fix(workflow): escape PowerShell variable delimiter in ai-issue-triage#294

Merged
rjmurillo merged 1 commit into
mainfrom
fix/ai-triage-pwsh-syntax
Dec 23, 2025

Conversation

@rjmurillo-bot

Collaborator

Summary

  • Fixes PowerShell parser error in AI Issue Triage workflow's sweep job
  • The colon after $issueNumber was being interpreted as a scope modifier (like $global:var)
  • Changed to ${issueNumber}: to properly delimit the variable name

Root Cause

```powershell
# Before (broken)
Write-Host "  Issue #$issueNumber: $issueTitle - NOT TRIAGED" -ForegroundColor Yellow

# After (fixed)
Write-Host "  Issue #${issueNumber}: $issueTitle - NOT TRIAGED" -ForegroundColor Yellow
```

PowerShell syntax reference: When a colon follows a variable name, PowerShell interprets it as a scope modifier. Using ${} syntax properly delimits the variable name.

Test plan

  • Verify fix compiles (PowerShell syntax validation)
  • Wait for scheduled sweep job to run successfully

Related

Fixes workflow run failure: https://github.com/rjmurillo/ai-agents/actions/runs/20458459981

🤖 Generated with Claude Code

The colon after $issueNumber was being interpreted as a scope modifier
(like $global:var). Changed to ${issueNumber}: to properly delimit
the variable name.

Fixes ParserError: Variable reference is not valid. ':' was not followed
by a valid variable name character.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
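An added example (not code from the PR or the repository) of the pre-merge check the Roadmap and QA reviewers ask for: it runs the PowerShell parser over every pwsh run: step of a workflow so a $var: slip fails in the PR instead of in the scheduled sweep job. It assumes PowerShell 7 and the powershell-yaml module (ConvertFrom-Yaml); the workflow snippet and the before/after lines are constructed from the PR description.

```powershell
# Added example, not code from the PR. Syntax-checks every `shell: pwsh` run: step
# in a workflow file with the PowerShell parser; nothing in the scripts is executed.
# Assumes PowerShell 7 and the powershell-yaml module:
#   Install-Module powershell-yaml -Scope CurrentUser

function Test-PwshScriptSyntax {
    param(
        [Parameter(Mandatory)][string]$Script,
        [string]$Label = '<inline>'
    )
    $tokens = $null
    $errors = $null
    # Parse only (no execution); parser errors are returned through $errors.
    [void][System.Management.Automation.Language.Parser]::ParseInput(
        $Script, [ref]$tokens, [ref]$errors)
    foreach ($e in $errors) {
        # ${Label} is braced for exactly the reason this PR exists: "$Label::" would
        # itself be read as a scope modifier and fail to parse. The ::error:: format
        # surfaces the failure as an annotation in the PR checks tab.
        Write-Host "::error title=${Label}::line $($e.Extent.StartLineNumber): $($e.Message)"
    }
    return ($errors.Count -eq 0)
}

function Test-WorkflowPwshSteps {
    param([Parameter(Mandatory)][string]$Path)
    $wf = Get-Content -Raw -LiteralPath $Path | ConvertFrom-Yaml
    $allOk = $true
    foreach ($jobName in @($wf.jobs.Keys)) {
        $job = $wf.jobs[$jobName]
        # A step may inherit its shell from job-level or workflow-level defaults.
        $jobShell = $job.defaults.run.shell ?? $wf.defaults.run.shell
        $i = 0
        foreach ($step in @($job.steps)) {
            $shell = $step.shell ?? $jobShell
            if ($step.run -and $shell -eq 'pwsh') {
                $label = "$jobName/$i"
                if ($step.name) { $label += " ($($step.name))" }
                if (-not (Test-PwshScriptSyntax -Script $step.run -Label $label)) { $allOk = $false }
            }
            $i++
        }
    }
    return $allOk
}

# --- Demonstration on constructed input mirroring the PR's before/after lines ---
$broken = 'Write-Host "  Issue #$issueNumber: $issueTitle - NOT TRIAGED" -ForegroundColor Yellow'
$fixed  = 'Write-Host "  Issue #${issueNumber}: $issueTitle - NOT TRIAGED" -ForegroundColor Yellow'

Test-PwshScriptSyntax -Script $broken -Label before   # emits the ParserError the PR cites, returns False
Test-PwshScriptSyntax -Script $fixed  -Label after    # returns True

# A minimal constructed workflow with one broken and one fixed pwsh step.
$workflowYaml = @'
name: demo
on: workflow_dispatch
defaults:
  run:
    shell: pwsh
jobs:
  sweep:
    runs-on: ubuntu-latest
    steps:
      - name: Sweep untriaged issues (broken)
        run: |
          Write-Host "  Issue #$issueNumber: $issueTitle - NOT TRIAGED" -ForegroundColor Yellow
      - name: Sweep untriaged issues (fixed)
        run: |
          Write-Host "  Issue #${issueNumber}: $issueTitle - NOT TRIAGED" -ForegroundColor Yellow
'@
$tmp = Join-Path ([IO.Path]::GetTempPath()) "demo-$PID.yml"
Set-Content -LiteralPath $tmp -Value $workflowYaml
Test-WorkflowPwshSteps -Path $tmp   # False: the first step fails to parse
Remove-Item -LiteralPath $tmp
```

Running Test-WorkflowPwshSteps against .github/workflows/ai-issue-triage.yml in a CI step (and failing the job on False) is the syntax validation the review agents recommend adding.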
Copilot AI review requested due to automatic review settings December 23, 2025 10:59
@gemini-code-assist

Contributor

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@github-actions github-actions Bot added labels bug (Something isn't working), area-workflows (GitHub Actions workflows), github-actions (GitHub Actions workflow updates) on Dec 23, 2025
@coderabbitai coderabbitai Bot requested a review from rjmurillo December 23, 2025 10:59

Copilot AI left a comment

Contributor


Pull request overview

This PR fixes a PowerShell syntax error in the AI Issue Triage workflow that was causing workflow run failures. The issue occurred when PowerShell misinterpreted $issueNumber: as a scope modifier (like $global:var) instead of a variable followed by a literal colon character.

Key Change:

  • Escaped the PowerShell variable delimiter by changing $issueNumber: to ${issueNumber}: to properly delimit the variable name from the following colon

@github-actions

Contributor

AI Quality Gate Review

Tip

Final Verdict: PASS

Walkthrough

This PR was reviewed by six AI agents in parallel, analyzing different aspects of the changes:

  • Security Agent: Scans for vulnerabilities, secrets exposure, and security anti-patterns
  • QA Agent: Evaluates test coverage, error handling, and code quality
  • Analyst Agent: Assesses code quality, impact analysis, and maintainability
  • Architect Agent: Reviews design patterns, system boundaries, and architectural concerns
  • DevOps Agent: Evaluates CI/CD, build pipelines, and infrastructure changes
  • Roadmap Agent: Assesses strategic alignment, feature scope, and user value

Review Summary

| Agent | Verdict | Status |
|---|---|---|
| Security | PASS | |
| QA | PASS | |
| Analyst | PASS | |
| Architect | PASS | |
| DevOps | PASS | |
| Roadmap | PASS | |
Security Review Details

Security Review: ai-issue-triage.yml PowerShell Variable Fix

Findings

| Severity | Category | Finding | Location | CWE |
|---|---|---|---|---|
| None | - | No security issues detected | - | - |

Analysis

Change Reviewed: Single-line change from $issueNumber: to ${issueNumber}: in a Write-Host statement.

Security Considerations Evaluated:

  1. Injection (CWE-78): The $issueNumber variable comes from gh issue list output. The variable is used in a logging statement, not command execution. No injection vector introduced.

  2. Secret Detection: No credentials, API keys, or tokens in the change.

  3. Workflow Security: The change does not modify workflow permissions, secrets handling, or untrusted input processing.

  4. Infrastructure: This is a syntax fix for variable interpolation. The fix uses standard PowerShell variable delimiting syntax.

Recommendations

None required. The change is a minimal syntax correction that does not alter security posture.

Verdict

VERDICT: PASS
MESSAGE: Syntax-only fix with no security impact. Variable delimiting change does not introduce vulnerabilities.
Roadmap Review Details

Strategic Alignment Assessment

| Criterion | Rating | Notes |
|---|---|---|
| Aligns with project goals | High | Fixes broken CI/CD infrastructure that blocks automated issue triage |
| Priority appropriate | High | Workflow failures block automation; quick fix with immediate value |
| User value clear | Medium | Indirect value through reliable automation; maintainers benefit from working triage |
| Investment justified | High | Single-line fix resolves workflow failure |

Feature Completeness

  • Scope Assessment: Right-sized
  • Ship Ready: Yes
  • MVP Complete: Yes
  • Enhancement Opportunities: None identified

Impact Analysis

| Dimension | Assessment | Notes |
|---|---|---|
| User Value | Medium | Restores automated issue triage functionality |
| Business Impact | Medium | Enables reliable issue management workflow |
| Technical Leverage | Low | Bug fix, no reusable infrastructure created |
| Competitive Position | Neutral | Table stakes for project maintenance |

Concerns

| Priority | Concern | Recommendation |
|---|---|---|
| Low | No automated syntax validation in PR | Consider adding PowerShell linting to CI |

Recommendations

  1. Merge this fix promptly to restore workflow functionality
  2. Consider adding a PowerShell syntax validation step to catch similar issues in future PRs

Verdict

VERDICT: PASS
MESSAGE: Surgical bug fix restores broken CI automation. Single-line change with clear root cause and minimal risk.
QA Review Details

Now I have a complete picture. Let me verify all usages of $issueNumber in the file to check for consistency:

I see the issue pattern. Line 570 (the fix) uses ${issueNumber}: to avoid the scope modifier issue. However, line 603 has the same pattern (#$issueNumber :) but with a space before the colon. Let me check line 603 more closely:

Line 603 has a space before the colon (#$issueNumber : $result), which prevents the scope modifier issue. The fix at line 570 is correct because the colon immediately follows the variable name without a space.

QA Review Report


VERDICT: PASS
MESSAGE: Single-line syntax fix is correct and addresses the documented PowerShell parser error.


EVIDENCE

Tests found: 0 for 0 new functions (change is a 1-character syntax fix, no new logic)

Edge cases: N/A - this is a string interpolation syntax correction, not new functionality

Error handling: Not applicable - no error handling code changed

Blocking issues: 0


Test Coverage Assessment

| Area | Status | Evidence | Files Checked |
|---|---|---|---|
| Unit tests | N/A | No new functionality requiring tests | ai-issue-triage.yml |
| Edge cases | N/A | Syntax fix only | Line 570 |
| Error paths | N/A | No error handling modified | N/A |
| Assertions | N/A | No testable logic added | N/A |

Rationale: This change modifies a single Write-Host statement to fix a PowerShell variable interpolation issue. The fix changes $issueNumber: to ${issueNumber}: to prevent PowerShell from interpreting the colon as a scope modifier. No new code paths, logic, or functionality were introduced.


Quality Concerns

| Severity | Issue | Location | Evidence | Required Fix |
|---|---|---|---|---|
| - | None identified | - | - | - |

Code Quality Verification

  1. Fix is syntactically correct: The ${variableName} syntax is standard PowerShell for variable name delimiting
  2. Consistency check: Line 603 uses #$issueNumber : (space before colon) which is safe. Line 570 had #$issueNumber: (no space) which triggered the bug. The fix is appropriate.
  3. No other instances: All other $issueNumber usages in the file either:
    • Have a space after the variable name (lines 599, 603)
    • Are followed by non-colon characters (lines 564, 569, 600)
    • Are at end of expression (lines 571, 604)

Regression Risk Assessment

  • Risk Level: Low
  • Affected Components: .github/workflows/ai-issue-triage.yml (sweep job logging only)
  • Breaking Changes: None - cosmetic fix to error output formatting
  • Required Testing: Scheduled sweep job run will validate (as noted in PR test plan)

Verification Notes

The PR description correctly identifies:

  1. The root cause (PowerShell scope modifier syntax)
  2. The fix (variable delimiting with ${})
  3. A reference to the failing workflow run

The fix is minimal and surgical - exactly one character change that addresses the documented parsing error.

Architect Review Details

Design Quality Assessment

| Aspect | Rating (1-5) | Notes |
|---|---|---|
| Pattern Adherence | 5 | Correct PowerShell variable scoping syntax |
| Boundary Respect | 5 | Change is contained within workflow file |
| Coupling | 5 | No coupling changes |
| Cohesion | 5 | No cohesion changes |
| Extensibility | 5 | No impact |

Overall Design Score: 5/5

Architectural Concerns

| Severity | Concern | Location | Recommendation |
|---|---|---|---|
| None | - | - | - |

Breaking Change Assessment

  • Breaking Changes: No
  • Impact Scope: None
  • Migration Required: No
  • Migration Path: N/A

Technical Debt Analysis

  • Debt Added: None
  • Debt Reduced: Low (fixes syntax bug)
  • Net Impact: Improved

ADR Assessment

  • ADR Required: No
  • Decisions Identified: None
  • Existing ADR: N/A
  • Recommendation: N/A

Recommendations

  1. None. This is a minimal, correct fix for a PowerShell syntax issue.

Verdict

VERDICT: PASS
MESSAGE: Single-character fix corrects PowerShell variable delimiter parsing. No architectural impact.
DevOps Review Details

Let me verify the YAML syntax and check for other similar patterns in the workflow:

I notice the file fetched from GitHub still has the OLD version. Let me check the actual diff in the PR:

The fix is applied in the local copy. Let me complete the analysis:

Pipeline Impact Assessment

| Area | Impact | Notes |
|---|---|---|
| Build | None | No build changes |
| Test | None | No test changes |
| Deploy | None | No deployment changes |
| Cost | None | No additional compute |

CI/CD Quality Checks

Check Status Location
YAML syntax valid .github/workflows/ai-issue-triage.yml
Actions pinned Line 70, 545: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
Secrets secure Uses ${{ secrets.BOT_PAT }}, not logged
Permissions minimal Line 38-40: contents: read, issues: write
Shell scripts robust PowerShell with proper variable handling

Findings

| Severity | Category | Finding | Location | Fix |
|---|---|---|---|---|
| Low | Best Practice | Fix correctly addresses PowerShell scope modifier parsing | Line 570 | Applied correctly |

Analysis

The fix is correct. In PowerShell, $variable: syntax is interpreted as a scope modifier (e.g., $global:var, $script:var). The original code $issueNumber: caused a parser error because PowerShell tried to interpret : as a scope modifier delimiter.

The fix uses ${issueNumber}: which properly delimits the variable name using brace notation, allowing the colon to be treated as a literal character in the string.

Template Assessment

  • PR Template: Adequate
  • Issue Templates: Not evaluated (not in scope)
  • Template Issues: None

Automation Opportunities

| Opportunity | Type | Benefit | Effort |
|---|---|---|---|
| None identified | - | - | - |

Recommendations

  1. None required. The fix is minimal and correct.

Verdict

VERDICT: PASS
MESSAGE: PowerShell variable delimiting fix is correct and resolves the parser error.
Analyst Review Details

Analysis: PowerShell Variable Delimiter Fix

Code Quality Score

| Criterion | Score (1-5) | Notes |
|---|---|---|
| Readability | 5 | Fix is clear and well-documented |
| Maintainability | 5 | Standard PowerShell syntax pattern |
| Consistency | 5 | Matches PowerShell best practices |
| Simplicity | 5 | Minimal change, correct solution |

Overall: 5/5

Impact Assessment

  • Scope: Isolated (single line in workflow file)
  • Risk Level: Low
  • Affected Components: .github/workflows/ai-issue-triage.yml sweep job only

Findings

| Priority | Category | Finding | Location |
|---|---|---|---|
| N/A | Fix | Correct use of ${} syntax to delimit variable before colon | ai-issue-triage.yml:570 |

Technical Verification

The fix is correct. In PowerShell, $issueNumber: is parsed as a scoped variable reference (like $global:var or $script:var). Using ${issueNumber}: explicitly delimits the variable name, preventing the colon from being interpreted as a scope modifier.

Recommendations

None. The fix is minimal, correct, and follows PowerShell syntax conventions.

Verdict

VERDICT: PASS
MESSAGE: Single-line fix correctly addresses PowerShell variable parsing. Root cause identified, solution verified against PowerShell syntax rules.

Run Details
| Property | Value |
|---|---|
| Run ID | 20458881401 |
| Triggered by | pull_request on 294/merge |
| Commit | cf7c804ee8544d85896499c109a6dfeda5703bc3 |

Powered by AI Quality Gate - View Workflow

@coderabbitai

coderabbitai Bot commented Dec 23, 2025

📝 Walkthrough

Minor update to a GitHub Actions workflow file. Variable interpolation syntax changed from $issueNumber to ${issueNumber} in a logging statement. No functional behavior changes.

Changes

| Cohort / File(s) | Summary |
|---|---|
| GitHub Actions Workflow: .github/workflows/ai-issue-triage.yml | Changed shell variable interpolation from $issueNumber to ${issueNumber} in echo log statement for Sweep Untriaged Issues step |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested labels

bug, area-workflows, github-actions

Suggested reviewers

  • rjmurillo

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title follows conventional commit format with 'fix' prefix and clearly describes the PowerShell variable delimiter fix in the workflow file. |
| Description check | ✅ Passed | The description is directly related to the changeset, explaining the PowerShell parser error, the fix applied, and the root cause with code examples. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

📜 Recent review details

📥 Commits

Reviewing files that changed from the base of the PR and between 2928fac and be55af6.

📒 Files selected for processing (1)
  • .github/workflows/ai-issue-triage.yml
🧰 Additional context used
📓 Path-based instructions (31)
{.github/workflows/*,*/.githooks/*,Dockerfile}

📄 CodeRabbit inference engine (.agents/governance/interviews/security-interview.md)

Review infrastructure code changes including GitHub Actions workflows, git hooks, and Dockerfile for security vulnerabilities

Files:

  • .github/workflows/ai-issue-triage.yml
{.githooks/**,**/.github/**,**/infrastructure/**,**/config/**,**/*.tf,**/*.yml,**/*.yaml}

📄 CodeRabbit inference engine (.agents/metrics/baseline-report.md)

Infrastructure files (including .githooks/pre-commit) must receive security review before deployment

.github/workflows/*

📄 CodeRabbit inference engine (.agents/metrics/dashboard-template.md)

Ensure infrastructure files in GitHub workflows directory are reviewed by agents with target rate of 100%

Implement full CodeRabbit enforcement for CI/CD workflow files in .github/workflows/ directory

.github/workflows/*: Detect files matching .github/workflows/* as infrastructure changes requiring specialist review from devops and security agents
GitHub Actions workflows must include an explicit permissions block with minimally privileged permissions
GitHub Actions workflows must not use pull_request_target trigger with actions/checkout action using pull request head SHA reference, as this creates a dangerous security pattern
GitHub Actions workflows requiring test reporting must explicitly grant checks: write permission for dorny/test-reporter compatibility
GitHub Actions workflows must avoid using overly permissive permissions: write-all and instead use explicit minimal permissions

.github/workflows/*.{yml,yaml}

📄 CodeRabbit inference engine (.agents/security/infrastructure-file-patterns.md)

GitHub Actions workflow files (.github/workflows/*.yml and .github/workflows/*.yaml) should trigger security agent review due to critical security implications

Add security detection check to CI/CD pipelines to analyze staged files for infrastructure changes before implementation

.github/workflows/*.{yml,yaml}: Infrastructure files (.github/workflows/) require devops and security agent review before commit
Add pre-commit validation that fails on infrastructure files (.github/workflows/) lacking security review documentation
Infrastructure files must include a security impact analysis document before creation or modification
Retroactive security review is required for quick-fix changes to workflow files made without pre-commit review
Workflow files must validate that all required permissions are explicitly declared and justified

Keep workflow YAML files light and thin - MUST NOT put complex logic in workflow YAML files; use thin workflows with calls to external testable modules or skills

GitHub Actions workflows should remain thin and delegate complex logic to PowerShell modules rather than embedding bash-like commands in workflow YAML run blocks

.github/workflows/*.{yml,yaml}: Never use || true pattern without explicit error handling and ADR justification
Do not use || true error suppression in workflows without documenting rationale in an ADR

Use thin workflow pattern: minimize logic in YAML files, delegate complex operations to PowerShell modules

.github/workflows/*.{yml,yaml}: Use YAML heredoc with proper indentation for multi-line GitHub Actions values
Use GH_TOKEN for auto-authentication in GitHub Actions shell scripts
Use fixed-length lookbehinds for regex patterns in GitHub Actions
GitHub Actions outputs must be single-line format
Matrix jobs in GitHub Actions should use artifacts for output storage
Use environment variables for shell command interpolation in GitHub Actions to prevent injection vulnerabilities
Use verdict tokens for str...

{.github/workflows/**,{.githooks,husky}/**,**/Auth/**,**/Security/**}

📄 CodeRabbit inference engine (.agents/utilities/security-detection/SKILL.md)

CI/CD workflow files (.github/workflows/*), git hooks (.githooks/*, .husky/*), and authentication code (**/Auth/**, **/Security/**) require security agent review (CRITICAL level)

.github/workflows/*.yml

📄 CodeRabbit inference engine (.agents/analysis/pr41-issue-analysis.md)

.github/workflows/*.yml: Use dotnet-nunit reporter in dorny/test-reporter@v1 when Pester tests output NUnitXml format
Add explicit permissions block to GitHub Actions workflow jobs, specifying minimal required permissions (e.g., contents: read and checks: write for test reporting workflows)

.github/workflows/*.yml: Use minimal GitHub Actions permissions in CI workflows
Add workflow_dispatch trigger to GitHub Actions workflows for manual triggering capability
Add PowerShell-Yaml module installation step in CI workflows
Use ubuntu-latest for drift detection CI workflows for lighter weight execution
Add issue deduplication for drift alerts in GitHub Actions workflows
Use path filtering appropriately scoped in GitHub Actions workflows

CI/CD pipeline must include a drift-linting job that compares Claude agent content against generated VS Code and Copilot CLI variants on every PR modifying agent files

Create automated CI validation to detect absolute paths (Windows, macOS, Linux patterns) in markdown files with colored output, line numbers, and remediation steps

Configure concurrency groups in GitHub Actions workflows to prevent comment spam and race conditions when multiple commits trigger parallel workflow runs on the same PR

.github/workflows/*.yml: Remove silent || true error suppression from critical operations; instead track failures in arrays and provide summarized error reporting at workflow completion
Use minimal token scopes in GitHub Actions workflows: use repo scope for read-only operations, issues:write for issue modifications, and workflow permissions declarations following principle of least privilege

.github/workflows/*.yml: Store heredoc content in separate files instead of inline within YAML run: blocks to avoid YAML parsing errors when content lacks proper indentation
Use github.token (workflow's built-in token) for PR comments in GitHub Actions instead of service account PATs, as it automatically has write access t...

.github/**/*.yml

📄 CodeRabbit inference engine (.agents/planning/prd-pre-pr-security-gate.md)

Detect files matching .github/**/*.yml as infrastructure changes requiring specialist review from devops and security agents

.github/workflows/**/*.{yml,yaml}

📄 CodeRabbit inference engine (.agents/retrospective/pr-feedback-remediation.md)

Use 'ubuntu-latest' for CI runner preference instead of 'windows-latest' for significantly faster performance, except for PowerShell Desktop or Windows-specific features

.github/workflows/**/*.{yml,yaml}: Workflows should be thin and contain only orchestration logic; all business logic (parsing, validation, formatting) must be extracted to PowerShell modules (.psm1)
Keep workflow YAML files to a maximum of 100 lines (orchestration only)
Do not parse complex strings (verdict, labels, etc.) in workflow YAML run: blocks; delegate to PowerShell modules
Do not validate business rules directly in workflow YAML; delegate to PowerShell modules
All PowerShell scripting for workflows must be PowerShell-only (no bash or other shell languages embedded in workflows)

.github/workflows/**/*.{yml,yaml}: PowerShell used consistently for label and milestone parsing in AI workflow (extract parsing logic to AIReviewCommon.psm1::Get-LabelsFromAIOutput rather than inline bash)
Use ::error:: GitHub Actions format for error output instead of echo or Write-Error to ensure errors are properly captured and cause workflow failure
Remove all '|| true' patterns and silent failure suppression in workflow steps - errors must be aggregated and reported explicitly using ::error:: format
Add token masking with ::add-mask:: before using secrets in workflow run steps to prevent accidental token leakage in logs
Replace secrets.BOT_PAT with github.token for issue and PR operations to minimize token privileges and reduce security attack surface
Document minimum required token scopes in workflow comments for each operation (e.g., 'repo' scope for issue edit and label application, 'read' scope for readonly operations)
Extract AI workflow parsing logic to testable PowerShell module functions (AIReviewCommon.psm1) rather than inline bash - enables unit testing in isolation and reduces regression risk

.github/workflows/**/*.{yml,yaml}: Use bash/PowerShell error collection pattern: initialize FAILED_...

**/.github/workflows/*.{yml,yaml}

📄 CodeRabbit inference engine (.agents/skills/ci-runner-preference.md)

**/.github/workflows/*.{yml,yaml}: Use ubuntu-latest (or linux-latest) runners for GitHub Actions workflows instead of windows-latest for better CI/CD pipeline performance
Only use windows-latest runner when PowerShell Desktop (5.1) is required, Windows-specific features are needed, or testing Windows-only scenarios
Prefer PowerShell Core (pwsh) over PowerShell Desktop for GitHub Actions scripts to enable cross-platform compatibility on Linux runners

Workflows SHOULD be less than 100 lines, containing orchestration only. Business logic SHOULD be extracted to PowerShell modules (.psm1).

PowerShell workflow files must follow the thin-workflow pattern where orchestration logic stays in the workflow and business logic is extracted to reusable modules

Maintain consistent token scopes and authentication strategy throughout workflows; use the same token source for all related operations to avoid permission errors

**/.github/workflows/*.{yml,yaml}: Avoid code injection vulnerabilities by never directly interpolating unsanitized GitHub context variables (like ${{ github.event.issue.title }} or ${{ github.event.issue.body }}) into bash commands; instead save them to files using heredoc syntax and read them back
Use toJSON() to escape GitHub context variables when passing them to bash commands, or employ input validation before using variables in shell contexts
GitHub Actions workflows should request only the minimum necessary permissions (principle of least privilege) required for their operations

**/.github/workflows/*.{yml,yaml}: When ≥2 GitHub Actions workflows share logic, extract to composite action with parameterized inputs for reusability
GitHub Actions workflow files should include YAML syntax validation and actionlint checks in pre-commit configuration

**/.github/workflows/*.{yml,yaml}: Use artifacts instead of job outputs for passing data between matrix jobs in GitHub Actions workflows
Use environment variables for shell variable expans...

.github/workflows/**

📄 CodeRabbit inference engine (.agents/steering/security-practices.md)

Implement OWASP Top 10 prevention practices in GitHub Actions workflows

Use secure defaults and minimal exposure for security misconfiguration prevention


⚙️ CodeRabbit configuration file

.github/workflows/**: SECURITY-CRITICAL PATH - ASSERTIVE ENFORCEMENT
Review for: - Authentication and authorization (secrets handling, OIDC) - Credential exposure (env vars, git output, logs) - Injection vulnerabilities (command injection, script injection) - Race conditions (concurrent jobs, artifact operations) - Resource exhaustion (limits on runners, matrix expansions)
Flag: - Unquoted variables in shell commands - Direct use of user input in scripts - Missing error handling and early exit conditions - Hardcoded secrets or credentials - Unsafe use of 3rd party actions
DO NOT IGNORE any security-related findings on this path.

.github/workflows/**/*.yml

📄 CodeRabbit inference engine (.agents/architecture/DESIGN-REVIEW-pr-60-remediation-architecture.md)

Use GitHub Actions workflow steps with PowerShell for JSON parsing and data manipulation; reserve bash only for simple npm install, git operations, and environment variable exports

Aggregate errors across workflow steps using error accumulation arrays and export failure summary via GITHUB_OUTPUT

.github/workflows/**/*.yml: GitHub Actions workflows orchestrating multiple agents should use matrix strategy with fail-fast: false to ensure all reviews complete
Use artifact passing (not job outputs) to transfer data between workflow jobs when using matrix strategy
Implement idempotency in workflow comment generation using comment markers to distinguish update vs create operations
Use skip optimization to check for docs-only changes before executing expensive AI review jobs
Add CI validation step to verify prompt templates include required output format markers before merging

.github/workflows/**/*.yml: Replace bash parsing with PowerShell functions in GitHub Actions workflows - use Get-LabelsFromAIOutput and Get-MilestoneFromAIOutput from AIReviewCommon.psm1 instead of bash grep/tr/xargs to prevent command injection (CWE-78) and word splitting vulnerabilities (CWE-20)
In GitHub Actions workflows parsing AI output, never use bash xargs, unquoted variable expansion, or for loops with simple string parsing - replace with PowerShell cmdlets that handle structured output safely
Verify PowerShell Core is available on GitHub Actions ubuntu-latest runner before using PowerShell in workflows

Add checkout step to skip-validation job in GitHub Actions workflows that use dorny/paths-filter

**/.github/workflows/**/*.{yml,yaml}

📄 CodeRabbit inference engine (.agents/governance/PROJECT-CONSTRAINTS.md)

**/.github/workflows/**/*.{yml,yaml}: MUST NOT put business logic in workflow YAML files
SHOULD keep workflows under 100 lines (orchestration only)

Workflows must be thin and composed of testable, reusable modules

Follow Copilot follow-up PR naming convention: copilot/sub-pr-{original_pr_number} for branches targeting the original PR's base branch

**/.github/workflows/**/*.{yml,yaml}: Implement concurrency control using GitHub Actions concurrency group to prevent simultaneous PR maintenance runs
Configure GitHub Actions workflows to create an issue on failure with workflow diagnostics
Design thin GitHub Actions workflows that orchestrate logic rather than implementing testable module logic directly

**/.github/**/*.{yml,yaml,sh,bash}

📄 CodeRabbit inference engine (.agents/planning/PR-60/001-pr-60-review-gap-analysis.md)

Use unique identifiers (e.g., run ID, timestamp) for temporary file paths in CI/CD workflows to prevent conflicts in concurrent runs on shared runners

**/.github/workflows/**/*.yml

📄 CodeRabbit inference engine (.agents/planning/PR-60/004-pr-60-implementation-review.md)

**/.github/workflows/**/*.yml: Replace bash label parsing in GitHub Actions workflows with PowerShell validation to prevent command injection via untrusted AI output
Validate all label strings against regex pattern '^[\w-.\s]{1,50}$' before applying to GitHub issues
Validate all category strings against regex pattern '^[\w-]{1,30}$' before using in workflow outputs
Validate all milestone strings against regex pattern '^[\w-.\s]{1,50}$' before assigning to issues
Use explicit error handling with informative error messages instead of '|| true' for GitHub CLI (gh) commands that should not fail silently
Keep '|| true' only for commands where empty/missing results are valid expected outcomes (e.g., grep with no matches, find with no results)
Verify GitHub CLI authentication status is successful before attempting API operations in CI workflows
Log validation rejections with details (invalid format, rejected label) for debugging label application failures
Provide detailed error messages in GitHub Actions workflow steps including context (what failed, why, what to check)
Use PowerShell 'Write-Host' with color output for structured workflow logging instead of plain echo statements
Use '|| true' in workflows only for commands where missing data is an expected valid state; document the reason in comments
Validate workflow inputs and outputs against strict regex patterns before using them in GitHub API commands

**/.github/workflows/**/*.yml: Use environment variables instead of direct ${{ }} template syntax in shell scripts to prevent shell injection attacks
Use artifacts instead of job outputs to pass data between matrix job legs, since outputs only expose one matrix leg
Prepare multi-line content via prior steps with GITHUB_OUTPUT heredoc syntax rather than attempting to execute shell commands in YAML with: inputs

**/.github/workflows/*.yml

📄 CodeRabbit inference engine (.agents/planning/PR-60/007-phase-1-detailed-schedule.md)

Use PowerShell-only code (no bash, Python, or shell scripts) with all workflow steps configured with 'shell: pwsh' per ADR-006

Use quoted heredoc (with 'EOF' delimiter) for safely handling github.event.pull_request.title and github.event.pull_request.body in bash env vars to prevent code injection

GitHub Actions workflows must use PowerShell functions from exported modules rather than inline bash parsing (grep/sed/tr) for consistent security and testability

In workflow comments, use explicit language about verdict behavior and consequences (e.g., 'should cause the check to FAIL (block merge)' rather than ambiguous phrasing)

**/.github/workflows/*.yml: Use PowerShell syntax (shell: pwsh) for GitHub workflow steps when handling untrusted AI output
Import PowerShell modules using correct relative path format (Import-Module .github/scripts/AIReviewCommon.psm1) in GitHub workflows to ensure module dependencies are properly resolved
Use PowerShell environment variables for all user input in GitHub workflows instead of direct bash variable interpolation to eliminate word-splitting vulnerabilities

Use $env:GITHUB_WORKSPACE with absolute paths instead of relative ./ prefix when importing PowerShell modules in GitHub Actions workflows

Include env: GH_TOKEN in workflow steps that use GitHub CLI to ensure proper authentication

Files:

  • .github/workflows/ai-issue-triage.yml
**/.github/{scripts,workflows}/*.{sh,yml}

📄 CodeRabbit inference engine (.agents/planning/pr-60-focused-plan.md)

Use sed with POSIX character classes instead of grep -P for regex patterns to ensure portability across Linux and macOS (grep -P is GNU-only)

Files:

  • .github/workflows/ai-issue-triage.yml
.github/{workflows,scripts}/**/*.{yml,yaml,sh}

📄 CodeRabbit inference engine (.agents/planning/pr-60-security-review.md)

.github/{workflows,scripts}/**/*.{yml,yaml,sh}: Avoid leaking sensitive information or internal configuration details in error messages and workflow logs that could be visible to attackers. Use generic error messages in production and reserve detailed diagnostics for debug logs only.
Sanitize and validate all untrusted user input (such as GitHub event data like PR titles, issue bodies, commit messages) before using in shell commands, API calls, or other operations that could interpret special characters.
When updating GitHub comments in workflows, use idempotent markers (HTML comments with unique identifiers) in comment bodies to enable safe updates by specific comment ID rather than relying on comment position.

Enforce ADR-005 with pre-commit hook rejecting bash in .github/workflows/ and .github/scripts/ directories

Files:

  • .github/workflows/ai-issue-triage.yml
**/.github/{workflows,scripts,prompts}/**

📄 CodeRabbit inference engine (.agents/retrospective/2025-12-18-ai-workflow-implementation.md)

AI automation in CI/CD requires verdict tokens (PASS/WARN/CRITICAL_FAIL) for deterministic bash parsing without AI interpretation

Files:

  • .github/workflows/ai-issue-triage.yml
.github/workflows/ai-*.yml

📄 CodeRabbit inference engine (.agents/sessions/2025-12-18-session-03-ai-workflow-implementation.md)

.github/workflows/ai-*.yml: Use structured verdict tokens (PASS, WARN, CRITICAL_FAIL) for AI agent outputs in GitHub Actions workflows to enable machine parsing for CI decisions
Implement sequential agent invocation in workflows to allow dependencies between analyses
Implement concurrency groups in GitHub Actions workflows to prevent duplicate reviews on rapid commits
Use hybrid reporting (PR comments + check annotations) for AI review verdicts in GitHub Actions

.github/workflows/ai-*.yml: Use GitHub markdown alert syntax (> [!TIP], > [!CAUTION]) for verdict blocks in AI workflow comments
Add emoji headers (🤖, 🔒, 🧪, 📊, 📋, 📐) for visual appeal in AI workflow PR comments
Include verdict badges (✅ PASS, ⚠️ WARN, ❌ FAIL) in summary tables of AI workflow comments
Use collapsible details sections for verbose content in AI workflow comments to reduce visual noise
Add HTML comment markers in AI workflow comments for idempotent comment updates
Include a Run Details footer with metadata table (run ID, trigger info) in AI workflow comments
Add branded footer with links to workflow file and repository in AI workflow comments
Use left-aligned text and center-aligned status icons in AI workflow comment tables

Implement structured output tokens (PASS, WARN, CRITICAL_FAIL) for AI agent verdicts in workflows to enable deterministic bash parsing

Files:

  • .github/workflows/ai-issue-triage.yml
{.github/**/*.sh,.github/workflows/*.yml,.github/actions/**/*.yml}

📄 CodeRabbit inference engine (.agents/sessions/2025-12-18-session-04-ai-workflow-debugging.md)

Avoid explicit gh auth login --with-token when GH_TOKEN environment variable is already set, as gh CLI automatically uses the env var and will fail with exit code 1

Files:

  • .github/workflows/ai-issue-triage.yml
**/.github/{workflows,actions}/**/*.yml

📄 CodeRabbit inference engine (.agents/sessions/2025-12-18-session-13-workflow-lessons.md)

Use composite actions to encapsulate reusable workflow steps (Node.js/npm/Copilot CLI setup, authentication, agent loading, verdict parsing)

Files:

  • .github/workflows/ai-issue-triage.yml
**/.github/workflows/ai-*.yml

📄 CodeRabbit inference engine (.agents/sessions/2025-12-18-session-13-workflow-lessons.md)

Use structured verdict tokens (PASS | WARN | CRITICAL_FAIL) for AI agent workflow automation decisions

Files:

  • .github/workflows/ai-issue-triage.yml
**/.github/workflows/***.yml

📄 CodeRabbit inference engine (.agents/sessions/2025-12-18-session-13-workflow-lessons.md)

Convert single-job loops to multi-job matrix structures (detect → validate → aggregate) for parallel validation with artifact passing

Files:

  • .github/workflows/ai-issue-triage.yml
{.github/**/*.{sh,yml,yaml},**/*.sh}

📄 CodeRabbit inference engine (.agents/sessions/2025-12-18-session-34-pr-60-comment-response.md)

{.github/**/*.{sh,yml,yaml},**/*.sh}: Avoid gh auth login authentication patterns; use session-based authentication instead (reference Session 04 for implementation details)
Use secret masking for sensitive tokens like BOT_PAT in shell commands and CI/CD workflows

Files:

  • .github/workflows/ai-issue-triage.yml
.github/workflows/ai-issue-triage.yml

📄 CodeRabbit inference engine (.agents/security/SR-001-ai-issue-triage-remediation.md)

.github/workflows/ai-issue-triage.yml: Replace bash parsing with PowerShell when handling AI-generated output in CI workflows to prevent command injection vulnerabilities from improper input validation
Use PowerShell Get-LabelsFromAIOutput function for parsing labels from AI output instead of bash regex patterns with grep, tr, and xargs
Validate priority values to only accept P0-P4 format before using in commands or GitHub API calls
Use PowerShell ConvertFrom-Json with proper error handling instead of bash regex for parsing JSON output from AI agents

Regex patterns for issue title validation must reject trailing special characters and require 1-50 characters total with alphanumeric start/end boundaries, using pattern: ^(?=.{1,50}$)[A-Za-z0-9](?:[A-Za-z0-9 _\.-]*[A-Za-z0-9])?$

Files:

  • .github/workflows/ai-issue-triage.yml
**/{.github/workflows/*.yml,.github/scripts/*.psm1}

📄 CodeRabbit inference engine (.agents/qa/057-pr-222-import-module-standardization.md)

Standardize Import-Module paths to use $env:GITHUB_WORKSPACE variable instead of relative paths

Files:

  • .github/workflows/ai-issue-triage.yml
**/{.github,workflows}/**/*.{yml,yaml}

📄 CodeRabbit inference engine (.agents/sessions/2025-12-21-session-58-pr-141.md)

All skip jobs in workflows that document a checkout requirement must include the checkout step

Files:

  • .github/workflows/ai-issue-triage.yml
**/{.github/workflows/*.{yml,yaml},**/*.ps1}

📄 CodeRabbit inference engine (.agents/retrospective/2025-12-22-pr-249-comprehensive-retrospective.md)

Parameterize branch references instead of hardcoding values like 'main' in workflow scripts and automation code

Files:

  • .github/workflows/ai-issue-triage.yml
{**/.github/workflows/*.yml,**/*.ps1}

📄 CodeRabbit inference engine (.agents/sessions/2025-12-22-session-67-pr-249-review-response.md)

{**/.github/workflows/*.yml,**/*.ps1}: Default dry_run to true when inputs.dry_run is empty to prevent DryRun bypass for scheduled GitHub Actions runs
Allow protected branch checks to pass when GITHUB_ACTIONS=true to prevent CI workflow failures

Files:

  • .github/workflows/ai-issue-triage.yml
**/.github/workflows/*.{yaml,yml}

📄 CodeRabbit inference engine (.agents/sessions/2025-12-22-session-72-pr-249-retrospective.md)

**/.github/workflows/*.{yaml,yml}: When workflow inputs are empty (scheduled triggers), default to fail-safe mode (dry_run=true) instead of fail-open
Explicitly declare environment variables (secrets, tokens) in each GitHub Actions workflow step that needs them, rather than relying on job-level inheritance

Files:

  • .github/workflows/ai-issue-triage.yml
{**/*.test.{js,ts,ps1},.github/workflows/**/*.{yml,yaml}}

📄 CodeRabbit inference engine (.agents/sessions/2025-12-22-session-79-pr-268-review-response.md)

Use unique identifiers (such as issue numbers) in test cleanup operations to prevent race conditions across concurrent workflow runs

Files:

  • .github/workflows/ai-issue-triage.yml
🔍 Remote MCP DeepWiki, GitHub Copilot, Microsoft Learn

Summary of extra context and quick checks for this PR

  • The change is correct: in PowerShell a colon after a bare variable name is parsed as a scope modifier (e.g. $global:var); use the braced form ${issueNumber} so the following ":" is a literal. (Microsoft Learn)
  • Repository uses PowerShell scripts and lists PowerShell (5.1+/Core 7+) as a prerequisite; several install/automation scripts are PowerShell .ps1 files — workflows using pwsh are expected. (DeepWiki)
  • The project wiki does not reference a specific ai-issue-triage workflow page (no DeepWiki entry found) — verify the actual workflow file in the repo. (DeepWiki)
  • I attempted to fetch .github/workflows/ai-issue-triage.yml via the repo tool but the fetch failed (tool error); please confirm the exact diff/lines in that workflow and re-run/trigger the job to validate runtime behavior. (GitHub Copilot)

Minimal reviewer checklist

  1. Confirm the job/step that prints the message runs in pwsh (shell: pwsh) so PowerShell parsing applies.
  2. Search the repo for occurrences of the pattern $[A-Za-z_]\w*: (e.g., $issueNumber:) and update to ${var} where the colon is intended as literal.
  3. Re-run the workflow (or schedule the sweep job) to verify the parser error is gone at runtime.


🔇 Additional comments (1)
.github/workflows/ai-issue-triage.yml (1)

570-570: Fix is correct.

The braced syntax ${issueNumber} properly delimits the variable so PowerShell treats the colon as a literal character instead of a scope modifier. This resolves the parser error.


Comment @coderabbitai help to get the list of available commands and usage tips.
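The reviewer checklist above asks for two things: confirm the step is parsed as PowerShell, and find other `$name:` occurrences where the colon is meant literally. The following is an added example, not code from this PR or from the ai-agents repository, that does both mechanically with the public PowerShell parser API instead of a text grep. It reports hard parse errors (the case this PR fixes, where `:` is followed by a character that cannot start a variable name) and, as a heuristic, drive-qualified references such as `$issueNumber:done` that parse cleanly but silently resolve against a PSDrive named `issueNumber`. The sample script strings are constructed here to mirror the PR's before/after line; the `$ScopeKeywords` allowlist and the `Get-PSDrive` lookup are the example's own assumptions about what counts as a legitimate colon.

```powershell
# Added example (not part of this PR or the repository): lint inline pwsh
# scripts for the "$var:" scope/drive ambiguity before a workflow run hits it.
# Assumptions: scope keywords below are treated as legitimate; any other
# drive-qualified name that is not a PSDrive on this machine is flagged.

$ScopeKeywords = @('global', 'local', 'script', 'private', 'using')

function Get-NestedTokens {
    # Yield a token and, for expandable strings ("..."), the tokens inside it,
    # because "$issueNumber: ..." lives inside a StringExpandableToken.
    param([System.Management.Automation.Language.Token]$Token)
    $Token
    if ($Token -is [System.Management.Automation.Language.StringExpandableToken] -and $Token.NestedTokens) {
        foreach ($n in $Token.NestedTokens) { Get-NestedTokens -Token $n }
    }
}

function Test-PwshScriptSyntax {
    param(
        [Parameter(Mandatory)][string]$ScriptText,
        [string]$Name = '<inline>'
    )
    $tokens = $null
    $errors = $null
    [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors) | Out-Null

    # 1. Hard parse errors, e.g. "Variable reference is not valid. ':' was not
    #    followed by a valid variable name character." (the error in this PR)
    foreach ($e in $errors) {
        [pscustomobject]@{
            Name    = $Name
            Kind    = 'ParseError'
            Line    = $e.Extent.StartLineNumber
            Column  = $e.Extent.StartColumnNumber
            Message = $e.Message
        }
    }

    # 2. Heuristic: "$issueNumber:done" is NOT a parse error; it is a reference
    #    to variable 'done' on drive 'issueNumber'. Flag drive-qualified
    #    variables whose drive is neither a scope keyword nor a real PSDrive.
    $drives = (Get-PSDrive).Name
    foreach ($t in ($tokens | ForEach-Object { Get-NestedTokens -Token $_ })) {
        if ($t -is [System.Management.Automation.Language.VariableToken] -and
            $t.VariablePath.IsDriveQualified -and
            $t.VariablePath.DriveName -notin $ScopeKeywords -and
            $t.VariablePath.DriveName -notin $drives) {
            [pscustomobject]@{
                Name    = $Name
                Kind    = 'SuspiciousDrive'
                Line    = $t.Extent.StartLineNumber
                Column  = $t.Extent.StartColumnNumber
                Message = "'$($t.Text)' is read from drive '$($t.VariablePath.DriveName)'; use `${name}: if the colon is literal"
            }
        }
    }
}

# Constructed samples (single-quoted so nothing expands here) mirroring the
# PR's before/after line plus two neighbours the grep in the checklist misses.
$before = 'Write-Host "  Issue #$issueNumber: $issueTitle - NOT TRIAGED" -ForegroundColor Yellow'
$after  = 'Write-Host "  Issue #${issueNumber}: $issueTitle - NOT TRIAGED" -ForegroundColor Yellow'
$sneaky = 'Write-Host "  Issue #$issueNumber:done"'             # parses, wrong variable
$legit  = 'Write-Host "$env:GITHUB_WORKSPACE $script:count"'   # colon is a real drive/scope

Test-PwshScriptSyntax -ScriptText $before -Name 'before'   # one ParseError
Test-PwshScriptSyntax -ScriptText $after  -Name 'after'    # no findings
Test-PwshScriptSyntax -ScriptText $sneaky -Name 'sneaky'   # one SuspiciousDrive
Test-PwshScriptSyntax -ScriptText $legit  -Name 'legit'    # no findings
```

To use this against the workflow itself, extract each `run:` block of a step that declares `shell: pwsh` and pass the text to `Test-PwshScriptSyntax` with the step name; a non-empty result should fail the pre-commit hook or CI lint step. Running the parser rather than executing the script keeps the check side-effect free, which matters when the inline script calls `gh` with a token in `GH_TOKEN`.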


Labels

area-workflows GitHub Actions workflows bug Something isn't working github-actions GitHub Actions workflow updates
