fix: update tests for copilot pre-flight diagnostic step

Update all Copilot engine tests to account for the new pre-flight
diagnostic step (2 steps instead of 1). Extract a shared helper
for finding the Copilot execution step, and regenerate WASM golden
files to include the new step.

Fixes:
- TestFirewallArgsInCopilotEngine
- TestFirewallBlockedDomainsInCopilotEngine
- TestFirewallLogLevelInCopilotEngine
- TestChrootModeInAWFContainer
- TestChrootModeEnvFlags
- TestMCPScriptsWithFirewallIncludesHostDockerInternal
- TestEngineAWFEnableApiProxy
- TestWasmGolden_CompileFixtures (golden files)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: lpcox

pkg/workflow/enable_api_proxy_test.go

@@ -5,6 +5,35 @@ import (
 	"testing"
 )
 
+func requireCopilotPreflightAndExecutionSteps(t *testing.T, steps []GitHubActionStep) (string, string) {
+	t.Helper()
+
+	if len(steps) != 2 {
+		t.Fatalf("Expected 2 execution steps (preflight + execution), got %d", len(steps))
+	}
+
+	preflightContent := strings.Join(steps[0], "\n")
+	if !strings.Contains(preflightContent, "Copilot pre-flight diagnostic") {
+		t.Fatalf("Expected first Copilot step to be the pre-flight diagnostic, got:\n%s", preflightContent)
+	}
+	if !strings.Contains(preflightContent, "id: copilot-preflight") {
+		t.Fatalf("Expected pre-flight step to have id 'copilot-preflight', got:\n%s", preflightContent)
+	}
+	if !strings.Contains(preflightContent, "copilot_preflight_diagnostic.sh") {
+		t.Fatalf("Expected pre-flight step to run the diagnostic script, got:\n%s", preflightContent)
+	}
+
+	executionContent := strings.Join(steps[1], "\n")
+	if !strings.Contains(executionContent, "Execute GitHub Copilot CLI") {
+		t.Fatalf("Expected second Copilot step to execute the CLI, got:\n%s", executionContent)
+	}
+	if !strings.Contains(executionContent, "id: agentic_execution") {
+		t.Fatalf("Expected execution step to have id 'agentic_execution', got:\n%s", executionContent)
+	}
+
+	return preflightContent, executionContent
+}
+
 // TestEngineAWFEnableApiProxy tests that engines with LLM gateway support
 // include --enable-api-proxy flag in AWF commands.
 func TestEngineAWFEnableApiProxy(t *testing.T) {
@@ -51,11 +80,7 @@ func TestEngineAWFEnableApiProxy(t *testing.T) {
 		engine := NewCopilotEngine()
 		steps := engine.GetExecutionSteps(workflowData, "test.log")
 
-		if len(steps) == 0 {
-			t.Fatal("Expected at least one execution step")
-		}
-
-		stepContent := strings.Join(steps[0], "\n")
+		_, stepContent := requireCopilotPreflightAndExecutionSteps(t, steps)
 
 		if !strings.Contains(stepContent, "--enable-api-proxy") {
 			t.Error("Expected Copilot AWF command to contain '--enable-api-proxy' flag")

pkg/workflow/firewall_args_test.go

@@ -27,11 +27,7 @@ func TestFirewallArgsInCopilotEngine(t *testing.T) {
 		engine := NewCopilotEngine()
 		steps := engine.GetExecutionSteps(workflowData, "test.log")
 
-		if len(steps) == 0 {
-			t.Fatal("Expected at least one execution step")
-		}
-
-		stepContent := strings.Join(steps[0], "\n")
+		_, stepContent := requireCopilotPreflightAndExecutionSteps(t, steps)
 
 		// Check that the command contains awf (AWF v0.15.0+ uses chroot mode by default)
 		if !strings.Contains(stepContent, "sudo -E awf") {
@@ -69,11 +65,7 @@ func TestFirewallArgsInCopilotEngine(t *testing.T) {
 		engine := NewCopilotEngine()
 		steps := engine.GetExecutionSteps(workflowData, "test.log")
 
-		if len(steps) == 0 {
-			t.Fatal("Expected at least one execution step")
-		}
-
-		stepContent := strings.Join(steps[0], "\n")
+		_, stepContent := requireCopilotPreflightAndExecutionSteps(t, steps)
 
 		// Check that custom args are included
 		if !strings.Contains(stepContent, "--custom-arg") {
@@ -111,11 +103,7 @@ func TestFirewallArgsInCopilotEngine(t *testing.T) {
 		engine := NewCopilotEngine()
 		steps := engine.GetExecutionSteps(workflowData, "test.log")
 
