Summary
observability.otlp with headers set produces invalid YAML in the safe-outputs job. Compilation fails schema validation with:
error: invalid workflow: failed to parse YAML for schema validation:
yaml: line NNNN: could not find expected ':'
The auto-injected "Mask OTLP telemetry headers" step (added only when OTLP headers are present) causes the safe-outputs job's setup steps to be duplicated/misplaced — a run:-block line is emitted at with:-level indentation, where a YAML key is expected.
Removing headers (endpoint-only) compiles cleanly, so the trigger is specifically the header → masking-step injection path.
Affected versions
- v0.74.3 (reproduced)
- v0.77.5 (reproduced — latest at time of filing)
Reproduction
A real workflow that reliably reproduces uses safe-outputs.github-app + add-comment + add-labels + tools.github (mode: remote, github-app) + inlined-imports, with:
observability:
  otlp:
    endpoint: ${{ secrets.OTLP_ENDPOINT }}
    headers:
      Authorization: ${{ secrets.OTLP_TOKEN }}
gh aw compile <file> --validate --approve → invalid YAML. Drop headers: → clean.
Evidence (the displaced line)
The "Setup agent output environment variable" step appears twice, and a run: line escapes into a neighboring step:
- name: Generate GitHub App token
  uses: actions/create-github-app-token@...
  with:
    ...
    permission-pull-requests: write
    echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_OUTPUT" # <-- shell line at with:-indent → parse error
Minimization
These simpler configs with headers all compiled cleanly (did not reproduce), so the trigger is an interaction, not a single key:
safe-outputs.add-comment alone
+ safe-outputs.github-app
+ tools.github (mode: remote, github-app)
Workaround
Drop headers and embed an ingest key in the endpoint URL (stored as a secret):
observability:
  otlp:
    endpoint: ${{ secrets.OTLP_ENDPOINT }} # URL carries the key/path
The documented env-var alternative (OTEL_EXPORTER_OTLP_HEADERS in frontmatter env:) also triggers the masking-step injection (same bug), and additionally warns that the secret leaks to the agent container — so it is not a viable workaround.
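A line-based check for the two symptoms described in this report (a non-key line at the child indentation of a with: block, and a repeated step name), usable on compiled output that no YAML parser will load. This is an added example, not code from gh-aw or from the reporter; the function name scan, the job name and the sample workflow text are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample mimicking the displaced line quoted in the report
# (not real compiler output; the action ref is a placeholder).
SAMPLE = '''\
jobs:
  safe_outputs:
    steps:
      - name: Setup agent output environment variable
        run: |
          echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_OUTPUT"
      - name: Generate GitHub App token
        uses: actions/create-github-app-token@PLACEHOLDER
        with:
          permission-pull-requests: write
          echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_OUTPUT"
      - name: Setup agent output environment variable
        run: |
          echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_OUTPUT"
'''

KEY = re.compile(r'^[A-Za-z0-9_.-]+:(\s|$)')          # "key:" or "key: value"
STEP_NAME = re.compile(r'^\s*-\s+name:\s*(.+?)\s*$')  # "- name: ..." list item

def scan(text):
    """Return (stray_lines_in_with_blocks, duplicated_step_names)."""
    stray, names = [], Counter()
    with_indent = child_indent = None
    for no, line in enumerate(text.splitlines(), 1):
        body = line.strip()
        if not body or body.startswith('#'):
            continue
        m = STEP_NAME.match(line)
        if m:
            names[m.group(1)] += 1
        col = len(line) - len(line.lstrip(' '))
        if with_indent is not None:
            if col <= with_indent:            # dedent: the with: mapping ended
                with_indent = child_indent = None
            else:
                if child_indent is None:      # first child fixes the key column
                    child_indent = col
                # Deeper lines belong to a multi-line value and are skipped.
                if col == child_indent and not KEY.match(body):
                    stray.append((no, body))
        if body == 'with:':
            with_indent, child_indent = col, None
    return stray, sorted(n for n, c in names.items() if c > 1)
```
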