Add environment variable validation to safe output jobs

- Create shared validateEnvironment utility function
- Add validation to create_pull_request, create_issue, add_comment, create_discussion
- Update all test files to set required GH_AW_WORKFLOW_NAME
- All tests passing successfully

Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>

Author: Copilot

pkg/workflow/js/add_comment.cjs

@@ -6,6 +6,7 @@ const { generateFooterWithMessages } = require("./messages_footer.cjs");
 const { getRepositoryUrl } = require("./get_repository_url.cjs");
 const { replaceTemporaryIdReferences, loadTemporaryIdMap } = require("./temporary_id.cjs");
 const { getTrackerID } = require("./get_tracker_id.cjs");
+const { validateEnvironment } = require("./validate_environment.cjs");
 
 /**
  * Hide/minimize a comment using the GraphQL API
@@ -262,6 +263,9 @@ async function commentOnDiscussion(github, owner, repo, discussionNumber, messag
 }
 
 async function main() {
+  // Environment validation - fail early if required variables are missing
+  validateEnvironment(["GH_AW_WORKFLOW_NAME"]);
+
   // Check if we're in staged mode
   const isStaged = process.env.GH_AW_SAFE_OUTPUTS_STAGED === "true";
   const isDiscussionExplicit = process.env.GITHUB_AW_COMMENT_DISCUSSION === "true";

pkg/workflow/js/add_comment.test.cjs

@@ -41,7 +41,7 @@ const mockCore = {
       (fs.writeFileSync(tempFilePath, content), (process.env.GH_AW_AGENT_OUTPUT = tempFilePath));
     };
     (beforeEach(() => {
-      (vi.clearAllMocks(), delete process.env.GH_AW_AGENT_OUTPUT, delete process.env.GITHUB_WORKFLOW, (global.context.eventName = "issues"), (global.context.payload.issue = { number: 123 }));
+      (vi.clearAllMocks(), delete process.env.GH_AW_AGENT_OUTPUT, delete process.env.GITHUB_WORKFLOW, (global.context.eventName = "issues"), (global.context.payload.issue = { number: 123 }), (process.env.GH_AW_WORKFLOW_NAME = "Test Workflow"));
       const scriptPath = path.join(process.cwd(), "add_comment.cjs");
       createCommentScript = fs.readFileSync(scriptPath, "utf8");
     }),

pkg/workflow/js/create_discussion.cjs

@@ -8,6 +8,7 @@ const { replaceTemporaryIdReferences, loadTemporaryIdMap } = require("./temporar
 const { parseAllowedRepos, getDefaultTargetRepo, validateRepo, parseRepoSlug } = require("./repo_helpers.cjs");
 const { addExpirationComment } = require("./expiration_helpers.cjs");
 const { removeDuplicateTitleFromDescription } = require("./remove_duplicate_title.cjs");
+const { validateEnvironment } = require("./validate_environment.cjs");
 
 /**
  * Fetch repository ID and discussion categories for a repository
@@ -91,6 +92,9 @@ async function main() {
   core.setOutput("discussion_number", "");
   core.setOutput("discussion_url", "");
 
+  // Environment validation - fail early if required variables are missing
+  validateEnvironment(["GH_AW_WORKFLOW_NAME"]);
+
   // Load the temporary ID map from create_issue job
   const temporaryIdMap = loadTemporaryIdMap();
   if (temporaryIdMap.size > 0) {

pkg/workflow/js/create_discussion.test.cjs

@@ -46,7 +46,8 @@ const mockCore = {
         delete process.env.GH_AW_DISCUSSION_TITLE_PREFIX,
         delete process.env.GH_AW_DISCUSSION_CATEGORY,
         delete process.env.GH_AW_TARGET_REPO_SLUG,
-        delete process.env.GH_AW_ALLOWED_REPOS);
+        delete process.env.GH_AW_ALLOWED_REPOS,
+        (process.env.GH_AW_WORKFLOW_NAME = "Test Workflow"));
       const scriptPath = path.join(process.cwd(), "create_discussion.cjs");
       ((createDiscussionScript = fs.readFileSync(scriptPath, "utf8")), (createDiscussionScript = createDiscussionScript.replace("export {};", "")));
     }),

pkg/workflow/js/create_issue.cjs

@@ -10,6 +10,7 @@ const { generateTemporaryId, isTemporaryId, normalizeTemporaryId, replaceTempora
 const { parseAllowedRepos, getDefaultTargetRepo, validateRepo, parseRepoSlug } = require("./repo_helpers.cjs");
 const { addExpirationComment } = require("./expiration_helpers.cjs");
 const { removeDuplicateTitleFromDescription } = require("./remove_duplicate_title.cjs");
+const { validateEnvironment } = require("./validate_environment.cjs");
 
 async function main() {
   // Initialize outputs to empty strings to ensure they're always set
@@ -18,6 +19,9 @@ async function main() {
   core.setOutput("temporary_id_map", "{}");
   core.setOutput("issues_to_assign_copilot", "");
 
