From 22e3c489abf5d05f007b85f0e4e7d7f6c1cefcda Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Fri, 20 Mar 2026 19:01:17 +0000
Subject: [PATCH] refactor: simplify guard policy setOutput, footer logic, and comment clarity
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- determine_automatic_lockdown.cjs: eliminate duplicate core.setOutput() calls in if/else branches by moving them after the conditional, using the already-computed resolvedMinIntegrity/resolvedRepos variables
- pr_review_buffer.cjs: simplify shouldAddFooter initialization — derive directly from footerMode === 'always' and remove the redundant shouldAddFooter = false branch for 'none'
- mcp_environment.go: clarify the second 'Check for safe-outputs env vars' comment that was identical to the one above; this block adds server connection details (port/API key), not the GH_AW_SAFE_OUTPUTS passthrough
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 actions/setup/js/determine_automatic_lockdown.cjs | 6 ++----
 actions/setup/js/pr_review_buffer.cjs | 8 ++------
 pkg/workflow/mcp_environment.go | 6 +++---
 3 files changed, 7 insertions(+), 13 deletions(-)
diff --git a/actions/setup/js/determine_automatic_lockdown.cjs b/actions/setup/js/determine_automatic_lockdown.cjs
index 33ea82843c..8dadd637ee 100644
--- a/actions/setup/js/determine_automatic_lockdown.cjs
+++ b/actions/setup/js/determine_automatic_lockdown.cjs
@@ -60,21 +60,19 @@ async function determineAutomaticLockdown(github, context, core) {
 const resolvedMinIntegrity = configuredMinIntegrity || defaultMinIntegrity;
 if (!configuredMinIntegrity) {
 core.info(`min-integrity not configured — automatically setting to '${defaultMinIntegrity}' for ${visibility} repository`);
- core.setOutput("min_integrity", defaultMinIntegrity);
 } else {
 core.info(`min-integrity already configured as '${configuredMinIntegrity}' — not overriding`);
- core.setOutput("min_integrity", configuredMinIntegrity);
 }
+ core.setOutput("min_integrity", resolvedMinIntegrity);
 // Set repos if not already configured
 const resolvedRepos = configuredRepos || defaultRepos;
 if (!configuredRepos) {
 core.info(`repos not configured — automatically setting to '${defaultRepos}' for ${visibility} repository`);
- core.setOutput("repos", defaultRepos);
 } else {
 core.info(`repos already configured as '${configuredRepos}' — not overriding`);
- core.setOutput("repos", configuredRepos);
 }
+ core.setOutput("repos", resolvedRepos);
 if (isPrivate) {
 core.info("Automatic guard policy determination complete for private/internal repository");
diff --git a/actions/setup/js/pr_review_buffer.cjs b/actions/setup/js/pr_review_buffer.cjs
index 07852b7a3a..e208d705c6 100644
--- a/actions/setup/js/pr_review_buffer.cjs
+++ b/actions/setup/js/pr_review_buffer.cjs
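Review bot: In determine_automatic_lockdown.cjs, the new `core.setOutput("min_integrity", resolvedMinIntegrity)` and `core.setOutput("repos", resolvedRepos)` publish whatever the `||` fallback picked, and that fallback treats any non-empty configured string as a deliberate choice. A whitespace-only or misspelled value would therefore replace the visibility-based default in the guard policy outputs without any warning. If the configured values are not validated earlier in determineAutomaticLockdown (the function starts and ends outside this hunk), normalise them before resolving, for example `const resolvedMinIntegrity = configuredMinIntegrity?.trim() || defaultMinIntegrity;`, and reject values outside the accepted set before the outputs are written.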
@@ -211,12 +211,8 @@ function createReviewBuffer() {
 let body = reviewMetadata ? reviewMetadata.body : "";
 // Determine if we should add footer based on footer mode
- let shouldAddFooter = false;
- if (footerMode === "always") {
- shouldAddFooter = true;
- } else if (footerMode === "none") {
- shouldAddFooter = false;
- } else if (footerMode === "if-body") {
+ let shouldAddFooter = footerMode === "always";
+ if (footerMode === "if-body") {
 // Only add footer if body is non-empty (has meaningful content)
 shouldAddFooter = body.trim().length > 0;
 core.info(`Footer mode "if-body": body is ${body.trim().length > 0 ? "non-empty" : "empty"}, ${shouldAddFooter ? "adding" : "skipping"} footer`);
diff --git a/pkg/workflow/mcp_environment.go b/pkg/workflow/mcp_environment.go
index dfa58c2afa..e14216e763 100644
--- a/pkg/workflow/mcp_environment.go
+++ b/pkg/workflow/mcp_environment.go
@@ -115,9 +115,9 @@ func collectMCPEnvironmentVariables(tools map[string]any, mcpTools []string, wor
 maps.Copy(envVars, mcpScriptsSecrets)
 }
- // Check for safe-outputs env vars
- // Only add env vars if safe-outputs is actually enabled
- // This prevents referencing step outputs that don't exist when safe-outputs isn't used
+ // Add safe-outputs server connection env vars (port and API key for MCP tools)
+ // Only add if safe-outputs is actually enabled — avoids referencing step outputs
+ // that don't exist when safe-outputs isn't used.
 if workflowData != nil && HasSafeOutputsEnabled(workflowData.SafeOutputs) {
 // Add server configuration env vars from step outputs
 envVars["GH_AW_SAFE_OUTPUTS_PORT"] = "${{ steps.safe-outputs-start.outputs.port }}"
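Review bot: In pr_review_buffer.cjs, the simplified initialisation `let shouldAddFooter = footerMode === "always";` no longer names the "none" mode, so a reader cannot tell from createReviewBuffer that "none" and any unrecognised footerMode both leave the footer off. Behaviour matches the removed chain, but the intent is now implicit. I would extend the comment above it to `// "always" adds the footer, "if-body" adds it only for a non-empty body; "none" or any other value leaves it off`. The function starts before and continues after this hunk, so whether footerMode is validated elsewhere is not visible here.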