Conversation
… segments Agent-Logs-Url: https://github.com/github/gh-aw-mcpg/sessions/2477f609-0fec-4df5-a908-631451c0f984 Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Consolidate duplicate granular-write match arms and fix path splitting
[rust-guard] Deduplicate granular repo-write tool labeling and avoid repeated path scans in file secrecy checks
Apr 16, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
This PR refactors GitHub Guard (Rust) labeling rules to remove duplicated repo-scoped write labeling logic and optimizes check_file_secrecy by splitting the path once and reusing the segments, while adding tests to lock in labeling behavior for granular PR update tools.
Changes:
- Consolidate multiple identical match arms for granular repo-scoped write tools into a single shared arm (same secrecy/integrity semantics).
- Optimize
check_file_secrecyby reusing pre-split, lowercased path segments instead of repeatedly splitting/traversing the path. - Add unit test coverage for granular PR update tools to ensure repo-scoped secrecy + writer-integrity behavior.
Show a summary per file
| File | Description |
|---|---|
| guards/github-guard/rust-guard/src/labels/tool_rules.rs | Deduplicates granular repo write labeling match arms and reduces repeated path scanning in check_file_secrecy. |
| guards/github-guard/rust-guard/src/labels/mod.rs | Adds unit test for granular update_pull_request_* tools’ integrity/secrecy labeling. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 2/2 changed files
- Comments generated: 1
Comment on lines
+4826
to
+4828
| assert_eq!(secrecy, vec![] as Vec<String>, "{tool} secrecy mismatch"); | ||
| assert_eq!(integrity, writer_integrity(repo_id, &ctx), "{tool} should have writer integrity"); | ||
| } |
There was a problem hiding this comment.
The failure messages use the literal string "{tool} ..."; assert_eq! won’t interpolate {tool} unless you pass it as a format argument. Consider using a formatted message (e.g., include tool as an argument) so failures clearly identify which tool name mismatched.
Address review feedback: replace implicit named captures ({tool}) with
explicit format arguments ({}, tool) in assert_eq! failure messages for
granular PR update and PR review tool tests.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This was referenced Apr 16, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
tool_rules.rshad four adjacent match arms (21 tools total) implementing the same repo-scoped write labeling, andcheck_file_secrecyrepeatedly re-scanned the same path string. This PR consolidates the duplicated labeling logic and reduces file-path traversal overhead in the secrecy check path.Tool labeling: consolidate duplicate granular write arms
S = S(repo),I = writer) while removing duplicated arm bodies.File secrecy: split once, reuse segments
check_file_secrecynow computes path segments once and reuses them for:split('/')/rsplit('/')traversals with a single split pass.Coverage update
update_pull_request_*) to lock in repo-scoped secrecy + writer-integrity behavior.Warning
Firewall rules blocked me from connecting to one or more addresses (expand for details)
I tried to connect to the following addresses, but was blocked by firewall rules:
