redirect pattern.
.github/workflows/*.lock.yml	Recompiled lock workflows now use grouped redirect for prompt creation.
.changeset/patch-grouped-prompt-redirect.md	Records the change as a patch release note.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The test checks for "${GH_AW_" twice (once before and again after the original-expression check). This is redundant and makes failures noisier without increasing coverage. Consider keeping a single assertion for the placeholder references and removing the duplicate block.

[github-actions]

💥 Automated smoke test review - all systems nominal!

This PR correctly addresses SC2129 by wrapping all the cat/heredoc commands in a grouped redirect { ... } > "$GH_AW_PROMPT". The fix is clean, minimal, and eliminates all 164 SC2129 occurrences across 151 compiled workflows in one shot.

💥 [THE END] — Illustrated by Smoke Claude