Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 14 additions & 0 deletions pkg/parser/schemas/main_workflow_schema.json
Original file line number Diff line number Diff line change
Expand Up @@ -5584,6 +5584,13 @@
"github-token": {
"$ref": "#/$defs/github_token",
"description": "GitHub token to use for this specific output type. Overrides global github-token if specified."
},
"allowed-repos": {
"type": "array",
"items": {
"type": "string"
},
"description": "List of additional repositories in format 'owner/repo' that labels can be removed from. When specified, the agent can use a 'repo' field in the output to specify which repository to remove labels from. The target repository (current or target-repo) is always implicitly allowed."
Comment on lines +5588 to +5593
Copy link

Copilot AI Feb 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The schema changes correctly add allowed-repos to the JSON schema, which will allow the YAML to compile and the field will be parsed into the Go structs via the embedded SafeOutputTargetConfig. However, the runtime configuration generation in pkg/workflow/safe_outputs_config_generation.go does not emit these fields to the handler configuration in config.json / GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG.

Specifically, lines 285-289 use generateMaxWithAllowedConfig for remove_labels, which only includes max and allowed fields. This means the following fields from SafeOutputTargetConfig will be missing from the runtime config:

  • target (already in schema)
  • target-repo (already in schema)
  • allowed-repos (newly added in this PR)

Additionally, the blocked field (also in the Go struct and schema) is not being emitted.

For remove_labels to work correctly with all its schema-defined fields, the config generation should be updated to use generateTargetConfigWithRepos like add_labels does (lines 272-282). The same pattern should include blocked in additionalFields.

Without this fix, allowed-repos will compile without errors but won't be included in the runtime configuration, rendering the feature non-functional.

This issue also appears on line 5839 of the same file.

Copilot uses AI. Check for mistakes.
}
},
"additionalProperties": false
Expand Down Expand Up @@ -5828,6 +5835,13 @@
"github-token": {
"$ref": "#/$defs/github_token",
"description": "GitHub token to use for this specific output type. Overrides global github-token if specified."
},
"allowed-repos": {
"type": "array",
"items": {
"type": "string"
},
"description": "List of allowed repositories in format 'owner/repo' for cross-repository user assignment operations. Use with 'repo' field in tool calls."
}
},
"additionalProperties": false
Expand Down
4 changes: 0 additions & 4 deletions pkg/workflow/schemas/github-workflow.json
Original file line number Diff line number Diff line change
Expand Up @@ -171,10 +171,6 @@
"checks": {
"$ref": "#/definitions/permissions-level"
},
Comment on lines 171 to 173
Copy link

Copilot AI Feb 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The removal of the copilot-requests permission from the GitHub workflow schema is unrelated to the stated purpose of this PR, which is to add allowed-repos to remove-labels and assign-to-user schema. While the changeset .changeset/patch-merge-detection-job.md indicates this removal is intentional ("removed the unused copilot-requests permission schema entry"), this change should ideally be in a separate PR focused on that specific cleanup to maintain clear PR scope and make reviews easier.

Copilot uses AI. Check for mistakes.
"copilot-requests": {
"type": "string",
"enum": ["write", "none"]
},
"contents": {
"$ref": "#/definitions/permissions-level"
},
Expand Down