refactor: use ExpressionBuilder for all if expressions in maintenance_workflow.go

[Copilot]

Summary

Audits pkg/workflow/maintenance_workflow.go and ensures every job-level if: expression is built with the ExpressionBuilder API rather than written as a raw string literal. Also removes the zizmor-scan job from the maintenance workflow.

Changes

New helper functions

• buildNotForkAndScheduled() — builds !fork && (event_name != 'workflow_dispatch' || operation == "") for jobs that run on any non-dispatch event (schedule, push, etc.) or workflow_dispatch with empty operation.
• buildDispatchOperationCondition(operation string) — builds dispatch && operation == op && !fork for jobs triggered by a specific dispatch operation.

Replaced hardcoded if: expressions (6 jobs)

Job	Before	After
close-expired-entities	raw string	buildNotForkAndScheduled()
apply_safe_outputs	raw string	buildDispatchOperationCondition("safe_outputs")
create_labels	raw string	buildDispatchOperationCondition("create_labels")
validate_workflows	raw string	buildDispatchOperationCondition("validate")
compile-workflows	raw string	buildNotForkAndScheduled()
secret-validation	raw string	buildNotForkAndScheduled()

Removed job

• zizmor-scan job has been removed from the maintenance workflow generator.

Updated generated file

• agentics-maintenance.yml regenerated via make recompile — all if: conditions now use (!(github.event.repository.fork)) form consistent with other ExpressionBuilder-generated jobs, and the zizmor-scan job is no longer present.

Testing

All existing TestGenerateMaintenanceWorkflow_* tests pass. The tests use strings.Contains to check for condition substrings, which remain present in the newly rendered expressions.

[pelikhan]

@copilot remove zizmor scan job

[Copilot]

@copilot remove zizmor scan job

Done — removed the zizmor-scan job from the maintenance workflow generator and regenerated agentics-maintenance.yml in commit 5929552.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw 8danb25/uwqeOZ8q-unsafeptr=false (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw olden (http block)
• https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v7
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v7 --jq .object.sha (http block)
• https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
• https://api.github.com/repos/docker/build-push-action/git/ref/tags/v7
  • Triggering command: /usr/bin/gh gh api /repos/docker/build-push-action/git/ref/tags/v7 --jq .object.sha (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha (http block)
• https://api.github.com/repos/githubnext/agentics/git/ref/tags/-
  • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/- --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[Copilot]

Pull request overview

Refactors the maintenance workflow generator to consistently build all job-level if: expressions via the ExpressionBuilder API, and removes the zizmor-scan job from the generated maintenance workflow.

Changes:

• Replaced remaining raw string job if: conditions in pkg/workflow/maintenance_workflow.go with RenderCondition(...) using new helper builders.
• Removed the zizmor-scan job from both the generator and the generated workflow YAML.
• Updated the maintenance workflow test to stop expecting the removed job.

Show a summary per file

File	Description
pkg/workflow/maintenance_workflow.go	Uses ExpressionBuilder-based helpers for all job if: expressions; removes zizmor-scan job from generation.
pkg/workflow/maintenance_workflow_test.go	Updates operation-condition expectations to reflect removal of zizmor-scan.
.github/workflows/agentics-maintenance.yml	Regenerated workflow reflecting builder-rendered conditions and removal of zizmor-scan.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 3/3 changed files
• Comments generated: 1

[Copilot]

The comment above this dev-mode block still mentions adding a zizmor-scan job, but that job has been removed. Please update the comment to reflect the current jobs included in dev mode (e.g., compile-workflows / secret-validation) so future readers aren’t misled.

[github-actions]

🧪 Test Quality Sentinel Report

Test Quality Score: 90/100

✅ Excellent test quality

Metric	Value
New/modified tests analyzed	1
✅ Design tests (behavioral contracts)	1 (100%)
⚠️ Implementation tests (low value)	0 (0%)
Tests with error/edge cases	1 (100%)
Duplicate test clusters	0
Test inflation detected	No (test:prod line ratio ≈ 0.03:1)
🚨 Coding-guideline violations	None

---

Test Classification Details

Test	File	Classification	Issues Detected
TestGenerateMaintenanceWorkflow_OperationJobConditions	pkg/workflow/maintenance_workflow_test.go:260	✅ Design	None — appropriate maintenance removal

---

Change Summary

The PR removes the zizmor-scan job from the maintenance workflow template and replaces all raw !github.event.repository.fork expressions with ExpressionBuilder-constructed equivalents. The single test change removes "zizmor-scan:" from the disabledJobs slice in TestGenerateMaintenanceWorkflow_OperationJobConditions to match the deleted job.

Design test classification rationale: The test calls GenerateMaintenanceWorkflow(...) and reads the resulting YAML file from disk, then asserts that each job's if: block contains the exact expected condition strings (e.g., operationSkipCondition, applySafeOutputsCondition). This is a behavioral contract test: it verifies the observable output of the workflow generator — the precise GitHub Actions condition expressions that control job execution at runtime. Any regression in the ExpressionBuilder logic that changes these expressions would be caught immediately.

The test also handles edge cases: it checks for job-not-found (jobIdx == -1) with a descriptive t.Errorf, and all assertions include context messages.

No new tests for buildNotForkAndScheduled() / buildDispatchOperationCondition(): The two new helper functions added to maintenance_workflow.go are not tested in isolation. Their correctness is implicitly validated through the existing end-to-end TestGenerateMaintenanceWorkflow_OperationJobConditions test, which asserts the exact rendered condition strings. This is acceptable given the project's preference for testing real component interactions over unit-testing internals.

Score deduction (-10): The score is 90 rather than 100 because no new test coverage was added for the two new builder functions (buildNotForkAndScheduled, buildDispatchOperationCondition). Direct tests verifying these functions' rendered output for edge cases (e.g., RenderCondition(buildDispatchOperationCondition(""))) would add value, but the existing end-to-end coverage mitigates the risk.

---

Language Support

Tests analyzed:

• 🐹 Go (*_test.go): 1 test — unit (//go:build !integration)
• 🟨 JavaScript (*.test.cjs, *.test.js): 0 tests

---

Verdict

✅ Check passed. 0% of new tests are implementation tests (threshold: 30%). Build tag present. No mock libraries. No guideline violations.

---

📖 Understanding Test Classifications

Design Tests (High Value) verify what the system does:

• Assert on observable outputs, return values, or state changes
• Cover error paths and boundary conditions
• Would catch a behavioral regression if deleted
• Remain valid even after internal refactoring

Implementation Tests (Low Value) verify how the system does it:

• Assert on internal function calls (mocking internals)
• Only test the happy path with typical inputs
• Break during legitimate refactoring even when behavior is correct
• Give false assurance: they pass even when the system is wrong

Goal: Shift toward tests that describe the system's behavioral contract — the promises it makes to its users and collaborators.

🧪 Test quality analysis by Test Quality Sentinel · ● 745.6K · ◷

[github-actions]

✅ Test Quality Sentinel: 90/100. Test quality is excellent — 0% of new tests are implementation tests (threshold: 30%). The single test modification correctly removes a stale reference to the deleted zizmor-scan job. No guideline violations detected.