Add compile-time syntax validation for concurrency group expressions

[Copilot]

Custom concurrency group expressions can contain GitHub Actions expressions like ${{ github.ref }}. Previously, syntax errors (unbalanced braces, unclosed quotes, malformed operators) were only caught at runtime.

Changes

• New validation module (concurrency_validation.go)

  • Validates ${{ }} brace balance and nesting
  • Checks parentheses and quote pairing (single, double, backtick)
  • Detects malformed logical operators (&&, ||, !)
  • Leverages existing expression parser for complex boolean logic

• Compiler integration (compiler.go)

  • Validates both workflow-level and engine-level concurrency during validateWorkflowData()
  • Handles string format (concurrency: "group") and object format (concurrency: {group: "group"})

Example

Invalid expression:

concurrency: workflow-${{ github.ref

Compile error:

✗ workflow-level concurrency validation failed: unclosed expression braces
  found opening '${{' at position 9 without matching closing '}}'
  Suggestion: Add the missing closing braces.

Valid expressions pass through:

concurrency: workflow-${{ github.ref }}
concurrency: gh-aw-${{ github.workflow }}-${{ github.event.pr.number || github.ref }}

Original prompt

Add compiler support to validate the syntax of custom group expressions as thoroughly as possible and detect obvious syntactic errors at compile time.

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[pelikhan]

At @copilot, add more tests.

[Copilot]

Pull request overview

Adds compile-time validation for GitHub Actions-style ${{ }} expressions used in custom concurrency group strings, surfacing common syntax issues during compilation instead of at runtime.

Changes:

• Introduces a new validation module for concurrency group expressions (braces, parentheses/quotes, and parsing for boolean logic).
• Integrates validation into the compiler for both workflow-level and engine-level concurrency configuration.
• Adds unit + integration tests (and benchmarks) covering common valid/invalid patterns and error message quality.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

File	Description
pkg/workflow/concurrency_validation.go	Implements concurrency group expression extraction + syntax validation logic.
pkg/workflow/compiler.go	Calls the new validator during compile-time workflow data validation for workflow/engine concurrency.
pkg/workflow/concurrency_validation_test.go	Adds unit tests and benchmarks for the new validation helpers and extraction logic.
pkg/workflow/concurrency_validation_integration_test.go	Adds integration tests asserting compile-time failures/successes for concurrency syntax.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The extraction regex \\$\\{\\{([^}]*)\\}\\} fails to match valid expressions that contain a } character inside the expression (e.g., string literals or function calls producing/containing braces). In that case, matches becomes empty and the validator silently skips validating expression content (parentheses/quotes/parser), allowing syntax errors to pass. Consider replacing this regex-based extraction with a small scanner that finds ${{ and the corresponding }} using index searching (and/or reusing the brace-balance traversal) so expressions are always extracted and validated correctly.

Suggested change

	// Pattern to extract content between ${{ and }}
	expressionPattern := regexp.MustCompile(`\$\{\{([^}]*)\}\}`)
	// Pattern to extract content between ${{ and }}.
	// Use a non-greedy wildcard so that '}' characters inside the expression are allowed.
	expressionPattern := regexp.MustCompile(`\$\{\{(.*?)\}\}`)

[Copilot]

Parentheses are counted without considering whether they occur inside quoted strings/backticks. This can produce false positives for expressions like github.ref == '(' or format('(%)', ...), where parentheses inside quotes should not affect balance. A tangible fix is to perform the parentheses scan while tracking quote state (single/double/backtick + escapes), skipping ( and ) when inside any quote context.

[Copilot]

Unclosed quotes can be missed when the final character is a backslash. In that case the loop hits ch == '\\\\', sets escaped = true, continues, and never runs the i == len(expr)-1 unclosed-quote checks. A concrete fix is to move 'unclosed quote' checks after the loop (based on inSingleQuote/inDoubleQuote/inBacktick), rather than relying on the last-iteration branch inside the loop.

[Copilot]

Only parsing expressions when containsLogicalOperators(expr) is true leaves a gap where syntactically invalid expressions without &&, ||, or ! are accepted (e.g., github.ref == or other malformed comparisons/calls). If ParseExpression is intended to be the source of truth for syntax, it should be invoked for all extracted ${{ ... }} expressions after basic brace/quote checks (or at least for a broader set of operator tokens than just logical ones).

Suggested change

	// Try to parse complex expressions with logical operators
	if containsLogicalOperators(expr) {
	if _, err := ParseExpression(expr); err != nil {
	return NewValidationError(
	"concurrency",
	"invalid expression syntax",
	fmt.Sprintf("failed to parse expression in concurrency group: %s", err.Error()),
	fmt.Sprintf("Fix the syntax error in your concurrency group expression. Full expression: %s", fullGroup),
	)
	}
	}
	// Parse all non-empty expressions to validate syntax
	trimmedExpr := strings.TrimSpace(expr)
	if trimmedExpr == "" {
	return nil
	}
	if _, err := ParseExpression(trimmedExpr); err != nil {
	return NewValidationError(
	"concurrency",
	"invalid expression syntax",
	fmt.Sprintf("failed to parse expression in concurrency group: %s", err.Error()),
	fmt.Sprintf("Fix the syntax error in your concurrency group expression. Full expression: %s", fullGroup),
	)
	}