From e72c5b7c74cc94cff8e963908b00d7dc766cf04b Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sun, 2 Nov 2025 03:03:34 +0000 Subject: [PATCH 1/3] Initial plan From f5cd401b3f6aa2e4feebad7d39143044779d26f9 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sun, 2 Nov 2025 03:16:54 +0000 Subject: [PATCH 2/3] Change default behavior of forks for pull_request events to disallow all by default - Modified applyPullRequestForkFilter to apply fork filtering by default when no forks field is specified - When forks field is not present, only same-repo PRs are allowed (disallow all forks by default) - Users must explicitly specify forks: ["*"] to allow all forks - Updated JSON schema to document the forks, draft, and names custom fields - Added test case for default fork filtering behavior - All existing tests continue to pass Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/changeset.lock.yml | 6 ++- .github/workflows/smoke-claude.lock.yml | 8 ++-- .github/workflows/smoke-codex.lock.yml | 8 ++-- .../workflows/smoke-copilot.firewall.lock.yml | 8 ++-- .github/workflows/smoke-copilot.lock.yml | 8 ++-- .github/workflows/smoke-opencode.lock.yml | 8 ++-- pkg/workflow/compiler_test.go | 21 ++++++++++ pkg/workflow/filters.go | 41 ++++++++++--------- pkg/workflow/schemas/github-workflow.json | 34 +++++++++++++++ 9 files changed, 106 insertions(+), 36 deletions(-) diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index d970a9064c..eee692130a 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -62,7 +62,8 @@ jobs: activation: needs: pre_activation if: > - (needs.pre_activation.outputs.activated == 'true') && ((github.event.pull_request.base.ref == github.event.repository.default_branch) && + (needs.pre_activation.outputs.activated == 'true') && (((github.event.pull_request.base.ref == github.event.repository.default_branch) && + ((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.full_name == github.repository))) && ((github.event_name != 'pull_request') || ((github.event.action != 'labeled') || (github.event.label.name == 'changeset')))) runs-on: ubuntu-slim permissions: @@ -5262,7 +5263,8 @@ jobs: pre_activation: if: > - (github.event.pull_request.base.ref == github.event.repository.default_branch) && ((github.event_name != 'pull_request') || + ((github.event.pull_request.base.ref == github.event.repository.default_branch) && ((github.event_name != 'pull_request') || + (github.event.pull_request.head.repo.full_name == github.repository))) && ((github.event_name != 'pull_request') || ((github.event.action != 'labeled') || (github.event.label.name == 'changeset'))) runs-on: ubuntu-slim outputs: diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index a348053cc9..18aabe826b 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -59,8 +59,8 @@ jobs: activation: needs: pre_activation if: > - (needs.pre_activation.outputs.activated == 'true') && ((github.event_name != 'pull_request') || ((github.event.action != 'labeled') || - (github.event.label.name == 'smoke'))) + (needs.pre_activation.outputs.activated == 'true') && (((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.full_name == github.repository)) && + ((github.event_name != 'pull_request') || ((github.event.action != 'labeled') || (github.event.label.name == 'smoke')))) runs-on: ubuntu-slim steps: - name: Check workflow file timestamps @@ -3772,7 +3772,9 @@ jobs: }); pre_activation: - if: (github.event_name != 'pull_request') || ((github.event.action != 'labeled') || (github.event.label.name == 'smoke')) + if: > + ((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.full_name == github.repository)) && + ((github.event_name != 'pull_request') || ((github.event.action != 'labeled') || (github.event.label.name == 'smoke'))) runs-on: ubuntu-slim outputs: activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }} diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index abd41a2696..0d44d9df37 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -59,8 +59,8 @@ jobs: activation: needs: pre_activation if: > - (needs.pre_activation.outputs.activated == 'true') && ((github.event_name != 'pull_request') || ((github.event.action != 'labeled') || - (github.event.label.name == 'smoke'))) + (needs.pre_activation.outputs.activated == 'true') && (((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.full_name == github.repository)) && + ((github.event_name != 'pull_request') || ((github.event.action != 'labeled') || (github.event.label.name == 'smoke')))) runs-on: ubuntu-slim steps: - name: Check workflow file timestamps @@ -3412,7 +3412,9 @@ jobs: }); pre_activation: - if: (github.event_name != 'pull_request') || ((github.event.action != 'labeled') || (github.event.label.name == 'smoke')) + if: > + ((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.full_name == github.repository)) && + ((github.event_name != 'pull_request') || ((github.event.action != 'labeled') || (github.event.label.name == 'smoke'))) runs-on: ubuntu-slim outputs: activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }} diff --git a/.github/workflows/smoke-copilot.firewall.lock.yml b/.github/workflows/smoke-copilot.firewall.lock.yml index 4e319ffcd8..9fee758064 100644 --- a/.github/workflows/smoke-copilot.firewall.lock.yml +++ b/.github/workflows/smoke-copilot.firewall.lock.yml @@ -59,8 +59,8 @@ jobs: activation: needs: pre_activation if: > - (needs.pre_activation.outputs.activated == 'true') && ((github.event_name != 'pull_request') || ((github.event.action != 'labeled') || - (github.event.label.name == 'smoke'))) + (needs.pre_activation.outputs.activated == 'true') && (((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.full_name == github.repository)) && + ((github.event_name != 'pull_request') || ((github.event.action != 'labeled') || (github.event.label.name == 'smoke')))) runs-on: ubuntu-slim steps: - name: Check workflow file timestamps @@ -4476,7 +4476,9 @@ jobs: }); pre_activation: - if: (github.event_name != 'pull_request') || ((github.event.action != 'labeled') || (github.event.label.name == 'smoke')) + if: > + ((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.full_name == github.repository)) && + ((github.event_name != 'pull_request') || ((github.event.action != 'labeled') || (github.event.label.name == 'smoke'))) runs-on: ubuntu-slim outputs: activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }} diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index 07bdf24716..f0280f4351 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -59,8 +59,8 @@ jobs: activation: needs: pre_activation if: > - (needs.pre_activation.outputs.activated == 'true') && ((github.event_name != 'pull_request') || ((github.event.action != 'labeled') || - (github.event.label.name == 'smoke'))) + (needs.pre_activation.outputs.activated == 'true') && (((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.full_name == github.repository)) && + ((github.event_name != 'pull_request') || ((github.event.action != 'labeled') || (github.event.label.name == 'smoke')))) runs-on: ubuntu-slim steps: - name: Check workflow file timestamps @@ -4476,7 +4476,9 @@ jobs: }); pre_activation: - if: (github.event_name != 'pull_request') || ((github.event.action != 'labeled') || (github.event.label.name == 'smoke')) + if: > + ((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.full_name == github.repository)) && + ((github.event_name != 'pull_request') || ((github.event.action != 'labeled') || (github.event.label.name == 'smoke'))) runs-on: ubuntu-slim outputs: activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }} diff --git a/.github/workflows/smoke-opencode.lock.yml b/.github/workflows/smoke-opencode.lock.yml index ec9dba7ba5..f6308346de 100644 --- a/.github/workflows/smoke-opencode.lock.yml +++ b/.github/workflows/smoke-opencode.lock.yml @@ -63,8 +63,8 @@ jobs: activation: needs: pre_activation if: > - (needs.pre_activation.outputs.activated == 'true') && ((github.event_name != 'pull_request') || ((github.event.action != 'labeled') || - (github.event.label.name == 'smoke'))) + (needs.pre_activation.outputs.activated == 'true') && (((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.full_name == github.repository)) && + ((github.event_name != 'pull_request') || ((github.event.action != 'labeled') || (github.event.label.name == 'smoke')))) runs-on: ubuntu-slim steps: - name: Check workflow file timestamps @@ -2997,7 +2997,9 @@ jobs: }); pre_activation: - if: (github.event_name != 'pull_request') || ((github.event.action != 'labeled') || (github.event.label.name == 'smoke')) + if: > + ((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.full_name == github.repository)) && + ((github.event_name != 'pull_request') || ((github.event.action != 'labeled') || (github.event.label.name == 'smoke'))) runs-on: ubuntu-slim outputs: activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }} diff --git a/pkg/workflow/compiler_test.go b/pkg/workflow/compiler_test.go index e5b1444168..0beaabb91e 100644 --- a/pkg/workflow/compiler_test.go +++ b/pkg/workflow/compiler_test.go @@ -4947,6 +4947,27 @@ func TestPullRequestForksArrayFilter(t *testing.T) { expectedConditions []string // Expected substrings in the generated condition shouldHaveIf bool // Whether an if condition should be present }{ + { + name: "pull_request without forks field (default: disallow all forks)", + frontmatter: `--- +on: + pull_request: + types: [opened, edited] + +permissions: + contents: read + issues: write + pull-requests: read + +tools: + github: + allowed: [get_issue] +---`, + expectedConditions: []string{ + "github.event.pull_request.head.repo.full_name == github.repository", + }, + shouldHaveIf: true, + }, { name: "pull_request with forks array (exact matches)", frontmatter: `--- diff --git a/pkg/workflow/filters.go b/pkg/workflow/filters.go index ffbe1b5da0..10a474f357 100644 --- a/pkg/workflow/filters.go +++ b/pkg/workflow/filters.go @@ -89,6 +89,7 @@ func (c *Compiler) applyPullRequestDraftFilter(data *WorkflowData, frontmatter m // applyPullRequestForkFilter applies fork filter conditions for pull_request triggers // Supports "forks: []string" with glob patterns +// Default behavior: When forks field is not specified, only same-repo PRs are allowed (forks are disallowed by default) func (c *Compiler) applyPullRequestForkFilter(data *WorkflowData, frontmatter map[string]any) { filtersLog.Print("Applying pull request fork filter") @@ -119,28 +120,30 @@ func (c *Compiler) applyPullRequestForkFilter(data *WorkflowData, frontmatter ma // Check for "forks" field (string or array) forksValue, hasForks := prMap["forks"] - if !hasForks { - return - } - - filtersLog.Print("Found forks filter configuration") - - // Convert forks value to []string, handling both string and array formats + // Default behavior: If forks field is not specified, only allow same-repo PRs (disallow all forks by default) var allowedForks []string - - // Handle string format (e.g., forks: "*" or forks: "org/*") - if forksStr, isForksStr := forksValue.(string); isForksStr { - allowedForks = []string{forksStr} - } else if forksArray, isForksArray := forksValue.([]any); isForksArray { - // Handle array format (e.g., forks: ["*", "org/repo"]) - for _, fork := range forksArray { - if forkStr, isForkStr := fork.(string); isForkStr { - allowedForks = append(allowedForks, forkStr) + if !hasForks { + filtersLog.Print("No forks field specified - applying default fork filter (disallow all forks)") + // Empty allowedForks array means only same-repo PRs are allowed + allowedForks = []string{} + } else { + filtersLog.Print("Found forks filter configuration") + + // Convert forks value to []string, handling both string and array formats + // Handle string format (e.g., forks: "*" or forks: "org/*") + if forksStr, isForksStr := forksValue.(string); isForksStr { + allowedForks = []string{forksStr} + } else if forksArray, isForksArray := forksValue.([]any); isForksArray { + // Handle array format (e.g., forks: ["*", "org/repo"]) + for _, fork := range forksArray { + if forkStr, isForkStr := fork.(string); isForkStr { + allowedForks = append(allowedForks, forkStr) + } } + } else { + // Invalid forks format, skip + return } - } else { - // Invalid forks format, skip - return } // If "*" wildcard is present, skip fork filtering (allow all forks) diff --git a/pkg/workflow/schemas/github-workflow.json b/pkg/workflow/schemas/github-workflow.json index 6b93ceff0b..d6fe925d0c 100644 --- a/pkg/workflow/schemas/github-workflow.json +++ b/pkg/workflow/schemas/github-workflow.json @@ -1313,6 +1313,40 @@ }, "paths-ignore": { "$ref": "#/definitions/path" + }, + "draft": { + "type": "boolean", + "description": "Filter pull requests by draft status. When true, only draft PRs trigger the workflow. When false, only non-draft PRs trigger the workflow. If not specified, both draft and non-draft PRs trigger the workflow." + }, + "forks": { + "oneOf": [ + { + "type": "string", + "description": "Filter pull requests from forked repositories. Use '*' to allow all forks, or specify a repository pattern (e.g., 'org/*' or 'org/repo'). Default behavior (when not specified): only same-repo PRs are allowed (forks are disallowed by default)." + }, + { + "type": "array", + "items": { + "type": "string" + }, + "description": "Filter pull requests from forked repositories. Provide a list of allowed repository patterns (e.g., ['org/*', 'org/repo']). Use ['*'] to allow all forks, or [] to allow only same-repo PRs. Default behavior (when not specified): only same-repo PRs are allowed (forks are disallowed by default)." + } + ] + }, + "names": { + "oneOf": [ + { + "type": "string", + "description": "Filter labeled/unlabeled events by label name. Only triggers when the specified label is added or removed." + }, + { + "type": "array", + "items": { + "type": "string" + }, + "description": "Filter labeled/unlabeled events by label names. Only triggers when one of the specified labels is added or removed." + } + ] } }, "additionalProperties": false From 7e306f01c44c2f7738460c47417a19781da7a1d9 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sun, 2 Nov 2025 04:43:37 +0000 Subject: [PATCH 3/3] Use repository ID instead of full_name for fork filtering - Updated BuildNotFromFork() to compare github.event.pull_request.head.repo.id with github.repository_id - Changed from full_name comparison to repository ID comparison for more reliable matching - Repository ID is not affected by repository renames - Updated all test expectations to use repository_id instead of full_name - All tests pass including agent-finish Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/brave.lock.yml | 2 +- .github/workflows/changeset.lock.yml | 6 ++-- .github/workflows/craft.lock.yml | 2 +- .github/workflows/issue-classifier.lock.yml | 2 +- .github/workflows/mergefest.lock.yml | 2 +- .github/workflows/pdf-summary.lock.yml | 2 +- .github/workflows/plan.lock.yml | 2 +- .github/workflows/poem-bot.lock.yml | 2 +- .github/workflows/q.lock.yml | 2 +- .github/workflows/scout.lock.yml | 2 +- .github/workflows/smoke-claude.lock.yml | 4 +-- .github/workflows/smoke-codex.lock.yml | 4 +-- .../workflows/smoke-copilot.firewall.lock.yml | 4 +-- .github/workflows/smoke-copilot.lock.yml | 4 +-- .github/workflows/smoke-detector.lock.yml | 2 +- .github/workflows/smoke-opencode.lock.yml | 4 +-- .github/workflows/tidy.lock.yml | 2 +- .github/workflows/unbloat-docs.lock.yml | 2 +- pkg/workflow/compiler_test.go | 14 ++++---- pkg/workflow/expressions.go | 5 +-- pkg/workflow/expressions_test.go | 6 ++-- pkg/workflow/schemas/github-workflow.json | 34 ------------------- 22 files changed, 38 insertions(+), 71 deletions(-) diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index 5c435d9141..2e8d582acb 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml @@ -336,7 +336,7 @@ jobs: await main(); - name: Add eyes reaction to the triggering item id: react - if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment' || github.event_name == 'discussion' || github.event_name == 'discussion_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.full_name == github.repository) + if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment' || github.event_name == 'discussion' || github.event_name == 'discussion_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.id == github.repository_id) uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_REACTION: eyes diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index eee692130a..7e2db627ac 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -63,7 +63,7 @@ jobs: needs: pre_activation if: > (needs.pre_activation.outputs.activated == 'true') && (((github.event.pull_request.base.ref == github.event.repository.default_branch) && - ((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.full_name == github.repository))) && + ((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.id == github.repository_id))) && ((github.event_name != 'pull_request') || ((github.event.action != 'labeled') || (github.event.label.name == 'changeset')))) runs-on: ubuntu-slim permissions: @@ -336,7 +336,7 @@ jobs: await main(); - name: Add rocket reaction to the triggering item id: react - if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment' || github.event_name == 'discussion' || github.event_name == 'discussion_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.full_name == github.repository) + if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment' || github.event_name == 'discussion' || github.event_name == 'discussion_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.id == github.repository_id) uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_REACTION: rocket @@ -5264,7 +5264,7 @@ jobs: pre_activation: if: > ((github.event.pull_request.base.ref == github.event.repository.default_branch) && ((github.event_name != 'pull_request') || - (github.event.pull_request.head.repo.full_name == github.repository))) && ((github.event_name != 'pull_request') || + (github.event.pull_request.head.repo.id == github.repository_id))) && ((github.event_name != 'pull_request') || ((github.event.action != 'labeled') || (github.event.label.name == 'changeset'))) runs-on: ubuntu-slim outputs: diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index b9dc12de4b..1ba88f938c 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -336,7 +336,7 @@ jobs: await main(); - name: Add eyes reaction to the triggering item id: react - if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment' || github.event_name == 'discussion' || github.event_name == 'discussion_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.full_name == github.repository) + if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment' || github.event_name == 'discussion' || github.event_name == 'discussion_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.id == github.repository_id) uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_REACTION: eyes diff --git a/.github/workflows/issue-classifier.lock.yml b/.github/workflows/issue-classifier.lock.yml index 9941ee68f3..808437aa42 100644 --- a/.github/workflows/issue-classifier.lock.yml +++ b/.github/workflows/issue-classifier.lock.yml @@ -328,7 +328,7 @@ jobs: await