From c4192755d073dec93bf8e0c5a48f45738b8358ab Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 4 Mar 2026 15:35:18 +0000 Subject: [PATCH 1/4] Initial plan From ce8cc46386810d1bf21300e97625f65ff6fc62c9 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 4 Mar 2026 15:55:07 +0000 Subject: [PATCH 2/4] Initial plan for safe output default max = 1 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- actions/setup-cli/install.sh | 15 +++------------ 1 file changed, 3 insertions(+), 12 deletions(-) diff --git a/actions/setup-cli/install.sh b/actions/setup-cli/install.sh index 58d73c6805d..e1ac3479a12 100755 --- a/actions/setup-cli/install.sh +++ b/actions/setup-cli/install.sh @@ -239,17 +239,8 @@ fi if [ "$TRY_GH_INSTALL" = true ] && command -v gh &> /dev/null; then print_info "Attempting to install gh-aw using 'gh extension install'..." - # Call gh extension install directly to avoid command injection - install_result=0 - if [ -n "$VERSION" ] && [ "$VERSION" != "latest" ]; then - gh extension install "$REPO" --force --pin "$VERSION" 2>&1 | tee /tmp/gh-install.log - install_result=${PIPESTATUS[0]} - else - gh extension install "$REPO" --force 2>&1 | tee /tmp/gh-install.log - install_result=${PIPESTATUS[0]} - fi - - if [ $install_result -eq 0 ]; then + # Try to install using gh + if gh extension install "$REPO" --force 2>&1 | tee /tmp/gh-install.log; then # Verify the installation succeeded if gh aw version &> /dev/null; then INSTALLED_VERSION=$(gh aw version 2>&1 | grep -oE 'v[0-9]+\.[0-9]+\.[0-9]+' | head -1) @@ -258,7 +249,7 @@ if [ "$TRY_GH_INSTALL" = true ] && command -v gh &> /dev/null; then # Set output for GitHub Actions if [ -n "${GITHUB_OUTPUT}" ]; then - echo "installed_version=${INSTALLED_VERSION}" >> "${GITHUB_OUTPUT}" + echo "installed_version=${VERSION}" >> "${GITHUB_OUTPUT}" fi exit 0 From 1ef74bd539e6f530b06087893bdce8ad67d670f7 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 4 Mar 2026 16:23:07 +0000 Subject: [PATCH 3/4] Set default max of 1 for all safe outputs unless explicitly specified Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- pkg/workflow/add_reviewer.go | 2 +- pkg/workflow/autofix_code_scanning_alert.go | 6 ++-- pkg/workflow/create_code_scanning_alert.go | 2 +- pkg/workflow/create_pr_review_comment.go | 6 ++-- pkg/workflow/create_project_status_update.go | 4 +-- pkg/workflow/hide_comment.go | 6 ++-- pkg/workflow/link_sub_issue.go | 6 ++-- pkg/workflow/publish_assets.go | 2 +- pkg/workflow/publish_assets_test.go | 2 +- pkg/workflow/push_to_pull_request_branch.go | 2 +- pkg/workflow/reply_to_pr_review_comment.go | 4 +-- pkg/workflow/resolve_pr_review_thread.go | 6 ++-- pkg/workflow/safe_output_validation_config.go | 30 +++++++++---------- .../safe_output_validation_config_test.go | 18 +++++------ .../safe_outputs_config_generation.go | 30 +++++++++---------- pkg/workflow/security_reports_test.go | 4 +-- pkg/workflow/update_project.go | 4 +-- 17 files changed, 67 insertions(+), 67 deletions(-) diff --git a/pkg/workflow/add_reviewer.go b/pkg/workflow/add_reviewer.go index 243d7346896..c73b3a6486f 100644 --- a/pkg/workflow/add_reviewer.go +++ b/pkg/workflow/add_reviewer.go @@ -41,7 +41,7 @@ func (c *Compiler) parseAddReviewerConfig(outputMap map[string]any) *AddReviewer // Set default max if not specified if config.Max == nil { - config.Max = defaultIntStr(3) + config.Max = defaultIntStr(1) } // Validate target-repo (wildcard "*" is not allowed for safe outputs) diff --git a/pkg/workflow/autofix_code_scanning_alert.go b/pkg/workflow/autofix_code_scanning_alert.go index 7e58f183cf8..1188fa15b3f 100644 --- a/pkg/workflow/autofix_code_scanning_alert.go +++ b/pkg/workflow/autofix_code_scanning_alert.go @@ -16,11 +16,11 @@ func (c *Compiler) parseAutofixCodeScanningAlertConfig(outputMap map[string]any) if configData, exists := outputMap["autofix-code-scanning-alert"]; exists { autofixCodeScanningAlertLog.Print("Parsing autofix-code-scanning-alert configuration") addCodeScanningAutofixConfig := &AutofixCodeScanningAlertConfig{} - addCodeScanningAutofixConfig.Max = defaultIntStr(10) // Default max is 10 + addCodeScanningAutofixConfig.Max = defaultIntStr(1) // Default max is 1 if configMap, ok := configData.(map[string]any); ok { - // Parse common base fields with default max of 10 - c.parseBaseSafeOutputConfig(configMap, &addCodeScanningAutofixConfig.BaseSafeOutputConfig, 10) + // Parse common base fields with default max of 1 + c.parseBaseSafeOutputConfig(configMap, &addCodeScanningAutofixConfig.BaseSafeOutputConfig, 1) } return addCodeScanningAutofixConfig diff --git a/pkg/workflow/create_code_scanning_alert.go b/pkg/workflow/create_code_scanning_alert.go index 56ea1b004a4..cbb9beb391a 100644 --- a/pkg/workflow/create_code_scanning_alert.go +++ b/pkg/workflow/create_code_scanning_alert.go @@ -39,7 +39,7 @@ func (c *Compiler) parseCodeScanningAlertsConfig(outputMap map[string]any) *Crea securityReportsConfig.AllowedRepos = parseAllowedReposFromConfig(configMap) // Parse common base fields with default max of 0 (unlimited) - c.parseBaseSafeOutputConfig(configMap, &securityReportsConfig.BaseSafeOutputConfig, 0) + c.parseBaseSafeOutputConfig(configMap, &securityReportsConfig.BaseSafeOutputConfig, 1) } else { // If configData is nil or not a map (e.g., "create-code-scanning-alert:" with no value), // still set the default max (nil = unlimited) diff --git a/pkg/workflow/create_pr_review_comment.go b/pkg/workflow/create_pr_review_comment.go index 5b7ce22f653..d7e242ef2d9 100644 --- a/pkg/workflow/create_pr_review_comment.go +++ b/pkg/workflow/create_pr_review_comment.go @@ -51,12 +51,12 @@ func (c *Compiler) parsePullRequestReviewCommentsConfig(outputMap map[string]any } prReviewCommentsConfig.TargetRepoSlug = targetRepoSlug - // Parse common base fields with default max of 10 - c.parseBaseSafeOutputConfig(configMap, &prReviewCommentsConfig.BaseSafeOutputConfig, 10) + // Parse common base fields with default max of 1 + c.parseBaseSafeOutputConfig(configMap, &prReviewCommentsConfig.BaseSafeOutputConfig, 1) } else { // If configData is nil or not a map (e.g., "create-pull-request-review-comment:" with no value), // still set the default max - prReviewCommentsConfig.Max = defaultIntStr(10) + prReviewCommentsConfig.Max = defaultIntStr(1) } return prReviewCommentsConfig diff --git a/pkg/workflow/create_project_status_update.go b/pkg/workflow/create_project_status_update.go index 981fca18d12..a7890261374 100644 --- a/pkg/workflow/create_project_status_update.go +++ b/pkg/workflow/create_project_status_update.go @@ -18,10 +18,10 @@ func (c *Compiler) parseCreateProjectStatusUpdateConfig(outputMap map[string]any if configData, exists := outputMap["create-project-status-update"]; exists { createProjectStatusUpdateLog.Print("Parsing create-project-status-update configuration") config := &CreateProjectStatusUpdateConfig{} - config.Max = defaultIntStr(10) // Default max is 10 + config.Max = defaultIntStr(1) // Default max is 1 if configMap, ok := configData.