Skip to content

Lock in tag-scoped on.push as a valid scoped trigger#45362

Merged
pelikhan merged 3 commits into
mainfrom
copilot/aw-compat-fix-tag-push-validation
Jul 14, 2026
Merged

Lock in tag-scoped on.push as a valid scoped trigger#45362
pelikhan merged 3 commits into
mainfrom
copilot/aw-compat-fix-tag-push-validation

Conversation

Copilot AI commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Tag-only push triggers were being reported as unscoped in cross-repo compatibility auditing, even though on.push.tags is a valid ref-scoped trigger and should not require branch filters. This surfaced against first-party release workflows and exposed a gap between the scope validator and the existing filter validation logic.

  • Scope validation

    • Align push-scope messaging with actual accepted ref filters by treating push scoping as branch or tag based, not branch-only.
    • Update nearby validator/orchestrator wording so errors and logs describe the accepted scope correctly.
  • Regression coverage

    • Add unit coverage for:
      • on.push.tags
      • on.push.tags-ignore
    • Add compile-level coverage proving a tag-scoped workflow compiles without surfacing an unscoped-push warning.
  • Why this matters

    • Preserves standard release workflow patterns such as:
on:
  push:
    tags:
      - 'v*.*.*'
  • Prevents future regressions where tag-scoped release workflows are misclassified as branch-unscoped fan-out triggers.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix validation for tag-scoped on.push.tags trigger Lock in tag-scoped on.push as a valid scoped trigger Jul 14, 2026
Copilot AI requested a review from pelikhan July 14, 2026 03:23
@pelikhan pelikhan marked this pull request as ready for review July 14, 2026 06:59
Copilot AI review requested due to automatic review settings July 14, 2026 06:59
@github-actions

github-actions Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

PR Code Quality Reviewer completed the code quality review.

@github-actions

github-actions Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅

@github-actions

github-actions Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Design Decision Gate 🏗️ completed the design decision gate check.

No ADR enforcement needed: PR does not have the 'implementation' label and has ≤100 new lines of code in business logic directories (48 additions detected across 4 files).

@github-actions

github-actions Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Test Quality Sentinel completed test quality analysis.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes cross-repo scope auditing/validation for GitHub Actions on.push by treating tag-scoped push triggers (on.push.tags / on.push.tags-ignore) as valid “scoped” triggers (not “unscoped”), and updates related logs/tests to prevent regressions.

Changes:

  • Expand push-scope validation to consider tags / tags-ignore as valid ref scoping (in addition to branches / branches-ignore).
  • Update orchestrator/validator log wording to consistently describe “branch/tag” scoping.
  • Add regression tests covering tag-scoped push filters (unit-level and compile-level).
Show a summary per file
File Description
pkg/workflow/push_branch_scope_test.go Adds compile-level coverage that tag-scoped push workflows compile cleanly (no unscoped warning/error).
pkg/workflow/compiler_orchestrator_frontmatter.go Updates strict/non-strict logging to reflect branch-or-tag scoping.
pkg/workflow/compiler_filters_validation.go Updates push-scope validation messaging and accepts tag ref filters as scoping.
pkg/workflow/compiler_filters_validation_test.go Adds unit tests ensuring tags and tags-ignore are treated as scoped push filters.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 4/4 changed files
  • Comments generated: 2
  • Review effort level: Low

Comment on lines 91 to +95
// ValidatePushBranchScope ensures that any push event in the on: section specifies a
// branches or branches-ignore filter. An unscoped push trigger fires on every push to
// every branch, which causes unintended workflow fan-out on feature branches (the
// workflows activate immediately after new lock files are first pushed to the branch,
// producing zero-turn failures for every agentic workflow in the repository).
// branch or tag ref filter. An unscoped push trigger fires on every push to every
// branch, which causes unintended workflow fan-out on feature branches (the workflows
// activate immediately after new lock files are first pushed to the branch, producing
// zero-turn failures for every agentic workflow in the repository).

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated in c975eda: the ValidatePushBranchScope doc comment now states that unscoped push fires for both branches and tags.

Comment on lines 143 to 145
"push (no branch or tag filter)",
"push event must specify a 'branches', 'branches-ignore', 'tags', or 'tags-ignore' filter; an unscoped push trigger fires on every push to every branch and causes unintended workflow fan-out on feature branches",
"Add a branch or tag filter to the push trigger:\n\non:\n push:\n branches:\n - main",

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated in c975eda: the validation error message now says unscoped push applies to every branch and tag, not branches only.

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review: Lock in tag-scoped on.push as a valid scoped trigger

The fix is correct and complete.

What was wrong: The validation logic already accepted tags/tags-ignore filters in the map lookup, but the surrounding comments, log messages, and error messages all said "branch" only — creating a confusing mismatch between behaviour and documentation.

What changed:

  • Comment, log, and error message wording updated to say "branch or tag" throughout
  • Two new unit test cases added for tags and tags-ignore filters
  • One compile-level test added confirming tag-scoped workflows pass without warnings

No logic bugs, no security concerns, no regressions. The changes are minimal, focused, and well-tested.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • proxy.golang.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "proxy.golang.org"

See Network Configuration for more information.

