Skip to content

Add comprehensive strict mode reference documentation #4224

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
pelikhan merged 2 commits into from
Nov 17, 2025
Merged

Add comprehensive strict mode reference documentation #4224

pelikhan merged 2 commits into from
Nov 17, 2025

Conversation

Copy link
Contributor

Copilot AI commented Nov 17, 2025
edited
Loading

Strict mode enforcement was documented in the security guide but lacked detailed reference documentation explaining the CLI flag, frontmatter field relationship, and complete constraint list.

Changes

Reference Documentation (frontmatter.md)

  • Expanded strict mode section with all 6 enforcement areas:
    1. Write permissions (requires safe-outputs)
    2. Network configuration (explicit required)
    3. Network wildcards (no * allowed)
    4. MCP network (containers need config)
    5. Action pinning (SHA required)
    6. Deprecated fields (refused)
  • Clarified CLI flag vs frontmatter field: CLI takes precedence, frontmatter cannot disable when CLI flag set
  • Added cross-references to CLI and security documentation

CLI Documentation (cli.md)

  • Added dedicated --strict flag section under compile command
  • Documented precedence: CLI flag applies to all workflows, cannot be overridden per-workflow
  • Included usage examples: 
    gh aw compile --strict
gh aw compile --strict --zizmor
gh aw compile --validate --strict

Security Guide (security.md)

  • Updated enforcement areas list to match reference docs (added action pinning and deprecated fields)
  • Added cross-reference to CLI documentation

All three files now consistently document the same 6 enforcement areas found in pkg/workflow/strict_mode_validation.go.

Addresses #4177

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • telemetry.astro.build
    • Triggering command: node /home/REDACTED/work/gh-aw/gh-aw/docs/node_modules/.bin/astro build (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details on the original issue you should resolve

<issue_title>[task] Add strict-mode reference documentation in frontmatter.md</issue_title>
<issue_description>## Objective
Add comprehensive reference documentation for the strict-mode CLI feature in the frontmatter reference guide.

Context

The schema consistency audit (Discussion #4177) found that while strict-mode is mentioned in guides/security.md, it lacks detailed documentation in the reference documentation. Users need clear guidance on what strict mode does and how to use it.

Related to #4177

Current State

  • Brief mention: docs/src/content/docs/guides/security.md:124-126
  • Missing from: docs/src/content/docs/reference/frontmatter.md
  • Missing from: docs/src/content/docs/setup/cli.md (CLI reference)

Proposed Approach

Add a dedicated section in the appropriate documentation file(s):

  1. In frontmatter.md - Add note that this is CLI-only in the "Agentic Workflow Specific Fields" section
  2. In cli.md - Document the --strict flag with full details

Suggested Content Structure

### Strict Mode (CLI-only)

Strict mode enforces enhanced security and validation rules during compilation. Enable via CLI flag:

\`\`\`bash
gh aw compile --strict
\`\`\`

**Enforcement Areas:**
- **Action Pinning**: Requires all GitHub Actions to be pinned to specific commit SHAs
- **Network Permissions**: Requires explicit network configuration (no implicit defaults)
- **Write Permissions**: Requires use of safe-outputs for GitHub API write operations
- **Bash Tool Restrictions**: Restricts wildcard usage in bash tool configurations

**Note**: Strict mode is a CLI-only feature and cannot be configured in workflow frontmatter.

Files to Modify

  • docs/src/content/docs/reference/frontmatter.md - Add CLI-only features note
  • docs/src/content/docs/setup/cli.md - Add --strict flag documentation
  • Consider adding to docs/src/content/docs/guides/security.md - Expand existing mention

Acceptance Criteria

  • Reference documentation includes strict-mode section
  • Documentation clearly states it's CLI-only
  • All four enforcement areas are documented
  • Examples show CLI usage: gh aw compile --strict
  • Cross-references to related security guide sections
  • Follows Diátaxis framework (reference style)

Related Files

Implementation references:

AI generated by Plan Command for discussion #4177</issue_description>

Comments on the Issue (you are @copilot in this section)

@pelikhan @copilot the strict mode should be equivalent to the "strict" flag in the schema.

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

@pelikhan
Add comprehensive strict mode reference documentation
700ae10 
- Enhanced frontmatter.md: Added detailed enforcement areas section with 6 specific constraints
- Expanded CLI.md: Added dedicated --strict flag section with examples and precedence rules
- Updated security.md: Aligned enforcement areas list with other documentation
- All three docs now consistently document all 6 enforcement areas:
  1. Write permissions (use safe-outputs instead)
  2. Network configuration (explicit required)
  3. Network wildcards (no * allowed)
  4. MCP network (containers need network config)
  5. Action pinning (SHA pinning required)
  6. Deprecated fields (not allowed)
- Added cross-references between frontmatter, CLI, and security docs
- Clarified CLI flag vs frontmatter field relationship and precedence
- Documentation builds successfully without errors

Addresses #4177

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Add strict-mode reference documentation in frontmatter.md Add comprehensive strict mode reference documentation Nov 17, 2025
Copilot AI requested a review from pelikhan November 17, 2025 21:58
@pelikhan pelikhan marked this pull request as ready for review November 17, 2025 22:47
Copilot AI review requested due to automatic review settings November 17, 2025 22:47
@pelikhan pelikhan merged commit c5df8f0 into main Nov 17, 2025
4 checks passed
@pelikhan pelikhan deleted the copilot/add-strict-mode-documentation branch November 17, 2025 22:47
Copilot AI reviewed Nov 17, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds comprehensive reference documentation for strict mode across three documentation files. The changes expand the brief mentions of strict mode into detailed sections that explain the CLI flag, frontmatter field relationship, and complete list of enforcement areas.

