Conversation
Add documentation for `target-repo: "*"` wildcard that allows agents to dynamically target any repository at runtime. List the five safe-output types that do not support it. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
github-actions
bot
added
automation
documentation
pelikhan
deleted the
doc-healer/target-repo-wildcard-2026-03-20-6ca92462f66b65b6
branch
There was a problem hiding this comment.
Pull request overview
Documentation update to reflect the newly-supported target-repo: "*" wildcard behavior for cross-repository safe-output handlers, including usage guidance and limitations.
Changes:
- Updated the Safe Outputs reference to describe
target-repo: "*"wildcard usage and clarifyallowed-reposbehavior. - Added a new “Wildcard Target Repository” subsection to the Cross-Repository Operations reference with an example and caution callout.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| docs/src/content/docs/reference/safe-outputs.md | Updates cross-repo overview to document target-repo: "*" wildcard and notes unsupported types. |
| docs/src/content/docs/reference/cross-repository.md | Adds a dedicated wildcard section and guidance for runtime repo selection. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| - **`allowed-repos`**: Allow the agent to dynamically choose from an allowlist of repositories (supports glob patterns, e.g. `org/*`). | ||
|
|
||
| See [Cross-Repository Operations](/gh-aw/reference/cross-repository/) technical details. | ||
| Using `target-repo: "*"` enables fully dynamic routing — the agent provides the `repo` field in each tool call. Note that `create-pull-request-review-comment`, `reply-to-pull-request-review-comment`, `submit-pull-request-review`, `create-agent-session`, and `manage-project-items` do not support the wildcard; use an explicit repository or `allowed-repos` for those types. |
There was a problem hiding this comment.
manage-project-items appears to be an invalid/nonexistent safe-output type name in this repo (no other references in code or docs). This makes the wildcard support guidance misleading. Consider replacing it with update-project (which explicitly disallows target-repo: "*" in the Update Project section) or removing it if it’s not a safe output type.
| Using `target-repo: "*"` enables fully dynamic routing — the agent provides the `repo` field in each tool call. Note that `create-pull-request-review-comment`, `reply-to-pull-request-review-comment`, `submit-pull-request-review`, `create-agent-session`, and `manage-project-items` do not support the wildcard; use an explicit repository or `allowed-repos` for those types. | |
| Using `target-repo: "*"` enables fully dynamic routing — the agent provides the `repo` field in each tool call. Note that `create-pull-request-review-comment`, `reply-to-pull-request-review-comment`, `submit-pull-request-review`, `create-agent-session`, and `update-project` do not support the wildcard; use an explicit repository or `allowed-repos` for those types. |
| Use this when the target repository is not known at workflow authoring time — for example, when building a workflow that routes issues to different repositories based on labels or content. | ||
|
|
||
| :::caution | ||
| The following safe-output types do **not** support `target-repo: "*"`: `create-pull-request-review-comment`, `reply-to-pull-request-review-comment`, `submit-pull-request-review`, `create-agent-session`, and `manage-project-items`. Use an explicit `owner/repo` value or `allowed-repos` for these types. |
There was a problem hiding this comment.
manage-project-items is referenced here as a safe-output type that doesn’t support target-repo: "*", but it doesn’t appear to exist anywhere else in the repository (no code/docs/schema matches). This likely should refer to an actual safe output type that rejects wildcards (e.g., update-project uses wildcard-disallowing parsing) or the item should be removed to avoid documenting a non-existent feature.
| The following safe-output types do **not** support `target-repo: "*"`: `create-pull-request-review-comment`, `reply-to-pull-request-review-comment`, `submit-pull-request-review`, `create-agent-session`, and `manage-project-items`. Use an explicit `owner/repo` value or `allowed-repos` for these types. | |
| The following safe-output types do **not** support `target-repo: "*"`: `create-pull-request-review-comment`, `reply-to-pull-request-review-comment`, and `submit-pull-request-review`, and `create-agent-session`. Use an explicit `owner/repo` value or `allowed-repos` for these types. |
Self-Healing Documentation Fixes
This PR was automatically created by the Daily Documentation Healer workflow.
Gaps Fixed
target-repo: "*"in safe-output handlers #21877 ("fix: allow wildcardtarget-repo: \"*\"in safe-output handlers") — documented thetarget-repo: "*"wildcard feature that allows agents to dynamically target any repository at runtime. Added to bothcross-repository.md(new subsection with example and caution callout) andsafe-outputs.md(updated Cross-Repository Operations overview).Root Cause
DDUw scans merged PRs and commits for new features but focuses on user-facing behaviors described in PR titles and bodies. The commit #21877 was a bug-fix commit — its title ("fix: allow wildcard…") signaled a correction to existing behavior, not a new feature addition. DDUw's heuristics for bug-fix commits tend to treat them as internal corrections that don't require documentation updates, so this cross-repository feature addition was skipped.
💡 DDUw Improvement Suggestions
DDUw Improvement Suggestions
Step 2 (Analyze Changes) should include a check for commits whose messages reference frontmatter fields or safe-output configuration options. Even when the commit prefix is
fix:, changes to parser logic or schema handling for fields liketarget-repomay surface new documented behavior (e.g., newly-allowed values). A heuristic to flag fix-commits that touchpkg/workflow/safe_outputs_*.goorpkg/parser/schemas/*.jsonfor a documentation cross-check would help catch these cases.Specifically, add to the analysis step:
Related Issues
target-repo: "*"in safe-output handlers #21877 (fix: allow wildcard target-repo: "*" in safe-output handlers)References:
Note
🔒 Integrity filtering filtered 4 items
Integrity filtering activated and filtered the following items during workflow execution.
This happens when a tool call accesses a resource that does not meet the required integrity or secrecy level of the workflow.
issue_read: Resource 'issue:[instructions] Sync github-agentic-workflows.md with v0.40.1 #21138' has lower integrity than agent requires. The agent cannot read data with integrity below "approved".)issue_read: Resource 'issue:GHES: Create prerequisites guide and troubleshooting runbook for Copilot engine #20968' has lower integrity than agent requires. The agent cannot read data with integrity below "approved".)pull_request_read: Resource 'pr:[docs] Update GHES docs: auto GH_HOST in custom jobs and Copilot GHES troubleshooting guide #21528' has lower integrity than agent requires. The agent cannot read data with integrity below "approved".)pull_request_read: Resource 'pr:[docs] Self-healing documentation fixes from issue analysis - 2026-03-19 #21847' has lower integrity than agent requires. The agent cannot read data with integrity below "approved".)