+  // Environment validation - fail early if required variables are missing
+  validateEnvironment(["GH_AW_WORKFLOW_NAME"]);
+
   const isStaged = process.env.GH_AW_SAFE_OUTPUTS_STAGED === "true";
 
   const result = loadAgentOutput();

pkg/workflow/js/create_issue.test.cjs

@@ -47,7 +47,8 @@ const mockCore = {
         delete process.env.GH_AW_ISSUE_TITLE_PREFIX,
         delete process.env.GH_AW_TARGET_REPO_SLUG,
         delete process.env.GH_AW_ALLOWED_REPOS,
-        delete global.context.payload.issue);
+        delete global.context.payload.issue,
+        (process.env.GH_AW_WORKFLOW_NAME = "Test Workflow"));
       const scriptPath = path.join(process.cwd(), "create_issue.cjs");
       ((createIssueScript = fs.readFileSync(scriptPath, "utf8")),
         (createIssueScript = createIssueScript.replace("export {};", "")),

pkg/workflow/js/create_pull_request.cjs

@@ -9,6 +9,7 @@ const { updateActivationComment } = require("./update_activation_comment.cjs");
 const { getTrackerID } = require("./get_tracker_id.cjs");
 const { addExpirationComment } = require("./expiration_helpers.cjs");
 const { removeDuplicateTitleFromDescription } = require("./remove_duplicate_title.cjs");
+const { validateEnvironment } = require("./validate_environment.cjs");
 
 /**
  * Generate a patch preview with max 500 lines and 2000 chars for issue body
@@ -53,15 +54,10 @@ async function main() {
   const isStaged = process.env.GH_AW_SAFE_OUTPUTS_STAGED === "true";
 
   // Environment validation - fail early if required variables are missing
-  const workflowId = process.env.GH_AW_WORKFLOW_ID;
-  if (!workflowId) {
-    throw new Error("GH_AW_WORKFLOW_ID environment variable is required");
-  }
+  validateEnvironment(["GH_AW_WORKFLOW_ID", "GH_AW_BASE_BRANCH"]);
 
+  const workflowId = process.env.GH_AW_WORKFLOW_ID;
   const baseBranch = process.env.GH_AW_BASE_BRANCH;
-  if (!baseBranch) {
-    throw new Error("GH_AW_BASE_BRANCH environment variable is required");
-  }
 
   const agentOutputFile = process.env.GH_AW_AGENT_OUTPUT || "";
 

