From d2a205cab15ca838b2a70b10ee55e24ac3a4fc03 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 13 Feb 2026 07:56:21 +0000
Subject: [PATCH 1/4] Initial plan


From 42d2cf015e6d0f38f8ca45e8aaa7e24d38127f01 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 13 Feb 2026 08:02:57 +0000
Subject: [PATCH 2/4] Initial investigation: Label trigger schema validation
 issue

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 .github/workflows/refiner.lock.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/refiner.lock.yml b/.github/workflows/refiner.lock.yml
index eb410e58bee..ef292ba6282 100644
--- a/.github/workflows/refiner.lock.yml
+++ b/.github/workflows/refiner.lock.yml
@@ -176,7 +176,7 @@ jobs:
               staged: false,
               allowed_domains: ["defaults"],
               firewall_enabled: true,
-              awf_version: "v0.16.2",
+              awf_version: "v0.16.3",
               awmg_version: "",
               steps: {
                 firewall: "squid"
@@ -200,9 +200,9 @@ jobs:
       - name: Install GitHub Copilot CLI
         run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.409
       - name: Install awf binary
-        run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.16.2
+        run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.16.3
       - name: Download container images
-        run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.16.2 ghcr.io/github/gh-aw-firewall/squid:0.16.2 ghcr.io/github/gh-aw-mcpg:v0.1.4 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine
+        run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.16.3 ghcr.io/github/gh-aw-firewall/squid:0.16.3 ghcr.io/github/gh-aw-mcpg:v0.1.4 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine
       - name: Write Safe Outputs Config
         run: |
           mkdir -p /opt/gh-aw/safeoutputs
@@ -651,7 +651,7 @@ jobs:
         timeout-minutes: 30
         run: |
           set -o pipefail
-          sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.16.2 --skip-pull \
+          sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.16.3 --skip-pull \
             -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \
             2>&1 | tee /tmp/gh-aw/agent-stdio.log
         env:

From eef5ee2fbc207a36606bee543672cc245d142fbe Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 13 Feb 2026 08:07:29 +0000
Subject: [PATCH 3/4] Fix label trigger schema validation for issues events

- Remove incorrect assumption that GitHub Actions supports native label filtering for issues
- Change issues events to use 'names' field (same as pull_request and discussion)
- Update label trigger parser to use job condition filtering for all event types
- Update tests to reflect new behavior
- Recompile all workflow files

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 .../label_trigger_integration_test.go         |  9 +++---
 pkg/workflow/label_trigger_parser.go          | 27 +++++------------
 pkg/workflow/label_trigger_parser_test.go     | 29 ++++++-------------
 3 files changed, 22 insertions(+), 43 deletions(-)

diff --git a/pkg/workflow/label_trigger_integration_test.go b/pkg/workflow/label_trigger_integration_test.go
index 328c02e20e4..d49f131731c 100644
--- a/pkg/workflow/label_trigger_integration_test.go
+++ b/pkg/workflow/label_trigger_integration_test.go
@@ -48,10 +48,11 @@ func TestLabelTriggerIntegrationSimple(t *testing.T) {
 		t.Errorf("issues.names = %v, want [bug enhancement]", names)
 	}
 
-	// Check that the native filter marker is present
-	nativeFilter, ok := issues["__gh_aw_native_label_filter__"].(bool)
-	if !ok || !nativeFilter {
-		t.Errorf("__gh_aw_native_label_filter__ = %v, want true", nativeFilter)
+	// Check that the native filter marker is NOT present
+	// (GitHub Actions doesn't support native label filtering for issues)
+	_, hasMarker := issues["__gh_aw_native_label_filter__"]
+	if hasMarker {
+		t.Errorf("__gh_aw_native_label_filter__ should not be present (no native label filtering support)")
 	}
 
 	// Check workflow_dispatch exists
diff --git a/pkg/workflow/label_trigger_parser.go b/pkg/workflow/label_trigger_parser.go
index a3128549fd8..bb9edc7fb87 100644
--- a/pkg/workflow/label_trigger_parser.go
+++ b/pkg/workflow/label_trigger_parser.go
@@ -79,8 +79,8 @@ func parseLabelTriggerShorthand(input string) (entityType string, labelNames []s
 
 // expandLabelTriggerShorthand takes an entity type and label names and returns a map that represents
 // the expanded label trigger + workflow_dispatch configuration with item_number input.
-// Note: For discussion events, GitHub Actions doesn't support the `labels` field,
-// so we use the native label filter marker but the labels will be filtered via job conditions.
+// Note: GitHub Actions doesn't support native label filtering for any event type,
+// so all labels are filtered via job conditions using the internal `names` field.
 func expandLabelTriggerShorthand(entityType string, labelNames []string) map[string]any {
 	// Create the trigger configuration based on entity type
 	var triggerKey string
@@ -96,28 +96,17 @@ func expandLabelTriggerShorthand(entityType string, labelNames []string) map[str
 	}
 
 	// Build the trigger configuration
-	// Add a marker to indicate this uses native GitHub Actions label filtering
-	// (not job condition filtering), so names should not be commented out
-	// Note: For discussion events, GitHub Actions doesn't support names field,
-	// so we don't include it but still use the marker to indicate shorthand expansion
+	// GitHub Actions doesn't support native label filtering for any event type,
+	// so we use the `names` field (internal representation) for job condition filtering
 	triggerConfig := map[string]any{
 		"types": []any{"labeled"},
 	}
 