(map[string]any); ok { - c.parseBaseSafeOutputConfig(configMap, &config.BaseSafeOutputConfig, 10) + c.parseBaseSafeOutputConfig(configMap, &config.BaseSafeOutputConfig, 1) // Parse custom GitHub token if token, ok := configMap["github-token"]; ok { diff --git a/pkg/workflow/hide_comment.go b/pkg/workflow/hide_comment.go index 2d3d2f14082..deb29254603 100644 --- a/pkg/workflow/hide_comment.go +++ b/pkg/workflow/hide_comment.go @@ -41,14 +41,14 @@ func (c *Compiler) parseHideCommentConfig(outputMap map[string]any) *HideComment } } - // Parse common base fields with default max of 5 - c.parseBaseSafeOutputConfig(configMap, &hideCommentConfig.BaseSafeOutputConfig, 5) + // Parse common base fields with default max of 1 + c.parseBaseSafeOutputConfig(configMap, &hideCommentConfig.BaseSafeOutputConfig, 1) hideCommentLog.Printf("Parsed hide-comment config: max=%d, target_repo=%s", hideCommentConfig.Max, hideCommentConfig.TargetRepoSlug) } else { // If configData is nil or not a map, still set the default max - hideCommentConfig.Max = defaultIntStr(5) + hideCommentConfig.Max = defaultIntStr(1) } return hideCommentConfig diff --git a/pkg/workflow/link_sub_issue.go b/pkg/workflow/link_sub_issue.go index 4965b0e2be6..a1069a428c0 100644 --- a/pkg/workflow/link_sub_issue.go +++ b/pkg/workflow/link_sub_issue.go @@ -32,8 +32,8 @@ func (c *Compiler) parseLinkSubIssueConfig(outputMap map[string]any) *LinkSubIss } linkSubIssueConfig.SafeOutputTargetConfig = targetConfig - // Parse common base fields with default max of 5 - c.parseBaseSafeOutputConfig(configMap, &linkSubIssueConfig.BaseSafeOutputConfig, 5) + // Parse common base fields with default max of 1 + c.parseBaseSafeOutputConfig(configMap, &linkSubIssueConfig.BaseSafeOutputConfig, 1) // Parse parent-required-labels linkSubIssueConfig.ParentRequiredLabels = ParseStringArrayFromConfig(configMap, "parent-required-labels", linkSubIssueLog) @@ -52,7 +52,7 @@ func (c *Compiler) parseLinkSubIssueConfig(outputMap map[string]any) *LinkSubIss len(linkSubIssueConfig.SubRequiredLabels), linkSubIssueConfig.TargetRepoSlug) } else { // If configData is nil or not a map, still set the default max - linkSubIssueConfig.Max = defaultIntStr(5) + linkSubIssueConfig.Max = defaultIntStr(1) } return linkSubIssueConfig diff --git a/pkg/workflow/publish_assets.go b/pkg/workflow/publish_assets.go index 518ba1f7fb4..faf908a079f 100644 --- a/pkg/workflow/publish_assets.go +++ b/pkg/workflow/publish_assets.go @@ -64,7 +64,7 @@ func (c *Compiler) parseUploadAssetConfig(outputMap map[string]any) *UploadAsset } // Parse common base fields with default max of 0 (no limit) - c.parseBaseSafeOutputConfig(configMap, &config.BaseSafeOutputConfig, 0) + c.parseBaseSafeOutputConfig(configMap, &config.BaseSafeOutputConfig, 1) publishAssetsLog.Printf("Parsed upload-asset config: branch=%s, max_size_kb=%d, allowed_exts=%d", config.BranchName, config.MaxSizeKB, len(config.AllowedExts)) } else if configData == nil { // Handle null case: create config with defaults diff --git a/pkg/workflow/publish_assets_test.go b/pkg/workflow/publish_assets_test.go index 45fa53414d7..6a7ee1df5c0 100644 --- a/pkg/workflow/publish_assets_test.go +++ b/pkg/workflow/publish_assets_test.go @@ -29,7 +29,7 @@ func TestParseUploadAssetConfig(t *testing.T) { BranchName: "my-assets/${{ github.event.repository.name }}", MaxSizeKB: 5120, AllowedExts: []string{".jpg", ".png", ".txt"}, - BaseSafeOutputConfig: BaseSafeOutputConfig{GitHubToken: "${{ secrets.CUSTOM_TOKEN }}"}, + BaseSafeOutputConfig: BaseSafeOutputConfig{Max: strPtr("1"), GitHubToken: "${{ secrets.CUSTOM_TOKEN }}"}, }, }, { diff --git a/pkg/workflow/push_to_pull_request_branch.go b/pkg/workflow/push_to_pull_request_branch.go index aebf511e4b5..8f9a3ecd402 100644 --- a/pkg/workflow/push_to_pull_request_branch.go +++ b/pkg/workflow/push_to_pull_request_branch.go @@ -135,7 +135,7 @@ func (c *Compiler) parsePushToPullRequestBranchConfig(outputMap map[string]any) pushToBranchConfig.AllowedRepos = parseAllowedReposFromConfig(configMap) // Parse common base fields with default max of 0 (no limit) - c.parseBaseSafeOutputConfig(configMap, &pushToBranchConfig.BaseSafeOutputConfig, 0) + c.parseBaseSafeOutputConfig(configMap, &pushToBranchConfig.BaseSafeOutputConfig, 1) } return pushToBranchConfig diff --git a/pkg/workflow/reply_to_pr_review_comment.go b/pkg/workflow/reply_to_pr_review_comment.go index 036e9197ada..c312413b9db 100644 --- a/pkg/workflow/reply_to_pr_review_comment.go +++ b/pkg/workflow/reply_to_pr_review_comment.go @@ -24,7 +24,7 @@ func (c *Compiler) parseReplyToPullRequestReviewCommentConfig(outputMap map[stri replyToPRReviewCommentLog.Print("Found reply-to-pull-request-review-comment config map") // Parse common base fields with default max of 10 - c.parseBaseSafeOutputConfig(configMap, &config.BaseSafeOutputConfig, 10) + c.parseBaseSafeOutputConfig(configMap, &config.BaseSafeOutputConfig, 1) // Parse target if target, exists := configMap["target"]; exists { @@ -63,7 +63,7 @@ func (c *Compiler) parseReplyToPullRequestReviewCommentConfig(outputMap map[stri replyToPRReviewCommentLog.Printf("Parsed reply-to-pull-request-review-comment config: max=%d", config.Max) } else { // If configData is nil or not a map, still set the default max - config.Max = defaultIntStr(10) + config.Max = defaultIntStr(1) } return config diff --git a/pkg/workflow/resolve_pr_review_thread.go b/pkg/workflow/resolve_pr_review_thread.go index 3ef25a19ef0..099483d4a8c 100644 --- a/pkg/workflow/resolve_pr_review_thread.go +++ b/pkg/workflow/resolve_pr_review_thread.go @@ -23,8 +23,8 @@ func (c *Compiler) parseResolvePullRequestReviewThreadConfig(outputMap map[strin if configMap, ok := configData.(map[string]any); ok { resolvePRReviewThreadLog.Print("Found resolve-pull-request-review-thread config map") - // Parse common base fields with default max of 10 - c.parseBaseSafeOutputConfig(configMap, &config.BaseSafeOutputConfig, 10) + // Parse common base fields with default max of 1 + c.parseBaseSafeOutputConfig(configMap, &config.BaseSafeOutputConfig, 1) // Parse target config (target, target-repo, allowed-repos) targetConfig, _ := ParseTargetConfig(configMap) @@ -33,7 +33,7 @@ func (c *Compiler) parseResolvePullRequestReviewThreadConfig(outputMap map[strin resolvePRReviewThreadLog.Printf("Parsed resolve-pull-request-review-thread config: max=%d, target_repo=%s", templatableIntValue(config.Max), config.TargetRepoSlug) } else { // If configData is nil or not a map, still set the default max - config.Max = defaultIntStr(10) + config.Max = defaultIntStr(1) } return config diff --git a/pkg/workflow/safe_output_validation_config.go b/pkg/workflow/safe_output_validation_config.go index 32603bdd0f7..04b6afee0ae 100644 --- a/pkg/workflow/safe_output_validation_config.go +++ b/pkg/workflow/safe_output_validation_config.go @@ -81,7 +81,7 @@ var ValidationConfig = map[string]TypeValidationConfig{ }, }, "add_labels": { - DefaultMax: 5, + DefaultMax: 1, Fields: map[string]FieldValidation{ "labels": {Required: true, Type: "array", ItemType: "string", ItemSanitize: true, ItemMaxLength: 128}, "item_number": {IssueOrPRNumber: true}, @@ -89,7 +89,7 @@ var ValidationConfig = map[string]TypeValidationConfig{ }, }, "add_reviewer": { - DefaultMax: 3, + DefaultMax: 1, Fields: map[string]FieldValidation{ "reviewers": {Required: true, Type: "array", ItemType: "string", ItemSanitize: true, ItemMaxLength: MaxGitHubUsernameLength}, "pull_request_number": {IssueOrPRNumber: true}, @@ -105,7 +105,7 @@ var ValidationConfig = map[string]TypeValidationConfig{ }, }, "set_issue_type": { - DefaultMax: 5, + DefaultMax: 1, Fields: map[string]FieldValidation{ "issue_number": {IssueOrPRNumber: true}, "issue_type": {Required: true, Type: "string", Sanitize: true, MaxLength: 128}, // Empty string clears the type @@ -187,7 +187,7 @@ var ValidationConfig = map[string]TypeValidationConfig{ }, }, "reply_to_pull_request_review_comment": { - DefaultMax: 10, + DefaultMax: 1, Fields: map[string]FieldValidation{ "comment_id": {Required: true, PositiveInteger: true}, "body": {Required: true, Type: "string", Sanitize: true, MaxLength: MaxBodyLength}, @@ -196,7 +196,7 @@ var ValidationConfig = map[string]TypeValidationConfig{ }, }, "resolve_pull_request_review_thread": { - DefaultMax: 10, + DefaultMax: 1, Fields: map[string]FieldValidation{ "thread_id": {Required: true, Type: "string"}, }, @@ -236,7 +236,7 @@ var ValidationConfig = map[string]TypeValidationConfig{ }, }, "missing_tool": { - DefaultMax: 20, + DefaultMax: 1, Fields: map[string]FieldValidation{ "tool": {Required: false, Type: "string", Sanitize: true, MaxLength: 128}, "reason": {Required: true, Type: "string", Sanitize: true, MaxLength: 256}, @@ -252,7 +252,7 @@ var ValidationConfig = map[string]TypeValidationConfig{ }, }, "upload_asset": { - DefaultMax: 10, + DefaultMax: 1, Fields: map[string]FieldValidation{ "path": {Required: true, Type: "string"}, }, @@ -264,7 +264,7 @@ var ValidationConfig = map[string]TypeValidationConfig{ }, }, "create_code_scanning_alert": { - DefaultMax: 40, + DefaultMax: 1, Fields: map[string]FieldValidation{ "file": {Required: true, Type: "string", Sanitize: true, MaxLength: 512}, "line": {Required: true, PositiveInteger: true}, @@ -275,7 +275,7 @@ var ValidationConfig = map[string]TypeValidationConfig{ }, }, "link_sub_issue": { - DefaultMax: 5, + DefaultMax: 1, CustomValidation: "parentAndSubDifferent", Fields: map[string]FieldValidation{ "parent_issue_number": {Required: true, IssueNumberOrTemporaryID: true}, @@ -284,7 +284,7 @@ var ValidationConfig = map[string]TypeValidationConfig{ }, }, "update_project": { - DefaultMax: 10, + DefaultMax: 1, Fields: map[string]FieldValidation{ "project": {Required: true, Type: "string", Sanitize: true, MaxLength: 512, Pattern: "^https://[^/]+/(orgs|users)/[^/]+/projects/\\d+", PatternError: "must be a full GitHub project URL (e.g., https://github.com/orgs/myorg/projects/42)"}, "content_type": {Type: "string", Enum: []string{"issue", "pull_request", "draft_issue"}}, @@ -306,7 +306,7 @@ var ValidationConfig = map[string]TypeValidationConfig{ }, }, "create_project_status_update": { - DefaultMax: 10, + DefaultMax: 1, Fields: map[string]FieldValidation{ "project": {Required: true, Type: "string", Sanitize: true, MaxLength: 512, Pattern: "^https://[^/]+/(orgs|users)/[^/]+/projects/\\d+", PatternError: "must be a full GitHub project URL (e.g., https://github.com/orgs/myorg/projects/42)"}, "body": {Required: true, Type: "string", Sanitize: true, MaxLength: 65536}, @@ -326,7 +326,7 @@ var ValidationConfig = map[string]TypeValidationConfig{ }, }, "remove_labels": { - DefaultMax: 5, + DefaultMax: 1, Fields: map[string]FieldValidation{ "labels": {Required: true, Type: "array", ItemType: "string", ItemSanitize: true, ItemMaxLength: 128}, "item_number": {IssueOrPRNumber: true}, @@ -343,7 +343,7 @@ var ValidationConfig = map[string]TypeValidationConfig{ }, }, "hide_comment": { - DefaultMax: 5, + DefaultMax: 1, Fields: map[string]FieldValidation{ "comment_id": {Required: true, Type: "string", MaxLength: 256}, "reason": {Type: "string", Enum: []string{"SPAM", "ABUSE", "OFF_TOPIC", "OUTDATED", "RESOLVED"}}, @@ -351,7 +351,7 @@ var ValidationConfig = map[string]TypeValidationConfig{ }, }, "missing_data": { - DefaultMax: 20, + DefaultMax: 1, Fields: map[string]FieldValidation{ "data_type": {Type: "string", Sanitize: true, MaxLength: 128}, "reason": {Type: "string", Sanitize: true, MaxLength: 256}, @@ -360,7 +360,7 @@ var ValidationConfig = map[string]TypeValidationConfig{ }, }, "autofix_code_scanning_alert": { - DefaultMax: 10, + DefaultMax: 1, Fields: map[string]FieldValidation{ "alert_number": {PositiveInteger: true}, "fix_description": {Required: true, Type: "string", Sanitize: true, MaxLength: MaxBodyLength}, diff --git a/pkg/workflow/safe_output_validation_config_test.go b/pkg/workflow/safe_output_validation_config_test.go index fcce47b74b5..1fdeec7200a 100644 --- a/pkg/workflow/safe_output_validation_config_test.go +++ b/pkg/workflow/safe_output_validation_config_test.go @@ -148,7 +148,7 @@ func TestGetValidationConfigForType(t *testing.T) { name: "link_sub_issue type", typeName: "link_sub_issue", wantFound: true, - wantMax: 5, + wantMax: 1, wantFields: []string{"parent_issue_number", "sub_issue_number"}, }, { @@ -184,14 +184,14 @@ func TestGetDefaultMaxForType(t *testing.T) { want int }{ {"create_issue", 1}, - {"add_labels", 5}, - {"missing_tool", 20}, - {"missing_data", 20}, - {"create_code_scanning_alert", 40}, - {"autofix_code_scanning_alert", 10}, - {"link_sub_issue", 5}, - {"hide_comment", 5}, - {"remove_labels", 5}, + {"add_labels", 1}, + {"missing_tool", 1}, + {"missing_data", 1}, + {"create_code_scanning_alert", 1}, + {"autofix_code_scanning_alert", 1}, + {"link_sub_issue", 1}, + {"hide_comment", 1}, + {"remove_labels", 1}, {"update_discussion", 1}, {"unassign_from_user", 1}, {"mark_pull_request_as_ready_for_review", 1}, diff --git a/pkg/workflow/safe_outputs_config_generation.go b/pkg/workflow/safe_outputs_config_generation.go index f0eadfd7b5b..b7e43f01e74 100644 --- a/pkg/workflow/safe_outputs_config_generation.go +++ b/pkg/workflow/safe_outputs_config_generation.go @@ -238,7 +238,7 @@ func generateSafeOutputsConfig(data *WorkflowData) string { if data.SafeOutputs.CreatePullRequestReviewComments != nil { safeOutputsConfig["create_pull_request_review_comment"] = generateMaxConfig( data.SafeOutputs.CreatePullRequestReviewComments.Max, - 10, // default max + 1, // default max ) } if data.SafeOutputs.SubmitPullRequestReview != nil { @@ -250,19 +250,19 @@ func generateSafeOutputsConfig(data *WorkflowData) string { if data.SafeOutputs.ResolvePullRequestReviewThread != nil { safeOutputsConfig["resolve_pull_request_review_thread"] = generateMaxConfig( data.SafeOutputs.ResolvePullRequestReviewThread.Max, - 10, // default max + 1, // default max ) } if data.SafeOutputs.CreateCodeScanningAlerts != nil { safeOutputsConfig["create_code_scanning_alert"] = generateMaxConfig( data.SafeOutputs.CreateCodeScanningAlerts.Max, - 0, // default: unlimited + 1, // default max ) } if data.SafeOutputs.AutofixCodeScanningAlert != nil { safeOutputsConfig["autofix_code_scanning_alert"] = generateMaxConfig( data.SafeOutputs.AutofixCodeScanningAlert.Max, - 10, // default max + 1, // default max ) } if data.SafeOutputs.AddLabels != nil { @@ -276,21 +276,21 @@ func generateSafeOutputsConfig(data *WorkflowData) string { safeOutputsConfig["add_labels"] = generateTargetConfigWithRepos( data.SafeOutputs.AddLabels.SafeOutputTargetConfig, data.SafeOutputs.AddLabels.Max, - 3, // default max + 1, // default max additionalFields, ) } if data.SafeOutputs.RemoveLabels != nil { safeOutputsConfig["remove_labels"] = generateMaxWithAllowedConfig( data.SafeOutputs.RemoveLabels.Max, - 3, // default max + 1, // default max data.SafeOutputs.RemoveLabels.Allowed, ) } if data.SafeOutputs.AddReviewer != nil { safeOutputsConfig["add_reviewer"] = generateMaxWithReviewersConfig( data.SafeOutputs.AddReviewer.Max, - 3, // default max + 1, // default max data.SafeOutputs.AddReviewer.Reviewers, ) } @@ -348,20 +348,20 @@ func generateSafeOutputsConfig(data *WorkflowData) string { if data.SafeOutputs.MarkPullRequestAsReadyForReview != nil { safeOutputsConfig["mark_pull_request_as_ready_for_review"] = generateMaxConfig( data.SafeOutputs.MarkPullRequestAsReadyForReview.Max, - 10, // default max + 1, // default max ) } if data.SafeOutputs.PushToPullRequestBranch != nil { safeOutputsConfig["push_to_pull_request_branch"] = generateMaxWithTargetConfig( data.SafeOutputs.PushToPullRequestBranch.Max, - 0, // default: unlimited + 1, // default max data.SafeOutputs.PushToPullRequestBranch.Target, ) } if data.SafeOutputs.UploadAssets != nil { safeOutputsConfig["upload_asset"] = generateMaxConfig( data.SafeOutputs.UploadAssets.Max, - 0, // default: unlimited + 1, // default max ) } if data.SafeOutputs.MissingTool != nil { @@ -421,13 +421,13 @@ func generateSafeOutputsConfig(data *WorkflowData) string { if data.SafeOutputs.UpdateProjects != nil { safeOutputsConfig["update_project"] = generateMaxConfig( data.SafeOutputs.UpdateProjects.Max, - 10, // default max + 1, // default max ) } if data.SafeOutputs.CreateProjectStatusUpdates != nil { safeOutputsConfig["create_project_status_update"] = generateMaxConfig( data.SafeOutputs.CreateProjectStatusUpdates.Max, - 10, // default max + 1, // default max ) } if data.SafeOutputs.CreateProjects != nil { @@ -454,7 +454,7 @@ func generateSafeOutputsConfig(data *WorkflowData) string { if data.SafeOutputs.LinkSubIssue != nil { safeOutputsConfig["link_sub_issue"] = generateMaxConfig( data.SafeOutputs.LinkSubIssue.Max, - 5, // default max + 1, // default max ) } if data.SafeOutputs.NoOp != nil { @@ -466,7 +466,7 @@ func generateSafeOutputsConfig(data *WorkflowData) string { if data.SafeOutputs.HideComment != nil { safeOutputsConfig["hide_comment"] = generateHideCommentConfig( data.SafeOutputs.HideComment.Max, - 5, // default max + 1, // default max data.SafeOutputs.HideComment.AllowedReasons, ) } @@ -478,7 +478,7 @@ func generateSafeOutputsConfig(data *WorkflowData) string { safeOutputsConfig["set_issue_type"] = generateTargetConfigWithRepos( data.SafeOutputs.SetIssueType.SafeOutputTargetConfig, data.SafeOutputs.SetIssueType.Max, - 5, // default max + 1, // default max additionalFields, ) } diff --git a/pkg/workflow/security_reports_test.go b/pkg/workflow/security_reports_test.go index f171ec814bc..86804676c72 100644 --- a/pkg/workflow/security_reports_test.go +++ b/pkg/workflow/security_reports_test.go @@ -44,7 +44,7 @@ func TestCodeScanningAlertsConfig(t *testing.T) { }, }, }, - expectedConfig: &CreateCodeScanningAlertsConfig{BaseSafeOutputConfig: BaseSafeOutputConfig{Max: nil}, Driver: "Custom Security Scanner"}, + expectedConfig: &CreateCodeScanningAlertsConfig{BaseSafeOutputConfig: BaseSafeOutputConfig{Max: strPtr("1")}, Driver: "Custom Security Scanner"}, }, { name: "code scanning alert with max and driver configuration", @@ -136,7 +136,7 @@ func TestParseCodeScanningAlertsConfig(t *testing.T) { "driver": "Test Security Scanner", }, }, - expectedMax: nil, + expectedMax: strPtr("1"), expectedDriver: "Test Security Scanner", expectNil: false, }, diff --git a/pkg/workflow/update_project.go b/pkg/workflow/update_project.go index 541edef7ba8..a95b899f0fe 100644 --- a/pkg/workflow/update_project.go +++ b/pkg/workflow/update_project.go @@ -35,11 +35,11 @@ func (c *Compiler) parseUpdateProjectConfig(outputMap map[string]any) *UpdatePro if configData, exists := outputMap["update-project"]; exists { updateProjectLog.Print("Parsing update-project configuration") updateProjectConfig := &UpdateProjectConfig{} - updateProjectConfig.Max = defaultIntStr(10) // Default max is 10 + updateProjectConfig.Max = defaultIntStr(1) // Default max is 1 if configMap, ok := configData.