Add workflow_run branch restriction validation (warning in normal mode, error in strict mode)#2963

Merged: pelikhan merged 4 commits into main from copilot/update-compiler-warning-workflow-run on Nov 1, 2025

Conversation

Contributor

Copilot AI commented Nov 1, 2025

Add warning/error for workflow_run without branch restrictions ✅

Summary

Implemented validation to ensure workflow_run triggers include branch restrictions for security and performance. The validation emits warnings in normal mode and errors in strict mode.

Implementation Details

Files Changed:

  1. pkg/workflow/validation.go - Added validateWorkflowRunBranches() function
  2. pkg/workflow/compiler.go - Integrated validation into compilation pipeline
  3. pkg/workflow/workflow_run_validation_test.go - Comprehensive test suite

Validation Logic:

  • Parses the on: YAML field to detect workflow_run triggers
  • Checks if branches field is present in the workflow_run configuration
  • Normal mode: Emits warning and increments warning count
  • Strict mode: Returns error and fails compilation

Testing

All tests pass:

  • Unit tests: 100% pass rate
  • Integration tests: All pass
  • Manual testing: Verified warnings and errors
  • Full test suite: make test-unit - PASS
  • Linter: make lint - PASS
  • Formatter: make fmt - PASS
  • Complete validation: make agent-finish - PASS

Test Coverage:

  • workflow_run without branches (normal mode) → warning
  • workflow_run without branches (strict mode) → error
  • workflow_run with branches → pass
  • workflow_run with empty branches array → pass (has branches field)
  • Mixed triggers with workflow_run → appropriate validation
  • No workflow_run trigger → no validation
  • Edge cases handled correctly

Repository Impact:

  • Found 2 existing workflows without branch restrictions
  • Both now show warnings during compilation
  • No breaking changes to existing workflows

Example Output

Normal mode (warning):

.github/workflows/ci-doctor.md:1:1: warning: workflow_run trigger should include branch restrictions for security and performance.

Without branch restrictions, the workflow will run for workflow runs on ALL branches,
which can cause unexpected behavior and security issues.

Suggested fix: Add branch restrictions to your workflow_run trigger:
on:
  workflow_run:
    workflows: ["your-workflow"]
    types: [completed]
    branches:
      - main
      - develop

Strict mode (error):

error: workflow_run trigger should include branch restrictions for security and performance.
[Same helpful message with suggested fix]
✗ Compilation failed

Security & Performance Benefits

This validation helps prevent:

  • ✅ Workflows running on all branches unnecessarily
  • ✅ Potential security issues from unconstrained triggers
  • ✅ Resource waste from excessive workflow runs
  • ✅ Unexpected workflow behavior across branches

Recent Updates

  • Updated dev-hawk workflow_run branches from copilot/** to copilot/* per feedback

Checklist

  • Explore repository structure and understand compiler workflow
  • Understand workflow_run trigger and YAML structure
  • Build project successfully
  • Add validation function to check workflow_run for branch restrictions
  • Integrate validation into compiler with warning in normal mode
  • Make validation an error in strict mode
  • Add comprehensive tests for the new validation
  • Test the implementation manually
  • Run full test suite and verify all tests pass
  • Format and lint code
  • Run make agent-finish - ALL PASS ✅
  • Address feedback: Update dev-hawk branches restriction
Original prompt

Update compiler such that it emits a warning if workflow_run is used without branch restrictions. Make it an error if strict mode.
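As an added example (not code from this pull request or its repository), the following self-contained Go program sketches the validation logic the description lists under "Validation Logic": look for a workflow_run trigger in the parsed `on:` block, check for a branch filter, and report a warning in normal mode or an error in strict mode. It assumes the `on:` block has already been decoded into a `map[string]any` (the PR reads it from workflow frontmatter; here the maps are constructed inline), and the names `ValidateWorkflowRunBranches`, `hasBranchFilter`, `Result` and `Severity` are hypothetical. It also goes beyond the PR in two ways, both deliberate: a `branches-ignore` filter is accepted as a restriction too, and, following the reviewer's stricter rule, an empty `branches` list counts as no restriction (the merged PR treats an empty list as a pass).

```go
package main

import "fmt"

// Severity mirrors the PR's two modes: a warning in normal mode, an error in strict mode.
type Severity int

const (
	OK Severity = iota
	Warning
	Error
)

func (s Severity) String() string {
	return [...]string{"ok", "warning", "error"}[s]
}

// Result is the outcome of checking one workflow's "on:" block (hypothetical type).
type Result struct {
	Severity Severity
	Message  string
}

// hasBranchFilter reports whether the workflow_run map carries a usable filter under
// key: the key must exist AND hold a non-empty list (or a non-empty scalar pattern).
// An empty list is treated as "no restriction", which is stricter than the merged PR.
func hasBranchFilter(workflowRun map[string]any, key string) bool {
	v, ok := workflowRun[key]
	if !ok {
		return false
	}
	switch list := v.(type) {
	case []any:
		return len(list) > 0
	case []string:
		return len(list) > 0
	case string: // a single pattern written as a scalar, e.g. branches: main
		return list != ""
	}
	return false
}

// ValidateWorkflowRunBranches inspects an already-parsed "on:" map. It returns OK when
// there is no workflow_run trigger or when a branches / branches-ignore filter is
// present; otherwise Warning in normal mode or Error when strict is true.
// Hypothetical stand-in for the PR's validateWorkflowRunBranches.
func ValidateWorkflowRunBranches(on map[string]any, strict bool) Result {
	raw, ok := on["workflow_run"]
	if !ok {
		return Result{OK, "no workflow_run trigger; nothing to validate"}
	}
	wr, ok := raw.(map[string]any)
	if !ok {
		// "workflow_run:" with a nil or scalar value cannot carry any filter.
		wr = map[string]any{}
	}
	if hasBranchFilter(wr, "branches") || hasBranchFilter(wr, "branches-ignore") {
		return Result{OK, "workflow_run trigger has branch restrictions"}
	}
	msg := "workflow_run trigger should include branch restrictions for security and performance"
	if strict {
		return Result{Error, msg}
	}
	return Result{Warning, msg}
}

func main() {
	// Constructed sample: a workflow_run trigger that filters on nothing but the workflow name.
	on := map[string]any{
		"workflow_run": map[string]any{
			"workflows": []any{"CI"},
			"types":     []any{"completed"},
		},
	}
	for _, strict := range []bool{false, true} {
		r := ValidateWorkflowRunBranches(on, strict)
		fmt.Printf("strict=%v -> %s: %s\n", strict, r.Severity, r.Message)
	}
}
```

Running it prints a warning for the normal-mode pass and an error for the strict-mode pass over the same trigger; adding `"branches": []any{"main"}` to the sample map turns both into an OK result.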


Contributor

pelikhan commented Nov 1, 2025

@copilot update dev-hawk to restrict workflow_run branches to copilot/*

Copilot AI and others added 2 commits November 1, 2025 19:37
…n strict mode)

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Update compiler to warn on workflow_run without branch restrictions" to "Add workflow_run branch restriction validation (warning in normal mode, error in strict mode)" Nov 1, 2025
Copilot AI requested a review from pelikhan November 1, 2025 19:45
Contributor Author

Copilot AI commented Nov 1, 2025

@copilot update dev-hawk to restrict workflow_run branches to copilot/*

Updated dev-hawk.md to restrict workflow_run branches to copilot/* (changed from copilot/**). Commit: 549754e

@pelikhan pelikhan marked this pull request as ready for review November 1, 2025 19:53
Copilot AI review requested due to automatic review settings November 1, 2025 19:53
@pelikhan pelikhan enabled auto-merge (squash) November 1, 2025 19:53
@pelikhan pelikhan merged commit 79567a6 into main Nov 1, 2025
40 of 45 checks passed
@pelikhan pelikhan deleted the copilot/update-compiler-warning-workflow-run branch November 1, 2025 19:54
Contributor

Copilot AI left a comment

Pull Request Overview

This PR adds validation for workflow_run triggers to ensure they include branch restrictions, which is a security and performance best practice. Without branch restrictions, workflows run on all branches, potentially causing unexpected behavior and security issues.

Key changes:

  • Adds a new validation function validateWorkflowRunBranches that checks for branch restrictions in workflow_run triggers
  • Validation emits warnings in normal mode and errors in strict mode
  • Includes comprehensive test coverage for various workflow_run configurations
  • Updates workflow documentation and applies the branch restriction fix to the dev-hawk workflow

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| pkg/workflow/validation.go | Adds validateWorkflowRunBranches function to validate branch restrictions in workflow_run triggers |
| pkg/workflow/compiler.go | Integrates the new validation function into the compilation pipeline |
| pkg/workflow/workflow_run_validation_test.go | Comprehensive test suite covering various workflow_run configurations and edge cases |
| .github/workflows/dev-hawk.md | Fixes branch pattern from copilot/** to copilot/* (applies the validation fix) |
| .github/workflows/dev-hawk.lock.yml | Generated lock file reflecting the branch pattern fix |
| docs/src/content/docs/status.mdx | Updates workflow table entries and removes extraneous blank lines |
| docs/src/content/docs/reference/frontmatter-full.md | Documentation cleanup removing blank lines and undocumented min fields |

Comment on lines +732 to +738
_, hasBranches := workflowRunMap["branches"]
if hasBranches {
// Has branch restrictions, validation passed
if c.verbose {
fmt.Fprintln(os.Stderr, console.FormatInfoMessage("✓ workflow_run trigger has branch restrictions"))
}
return nil

Copilot AI Nov 1, 2025

The validation incorrectly passes when the branches field exists but is empty. According to test case "workflow_run with empty branches array", an empty branches array (branches: []) should NOT trigger a warning, but the current logic treats it as valid branch restrictions. The check should verify that branches not only exists but also contains at least one branch pattern, or explicitly handle empty arrays as a special case if they're intentionally allowed.

Suggested change
_, hasBranches := workflowRunMap["branches"]
if hasBranches {
// Has branch restrictions, validation passed
if c.verbose {
fmt.Fprintln(os.Stderr, console.FormatInfoMessage("✓ workflow_run trigger has branch restrictions"))
}
return nil
branchesVal, hasBranches := workflowRunMap["branches"]
if hasBranches {
// Check that branches is a non-empty array
if branchesSlice, ok := branchesVal.([]any); ok && len(branchesSlice) > 0 {
// Has branch restrictions, validation passed
if c.verbose {
fmt.Fprintln(os.Stderr, console.FormatInfoMessage("✓ workflow_run trigger has branch restrictions"))
}
return nil
}
// branches exists but is empty or not an array, treat as missing restrictions
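Review bot: The suggested change contradicts the PR's own stated test expectation ("workflow_run with empty branches array → pass (has branches field)"), and the comment above it is internally inconsistent: the prose says an empty array "should NOT trigger a warning" while the replacement code falls through to the missing-restrictions path for exactly that input, so applying this suggestion as written would flip an existing test. Decide which behaviour is intended before merging the suggestion, and if empty lists are to be rejected, update the test case and its name in workflow_run_validation_test.go in the same change. Separately, both the original and the suggested block key only on "branches"; a workflow_run trigger that filters with `branches-ignore`, which GitHub also accepts for this event, would get a spurious warning (or a strict-mode failure). Consider checking for either key, e.g. `if _, ok := workflowRunMap["branches-ignore"]; ok { return nil }` alongside the "branches" check, or at least naming the accepted keys in the warning text.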