pkg/workflow/js/create_pull_request.test.cjs

@@ -12,8 +12,9 @@ const createTestableFunction = scriptContent => {
     (scriptBody = scriptBody.replace(/const \{ getTrackerID \} = require\("\.\/get_tracker_id\.cjs"\);?\s*/g, "")),
     (scriptBody = scriptBody.replace(/const \{ addExpirationComment \} = require\("\.\/expiration_helpers\.cjs"\);?\s*/g, "")),
     (scriptBody = scriptBody.replace(/const \{ removeDuplicateTitleFromDescription \} = require\("\.\/remove_duplicate_title\.cjs"\);?\s*/g, "")),
+    (scriptBody = scriptBody.replace(/const \{ validateEnvironment \} = require\("\.\/validate_environment\.cjs"\);?\s*/g, "")),
     new Function(
-      `\n    const { fs, crypto, github, core, context, process, console, updateActivationComment, getTrackerID, addExpirationComment, removeDuplicateTitleFromDescription } = arguments[0];\n    \n    ${scriptBody}\n    \n    return main;\n  `
+      `\n    const { fs, crypto, github, core, context, process, console, updateActivationComment, getTrackerID, addExpirationComment, removeDuplicateTitleFromDescription, validateEnvironment } = arguments[0];\n    \n    ${scriptBody}\n    \n    return main;\n  `
     )
   );
 };
@@ -70,6 +71,18 @@ describe("create_pull_request.cjs", () => {
         getTrackerID: vi.fn(format => ""),
         addExpirationComment: vi.fn(),
         removeDuplicateTitleFromDescription: vi.fn((title, description) => description),
+        validateEnvironment: vi.fn((required) => {
+          // Implement actual validation logic for tests
+          const missing = required.filter(varName => {
+            const value = mockDependencies.process.env[varName];
+            return value === undefined || value === null || value.trim() === "";
+          });
+          if (missing.length > 0) {
+            throw new Error(
+              `Missing required environment variable${missing.length > 1 ? "s" : ""}: ${missing.join(", ")}\n\nPlease ensure these are set in the safe_outputs job configuration.`
+            );
+          }
+        }),
       }));
   }),
     afterEach(() => {
@@ -79,12 +92,12 @@ describe("create_pull_request.cjs", () => {
     }),
     it("should throw error when GH_AW_WORKFLOW_ID is missing", async () => {
       const mainFunction = createMainFunction(mockDependencies);
-      await expect(mainFunction()).rejects.toThrow("GH_AW_WORKFLOW_ID environment variable is required");
+      await expect(mainFunction()).rejects.toThrow("Missing required environment variables: GH_AW_WORKFLOW_ID, GH_AW_BASE_BRANCH");
     }),
     it("should throw error when GH_AW_BASE_BRANCH is missing", async () => {
       mockDependencies.process.env.GH_AW_WORKFLOW_ID = "test-workflow";
       const mainFunction = createMainFunction(mockDependencies);
-      await expect(mainFunction()).rejects.toThrow("GH_AW_BASE_BRANCH environment variable is required");
+      await expect(mainFunction()).rejects.toThrow("Missing required environment variable: GH_AW_BASE_BRANCH");
     }),
     it("should handle missing patch file with default warn behavior", async () => {
       ((mockDependencies.process.env.GH_AW_WORKFLOW_ID = "test-workflow"), (mockDependencies.process.env.GH_AW_BASE_BRANCH = "main"), mockDependencies.fs.existsSync.mockReturnValue(!1));

pkg/workflow/js/validate_environment.cjs

@@ -0,0 +1,57 @@
+// @ts-check
+/// <reference types="@actions/github-script" />
+
+/**
+ * Validate Environment Variables Module
+ *
+ * This module provides utilities for validating required environment variables
+ * in safe output job scripts. It ensures that necessary variables are present
+ * before execution, providing clear error messages when variables are missing.
+ *
+ * Usage:
+ *   const { validateEnvironment } = require("./validate_environment.cjs");
+ *   validateEnvironment(['GH_AW_WORKFLOW_ID', 'GITHUB_TOKEN']);
+ */
+
+/**
+ * Validate that required environment variables are present
+ *
+ * Checks for the presence of required environment variables and throws a
+ * descriptive error if any are missing. This provides clear feedback to users
+ * about what configuration is needed.
+ *
+ * @param {string[]} required - Array of required environment variable names
+ * @throws {Error} If any required environment variables are missing
+ *
+ * @example
+ * // Check for a single required variable
+ * validateEnvironment(['GH_AW_WORKFLOW_ID']);
+ *
+ * @example
+ * // Check for multiple required variables
+ * validateEnvironment(['GH_AW_WORKFLOW_ID', 'GH_AW_BASE_BRANCH']);
+ */
+function validateEnvironment(required) {
+  if (!Array.isArray(required) || required.length === 0) {
+    return;
+  }
+
+  const missing = required.filter(varName => {
+    const value = process.env[varName];
+    return value === undefined || value === null || value.trim() === "";
+  });
+
+  if (missing.length > 0) {
+    const errorMessage = [
+      `Missing required environment variable${missing.length > 1 ? "s" : ""}: ${missing.join(", ")}`,
+      "",
+      "Please ensure these are set in the safe_outputs job configuration.",
+    ].join("\n");
+
+    throw new Error(errorMessage);
+  }
+}
+
+module.exports = {
+  validateEnvironment,
+};

