Harden PATH export with sanitization to prevent empty element attacks

[Copilot]

• Understand the issue: PATH export command in GetHostedToolcachePathSetup() needs sanitization
• Create bash script actions/setup/sh/sanitize_path.sh with PATH sanitization logic
• Create bash test script actions/setup/sh/sanitize_path_test.sh for the sanitization script
• Refactor GetSanitizedPATHExport() to source the bash script from /opt/gh-aw/actions/sanitize_path.sh
• Update Go tests to match new implementation
• Run make fmt to format code
• Run make recompile to regenerate 141 workflow lock files
• Run make lint for validation
• Merge main and recompile workflows

Security Summary

• No security vulnerabilities found by CodeQL
• The change hardens PATH handling to prevent potential attacks from malformed PATH entries (empty elements, leading/trailing colons)

Original prompt

The agent runing inside awf firewall has this command:

export PATH="$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\n' ':')$PATH"

it can be attacked.

Harden this by applying some sanitization methods like remove empty elements and trailing/leading colons etc.

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

---

Changeset

• Type: patch
• Description: Sanitize the AWF firewall PATH export by sourcing the new helper so empty elements and stray colons are removed before exporting.

Ahoy! This treasure was crafted by 🏴‍☠️ Changeset Generator

[Mossaka]

@copilot refactor it to a bash script and reference it

[Copilot]

@copilot refactor it to a bash script and reference it

Refactored the PATH sanitization logic to a bash script in actions/setup/sh/sanitize_path.sh with corresponding tests in sanitize_path_test.sh. The Go code now sources the script via source /opt/gh-aw/actions/sanitize_path.sh. Commit: 85c4bb3

[github-actions]

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

Smoke Test Results

PRs Retrieved:

• docs: Document agent container build/test environment from epic #11970 #12375 - docs: Document agent container build/test environment
• Add canary_go job to agent-ci.yml to detect untested Go functions #12353 - Add canary_go job to detect untested Go functions

Test Status:

• ✅ GitHub MCP
• ✅ Safe Inputs GH CLI
• ✅ Serena MCP
• ✅ Playwright
• ✅ File Writing
• ✅ Bash Tool
• ✅ Discussion Interaction
• ✅ Build gh-aw

Overall: ✅ PASS

cc @Mossaka

AI generated by Smoke Copilot

[github-actions]

Smoke Test: Claude - PASS ✅

PRs Reviewed:

• docs: Document agent container build/test environment from epic #11970 #12375: docs: Document agent container build/test environment
• Add canary_go job to agent-ci.yml to detect untested Go functions #12353: Add canary_go job to detect untested Go functions

Test Results: ✅ GitHub MCP | ✅ GH CLI | ✅ Serena | ✅ Make | ✅ Playwright | ✅ Tavily | ✅ File Ops | ✅ Bash | ✅ Discussion

Status: PASS

AI generated by Smoke Claude

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

GitHub MCP merged PRs ✅: docs: Document agent container build/test environment from epic #11970; Add canary_go job to agent-ci.yml to detect untested Go functions
safeinputs gh PRs ✅: [WIP] Add security documentation for container mounting risks; Create smoke test workflow to validate common development tool availability
Serena activate ✅; Playwright title ✅; Tavily search ✅
File write ✅; Bash cat ✅
Discussion comment ✅; Build ✅
Overall: PASS

AI generated by Smoke Codex

[pelikhan]

@copilot merge main, recompile

[Copilot]

@copilot merge main, recompile

Merged main and recompiled all 141 workflows. Commit: 57432ea