-		if len(steps) == 0 {
-			t.Fatal("Expected at least one execution step")
-		}
-
-		stepContent := strings.Join(steps[0], "\n")
+		_, stepContent := requireCopilotPreflightAndExecutionSteps(t, steps)
 
 		// Check that args with spaces are present (they should be escaped)
 		if !strings.Contains(stepContent, "--message") {
@@ -144,11 +132,7 @@ func TestFirewallArgsInCopilotEngine(t *testing.T) {
 		engine := NewCopilotEngine()
 		steps := engine.GetExecutionSteps(workflowData, "test.log")
 
-		if len(steps) == 0 {
-			t.Fatal("Expected at least one execution step")
-		}
-
-		stepContent := strings.Join(steps[0], "\n")
+		_, stepContent := requireCopilotPreflightAndExecutionSteps(t, steps)
 
 		// Check that AWF is used for transparent host access (AWF v0.15.0+)
 		// Chroot mode is now the default, so no --enable-chroot flag is needed
@@ -178,11 +162,7 @@ func TestFirewallArgsInCopilotEngine(t *testing.T) {
 		engine := NewCopilotEngine()
 		steps := engine.GetExecutionSteps(workflowData, "test.log")
 
-		if len(steps) == 0 {
-			t.Fatal("Expected at least one execution step")
-		}
-
-		stepContent := strings.Join(steps[0], "\n")
+		_, stepContent := requireCopilotPreflightAndExecutionSteps(t, steps)
 
 		// Check that --image-tag is included with default version (without v prefix)
 		expectedImageTag := "--image-tag " + strings.TrimPrefix(string(constants.DefaultFirewallVersion), "v")
@@ -209,11 +189,7 @@ func TestFirewallArgsInCopilotEngine(t *testing.T) {
 		engine := NewCopilotEngine()
 		steps := engine.GetExecutionSteps(workflowData, "test.log")
 
-		if len(steps) == 0 {
-			t.Fatal("Expected at least one execution step")
-		}
-
-		stepContent := strings.Join(steps[0], "\n")
+		_, stepContent := requireCopilotPreflightAndExecutionSteps(t, steps)
 
 		// Check that --image-tag is included with custom version (without v prefix)
 		expectedImageTag := "--image-tag " + strings.TrimPrefix(customVersion, "v")
@@ -245,11 +221,7 @@ func TestFirewallArgsInCopilotEngine(t *testing.T) {
 		engine := NewCopilotEngine()
 		steps := engine.GetExecutionSteps(workflowData, "test.log")
 
-		if len(steps) == 0 {
-			t.Fatal("Expected at least one execution step")
-		}
-
-		stepContent := strings.Join(steps[0], "\n")
+		_, stepContent := requireCopilotPreflightAndExecutionSteps(t, steps)
 
 		// Check that --ssl-bump flag is included
 		if !strings.Contains(stepContent, "--ssl-bump") {
@@ -275,11 +247,7 @@ func TestFirewallArgsInCopilotEngine(t *testing.T) {
 		engine := NewCopilotEngine()
 		steps := engine.GetExecutionSteps(workflowData, "test.log")
 
-		if len(steps) == 0 {
-			t.Fatal("Expected at least one execution step")
-		}
-
-		stepContent := strings.Join(steps[0], "\n")
+		_, stepContent := requireCopilotPreflightAndExecutionSteps(t, steps)
 
 		// Check that --ssl-bump flag is included
 		if !strings.Contains(stepContent, "--ssl-bump") {
@@ -314,11 +282,7 @@ func TestFirewallArgsInCopilotEngine(t *testing.T) {
 		engine := NewCopilotEngine()
 		steps := engine.GetExecutionSteps(workflowData, "test.log")
 
-		if len(steps) == 0 {
-			t.Fatal("Expected at least one execution step")
-		}
-
-		stepContent := strings.Join(steps[0], "\n")
+		_, stepContent := requireCopilotPreflightAndExecutionSteps(t, steps)
 
 		// Check that --ssl-bump flag is NOT included
 		if strings.Contains(stepContent, "--ssl-bump") {

pkg/workflow/firewall_blocked_domains_test.go

@@ -29,9 +29,7 @@ func TestFirewallBlockedDomainsInCopilotEngine(t *testing.T) {
 		engine := NewCopilotEngine()
 		steps := engine.GetExecutionSteps(workflowData, "test.log")
 
-		assert.NotEmpty(t, steps, "Expected at least one execution step")
-
-		stepContent := strings.Join(steps[0], "\n")
+		_, stepContent := requireCopilotPreflightAndExecutionSteps(t, steps)
 
 		// Verify --allow-domains is present
 		assert.Contains(t, stepContent, "--allow-domains", "Expected command to contain '--allow-domains'")
@@ -61,9 +59,7 @@ func TestFirewallBlockedDomainsInCopilotEngine(t *testing.T) {
 		engine := NewCopilotEngine()
 		steps := engine.GetExecutionSteps(workflowData, "test.log")
 
