Add auto-hoist-run-expressions codemod: hoist all ${{ ... }} run-block expressions to env bindings

[Copilot]

The existing steps-run-secrets-to-env codemod only handles secrets.*, env.*, and github.token — leaving expressions like github.repository, inputs.*, or steps.*.outputs.* in run: scripts, which triggers the compiler's hard "compiler regression detected" guardrail error with no automated fix path.

New codemod: auto-hoist-run-expressions

Covers every ${{ ... }} expression that slips past steps-run-secrets-to-env, registered immediately after it in the codemod chain.

Naming convention:

• Simple property chains → EXPR_ + sanitised uppercase body: github.token → EXPR_GITHUB_TOKEN, inputs.my-input → EXPR_INPUTS_MY_INPUT
• Complex expressions (operators, function calls) → EXPR_<fnv32-8hex> for collision safety

PowerShell awareness: steps with shell: pwsh or shell: powershell get $env:VARNAME instead of $VARNAME.

Before / After (the failing microsoft/aspire pattern):

# Before
- name: Capture token
  run: |
    echo "GH_TOKEN=${{ github.token }}" >> "$GITHUB_OUTPUT"

# After
- name: Capture token
  env:
    EXPR_GITHUB_TOKEN: ${{ github.token }}
  run: |
    echo "GH_TOKEN=$EXPR_GITHUB_TOKEN" >> "$GITHUB_OUTPUT"

Changes

• pkg/cli/codemod_auto_hoist_run_expressions.go — codemod implementation; reuses shared parseStepKeyLine / effectiveStepLineIndentLen / hashedBindingName helpers from the existing codemod
• pkg/cli/codemod_auto_hoist_run_expressions_test.go — 18 test cases covering: block and inline run forms, simple/complex/PowerShell/multi-expression/dedup/pre-existing-binding scenarios
• pkg/cli/fix_codemods.go — registers codemod after steps-run-secrets-to-env
• pkg/cli/fix_codemods_test.go — updates expected count (48 → 49) and order
• docs/ — adds codemod to cli.md and gh-aw-as-mcp-server.md
• .changeset/ — minor release entry

[pelikhan]

@copilot aren't those codemods the same?

[Copilot]

They're distinct and complementary:

• steps-run-secrets-to-env handles only secrets.*, env.*, and github.token, producing names like MY_TOKEN, GH_AW_ENV_FOO, GH_AW_GITHUB_TOKEN.
• auto-hoist-run-expressions is a catch-all for every remaining ${{ ... }} expression (e.g. github.repository, inputs.*, steps.*.outputs.*) that slips past the first codemod, using the EXPR_ prefix naming convention.

Because steps-run-secrets-to-env runs first and replaces its specific patterns, auto-hoist-run-expressions never sees those expressions again — it only picks up anything the first codemod didn't handle.

[pelikhan]

@copilot merge both code modes, move all expressions out of runs

[Copilot]

@copilot merge both code modes, move all expressions out of runs

Done. auto-hoist-run-expressions has been merged into steps-run-secrets-to-env:

• The catch-all EXPR_ logic (for github.repository, inputs.*, steps.*.outputs.*, etc.) and PowerShell awareness ($env:VARNAME) are now part of steps-run-secrets-to-env.
• The separate codemod_auto_hoist_run_expressions.go file and its registration in fix_codemods.go are removed.
• The codemod count drops from 49 → 48.

Commit: the latest two commits on this branch.

[pelikhan]

@copilot recompile, add tests, fuzz tests

[Copilot]

@copilot recompile, add tests, fuzz tests

Done. Build passes. Three fuzz functions now cover the merged codemod:

• FuzzStepsRunSecretsToEnvCodemod (updated) — validation now checks that no ${{ ... }} remains in run lines (previously only checked specific secrets/env/github.token patterns)
• FuzzStepsRunSecretsToEnvCodemodExpr (new) — covers EXPR_* catch-all for generic property-access chains (github.X, inputs.X, etc.), verifying correct EXPR_GITHUB_X naming and dedup
• FuzzStepsRunSecretsToEnvCodemodPowerShell (new) — verifies that pwsh/powershell steps receive $env:VARNAME instead of bare $VARNAME

Commits: the last two on this branch.

[pelikhan]

@copilot recompile, add tests