example.com/tmp/go-build2652146382/b514/launcher.test /tmp/go-build2652146382/b514/launcher.test -test.testlogfile=/tmp/go-build2652146382/b514/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true g_.a -I x_amd64/vet --gdwarf-5 metadata -o IKHi8OnZxBbc -E .cfg 0887644/b299/ 64/pkg/tool/linux_amd64/vet -I . -imultiarch 64/pkg/tool/linu-buildtags(dns block)/tmp/go-build1987576926/b514/launcher.test /tmp/go-build1987576926/b514/launcher.test -test.testlogfile=/tmp/go-build1987576926/b514/testlog.txt -test.paniconexit0 -test.timeout=10m0s -gua�� -guard/target/debug/deps/rustcZYhlM6/symbols.o -guard/target/debug/deps/github_guard-57d41235e07a5585.0r6f2y9pmz8tylr32cgwnziux.0d7kehr.rcgu.o -guard/target/debug/deps/github_guard-57d41235e07a5585.0y8i0suihruczucboywd9kbz6.0d7kehr.rcgu.o -guard/target/degit -guard/target/deconfig -guard/target/deextensions.objectformat -guard/target/debug/deps/github_guard-57d41235e07a5585.1yg4dgf4ofc88gtczrpthgg1u.0d7kehr.rcgu.o -gua�� -guard/target/debug/deps/github_guard-57d41235e07a5585.2slqyghiy5vmlrtxer9j2lnp9.0d7kehr.rcgu.o -guard/target/debug/deps/github_guard-57d41235e07a5585.2z8afzdm9zucrirrh7hnf4z1l.0d7kehr.rcgu.o -guard/target/debug/deps/github_guard-57d41235e07a5585.34w8f3apoo4qlefxtp7qruodt.0d7kehr.rcgu.o -guard/target/de/tmp/go-build1987576926/b499/rules.test -guard/target/de-test.testlogfile=/tmp/go-build1987576926/b499/testlog.txt -guard/target/de-test.paniconexit0 -guard/target/de-test.timeout=10m0s(dns block)invalid-host-that-does-not-exist-12345.com/tmp/go-build2652146382/b496/config.test /tmp/go-build2652146382/b496/config.test -test.testlogfile=/tmp/go-build2652146382/b496/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true rotocol/go-sdk@vgo1.25.8 -I x_amd64/vet --gdwarf-5 --64 -o x_amd64/vet -I g_.a 0887644/b299/ x_amd64/vet --gdwarf-5 v3 -o x_amd64/vet(dns block)/tmp/go-build1987576926/b496/config.test /tmp/go-build1987576926/b496/config.test -test.testlogfile=/tmp/go-build1987576926/b496/testlog.txt -test.paniconexit0 -test.timeout=10m0s /lib64/ld-linux-x86-64.so.2 -pie -z now -z relro -o /home/REDACTED/work/gh-aw-mcpg/gh-aw-mcpg/guards/github-guard/rust-guard/target/debug/deps/github_guard-57d41235e07a5585 lib/�� lib/rustlib/x86_/home/REDACTED/work/gh-aw-mcpg/gh-aw-mcpg/guards/github-guard/rust-guard/target/de/opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet lib/rustlib/x86_/home/REDACTED/work/gh-aw-mcpg/gh-aw-mcpg/guards/github-guard/rust-guard/target/de/tmp/go-build4284444941/b490/vet.cfg lib/rustlib/x86_/home/REDACTED/work/gh-aw-mcpg/gh-aw-mcpg/guards/github-guard/rust-guard/target/de--check-cfg lib/rustlib/x86_/home/REDACTED/.rustup/toolchains/stable-x86_64-REDACTED-linux-gnu/lib/rustlib/x86_64-REDACTED-linux-gnu/bin/rust-lld lib/rustlib/x86_-flavor lib/rustlib/x86_gnu lib/rustlib/x86_-plugin(dns block)nonexistent.local/tmp/go-build2652146382/b514/launcher.test /tmp/go-build2652146382/b514/launcher.test -test.testlogfile=/tmp/go-build2652146382/b514/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true g_.a -I x_amd64/vet --gdwarf-5 metadata -o IKHi8OnZxBbc -E .cfg 0887644/b299/ 64/pkg/tool/linux_amd64/vet -I . -imultiarch 64/pkg/tool/linu-buildtags(dns block)/tmp/go-build1987576926/b514/launcher.test /tmp/go-build1987576926/b514/launcher.test -test.testlogfile=/tmp/go-build1987576926/b514/testlog.txt -test.paniconexit0 -test.timeout=10m0s -gua�� -guard/target/debug/deps/rustcZYhlM6/symbols.o -guard/target/debug/deps/github_guard-57d41235e07a5585.0r6f2y9pmz8tylr32cgwnziux.0d7kehr.rcgu.o -guard/target/debug/deps/github_guard-57d41235e07a5585.0y8i0suihruczucboywd9kbz6.0d7kehr.rcgu.o -guard/target/degit -guard/target/deconfig -guard/target/deextensions.objectformat -guard/target/debug/deps/github_guard-57d41235e07a5585.1yg4dgf4ofc88gtczrpthgg1u.0d7kehr.rcgu.o -gua�� -guard/target/debug/deps/github_guard-57d41235e07a5585.2slqyghiy5vmlrtxer9j2lnp9.0d7kehr.rcgu.o -guard/target/debug/deps/github_guard-57d41235e07a5585.2z8afzdm9zucrirrh7hnf4z1l.0d7kehr.rcgu.o -guard/target/debug/deps/github_guard-57d41235e07a5585.34w8f3apoo4qlefxtp7qruodt.0d7kehr.rcgu.o -guard/target/de/tmp/go-build1987576926/b499/rules.test -guard/target/de-test.testlogfile=/tmp/go-build1987576926/b499/testlog.txt -guard/target/de-test.paniconexit0 -guard/target/de-test.timeout=10m0s(dns block)slow.example.com/tmp/go-build2652146382/b514/launcher.test /tmp/go-build2652146382/b514/launcher.test -test.testlogfile=/tmp/go-build2652146382/b514/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true g_.a -I x_amd64/vet --gdwarf-5 metadata -o IKHi8OnZxBbc -E .cfg 0887644/b299/ 64/pkg/tool/linux_amd64/vet -I . -imultiarch 64/pkg/tool/linu-buildtags(dns block)/tmp/go-build1987576926/b514/launcher.test /tmp/go-build1987576926/b514/launcher.test -test.testlogfile=/tmp/go-build1987576926/b514/testlog.txt -test.paniconexit0 -test.timeout=10m0s -gua�� -guard/target/debug/deps/rustcZYhlM6/symbols.o -guard/target/debug/deps/github_guard-57d41235e07a5585.0r6f2y9pmz8tylr32cgwnziux.0d7kehr.rcgu.o -guard/target/debug/deps/github_guard-57d41235e07a5585.0y8i0suihruczucboywd9kbz6.0d7kehr.rcgu.o -guard/target/degit -guard/target/deconfig -guard/target/deextensions.objectformat -guard/target/debug/deps/github_guard-57d41235e07a5585.1yg4dgf4ofc88gtczrpthgg1u.0d7kehr.rcgu.o -gua�� -guard/target/debug/deps/github_guard-57d41235e07a5585.2slqyghiy5vmlrtxer9j2lnp9.0d7kehr.rcgu.o -guard/target/debug/deps/github_guard-57d41235e07a5585.2z8afzdm9zucrirrh7hnf4z1l.0d7kehr.rcgu.o -guard/target/debug/deps/github_guard-57d41235e07a5585.34w8f3apoo4qlefxtp7qruodt.0d7kehr.rcgu.o -guard/target/de/tmp/go-build1987576926/b499/rules.test -guard/target/de-test.testlogfile=/tmp/go-build1987576926/b499/testlog.txt -guard/target/de-test.paniconexit0 -guard/target/de-test.timeout=10m0s(dns block)this-host-does-not-exist-12345.com/tmp/go-build2652146382/b523/mcp.test /tmp/go-build2652146382/b523/mcp.test -test.testlogfile=/tmp/go-build2652146382/b523/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true NHV5Q4M0b -I x_amd64/vet 0887644/b299/ .io/otel/sdk/tra--version -o x_amd64/vet .cfg�� aw-mcpg/internal/server/auth.go aw-mcpg/internal/server/circuit_-ifaceassert x_amd64/vet --gdwarf-5 --64 -o x_amd64/vet(dns block)/tmp/go-build1987576926/b523/mcp.test /tmp/go-build1987576926/b523/mcp.test -test.testlogfile=/tmp/go-build1987576926/b523/testlog.txt -test.paniconexit0 -test.timeout=10m0s /usr��(dns block)If you need me to access, download, or install something from one of these locations, you can either: