Skip to content

Fix runtime-imports path resolution to default to .github/workflows/ #14850

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
pelikhan merged 8 commits into from
Feb 11, 2026
Merged

Fix runtime-imports path resolution to default to .github/workflows/ #14850

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
ebc7b33
Initial plan
Copilot Feb 10, 2026
655d443
Fix runtime-imports path resolution to use workflows/ prefix
Copilot Feb 10, 2026
b3a12d9
Fix all runtime_import tests - update expected messages and fix .acti…
Copilot Feb 10, 2026
cd29036
Fix Go runtime import test to use workflows directory
Copilot Feb 10, 2026
617efd9
Replace .actions/ handling with .agents/ for skills directory
Copilot Feb 11, 2026
ab67f3e
Fix .agents/ to resolve to top-level folder (not .github/agents/)
Copilot Feb 11, 2026
7ceb675
Merge remote-tracking branch 'origin/main' into copilot/fix-runtime-i…
Copilot Feb 11, 2026
9675a82
Merge main branch and verify linting passes
Copilot Feb 11, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
78 changes: 56 additions & 22 deletions actions/setup/js/runtime_import.cjs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -713,34 +713,68 @@ async function processRuntimeImport(filepathOrUrl, optional, workspaceDir, start

// Otherwise, process as a file
let filepath = filepathOrUrl;

// Trim .github/ prefix if provided (support both .github/file and file)
// This allows users to use either format
if (filepath.startsWith(".github/")) {
let isAgentsPath = false;

// Check if this is a .agents/ path (top-level folder for skills)
if (filepath.startsWith(".agents/")) {
isAgentsPath = true;
// Keep .agents/ as is - it's a top-level folder at workspace root
} else if (filepath.startsWith(".agents\\")) {
isAgentsPath = true;
// Keep .agents\ as is - it's a top-level folder at workspace root (Windows)
} else if (filepath.startsWith(".github/")) {
// Trim .github/ prefix if provided (support both .github/file and file)
filepath = filepath.substring(8); // Remove ".github/"
} else if (filepath.startsWith(".github\\")) {
filepath = filepath.substring(8); // Remove ".github\" (Windows)
} else {
// If path doesn't start with .github or .agents, prefix with workflows/
// This makes imports like "a.md" resolve to ".github/workflows/a.md"
filepath = path.join("workflows", filepath);
}

// Remove leading ./ or ../ if present
if (filepath.startsWith("./")) {
filepath = filepath.substring(2);
} else if (filepath.startsWith(".\\")) {
filepath = filepath.substring(2);
// Remove leading ./ or ../ if present (only for non-agents paths)
if (!isAgentsPath) {
if (filepath.startsWith("./")) {
filepath = filepath.substring(2);
} else if (filepath.startsWith(".\\")) {
filepath = filepath.substring(2);
}
}
// Note: We don't allow ../ paths as they would escape .github folder

// Construct the path within .github folder
const githubFolder = path.join(workspaceDir, ".github");
const absolutePath = path.resolve(githubFolder, filepath);
const normalizedPath = path.normalize(absolutePath);
const normalizedGithubFolder = path.normalize(githubFolder);

// Security check: ensure the resolved path is within the .github folder
// Use path.relative to check if the path escapes the .github folder
const relativePath = path.relative(normalizedGithubFolder, normalizedPath);
if (relativePath.startsWith("..") || path.isAbsolute(relativePath)) {
throw new Error(`Security: Path ${filepathOrUrl} must be within .github folder (resolves to: ${relativePath})`);
// Note: We don't allow ../ paths as they would escape the base folder

// Construct the absolute path - .agents paths are relative to workspace root, others to .github
let absolutePath, normalizedPath, baseFolder, normalizedBaseFolder;

if (isAgentsPath) {
// .agents/ paths resolve to top-level .agents folder at workspace root
baseFolder = workspaceDir;
absolutePath = path.resolve(workspaceDir, filepath);
normalizedPath = path.normalize(absolutePath);
normalizedBaseFolder = path.normalize(baseFolder);

// Security check: ensure the resolved path is within the workspace
const relativePath = path.relative(normalizedBaseFolder, normalizedPath);
if (relativePath.startsWith("..") || path.isAbsolute(relativePath)) {
throw new Error(`Security: Path ${filepathOrUrl} must be within workspace (resolves to: ${relativePath})`);
}
// Additional check: ensure path stays within .agents folder
if (!relativePath.startsWith(".agents" + path.sep) && relativePath !== ".agents") {
throw new Error(`Security: Path ${filepathOrUrl} must be within .agents folder`);
}
} else {
// Regular paths resolve within .github folder
const githubFolder = path.join(workspaceDir, ".github");
baseFolder = githubFolder;
absolutePath = path.resolve(githubFolder, filepath);
normalizedPath = path.normalize(absolutePath);
normalizedBaseFolder = path.normalize(githubFolder);

// Security check: ensure the resolved path is within the .github folder
const relativePath = path.relative(normalizedBaseFolder, normalizedPath);
if (relativePath.startsWith("..") || path.isAbsolute(relativePath)) {
throw new Error(`Security: Path ${filepathOrUrl} must be within .github folder (resolves to: ${relativePath})`);
}
}

// Check if file exists
Expand Down
Loading
Loading