Fix YAML syntax error in generated devsecops.yml templates #6

Merged
shenxianpeng merged 2 commits into main from copilot/fix-devsecops-yaml-syntax-error
Mar 28, 2026

Copilot AI commented Mar 28, 2026

Shell heredocs inside run: | blocks require content at column 0, which YAML block scalars interpret as ending the scalar — causing a parse error at the package main line in the embedded Rego policy. All 6 templates (3 GitHub, 3 GitLab) were broken.

Changes

  • GitHub templates — replace the cat <<'REGO' heredoc in the "Write default policy" step with an env variable holding the Rego content as a YAML literal block scalar, written via printf:
      - name: Write default policy
        env:
          DEFAULT_REGO: |
            package main

            import future.keywords.if
            import future.keywords.in

            deny[msg] if {
                run := input.runs[_]
                result := run.results[_]
                result.level == "error"
                tool := run.tool.driver.name
                msg := sprintf("[CRITICAL] %s — %s (rule: %s)", [tool, result.message.text, result.ruleId])
            }
        run: |
          if [ ! -d policy ] || [ -z "$(ls -A policy/*.rego 2>/dev/null)" ]; then
            mkdir -p policy
            printf '%s' "$DEFAULT_REGO" > policy/active.rego
          fi
  • GitLab templates — same fix, using a variables block on the cast-gate job instead of step-level env.
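
The failure mode and the fix described above can be reproduced with any YAML parser; the Ruby script below is an added example, not code from this pull request or from cast-cli. Both templates are constructed, abbreviated stand-ins: the `steps:` wrapper, the shortened policy body and the helper names `yaml_error` and `default_rego` are assumptions.

```ruby
require 'yaml'

# Constructed stand-in for the broken template: the heredoc body sits at
# column 0, to the left of the `run: |` block scalar's indentation.
BROKEN = <<~'YAML'
  steps:
    - name: Write default policy
      run: |
        cat > policy/active.rego <<'REGO'
  package main
  deny[msg] if { input.runs[_].results[_].level == "error"; msg := "error finding" }
  REGO
YAML

# Constructed, abbreviated form of the fix: the policy is a YAML literal
# block scalar in env, and the script only references the variable.
FIXED = <<~'YAML'
  steps:
    - name: Write default policy
      env:
        DEFAULT_REGO: |
          package main

          import future.keywords.if

          deny[msg] if {
              input.runs[_].results[_].level == "error"
              msg := "error finding"
          }
      run: |
        printf '%s' "$DEFAULT_REGO" > policy/active.rego
YAML

# Returns nil when the document parses, otherwise the parser's message.
def yaml_error(text)
  YAML.safe_load(text)
  nil
rescue Psych::SyntaxError => e
  e.message
end

# Returns the policy text the step would receive in $DEFAULT_REGO.
def default_rego(text)
  YAML.safe_load(text).dig('steps', 0, 'env', 'DEFAULT_REGO')
end

puts "broken: #{yaml_error(BROKEN)}"
puts "fixed:  #{yaml_error(FIXED).inspect}"
puts default_rego(FIXED)
```

Running a parse check like this over every generated template in CI catches the regression before a pipeline that enforces the policy gate silently fails to load.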

Copilot AI linked an issue Mar 28, 2026 that may be closed by this pull request
@shenxianpeng shenxianpeng added the bug Something isn't working label Mar 28, 2026
…nted heredoc content

Agent-Logs-Url: https://github.com/castops/cast-cli/sessions/b35d00c1-9cd4-47ef-9ef7-00514a042b26

Co-authored-by: shenxianpeng <3353385+shenxianpeng@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix syntax error in devsecops.yml file" to "Fix YAML syntax error in generated devsecops.yml templates" Mar 28, 2026
Copilot AI requested a review from shenxianpeng March 28, 2026 15:58
@shenxianpeng shenxianpeng requested review from Copilot and removed request for shenxianpeng March 28, 2026 16:19
Copilot AI left a comment

Pull request overview

Fixes YAML parsing errors in generated DevSecOps pipeline templates by removing shell heredocs embedded inside YAML run: | blocks and instead writing the default Rego policy from a YAML literal block scalar.

Changes:

  • GitHub Actions templates: move the default Rego policy into a step-level env.DEFAULT_REGO YAML literal block and write it using printf.
  • GitLab CI templates: add a job-level variables.DEFAULT_REGO YAML literal block and write it using printf.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| templates/python/devsecops.yml | Replaces heredoc-based policy generation with env.DEFAULT_REGO + printf to avoid YAML scalar termination issues. |
| templates/nodejs/devsecops.yml | Same GitHub Actions fix: multiline env var for the default Rego policy + printf writer. |
| templates/go/devsecops.yml | Same GitHub Actions fix: multiline env var for the default Rego policy + printf writer. |
| templates/gitlab/python/devsecops.yml | Same fix for GitLab CI using variables.DEFAULT_REGO on cast-gate and writing via printf. |
| templates/gitlab/nodejs/devsecops.yml | Same GitLab CI fix using job variables + printf. |
| templates/gitlab/go/devsecops.yml | Same GitLab CI fix using job variables + printf. |

@shenxianpeng shenxianpeng marked this pull request as ready for review March 28, 2026 16:40
@shenxianpeng shenxianpeng merged commit 6b7665e into main Mar 28, 2026
10 checks passed
@shenxianpeng shenxianpeng deleted the copilot/fix-devsecops-yaml-syntax-error branch March 28, 2026 16:52
Development

Successfully merging this pull request may close these issues.

cast init generate devsecops.yml but has syntax error
