fix: push-to-pull-request-branch default max should be 1, not 0

[Copilot]

push-to-pull-request-branch compiled to max: 0 when max was omitted from frontmatter, effectively disabling the safe output. The documented default is max: 1.

Changes

• safe_outputs_config_generation.go: Change default max passed to generateMaxWithTargetConfig for push_to_pull_request_branch from 0 to 1
• push_to_pull_request_branch_test.go: Add assertion to TestPushToPullRequestBranchMinimalConfig verifying "push_to_pull_request_branch":{"max":1} is emitted when max is not set

Before / After

# Frontmatter with no explicit max
safe-outputs:
  push-to-pull-request-branch:
    if-no-changes: ignore

// Before
{"push_to_pull_request_branch":{"max":0}}

// After
{"push_to_pull_request_branch":{"max":1}}

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GOMOD GOMODCACHE go env heck '**/*.cjs' GOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GOMOD GOMODCACHE go env heck '**/*.cjs' GOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD ode-gyp-bin/sh go (http block)
• https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go k/gh�� -json GO111MODULE 64/bin/go GOINSECURE GOMOD erignore go (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/a70c5eada06553e3510ac27f2c3bda9d3705bccb
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/a70c5eada06553e3510ac27f2c3bda9d3705bccb --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/githubnext/agentics/git/ref/tags/
  • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha d/gh-aw/main.go d/gh-aw/capitaliGOMOD 64/bin/go GOINSECURE GOMOD GOMODCACHE ache/go/1.25.0/xGOPROXY env 0575947/b393/_pkGOSUMDB GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

[Copilot]

Pull request overview

Fixes the push-to-pull-request-branch safe-outputs config generation so that omitting max in frontmatter emits the documented default (max: 1) rather than max: 0.

Changes:

• Update generateSafeOutputsConfig to default push_to_pull_request_branch.max to 1 when not provided.
• Add a regression assertion in TestPushToPullRequestBranchMinimalConfig to verify the default max is emitted as 1.
• Refresh checked-in workflow .lock.yml files to reflect the updated generated config.json content.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
pkg/workflow/safe_outputs_config_generation.go	Changes default max for push_to_pull_request_branch in generated safe-outputs config.json from 0 to 1.
pkg/workflow/push_to_pull_request_branch_test.go	Adds a regression assertion ensuring minimal config emits push_to_pull_request_branch.max = 1.
.github/workflows/tidy.lock.yml	Updates embedded safe-outputs config.json to reflect default max: 1.
.github/workflows/smoke-update-cross-repo-pr.lock.yml	Updates embedded safe-outputs config.json to reflect default max: 1.
.github/workflows/smoke-claude.lock.yml	Updates embedded safe-outputs config.json to reflect default max: 1.
.github/workflows/poem-bot.lock.yml	Updates embedded safe-outputs config.json to reflect default max: 1.
.github/workflows/mergefest.lock.yml	Updates embedded safe-outputs config.json to reflect default max: 1.
.github/workflows/craft.lock.yml	Updates embedded safe-outputs config.json to reflect default max: 1.
.github/workflows/changeset.lock.yml	Updates embedded safe-outputs config.json to reflect default max: 1.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

This assertion is brittle because it depends on an exact JSON snippet (including the nested object ending with }), so it will fail if additional fields are later added to push_to_pull_request_branch config (e.g., target) or if formatting changes. Consider extracting the emitted config.json from the lock file and json.Unmarshal it, then assert config["push_to_pull_request_branch"].max == 1 regardless of other fields.