Prevent ANSI escape sequences in compiled workflow YAML files

[Copilot]

ANSI terminal escape sequences (\x1b[31m, \x1b[0m, \x1b[m) were breaking YAML parsing when accidentally introduced through copy-paste from colored terminal output or ANSI-aware text editors.

Changes

Compiler sanitization (pkg/workflow/compiler_yaml.go, pkg/workflow/compiler_activation_jobs.go, pkg/stringutil/stringutil.go)

• Strip ANSI codes from workflow metadata during compilation: descriptions, sources, file paths, stop-time, manual-approval
• Strip ANSI codes from YAML values: GH_AW_STOP_TIME environment variable, environment field for manual approval
• Pattern: \x1b\[[0-9;]*[a-zA-Z] matches all common ANSI sequences (colors, formatting, cursor control)

// Automatically strips during YAML generation
cleanDescription := stringutil.StripANSIEscapeCodes(data.Description)
cleanStopTime := stringutil.StripANSIEscapeCodes(data.StopTime)

Comprehensive test coverage (pkg/stringutil/stringutil_test.go, pkg/workflow/compiler_yaml_test.go)

• 24 unit tests covering various ANSI sequences: colors (16-color, 256-color, 24-bit RGB), text formatting, cursor control, edge cases
• 6 integration tests validating ANSI stripping in all workflow metadata fields and YAML values
• All 30 tests pass successfully

Documentation (AGENTS.md)

• Prevention guidelines: use --no-color flags, avoid copy-paste from colored output
• Detection command: find .github/workflows -name "*.yml" | xargs grep -P '\x1b\[[0-9;]*[a-zA-Z]'
• Multi-layer prevention strategy (sanitization, documentation, testing)

Example

Before: "description": "Run \x1b[31mmake recompile\x1b[0m after changes\x1b[m"
After: "description": "Run make recompile after changes"

Before: GH_AW_STOP_TIME: 2026-12-31\x1b[31mT23:59:59Z\x1b[0m
After: GH_AW_STOP_TIME: 2026-12-31T23:59:59Z

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[CI Failure Doctor] ANSI Escape Sequences in YAML Workflow Files - PR #11045</issue_title>
<issue_description>## Summary

CI failure in run #21219621737 caused by ANSI terminal escape sequences accidentally included in YAML workflow files. This issue was self-healing - the problematic commit was quickly superseded by subsequent commits that removed the escape codes.

Failure Details

• Run: 21219621737
• Commit: 80395ca
• PR: Enforce mandatory recompile in cli-version-checker workflow #11045 "Enforce mandatory recompile in cli-version-checker workflow"
• Failed Job: js (JavaScript linting/validation)
• Trigger: push to main
• Resolution: Self-healing - fixed in later commit c4a0b67

Root Cause Analysis

The commit introduced ANSI escape sequences ([m - color reset codes) into the compiled workflow YAML file:

Affected lines in .github/workflows/cli-version-checker.lock.yml:

• Line 810: 2. **REQUIRED**: Run 'make recompile' to update workflows (MUST be run after any constant changes)[m
• Line 886: - **SAVE TO CACHE**: Store help outputs (main and all subcommands) and version check results in cache-memory[m

The [m characters are ANSI escape codes (specifically, \x1b[m or ESC[m) used for resetting terminal colors. These were likely:

1. Copied from colored terminal output
2. Preserved by a text editor with ANSI code support
3. Or generated by a script that outputs colored text

These escape codes are invisible in many editors but break YAML parsing, causing the js job to fail during workflow validation.

Investigation Findings

What happened:

1. PR Enforce mandatory recompile in cli-version-checker workflow #11045 was merged at 17:39:40 (commit 80395ca)
2. CI workflow ran and failed at ~17:42:12 (js job failure)
3. Repository continued with normal development
4. By commit c4a0b67 (17:41:51), the ANSI codes were gone
5. Current main branch is clean (no ANSI escape sequences found)

Why it self-healed:
The repository appears to have a rapid commit cycle with multiple PRs being merged. The problematic YAML file was likely regenerated (via make recompile) by a subsequent PR that produced clean YAML without the escape codes.

