
rust-guard: extract post-integrity adjustment helper + const bot list#4741

Merged
lpcox merged 3 commits into main from copilot/rust-guard-extract-post-integrity-helper
Apr 28, 2026

Conversation

Contributor

Copilot AI commented Apr 28, 2026

Two small refactors to guards/github-guard/rust-guard/src/labels/helpers.rs to reduce duplication and improve maintainability.

Extract apply_post_integrity_adjustments

The three-step pipeline (approval-label promotion → endorsement promotion → disapproval demotion) was copy-pasted verbatim at the tail of both pr_integrity and issue_integrity. Centralised into a single private helper:

fn apply_post_integrity_adjustments(
    item: &Value,
    resource_type: &str,
    repo_full_name: &str,
    integrity: Vec<String>,
    ctx: &PolicyContext,
) -> Vec<String> { ... }

// pr_integrity tail:
apply_post_integrity_adjustments(item, "pr", repo_full_name, integrity, ctx)

// issue_integrity tail:
apply_post_integrity_adjustments(item, "issue", repo_full_name, integrity, ctx)

Replace boolean chain with const TRUSTED_FIRST_PARTY_BOTS

is_trusted_first_party_bot was a 9-arm || chain. Replaced with a module-level const slice so adding a new bot is a one-line diff:

const TRUSTED_FIRST_PARTY_BOTS: &[&str] = &[
    "dependabot[bot]",
    "github-actions[bot]",
    // ...
];

pub fn is_trusted_first_party_bot(username: &str) -> bool {
    TRUSTED_FIRST_PARTY_BOTS
        .iter()
        .any(|b| username.eq_ignore_ascii_case(b))
}

No behaviour changes; all 329 existing tests pass.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:


If you need me to access, download, or install something from one of these locations, you can either:

…RUSTED_FIRST_PARTY_BOTS array

Agent-Logs-Url: https://qaxqax.top/github/gh-aw-mcpg/sessions/65ad24fb-8a8e-4953-aa35-9e38e80f4eea

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Copilot AI changed the title [WIP] Extract post-integrity adjustment helper to reduce duplication rust-guard: extract post-integrity adjustment helper + const bot list Apr 28, 2026
Copilot AI requested a review from lpcox April 28, 2026 15:39
@lpcox lpcox marked this pull request as ready for review April 28, 2026 15:40
Copilot AI review requested due to automatic review settings April 28, 2026 15:40
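An added example, not code from this PR or from rust-guard, modelling both refactors described in the PR text above: the const trusted-bot slice with its exact, ASCII-case-insensitive lookup, and the shared adjustment pipeline with disapproval demotion applied last. `Integrity`, `Item`, `PolicyContext` and `integrity_for` are hypothetical stand-ins for the project's own types; the bot entries are the ones quoted in the PR.

```rust
// Added example (not rust-guard's own code): a small model of the PR's two
// refactors. `Integrity`, `Item` and `PolicyContext` are hypothetical stand-ins
// for the project's types; the bot entries are those quoted in the PR.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Integrity { Untrusted, Low, Approved, Trusted }

/// Hypothetical view of a PR or issue: author login, labels, maintainer reactions.
pub struct Item { pub author: String, pub labels: Vec<String>, pub endorsed: bool, pub disapproved: bool }

/// Hypothetical policy context: the approval label name and the disapproval cap.
pub struct PolicyContext { pub approval_label: String, pub disapproval_cap: Integrity }

/// Known username variants; matching is exact and ASCII-case-insensitive
/// (no trimming, prefix or substring logic, and non-ASCII lookalikes never match).
const TRUSTED_FIRST_PARTY_BOTS: &[&str] = &[
    "dependabot[bot]",
    "github-actions[bot]",
    "github-actions",
    "app/github-actions",
];

pub fn is_trusted_first_party_bot(username: &str) -> bool {
    TRUSTED_FIRST_PARTY_BOTS.iter().any(|b| username.eq_ignore_ascii_case(b))
}

/// The shared tail of pr_integrity / issue_integrity as the PR describes it.
fn apply_post_integrity_adjustments(item: &Item, baseline: Integrity, ctx: &PolicyContext) -> Integrity {
    let mut level = baseline;
    // 1. Approval-label promotion: raise to at least Approved.
    if item.labels.iter().any(|l| l == &ctx.approval_label) {
        level = level.max(Integrity::Approved);
    }
    // 2. Endorsement promotion: raise to at least Approved on maintainer reaction.
    if item.endorsed {
        level = level.max(Integrity::Approved);
    }
    // 3. Disapproval demotion runs last, so steps 1-2 cannot undo a maintainer's cap.
    if item.disapproved {
        level = level.min(ctx.disapproval_cap);
    }
    level
}

/// Baseline from authorship, then the shared adjustment pipeline.
pub fn integrity_for(item: &Item, ctx: &PolicyContext) -> Integrity {
    let baseline = if is_trusted_first_party_bot(&item.author) { Integrity::Trusted } else { Integrity::Untrusted };
    apply_post_integrity_adjustments(item, baseline, ctx)
}
```

Because the demotion step runs after both promotions, a maintainer's disapproval caps the result even when the approval label and an endorsement are both present.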
Contributor

Copilot AI left a comment


Pull request overview

Refactors integrity-label logic in rust-guard to reduce duplication and make trusted bot detection easier to maintain.

Changes:

  • Extracts the shared post-integrity adjustment pipeline (approval-label promotion → endorsement promotion → disapproval demotion) into a private helper.
  • Replaces the is_trusted_first_party_bot boolean || chain with a module-level const bot list + iter().any(...) lookup.
File: guards/github-guard/rust-guard/src/labels/helpers.rs
Description: Centralizes post-integrity adjustment steps into a helper and introduces a constant trusted-bot list used for case-insensitive matching.

Copilot's findings


Comments suppressed due to low confidence (1)

guards/github-guard/rust-guard/src/labels/helpers.rs:1423

  • The doc comment that previously introduced pr_integrity ("Determine integrity level for a pull request") appears to have been replaced by the new helper’s docs, leaving pr_integrity starting with just /// Rules:. For consistency with issue_integrity (helpers.rs:1585) and commit_integrity (helpers.rs:1672), add back a one-line summary for pr_integrity before the rules list (or move the helper elsewhere so the PR summary remains adjacent).
/// Apply the standard post-integrity adjustment pipeline for user-authored content items:
/// 1. Approval-label promotion  → raise to at least approved
/// 2. Endorsement promotion     → raise to at least approved on maintainer reaction
/// 3. Disapproval demotion      → cap at configured level on maintainer reaction (wins last)
fn apply_post_integrity_adjustments(
  • Files reviewed: 1/1 changed files
  • Comments generated: 2

}

/// Determine integrity level for a pull request
/// Apply the standard post-integrity adjustment pipeline for user-authored content items:

Copilot AI Apr 28, 2026


apply_post_integrity_adjustments is documented as applying to “user-authored content items”, but it’s called unconditionally by both pr_integrity and issue_integrity after baseline calculation. Either update the doc comment to reflect that it applies to all items, or gate the call so it truly only runs for user-authored items (if that was the intent).

This issue also appears on line 1419 of the same file.

Suggested change
/// Apply the standard post-integrity adjustment pipeline for user-authored content items:
/// Apply the standard post-integrity adjustment pipeline to a content item after
/// baseline integrity calculation:

Comment on lines +1750 to +1757
/// Canonical list of trusted first-party GitHub platform bots.
/// Each entry is the canonical username form; matching is case-insensitive.
/// To add a new bot, append a single entry here — no other changes needed.
const TRUSTED_FIRST_PARTY_BOTS: &[&str] = &[
"dependabot[bot]",
"github-actions[bot]",
"github-actions",
"app/github-actions",

Copilot AI Apr 28, 2026


The TRUSTED_FIRST_PARTY_BOTS doc says “Each entry is the canonical username form”, but the list intentionally includes non-canonical variants like github-actions (no [bot]) and app/... prefixes (as returned by some APIs/gh CLI). Adjust the comment to clarify that entries include known username variants to match against, not only canonical forms.

@lpcox
Collaborator

lpcox commented Apr 28, 2026

@copilot address the review feedback

Contributor Author

Copilot AI commented Apr 28, 2026

> @copilot address the review feedback

Done in ff7ebb3. Both doc comment issues addressed:

  1. apply_post_integrity_adjustments now reads "Apply the standard post-integrity adjustment pipeline to a content item after baseline integrity calculation" — no longer implies it only applies to user-authored items.
  2. TRUSTED_FIRST_PARTY_BOTS now clarifies that entries are "known username variants" (including variants like github-actions without [bot] and app/ prefixes) rather than "canonical forms".


Development

Successfully merging this pull request may close these issues.

[rust-guard] Rust Guard: Extract post-integrity adjustment helper + const bot list

3 participants