Skip to content

fix: map author_association NONE to unapproved integrity#4430

Merged
lpcox merged 2 commits intomainfrom
fix/author-association-none-unapproved
Apr 23, 2026
Merged

fix: map author_association NONE to unapproved integrity#4430
lpcox merged 2 commits intomainfrom
fix/author-association-none-unapproved

Conversation

@lpcox
Copy link
Copy Markdown
Collaborator

@lpcox lpcox commented Apr 23, 2026

Summary

Maps GitHub author_association: NONE to unapproved integrity instead of none.

Problem

GitHub's author_association enum value NONE means "Author has no association with the repository" (docs). This is intentionally vague and does not mean the user is established or trustworthy — only that they are not FIRST_TIMER.

Previously, the guard mapped NONE to the lowest integrity level (none), identical to FIRST_TIMER ("Author has not previously committed to GitHub" — a brand-new account). This incorrectly treated users with existing GitHub activity the same as completely new accounts.

Changes

Rust guard (core logic)

  • author_association_floor_from_str in helpers.rs: Added "NONE" to the unapproved match arm alongside CONTRIBUTOR and FIRST_TIME_CONTRIBUTOR
  • Added dedicated test_author_association_none_maps_to_unapproved test
  • Updated 10 existing tests that used "NONE" and expected none_integrity() → now expect reader_integrity()

Documentation

  • INTEGRITY_TAG_SPEC.md: Updated Author Association Initialization section with rationale table, GitHub API links, and clear note that NONE does not mean established
  • INTEGRITY_TAG_SPEC.md: Updated resource/response label rule tables to distinguish NONE (unapproved) from FIRST_TIMER (none)
  • TESTING.md: Updated author_association mapping documentation to move NONE from the none group to unapproved

Go test fix (pre-existing)

  • flags_test.go: Fixed TestRegisterFlagCompletions tests that checked flag.Annotations (not populated by RegisterFlagCompletionFunc) — now uses GetFlagCompletionFunc to verify completions

Mapping (after this change)

author_association Integrity Level Rationale
OWNER, MEMBER, COLLABORATOR approved Known repo contributors
CONTRIBUTOR, FIRST_TIME_CONTRIBUTOR, NONE unapproved Not brand-new to GitHub, no special repo relationship
FIRST_TIMER, unknown/missing none Brand-new GitHub accounts or unrecognized values

Closes #4419

@lpcox
fix: map author_association NONE to unapproved integrity
c8631de 
GitHub's author_association NONE means 'no association with the repo'
which does NOT imply the user is established or trustworthy. Previously
NONE mapped to the lowest integrity level (none), same as FIRST_TIMER.

Now NONE maps to unapproved (reader_integrity), matching
FIRST_TIME_CONTRIBUTOR and CONTRIBUTOR, since all three represent users
who are not brand-new to GitHub but have no special repo relationship.

Only FIRST_TIMER ('has not previously committed to GitHub') and
unknown/missing values remain at the none baseline.

Also fixes pre-existing TestRegisterFlagCompletions failures by checking
GetFlagCompletionFunc instead of flag.Annotations (RegisterFlagCompletionFunc
does not populate annotations).

Closes #4419

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 23, 2026 22:52
Copilot AI reviewed Apr 23, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adjusts GitHub Guard integrity labeling to treat author_association: NONE as unapproved integrity (rather than none), aligning behavior with GitHub’s semantics and preventing established-but-new-to-repo contributors from being overly filtered.

Changes:

  • Update Rust guard author-association mapping so NONE maps to unapproved (reader integrity) and add a focused regression test.
  • Update Rust labeling tests to reflect the new NONEunapproved behavior across issue/PR/commit scenarios.
  • Update documentation to clarify the rationale and tables for NONE vs FIRST_TIMER, and fix a Go flag-completion test to validate completion functions via Cobra APIs.
Show a summary per file
File Description
internal/cmd/flags_test.go Fixes completion tests to assert via GetFlagCompletionFunc instead of flag annotations.
guards/github-guard/rust-guard/src/labels/helpers.rs Changes author_association mapping (NONE → reader) and adds a dedicated unit test.
guards/github-guard/rust-guard/src/labels/mod.rs Updates expectations/comments in label/integrity tests for NONE → reader integrity.
guards/github-guard/docs/INTEGRITY_TAG_SPEC.md Updates spec mapping tables and adds rationale clarifying NONE vs FIRST_TIMER.
guards/github-guard/docs/TESTING.md Updates testing documentation to match new mapping and explain rationale.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 5/5 changed files
  • Comments generated: 1

Comment thread guards/github-guard/rust-guard/src/labels/helpers.rs Outdated
@lpcox
Potential fix for pull request finding
c72f4c1 
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@lpcox lpcox merged commit bb83fe4 into main Apr 23, 2026
14 checks passed
@lpcox lpcox deleted the fix/author-association-none-unapproved branch April 23, 2026 22:59
This was referenced Apr 23, 2026
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Open
Copilot AI mentioned this pull request Apr 24, 2026
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[gateway] GitHub author_association NONE should map to unapproved integrity, not none

2 participants

@lpcox