[rust-guard] Consolidate identical repo-scoped match arms and extract approval-label promotion helper by Copilot · Pull Request #2508 · github/gh-aw-mcpg

Copilot · 2026-03-25T14:58:11Z

Two refactors to reduce duplication in the Rust guard with no behavior changes.

`tool_rules.rs`: Consolidate 11 identical match arms

11 arms across 17 tool names all shared the same two-line body. Collapsed into one arm:

// Before: 11 separate arms (~90 lines total)
"actions_get" | "actions_list" => {
    secrecy = apply_repo_visibility_secrecy(&owner, &repo, repo_id, secrecy, ctx);
    integrity = writer_integrity(repo_id, ctx);
}
// ... 10 more identical blocks scattered through the file

// After: one arm (~22 lines)
"actions_get" | "actions_list" | "get_discussion" | "get_discussion_comments"
| "get_job_logs" | "get_label" | "get_repository" | "get_repository_tree"
| "get_tag" | "list_branches" | "list_discussion_categories" | "list_discussions"
| "list_label" | "list_releases" | "get_latest_release" | "get_release_by_tag"
| "list_tags" => {
    secrecy = apply_repo_visibility_secrecy(&owner, &repo, repo_id, secrecy, ctx);
    integrity = writer_integrity(repo_id, ctx);
}

`helpers.rs`: Extract `apply_approval_label_promotion`

pr_integrity and issue_integrity ended with an identical 13-line approval-label promotion block, differing only in the log prefix ("pr:" vs "issue:"). Extracted into a shared helper:

fn apply_approval_label_promotion(
    item: &Value,
    resource_type: &str,  // "pr" or "issue"
    repo_full_name: &str,
    integrity: Vec<String>,
    ctx: &PolicyContext,
) -> Vec<String>

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

example.com
- Triggering command: /tmp/go-build861487278/b333/launcher.test /tmp/go-build861487278/b333/launcher.test -test.testlogfile=/tmp/go-build861487278/b333/testlog.txt -test.paniconexit0 -test.timeout=10m0s 64/s�� ache/go/1.25.8/x64/src/runtime/c-c=4 erive-f8a9da973ea849b8.serde_der-nolocalimports x_amd64/vet erive-f8a9da973e/opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet terpreter /home/REDACTED/.ru-unreachable=false x_amd64/vet go_.�� --noprofile /home/REDACTED/.rustup/toolchains/stable-x86_64-un--64 x_amd64/vet /home/REDACTED/.ru/tmp/go-build861487278/b315/cmd.test 2979575/b136/ bug/deps/rustcxy-test.paniconexit0 x_amd64/vet (dns block)
invalid-host-that-does-not-exist-12345.com
- Triggering command: /tmp/go-build861487278/b318/config.test /tmp/go-build861487278/b318/config.test -test.testlogfile=/tmp/go-build861487278/b318/testlog.txt -test.paniconexit0 -test.timeout=10m0s eriv�� 64/src/runtime/cgo erive-f8a9da973ea849b8.serde_dergithub.com/tetratelabs/wazero/internal/wasmdebug x_amd64/compile erive-f8a9da973e/opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet abis erive-f8a9da973e-unreachable=false x_amd64/compile eriv�� ortcfg erive-f8a9da973ea849b8.serde_der-nolocalimports x_amd64/vet erive-f8a9da973e/opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet erive-f8a9da973e-unsafeptr=false 64-REDACTED-linux-unreachable=false x_amd64/vet (dns block)
nonexistent.local
- Triggering command: /tmp/go-build861487278/b333/launcher.test /tmp/go-build861487278/b333/launcher.test -test.testlogfile=/tmp/go-build861487278/b333/testlog.txt -test.paniconexit0 -test.timeout=10m0s 64/s�� ache/go/1.25.8/x64/src/runtime/c-c=4 erive-f8a9da973ea849b8.serde_der-nolocalimports x_amd64/vet erive-f8a9da973e/opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet terpreter /home/REDACTED/.ru-unreachable=false x_amd64/vet go_.�� --noprofile /home/REDACTED/.rustup/toolchains/stable-x86_64-un--64 x_amd64/vet /home/REDACTED/.ru/tmp/go-build861487278/b315/cmd.test 2979575/b136/ bug/deps/rustcxy-test.paniconexit0 x_amd64/vet (dns block)
slow.example.com
- Triggering command: /tmp/go-build861487278/b333/launcher.test /tmp/go-build861487278/b333/launcher.test -test.testlogfile=/tmp/go-build861487278/b333/testlog.txt -test.paniconexit0 -test.timeout=10m0s 64/s�� ache/go/1.25.8/x64/src/runtime/c-c=4 erive-f8a9da973ea849b8.serde_der-nolocalimports x_amd64/vet erive-f8a9da973e/opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet terpreter /home/REDACTED/.ru-unreachable=false x_amd64/vet go_.�� --noprofile /home/REDACTED/.rustup/toolchains/stable-x86_64-un--64 x_amd64/vet /home/REDACTED/.ru/tmp/go-build861487278/b315/cmd.test 2979575/b136/ bug/deps/rustcxy-test.paniconexit0 x_amd64/vet (dns block)
this-host-does-not-exist-12345.com
- Triggering command: /tmp/go-build861487278/b342/mcp.test /tmp/go-build861487278/b342/mcp.test -test.testlogfile=/tmp/go-build861487278/b342/testlog.txt -test.paniconexit0 -test.timeout=10m0s go_.�� v0.12.18/builtin-p v0.12.18/code.gogithub.com/github/gh-aw-mcpg/internal/config/rules x_amd64/vet -p github.com/segme-qE -lang=go1.17 x_amd64/vet -I g_.a 2979575/b151/ x_amd64/vet -o go-sdk/internal/docker-cli-plugin-metadata /tmp/cc6Vi6PM.s x_amd64/vet (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Configure Actions setup steps to set up my environment, which run before the firewall is enabled
Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