Failed Jobs and Errors

Job: js (61050540090)

• Status: failure
• Likely error: YAML syntax validation failed due to unexpected characters

Note: Full job logs were inaccessible (403 permission error), but the diff analysis clearly shows the ANSI escape code injection.

Recommended Actions

Immediate (Already Resolved ✅)

• ✅ The issue self-resolved - current main branch has no ANSI escape sequences
• ✅ No manual intervention needed

Prevention (Future Improvements)

1. Add YAML validation to pre-commit hooks

   # Check for ANSI escape sequences in YAML files
   git diff --cached --name-only | grep '\.ya\?ml$' | xargs grep -P '\\x1b\\[[0-9;]*m' && exit 1

2. Add CI validation step before JS job

   - name: Check for ANSI escape sequences
     run: |
       if find .github/workflows -name "*.yml" -o -name "*.yaml" | xargs grep -P '\\x1b\\[[0-9;]*m'; then
         echo "ERROR: ANSI escape sequences found in YAML files"
         exit 1
       fi

3. Update compiler to strip ANSI codes

   • Modify the workflow compiler in pkg/workflow/ to automatically strip ANSI escape sequences
   • Add test cases that verify ANSI codes are removed during compilation

4. Editor configuration guidance

   • Document in CONTRIBUTING.md that editors should not preserve ANSI escape codes
   • Recommend plaintext-only modes for editing YAML

Prevention Strategies

Root cause: Copy-paste operations from colored terminal output or ANSI-aware editors.

Prevention layers:

1. Detection: Pre-commit hooks to catch ANSI codes before commit
2. Validation: CI checks that fail fast on ANSI escape sequences
3. Sanitization: Compiler automatically strips ANSI codes during workflow generation
4. Education: Developer documentation about ANSI code hazards

AI Team Self-Improvement

Add to AGENTS.md or developer instructions:

### YAML File Editing - ANSI Escape Code Prevention

**CRITICAL**: When editing or generating YAML workflow files (`.github/workflows/*.yml`, `*.lock.yml`):

1. **NEVER copy-paste from colored terminal output** - Always use `--no-color` or `2>&1 | cat` to strip colors
2. **Validate YAML before committing** - Run `python3 -c "import yaml; yaml.safe_load(open('file.yml'))"` to check syntax
3. **Check for invisible characters** - Use `cat -A file.yml | grep '\[m'` to detect ANSI escape sequences
4. **Run make recompile** - Always recompile workflows after editing .md files to regenerate clean .lock.yml files

**Example of safe command usage**:
```bash
# ❌ BAD - May include ...

</details>



<!-- START COPILOT CODING AGENT SUFFIX -->

- Fixes githubnext/gh-aw#11062

<!-- START COPILOT CODING AGENT TIPS -->
---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more [Copilot coding agent tips](https://gh.io/copilot-coding-agent-tips) in the docs.

[pelikhan]

@copilot add tests

[pelikhan]

@copilot revert this file

[pelikhan]

LEAVE THIS OPEN. Investigation underway.

[jmoseley]

@copilot add tests

[pelikhan]

@copilot add tests

[Copilot]

@copilot add tests

Added comprehensive test coverage in commit c6ec268:

Unit tests (24 test cases in pkg/stringutil/stringutil_test.go):

• Real-world ANSI patterns from the original issue
• Color codes (basic 16-color, 256-color, 24-bit RGB)
• Text formatting (bold, underline)
• Cursor control (movement, positioning, save/restore)
• Edge cases (consecutive codes, long strings, codes in middle of words)

Integration tests (6 test cases in pkg/workflow/compiler_yaml_test.go):

• ANSI stripping from descriptions, sources, imported files
• ANSI stripping from stop-time comments and environment variables
• ANSI stripping from manual-approval comments and environment fields
• Multiline descriptions with ANSI codes

Also fixed ANSI stripping in compiler_activation_jobs.go for GH_AW_STOP_TIME env var and environment field.

All 30 ANSI-related tests pass.