Split strict_mode_validation.go into focused concern-specific files #21506

Merged
pelikhan merged 3 commits into main from copilot/split-strict-mode-validation
Mar 18, 2026

Copilot AI commented Mar 18, 2026

pkg/workflow/strict_mode_validation.go was 546 lines — 1.8× the 300-line hard limit — combining four unrelated validation concerns in a single file.

Split

| File | Lines | Responsibility |
| --- | --- | --- |
| strict_mode_validation.go | 89 | Orchestrator only: validateStrictMode + shared logger |
| strict_mode_permissions_validation.go | 189 | validateStrictPermissions, validateStrictDeprecatedFields, validateStrictFirewall |
| strict_mode_env_validation.go | 147 | validateEnvSecrets, getEngineBaseEnvVarKeys, validateEnvSecretsSection |
| strict_mode_network_validation.go | 133 | validateStrictNetwork, validateStrictMCPNetwork, validateStrictTools |

Pure reorganization — no logic changes.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

If you need me to access, download, or install something from one of these locations, you can either:


- strict_mode_validation.go: orchestrator only (89 lines)
- strict_mode_network_validation.go: network, MCP network, tools checks (133 lines)
- strict_mode_env_validation.go: environment secrets validation (147 lines)
- strict_mode_permissions_validation.go: permissions, deprecated fields, firewall (189 lines)

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] [plan] Split strict_mode_validation.go into focused files" to "Split strict_mode_validation.go into focused concern-specific files" Mar 18, 2026
Copilot AI requested a review from pelikhan March 18, 2026 02:05
pelikhan marked this pull request as ready for review March 18, 2026 02:08
Copilot AI review requested due to automatic review settings March 18, 2026 02:08

Copilot AI left a comment

Pull request overview

Splits the previous monolithic strict-mode validation implementation into smaller, concern-specific files while keeping validateStrictMode as an orchestrator.

Changes:

  • Reduced strict_mode_validation.go to orchestration + shared logger.
  • Moved permissions/deprecations/firewall validation into strict_mode_permissions_validation.go.
  • Moved network/MCP network/tools validation into strict_mode_network_validation.go and env secret validation into strict_mode_env_validation.go.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| pkg/workflow/strict_mode_validation.go | Keeps only the strict-mode orchestration entrypoint and shared logger. |
| pkg/workflow/strict_mode_permissions_validation.go | Holds strict-mode validation for permissions, deprecated fields, and firewall behavior. |
| pkg/workflow/strict_mode_network_validation.go | Holds strict-mode validation for network rules, MCP container network requirements, and tools checks. |
| pkg/workflow/strict_mode_env_validation.go | Holds strict-mode validation for detecting secrets in env / engine.env. |

Comment on lines +76 to +79
// validateStrictFirewall requires firewall to be enabled in strict mode for copilot and codex engines
// when network domains are provided (non-wildcard).
// In strict mode, ALL engines (regardless of LLM gateway support) require that network domains
// must be defaults or from known ecosystems, and sandbox.agent must be enabled.
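
Review bot: The second sentence of this doc comment (lines +78 to +79) says that for all engines network domains "must be defaults or from known ecosystems", which reads as a hard requirement and sits oddly beside the first sentence, which scopes the firewall requirement to the copilot and codex engines. The follow-up commit message in this thread states that custom domains are allowed in strict mode and that only a warning is emitted when an ecosystem-owned domain is not specified as an ecosystem identifier. The comment should state which conditions return an error and which only warn, and to which engines each applies, so a reader does not take the strict-mode network policy to be tighter than what the function enforces.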
@pelikhan

@copilot review comments

Custom domains are allowed in strict mode; only a warning is emitted
when an ecosystem-owned domain is not specified as an ecosystem identifier.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Mar 18, 2026

> @copilot review comments

Fixed the misleading doc comment on validateStrictFirewall in a408003. The updated comment now accurately reflects that custom domains are permitted and only ecosystem-owned domains that aren't specified as ecosystem identifiers produce a warning.

pelikhan merged commit d28ee48 into main Mar 18, 2026
53 checks passed
pelikhan deleted the copilot/split-strict-mode-validation branch March 18, 2026 02:33

Development

Successfully merging this pull request may close these issues.

[plan] Split strict_mode_validation.go into focused concern-specific files
