Add pre-emptive guard coverage for 5 workflow run cancel/rerun operations

[Copilot]

Neither cancel_* nor rerun_* are recognized prefix patterns in tools.rs, so future MCP tools for gh run cancel and gh run rerun would fall through to default handling, bypassing DIFC write-operation classification.

Changes

• tools.rs — Add 5 pre-emptive entries to WRITE_OPERATIONS:

  "cancel_workflow_run",       // gh run cancel
  "force_cancel_workflow_run", // gh run cancel --force
  "rerun_workflow_run",        // gh run rerun
  "rerun_failed_jobs",         // gh run rerun --failed
  "rerun_workflow_job",        // gh run rerun --job

• tool_rules.rs — Add match arm for all 5 operations following the actions_run_trigger pattern: repo-visibility secrecy + writer integrity:

  "cancel_workflow_run"
  | "force_cancel_workflow_run"
  | "rerun_workflow_run"
  | "rerun_failed_jobs"
  | "rerun_workflow_job" => {
      secrecy = apply_repo_visibility_secrecy(&owner, &repo, repo_id, secrecy, ctx);
      integrity = writer_integrity(repo_id, ctx);
  }

• labels/mod.rs — Tests asserting writer integrity for all 5 new operations via apply_tool_labels.

[Copilot]

Pull request overview

This PR extends the GitHub Guard DIFC labeling rules to proactively classify upcoming gh run cancel / gh run rerun MCP tool operations as write operations, ensuring they receive repo-visibility secrecy and writer integrity (rather than falling through to default handling).

Changes:

• Added five workflow run cancel/rerun operation names to WRITE_OPERATIONS in tools.rs.
• Added a apply_tool_labels match arm in tool_rules.rs to apply repo-visibility secrecy + writer integrity for the five new operations.
• Added unit tests in tools.rs and labels/mod.rs to assert the new operations are treated as writes and receive writer integrity.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File	Description
guards/github-guard/rust-guard/src/tools.rs	Classifies workflow run cancel/rerun operations as write operations and tests the classification.
guards/github-guard/rust-guard/src/labels/tool_rules.rs	Applies repo-scoped secrecy + writer integrity labeling for the new actions operations.
guards/github-guard/rust-guard/src/labels/mod.rs	Adds tests asserting writer integrity for the new operations via apply_tool_labels.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.