Add schema and integration coverage for safe-outputs.create-pull-request.allowed-base-branches

pkg/cli/compile_integration_test.go

@@ -865,6 +865,56 @@ Verify staged safe-outputs with create-issue.
 	}
 }
 
+func TestCompileSafeOutputsCreatePullRequestAllowedBaseBranches(t *testing.T) {
+	setup := setupIntegrationTest(t)
+	defer setup.cleanup()
+
+	testWorkflow := `---
+name: Allowed Base Branches
+on:
+  workflow_dispatch:
+permissions: read-all
+engine: copilot
+safe-outputs:
+  create-pull-request:
+    allowed-base-branches:
+      - main
+      - release/*
+---
+
+Verify allowed base branches in create-pull-request safe output.
+`
+	testWorkflowPath := filepath.Join(setup.workflowsDir, "allowed-base-branches.md")
+	if err := os.WriteFile(testWorkflowPath, []byte(testWorkflow), 0644); err != nil {
+		t.Fatalf("Failed to write test workflow file: %v", err)
+	}
+
+	cmd := exec.Command(setup.binaryPath, "compile", testWorkflowPath)
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		t.Fatalf("CLI compile command failed: %v\nOutput: %s", err, string(output))
+	}
+
+	lockFilePath := filepath.Join(setup.workflowsDir, "allowed-base-branches.lock.yml")
+	lockContent, err := os.ReadFile(lockFilePath)
+	if err != nil {
+		t.Fatalf("Failed to read lock file: %v", err)
+	}
+	lockContentStr := string(lockContent)
+
+	if !strings.Contains(lockContentStr, "GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG") {
+		t.Fatalf("Expected handler config env var in lock file, got:\n%s", lockContentStr)
+	}
+
+	if !strings.Contains(lockContentStr, "allowed_base_branches") {
+		t.Fatalf("Expected allowed_base_branches in handler config, got:\n%s", lockContentStr)
+	}
+
+	if !strings.Contains(lockContentStr, "release/*") {
+		t.Fatalf("Expected release/* pattern in lock file handler config, got:\n%s", lockContentStr)
+	}
+}
+
 // TestCompileStagedSafeOutputsAddComment verifies that a workflow with staged: true
 // and an add-comment handler compiles and emits GH_AW_SAFE_OUTPUTS_STAGED.
 // Prior to the schema fix, staged was not listed in the add-comment handler schema.

pkg/parser/schema_location_test.go

@@ -274,3 +274,36 @@ func TestValidateMainWorkflowFrontmatterWithSchemaAndLocation_AdditionalProperti
 		})
 	}
 }
+
+func TestValidateMainWorkflowFrontmatterWithSchemaAndLocation_AcceptsAllowedBaseBranchesInCreatePullRequest(t *testing.T) {
+	frontmatter := map[string]any{
+		"on": map[string]any{
+			"workflow_dispatch": map[string]any{},
+		},
+		"permissions": map[string]any{
+			"contents":      "read",
+			"pull-requests": "read",
+		},
+		"engine": map[string]any{
+			"id":    "copilot",
+			"model": "gpt-5.4",
+		},
+		"network": map[string]any{
+			"allowed": []any{"defaults"},
+		},
+		"tools": map[string]any{
+			"edit": map[string]any{},
+			"bash": true,
+		},
+		"safe-outputs": map[string]any{
+			"create-pull-request": map[string]any{
+				"allowed-base-branches": []any{"main", "release/*"},
+			},
+		},
+	}
+
+	err := ValidateMainWorkflowFrontmatterWithSchemaAndLocation(frontmatter, "/test/workflow.md")
+	if err != nil {
+		t.Fatalf("expected allowed-base-branches to be accepted under safe-outputs.create-pull-request, got error: %v", err)
+	}
+}

pkg/parser/schema_test.go

@@ -437,6 +437,83 @@ func TestMainWorkflowSchema_WorkflowDispatchNumberTypeDocumentation(t *testing.T
 	}
 }
 
+func TestMainWorkflowSchema_CreatePullRequestAllowedBaseBranches(t *testing.T) {
+	t.Parallel()
+
+	schemaPath := "schemas/main_workflow_schema.json"
+	schemaContent, err := os.ReadFile(schemaPath)
+	if err != nil {
+		t.Fatalf("failed to read schema: %v", err)
+	}
+
+	var schema map[string]any
+	if err := json.Unmarshal(schemaContent, &schema); err != nil {
+		t.Fatalf("failed to parse schema json: %v", err)
+	}
+
+	properties, ok := schema["properties"].(map[string]any)
+	if !ok {
+		t.Fatal("schema properties section not found")
+	}
+
+	safeOutputs, ok := properties["safe-outputs"].(map[string]any)
+	if !ok {
+		t.Fatal("'safe-outputs' field not found in schema")
+	}
+
+	safeOutputsProperties, ok := safeOutputs["properties"].(map[string]any)
+	if !ok {
+		t.Fatal("'safe-outputs.properties' not found in schema")
+	}
+
+	createPullRequest, ok := safeOutputsProperties["create-pull-request"].(map[string]any)
+	if !ok {
+		t.Fatal("'safe-outputs.create-pull-request' not found in schema")
+	}
+
+	createPullRequestOneOf, ok := createPullRequest["oneOf"].([]any)
+	if !ok {
+		t.Fatal("'safe-outputs.create-pull-request.oneOf' not found in schema")
+	}
+
+	var createPullRequestProperties map[string]any
+	for _, candidate := range createPullRequestOneOf {
+		candidateMap, ok := candidate.(map[string]any)
+		if !ok {
+			continue
+		}
+
+		properties, ok := candidateMap["properties"].(map[string]any)
+		if !ok {
+			continue
+		}
+
+		createPullRequestProperties = properties
+		break
+	}
+	if createPullRequestProperties == nil {
+		t.Fatal("'safe-outputs.create-pull-request' object schema with properties not found")
+	}
+
+	allowedBaseBranches, ok := createPullRequestProperties["allowed-base-branches"].(map[string]any)
+	if !ok {
+		t.Fatal("'allowed-base-branches' not found under safe-outputs.create-pull-request")
+	}
+
+	if gotType, _ := allowedBaseBranches["type"].(string); gotType != "array" {
+		t.Fatalf("'allowed-base-branches' should be type array, got: %v", allowedBaseBranches["type"])
+	}
+
+	items, ok := allowedBaseBranches["items"].(map[string]any)
+	if !ok {
+		t.Fatal("'allowed-base-branches.items' not found in schema")
+	}
+
+	if gotItemType, _ := items["type"].(string); gotItemType != "string" {
+		t.Fatalf("'allowed-base-branches.items' should be type string, got: %v", items["type"])
+	}
+}
+
 func TestGetSafeOutputTypeKeys(t *testing.T) {
 	keys, err := GetSafeOutputTypeKeys()
 	if err != nil {