Description
This follows up on a reviewed security finding from githubnext/gh-aw-security. The finding indicates a likely gh-aw defect in the compile-time expression safety boundary: env.* expressions (e.g. ${{ env.GITHUB_TOKEN }}) in workflow markdown are accepted by gh-aw compile without error and propagated into the generated lock file as GH_AW_ENV_GITHUB_TOKEN: ${{ env.GITHUB_TOKEN }}, which is wired into the agent's runtime environment. The canonical documentation (reference/templating/ and troubleshooting/common-issues/) explicitly lists env.* as a prohibited expression category in markdown. Workflow authors who rely on compile-time rejection to prevent accidental secret exposure via env.* references are therefore not protected.

Suggested fix: add env.* to the markdown expression blocklist and add a regression test asserting that env_direct.md produces a non-zero exit with no lock output. Reproduced with the v0.63.1 binary.
Affected area: Compile-time expression safety validator / markdown expression allowlist
Original finding: https://github.com/githubnext/gh-aw-security/issues/1524
gh-aw version (this workflow): v0.63.1
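The kind of blocklist check the suggested fix describes, as an added illustration rather than gh-aw's own validator code: it extracts every ${{ ... }} expression from workflow markdown, classifies it by its root context, and refuses (returns an error, so no lock file would be written) when the root is env. The regexp, the rootOf helper, the blockedRoots table and the sample markdown standing in for env_direct.md are all constructed here, not taken from the project.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Matches ${{ ... }} and captures the expression text (constructed pattern).
var exprRe = regexp.MustCompile(`\$\{\{\s*(.*?)\s*\}\}`)

// Root contexts that must never appear in markdown. The page names only
// env.*; any further categories would be added to this table.
var blockedRoots = map[string]bool{"env": true}

// FindExpressions returns the inner text of each ${{ ... }} in markdown.
func FindExpressions(markdown string) []string {
	var out []string
	for _, m := range exprRe.FindAllStringSubmatch(markdown, -1) {
		out = append(out, m[1])
	}
	return out
}

// rootOf returns the leading context of an expression, e.g. "env" for
// "env.GITHUB_TOKEN" and "github" for "github.event.issue.number".
func rootOf(expr string) string {
	expr = strings.TrimSpace(expr)
	if i := strings.IndexAny(expr, ".[ "); i >= 0 {
		return expr[:i]
	}
	return expr
}

// ValidateMarkdown returns an error listing every blocked expression, so a
// compiler can exit non-zero instead of propagating them into a lock file.
func ValidateMarkdown(markdown string) error {
	var bad []string
	for _, e := range FindExpressions(markdown) {
		if blockedRoots[rootOf(e)] {
			bad = append(bad, "${{ "+e+" }}")
		}
	}
	if len(bad) > 0 {
		return fmt.Errorf("prohibited expression(s) in markdown: %s", strings.Join(bad, ", "))
	}
	return nil
}

func main() {
	// Constructed sample standing in for env_direct.md.
	fmt.Println(ValidateMarkdown("Use ${{ env.GITHUB_TOKEN }} to call the API."))
}
```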
Generated by File gh-aw Issue