Copilot AI commented Jan 31, 2026

Problem

dispatch_workflow needed to be restricted to only search for workflows in the standard .github/workflows/ directory for security and organizational reasons.

# .github/aw/dispatcher.md
safe-outputs:
  dispatch-workflow:
    workflows:
      - ci  # Must be in .github/workflows/ only

Changes

Single directory search (dispatch_workflow_validation.go):

  • Modified findWorkflowFile() helper to only search .github/workflows/ directory
  • Removed multi-directory search capability
  • Path traversal validation on all searched paths
  • Updated error messages to reflect single search location

MCP tool generation (safe_outputs_config_generation.go):

  • Updated tool descriptions to specify .github/workflows/ requirement
  • Populates WorkflowFiles map with resolved file extensions

Runtime configuration (compiler_safe_outputs_config.go):

  • Fixed handler registry to include workflow_files mapping
  • Enables runtime dispatch with correct extensions (.lock.yml vs .yml)

Test coverage (dispatch_workflow_test.go):

  • Only .github/workflows/ directory search
  • Error cases (not found, missing workflow_dispatch trigger)
  • File extension resolution
  • Verification that same-directory workflows are not discovered

Result

Workflows can only dispatch to workflows in .github/workflows/:

# .github/aw/dispatcher.md
safe-outputs:
  dispatch-workflow:
    workflows:
      - ci  # ✅ Found in .github/workflows/ci.lock.yml
      - security-compliance  # ✅ Found in .github/workflows/

Workflows in the same directory are no longer discoverable:

# .github/aw/dispatcher.md
safe-outputs:
  dispatch-workflow:
    workflows:
      - local-workflow  # ❌ Will not find .github/aw/local-workflow.lock.yml

Handler config correctly includes file mappings:

{
  "dispatch_workflow": {
    "workflows": ["ci", "security-compliance"],
    "workflow_files": {
      "ci": ".lock.yml",
      "security-compliance": ".lock.yml"
    }
  }
}

Original prompt

Analyze dispatch_workflow and how it integrates with MCP. Currently, workflows (in .github/workflows) are not recognized as workflows to dispatch to:
rpc safeoutputs→tools/call {"jsonrpc":"2.0","method":"tools/call","params":{"arguments":{"alternatives":"The tools may need to be registered or the MCP server may need to be configured to expose these compliance checker tools","reason":"The compliance dispatcher requires these tools from the safeoutputs MCP server to dispatch compliance checks for issue #230 with label ai:compliance-check","tool":"security_compliance_checker, accessibility_compliance_checker, privacy_compliance_checker, rai_compliance_checker"},"name":"missing_tool"}.
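
An added example, not code from this PR or the project: a single-directory lookup of the kind the description lists (search only `.github/workflows/`, reject path traversal, resolve `.lock.yml` vs `.yml`, require a `workflow_dispatch` trigger). The name `resolveWorkflow`, the name allow-list, the `.lock.yml`-first order and the substring trigger check are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// workflowsDir is the single directory searched, as the PR requires.
const workflowsDir = ".github/workflows"
// validName is an assumed allow-list for workflow names (not from the PR).
var validName = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]*$`)

// resolveWorkflow (hypothetical) returns the extension of the file backing name.
func resolveWorkflow(repoRoot, name string) (string, error) {
	if !validName.MatchString(name) || strings.Contains(name, "..") {
		return "", fmt.Errorf("invalid workflow name %q", name)
	}
	base := filepath.Join(repoRoot, workflowsDir)
	for _, ext := range []string{".lock.yml", ".yml"} { // assumed preference order
		p := filepath.Join(base, name+ext)
		// Defence in depth: the cleaned path must still sit inside base.
		if rel, err := filepath.Rel(base, p); err != nil || strings.HasPrefix(rel, "..") {
			return "", fmt.Errorf("path for %q escapes %s", name, workflowsDir)
		}
		if data, err := os.ReadFile(p); err == nil {
			// Simplified trigger check; a real one would parse the YAML "on:" key.
			if !strings.Contains(string(data), "workflow_dispatch") {
				return "", fmt.Errorf("%s%s lacks a workflow_dispatch trigger", name, ext)
			}
			return ext, nil
		}
	}
	return "", fmt.Errorf("workflow %q not found in %s", name, workflowsDir)
}

func main() {
	root, _ := os.MkdirTemp("", "repo") // constructed sample tree
	defer os.RemoveAll(root)
	for _, f := range []string{".github/workflows/ci.lock.yml", ".github/aw/local-workflow.lock.yml"} {
		os.MkdirAll(filepath.Join(root, filepath.Dir(f)), 0o755)
		os.WriteFile(filepath.Join(root, f), []byte("on:\n  workflow_dispatch:\n"), 0o644)
	}
	for _, n := range []string{"ci", "local-workflow", "../aw/local-workflow"} {
		ext, err := resolveWorkflow(root, n)
		fmt.Printf("%q ext=%q err=%v\n", n, ext, err)
	}
}
```

`os.ReadFile` follows symlinks, so a lookup that must also hold against a symlink planted inside `.github/workflows/` would need an additional `os.Lstat` check.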



Copilot AI and others added 3 commits January 31, 2026 05:44
Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
Copilot AI changed the title [WIP] Analyze dispatch workflow integration with MCP Fix dispatch_workflow to discover workflows in .github/workflows Jan 31, 2026
Copilot AI requested a review from mnkiefer January 31, 2026 05:57
@github-actions

🔍 PR Triage Results

Category: bug | Risk: high | Priority: 55/100

Scores Breakdown

  • Impact: 35/50 - Critical bug fix affecting workflow dispatch functionality
  • Urgency: 10/30 - Recent PR (0 days old) with standard urgency
  • Quality: 10/20 - Draft status, CI pending completion

📋 Recommended Action: batch_review

This PR is part of Batch #1: Bug Fixes (batch-bug-001) along with PRs #12869 and #12664. These bug fixes should be reviewed together to ensure no conflicts in workflow configuration and dispatch mechanisms.

Batch Review Strategy: Test all fixes together to validate workflow discovery, documentation links, and MCP configuration work harmoniously.

Next Steps:

  1. Complete CI validation
  2. Convert from draft to ready for review
  3. Coordinate review with other bug fixes in batch-bug-001

Triaged by PR Triage Agent on 2026-01-31 | Run #21540069309

AI generated by PR Triage Agent

@mnkiefer

@copilot Only allow from .github/workflows/

Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>

Copilot AI commented Jan 31, 2026

@copilot Only allow from .github/workflows/

Done. dispatch_workflow now only searches in .github/workflows/ directory and no longer searches the current workflow's directory. (commit ce38166)

Copilot AI changed the title Fix dispatch_workflow to discover workflows in .github/workflows Restrict dispatch_workflow to only search .github/workflows directory Jan 31, 2026
@mnkiefer mnkiefer marked this pull request as ready for review January 31, 2026 06:43
@pelikhan pelikhan merged commit 6ffbd8e into main Jan 31, 2026
124 checks passed
@pelikhan pelikhan deleted the copilot/analyze-dispatch-workflow-integration branch January 31, 2026 07:25