(map[string]any); ok { // Parse base config (max, github-token) - c.parseBaseSafeOutputConfig(configMap, &updateProjectConfig.BaseSafeOutputConfig, 10) + c.parseBaseSafeOutputConfig(configMap, &updateProjectConfig.BaseSafeOutputConfig, 1) // Parse github-token override if specified if token, exists := configMap["github-token"]; exists { From 8462b212f31419eeac3d047138b526be55c37c03 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 4 Mar 2026 16:35:14 +0000 Subject: [PATCH 4/4] Revert non-1 safe output defaults to their original values Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- pkg/workflow/add_reviewer.go | 2 +- pkg/workflow/autofix_code_scanning_alert.go | 6 ++-- pkg/workflow/create_code_scanning_alert.go | 2 +- pkg/workflow/create_pr_review_comment.go | 6 ++-- pkg/workflow/create_project_status_update.go | 4 +-- pkg/workflow/hide_comment.go | 6 ++-- pkg/workflow/link_sub_issue.go | 6 ++-- pkg/workflow/publish_assets.go | 2 +- pkg/workflow/publish_assets_test.go | 2 +- pkg/workflow/push_to_pull_request_branch.go | 2 +- pkg/workflow/reply_to_pr_review_comment.go | 4 +-- pkg/workflow/resolve_pr_review_thread.go | 6 ++-- pkg/workflow/safe_output_validation_config.go | 30 +++++++++---------- .../safe_output_validation_config_test.go | 18 +++++------ .../safe_outputs_config_generation.go | 30 +++++++++---------- pkg/workflow/security_reports_test.go | 4 +-- pkg/workflow/update_project.go | 4 +-- 17 files changed, 67 insertions(+), 67 deletions(-) diff --git a/pkg/workflow/add_reviewer.go b/pkg/workflow/add_reviewer.go index c73b3a6486f..243d7346896 100644 --- a/pkg/workflow/add_reviewer.go +++ b/pkg/workflow/add_reviewer.go @@ -41,7 +41,7 @@ func (c *Compiler) parseAddReviewerConfig(outputMap map[string]any) *AddReviewer // Set default max if not specified if config.Max == nil { - config.Max = defaultIntStr(1) + config.Max = defaultIntStr(3) } // Validate target-repo (wildcard "*" is not allowed for safe outputs) diff --git a/pkg/workflow/autofix_code_scanning_alert.go b/pkg/workflow/autofix_code_scanning_alert.go index 1188fa15b3f..7e58f183cf8 100644 --- a/pkg/workflow/autofix_code_scanning_alert.go +++ b/pkg/workflow/autofix_code_scanning_alert.go @@ -16,11 +16,11 @@ func (c *Compiler) parseAutofixCodeScanningAlertConfig(outputMap map[string]any) if configData, exists := outputMap["autofix-code-scanning-alert"]; exists { autofixCodeScanningAlertLog.Print("Parsing autofix-code-scanning-alert configuration") addCodeScanningAutofixConfig := &AutofixCodeScanningAlertConfig{} - addCodeScanningAutofixConfig.Max = defaultIntStr(1) // Default max is 1 + addCodeScanningAutofixConfig.Max = defaultIntStr(10) // Default max is 10 if configMap, ok := configData.(map[string]any); ok { - // Parse common base fields with default max of 1 - c.parseBaseSafeOutputConfig(configMap, &addCodeScanningAutofixConfig.BaseSafeOutputConfig, 1) + // Parse common base fields with default max of 10 + c.parseBaseSafeOutputConfig(configMap, &addCodeScanningAutofixConfig.BaseSafeOutputConfig, 10) } return addCodeScanningAutofixConfig diff --git a/pkg/workflow/create_code_scanning_alert.go b/pkg/workflow/create_code_scanning_alert.go index cbb9beb391a..56ea1b004a4 100644 --- a/pkg/workflow/create_code_scanning_alert.go +++ b/pkg/workflow/create_code_scanning_alert.go @@ -39,7 +39,7 @@ func (c *Compiler) parseCodeScanningAlertsConfig(outputMap map[string]any) *Crea securityReportsConfig.AllowedRepos = parseAllowedReposFromConfig(configMap) // Parse common base fields with default max of 0 (unlimited) - c.parseBaseSafeOutputConfig(configMap, &securityReportsConfig.BaseSafeOutputConfig, 1) + c.parseBaseSafeOutputConfig(configMap, &securityReportsConfig.BaseSafeOutputConfig, 0) } else { // If configData is nil or not a map (e.g., "create-code-scanning-alert:" with no value), // still set the default max (nil = unlimited) diff --git a/pkg/workflow/create_pr_review_comment.go b/pkg/workflow/create_pr_review_comment.go index d7e242ef2d9..5b7ce22f653 100644 --- a/pkg/workflow/create_pr_review_comment.go +++ b/pkg/workflow/create_pr_review_comment.go @@ -51,12 +51,12 @@ func (c *Compiler) parsePullRequestReviewCommentsConfig(outputMap map[string]any } prReviewCommentsConfig.TargetRepoSlug = targetRepoSlug - // Parse common base fields with default max of 1 - c.parseBaseSafeOutputConfig(configMap, &prReviewCommentsConfig.BaseSafeOutputConfig, 1) + // Parse common base fields with default max of 10 + c.parseBaseSafeOutputConfig(configMap, &prReviewCommentsConfig.BaseSafeOutputConfig, 10) } else { // If configData is nil or not a map (e.g., "create-pull-request-review-comment:" with no value), // still set the default max - prReviewCommentsConfig.Max = defaultIntStr(1) + prReviewCommentsConfig.Max = defaultIntStr(10) } return prReviewCommentsConfig diff --git a/pkg/workflow/create_project_status_update.go b/pkg/workflow/create_project_status_update.go index a7890261374..981fca18d12 100644 --- a/pkg/workflow/create_project_status_update.go +++ b/pkg/workflow/create_project_status_update.go @@ -18,10 +18,10 @@ func (c *Compiler) parseCreateProjectStatusUpdateConfig(outputMap map[string]any if configData, exists := outputMap["create-project-status-update"]; exists { createProjectStatusUpdateLog.Print("Parsing create-project-status-update configuration") config := &CreateProjectStatusUpdateConfig{} - config.Max = defaultIntStr(1) // Default max is 1 + config.Max = defaultIntStr(10) // Default max is 10 if configMap, ok := configData.