-		assert.NotEmpty(t, steps, "Expected at least one execution step")
-
-		stepContent := strings.Join(steps[0], "\n")
+		_, stepContent := requireCopilotPreflightAndExecutionSteps(t, steps)
 
 		// Verify --allow-domains is present
 		assert.Contains(t, stepContent, "--allow-domains", "Expected command to contain '--allow-domains'")
@@ -90,9 +86,7 @@ func TestFirewallBlockedDomainsInCopilotEngine(t *testing.T) {
 		engine := NewCopilotEngine()
 		steps := engine.GetExecutionSteps(workflowData, "test.log")
 
-		assert.NotEmpty(t, steps, "Expected at least one execution step")
-
-		stepContent := strings.Join(steps[0], "\n")
+		_, stepContent := requireCopilotPreflightAndExecutionSteps(t, steps)
 
 		// Verify --block-domains is present
 		assert.Contains(t, stepContent, "--block-domains", "Expected command to contain '--block-domains'")

pkg/workflow/firewall_log_level_test.go

@@ -137,11 +137,7 @@ func TestFirewallLogLevelInCopilotEngine(t *testing.T) {
 		engine := NewCopilotEngine()
 		steps := engine.GetExecutionSteps(workflowData, "test.log")
 
-		if len(steps) == 0 {
-			t.Fatal("Expected at least one execution step")
-		}
-
-		stepContent := strings.Join(steps[0], "\n")
+		_, stepContent := requireCopilotPreflightAndExecutionSteps(t, steps)
 
 		// Check that the command contains --log-level info (default)
 		if !strings.Contains(stepContent, "--log-level info") {
@@ -166,11 +162,7 @@ func TestFirewallLogLevelInCopilotEngine(t *testing.T) {
 		engine := NewCopilotEngine()
 		steps := engine.GetExecutionSteps(workflowData, "test.log")
 
-		if len(steps) == 0 {
-			t.Fatal("Expected at least one execution step")
-		}
-
-		stepContent := strings.Join(steps[0], "\n")
+		_, stepContent := requireCopilotPreflightAndExecutionSteps(t, steps)
 
 		// Check that the command contains --log-level debug
 		if !strings.Contains(stepContent, "--log-level debug") {
@@ -198,11 +190,7 @@ func TestFirewallLogLevelInCopilotEngine(t *testing.T) {
 			engine := NewCopilotEngine()
 			steps := engine.GetExecutionSteps(workflowData, "test.log")
 
-			if len(steps) == 0 {
-				t.Fatalf("Expected at least one execution step for log-level '%s'", level)
-			}
-
-			stepContent := strings.Join(steps[0], "\n")
+			_, stepContent := requireCopilotPreflightAndExecutionSteps(t, steps)
 
 			expectedFlag := "--log-level " + level
 			if !strings.Contains(stepContent, expectedFlag) {

pkg/workflow/gh_cli_mount_test.go

@@ -25,11 +25,7 @@ func TestChrootModeInAWFContainer(t *testing.T) {
 		engine := NewCopilotEngine()
 		steps := engine.GetExecutionSteps(workflowData, "test.log")
 
-		if len(steps) == 0 {
-			t.Fatal("Expected at least one execution step")
-		}
-
-		stepContent := strings.Join(steps[0], "\n")
+		_, stepContent := requireCopilotPreflightAndExecutionSteps(t, steps)
 
 		// Check that AWF is used (chroot mode is default in v0.15.0+)
 		if !strings.Contains(stepContent, "sudo -E awf") {
@@ -53,11 +49,7 @@ func TestChrootModeInAWFContainer(t *testing.T) {
 		engine := NewCopilotEngine()
 		steps := engine.GetExecutionSteps(workflowData, "test.log")
 
-		if len(steps) == 0 {
-			t.Fatal("Expected at least one execution step")
-		}
-
-		stepContent := strings.Join(steps[0], "\n")
+		_, stepContent := requireCopilotPreflightAndExecutionSteps(t, steps)
 
 		// Check that AWF command is not used
 		if strings.Contains(stepContent, "awf") {
@@ -81,11 +73,7 @@ func TestChrootModeInAWFContainer(t *testing.T) {
 		engine := NewCopilotEngine()
 		steps := engine.GetExecutionSteps(workflowData, "test.log")
 
-		if len(steps) == 0 {
-			t.Fatal("Expected at least one execution step")
-		}
-
-		stepContent := strings.Join(steps[0], "\n")
+		_, stepContent := requireCopilotPreflightAndExecutionSteps(t, steps)
 