🧵 Reviewed using Impeccable skills by Impeccable Skills Reviewer · 16.4 AIC · ⌖ 4.96 AIC · ⊞ 4.8K

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Skills-Based Review 🧠

Applied /codebase-design — changes are accurate and well-tested; approving with one minor suggestion.

📋 Key Themes & Highlights

Key Themes

  • Correct scope fix: tags and tags-ignore are now recognised as valid ref-scope filters. The logic at lines 126-134 of compiler_filters_validation.go was already handling tags correctly; this PR aligns all messaging and documentation to match.
  • Good regression coverage: both unit table-driven cases and the compile-level integration case are included.

One Minor Suggestion

  • The remediation hint in newUnScopedPushError still shows only a branches example (see inline comment). Adding a short tags example would make the hint consistent with the expanded accepted scope.

Positive Highlights

  • ✅ Minimal, surgical diff — only wording changes, no logic changes
  • ✅ Test names read as specifications
  • ✅ PR description clearly explains the motivation

🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · 19.2 AIC · ⌖ 4.44 AIC · ⊞ 6.6K
Comment /matt to run again

"push (no branch filter)",
"push (no branch or tag filter)",
"push event must specify a 'branches', 'branches-ignore', 'tags', or 'tags-ignore' filter; an unscoped push trigger fires on every push to every branch and causes unintended workflow fan-out on feature branches",
"Add a branch or tag filter to the push trigger:\n\non:\n push:\n branches:\n - main",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[/codebase-design] The hint example only shows a branches filter, but now that tags and tags-ignore are first-class accepted filters, users hitting this error for a tag-only workflow won't see the idiomatic pattern.

💡 Suggested addition
"Add a branch or tag filter to the push trigger:\n\non:\n  push:\n    branches:\n      - main\n\n# or for tag-based releases:\n\non:\n  push:\n    tags:\n      - 'v*.*.*'\n",

A short tags example alongside the branches example keeps the hint aligned with the now-expanded accepted scope.

@copilot please address this.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated in c975eda: the remediation hint now includes both a branch-scoped example and a tag-scoped release example (on.push.tags).

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The functional fix is correct — adding tags and tags-ignore to the scope check (lines 126–134) is the right change, and the tests cover the new cases well.

The two existing review comments capture the only remaining issue: the newUnScopedPushError() message still describes the problem in branch-only terms, which will confuse users whose tag-scoped push is flagged as unscoped. Once that message is updated to mention both branches and tags, this PR is ready.

🔎 Code quality review by PR Code Quality Reviewer · 22.8 AIC · ⌖ 4.29 AIC · ⊞ 5.4K
Comment /review to run again

@github-actions

Copy link
Copy Markdown
Contributor

🧪 Test Quality Sentinel Report

Test Quality Score: 80/100 — Acceptable

Analyzed 3 test(s): 3 design, 0 implementation, 0 violation(s).

📊 Metrics (3 tests)
Metric Value
Analyzed 3 (Go: 3, JS: 0)
✅ Design 3 (100%)
⚠️ Implementation 0 (0%)
Edge/error coverage 3 (100%)
Duplicate clusters 0
Inflation YES (5.43:1 ratio)
🚨 Violations 0
Test File Classification Issues
push with tags filter compiler_filters_validation_test.go:388 behavioral_contract, high_value, design_test None
push with tags-ignore filter compiler_filters_validation_test.go:399 behavioral_contract, high_value, design_test None
scoped push with tags in strict mode is allowed push_branch_scope_test.go:74 behavioral_contract, high_value, design_test None
⚠️ Test Inflation Details

Ratio: 5.43:1 (38 test lines added vs. 7 production lines added)

  • compiler_filters_validation_test.go: +22 lines vs. compiler_filters_validation.go: +7 lines → 3.14:1 ratio
  • push_branch_scope_test.go: +16 lines (new test file, no corresponding prod file)

The inflation exceeds the 2:1 threshold. However, the added tests are necessary and well-structured table-driven cases for the new tag-scoped push trigger support.

Verdict

Passed. 0% implementation tests (threshold: 30%). All tests verify design contracts and behavioral guarantees for the new tag-scoped on.push trigger feature. No coding guideline violations detected.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🧪 Test quality analysis by Test Quality Sentinel · 18.3 AIC · ⌖ 6.93 AIC · ⊞ 6.8K ·
Comment /review to run again

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Test Quality Sentinel: 80/100. 0% implementation tests (threshold: 30%). All tests verify design contracts and behavioral guarantees for the new tag-scoped on.push trigger feature.

@pelikhan

Copy link
Copy Markdown
Collaborator

@copilot run pr-finisher skill

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jul 14, 2026

Copy link
Copy Markdown
Contributor Author

@copilot run pr-finisher skill

Ran pr-finisher pass and pushed c975eda. Addressed all in-scope review feedback with replies, ran local validation (make fmt, make lint, make recompile pass; make test-unit/make test still fail on pre-existing host-dependent tests), and CI on this new head needs maintainer re-trigger.

@pelikhan pelikhan merged commit 4d4e28b into main Jul 14, 2026
42 checks passed
@pelikhan pelikhan deleted the copilot/aw-compat-fix-tag-push-validation branch July 14, 2026 08:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[aw-compat] Tag-scoped on.push.tags false-flagged as unscoped push (breaks first-party gh-aw-mcpg/release.md)

3 participants