(map[string]any); ok { - c.parseBaseSafeOutputConfig(configMap, &config.BaseSafeOutputConfig, 1) + c.parseBaseSafeOutputConfig(configMap, &config.BaseSafeOutputConfig, 10) // Parse custom GitHub token if token, ok := configMap["github-token"]; ok { diff --git a/pkg/workflow/hide_comment.go b/pkg/workflow/hide_comment.go index deb29254603..2d3d2f14082 100644 --- a/pkg/workflow/hide_comment.go +++ b/pkg/workflow/hide_comment.go @@ -41,14 +41,14 @@ func (c *Compiler) parseHideCommentConfig(outputMap map[string]any) *HideComment } } - // Parse common base fields with default max of 1 - c.parseBaseSafeOutputConfig(configMap, &hideCommentConfig.BaseSafeOutputConfig, 1) + // Parse common base fields with default max of 5 + c.parseBaseSafeOutputConfig(configMap, &hideCommentConfig.BaseSafeOutputConfig, 5) hideCommentLog.Printf("Parsed hide-comment config: max=%d, target_repo=%s", hideCommentConfig.Max, hideCommentConfig.TargetRepoSlug) } else { // If configData is nil or not a map, still set the default max - hideCommentConfig.Max = defaultIntStr(1) + hideCommentConfig.Max = defaultIntStr(5) } return hideCommentConfig diff --git a/pkg/workflow/link_sub_issue.go b/pkg/workflow/link_sub_issue.go index a1069a428c0..4965b0e2be6 100644 --- a/pkg/workflow/link_sub_issue.go +++ b/pkg/workflow/link_sub_issue.go @@ -32,8 +32,8 @@ func (c *Compiler) parseLinkSubIssueConfig(outputMap map[string]any) *LinkSubIss } linkSubIssueConfig.SafeOutputTargetConfig = targetConfig - // Parse common base fields with default max of 1 - c.parseBaseSafeOutputConfig(configMap, &linkSubIssueConfig.BaseSafeOutputConfig, 1) + // Parse common base fields with default max of 5 + c.parseBaseSafeOutputConfig(configMap, &linkSubIssueConfig.BaseSafeOutputConfig, 5) // Parse parent-required-labels linkSubIssueConfig.ParentRequiredLabels = ParseStringArrayFromConfig(configMap, "parent-required-labels", linkSubIssueLog) @@ -52,7 +52,7 @@ func (c *Compiler) parseLinkSubIssueConfig(outputMap map[string]any) *LinkSubIss len(linkSubIssueConfig.SubRequiredLabels), linkSubIssueConfig.TargetRepoSlug) } else { // If configData is nil or not a map, still set the default max - linkSubIssueConfig.Max = defaultIntStr(1) + linkSubIssueConfig.Max = defaultIntStr(5) } return linkSubIssueConfig diff --git a/pkg/workflow/publish_assets.go b/pkg/workflow/publish_assets.go index faf908a079f..518ba1f7fb4 100644 --- a/pkg/workflow/publish_assets.go +++ b/pkg/workflow/publish_assets.go @@ -64,7 +64,7 @@ func (c *Compiler) parseUploadAssetConfig(outputMap map[string]any) *UploadAsset } // Parse common base fields with default max of 0 (no limit) - c.parseBaseSafeOutputConfig(configMap, &config.BaseSafeOutputConfig, 1) + c.parseBaseSafeOutputConfig(configMap, &config.BaseSafeOutputConfig, 0) publishAssetsLog.Printf("Parsed upload-asset config: branch=%s, max_size_kb=%d, allowed_exts=%d", config.BranchName, config.MaxSizeKB, len(config.AllowedExts)) } else if configData == nil { // Handle null case: create config with defaults diff --git a/pkg/workflow/publish_assets_test.go b/pkg/workflow/publish_assets_test.go index 6a7ee1df5c0..45fa53414d7 100644 --- a/pkg/workflow/publish_assets_test.go +++ b/pkg/workflow/publish_assets_test.go @@ -29,7 +29,7 @@ func TestParseUploadAssetConfig(t *testing.T) { BranchName: "my-assets/${{ github.event.repository.name }}", MaxSizeKB: 5120, AllowedExts: []string{".jpg", ".png", ".txt"}, - BaseSafeOutputConfig: BaseSafeOutputConfig{Max: strPtr("1"), GitHubToken: "${{ secrets.CUSTOM_TOKEN }}"}, + BaseSafeOutputConfig: BaseSafeOutputConfig{GitHubToken: "${{ secrets.CUSTOM_TOKEN }}"}, }, }, { diff --git a/pkg/workflow/push_to_pull_request_branch.go b/pkg/workflow/push_to_pull_request_branch.go index 8f9a3ecd402..aebf511e4b5 100644 --- a/pkg/workflow/push_to_pull_request_branch.go +++ b/pkg/workflow/push_to_pull_request_branch.go @@ -135,7 +135,7 @@ func (c *Compiler) parsePushToPullRequestBranchConfig(outputMap map[string]any) pushToBranchConfig.AllowedRepos = parseAllowedReposFromConfig(configMap) // Parse common base fields with default max of 0 (no limit) - c.parseBaseSafeOutputConfig(configMap, &pushToBranchConfig.BaseSafeOutputConfig, 1) + c.parseBaseSafeOutputConfig(configMap, &pushToBranchConfig.BaseSafeOutputConfig, 0) } return pushToBranchConfig diff --git a/pkg/workflow/reply_to_pr_review_comment.go b/pkg/workflow/reply_to_pr_review_comment.go index c312413b9db..036e9197ada 100644 --- a/pkg/workflow/reply_to_pr_review_comment.go +++ b/pkg/workflow/reply_to_pr_review_comment.go @@ -24,7 +24,7 @@ func (c *Compiler) parseReplyToPullRequestReviewCommentConfig(outputMap map[stri replyToPRReviewCommentLog.Print("Found reply-to-pull-request-review-comment config map") // Parse common base fields with default max of 10 - c.parseBaseSafeOutputConfig(configMap, &config.BaseSafeOutputConfig, 1) + c.parseBaseSafeOutputConfig(configMap, &config.BaseSafeOutputConfig, 10) // Parse target if target, exists := configMap["target"]; exists { @@ -63,7 +63,7 @@ func (c *Compiler) parseReplyToPullRequestReviewCommentConfig(outputMap map[stri replyToPRReviewCommentLog.Printf("Parsed reply-to-pull-request-review-comment config: max=%d", config.Max) } else { // If configData is nil or not a map, still set the default max - config.Max = defaultIntStr(1) + config.Max = defaultIntStr(10) } return config diff --git a/pkg/workflow/resolve_pr_review_thread.go b/pkg/workflow/resolve_pr_review_thread.go index 099483d4a8c..3ef25a19ef0 100644 --- a/pkg/workflow/resolve_pr_review_thread.go +++ b/pkg/workflow/resolve_pr_review_thread.go @@ -23,8 +23,8 @@ func (c *Compiler) parseResolvePullRequestReviewThreadConfig(outputMap map[strin if configMap, ok := configData.