github · lpcox · Mar 19, 2026 · Mar 19, 2026 · Mar 19, 2026
diff --git a/guards/github-guard/rust-guard/src/labels/helpers.rs b/guards/github-guard/rust-guard/src/labels/helpers.rs
@@ -812,8 +812,6 @@ pub fn pr_integrity(
 pub fn issue_integrity(
     item: &Value,
     repo_full_name: &str,
-    _owner: &str,
-    _repo: &str,
     repo_private: bool,
     ctx: &PolicyContext,
 ) -> Vec<String> {

diff --git a/guards/github-guard/rust-guard/src/labels/mod.rs b/guards/github-guard/rust-guard/src/labels/mod.rs
@@ -729,15 +729,13 @@ mod tests {
     fn test_issue_integrity() {
         let ctx = default_ctx();
         let repo = "github/copilot";
-        let owner = "github";
-        let repo_name = "copilot";
 
         // Private repo issues get approved integrity
         let bot_issue = json!({
             "user": {"login": "dependabot[bot]"}
         });
         assert_eq!(
-            issue_integrity(&bot_issue, repo, owner, repo_name, true, &ctx),
+            issue_integrity(&bot_issue, repo, true, &ctx),
             writer_integrity(repo, &ctx)
         );
 
@@ -746,7 +744,7 @@ mod tests {
             "user": {"login": "github"}
         });
         assert_eq!(
-            issue_integrity(&owner_issue, repo, owner, repo_name, false, &ctx),
+            issue_integrity(&owner_issue, repo, false, &ctx),
             none_integrity(repo, &ctx)
         );
 
@@ -755,28 +753,21 @@ mod tests {
             "user": {"login": "someone"}
         });
         assert_eq!(
-            issue_integrity(&issue, "", "", "", false, &ctx),
+            issue_integrity(&issue, "", false, &ctx),
             none_integrity("", &ctx)
         );
 
         // Public issue with OWNER association retains approved floor
         let owner_assoc_issue = json!({"author_association": "OWNER"});
         assert_eq!(
-            issue_integrity(&owner_assoc_issue, repo, owner, repo_name, false, &ctx),
+            issue_integrity(&owner_assoc_issue, repo, false, &ctx),
             writer_integrity(repo, &ctx)
         );
 
         // Public issue with CONTRIBUTOR association gets unapproved floor
         let contributor_assoc_issue = json!({"author_association": "CONTRIBUTOR"});
         assert_eq!(
-            issue_integrity(
-                &contributor_assoc_issue,
-                repo,
-                owner,
-                repo_name,
-                false,
-                &ctx
-            ),
+            issue_integrity(&contributor_assoc_issue, repo, false, &ctx),
             reader_integrity(repo, &ctx)
         );
     }
@@ -857,8 +848,6 @@ mod tests {
     fn test_trusted_bot_issue_integrity_public_repo() {
         let ctx = default_ctx();
         let repo = "github/copilot";
-        let owner = "github";
-        let repo_name = "copilot";
 
         // Trusted bot issue on public repo gets approved (writer) integrity
         // even though author_association is NONE
@@ -867,7 +856,7 @@ mod tests {
             "author_association": "NONE"
         });
         assert_eq!(
-            issue_integrity(&dependabot_issue, repo, owner, repo_name, false, &ctx),
+            issue_integrity(&dependabot_issue, repo, false, &ctx),
             writer_integrity(repo, &ctx)
         );
 
@@ -876,15 +865,15 @@ mod tests {
             "author_association": "NONE"
         });
         assert_eq!(
-            issue_integrity(&actions_issue, repo, owner, repo_name, false, &ctx),
+            issue_integrity(&actions_issue, repo, false, &ctx),
             writer_integrity(repo, &ctx)
         );
 
         let merge_queue_issue = json!({
             "user": {"login": "github-merge-queue[bot]"}
         });
         assert_eq!(
-            issue_integrity(&merge_queue_issue, repo, owner, repo_name, false, &ctx),
+            issue_integrity(&merge_queue_issue, repo, false, &ctx),
             writer_integrity(repo, &ctx)
         );
 
@@ -893,7 +882,7 @@ mod tests {
             "author_association": "NONE"
         });
         assert_eq!(
-            issue_integrity(&copilot_issue, repo, owner, repo_name, false, &ctx),
+            issue_integrity(&copilot_issue, repo, false, &ctx),
             writer_integrity(repo, &ctx)
         );
 
@@ -903,7 +892,7 @@ mod tests {
             "author_association": "NONE"
         });
         assert_eq!(
-            issue_integrity(&renovate_issue, repo, owner, repo_name, false, &ctx),
+            issue_integrity(&renovate_issue, repo, false, &ctx),
             none_integrity(repo, &ctx)
         );
     }

diff --git a/guards/github-guard/rust-guard/src/labels/response_items.rs b/guards/github-guard/rust-guard/src/labels/response_items.rs
@@ -205,13 +205,10 @@ pub fn label_response_items(
 
                 let repo_private = repo_visibility_private_for_repo_id(&repo_full_name)
                     .unwrap_or(default_repo_private);
-                let repo_owner = repo_full_name.split('/').next().unwrap_or("");
                 let number = item.get("number").and_then(|v| v.as_i64()).unwrap_or(0);
                 let integrity = issue_integrity(
                     item,
                     &repo_full_name,
-                    repo_owner,
-                    &arg_repo,
                     repo_private,
                     ctx,
                 );

diff --git a/guards/github-guard/rust-guard/src/labels/response_paths.rs b/guards/github-guard/rust-guard/src/labels/response_paths.rs
@@ -221,17 +221,13 @@ pub fn label_response_paths(
                         &item_repo
                     };
 
-                    // Extract owner from repo for owner check
-                    let owner = repo_for_labels.split('/').next().unwrap_or("");
                     let item_repo_private = repo_visibility_private_for_repo_id(repo_for_labels)
                         .unwrap_or(default_repo_private);
 
                     let issue_number = item.get("number").and_then(|v| v.as_u64()).unwrap_or(0);
                     let integrity = issue_integrity(
                         item,
                         repo_for_labels,
-                        owner,
-                        &arg_repo,
                         item_repo_private,
                         ctx,
                     );

diff --git a/guards/github-guard/rust-guard/src/labels/tool_rules.rs b/guards/github-guard/rust-guard/src/labels/tool_rules.rs
@@ -277,8 +277,10 @@ pub fn apply_tool_labels(
 
             // Additional secrecy checks for workflow files
             if tool_name == "actions_get"
-                && tool_args.get("method")
-                    == Some(&Value::String("download_workflow_run_artifact".to_string()))
+                && tool_args
+                    .get("method")
+                    .and_then(|v| v.as_str())
+                    == Some("download_workflow_run_artifact")
             {
                 // Artifacts may contain secrets
                 secrecy = secret_label();