pkg/workflow/js/validate_environment.test.cjs

@@ -0,0 +1,133 @@
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+
+describe("validate_environment.cjs", () => {
+  let validateEnvironment;
+  let originalEnv;
+
+  beforeEach(async () => {
+    // Save original environment
+    originalEnv = { ...process.env };
+
+    // Import the module
+    const module = await import("./validate_environment.cjs");
+    validateEnvironment = module.validateEnvironment;
+  });
+
+  afterEach(() => {
+    // Restore original environment
+    process.env = originalEnv;
+  });
+
+  it("should not throw when all required variables are present", () => {
+    process.env.GH_AW_WORKFLOW_ID = "test-workflow";
+    process.env.GITHUB_TOKEN = "test-token";
+
+    expect(() => {
+      validateEnvironment(["GH_AW_WORKFLOW_ID", "GITHUB_TOKEN"]);
+    }).not.toThrow();
+  });
+
+  it("should throw when a single required variable is missing", () => {
+    delete process.env.GH_AW_WORKFLOW_ID;
+
+    expect(() => {
+      validateEnvironment(["GH_AW_WORKFLOW_ID"]);
+    }).toThrow(/Missing required environment variable: GH_AW_WORKFLOW_ID/);
+  });
+
+  it("should throw when multiple required variables are missing", () => {
+    delete process.env.GH_AW_WORKFLOW_ID;
+    delete process.env.GITHUB_TOKEN;
+
+    expect(() => {
+      validateEnvironment(["GH_AW_WORKFLOW_ID", "GITHUB_TOKEN"]);
+    }).toThrow(/Missing required environment variables: GH_AW_WORKFLOW_ID, GITHUB_TOKEN/);
+  });
+
+  it("should include helpful message about safe_outputs configuration", () => {
+    delete process.env.GH_AW_WORKFLOW_ID;
+
+    expect(() => {
+      validateEnvironment(["GH_AW_WORKFLOW_ID"]);
+    }).toThrow(/Please ensure these are set in the safe_outputs job configuration/);
+  });
+
+  it("should treat empty string as missing", () => {
+    process.env.GH_AW_WORKFLOW_ID = "";
+
+    expect(() => {
+      validateEnvironment(["GH_AW_WORKFLOW_ID"]);
+    }).toThrow(/Missing required environment variable: GH_AW_WORKFLOW_ID/);
+  });
+
+  it("should treat whitespace-only string as missing", () => {
+    process.env.GH_AW_WORKFLOW_ID = "   ";
+
+    expect(() => {
+      validateEnvironment(["GH_AW_WORKFLOW_ID"]);
+    }).toThrow(/Missing required environment variable: GH_AW_WORKFLOW_ID/);
+  });
+
+  it("should not throw when required array is empty", () => {
+    expect(() => {
+      validateEnvironment([]);
+    }).not.toThrow();
+  });
+
+  it("should handle mix of present and missing variables", () => {
+    process.env.GH_AW_WORKFLOW_ID = "test-workflow";
+    delete process.env.GH_AW_BASE_BRANCH;
+
+    expect(() => {
+      validateEnvironment(["GH_AW_WORKFLOW_ID", "GH_AW_BASE_BRANCH"]);
+    }).toThrow(/Missing required environment variable: GH_AW_BASE_BRANCH/);
+  });
+
+  it("should not include present variables in error message", () => {
+    process.env.GH_AW_WORKFLOW_ID = "test-workflow";
+    delete process.env.GH_AW_BASE_BRANCH;
+
+    try {
+      validateEnvironment(["GH_AW_WORKFLOW_ID", "GH_AW_BASE_BRANCH"]);
+      expect.fail("Should have thrown an error");
+    } catch (error) {
+      expect(error.message).not.toContain("GH_AW_WORKFLOW_ID");
+      expect(error.message).toContain("GH_AW_BASE_BRANCH");
+    }
+  });
+
+  it("should handle validation with a single variable", () => {
+    process.env.GITHUB_TOKEN = "test-token";
+
+    expect(() => {
+      validateEnvironment(["GITHUB_TOKEN"]);
+    }).not.toThrow();
+  });
+
+  it("should handle validation with many variables", () => {
+    process.env.VAR1 = "value1";
+    process.env.VAR2 = "value2";
+    process.env.VAR3 = "value3";
+    process.env.VAR4 = "value4";
+    process.env.VAR5 = "value5";
+
+    expect(() => {
+      validateEnvironment(["VAR1", "VAR2", "VAR3", "VAR4", "VAR5"]);
+    }).not.toThrow();
+  });
+
+  it("should report all missing variables when multiple are absent", () => {
+    delete process.env.VAR1;
+    delete process.env.VAR2;
+    delete process.env.VAR3;
+
+    try {
+      validateEnvironment(["VAR1", "VAR2", "VAR3"]);
+      expect.fail("Should have thrown an error");
+    } catch (error) {
+      expect(error.message).toContain("VAR1");
+      expect(error.message).toContain("VAR2");
+      expect(error.message).toContain("VAR3");
+    }
+  });
+});