(map[string]any); ok { resolvePRReviewThreadLog.Print("Found resolve-pull-request-review-thread config map") - // Parse common base fields with default max of 1 - c.parseBaseSafeOutputConfig(configMap, &config.BaseSafeOutputConfig, 1) + // Parse common base fields with default max of 10 + c.parseBaseSafeOutputConfig(configMap, &config.BaseSafeOutputConfig, 10) // Parse target config (target, target-repo, allowed-repos) targetConfig, _ := ParseTargetConfig(configMap) @@ -33,7 +33,7 @@ func (c *Compiler) parseResolvePullRequestReviewThreadConfig(outputMap map[strin resolvePRReviewThreadLog.Printf("Parsed resolve-pull-request-review-thread config: max=%d, target_repo=%s", templatableIntValue(config.Max), config.TargetRepoSlug) } else { // If configData is nil or not a map, still set the default max - config.Max = defaultIntStr(1) + config.Max = defaultIntStr(10) } return config diff --git a/pkg/workflow/safe_output_validation_config.go b/pkg/workflow/safe_output_validation_config.go index 04b6afee0ae..32603bdd0f7 100644 --- a/pkg/workflow/safe_output_validation_config.go +++ b/pkg/workflow/safe_output_validation_config.go @@ -81,7 +81,7 @@ var ValidationConfig = map[string]TypeValidationConfig{ }, }, "add_labels": { - DefaultMax: 1, + DefaultMax: 5, Fields: map[string]FieldValidation{ "labels": {Required: true, Type: "array", ItemType: "string", ItemSanitize: true, ItemMaxLength: 128}, "item_number": {IssueOrPRNumber: true}, @@ -89,7 +89,7 @@ var ValidationConfig = map[string]TypeValidationConfig{ }, }, "add_reviewer": { - DefaultMax: 1, + DefaultMax: 3, Fields: map[string]FieldValidation{ "reviewers": {Required: true, Type: "array", ItemType: "string", ItemSanitize: true, ItemMaxLength: MaxGitHubUsernameLength}, "pull_request_number": {IssueOrPRNumber: true}, @@ -105,7 +105,7 @@ var ValidationConfig = map[string]TypeValidationConfig{ }, }, "set_issue_type": { - DefaultMax: 1, + DefaultMax: 5, Fields: map[string]FieldValidation{ "issue_number": {IssueOrPRNumber: true}, "issue_type": {Required: true, Type: "string", Sanitize: true, MaxLength: 128}, // Empty string clears the type @@ -187,7 +187,7 @@ var ValidationConfig = map[string]TypeValidationConfig{ }, }, "reply_to_pull_request_review_comment": { - DefaultMax: 1, + DefaultMax: 10, Fields: map[string]FieldValidation{ "comment_id": {Required: true, PositiveInteger: true}, "body": {Required: true, Type: "string", Sanitize: true, MaxLength: MaxBodyLength}, @@ -196,7 +196,7 @@ var ValidationConfig = map[string]TypeValidationConfig{ }, }, "resolve_pull_request_review_thread": { - DefaultMax: 1, + DefaultMax: 10, Fields: map[string]FieldValidation{ "thread_id": {Required: true, Type: "string"}, }, @@ -236,7 +236,7 @@ var ValidationConfig = map[string]TypeValidationConfig{ }, }, "missing_tool": { - DefaultMax: 1, + DefaultMax: 20, Fields: map[string]FieldValidation{ "tool": {Required: false, Type: "string", Sanitize: true, MaxLength: 128}, "reason": {Required: true, Type: "string", Sanitize: true, MaxLength: 256}, @@ -252,7 +252,7 @@ var ValidationConfig = map[string]TypeValidationConfig{ }, }, "upload_asset": { - DefaultMax: 1, + DefaultMax: 10, Fields: map[string]FieldValidation{ "path": {Required: true, Type: "string"}, }, @@ -264,7 +264,7 @@ var ValidationConfig = map[string]TypeValidationConfig{ }, }, "create_code_scanning_alert": { - DefaultMax: 1, + DefaultMax: 40, Fields: map[string]FieldValidation{ "file": {Required: true, Type: "string", Sanitize: true, MaxLength: 512}, "line": {Required: true, PositiveInteger: true}, @@ -275,7 +275,7 @@ var ValidationConfig = map[string]TypeValidationConfig{ }, }, "link_sub_issue": { - DefaultMax: 1, + DefaultMax: 5, CustomValidation: "parentAndSubDifferent", Fields: map[string]FieldValidation{ "parent_issue_number": {Required: true, IssueNumberOrTemporaryID: true}, @@ -284,7 +284,7 @@ var ValidationConfig = map[string]TypeValidationConfig{ }, }, "update_project": { - DefaultMax: 1, + DefaultMax: 10, Fields: map[string]FieldValidation{ "project": {Required: true, Type: "string", Sanitize: true, MaxLength: 512, Pattern: "^https://[^/]+/(orgs|users)/[^/]+/projects/\\d+", PatternError: "must be a full GitHub project URL (e.g., https://github.com/orgs/myorg/projects/42)"}, "content_type": {Type: "string", Enum: []string{"issue", "pull_request", "draft_issue"}}, @@ -306,7 +306,7 @@ var ValidationConfig = map[string]TypeValidationConfig{ }, }, "create_project_status_update": { - DefaultMax: 1, + DefaultMax: 10, Fields: map[string]FieldValidation{ "project": {Required: true, Type: "string", Sanitize: true, MaxLength: 512, Pattern: "^https://[^/]+/(orgs|users)/[^/]+/projects/\\d+", PatternError: "must be a full GitHub project URL (e.g., https://github.com/orgs/myorg/projects/42)"}, "body": {Required: true, Type: "string", Sanitize: true, MaxLength: 65536}, @@ -326,7 +326,7 @@ var ValidationConfig = map[string]TypeValidationConfig{ }, }, "remove_labels": { - DefaultMax: 1, + DefaultMax: 5, Fields: map[string]FieldValidation{ "labels": {Required: true, Type: "array", ItemType: "string", ItemSanitize: true, ItemMaxLength: 128}, "item_number": {IssueOrPRNumber: true}, @@ -343,7 +343,7 @@ var ValidationConfig = map[string]TypeValidationConfig{ }, }, "hide_comment": { - DefaultMax: 1, + DefaultMax: 5, Fields: map[string]FieldValidation{ "comment_id": {Required: true, Type: "string", MaxLength: 256}, "reason": {Type: "string", Enum: []string{"SPAM", "ABUSE", "OFF_TOPIC", "OUTDATED", "RESOLVED"}}, @@ -351,7 +351,7 @@ var ValidationConfig = map[string]TypeValidationConfig{ }, }, "missing_data": { - DefaultMax: 1, + DefaultMax: 20, Fields: map[string]FieldValidation{ "data_type": {Type: "string", Sanitize: true, MaxLength: 128}, "reason": {Type: "string", Sanitize: true, MaxLength: 256}, @@ -360,7 +360,7 @@ var ValidationConfig = map[string]TypeValidationConfig{ }, }, "autofix_code_scanning_alert": { - DefaultMax: 1, + DefaultMax: 10, Fields: map[string]FieldValidation{ "alert_number": {PositiveInteger: true}, "fix_description": {Required: true, Type: "string", Sanitize: true, MaxLength: MaxBodyLength}, diff --git a/pkg/workflow/safe_output_validation_config_test.go b/pkg/workflow/safe_output_validation_config_test.go index 1fdeec7200a..fcce47b74b5 100644 --- a/pkg/workflow/safe_output_validation_config_test.go +++ b/pkg/workflow/safe_output_validation_config_test.go @@ -148,7 +148,7 @@ func TestGetValidationConfigForType(t *testing.T) { name: "link_sub_issue type", typeName: "link_sub_issue", wantFound: true, - wantMax: 1, + wantMax: 5, wantFields: []string{"parent_issue_number", "sub_issue_number"}, }, { @@ -184,14 +184,14 @@ func TestGetDefaultMaxForType(t *testing.T) { want int }{ {"create_issue", 1}, - {"add_labels", 1}, - {"missing_tool", 1}, - {"missing_data", 1}, - {"create_code_scanning_alert", 1}, - {"autofix_code_scanning_alert", 1}, - {"link_sub_issue", 1}, - {"hide_comment", 1}, - {"remove_labels", 1}, + {"add_labels", 5}, + {"missing_tool", 20}, + {"missing_data", 20}, + {"create_code_scanning_alert", 40}, + {"autofix_code_scanning_alert", 10}, + {"link_sub_issue", 5}, + {"hide_comment", 5}, + {"remove_labels", 5}, {"update_discussion", 1}, {"unassign_from_user", 1}, {"mark_pull_request_as_ready_for_review", 1}, diff --git a/pkg/workflow/safe_outputs_config_generation.go b/pkg/workflow/safe_outputs_config_generation.go index b7e43f01e74..f0eadfd7b5b 100644 --- a/pkg/workflow/safe_outputs_config_generation.go +++ b/pkg/workflow/safe_outputs_config_generation.go @@ -238,7 +238,7 @@ func generateSafeOutputsConfig(data *WorkflowData) string { if data.SafeOutputs.CreatePullRequestReviewComments != nil { safeOutputsConfig["create_pull_request_review_comment"] = generateMaxConfig( data.SafeOutputs.CreatePullRequestReviewComments.Max, - 1, // default max + 10, // default max ) } if data.SafeOutputs.SubmitPullRequestReview != nil { @@ -250,19 +250,19 @@ func generateSafeOutputsConfig(data *WorkflowData) string { if data.SafeOutputs.ResolvePullRequestReviewThread != nil { safeOutputsConfig["resolve_pull_request_review_thread"] = generateMaxConfig( data.SafeOutputs.ResolvePullRequestReviewThread.Max, - 1, // default max + 10, // default max ) } if data.SafeOutputs.CreateCodeScanningAlerts != nil { safeOutputsConfig["create_code_scanning_alert"] = generateMaxConfig( data.SafeOutputs.CreateCodeScanningAlerts.Max, - 1, // default max + 0, // default: unlimited ) } if data.SafeOutputs.AutofixCodeScanningAlert != nil { safeOutputsConfig["autofix_code_scanning_alert"] = generateMaxConfig( data.SafeOutputs.AutofixCodeScanningAlert.Max, - 1, // default max + 10, // default max ) } if data.SafeOutputs.AddLabels != nil { @@ -276,21 +276,21 @@ func generateSafeOutputsConfig(data *WorkflowData) string { safeOutputsConfig["add_labels"] = generateTargetConfigWithRepos( data.SafeOutputs.AddLabels.SafeOutputTargetConfig, data.SafeOutputs.AddLabels.Max, - 1, // default max + 3, // default max additionalFields, ) } if data.SafeOutputs.RemoveLabels != nil { safeOutputsConfig["remove_labels"] = generateMaxWithAllowedConfig( data.SafeOutputs.RemoveLabels.Max, - 1, // default max + 3, // default max data.SafeOutputs.RemoveLabels.Allowed, ) } if data.SafeOutputs.AddReviewer != nil { safeOutputsConfig["add_reviewer"] = generateMaxWithReviewersConfig( data.SafeOutputs.AddReviewer.Max, - 1, // default max + 3, // default max data.SafeOutputs.AddReviewer.Reviewers, ) } @@ -348,20 +348,20 @@ func generateSafeOutputsConfig(data *WorkflowData) string { if data.SafeOutputs.MarkPullRequestAsReadyForReview != nil { safeOutputsConfig["mark_pull_request_as_ready_for_review"] = generateMaxConfig( data.SafeOutputs.MarkPullRequestAsReadyForReview.Max, - 1, // default max + 10, // default max ) } if data.SafeOutputs.PushToPullRequestBranch != nil { safeOutputsConfig["push_to_pull_request_branch"] = generateMaxWithTargetConfig( data.SafeOutputs.PushToPullRequestBranch.Max, - 1, // default max + 0, // default: unlimited data.SafeOutputs.PushToPullRequestBranch.Target, ) } if data.SafeOutputs.UploadAssets != nil { safeOutputsConfig["upload_asset"] = generateMaxConfig( data.SafeOutputs.UploadAssets.Max, - 1, // default max + 0, // default: unlimited ) } if data.SafeOutputs.MissingTool != nil { @@ -421,13 +421,13 @@ func generateSafeOutputsConfig(data *WorkflowData) string { if data.SafeOutputs.UpdateProjects != nil { safeOutputsConfig["update_project"] = generateMaxConfig( data.SafeOutputs.UpdateProjects.Max, - 1, // default max + 10, // default max ) } if data.SafeOutputs.CreateProjectStatusUpdates != nil { safeOutputsConfig["create_project_status_update"] = generateMaxConfig( data.SafeOutputs.CreateProjectStatusUpdates.Max, - 1, // default max + 10, // default max ) } if data.SafeOutputs.CreateProjects != nil { @@ -454,7 +454,7 @@ func generateSafeOutputsConfig(data *WorkflowData) string { if data.SafeOutputs.LinkSubIssue != nil { safeOutputsConfig["link_sub_issue"] = generateMaxConfig( data.SafeOutputs.LinkSubIssue.Max, - 1, // default max + 5, // default max ) } if data.SafeOutputs.NoOp != nil { @@ -466,7 +466,7 @@ func generateSafeOutputsConfig(data *WorkflowData) string { if data.SafeOutputs.HideComment != nil { safeOutputsConfig["hide_comment"] = generateHideCommentConfig( data.SafeOutputs.HideComment.Max, - 1, // default max + 5, // default max data.SafeOutputs.HideComment.AllowedReasons, ) } @@ -478,7 +478,7 @@ func generateSafeOutputsConfig(data *WorkflowData) string { safeOutputsConfig["set_issue_type"] = generateTargetConfigWithRepos( data.SafeOutputs.SetIssueType.SafeOutputTargetConfig, data.SafeOutputs.SetIssueType.Max, - 1, // default max + 5, // default max additionalFields, ) } diff --git a/pkg/workflow/security_reports_test.go b/pkg/workflow/security_reports_test.go index 86804676c72..f171ec814bc 100644 --- a/pkg/workflow/security_reports_test.go +++ b/pkg/workflow/security_reports_test.go @@ -44,7 +44,7 @@ func TestCodeScanningAlertsConfig(t *testing.T) { }, }, }, - expectedConfig: &CreateCodeScanningAlertsConfig{BaseSafeOutputConfig: BaseSafeOutputConfig{Max: strPtr("1")}, Driver: "Custom Security Scanner"}, + expectedConfig: &CreateCodeScanningAlertsConfig{BaseSafeOutputConfig: BaseSafeOutputConfig{Max: nil}, Driver: "Custom Security Scanner"}, }, { name: "code scanning alert with max and driver configuration", @@ -136,7 +136,7 @@ func TestParseCodeScanningAlertsConfig(t *testing.T) { "driver": "Test Security Scanner", }, }, - expectedMax: strPtr("1"), + expectedMax: nil, expectedDriver: "Test Security Scanner", expectNil: false, }, diff --git a/pkg/workflow/update_project.go b/pkg/workflow/update_project.go index a95b899f0fe..541edef7ba8 100644 --- a/pkg/workflow/update_project.go +++ b/pkg/workflow/update_project.go @@ -35,11 +35,11 @@ func (c *Compiler) parseUpdateProjectConfig(outputMap map[string]any) *UpdatePro if configData, exists := outputMap["update-project"]; exists { updateProjectLog.Print("Parsing update-project configuration") updateProjectConfig := &UpdateProjectConfig{} - updateProjectConfig.Max = defaultIntStr(1) // Default max is 1 + updateProjectConfig.Max = defaultIntStr(10) // Default max is 10 if configMap, ok := configData.(map[string]any); ok { // Parse base config (max, github-token) - c.parseBaseSafeOutputConfig(configMap, &updateProjectConfig.BaseSafeOutputConfig, 1) + c.parseBaseSafeOutputConfig(configMap, &updateProjectConfig.BaseSafeOutputConfig, 10) // Parse github-token override if specified if token, exists := configMap["github-token"]; exists {