feat: add first-class labels filter to eliminate red ❌ noise on unrelated label events

[Copilot]

pull_request_target (and other labeled events) had no native label-name filter — the only workaround was exit 1 in on.steps, which causes a red ❌ failure on every unrelated label add instead of a clean gray ⊘ skip.

Changes

• on.labels — new top-level on: field (mirrors roles:/bots: shape); accepts a string or array of label names
• Pre-activation job-level if: — when labels is set, buildPreActivationJob() injects a job-level condition that skips the entire pre_activation job when the triggering label doesn't match; events without a label payload (github.event.label == null) are always allowed through
• pre_activation always created with labels — hasLabelNames added to the buildPreActivationAndActivationJobs condition so a labels-only workflow (no roles, stop-time, etc.) correctly gets a pre_activation job
• hasSafeEventsOnly() — labels now excluded from event counting (same pattern as roles, bots)
• Schema — labels added to main_workflow_schema.json under on:
• trigger_label in agent context — buildAwContext() in aw_context.cjs now includes trigger_label: context.payload?.label?.name ?? "" so the AI agent receives the triggering label name as part of its context payload
• Single-quote escaping — StringLiteralNode.Render() now escapes embedded ' as '' (GitHub Actions doubling convention) so label names like can't-repro produce valid expressions

Example

on:
  pull_request_target:
    types: [labeled]
  labels: [panel-review]          # single string or array

Compiled output on pre_activation:

pre_activation:
  if: github.event.label == null || github.event.label.name == 'panel-review'

The condition uses github.event.label == null to pass through any event that doesn't carry a label object (workflow_dispatch, push, schedule, etc.), and only applies the label name check for events that actually have a label payload.

Unmatched label events now show as ⊘ Skipped across the whole workflow rather than ❌ Failed on pre_activation.

[pelikhan]

@copilot rename label-names to labels

[Copilot]

@copilot rename label-names to labels

Done — renamed label-names to labels throughout (frontmatter field, schema, extraction logic, and tests) in commit e893ffe.

[pelikhan]

@copilot label-names still in frontmatter full

[Copilot]

@copilot label-names still in frontmatter full

Fixed in 26f59a4 — docs/src/content/docs/reference/frontmatter-full.md still had label-names in both example snippets; updated to labels.

[pelikhan]

@copilot

• this filter should only apply to event that have a label information attached
• make sure the label is part of the agent context payload

[Copilot]

@copilot

• this filter should only apply to event that have a label information attached
• make sure the label is part of the agent context payload

Done in f6f919c:

1. Filter scoped to events with label data — buildLabelNamesCondition now generates github.event.label.name == '' || github.event.label.name == 'panel-review' instead of the previous ... || github.event_name == 'workflow_dispatch'. In GitHub Actions expressions, github.event.label.name evaluates to empty string for any event without a label payload (workflow_dispatch, push, schedule, etc.), so the == '' guard passes all non-labeled events through while still filtering on pull_request_target, issues, and pull_request labeled events.

