github · pelikhan · Feb 19, 2026 · Feb 19, 2026 · Feb 19, 2026 · Feb 19, 2026
diff --git a/actions/setup/js/add_labels.cjs b/actions/setup/js/add_labels.cjs
@@ -28,6 +28,7 @@ const MAX_LABELS = 10;
 async function main(config = {}) {
   // Extract configuration
   const allowedLabels = config.allowed || [];
+  const blockedPatterns = config.blocked || [];
   const maxCount = config.max || 10;
   const { defaultTargetRepo, allowedRepos } = resolveTargetRepoConfig(config);
 
@@ -38,6 +39,9 @@ async function main(config = {}) {
   if (allowedLabels.length > 0) {
     core.info(`Allowed labels: ${allowedLabels.join(", ")}`);
   }
+  if (blockedPatterns.length > 0) {
+    core.info(`Blocked patterns: ${blockedPatterns.join(", ")}`);
+  }
   core.info(`Default target repo: ${defaultTargetRepo}`);
   if (allowedRepos.size > 0) {
     core.info(`Allowed repos: ${[...allowedRepos].join(", ")}`);
@@ -105,7 +109,7 @@ async function main(config = {}) {
     }
 
     // Use validation helper to sanitize and validate labels
-    const labelsResult = validateLabels(requestedLabels, allowedLabels, maxCount);
+    const labelsResult = validateLabels(requestedLabels, allowedLabels, maxCount, blockedPatterns);
     if (!labelsResult.valid) {
       // If no valid labels, log info and return gracefully
       if (labelsResult.error?.includes("No valid labels")) {

diff --git a/actions/setup/js/remove_labels.cjs b/actions/setup/js/remove_labels.cjs
@@ -20,6 +20,7 @@ const { resolveTargetRepoConfig, resolveAndValidateRepo } = require("./repo_help
 async function main(config = {}) {
   // Extract configuration
   const allowedLabels = config.allowed || [];
+  const blockedPatterns = config.blocked || [];
   const maxCount = config.max || 10;
   const { defaultTargetRepo, allowedRepos } = resolveTargetRepoConfig(config);
 
@@ -30,6 +31,9 @@ async function main(config = {}) {
   if (allowedLabels.length > 0) {
     core.info(`Allowed labels to remove: ${allowedLabels.join(", ")}`);
   }
+  if (blockedPatterns.length > 0) {
+    core.info(`Blocked patterns: ${blockedPatterns.join(", ")}`);
+  }
   core.info(`Default target repo: ${defaultTargetRepo}`);
   if (allowedRepos.size > 0) {
     core.info(`Allowed repos: ${Array.from(allowedRepos).join(", ")}`);
@@ -100,7 +104,7 @@ async function main(config = {}) {
     }
 
     // Use validation helper to sanitize and validate labels
-    const labelsResult = validateLabels(requestedLabels, allowedLabels, maxCount);
+    const labelsResult = validateLabels(requestedLabels, allowedLabels, maxCount, blockedPatterns);
     if (!labelsResult.valid) {
       // If no valid labels, log info and return gracefully
       if (labelsResult.error?.includes("No valid labels")) {

diff --git a/actions/setup/js/safe_output_validator.cjs b/actions/setup/js/safe_output_validator.cjs
@@ -84,9 +84,10 @@ function validateBody(body, fieldName = "body", required = false) {
  * @param {any} labels - The labels to validate
  * @param {string[]|undefined} allowedLabels - Optional list of allowed labels
  * @param {number} maxCount - Maximum number of labels allowed
+ * @param {string[]|undefined} blockedPatterns - Optional list of blocked label patterns (supports glob patterns like "~*", "*[bot]")
  * @returns {{valid: boolean, value?: string[], error?: string}} Validation result
  */
-function validateLabels(labels, allowedLabels = undefined, maxCount = 3) {
+function validateLabels(labels, allowedLabels = undefined, maxCount = 3, blockedPatterns = undefined) {
   if (!labels || !Array.isArray(labels)) {
     return { valid: false, error: "labels must be an array" };
   }
@@ -98,10 +99,27 @@ function validateLabels(labels, allowedLabels = undefined, maxCount = 3) {
     }
   }
 