📍 Connect Copilot coding agent with Jira, Azure Boards or Linear to delegate work to Copilot in one click without leaving your project management tool.

…promotion helper Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> Agent-Logs-Url: https://github.com/github/gh-aw-mcpg/sessions/c372969c-97ba-4f22-a304-c3483b5d3ba2

Copilot

Pull request overview

Refactors Rust GitHub guard labeling logic to reduce duplication while keeping labeling behavior unchanged, improving maintainability of tool-to-label mappings and integrity promotion logic.

Changes:

Consolidates multiple identical repo-scoped match arms in apply_tool_labels into a single combined arm.
Extracts shared approval-label integrity promotion logic from pr_integrity and issue_integrity into a new helper.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
guards/github-guard/rust-guard/src/labels/tool_rules.rs	Collapses identical repo-scoped tool match arms into one arm that applies repo-visibility secrecy and writer-level integrity.
guards/github-guard/rust-guard/src/labels/helpers.rs	Introduces `apply_approval_label_promotion` and uses it from PR/issue integrity computation to remove duplicated logic.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Initial plan

d368e18

Copilot AI assigned Copilot and lpcox Mar 25, 2026

Copilot AI linked an issue Mar 25, 2026 that may be closed by this pull request

[rust-guard] Rust Guard: Consolidate 11 identical repo-scoped writer arms in tool_rules.rs #2501

Closed

Copilot started work on behalf of lpcox March 25, 2026 14:58 View session

Consolidate 11 identical repo-scoped arms and extract approval-label …

9a7e1af

…promotion helper Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> Agent-Logs-Url: https://github.com/github/gh-aw-mcpg/sessions/c372969c-97ba-4f22-a304-c3483b5d3ba2

Copilot AI changed the title ~~[WIP] Consolidate identical match arms in tool_rules.rs~~ [rust-guard] Consolidate identical repo-scoped match arms and extract approval-label promotion helper Mar 25, 2026

Copilot AI requested a review from lpcox March 25, 2026 15:07

Copilot finished work on behalf of lpcox March 25, 2026 15:07

lpcox marked this pull request as ready for review March 25, 2026 15:09

Copilot AI review requested due to automatic review settings March 25, 2026 15:09

Copilot started reviewing on behalf of lpcox March 25, 2026 15:10 View session

lpcox merged commit 6ac3011 into main Mar 25, 2026
17 checks passed

lpcox deleted the copilot/rust-guard-consolidate-match-arms branch March 25, 2026 15:10

Copilot AI reviewed Mar 25, 2026

View reviewed changes

This was referenced Mar 25, 2026

Smoke Test: Copilot - 23548403714 #2512

Closed

Smoke Test: Copilot - 23551056676 #2515

Closed

Smoke Test: Copilot - 23551194574 #2516

Closed

Smoke Test: Copilot - 23552684437 #2519

Closed

Guards and Integrity: tracking issue #1711

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[rust-guard] Consolidate identical repo-scoped match arms and extract approval-label promotion helper#2508

[rust-guard] Consolidate identical repo-scoped match arms and extract approval-label promotion helper#2508
lpcox merged 2 commits intomainfrom
copilot/rust-guard-consolidate-match-arms

Copilot AI commented Mar 25, 2026 •

edited

Loading

Uh oh!

Uh oh!

Copilot AI left a comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

Copilot AI commented Mar 25, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

tool_rules.rs: Consolidate 11 identical match arms

helpers.rs: Extract apply_approval_label_promotion

I tried to connect to the following addresses, but was blocked by firewall rules:

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Copilot AI commented Mar 25, 2026 •

edited

Loading

`tool_rules.rs`: Consolidate 11 identical match arms

`helpers.rs`: Extract `apply_approval_label_promotion`