fix(errors): replace fmt.Errorf("%s") with errors.New and preserve error chains in pkg/workflow + pkg/parser (#29197)

Author: Copilot

pkg/parser/frontmatter_content.go

@@ -99,7 +99,7 @@ func ExtractFrontmatterFromContent(content string) (*FrontmatterResult, error) {
 		// Use FormatYAMLError to provide source-positioned error output with adjusted line numbers
 		// FrontmatterStart is 2 (line 2 is where frontmatter content starts after opening ---)
 		formattedErr := FormatYAMLError(err, 2, frontmatterYAML)
-		return nil, fmt.Errorf("failed to parse frontmatter:\n%s", formattedErr)
+		return nil, &FormattedParserError{formatted: "failed to parse frontmatter:\n" + formattedErr, cause: err}
 	}
 
 	// Ensure frontmatter is never nil (yaml.Unmarshal sets it to nil for empty YAML)

pkg/parser/import_error.go

@@ -65,7 +65,7 @@ func FormatImportCycleError(err *ImportCycleError) error {
 	messageBuilder.WriteString("2. Remove one of the imports to break the cycle\n")
 	messageBuilder.WriteString("3. Consider restructuring your workflow imports to avoid circular dependencies\n")
 
-	return fmt.Errorf("%s", messageBuilder.String())
+	return &FormattedParserError{formatted: messageBuilder.String(), cause: err}
 }
 
 // FormattedParserError is a sentinel error type returned by FormatImportError (and similar

pkg/workflow/dangerous_permissions_validation.go

@@ -1,6 +1,7 @@
 package workflow
 
 import (
+	"errors"
 	"fmt"
 	"strings"
 )
@@ -93,5 +94,5 @@ func formatDangerousPermissionsError(writePermissions []PermissionScope) error {
 		lines = append(lines, fmt.Sprintf("  %s: read", scope))
 	}
 
-	return fmt.Errorf("%s", strings.Join(lines, "\n"))
+	return errors.New(strings.Join(lines, "\n"))
 }

pkg/workflow/engine_definition.go

@@ -28,6 +28,7 @@
 package workflow
 
 import (
+	"errors"
 	"fmt"
 	"sort"
 	"strings"
@@ -277,5 +278,5 @@ func (c *EngineCatalog) Resolve(id string, config *EngineConfig) (*ResolvedEngin
 			constants.DocsEnginesURL)
 	}
 
-	return nil, fmt.Errorf("%s", errMsg)
+	return nil, errors.New(errMsg)
 }

pkg/workflow/engine_validation.go

@@ -35,6 +35,7 @@ package workflow
 
 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"os"
 	"path/filepath"
@@ -139,7 +140,7 @@ func (c *Compiler) validateEngineInlineDefinition(config *EngineConfig) error {
 				errMsg = fmt.Sprintf("inline engine definition references unknown runtime.id: %s. Known runtime IDs are: %s.\n\nDid you mean: %s?\n\nExample:\nengine:\n  runtime:\n    id: codex\n\nSee: %s",
 					config.ID, enginesStr, suggestions[0], constants.DocsEnginesURL)
 			}
-			return fmt.Errorf("%s", errMsg)
+			return errors.New(errMsg)
 		}
 	}
 

pkg/workflow/permissions_validation.go

@@ -2,6 +2,7 @@ package workflow
 
 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"maps"
 	"slices"
@@ -351,7 +352,7 @@ func (c *Compiler) ValidateIncludedPermissions(topPermissionsYAML string, import
 			fmt.Fprintf(&errorMsg, "  %s: %s\n", scope, level)
 		}
 
-		return fmt.Errorf("%s", errorMsg.String())
+		return errors.New(errorMsg.String())
 	}
 
 	permissionsValidationLog.Print("All included workflow permissions are satisfied by main workflow")

pkg/workflow/runtime_validation.go

@@ -40,6 +40,7 @@
 package workflow
 
 import (
+	"errors"
 	"fmt"
 	"os"
 	"strings"
@@ -88,7 +89,7 @@ func (c *Compiler) validateExpressionSizes(yamlContent string) error {
 					lineNum+1, actualSize, maxSizeFormatted)
 			}
 
-			return fmt.Errorf("%s", errorMsg)
+			return errors.New(errorMsg)
 		}
 	}
 

pkg/workflow/safe_update_enforcement.go

@@ -1,7 +1,7 @@
 package workflow
 
 import (
-	"fmt"
+	"errors"
 	"sort"
 	"strings"
 
@@ -254,7 +254,7 @@ func buildSafeUpdateError(secretViolations, addedActions, removedActions []strin
 	}
 
 	sb.WriteString("\n\nRemediation options:\n  1. Use the --approve flag to allow the changes.\n  2. Revert the unapproved changes.\n  3. Use an interactive coding agent to review and approve the changes.")
-	return fmt.Errorf("%s", sb.String())
+	return errors.New(sb.String())
 }
 
 // buildSafeUpdateWarningPrompt wraps the raw safe update violation message in a

pkg/workflow/template_injection_utils.go

@@ -1,6 +1,7 @@
 package workflow
 
 import (
+	"errors"
 	"fmt"
 	"regexp"
 	"sort"
@@ -226,5 +227,5 @@ func formatTemplateInjectionError(violations []TemplateInjectionViolation) error
 	builder.WriteString("  - https://docs.zizmor.sh/audits/#template-injection\n")
 	builder.WriteString("  - scratchpad/template-injection-prevention.md\n")
 
-	return fmt.Errorf("%s", builder.String())
+	return errors.New(builder.String())
 }

pkg/workflow/tools_validation_github_toolsets.go

@@ -1,6 +1,7 @@
 package workflow
 
 import (
+	"errors"
 	"fmt"
 	"sort"
 	"strings"
@@ -94,7 +95,7 @@ func validateGitHubToolsAgainstToolsetsImpl(allowedTools []string, enabledToolse
 		errMsg.WriteString(fmt.Sprintf("Valid GitHub tools include: %s\n\n", formatList(validTools[:exampleCount])))
 		errMsg.WriteString("See all tools: https://github.com/github/gh-aw/blob/main/pkg/workflow/data/github_tool_to_toolset.json")
 
-		return fmt.Errorf("%s", errMsg.String())
+		return errors.New(errMsg.String())
 	}
 
 	if len(missingToolsets) > 0 {