2. Label in agent context payload — Added trigger_label: context.payload?.label?.name ?? "" to buildAwContext() in aw_context.cjs. The field is empty for events without label data and contains the label name for labeled/unlabeled events.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw .go _test.go .go atte�� *.json' '!../../../pkg/workflow/-f atting_test.go ache/go/1.25.8/x64/bin/gofmt (http block)
  • Triggering command: /usr/bin/gh gh repo view --json owner,name --jq .owner.login + "/" + .name kflows/metrics-collector.lock.ym-nolocalimports (http block)
• https://api.github.com/orgs/test-owner/actions/secrets
  • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name --noprofile (http block)
• https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq [.object.sha, .object.type] | @tsv --get remote.origin.url /usr/bin/git k/gh-aw/gh-aw show kflows/pdf-summa--show-toplevel git rev-�� --show-toplevel /usr/bin/gh /usr/bin/git 1/001/test-frontnode -f ow.lock.yml git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v3
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq /usr/bin/git ithub/workflows (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v5
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv 0647-10841/test-2349598119/.github/workflows XU/nxHITBaOmDtKhrev-parse ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile on' --ignore-patinfocmp --local bash ortcfg api 0647-10841/test-248003812 g/semverutil/semverutil_test.go 1/x64/bin/node -f b/gh-aw/pkg/actirev-parse -f git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv --show-toplevel ortcfg /usr/bin/git tions/setup/js/ntr show /usr/bin/docker git rev-�� --show-toplevel docker /usr/bin/git 724686413 mcp/notion flow.lock.yml git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv --show-toplevel ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet /usr/bin/git xterm-color bash 8786015/b443/vet--show-toplevel git rev-�� --show-toplevel git /usr/bin/git s/test.md erignore 8786015/b461/vet--show-toplevel git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv --noprofile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv fbITvfT-w -f ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile -f owner=github -f ortcfg -C g/stats/statvar.go g/stats/spec_test.go 8786015/b431=> --noprofile (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v8
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv --show-toplevel ache/go/1.25.8/xremote /usr/bin/git 0647-10841/test-git show 8786015/b419=> git rev-�� --show-toplevel git /usr/bin/git '/tmp/TestParseDgit '/tmp/TestParseDrev-parse /usr/bin/git git (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v9
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv --noprofile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv label\|trigger_l-f /home/REDACTED/worowner=github repository(owne-f nore (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv .github/workflows (http block)
• https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --git-dir bash /usr/bin/gh ithub/workflows 53 /usr/bin/gh gh run download 4 /usr/bin/infocmp test-logs/run-4 -f x_amd64/compile infocmp (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv /tmp/TestGuardPolicyTrustedUsersRequiresMinIntegrity2538059152/001 config /usr/bin/git remote.origin.urgit (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel runc /usr/bin/gh (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv --noprofile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv P9ch/sR1tjYVSqOEP82kiP9ch rev-parse /usr/bin/git --abbrev-ref HEAD p/bin/bash git 8786�� licyMinIntegrityOnlymin-integrity_with_repos_array_c658669533/001 8786015/b420/_testmain.go 64/pkg/tool/linux_amd64/vet remote.origin.urgit (http block)
• https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv /tmp/gh-aw-test-runs/20260427-150647-10841/test-1664416032/.github/workflows config .test remote.origin.urgit (http block)
• https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv (http block)
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv re --log-level=error (http block)
• https://api.github.com/repos/github/gh-aw
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .default_branch .js' --ignore-paremote.origin.url (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq [.object.sha, .object.type] | @tsv -4057481520/base.md -4057481520/new.md /usr/bin/git ithub/workflows -f kflows/deep-repo--show-toplevel /usr/bin/git conf�� --get-regexp ^remote\..*\.gh-resolved$ /usr/bin/git 1724893457/.githgit rev-parse 64/pkg/tool/linu--show-toplevel git (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv /tmp/TestGuardPolicyMinIntegrityOnlymin-integrittest-logs/run-4 config /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/compile remote.origin.urgit (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv k/gh-aw/gh-aw/pkg/cli bash /tmp/go-build2488786015/b435/repoutil.test --noprofile (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --limit 100 --created >=2026-04-20 ../../../.pretticonfig DiscussionsEnabl--get x_amd64/compile rev-�� ithub/workflows (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --limit 100 --created >=2026-03-28 ../../../.prettiremote DiscussionsEnabladd infocmp estl�� k/gh-aw/gh-aw :latest kflows/daily-skill-optimizer.loc-nilfunc (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --limit 100 --created >=2026-01-27 ../../../.pretti/tmp/js-hash-test-1006794187/test-hash.js it B8/9jqmIb_xHSyedtdfdHCz/1kOrrzYpKSakC4_PiuU2 -C ed-imports-enabled-with-body-content.md show me: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name rev-parse 64/pkg/tool/linu-nolocalimports (http block)
  • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 config er: String!, $name: String!) { repository(owne-buildmode=exe remote.origin.urgit (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name :latest 64/pkg/tool/linux_amd64/link l (http block)
  • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 config 64/pkg/tool/linux_amd64/vet remote.origin.urgit (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name show 64/pkg/tool/linux_amd64/vet h ../../../.pretgit (http block)
  • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 -f ntdrain.test l owner=github -f ntdrain.test 4887�� k/gh-aw/gh-aw/.github/workflows show /home/REDACTED/work/_temp/uv-python-dir/node l (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name (http block)
  • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 show fe-outputs-spec-review.lock.yml (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name config 64/pkg/tool/linux_amd64/link remote.origin.urgit (http block)
  • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 rev-parse 64/pkg/tool/linux_amd64/compile (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name show 64/pkg/tool/linux_amd64/vet l (http block)
  • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 -f x_amd64/compile -f owner=github ed } } x_amd64/compile imag�� inspect ghcr.io/github/serena-mcp-server:latest /usr/bin/git js/**/*.json' --git (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name -f 64/pkg/tool/linux_amd64/vet -f owner=github DiscussionsEnabl--git-dir 64/pkg/tool/linux_amd64/vet -C e-analyzer.md config /usr/bin/git remote.origin.urgit (http block)
  • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 (http block)
• https://api.github.com/repos/github/gh-aw/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --noprofile (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 erignore 1/x64/bin/git sh -c ithub/workflows (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 (http block)
• https://api.github.com/repos/github/gh-aw/contents/.github/workflows/shared/reporting.md
  • Triggering command: /tmp/go-build2488786015/b404/cli.test /tmp/go-build2488786015/b404/cli.test -test.testlogfile=/tmp/go-build2488786015/b404/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git OnlyCompiledOutpgit show ache/go/1.25.8/x--show-toplevel git rev-�� --show-toplevel ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet /usr/bin/git /home/REDACTED/wordu rev-parse /usr/bin/gh git (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv 1/001/test-simple-frontmatter.md (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv ithub/workflows (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv --noprofile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv ithub/workflows (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq [.object.sha, .object.type] | @tsv i/install.sh (http block)
• https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv ility-kit.md config kflows/semantic-function-refactor.lock.yml remote.origin.urgit (http block)
• https://api.github.com/repos/nonexistent/repo/actions/runs/12345
  • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion re --log-level=egit (http block)
• https://api.github.com/repos/owner/repo/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo k/gh-aw/gh-aw/actions/setup/js/node_modules/.bin/sh (http block)
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo me: String!) { repository(owner: $owner, name:-f (http block)
  • Triggering command: /usr/bin/gh gh workflow list --repo owner/repo --json name,path,state ortcfg.link remote.origin.urgit r k/_temp/uv-pytho--show-toplevel b4L7Ikj7IChhS-MVF4/opxEl9d6gxDxhg-XZsIZ/B--vCgKY--auto -C k/gh-aw/gh-aw/.github/workflows rev-parse g_.a l --local k/gh-aw/gh-aw/.g--paginate git (http block)
• https://api.github.com/repos/test-owner/test-repo/actions/secrets
  • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name ithub/workflows (http block)
• https://api.github.com/repos/test/repo
  • Triggering command: /usr/bin/gh gh api /repos/test/repo --jq .default_branch /home/REDACTED/work/gh-aw/gh-aw show er: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabl-v js/**/*.json' --git (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[github-actions]