 	// Add label names for filtering
-	// For issues: GitHub Actions supports native `labels` field - use it with marker
-	// For pull_request & discussion: Use `names` field for job condition filtering (no marker)
-	//   Note: The `names` field is an internal representation for job condition generation
-	//   and won't be rendered in the final GitHub Actions YAML for these event types
-	switch entityType {
-	case "issues":
-		triggerConfig["labels"] = labelNames
-		triggerConfig["__gh_aw_native_label_filter__"] = true // Marker to use native filtering
-	case "pull_request", "discussion":
-		// For pull_request and discussion: add names field for job condition filtering
-		triggerConfig["names"] = labelNames
-		// No marker - this will be filtered via job conditions
-	}
+	// All event types use `names` field for job condition filtering
+	// The `names` field is an internal representation for job condition generation
+	// and won't be rendered in the final GitHub Actions YAML for these event types
+	triggerConfig["names"] = labelNames
 
 	// Create workflow_dispatch with item_number input
 	workflowDispatchConfig := map[string]any{
diff --git a/pkg/workflow/label_trigger_parser_test.go b/pkg/workflow/label_trigger_parser_test.go
index baab95b845a..7351281705e 100644
--- a/pkg/workflow/label_trigger_parser_test.go
+++ b/pkg/workflow/label_trigger_parser_test.go
@@ -329,26 +329,15 @@ func TestExpandLabelTriggerShorthand(t *testing.T) {
 				t.Errorf("expandLabelTriggerShorthand() types = %v, want [labeled]", types)
 			}
 
-			// Check labels/names field:
-			// - For issues: uses native 'labels' field
-			// - For pull_request & discussion: uses 'names' field for job condition filtering
-			switch tt.entityType {
-			case "issues":
-				labels, ok := triggerConfig["labels"].([]string)
-				if !ok {
-					t.Fatalf("expandLabelTriggerShorthand() labels is not a string array for issues")
-				}
-				if !slicesEqual(labels, tt.labelNames) {
-					t.Errorf("expandLabelTriggerShorthand() labels = %v, want %v", labels, tt.labelNames)
-				}
-			case "pull_request", "discussion":
-				names, ok := triggerConfig["names"].([]string)
-				if !ok {
-					t.Fatalf("expandLabelTriggerShorthand() names is not a string array for %s", tt.entityType)
-				}
-				if !slicesEqual(names, tt.labelNames) {
-					t.Errorf("expandLabelTriggerShorthand() names = %v, want %v", names, tt.labelNames)
-				}
+			// Check names field:
+			// All entity types use 'names' field for job condition filtering
+			// (GitHub Actions doesn't support native label filtering)
+			names, ok := triggerConfig["names"].([]string)
+			if !ok {
+				t.Fatalf("expandLabelTriggerShorthand() names is not a string array for %s", tt.entityType)
+			}
+			if !slicesEqual(names, tt.labelNames) {
+				t.Errorf("expandLabelTriggerShorthand() names = %v, want %v", names, tt.labelNames)
 			}
 
 			// Check workflow_dispatch

From 53415542958189d8a90f966a1f70294e6473fd8d Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 13 Feb 2026 08:11:01 +0000
Subject: [PATCH 4/4] Fix fuzz test for label trigger expansion

Update FuzzExpandLabelTriggerShorthand to expect names field for all event types including discussion, matching the corrected behavior where all events use job condition filtering

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 .../label_trigger_parser_fuzz_test.go         | 22 ++++++-------------
 1 file changed, 7 insertions(+), 15 deletions(-)

diff --git a/pkg/workflow/label_trigger_parser_fuzz_test.go b/pkg/workflow/label_trigger_parser_fuzz_test.go
index 8103fa49199..6684a8980e2 100644
--- a/pkg/workflow/label_trigger_parser_fuzz_test.go
+++ b/pkg/workflow/label_trigger_parser_fuzz_test.go
@@ -138,21 +138,13 @@ func FuzzExpandLabelTriggerShorthand(f *testing.F) {
 						t.Errorf("types array is empty for entityType=%q", entityType)
 					}
 
-					// Check for names field (only for issues and pull_request, not discussion)
-					switch entityType {
-					case "issues", "pull_request":
-						if names, hasNames := triggerMap["names"]; !hasNames {
-							t.Errorf("trigger missing names field for entityType=%q", entityType)
-						} else if namesArray, ok := names.([]string); !ok {
-							t.Errorf("names is not a string array for entityType=%q", entityType)
-						} else if len(namesArray) != len(labelNames) {
-							t.Errorf("names array length mismatch: got %d, want %d for entityType=%q", len(namesArray), len(labelNames), entityType)
-						}
-					case "discussion":
-						// Discussion should not have names field (GitHub Actions doesn't support it)
-						if _, hasNames := triggerMap["names"]; hasNames {
-							t.Errorf("discussion trigger should not have names field, but it does")
-						}
+					// Check for names field (all event types use names for job condition filtering)
+					if names, hasNames := triggerMap["names"]; !hasNames {
+						t.Errorf("trigger missing names field for entityType=%q", entityType)
+					} else if namesArray, ok := names.([]string); !ok {
+						t.Errorf("names is not a string array for entityType=%q", entityType)
+					} else if len(namesArray) != len(labelNames) {
+						t.Errorf("names array length mismatch: got %d, want %d for entityType=%q", len(namesArray), len(labelNames), entityType)
 					}
 				}
 			}