Implement security validation to prevent HTTP header injection attacks:
- Reject header values containing \r or \n characters
- Add comprehensive test coverage for CRLF protection
- Replace multiline YAML test with proper rejection test
Security improvements:
- Validates header values to prevent header injection
- Clear warning messages when values are rejected
- Four new test cases covering LF, CR, CRLF, and multiline scenarios
This addresses a critical security concern where malicious headers
could be injected via newline characters in header values.
All 84 tests passing.
Address Copilot AI feedback:
- Remove underscore support from header names (RFC 7230 compliance)
- Add explicit null check for JSON parsing
- Update validation regex to /^[A-Za-z0-9-]+$/
- Add test case for null value handling
- Update documentation to clarify header name requirements
Changes:
- Header names now only accept alphanumeric characters and hyphens
- Improved error messages for invalid headers
- Added test for null JSON input
- Updated APIM example tests
All 81 tests passing.
This change adds support for custom HTTP headers in AI inference requests,
enabling integration with API Management platforms (Azure APIM, AWS API
Gateway, Kong, etc.) and custom request routing/tracking.
Features:
- New 'custom-headers' input supporting both YAML and JSON formats
- Auto-detection of input format for better UX
- Header name validation (alphanumeric, hyphens, underscores)
- Automatic masking of sensitive headers in logs
- Full backward compatibility (optional parameter)
Changes:
- Added parseCustomHeaders() function in helpers.ts
- Updated InferenceRequest interface with optional customHeaders field
- Modified simpleInference() and mcpInference() to pass headers to OpenAI client
- Added 18 comprehensive test cases
- Updated documentation with examples and use cases
All 80 tests passing. Zero breaking changes.
The temporary file created for response-file was being cleaned up
before downstream steps could access it. Now using keep: true to
ensure the file persists until the job completes.
Also added script/ to eslint ignores for the mock server.
In a tool loop, you can't set response_format because the model needs to
be able to think in plain English. But you still need the final response
to be in the desired format, so we add response_format only on the last
iteration.
This enhancement adds the ability to load a system prompt from a file, similar to
the existing prompt-file functionality, providing more flexibility when working with
complex system prompts.
Key changes:
- Added new `system-prompt-file` input to action.yml with proper description
- Updated main.ts implementation to handle file-based system prompts with:
- File existence checking and appropriate error handling
- Proper precedence (system-prompt-file takes priority over system-prompt)
- Consistent error messages with existing prompt-file implementation
Test coverage added:
- Basic usage: Test verifies system-prompt-file loads content correctly
- Error handling: Test ensures proper errors when system-prompt-file doesn't exist
- Precedence: Test confirms system-prompt-file overrides system-prompt when both exist
- Integration: Test validates both prompt-file and system-prompt-file work together
- Max tokens: Test verifies custom token limits are properly passed to the model
- Testing infrastructure: Improved mock implementations that detect unexpected calls
Documentation:
- Updated README.md with system-prompt-file in inputs table
- Added dedicated usage example for system-prompt-file
- Fixed formatting in inputs table
CI/CD:
- Updated workflow to test system-prompt-file functionality with actual file content
This feature maintains backward compatibility while adding a useful option
for workflows that need to use more complex system prompts stored in files.