Key Changes:

  • Expanded strict mode documentation with detailed enforcement areas (write permissions, network configuration, wildcards, MCP network, action pinning, deprecated fields)
  • Clarified CLI flag vs frontmatter field precedence relationships
  • Added cross-references between CLI, reference, and security documentation
  • Provided usage examples for the --strict flag

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File Description
docs/src/content/docs/setup/cli.md Added dedicated --strict flag section with enforcement areas, precedence rules, examples, and cross-references
docs/src/content/docs/reference/frontmatter.md Expanded strict mode field documentation with detailed enforcement areas, enabling methods, and precedence explanation
docs/src/content/docs/guides/security.md Updated enforcement areas list to match reference docs and added CLI documentation cross-reference

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

docs/src/content/docs/reference/frontmatter.md
Comment on lines +198 to +201
5. **Action Pinning**: Enforces GitHub Actions to be pinned to specific commit SHAs instead of tags or branches.

6. **Deprecated Fields**: Refuses use of deprecated frontmatter fields.

Copy link

Copilot AI Nov 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The documentation lists "Action Pinning" as enforcement area #5, but action pinning is not validated in the validateStrictMode() function in strict_mode_validation.go. Instead, strict mode affects action pinning behavior indirectly through GetActionPinWithData() in action_pins.go (lines 121-127), which returns an error when an action cannot be pinned.

This enforcement happens during the compilation/pinning process, not as part of the centralized strict mode validation checks. The documentation should clarify that action pinning enforcement occurs during compilation, not as a validation check, or consider removing it from the "Enforcement Areas" list to accurately reflect what validateStrictMode() actually validates.

Suggested change
5. **Action Pinning**: Enforces GitHub Actions to be pinned to specific commit SHAs instead of tags or branches.
6. **Deprecated Fields**: Refuses use of deprecated frontmatter fields.
5. **Deprecated Fields**: Refuses use of deprecated frontmatter fields.
> **Note:** Strict mode also enforces that all GitHub Actions must be pinned to specific commit SHAs (not tags or branches). This enforcement occurs during the compilation process, not as part of the strict mode validation checks.

Copilot uses AI. Check for mistakes.
docs/src/content/docs/guides/security.md
Comment on lines +189 to +191
5. **Action Pinning**: Enforces GitHub Actions to be pinned to specific commit SHAs.
6. **Deprecated Fields**: Refuses use of deprecated frontmatter fields.

Copy link

Copilot AI Nov 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The documentation lists "Action Pinning" as enforcement area #5, but action pinning is not validated in the validateStrictMode() function in strict_mode_validation.go. Instead, strict mode affects action pinning behavior indirectly through GetActionPinWithData() in action_pins.go (lines 121-127), which returns an error when an action cannot be pinned.

This enforcement happens during the compilation/pinning process, not as part of the centralized strict mode validation checks. The documentation should clarify that action pinning enforcement occurs during compilation, not as a validation check, or consider removing it from the "Enforcement Areas" list to accurately reflect what validateStrictMode() actually validates.

Suggested change
5. **Action Pinning**: Enforces GitHub Actions to be pinned to specific commit SHAs.
6. **Deprecated Fields**: Refuses use of deprecated frontmatter fields.
5. **Deprecated Fields**: Refuses use of deprecated frontmatter fields.
> [!NOTE]
> **Action Pinning:**
> Action pinning (requiring GitHub Actions to be pinned to specific commit SHAs) is always enforced during the compilation process, not as part of strict mode validation. Strict mode may affect action pinning behavior, but the enforcement occurs during compilation, not as a strict mode validation check.

Copilot uses AI. Check for mistakes.
docs/src/content/docs/setup/cli.md
Comment on lines +165 to +167
5. **Action Pinning**: Enforces GitHub Actions to be pinned to specific commit SHAs.

6. **No Deprecated Fields**: Refuses deprecated frontmatter fields.
Copy link

Copilot AI Nov 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The documentation lists "Action Pinning" as enforcement area #5, but action pinning is not validated in the validateStrictMode() function in strict_mode_validation.go. Instead, strict mode affects action pinning behavior indirectly through GetActionPinWithData() in action_pins.go (lines 121-127), which returns an error when an action cannot be pinned.

This enforcement happens during the compilation/pinning process, not as part of the centralized strict mode validation checks. The documentation should clarify that action pinning enforcement occurs during compilation, not as a validation check, or consider removing it from the "Enforcement Areas" list to accurately reflect what validateStrictMode() actually validates.

Suggested change
5. **Action Pinning**: Enforces GitHub Actions to be pinned to specific commit SHAs.
6. **No Deprecated Fields**: Refuses deprecated frontmatter fields.
5. **No Deprecated Fields**: Refuses deprecated frontmatter fields.
**Note:** Action pinning (requiring all GitHub Actions to be pinned to specific commit SHAs) is always enforced during the compilation process. In strict mode, any unpinned actions will cause compilation to fail, but this is enforced during compilation/pinning, not as part of strict mode validation checks.

Copilot uses AI. Check for mistakes.
@github-actions github-actions bot mentioned this pull request Nov 18, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

+1 more reviewer

@pelikhan pelikhan pelikhan approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@pelikhan pelikhan

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[task] Add strict-mode reference documentation in frontmatter.md

2 participants

@pelikhan