From fe10b555bb38545a7e83ddb5467c47ed4fa759fe Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 19 Mar 2026 15:06:36 +0000
Subject: [PATCH 1/2] Initial plan
From 5b00551bc27bfa29bfe9827b99e3bddd0d049789 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 19 Mar 2026 15:13:24 +0000
Subject: [PATCH 2/2] rust-guard: remove dead params from issue_integrity + fix heap-alloc string comparison
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
---
 .../rust-guard/src/labels/helpers.rs | 2 --
 .../github-guard/rust-guard/src/labels/mod.rs | 31 ++++++-------------
 .../rust-guard/src/labels/response_items.rs | 3 --
 .../rust-guard/src/labels/response_paths.rs | 4 --
 .../rust-guard/src/labels/tool_rules.rs | 6 ++--
 5 files changed, 14 insertions(+), 32 deletions(-)
diff --git a/guards/github-guard/rust-guard/src/labels/helpers.rs b/guards/github-guard/rust-guard/src/labels/helpers.rs
index 047058ed..7a924a60 100644
--- a/guards/github-guard/rust-guard/src/labels/helpers.rs
+++ b/guards/github-guard/rust-guard/src/labels/helpers.rs
@@ -812,8 +812,6 @@ pub fn pr_integrity(
 pub fn issue_integrity(
 item: &Value,
 repo_full_name: &str,
- _owner: &str,
- _repo: &str,
 repo_private: bool,
 ctx: &PolicyContext,
 ) -> Vec {
diff --git a/guards/github-guard/rust-guard/src/labels/mod.rs b/guards/github-guard/rust-guard/src/labels/mod.rs
index dfc30f19..c8094e08 100644
--- a/guards/github-guard/rust-guard/src/labels/mod.rs
+++ b/guards/github-guard/rust-guard/src/labels/mod.rs
@@ -729,15 +729,13 @@ mod tests {
 fn test_issue_integrity() {
 let ctx = default_ctx();
 let repo = "github/copilot";
- let owner = "github";
- let repo_name = "copilot";
 // Private repo issues get approved integrity
 let bot_issue = json!({
 "user": {"login": "dependabot[bot]"}
 });
 assert_eq!(
- issue_integrity(&bot_issue, repo, owner, repo_name, true, &ctx),
+ issue_integrity(&bot_issue, repo, true, &ctx),
 writer_integrity(repo, &ctx)
 );
@@ -746,7 +744,7 @@ mod tests {
 "user": {"login": "github"}
 });
 assert_eq!(
- issue_integrity(&owner_issue, repo, owner, repo_name, false, &ctx),
+ issue_integrity(&owner_issue, repo, false, &ctx),
 none_integrity(repo, &ctx)
 );
@@ -755,28 +753,21 @@ mod tests {
 "user": {"login": "someone"}
 });
 assert_eq!(
- issue_integrity(&issue, "", "", "", false, &ctx),
+ issue_integrity(&issue, "", false, &ctx),
 none_integrity("", &ctx)
 );
 // Public issue with OWNER association retains approved floor
 let owner_assoc_issue = json!({"author_association": "OWNER"});
 assert_eq!(
- issue_integrity(&owner_assoc_issue, repo, owner, repo_name, false, &ctx),
+ issue_integrity(&owner_assoc_issue, repo, false, &ctx),
 writer_integrity(repo, &ctx)
 );
 // Public issue with CONTRIBUTOR association gets unapproved floor
 let contributor_assoc_issue = json!({"author_association": "CONTRIBUTOR"});
 assert_eq!(
- issue_integrity(
- &contributor_assoc_issue,
- repo,
- owner,
- repo_name,
- false,
- &ctx
- ),
+ issue_integrity(&contributor_assoc_issue, repo, false, &ctx),
 reader_integrity(repo, &ctx)
 );
 }
@@ -857,8 +848,6 @@ mod tests {
 fn test_trusted_bot_issue_integrity_public_repo() {
 let ctx = default_ctx();
 let repo = "github/copilot";
- let owner = "github";
- let repo_name = "copilot";
 // Trusted bot issue on public repo gets approved (writer) integrity
 // even though author_association is NONE
@@ -867,7 +856,7 @@ mod tests {
 "author_association": "NONE"
 });
 assert_eq!(
- issue_integrity(&dependabot_issue, repo, owner, repo_name, false, &ctx),
+ issue_integrity(&dependabot_issue, repo, false, &ctx),
 writer_integrity(repo, &ctx)
 );
@@ -876,7 +865,7 @@ mod tests {
 "author_association": "NONE"
 });
 assert_eq!(
- issue_integrity(&actions_issue, repo, owner, repo_name, false, &ctx),
+ issue_integrity(&actions_issue, repo, false, &ctx),
 writer_integrity(repo, &ctx)
 );
@@ -884,7 +873,7 @@ mod tests {
 "user": {"login": "github-merge-queue[bot]"}
 });
 assert_eq!(
- issue_integrity(&merge_queue_issue, repo, owner, repo_name, false, &ctx),
+ issue_integrity(&merge_queue_issue, repo, false, &ctx),
 writer_integrity(repo, &ctx)
 );
@@ -893,7 +882,7 @@ mod tests {
 "author_association": "NONE"
 });
 assert_eq!(
- issue_integrity(&copilot_issue, repo, owner, repo_name, false, &ctx),
+ issue_integrity(&copilot_issue, repo, false, &ctx),
 writer_integrity(repo, &ctx)
 );
@@ -903,7 +892,7 @@ mod tests {
 "author_association": "NONE"
 });
 assert_eq!(
- issue_integrity(&renovate_issue, repo, owner, repo_name, false, &ctx),
+ issue_integrity(&renovate_issue, repo, false, &ctx),
 none_integrity(repo, &ctx)
 );
 }
diff --git a/guards/github-guard/rust-guard/src/labels/response_items.rs b/guards/github-guard/rust-guard/src/labels/response_items.rs
index 1d77d4a1..6676bef2 100644
--- a/guards/github-guard/rust-guard/src/labels/response_items.rs
+++ b/guards/github-guard/rust-guard/src/labels/response_items.rs
@@ -205,13 +205,10 @@ pub fn label_response_items(
 let repo_private = repo_visibility_private_for_repo_id(&repo_full_name)
 .unwrap_or(default_repo_private);
- let repo_owner = repo_full_name.split('/').next().unwrap_or("");
 let number = item.get("number").and_then(|v| v.as_i64()).unwrap_or(0);
 let integrity = issue_integrity(
 item,
 &repo_full_name,
- repo_owner,
- &arg_repo,
 repo_private,
 ctx,
 );
diff --git a/guards/github-guard/rust-guard/src/labels/response_paths.rs b/guards/github-guard/rust-guard/src/labels/response_paths.rs
index 477a694b..ed927b32 100644
--- a/guards/github-guard/rust-guard/src/labels/response_paths.rs
+++ b/guards/github-guard/rust-guard/src/labels/response_paths.rs
@@ -221,8 +221,6 @@ pub fn label_response_paths(
 &item_repo
 };
- // Extract owner from repo for owner check
- let owner = repo_for_labels.split('/').next().unwrap_or("");
 let item_repo_private = repo_visibility_private_for_repo_id(repo_for_labels)
 .unwrap_or(default_repo_private);
@@ -230,8 +228,6 @@ pub fn label_response_paths(
 let integrity = issue_integrity(
 item,
 repo_for_labels,
- owner,
- &arg_repo,
 item_repo_private,
 ctx,
 );
diff --git a/guards/github-guard/rust-guard/src/labels/tool_rules.rs b/guards/github-guard/rust-guard/src/labels/tool_rules.rs
index b1006bb0..c2b2b6f3 100644
--- a/guards/github-guard/rust-guard/src/labels/tool_rules.rs
+++ b/guards/github-guard/rust-guard/src/labels/tool_rules.rs
@@ -277,8 +277,10 @@ pub fn apply_tool_labels(
 // Additional secrecy checks for workflow files
 if tool_name == "actions_get"
- && tool_args.get("method")
- == Some(&Value::String("download_workflow_run_artifact".to_string()))
+ && tool_args
+ .get("method")
+ .and_then(|v| v.as_str())
+ == Some("download_workflow_run_artifact")
 {
 // Artifacts may contain secrets
 secrecy = secret_label();
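Review bot: In the tool_rules.rs hunk, the comment above the condition says "workflow files", but the branch raises secrecy only for `actions_get` calls whose `method` is exactly `download_workflow_run_artifact`, so the comment does not describe what the guard enforces. With the new `.and_then(|v| v.as_str())` form, a missing or non-string `method` still leaves `secrecy` unchanged, as it did before; that fall-through is worth writing down because this label decides whether artifact contents are treated as secret. I would replace the comment with `// Artifact downloads may contain secrets; any other, missing or non-string "method" leaves secrecy unchanged`. No test in this patch exercises the branch, so unless one exists elsewhere, a unit test pinning both the matching call and the non-string `method` case would guard the rewrite. The body of `apply_tool_labels` starts and continues outside this hunk.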