Extract hardcoded file paths to named constants #39938
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Pull request overview
This PR centralizes previously hardcoded filesystem/workspace path literals into named constants (primarily in pkg/constants/constants.go) and updates workflow/compiler/parser/CLI code to reference those constants, including a small DIFC proxy log exclusion fix.
Changes:
- Added grouped path constants for repo-relative dirs, /tmp/gh-aw runtime layout, shell/env/action-expression forms, and a few system paths.
- Replaced hardcoded path literals across workflow compilation/rendering, parser path handling, and CLI utilities with constant references.
- Fixed DIFC proxy log artifact exclusion construction by using a dedicated proxy TLS directory constant rather than runtime string slicing.
Show a summary per file
| File | Description |
|---|---|
| pkg/workflow/threat_detection.go | Uses centralized threat detection log path constant. |
| pkg/workflow/step_order_validation.go | Replaces hardcoded temp/path prefixes with constants for redaction scanning rules. |
| pkg/workflow/setup_action_paths.go | Adds workflow-scoped constants for safe-jobs and upload-artifacts staging paths. |
| pkg/workflow/safe_outputs_steps.go | Uses temp dir constant for artifact download path. |
| pkg/workflow/safe_outputs_config_generation.go | Uses repo-memory temp dir constant when generating config paths. |
| pkg/workflow/safe_jobs.go | Uses new safe-jobs download constants for expression-based paths. |
| pkg/workflow/runtime_import_validation.go | Uses .github/ prefix constant for normalization logic. |
| pkg/workflow/repo_memory.go | Uses repo-memory temp dir constant for memory directories/artifact paths. |
| pkg/workflow/pi_engine.go | Uses constants for prompt and Pi agent dir paths. |
| pkg/workflow/opencode_mcp.go | Uses constant for MCP servers JSON config path. |
| pkg/workflow/mcp_renderer_builtin.go | Uses GhAwBinaryPath constant for release-mode entrypoint. |
| pkg/workflow/mcp_environment.go | Uses constant for Codex MCP config directory path. |
| pkg/workflow/mcp_config_playwright_renderer.go | Uses constant for Playwright MCP logs output dir. |
| pkg/workflow/gemini_mcp.go | Uses constant for MCP servers JSON config path (shell form). |
| pkg/workflow/gemini_logs.go | Uses constant for agent stdio log path. |
| pkg/workflow/gemini_engine.go | Uses constants for prompt path and Gemini error glob. |
| pkg/workflow/frontmatter_extraction_metadata.go | Uses .github/ prefix constant for source URL construction. |
| pkg/workflow/engine_output.go | Uses temp dir prefix constant when filtering output files. |
| pkg/workflow/crush_mcp.go | Uses constant for MCP servers JSON config path. |
| pkg/workflow/crush_engine.go | Uses constant for prompt file path. |
| pkg/workflow/copilot_logs.go | Uses constant for sandbox agent logs directory. |
| pkg/workflow/copilot_engine.go | Uses .github/ prefix constant for manifest path prefixes. |
| pkg/workflow/copilot_engine_execution.go | Uses constants for temp dirs, prompt path, and Copilot binary path. |
| pkg/workflow/compiler_yaml.go | Uses .github/ prefix constant in path normalization / workspace root resolution. |
| pkg/workflow/compiler_yaml_main_job.go | Uses constants for prompt/log paths and artifact collection globs/dirs. |
| pkg/workflow/compiler_safe_outputs_job.go | Uses temp dir constant for patch artifact download paths. |
| pkg/workflow/compiler_main_job.go | Uses constant for safe-outputs MCP log dir env var. |
| pkg/workflow/compiler_difc_proxy.go | Uses constants for proxy TLS CA path and fixes log exclusion glob building. |
| pkg/workflow/codex_mcp.go | Uses constant for MCP servers JSON config path (shell form). |
| pkg/workflow/codex_engine.go | Uses constants for MCP config/log dirs and prompt/TOML paths. |
| pkg/workflow/claude_mcp.go | Uses constant for MCP servers JSON config path (shell form). |
| pkg/workflow/claude_engine.go | Uses constant for MCP servers JSON Actions-expression path. |
| pkg/workflow/awf_helpers.go | Uses constants for RUNNER_TEMP gh-aw root and DIFC proxy CA cert path. |
| pkg/workflow/antigravity_mcp.go | Uses constant for MCP servers JSON config path (shell form). |
| pkg/workflow/antigravity_logs.go | Uses constant for agent stdio log path. |
| pkg/workflow/antigravity_engine.go | Uses constants for prompt path and Antigravity error glob. |
| pkg/workflow/agentic_engine.go | Uses constant for default agent stdio log path. |
| pkg/parser/remote_fetch.go | Uses constants for workflows/agents dir detection and .github/ prefix checks. |
| pkg/parser/mcp.go | Uses constant for Playwright MCP logs docker volume mount spec. |
| pkg/parser/include_expander.go | Uses .github/ prefix constant when resolving imports. |
| pkg/parser/import_field_extractor.go | Uses .github/ prefix constant when computing import-relative paths. |
| pkg/linters/hardcodedfilepath/hardcodedfilepath.go | Adds //nolint:hardcodedfilepath annotations to linter’s own canonical prefixes. |
| pkg/constants/constants.go | Adds grouped path constants and updates GetWorkflowDir() to return WorkflowsDir. |
| pkg/cli/trial_repository.go | Uses workflows dir constant for trial compilation markdown path. |
| pkg/cli/shell_completion.go | Uses constants for Homebrew prefixes and bash completion paths. |
| pkg/cli/mcp_tools_privileged.go | Uses constant for MCP logs output directory in privileged tools. |
| pkg/cli/logs_run_processor.go | Uses workflows dir constant when inferring lockfile paths. |
| pkg/cli/includes.go | Uses .github/ prefix constant when resolving shared includes. |
| pkg/cli/git.go | Uses workflow dir/gitattributes constants and adds a nolint on a log string. |
| actions/setup-cli/install.sh | Adjusts header comment related to script sync/copy instructions. |
Copilot's findings
- Files reviewed: 50/50 changed files
- Comments generated: 1
| set +o histexpand | ||
|
|
||
| # Kept in sync with install-gh-aw.sh — edit that file, then copy to this path. | ||
| # Kept in sync with actions/setup-cli/install.sh — edit this file, then copy to that path. |
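Review bot: the replacement header comment names actions/setup-cli/install.sh as the file this script is "kept in sync with", yet the per-file summary lists this change under actions/setup-cli/install.sh itself, so the script would point at itself and lose the reference to install-gh-aw.sh. If install-gh-aw.sh remains the file to edit, keep the original wording in this copy (or have the copy step rewrite the header), so a later fix is not made in the wrong file and overwritten on the next sync.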
|
Please summarize the remaining blockers after the review note is addressed.
|
|
@copilot review all comments and address the unresolved review note, then rebase/push an update.
|
|
@copilot merge main and recompile |
…extract-hardcoded-paths # Conflicts: # actions/setup-cli/install.sh Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
|
✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready. |
|
🚀 Smoke Gemini MISSION COMPLETE! Gemini has spoken. ✨ |
|
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨ |
|
🚀 Smoke Antigravity MISSION COMPLETE! Antigravity has spoken. ✨ |
|
🚀 Smoke Pi MISSION COMPLETE! Pi delivered. 🥧 |
|
✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟 |
|
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing... |
|
📰 BREAKING: Smoke Copilot - AOAI (apikey) is now investigating this pull request. Sources say the story is developing... |
|
📰 BREAKING: Smoke Copilot - AOAI (Entra) is now investigating this pull request. Sources say the story is developing... |
Smoke Test Results
Overall Status: FAIL
Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
```yaml
network:
  allowed:
    - defaults
    - "localhost"
```
See Network Configuration for more information.
|
Agent Container Tool Check
Result: 12/12 tools available ✅ Overall Status: PASS
|
💥 Smoke Test: Claude — Run 27737100396
Core #1-12: all ✅
Overall: PARTIAL (1 skipped)
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
```yaml
network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"
```
See Network Configuration for more information.
|
💥 Automated smoke test review - all systems nominal!
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
- accounts.google.com
- android.clients.google.com
- clients2.google.com
- contentautofill.googleapis.com
- safebrowsingohttpgateway.googleapis.com
- www.google.com
To allow these domains, add them to the network.allowed list in your workflow frontmatter:
```yaml
network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"
```
See Network Configuration for more information.
💥 [THE END] — Illustrated by Smoke Claude
| // Find git root and add .github/workflows relative to it | ||
| if gitRoot, err := gitutil.FindGitRoot(); err == nil { | ||
| workflowsPath := filepath.Join(gitRoot, ".github/workflows/") | ||
| workflowsPath := filepath.Join(gitRoot, constants.WorkflowsDirSlash) |
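Review bot: in the filepath.Join call, the trailing slash that the name constants.WorkflowsDirSlash implies (and that the removed literal ".github/workflows/" had) has no effect, because filepath.Join cleans its result and drops a trailing separator. Passing constants.WorkflowsDir here states the intent more directly and leaves the Slash variant for prefix comparisons, where the trailing separator is what stops ".github/workflows" from matching a sibling directory that merely starts with the same characters.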
Nice — extracting .github/workflows/ into constants.WorkflowsDirSlash improves consistency.
|
|
||
| gitAttributesPath := filepath.Join(gitRoot, ".gitattributes") | ||
| lockYmlEntry := ".github/workflows/*.lock.yml linguist-generated=true merge=ours" | ||
| lockYmlEntry := constants.WorkflowsLockYmlGitAttributesEntry |
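Review bot: constants.WorkflowsLockYmlGitAttributesEntry replaces a literal that combined a path glob with git attributes (linguist-generated=true merge=ours), and the PR description also lists a WorkflowsLockYmlGlob constant, so the lock-file pattern may now be spelled out in two places. Consider composing the entry from WorkflowsLockYmlGlob plus the attribute string so the glob is defined once, and confirm the new constant reproduces the removed literal byte for byte, since its value is not visible in this hunk.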
Good use of constants.WorkflowsLockYmlGitAttributesEntry for the gitattributes entry.
|
Smoke Copilot: Extract hardcoded file paths to named constants
|
|
Smoke test: FAIL
|
Comment Memory
Note: This comment is managed by comment memory. It stores persistent context for this thread in the code block at the top of this comment.
|
Smoke Copilot review: tool paths, build, and safe outputs all exercised.
📰 BREAKING: Report filed by Smoke Copilot
|
Smoke test results:
✅ Test1 ❌ Test2 ❌ Test3 ✅ Test4 ✅ Test5 ✅ Test6 ❌ Test7 ✅ Test8
Overall: FAIL

cc:
|
120 hardcoded file path literals were scattered across 55 files, creating maintenance risk and making path configuration opaque. This PR centralizes all path definitions as named constants.

New constants (pkg/constants/constants.go)

~40 constants added in four logical groups:
- GithubDir, WorkflowsDir, WorkflowsDirSlash, AgentsDir, WorkflowsLockYmlGlob, WorkflowsLockYmlGitAttributesEntry
- (/tmp/gh-aw/…): TmpGhAwDirSlash, TmpGhAwAgentDir, AwPromptsFile, TmpMcpServersJsonPath, TmpProxyLogsDir, TmpProxyTLSDir, TmpProxyTLSCACert, TmpRepoMemoryDir, ThreatDetectionLogPath, etc.
- (${RUNNER_TEMP}/…, ${{ runner.temp }}/…): GhAwRootDirShellSlash, ShellMcpServersJsonPath, McpServersJsonPathExpr, CodexMcpConfigTomlPath, etc.
- CopilotBinaryPath, BashCompletionDir, BashCompletionGhAwPath, HomebrewPrefix, UsrLocalPrefix

Two workflow-scoped constants added to pkg/workflow/setup_action_paths.go: SafeJobsDownloadDirExpr, SafeOutputsUploadArtifactsDir.

Bug fix (compiler_difc_proxy.go)

The exclusion glob for the proxy TLS directory was using broken runtime string slicing. Fixed using the new TmpProxyTLSDir constant:

Replacements

All hardcoded literals replaced with constant references across:
- pkg/workflow/ — 30+ files
- pkg/parser/ — remote_fetch.go, mcp.go, include_expander.go, import_field_extractor.go
- pkg/cli/ — shell_completion.go, git.go, logs_run_processor.go, includes.go, trial_repository.go, mcp_tools_privileged.go

Files that didn't previously import pkg/constants had the import added.

Linter self-reference

pkg/linters/hardcodedfilepath/hardcodedfilepath.go defines the canonical path prefixes it detects. Those definitions are now annotated //nolint:hardcodedfilepath since they are the pattern source, not path usage. A log message string in git.go containing .github/aw/logs/.gitignore (not a real path) gets the same treatment.

pr-sous-chef requested a branch update during run https://github.com/github/gh-aw/actions/runs/27735451041

Changeset

- Type: patch
- Description: Centralized hardcoded file paths into named constants and fixed a proxy TLS directory exclusion bug.
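To illustrate the "Linter self-reference" point in the description above, here is an added sketch of a hardcoded-path check that honors the //nolint:hardcodedfilepath annotation; it is not the project's pkg/linters/hardcodedfilepath code. The two patterns, the substring matching rule, the constructed sample source and the name FindHardcodedPaths are assumptions made for the example.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"regexp"
	"strings"
)

// Assumed patterns, built from paths named on this page (not the project's list).
var pathPattern = regexp.MustCompile(`\.github/|/tmp/gh-aw/`)

// Constructed sample: one unsuppressed literal, two annotated lines.
const sampleSrc = `package demo
var patterns = []string{".github/", "/tmp/gh-aw/"} //nolint:hardcodedfilepath
func lockGlob() string { return ".github/workflows/*.lock.yml" }
func hint() string { return "see .github/aw/logs/.gitignore" } //nolint:hardcodedfilepath
`

// FindHardcodedPaths lists "line: literal" for matching string literals, skipping annotated lines.
func FindHardcodedPaths(src string) ([]string, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, "sample.go", src, parser.ParseComments)
	if err != nil {
		return nil, err
	}
	suppressed := map[int]bool{} // line numbers that carry the annotation
	for _, group := range file.Comments {
		for _, c := range group.List {
			if strings.Contains(c.Text, "nolint:hardcodedfilepath") {
				suppressed[fset.Position(c.Pos()).Line] = true
			}
		}
	}
	var findings []string
	ast.Inspect(file, func(n ast.Node) bool {
		if lit, ok := n.(*ast.BasicLit); ok && lit.Kind == token.STRING {
			line := fset.Position(lit.Pos()).Line
			if !suppressed[line] && pathPattern.MatchString(lit.Value) {
				findings = append(findings, fmt.Sprintf("%d: %s", line, lit.Value))
			}
		}
		return true
	})
	return findings, nil
}

func main() { fmt.Println(FindHardcodedPaths(sampleSrc)) }
```

Without the annotations, the pattern definitions and the log hint would be reported alongside the one literal that is actually used as a path.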
✨ PR Review Safe Output Test - Run 27737100396