Skip to content

fix(schema): add allowed-repos to remove-labels and assign-to-user schema #18132

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
pelikhan merged 3 commits into from
Feb 24, 2026
Merged

fix(schema): add allowed-repos to remove-labels and assign-to-user schema #18132

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
fd72020
Initial plan
Copilot Feb 24, 2026
90a354f
Initial plan for fixing allowed-repos schema gap
Copilot Feb 24, 2026
5e61475
fix(schema): add allowed-repos to remove-labels and assign-to-user sc…
Copilot Feb 24, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 14 additions & 0 deletions pkg/parser/schemas/main_workflow_schema.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5584,6 +5584,13 @@
"github-token": {
"$ref": "#/$defs/github_token",
"description": "GitHub token to use for this specific output type. Overrides global github-token if specified."
},
"allowed-repos": {
"type": "array",
"items": {
"type": "string"
},
"description": "List of additional repositories in format 'owner/repo' that labels can be removed from. When specified, the agent can use a 'repo' field in the output to specify which repository to remove labels from. The target repository (current or target-repo) is always implicitly allowed."
Comment on lines +5588 to +5593
Copy link

Copilot AI Feb 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The schema changes correctly add allowed-repos to the JSON schema, which will allow the YAML to compile and the field will be parsed into the Go structs via the embedded SafeOutputTargetConfig. However, the runtime configuration generation in pkg/workflow/safe_outputs_config_generation.go does not emit these fields to the handler configuration in config.json / GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG.

Specifically, lines 285-289 use generateMaxWithAllowedConfig for remove_labels, which only includes max and allowed fields. This means the following fields from SafeOutputTargetConfig will be missing from the runtime config:

  • target (already in schema)
  • target-repo (already in schema)
  • allowed-repos (newly added in this PR)

Additionally, the blocked field (also in the Go struct and schema) is not being emitted.

For remove_labels to work correctly with all its schema-defined fields, the config generation should be updated to use generateTargetConfigWithRepos like add_labels does (lines 272-282). The same pattern should include blocked in additionalFields.

Without this fix, allowed-repos will compile without errors but won't be included in the runtime configuration, rendering the feature non-functional.

This issue also appears on line 5839 of the same file.

Copilot uses AI. Check for mistakes.
}
},
"additionalProperties": false
Expand Down Expand Up @@ -5828,6 +5835,13 @@
"github-token": {
"$ref": "#/$defs/github_token",
"description": "GitHub token to use for this specific output type. Overrides global github-token if specified."
},
"allowed-repos": {
"type": "array",
"items": {
"type": "string"
},
"description": "List of allowed repositories in format 'owner/repo' for cross-repository user assignment operations. Use with 'repo' field in tool calls."
}
},
"additionalProperties": false
Expand Down
4 changes: 0 additions & 4 deletions pkg/workflow/schemas/github-workflow.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -171,10 +171,6 @@
"checks": {
"$ref": "#/definitions/permissions-level"
},
Comment on lines 171 to 173
Copy link

Copilot AI Feb 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The removal of the copilot-requests permission from the GitHub workflow schema is unrelated to the stated purpose of this PR, which is to add allowed-repos to remove-labels and assign-to-user schema. While the changeset .changeset/patch-merge-detection-job.md indicates this removal is intentional ("removed the unused copilot-requests permission schema entry"), this change should ideally be in a separate PR focused on that specific cleanup to maintain clear PR scope and make reviews easier.

Copilot uses AI. Check for mistakes.
"copilot-requests": {
"type": "string",
"enum": ["write", "none"]
},
"contents": {
"$ref": "#/definitions/permissions-level"
},
Expand Down