 		// Verify AWF is present (chroot mode is default in v0.15.0+)
 		if !strings.Contains(stepContent, "sudo -E awf") {
@@ -125,11 +113,7 @@ func TestChrootModeInAWFContainer(t *testing.T) {
 		engine := NewCopilotEngine()
 		steps := engine.GetExecutionSteps(workflowData, "test.log")
 
-		if len(steps) == 0 {
-			t.Fatal("Expected at least one execution step")
-		}
-
-		stepContent := strings.Join(steps[0], "\n")
+		_, stepContent := requireCopilotPreflightAndExecutionSteps(t, steps)
 
 		// Verify AWF is present with custom args (chroot mode is default in v0.15.0+)
 		if !strings.Contains(stepContent, "sudo -E awf") {
@@ -163,11 +147,7 @@ func TestChrootModeInAWFContainer(t *testing.T) {
 		engine := NewCopilotEngine()
 		steps := engine.GetExecutionSteps(workflowData, "test.log")
 
-		if len(steps) == 0 {
-			t.Fatal("Expected at least one execution step")
-		}
-
-		stepContent := strings.Join(steps[0], "\n")
+		_, stepContent := requireCopilotPreflightAndExecutionSteps(t, steps)
 
 		// Verify AWF is being used (chroot mode is default in v0.15.0+)
 		if !strings.Contains(stepContent, "awf") {
@@ -194,11 +174,7 @@ func TestChrootModeEnvFlags(t *testing.T) {
 		engine := NewCopilotEngine()
 		steps := engine.GetExecutionSteps(workflowData, "test.log")
 
-		if len(steps) == 0 {
-			t.Fatal("Expected at least one execution step")
-		}
-
-		stepContent := strings.Join(steps[0], "\n")
+		_, stepContent := requireCopilotPreflightAndExecutionSteps(t, steps)
 
 		// Verify AWF is present (chroot mode is default in v0.15.0+)
 		if !strings.Contains(stepContent, "sudo -E awf") {

pkg/workflow/mcp_scripts_firewall_test.go

@@ -37,11 +37,7 @@ func TestMCPScriptsWithFirewallIncludesHostDockerInternal(t *testing.T) {
 	engine := NewCopilotEngine()
 	steps := engine.GetExecutionSteps(workflowData, "test.log")
 
-	if len(steps) == 0 {
-		t.Fatal("Expected at least one execution step")
-	}
-
-	stepContent := strings.Join(steps[0], "\n")
+	_, stepContent := requireCopilotPreflightAndExecutionSteps(t, steps)
 
 	// Verify that host.docker.internal is in the allowed domains
 	if !strings.Contains(stepContent, "host.docker.internal") {

pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/basic-copilot.golden

@@ -328,6 +328,14 @@ jobs:
           path: /tmp/gh-aw
       - name: Clean git credentials
         run: bash /opt/gh-aw/actions/clean_git_credentials.sh
+      - name: Copilot pre-flight diagnostic
+        id: copilot-preflight
+        continue-on-error: true
+        env:
+          COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
+          GITHUB_SERVER_URL: ${{ github.server_url }}
+          GITHUB_API_URL: ${{ github.api_url }}
+        run: bash /opt/gh-aw/actions/copilot_preflight_diagnostic.sh
       - name: Execute GitHub Copilot CLI
         id: agentic_execution
         # Copilot CLI tool arguments (sorted):

pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-copilot.golden

@@ -506,6 +506,14 @@ jobs:
           path: /tmp/gh-aw
       - name: Clean git credentials
         run: bash /opt/gh-aw/actions/clean_git_credentials.sh
+      - name: Copilot pre-flight diagnostic
+        id: copilot-preflight
+        continue-on-error: true
+        env:
+          COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
+          GITHUB_SERVER_URL: ${{ github.server_url }}
+          GITHUB_API_URL: ${{ github.api_url }}
+        run: bash /opt/gh-aw/actions/copilot_preflight_diagnostic.sh
       - name: Execute GitHub Copilot CLI
         id: agentic_execution
         # Copilot CLI tool arguments (sorted):

pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/with-imports.golden

@@ -331,6 +331,14 @@ jobs:
           path: /tmp/gh-aw
       - name: Clean git credentials
         run: bash /opt/gh-aw/actions/clean_git_credentials.sh
+      - name: Copilot pre-flight diagnostic
+        id: copilot-preflight
+        continue-on-error: true
+        env:
+          COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
+          GITHUB_SERVER_URL: ${{ github.server_url }}
+          GITHUB_API_URL: ${{ github.api_url }}
+        run: bash /opt/gh-aw/actions/copilot_preflight_diagnostic.sh
       - name: Execute GitHub Copilot CLI
         id: agentic_execution
         # Copilot CLI tool arguments (sorted):