[code-simplifier] refactor: simplify guard policy setOutput, footer logic, and comment clarity

[github-actions]

This PR simplifies recently modified code (2026-03-20) to improve clarity and reduce duplication while preserving all functionality.

Files Simplified

• actions/setup/js/determine_automatic_lockdown.cjs — eliminate duplicate core.setOutput() calls
• actions/setup/js/pr_review_buffer.cjs — simplify shouldAddFooter initialization logic
• pkg/workflow/mcp_environment.go — clarify misleading duplicate comment

Improvements Made

1. Reduced Code Duplication (determine_automatic_lockdown.cjs)

The setOutput() call was duplicated in both branches of an if/else (once for the "not configured" case, once for the "already configured" case). Since both branches set the exact same computed value (resolvedMinIntegrity / resolvedRepos), the call is now moved outside the conditional — keeping only the distinct core.info() messages inside.

Before:

if (!configuredMinIntegrity) {
  core.info(`...`);
  core.setOutput("min_integrity", defaultMinIntegrity);
} else {
  core.info(`...`);
  core.setOutput("min_integrity", configuredMinIntegrity);
}

After:

if (!configuredMinIntegrity) {
  core.info(`...`);
} else {
  core.info(`...`);
}
core.setOutput("min_integrity", resolvedMinIntegrity);

2. Simplified Boolean Logic (pr_review_buffer.cjs)

shouldAddFooter was initialized to false with a redundant else if (footerMode === "none") { shouldAddFooter = false; } branch. Now initialized directly from the "always" check:

Before:

let shouldAddFooter = false;
if (footerMode === "always") { shouldAddFooter = true; }
else if (footerMode === "none") { shouldAddFooter = false; }
else if (footerMode === "if-body") { ... }

After:

let shouldAddFooter = footerMode === "always";
if (footerMode === "if-body") { ... }

3. Clarified Comment (mcp_environment.go)

The comment // Check for safe-outputs env vars appeared twice in collectMCPEnvironmentVariables. The second occurrence was misleading — that block adds the safe-outputs server connection details (port and API key), not the GH_AW_SAFE_OUTPUTS passthrough above it. Clarified to // Add safe-outputs server connection env vars.

Changes Based On

Recent merged PRs:

• fix: skipped code-push should not trigger fail-fast; retry PR review on unresolvable line #21976 — pr_review_buffer.cjs and safe_output_handler_manager.cjs (skipped code-push, unresolvable line retry)
• fix: remove GitHub App auth exemption from automatic public-repo min-integrity guard policy #21969 — determine_automatic_lockdown.cjs (remove GitHub App auth exemption)
• fix: validate safe-output names in gh aw new against JSON schema; fix create-project oneOf #21981 — commands.go + mcp_environment.go (validate safe-output names)

Testing

• ✅ JS tests pass — 53/53 (determine_automatic_lockdown.test.cjs, pr_review_buffer.test.cjs)
• ✅ Go build succeeds (make build)
• ✅ Go tests pass (TestCollectMCPEnvironmentVariables_*, TestBuildSafeOutputsSection, TestCreateWorkflowTemplateContainsOnlyValidSafeOutputs)
• ✅ make fmt — no formatting changes needed
• ✅ No functional changes — behavior is identical

References: §23357917108

Note

🔒 Integrity filtering filtered 4 items

Integrity filtering activated and filtered the following items during workflow execution.
This happens when a tool call accesses a resource that does not meet the required integrity or secrecy level of the workflow.

• pr:fix: validate safe-output names in gh aw new against JSON schema; fix create-project oneOf #21981 (pull_request_read: Resource 'pr:fix: validate safe-output names in gh aw new against JSON schema; fix create-project oneOf #21981' has lower integrity than agent requires. The agent cannot read data with integrity below "approved".)
• pr:fix(codex): align execute step name to "Execute Codex CLI" #21972 (pull_request_read: Resource 'pr:fix(codex): align execute step name to "Execute Codex CLI" #21972' has lower integrity than agent requires. The agent cannot read data with integrity below "approved".)
• pr:fix: skipped code-push should not trigger fail-fast; retry PR review on unresolvable line #21976 (pull_request_read: Resource 'pr:fix: skipped code-push should not trigger fail-fast; retry PR review on unresolvable line #21976' has lower integrity than agent requires. The agent cannot read data with integrity below "approved".)
• pr:security: remove Trivy action due to supply chain compromise #22007 (pull_request_read: Resource 'pr:security: remove Trivy action due to supply chain compromise #22007' has lower integrity than agent requires. The agent cannot read data with integrity below "approved".)

Generated by Code Simplifier · ◷

• expires on Mar 21, 2026, 7:02 PM UTC

[Copilot]

Pull request overview

This PR performs small refactors to simplify control flow and reduce duplication while keeping behavior unchanged across guard-policy output computation, PR review footer logic, and safe-outputs environment variable comments.

Changes:

• Deduplicates core.setOutput() calls in automatic guard policy resolution by computing resolved values once and emitting outputs after branch-specific logging.
• Simplifies shouldAddFooter initialization in PR review submission logic by deriving the default from footerMode === "always".
• Clarifies a misleading duplicated comment in MCP environment variable collection related to safe-outputs server connection variables.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File	Description
actions/setup/js/determine_automatic_lockdown.cjs	Moves repeated setOutput calls outside conditionals while preserving resolved values and logging.
actions/setup/js/pr_review_buffer.cjs	Simplifies footer inclusion boolean initialization without changing supported modes.
pkg/workflow/mcp_environment.go	Updates comment text to accurately describe the safe-outputs server env vars being added.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.