-  // Filter labels based on allowed list if provided
+  // Filter out blocked labels first (security boundary)
   let validLabels = labels;
+  if (blockedPatterns && blockedPatterns.length > 0) {
+    const { matchesSimpleGlob } = require("./glob_pattern_helpers.cjs");
+    const blockedLabels = [];
+    validLabels = labels.filter(label => {
+      const labelStr = String(label).trim();
+      const isBlocked = blockedPatterns.some(pattern => matchesSimpleGlob(labelStr, pattern));
+      if (isBlocked) {
+        blockedLabels.push(labelStr);
+      }
+      return !isBlocked;
+    });
+    if (blockedLabels.length > 0) {
+      core.info(`Filtered out ${blockedLabels.length} blocked labels: ${blockedLabels.join(", ")}`);
-      core.info(`Filtered out ${blockedLabels.length} blocked labels: ${blockedLabels.join(", ")}`);
+      core.info(`Filtered out ${blockedLabels.length} blocked labels: ${JSON.stringify(blockedLabels)}`);
-      core.info(`Filtered out ${blockedLabels.length} blocked labels: ${blockedLabels.join(", ")}`);
+      core.info(`Filtered out ${blockedLabels.length} blocked labels: ${JSON.stringify(blockedLabels)}`);
+    }
+  }
+
+  // Filter labels based on allowed list if provided
   if (allowedLabels && allowedLabels.length > 0) {
-    validLabels = labels.filter(label => allowedLabels.includes(label));
+    validLabels = validLabels.filter(label => allowedLabels.includes(label));
   }
 
   // Sanitize and deduplicate labels

diff --git a/actions/setup/js/safe_output_validator.test.cjs b/actions/setup/js/safe_output_validator.test.cjs
@@ -228,6 +228,85 @@ describe("safe_output_validator.cjs", () => {
       expect(result.valid).toBe(false);
       expect(result.error).toContain("No valid labels found");
     });
+
+    it("should filter out labels matching blocked patterns", () => {
+      const result = validator.validateLabels(["bug", "~stale", "~archived", "enhancement"], undefined, 10, ["~*"]);
+
+      expect(result.valid).toBe(true);
+      expect(result.value).toHaveLength(2);
+      expect(result.value).toContain("bug");
+      expect(result.value).toContain("enhancement");
+      expect(result.value).not.toContain("~stale");
+      expect(result.value).not.toContain("~archived");
+      expect(mockCore.info).toHaveBeenCalledWith(expect.stringContaining("Filtered out 2 blocked labels"));
+    });
+
+    it("should apply blocked filter before allowed filter", () => {
+      const result = validator.validateLabels(
+        ["bug", "~stale", "enhancement", "custom"],
+        ["bug", "~stale", "enhancement"], // ~stale is in allowed list
+        10,
+        ["~*"] // but blocked by pattern
+      );
+
+      expect(result.valid).toBe(true);
+      expect(result.value).toHaveLength(2);
+      expect(result.value).toContain("bug");
+      expect(result.value).toContain("enhancement");
+      expect(result.value).not.toContain("~stale"); // blocked despite being in allowed list
+      expect(result.value).not.toContain("custom");
+    });
+
+    it("should handle exact match blocking", () => {
+      const result = validator.validateLabels(
+        ["bug", "stale", "enhancement"],
+        undefined,
+        10,
+        ["stale"] // exact match, no pattern
+      );
+
+      expect(result.valid).toBe(true);
+      expect(result.value).toHaveLength(2);
+      expect(result.value).toContain("bug");
+      expect(result.value).toContain("enhancement");
+      expect(result.value).not.toContain("stale");
+    });
+
+    it("should handle empty blocked patterns", () => {
+      const result = validator.validateLabels(["bug", "~stale"], undefined, 10, []);
+
+      expect(result.valid).toBe(true);
+      expect(result.value).toHaveLength(2);
+      expect(result.value).toContain("bug");
+      expect(result.value).toContain("~stale");
+    });
+
+    it("should handle undefined blocked patterns", () => {
+      const result = validator.validateLabels(["bug", "~stale"], undefined, 10, undefined);
+
+      expect(result.valid).toBe(true);
+      expect(result.value).toHaveLength(2);
+      expect(result.value).toContain("bug");
+      expect(result.value).toContain("~stale");
+    });
+
+    it("should reject when all labels are blocked", () => {
+      const result = validator.validateLabels(["~stale", "~archived"], undefined, 10, ["~*"]);
+
+      expect(result.valid).toBe(false);
+      expect(result.error).toContain("No valid labels found");
+    });
+
+    it("should handle bot pattern blocking", () => {
+      const result = validator.validateLabels(["bug", "dependabot[bot]", "github-actions[bot]", "enhancement"], undefined, 10, ["*[bot]"]);
+
+      expect(result.valid).toBe(true);
+      expect(result.value).toHaveLength(2);
+      expect(result.value).toContain("bug");
+      expect(result.value).toContain("enhancement");
+      expect(result.value).not.toContain("dependabot[bot]");
+      expect(result.value).not.toContain("github-actions[bot]");
+    });
   });
 
   describe("validateMaxCount", () => {

diff --git a/pkg/parser/schemas/main_workflow_schema.json b/pkg/parser/schemas/main_workflow_schema.json
@@ -5232,6 +5232,15 @@
                   "minItems": 1,
                   "maxItems": 50
                 },
+                "blocked": {
+                  "type": "array",
+                  "description": "Optional list of blocked label patterns (supports glob patterns like '~*', '*[bot]'). Labels matching these patterns will be rejected. Applied before allowed list filtering for security.",
+                  "items": {
+                    "type": "string"
+                  },
+                  "minItems": 1,
+                  "maxItems": 50
+                },
                 "max": {
                   "type": "integer",
                   "description": "Optional maximum number of labels to add (default: 3)",
@@ -5281,6 +5290,15 @@
                   "minItems": 1,
                   "maxItems": 50
                 },
+                "blocked": {
+                  "type": "array",
+                  "description": "Optional list of blocked label patterns (supports glob patterns like '~*', '*[bot]'). Labels matching these patterns will be rejected. Applied before allowed list filtering for security.",
+                  "items": {
+                    "type": "string"
+                  },
+                  "minItems": 1,
+                  "maxItems": 50
+                },
                 "max": {
                   "type": "integer",
                   "description": "Optional maximum number of labels to remove (default: 3)",

diff --git a/pkg/workflow/add_labels.go b/pkg/workflow/add_labels.go
@@ -13,6 +13,7 @@ type AddLabelsConfig struct {
 	BaseSafeOutputConfig   `yaml:",inline"`
 	SafeOutputTargetConfig `yaml:",inline"`
 	Allowed                []string `yaml:"allowed,omitempty"` // Optional list of allowed labels. Labels will be created if they don't already exist in the repository. If omitted, any labels are allowed (including creating new ones).
+	Blocked                []string `yaml:"blocked,omitempty"` // Optional list of blocked label patterns (supports glob patterns like "~*", "*[bot]"). Labels matching these patterns will be rejected.
 }
 
 // parseAddLabelsConfig handles add-labels configuration
@@ -33,7 +34,7 @@ func (c *Compiler) parseAddLabelsConfig(outputMap map[string]any) *AddLabelsConf
 		return &AddLabelsConfig{}
 	}
 
-	addLabelsLog.Printf("Parsed configuration: allowed_count=%d, target=%s", len(config.Allowed), config.Target)
+	addLabelsLog.Printf("Parsed configuration: allowed_count=%d, blocked_count=%d, target=%s", len(config.Allowed), len(config.Blocked), config.Target)
 
 	return &config
 }
@@ -52,6 +53,7 @@ func (c *Compiler) buildAddLabelsJob(data *WorkflowData, mainJobName string) (*J
 	listJobConfig := ListJobConfig{
 		SafeOutputTargetConfig: cfg.SafeOutputTargetConfig,
 		Allowed:                cfg.Allowed,
+		Blocked:                cfg.Blocked,
 	}
 
 	// Use shared builder for list-based safe-output jobs