🧪 Test Quality Sentinel Report

Test Quality Score: 80/100

✅ Excellent

Metric	Value
New/modified tests analyzed	3
✅ Design tests (behavioral contracts)	3 (100%)
⚠️ Implementation tests (low value)	0 (0%)
Tests with error/edge cases	2 (67%)
Duplicate test clusters	0
Test inflation detected	⚠️ Yes (3.3:1 ratio)
🚨 Coding-guideline violations	None

---

Test Classification Details

Test	File	Classification	Issues Detected
TestExtractLabelNames	pkg/workflow/label_names_test.go:16	✅ Design	4 table cases incl. nil/missing-key edge cases
TestBuildLabelNamesCondition	pkg/workflow/label_names_test.go:74	✅ Design	Happy-path only; missing empty/nil input cases
TestLabelNamesPreActivationFilter	pkg/workflow/label_names_test.go:103	✅ Design	End-to-end compilation test; 4 scenarios incl. negative case

---

Flagged Tests — Requires Review

⚠️ TestBuildLabelNamesCondition (pkg/workflow/label_names_test.go:74)

Classification: Design test (minor gap)
Issue: Only covers single-label and multi-label happy paths. No test for an empty []string{} or nil input.
What design invariant does this test enforce? The condition string format used in GitHub Actions if: expressions — important for preventing regressions in the emitted YAML.
What would break if deleted? A change to the condition string template would go undetected.
Suggested improvement: Add table rows for nil and []string{} inputs to verify the function handles degenerate inputs gracefully (or explicitly documents that callers must not pass empty slices).

i️ Test Inflation Note

Test file adds 225 lines vs ~68 production lines (3.3:1 ratio), exceeding the 2:1 guideline. However, the inflation is largely explained by embedded YAML frontmatter strings inside table-driven end-to-end test cases — this is a known and accepted pattern for workflow compiler tests. The test quality is not meaningfully harmed.

---

Language Support

Tests analyzed:

• 🐹 Go (*_test.go): 3 tests — unit (//go:build !integration)
• 🟨 JavaScript (*.test.cjs, *.test.js): 0 tests

---

Verdict

✅ Check passed. 0% of new tests are implementation tests (threshold: 30%). All three tests verify observable behavioral contracts. Build tag is present. No mock libraries used.

---

📖 Understanding Test Classifications

Design Tests (High Value) verify what the system does:

• Assert on observable outputs, return values, or state changes
• Cover error paths and boundary conditions
• Would catch a behavioral regression if deleted
• Remain valid even after internal refactoring

Implementation Tests (Low Value) verify how the system does it:

• Assert on internal function calls (mocking internals)
• Only test the happy path with typical inputs
• Break during legitimate refactoring even when behavior is correct
• Give false assurance: they pass even when the system is wrong

Goal: Shift toward tests that describe the system's behavioral contract — the promises it makes to its users and collaborators.

References:

• §25006216129

🧪 Test quality analysis by Test Quality Sentinel · ● 452.6K · ◷

[github-actions]

✅ Test Quality Sentinel: 80/100. Test quality is excellent — 0% of new tests are implementation tests (threshold: 30%). All three table-driven tests verify observable behavioral contracts, the required build tag is present, and no mock libraries are used.

[Copilot]

Pull request overview

Adds a first-class on.labels frontmatter filter so workflows triggered by labeled/unlabeled events can be cleanly skipped (instead of failing) when an unrelated label is applied.

Changes:

• Adds on.labels parsing and plumbs LabelNames through compiler workflow data.
• Injects a job-level if: into the pre_activation job to skip when the triggering label doesn’t match.
• Updates schema/docs and extends agent context with trigger_label; adds unit tests.

Show a summary per file

File	Description
pkg/workflow/role_checks.go	Extracts on.labels and excludes labels from safe-event counting.
pkg/workflow/label_names_test.go	Adds tests for label extraction and compiled pre_activation condition behavior.
pkg/workflow/compiler_types.go	Adds LabelNames to WorkflowData.
pkg/workflow/compiler_pre_activation_job.go	Builds the label-based job-level if: and label condition rendering.
pkg/workflow/compiler_orchestrator_workflow.go	Wires extracted label names into WorkflowData.
pkg/parser/schemas/main_workflow_schema.json	Documents/validates on.labels in the frontmatter schema.
docs/src/content/docs/reference/frontmatter-full.md	Documents the new on.labels option.
actions/setup/js/aw_context.cjs	Adds trigger_label into the action’s context payload.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 8/8 changed files
• Comments generated: 6

[Copilot]

This negative test case sets expectedIf to the very broad substring "github.event.label.name" and then asserts it is not present. That’s fragile because the generated workflow could legitimately include github.event.label.name elsewhere (e.g., concurrency grouping or other label-related features), causing unrelated failures. Prefer asserting the absence of the specific label-filter expression (e.g., "github.event.label.name == ''" / "github.event.label.name == '...'") or scoping the search to the pre_activation` job section.

Suggested change

	expectedIf: "github.event.label.name",
	expectedIf: "github.event.label.name == ''",

[Copilot]

Documentation uses the skip symbol ⦸ here, but other new/updated comments in this PR use ⊘ (e.g. compiler_pre_activation_job.go). Please standardize on one symbol across docs/schema/code to avoid confusion.

Suggested change

	# as Skipped (⦸) rather than Failed (❌).
	# as Skipped (⊘) rather than Failed (❌).

[Copilot]

Schema description uses the skip symbol \u29b8 (⦸), while other new/updated comments in this PR use ⊘. For consistency with the docs and code comments, consider standardizing on a single symbol (and update both this schema description and the docs text together).

Suggested change

	"description": "Filter workflows triggered by pull_request_target (or other labeled events) to only fire when the triggering label matches one of these names. Generates a job-level if: condition on the pre-activation job so unmatched label events show as Skipped (\u29b8) rather than Failed (\u274c).",
	"description": "Filter workflows triggered by pull_request_target (or other labeled events) to only fire when the triggering label matches one of these names. Generates a job-level if: condition on the pre-activation job so unmatched label events show as Skipped (⊘) rather than Failed (\u274c).",

[Copilot]

on.labels filtering is implemented as a job-level if: on pre_activation, but pre_activation is only created when other checks are present. If a workflow sets on.labels on an otherwise “safe” trigger (no role check, stop-time, on.steps, etc.), pre_activation may not be generated at all, so the label filter would never apply and unrelated label events would still run. Consider treating LabelNames as a reason to create pre_activation (see buildPreActivationAndActivationJobs in compiler_jobs.go) or moving the label condition to a job that is always present (e.g., activation).

[Copilot]

The “no label data” branch relies on github.event.label.name == '', but GitHub Actions missing context properties commonly evaluate to null (this repo already uses == null checks in other generated expressions). If github.event.label/.name is null on non-labeled events (push, schedule, workflow_dispatch, etc.), this condition will be false and the job would be skipped unexpectedly. Suggest expanding the pass-through guard to handle null (e.g., github.event.label == null / github.event.label.name == null) or guarding on github.event.action not being labeled/unlabeled.

Suggested change

	// - the event has no label data (github.event.label.name is empty, which covers
	// workflow_dispatch, push, schedule, and any other non-labeled events), OR
	// - the triggering label name matches any of the specified names.
	//
	// This ensures the filter only acts on events that actually carry label information,
	// leaving all other events (e.g. workflow_dispatch, push) unaffected.
	func buildLabelNamesCondition(labelNames []string) string {
	// Pass through events without label data: github.event.label.name is empty
	// for workflow_dispatch, push, and any event that does not carry a label payload.
	noLabelEvent := BuildEquals(
	BuildPropertyAccess("github.event.label.name"),
	BuildStringLiteral(""),
	// - the event has no label data (github.event.label is null, github.event.label.name
	// is null, or github.event.label.name is empty, which covers workflow_dispatch,
	// push, schedule, and any other non-labeled events), OR
	// - the triggering label name matches any of the specified names.
	//
	// This ensures the filter only acts on events that actually carry label information,
	// leaving all other events (e.g. workflow_dispatch, push) unaffected.
	func buildLabelNamesCondition(labelNames []string) string {
	// Pass through events without label data: non-labeled events may expose
	// github.event.label or github.event.label.name as null, and some contexts may
	// normalize the missing label name to an empty string.
	noLabelEvent := BuildOr(
	ConditionNode(BuildEquals(
	BuildPropertyAccess("github.event.label"),
	BuildLiteral("null"),
	)),
	BuildOr(
	ConditionNode(BuildEquals(
	BuildPropertyAccess("github.event.label.name"),
	BuildLiteral("null"),
	)),
	BuildEquals(
	BuildPropertyAccess("github.event.label.name"),
	BuildStringLiteral(""),
	),
	),

[Copilot]

Label names are rendered into single-quoted GitHub Actions string literals, but the string literal renderer doesn’t escape embedded ' characters. A label like can't-repro would generate an invalid expression (or change the expression meaning). Consider escaping single quotes in name before calling BuildStringLiteral (GitHub Actions uses doubled quotes inside single-quoted strings) or centralizing escaping in the string literal renderer.

[github-actions]

Commit pushed: 45204ea

🏗️ ADR gate enforced by Design Decision Gate 🏗️

[github-actions]

🏗️ Design Decision Gate — ADR Required

This PR makes significant changes to core business logic (314 new lines in pkg/, exceeding the 100-line threshold) but does not have a linked Architecture Decision Record (ADR).

AI has analyzed the PR diff and generated a draft ADR to help you get started:

📄 Draft ADR: docs/adr/28737-first-class-labels-filter-for-labeled-events.md

What to do next

1. Review the draft ADR committed to your branch — it was generated from the PR diff
2. Complete the missing sections — add context the AI couldn't infer, refine the decision rationale, and list real alternatives you considered
3. Commit the finalized ADR to docs/adr/ on your branch
4. Reference the ADR in this PR body by adding a line such as:

   ADR: ADR-28737: First-Class on.labels Filter for Label-Triggered Workflow Events

Once an ADR is linked in the PR body, this gate will re-run and verify the implementation matches the decision.

📋 Draft ADR Summary

The draft captures the following decision framework inferred from the diff:

Decision: Add a first-class on.labels frontmatter field that the compiler translates into a job-level if: condition on pre_activation, causing unmatched label events to show as ⊘ Skipped rather than ❌ Failed.

Driver: GitHub Actions provides no native label-name filter for pull_request_target and other labeled events; the only prior workaround was exit 1 in a step, which produces red failures for every unrelated label add.

Alternatives documented:

• Step-level exit 1 guard (current workaround — rejected: marks job failed, not skipped)
• Step-level if: conditions on each step (rejected: job still shows as running, not cleanly skipped)
• Native GitHub Actions event filtering (not feasible: no native label-name filter exists)

Key consequences:

• Positive: CI dashboard noise eliminated; consistent with roles/bots compiler pattern
• Negative: on.labels is gh-aw-specific with no GitHub Actions native counterpart; github.event.label.name == '' pass-through is non-obvious in compiled output

📋 Michael Nygard ADR Format Reference

An ADR must contain these four sections to be considered complete:

• Context — What is the problem? What forces are at play?
• Decision — What did you decide? Why?
• Alternatives Considered — What else could have been done?
• Consequences — What are the trade-offs (positive and negative)?

All ADRs are stored in docs/adr/ as Markdown files numbered by PR number (e.g., 28737-first-class-labels-filter-for-labeled-events.md for PR #28737).

🔒 This PR cannot merge until an ADR is linked in the PR body.

References: §25006216146

🏗️ ADR gate enforced by Design Decision Gate 🏗️ · ● 187.5K · ◷

[pelikhan]

@copilot review all comments.

Only apply with event has label info

[Copilot]

@copilot review all comments.

Only apply with event has label info

Addressed all review comments in e57b589 and 109e7dd:

1. github.event.label == null guard — replaced the == '' guard with github.event.label == null so the pass-through only fires when the event genuinely has no label object, not just an empty string. Generated condition: github.event.label == null || github.event.label.name == 'panel-review'

2. pre_activation always created with labels — added hasLabelNames to the buildPreActivationAndActivationJobs condition so a labels-only workflow (no roles, stop-time, etc.) correctly gets a pre_activation job.

3. Single-quote escaping — fixed StringLiteralNode.Render() to escape ' as '' (GitHub Actions doubling convention) so label names like can't-repro produce valid expressions.

4. Negative test case clarity — renamed the test to "pull_request_target without labels has no label-filter if condition", set expectedIf to "github.event.label == null" (the specific filter substring), and added a comment explaining the assertion.

5. Symbol ⦸ → ⊘ — standardized on ⊘ in both the schema description and the docs comment.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw -pack /home/REDACTED/work/gh-aw/gh-aw/cmd/gh-aw/main.go (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw pT/XbKndr6IKHZeF-C nux-x86_64 bash --no�� */*.ts' '**/*.json' --ignore-path ../../../.pret.prettierignore (http block)
• https://api.github.com/orgs/test-owner/actions/secrets
  • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name rite '**/*.cjs' '**/*.ts' '**/*.json' --ignore-path ../../../.pr**/*.json (http block)
• https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq [.object.sha, .object.type] | @tsv --get remote.origin.url /usr/bin/git xterm-color (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v3
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv /tmp/go-build251241776/b447/stringutil.test -importcfg /usr/bin/git -s -w -buildmode=exe git rev-�� --show-toplevel -extld=gcc /usr/bin/git ithub/workflows --write /bin/sh git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v5
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv 2838-10275/test-2142418807/.github/workflows config ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile l --local p/bin/bash ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile rtcf�� 2838-10275/test-2938906374 tmain.go 1/x64/bin/node --local b/gh-aw/pkg/agenrev-parse $name) { has--show-toplevel /usr/bin/gh (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv --show-toplevel /usr/bin/gh /usr/bin/git ons/secrets -f cfg git rev-�� --show-toplevel ache/go/1.25.8/xorigin /usr/bin/git 079940836 config 1/x64/bin/node git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv --show-toplevel ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile /usr/bin/git 241776/b462/_pkggit --json 241776/b462=> git rev-�� --show-toplevel git /usr/bin/git runs/20260427-16git git /tmp/go-build251--show-toplevel git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv */*.ts' '**/*.jsremote.origin.url (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv _.a rev-parse /usr/bin/git copilot/feature-git (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v8
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv --show-toplevel ache/go/1.25.8/xremote /usr/bin/git 2838-10275/test-git -f e/git-upload-pacHEAD git rev-�� --show-toplevel infocmp /usr/bin/git Y6rm/lQPve2iiN0sgit git /usr/bin/gh git (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v9
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv *.json' '!../../remote.origin.url (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv *.json' '!../../../pkg/workflow/js/**/*.json' --ignore-path ../../../.prettierignore (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv --noprofile (http block)
• https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel bash /usr/bin/infocmp --version (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv /tmp/TestGuardPolicyTrustedUsersRequiresMinIntegrity3204331938/001 config ache/node/24.14.1/x64/bin/node remote.origin.urgit (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv */*.ts' '**/*.js-f (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv L0nF/R3iUEqf5PFeb3NCkL0nF show /usr/bin/gh _.a (http block)
• https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv /tmp/gh-aw-test-runs/20260427-162838-10275/test-172600137/.github/workflows remote test ithub/workflows (http block)
• https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv (http block)
• https://api.github.com/repos/github/gh-aw
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .default_branch first-class-laberemote.origin.url (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq [.object.sha, .object.type] | @tsv -1752629663/base.md -1752629663/new.md /usr/bin/git /home/REDACTED/worgit rev-parse me: String!) { --show-toplevel /usr/bin/git conf�� --get-regexp ^remote\..*\.gh-resolved$ /usr/bin/git 2631998179/.githgit show test git (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv k/gh-aw/gh-aw/pkg/cli config /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/compile remote.origin.urgit --others ache/node/24.14.--show-toplevel /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/compile -o /tmp/go-build251241776/b443/_pkg_.a -trimpath om/myorg/myrepo.git -p github.com/githurev-parse -lang=go1.25 git (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv 241776/b472/scripts.test git 241776/b472/importcfg.link ithub/workflows --others r: $owner, name:--show-toplevel 7D8RXanEmFBss/sX9FX53sm1OTZ6jdpoJ_/CWrYu2czG7Ca7ylQP4Z8/vCNYLdc7D8RXanEmFBss -tes�� ry=1 -test.v=true 241776/b472/_pkg_.a -test.timeout=10git -test.run=^Test layTitle node (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --limit 100 --created >=2026-04-20 (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --limit 100 --created >=2026-03-28 (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --limit 100 --created >=2026-01-27 (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name config 64/pkg/tool/linux_amd64/vet remote.origin.urgit (http block)
  • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 show fe-outputs-spec-review.lock.yml h ../../../.pretgit (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name config 64/pkg/tool/linux_amd64/vet remote.origin.urgit (http block)
  • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 -f 64/pkg/tool/linux_amd64/vet l owner=github -f 64/pkg/tool/linuTest User -C 334564027 show /home/REDACTED/work/_temp/uv-python-dir/node l (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name erena-mcp-server:latest 64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name -f 64/pkg/tool/linux_amd64/vet -f owner=github DiscussionsEnabled } } 64/pkg/tool/linux_amd64/vet -C 3966549072/.github/workflows config k remote.origin.urgit (http block)
  • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 config x_amd64/vet remote.origin.urgit (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name show 64/pkg/tool/linux_amd64/link l (http block)
  • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name (http block)
  • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 -f (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name rev-parse 64/pkg/tool/linux_amd64/vet h ../../../.pretgit (http block)
  • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 config x_amd64/compile l (http block)
• https://api.github.com/repos/github/gh-aw/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path rite '**/*.cjs' '**/*.ts' '**/*.json' --ignore-premote.origin.url pkg/workflow/activation_checkout_test.go me: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 (http block)
• https://api.github.com/repos/github/gh-aw/contents/.github/workflows/shared/reporting.md
  • Triggering command: /tmp/go-build251241776/b404/cli.test /tmp/go-build251241776/b404/cli.test -test.testlogfile=/tmp/go-build251241776/b404/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true son (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git OnlyCompiledOutpgit config ache/go/1.25.8/x--show-toplevel git rev-�� --show-toplevel ache/go/1.25.8/x64/pkg/tool/linutest@example.com /usr/bin/git ithub/workflows show 241776/b426=> git (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv 0/001/test-simple-frontmatter.md-s config kflows/semantic-function-refacto-buildmode=exe remote.origin.urgit --global 1/x64/bin/bash infocmp -1 xterm-color erena-mcp-server:latest cal/bin/bash get --local 64/bin/sh docker (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv /tmp/go-build2409063872/b001/workflow.test on n-dir/node /../../.prettierinfocmp erignore -buildmode=exe sh 1/x6�� npx prettier --write '**/*.cjs' -f -extld=gcc repository(owner: $owner, name:-f (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv ithub/workflows on (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv ithub/workflows (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq [.object.sha, .object.type] | @tsv ithub/workflows (http block)
• https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv tion-kit.md -f k -f owner=github -f git sRem�� /home/REDACTED/work/gh-aw/gh-aw/.g-p config rgo/bin/bash remote.origin.urgit --local k/_temp/uv-pytho--show-toplevel node (http block)
• https://api.github.com/repos/nonexistent/repo/actions/runs/12345
  • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion d -n 10 (http block)
• https://api.github.com/repos/owner/repo/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo ptimization-kit.lock.yml (http block)
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo r: $owner, name: $name) { hasDiscussionsEnabled } } (http block)
  • Triggering command: /usr/bin/gh gh workflow list --repo owner/repo --json name,path,state kflows/python-data-charts.lock.yml w/js/**/*.json' git (http block)
• https://api.github.com/repos/test-owner/test-repo/actions/secrets
  • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name ithub/workflows (http block)
• https://api.github.com/repos/test/repo
  • Triggering command: /usr/bin/gh gh api /repos/test/repo --jq .default_branch k/gh-aw/gh-aw/.github/workflows -f /usr/bin/gh -f owner=github -f /usr/bin/gh api graphql -f er: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnablxterm-color -f owner=github -f git (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[pelikhan]

@copilot merge main and recompile

[Copilot]

@copilot merge main and recompile

Done in fd3f8f4 — merged origin/main (resolved one conflict in WorkflowData struct, keeping our LabelNames field alongside the new CachedConcurrencyGroupExprErr/Set and CachedParsedToolsets fields from main) and recompiled all 204 workflow lock files successfully.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw _value"]."\n"; (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw vmeorf1 (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv (http block)
• https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv -main/dist/index.js (http block)
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv (http block)
• https://api.github.com/repos/github/gh-aw
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .default_branch (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[pelikhan]

@copilot define a non-empty string type and use it here to avoid labels: ['']

[Copilot]

Done in 0a70bdc — added a non_empty_string $def ({ "type": "string", "minLength": 1 }) to the schema's $defs section and updated the on.labels field to use $ref: "#/$defs/non_empty_string" for both the scalar and array-item forms, preventing labels: [''].