remove_labels and assign_to_user safe output handlers do not support target-repo for cross-repository operationsΒ #15216
Description
π€: Bug report submitted by AI
Summary
Follow-up to #15027 β the same context.repo hardcoding bug that was fixed in add_labels.cjs and close_issue.cjs also exists in remove_labels.cjs and assign_to_user.cjs. Both handlers ignore the target-repo config and always operate against the workflow's own repository.
Affected Files
actions/setup/js/remove_labels.cjs
- Lines 11-12: Only imports
safe_output_validator.cjsanderror_helpers.cjsβ does NOT importrepo_helpers.cjs - Line 124: Hardcoded
...context.repoin theremoveLabelAPI call:await github.rest.issues.removeLabel({ ...context.repo, issue_number: itemNumber, name: label, });
actions/setup/js/assign_to_user.cjs
- Lines 8-9: Only imports
safe_output_processor.cjsanderror_helpers.cjsβ does NOT importrepo_helpers.cjs - Lines 104-105: Hardcoded
context.repo.owner/context.repo.repoin theaddAssigneesAPI call:await github.rest.issues.addAssignees({ owner: context.repo.owner, repo: context.repo.repo, issue_number: issueNumber, assignees: uniqueAssignees, });
Root Cause
When #15027 was fixed, add_labels.cjs and close_issue.cjs were updated to use resolveTargetRepoConfig / resolveAndValidateRepo from repo_helpers.cjs. The same fix was not applied to remove_labels.cjs and assign_to_user.cjs.
The Plumbing Already Works
Everything upstream of the handler JS is wired correctly:
- Go compiler structs: Both
RemoveLabelsConfigandAssignToUserConfigembedSafeOutputTargetConfig(which providesTargetRepoSlugandAllowedRepos) - Config generation (
compiler_safe_outputs_config.go): Theremove_labelsbuilder callsAddIfNotEmpty("target-repo", c.TargetRepoSlug)andAddStringSlice("allowed_repos", c.AllowedRepos). Theassign_to_userbuilder similarly extracts the config viaaddRepoParameterIfNeededinsafe_outputs_config_generation.go(line 894-898). - Docs (
.github/aw/github-agentic-workflows.md): Bothremove-labelsandassign-to-userdocumenttarget-repoas a supported field. - MCP tool schema: The compiler correctly adds the
repoparameter to the safe-outputs MCP tool description whenallowed-reposis configured.
The config IS passed correctly at runtime β it's just never read by the handlers.
Fix
Apply the exact same pattern from add_labels.cjs (the fix from #15027):
For each handler:
-
Add the import:
const { resolveTargetRepoConfig, resolveAndValidateRepo } = require("./repo_helpers.cjs");
-
In the
main()factory function, resolve the target repo from config:const { defaultTargetRepo, allowedRepos } = resolveTargetRepoConfig(config);
-
In the message handler function, resolve and validate per-message:
const repoResult = resolveAndValidateRepo(message, defaultTargetRepo, allowedRepos, "label"); // or "assignee" if (!repoResult.success) { core.warning(`Skipping: ${repoResult.error}`); return { success: false, error: repoResult.error }; } const { repo: itemRepo, repoParts } = repoResult;
-
Replace
context.repo/...context.repowithrepoParts.owner/repoParts.repoin the API call.
Reference implementation: actions/setup/js/add_labels.cjs lines 13, 24, 57, 65, 127-128
Use Case
We're building a stale-issue re-triage workflow in a side repo (gh-aw-test) that will eventually run cross-repo from microsoft/vscode-engineering against microsoft/vscode. The workflow needs to:
- Add area labels (works β
add_labelswas fixed inclose_issueandadd_labelssafe output handlers do not support target-repo for cross-repository operationsΒ #15027) - Remove the
triage-neededlabel (broken βremove_labelsignorestarget-repo) - Assign the suggested owner (broken β
assign_to_userignorestarget-repo)
Reproduction
- Create a workflow with
target-reposet to an external repo:safe-outputs: remove-labels: allowed: ["triage-needed"] target-repo: "org/other-repo" assign-to-user: max: 1 target-repo: "org/other-repo"
- Trigger the workflow and have the agent call
remove_labelsorassign_to_useron an issue in the external repo - Both will 404 because they operate on
context.repoinstead of the configured target repo