Skip to content

close_issue and add_labels safe output handlers do not support target-repo for cross-repository operations #15027

New issue
New issue
Closed
#15031
Closed
close_issue and add_labels safe output handlers do not support target-repo for cross-repository operations#15027
#15031
Assignees
pelikhancopilot-swe-agent
@benvillalobos

Description

@benvillalobos
benvillalobos
opened on Feb 11, 2026

🤖 AI generated bug report

Summary

The close_issue.cjs and add_labels.cjs safe output handlers are hardcoded to context.repo, which means they always operate on the repository where the workflow runs. The target-repo frontmatter config compiles correctly and is passed to the handler via GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG, but the handlers never read it.

This prevents cross-repository workflows (e.g., a workflow in org/engineering that closes issues or adds labels in org/product).

Expected Behavior

When target-repo is configured in frontmatter:

Note: My scenario ideally uses allowed-repos here, as we have a single repo that houses operations on many repos.

safe-outputs:
  close-issue:
    target: "*"
    target-repo: "microsoft/vscode"
  add-labels:
    target: "*"
    target-repo: "microsoft/vscode"

The handlers should resolve the target repository from config (and/or from the agent's repo field in the message).

Actual Behavior

  • add_labels.cjs uses ...context.repo at line 109
  • close_issue.cjs uses context.repo.owner / context.repo.repo at lines 140, 176, 181
  • Both ignore the target-repo value in the handler config

The config is correctly passed at runtime — visible in the GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG env var:

{
  "add_labels": {
    "allowed": ["~spam"],
    "max": 1,
    "target": "*",
    "target-repo": "benvillalobos/gh-aw-test-target"
  }
}

But neither handler reads config["target-repo"].

Working Reference Implementation

add_comment.cjs already supports target-repo correctly using repo_helpers.cjs:

const { resolveTargetRepoConfig, resolveAndValidateRepo } = require("./repo_helpers.cjs");
// ...
const { defaultTargetRepo, allowedRepos } = resolveTargetRepoConfig(config);
// ...
const repoResult = resolveAndValidateRepo(item, defaultTargetRepo, allowedRepos, "comment");

The same pattern can be applied to close_issue.cjs and add_labels.cjs.

Reproduction

  1. Create a workflow with target-repo set to an external repo
  2. Trigger the workflow and have the agent call add_labels or close_issue on an issue in the external repo
  3. The safe output job fails with Not Found because it tries to operate on context.repo instead of the target repo

Example failed run: https://github.com/benvillalobos/gh-aw-test/actions/runs/21918590680/job/63292710318

Relevant log output:

Adding 1 labels to issue #277977: ["~spam"]
Failed to add labels: Not Found
Failed to close issue #277977: Not Found

Issue #277977 exists in microsoft/vscode, but the handler looked in benvillalobos/gh-aw-test.

Documentation Reference

The Safe Outputs docs and individual sections for close-issue and add-labels both show target-repo as a supported field.

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions