Extract hardcoded file paths to named constants #39938
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Pull request overview
This PR centralizes previously hardcoded filesystem/workspace path literals into named constants (primarily in pkg/constants/constants.go) and updates workflow/compiler/parser/CLI code to reference those constants, including a small DIFC proxy log exclusion fix.
Changes:
- Added grouped path constants for repo-relative dirs, /tmp/gh-aw runtime layout, shell/env/action-expression forms, and a few system paths.
- Replaced hardcoded path literals across workflow compilation/rendering, parser path handling, and CLI utilities with constant references.
- Fixed DIFC proxy log artifact exclusion construction by using a dedicated proxy TLS directory constant rather than runtime string slicing.
Copilot's findings
- Files reviewed: 50/50 changed files
- Comments generated: 1
| set +o histexpand | ||
|
|
||
| # Kept in sync with install-gh-aw.sh — edit that file, then copy to this path. | ||
| # Kept in sync with actions/setup-cli/install.sh — edit this file, then copy to that path. |
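Review bot: the two "Kept in sync" header lines point in opposite directions: one says to edit install-gh-aw.sh and copy to this path, the other says to edit this file and copy to actions/setup-cli/install.sh. Changing which script is the source of truth is not a path-constant extraction, so it should be split out or called out in the description, and the companion script's header needs the mirrored wording so the two copies do not both claim, or both disclaim, ownership.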
|
Please summarize the remaining blockers after the review note is addressed.
|
|
@copilot review all comments and address the unresolved review note, then rebase/push an update.
|
|
@copilot merge main and recompile |
…extract-hardcoded-paths # Conflicts: # actions/setup-cli/install.sh Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
|
✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready. |
|
🚀 Smoke Gemini MISSION COMPLETE! Gemini has spoken. ✨ |
|
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨ |
|
🚀 Smoke Antigravity MISSION COMPLETE! Antigravity has spoken. ✨ |
|
🚀 Smoke Pi MISSION COMPLETE! Pi delivered. 🥧 |
|
✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟 |
|
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing... |
|
📰 BREAKING: Smoke Copilot - AOAI (apikey) is now investigating this pull request. Sources say the story is developing... |
|
📰 BREAKING: Smoke Copilot - AOAI (Entra) is now investigating this pull request. Sources say the story is developing... |
Smoke Test Results
Overall Status: FAIL
Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
network:
  allowed:
    - defaults
    - "localhost"
See Network Configuration for more information.
|
Agent Container Tool Check
Result: 12/12 tools available ✅ Overall Status: PASS
|
💥 Smoke Test: Claude — Run 27737100396
Core #1-12: all ✅
Overall: PARTIAL (1 skipped)
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"
See Network Configuration for more information.
|
💥 Automated smoke test review - all systems nominal!
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
- accounts.google.com
- android.clients.google.com
- clients2.google.com
- contentautofill.googleapis.com
- safebrowsingohttpgateway.googleapis.com
- www.google.com
To allow these domains, add them to the network.allowed list in your workflow frontmatter:
network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"
See Network Configuration for more information.
💥 [THE END] — Illustrated by Smoke Claude
| // Find git root and add .github/workflows relative to it | ||
| if gitRoot, err := gitutil.FindGitRoot(); err == nil { | ||
| workflowsPath := filepath.Join(gitRoot, ".github/workflows/") | ||
| workflowsPath := filepath.Join(gitRoot, constants.WorkflowsDirSlash) |
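Review bot: filepath.Join cleans its result, so on the changed workflowsPath line the trailing slash in constants.WorkflowsDirSlash is dropped, exactly as it was for the old ".github/workflows/" literal. The PR description also lists a WorkflowsDir constant; passing that here would make it obvious that workflowsPath carries no trailing separator, and would keep the Slash variant for the string-prefix and concatenation call sites where the slash actually matters.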
Nice — extracting .github/workflows/ into constants.WorkflowsDirSlash improves consistency.
|
|
||
| gitAttributesPath := filepath.Join(gitRoot, ".gitattributes") | ||
| lockYmlEntry := ".github/workflows/*.lock.yml linguist-generated=true merge=ours" | ||
| lockYmlEntry := constants.WorkflowsLockYmlGitAttributesEntry |
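Review bot: on the lockYmlEntry line the new constant carries more than a path: the literal it replaces also holds the attributes linguist-generated=true merge=ours, so the merge policy for lock files now sits in the constants package behind a name that reads like a path. Suggest a doc comment on WorkflowsLockYmlGitAttributesEntry spelling out the full line it expands to, or composing the entry here from WorkflowsLockYmlGlob plus the attributes so the policy stays visible where it is written to .gitattributes.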
Good use of constants.WorkflowsLockYmlGitAttributesEntry for the gitattributes entry.
|
Smoke Copilot: Extract hardcoded file paths to named constants
|
|
Smoke test: FAIL
|
Comment Memory
Note
This comment is managed by comment memory. It stores persistent context for this thread in the code block at the top of this comment.
|
Smoke Copilot review: tool paths, build, and safe outputs all exercised.
📰 BREAKING: Report filed by Smoke Copilot

120 hardcoded file path literals were scattered across 55 files, creating maintenance risk and making path configuration opaque. This PR centralizes all path definitions as named constants.

New constants (pkg/constants/constants.go)

~40 constants added in four logical groups:
- GithubDir, WorkflowsDir, WorkflowsDirSlash, AgentsDir, WorkflowsLockYmlGlob, WorkflowsLockYmlGitAttributesEntry
- /tmp/gh-aw/…): TmpGhAwDirSlash, TmpGhAwAgentDir, AwPromptsFile, TmpMcpServersJsonPath, TmpProxyLogsDir, TmpProxyTLSDir, TmpProxyTLSCACert, TmpRepoMemoryDir, ThreatDetectionLogPath, etc.
- ${RUNNER_TEMP}/…, ${{ runner.temp }}/…): GhAwRootDirShellSlash, ShellMcpServersJsonPath, McpServersJsonPathExpr, CodexMcpConfigTomlPath, etc.
- CopilotBinaryPath, BashCompletionDir, BashCompletionGhAwPath, HomebrewPrefix, UsrLocalPrefix

Two workflow-scoped constants added to pkg/workflow/setup_action_paths.go: SafeJobsDownloadDirExpr, SafeOutputsUploadArtifactsDir.

Bug fix (compiler_difc_proxy.go)

The exclusion glob for the proxy TLS directory was using broken runtime string slicing. Fixed using the new TmpProxyTLSDir constant:

Replacements

All hardcoded literals replaced with constant references across:
- pkg/workflow/ — 30+ files
- pkg/parser/ — remote_fetch.go, mcp.go, include_expander.go, import_field_extractor.go
- pkg/cli/ — shell_completion.go, git.go, logs_run_processor.go, includes.go, trial_repository.go, mcp_tools_privileged.go

Files that didn't previously import pkg/constants had the import added.

Linter self-reference

pkg/linters/hardcodedfilepath/hardcodedfilepath.go defines the canonical path prefixes it detects. Those definitions are now annotated //nolint:hardcodedfilepath since they are the pattern source, not path usage. A log message string in git.go containing .github/aw/logs/.gitignore (not a real path) gets the same treatment.

pr-sous-chef requested a branch update during run https://github.com/github/gh-aw/actions/runs/27735451041

Changeset

- Type: patch
- Description: Centralized hardcoded file paths into named constants and fixed a proxy TLS directory exclusion bug.
✨ PR Review Safe Output Test - Run 27737100396