main(); - name: Add eyes reaction to the triggering item id: react - if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment' || github.event_name == 'discussion' || github.event_name == 'discussion_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.full_name == github.repository) + if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment' || github.event_name == 'discussion' || github.event_name == 'discussion_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.id == github.repository_id) uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_REACTION: eyes diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index f656436888..d2aa42c7e0 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -137,7 +137,7 @@ jobs: }); - name: Add eyes reaction to the triggering item id: react - if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment' || github.event_name == 'discussion' || github.event_name == 'discussion_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.full_name == github.repository) + if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment' || github.event_name == 'discussion' || github.event_name == 'discussion_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.id == github.repository_id) uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_REACTION: eyes diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index 42da6f929d..332d5e0996 100644 --- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml @@ -358,7 +358,7 @@ jobs: await main(); - name: Add eyes reaction to the triggering item id: react - if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment' || github.event_name == 'discussion' || github.event_name == 'discussion_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.full_name == github.repository) + if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment' || github.event_name == 'discussion' || github.event_name == 'discussion_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.id == github.repository_id) uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_REACTION: eyes diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index f963b52190..bba668d234 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -337,7 +337,7 @@ jobs: await main(); - name: Add eyes reaction to the triggering item id: react - if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment' || github.event_name == 'discussion' || github.event_name == 'discussion_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.full_name == github.repository) + if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment' || github.event_name == 'discussion' || github.event_name == 'discussion_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.id == github.repository_id) uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_REACTION: eyes diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index 84cd88e6e9..5fadc573fe 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -371,7 +371,7 @@ jobs: await main(); - name: Add eyes reaction to the triggering item id: react - if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment' || github.event_name == 'discussion' || github.event_name == 'discussion_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.full_name == github.repository) + if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment' || github.event_name == 'discussion' || github.event_name == 'discussion_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.id == github.repository_id) uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_REACTION: eyes diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index 57dd6380fb..541591a2ec 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -380,7 +380,7 @@ jobs: await main(); - name: Add rocket reaction to the triggering item id: react - if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment' || github.event_name == 'discussion' || github.event_name == 'discussion_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.full_name == github.repository) + if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment' || github.event_name == 'discussion' || github.event_name == 'discussion_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.id == github.repository_id) uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_REACTION: rocket diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index 53c7874374..9f17228159 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -383,7 +383,7 @@ jobs: await main(); - name: Add eyes reaction to the triggering item id: react - if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment' || github.event_name == 'discussion' || github.event_name == 'discussion_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.full_name == github.repository) + if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment' || github.event_name == 'discussion' || github.event_name == 'discussion_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.id == github.repository_id) uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_REACTION: eyes diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 18aabe826b..296c67e052 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -59,7 +59,7 @@ jobs: activation: needs: pre_activation if: > - (needs.pre_activation.outputs.activated == 'true') && (((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.full_name == github.repository)) && + (needs.pre_activation.outputs.activated == 'true') && (((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.id == github.repository_id)) && ((github.event_name != 'pull_request') || ((github.event.action != 'labeled') || (github.event.label.name == 'smoke')))) runs-on: ubuntu-slim steps: @@ -3773,7 +3773,7 @@ jobs: pre_activation: if: > - ((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.full_name == github.repository)) && + ((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.id == github.repository_id)) && ((github.event_name != 'pull_request') || ((github.event.action != 'labeled') || (github.event.label.name == 'smoke'))) runs-on: ubuntu-slim outputs: diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 0d44d9df37..6f52096039 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -59,7 +59,7 @@ jobs: activation: needs: pre_activation if: > - (needs.pre_activation.outputs.activated == 'true') && (((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.full_name == github.repository)) && + (needs.pre_activation.outputs.activated == 'true') && (((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.id == github.repository_id)) && ((github.event_name != 'pull_request') || ((github.event.action != 'labeled') || (github.event.label.name == 'smoke')))) runs-on: ubuntu-slim steps: @@ -3413,7 +3413,7 @@ jobs: pre_activation: if: > - ((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.full_name == github.repository)) && + ((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.id == github.repository_id)) && ((github.event_name != 'pull_request') || ((github.event.action != 'labeled') || (github.event.label.name == 'smoke'))) runs-on: ubuntu-slim outputs: diff --git a/.github/workflows/smoke-copilot.firewall.lock.yml b/.github/workflows/smoke-copilot.firewall.lock.yml index 9fee758064..045c397b5c 100644 --- a/.github/workflows/smoke-copilot.firewall.lock.yml +++ b/.github/workflows/smoke-copilot.firewall.lock.yml @@ -59,7 +59,7 @@ jobs: activation: needs: pre_activation if: > - (needs.pre_activation.outputs.activated == 'true') && (((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.full_name == github.repository)) && + (needs.pre_activation.outputs.activated == 'true') && (((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.id == github.repository_id)) && ((github.event_name != 'pull_request') || ((github.event.action != 'labeled') || (github.event.label.name == 'smoke')))) runs-on: ubuntu-slim steps: @@ -4477,7 +4477,7 @@ jobs: pre_activation: if: > - ((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.full_name == github.repository)) && + ((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.id == github.repository_id)) && ((github.event_name != 'pull_request') || ((github.event.action != 'labeled') || (github.event.label.name == 'smoke'))) runs-on: ubuntu-slim outputs: diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index f0280f4351..4b74f47254 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -59,7 +59,7 @@ jobs: activation: needs: pre_activation if: > - (needs.pre_activation.outputs.activated == 'true') && (((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.full_name == github.repository)) && + (needs.pre_activation.outputs.activated == 'true') && (((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.id == github.repository_id)) && ((github.event_name != 'pull_request') || ((github.event.action != 'labeled') || (github.event.label.name == 'smoke')))) runs-on: ubuntu-slim steps: @@ -4477,7 +4477,7 @@ jobs: pre_activation: if: > - ((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.full_name == github.repository)) && + ((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.id == github.repository_id)) && ((github.event_name != 'pull_request') || ((github.event.action != 'labeled') || (github.event.label.name == 'smoke'))) runs-on: ubuntu-slim outputs: diff --git a/.github/workflows/smoke-detector.lock.yml b/.github/workflows/smoke-detector.lock.yml index 756aa7b8b1..5f3020babf 100644 --- a/.github/workflows/smoke-detector.lock.yml +++ b/.github/workflows/smoke-detector.lock.yml @@ -152,7 +152,7 @@ jobs: }); - name: Add eyes reaction to the triggering item id: react - if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment' || github.event_name == 'discussion' || github.event_name == 'discussion_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.full_name == github.repository) + if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment' || github.event_name == 'discussion' || github.event_name == 'discussion_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.id == github.repository_id) uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_REACTION: eyes diff --git a/.github/workflows/smoke-opencode.lock.yml b/.github/workflows/smoke-opencode.lock.yml index f6308346de..527d8d9cd3 100644 --- a/.github/workflows/smoke-opencode.lock.yml +++ b/.github/workflows/smoke-opencode.lock.yml @@ -63,7 +63,7 @@ jobs: activation: needs: pre_activation if: > - (needs.pre_activation.outputs.activated == 'true') && (((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.full_name == github.repository)) && + (needs.pre_activation.outputs.activated == 'true') && (((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.id == github.repository_id)) && ((github.event_name != 'pull_request') || ((github.event.action != 'labeled') || (github.event.label.name == 'smoke')))) runs-on: ubuntu-slim steps: @@ -2998,7 +2998,7 @@ jobs: pre_activation: if: > - ((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.full_name == github.repository)) && + ((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.id == github.repository_id)) && ((github.event_name != 'pull_request') || ((github.event.action != 'labeled') || (github.event.label.name == 'smoke'))) runs-on: ubuntu-slim outputs: diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index 6c2b108682..4ca566ab87 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -153,7 +153,7 @@ jobs: }); - name: Add eyes reaction to the triggering item id: react - if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment' || github.event_name == 'discussion' || github.event_name == 'discussion_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.full_name == github.repository) + if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment' || github.event_name == 'discussion' || github.event_name == 'discussion_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.id == github.repository_id) uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_REACTION: eyes diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index dc999ecdf2..fecb0a669d 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -152,7 +152,7 @@ jobs: }); - name: Add eyes reaction to the triggering item id: react - if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment' || github.event_name == 'discussion' || github.event_name == 'discussion_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.full_name == github.repository) + if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment' || github.event_name == 'discussion' || github.event_name == 'discussion_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.id == github.repository_id) uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GH_AW_REACTION: eyes diff --git a/pkg/workflow/compiler_test.go b/pkg/workflow/compiler_test.go index 0beaabb91e..f5a3e06d2c 100644 --- a/pkg/workflow/compiler_test.go +++ b/pkg/workflow/compiler_test.go @@ -4964,7 +4964,7 @@ tools: allowed: [get_issue] ---`, expectedConditions: []string{ - "github.event.pull_request.head.repo.full_name == github.repository", + "github.event.pull_request.head.repo.id == github.repository_id", }, shouldHaveIf: true, }, @@ -4988,7 +4988,7 @@ tools: allowed: [get_issue] ---`, expectedConditions: []string{ - "github.event.pull_request.head.repo.full_name == github.repository", + "github.event.pull_request.head.repo.id == github.repository_id", "github.event.pull_request.head.repo.full_name == 'githubnext/test-repo'", "github.event.pull_request.head.repo.full_name == 'octocat/hello-world'", }, @@ -5014,7 +5014,7 @@ tools: allowed: [get_issue] ---`, expectedConditions: []string{ - "github.event.pull_request.head.repo.full_name == github.repository", + "github.event.pull_request.head.repo.id == github.repository_id", "startsWith(github.event.pull_request.head.repo.full_name, 'githubnext/')", "startsWith(github.event.pull_request.head.repo.full_name, 'octocat/')", }, @@ -5041,7 +5041,7 @@ tools: allowed: [get_issue] ---`, expectedConditions: []string{ - "github.event.pull_request.head.repo.full_name == github.repository", + "github.event.pull_request.head.repo.id == github.repository_id", "github.event.pull_request.head.repo.full_name == 'githubnext/test-repo'", "startsWith(github.event.pull_request.head.repo.full_name, 'octocat/')", "github.event.pull_request.head.repo.full_name == 'microsoft/vscode'", @@ -5066,7 +5066,7 @@ tools: allowed: [get_issue] ---`, expectedConditions: []string{ - "github.event.pull_request.head.repo.full_name == github.repository", + "github.event.pull_request.head.repo.id == github.repository_id", }, shouldHaveIf: true, }, @@ -5114,7 +5114,7 @@ tools: allowed: [get_issue] ---`, expectedConditions: []string{ - "github.event.pull_request.head.repo.full_name == github.repository", + "github.event.pull_request.head.repo.id == github.repository_id", "github.event.pull_request.head.repo.full_name == 'githubnext/test-repo'", }, shouldHaveIf: true, @@ -5137,7 +5137,7 @@ tools: allowed: [get_issue] ---`, expectedConditions: []string{ - "github.event.pull_request.head.repo.full_name == github.repository", + "github.event.pull_request.head.repo.id == github.repository_id", "startsWith(github.event.pull_request.head.repo.full_name, 'githubnext/')", }, shouldHaveIf: true, diff --git a/pkg/workflow/expressions.go b/pkg/workflow/expressions.go index 123ca8d6cd..8154f84605 100644 --- a/pkg/workflow/expressions.go +++ b/pkg/workflow/expressions.go @@ -328,10 +328,11 @@ func BuildActionEquals(action string) *ComparisonNode { // BuildNotFromFork creates a condition to check that a pull request is not from a forked repository // This prevents the job from running on forked PRs where write permissions are not available +// Uses repository ID comparison instead of full name for more reliable matching func BuildNotFromFork() *ComparisonNode { return BuildEquals( - BuildPropertyAccess("github.event.pull_request.head.repo.full_name"), - BuildPropertyAccess("github.repository"), + BuildPropertyAccess("github.event.pull_request.head.repo.id"), + BuildPropertyAccess("github.repository_id"), ) } diff --git a/pkg/workflow/expressions_test.go b/pkg/workflow/expressions_test.go index 94794486c7..7735c9e8cd 100644 --- a/pkg/workflow/expressions_test.go +++ b/pkg/workflow/expressions_test.go @@ -153,7 +153,7 @@ func TestBuildReactionCondition(t *testing.T) { "github.event_name == 'discussion'", "github.event_name == 'discussion_comment'", "github.event_name == 'pull_request'", - "github.event.pull_request.head.repo.full_name == github.repository", + "github.event.pull_request.head.repo.id == github.repository_id", "&&", "||", } @@ -166,7 +166,7 @@ func TestBuildReactionCondition(t *testing.T) { // With the fork check, the pull_request condition should be more complex // It should contain both the event name check and the not-from-fork check - if !strings.Contains(rendered, "(github.event_name == 'pull_request') && (github.event.pull_request.head.repo.full_name == github.repository)") { + if !strings.Contains(rendered, "(github.event_name == 'pull_request') && (github.event.pull_request.head.repo.id == github.repository_id)") { t.Errorf("Expected pull_request condition to include fork check, but got: %s", rendered) } } @@ -976,7 +976,7 @@ func TestBuildNotFromFork(t *testing.T) { result := BuildNotFromFork() rendered := result.Render() - expected := "github.event.pull_request.head.repo.full_name == github.repository" + expected := "github.event.pull_request.head.repo.id == github.repository_id" if rendered != expected { t.Errorf("Expected '%s', got '%s'", expected, rendered) } diff --git a/pkg/workflow/schemas/github-workflow.json b/pkg/workflow/schemas/github-workflow.json index d6fe925d0c..6b93ceff0b 100644 --- a/pkg/workflow/schemas/github-workflow.json +++ b/pkg/workflow/schemas/github-workflow.json @@ -1313,40 +1313,6 @@ }, "paths-ignore": { "$ref": "#/definitions/path" - }, - "draft": { - "type": "boolean", - "description": "Filter pull requests by draft status. When true, only draft PRs trigger the workflow. When false, only non-draft PRs trigger the workflow. If not specified, both draft and non-draft PRs trigger the workflow." - }, - "forks": { - "oneOf": [ - { - "type": "string", - "description": "Filter pull requests from forked repositories. Use '*' to allow all forks, or specify a repository pattern (e.g., 'org/*' or 'org/repo'). Default behavior (when not specified): only same-repo PRs are allowed (forks are disallowed by default)." - }, - { - "type": "array", - "items": { - "type": "string" - }, - "description": "Filter pull requests from forked repositories. Provide a list of allowed repository patterns (e.g., ['org/*', 'org/repo']). Use ['*'] to allow all forks, or [] to allow only same-repo PRs. Default behavior (when not specified): only same-repo PRs are allowed (forks are disallowed by default)." - } - ] - }, - "names": { - "oneOf": [ - { - "type": "string", - "description": "Filter labeled/unlabeled events by label name. Only triggers when the specified label is added or removed." - }, - { - "type": "array", - "items": { - "type": "string" - }, - "description": "Filter labeled/unlabeled events by label names. Only triggers when one of the specified labels is added or removed." - } - ] } }, "additionalProperties": false