Skip to content

[Repo Assist] refactor(rust-guard): use policy_integrity constants and add security-tool label tests#6466

Merged
lpcox merged 3 commits into
mainfrom
repo-assist/fix-rust-guard-6458-5a4ba51b816212ae
May 25, 2026
Merged

[Repo Assist] refactor(rust-guard): use policy_integrity constants and add security-tool label tests#6466
lpcox merged 3 commits into
mainfrom
repo-assist/fix-rust-guard-6458-5a4ba51b816212ae

Conversation

@github-actions
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot commented May 25, 2026

🤖 This is an automated pull request from Repo Assist, an AI assistant.

Closes #6458

Summary

Two improvements to the Rust guard as described in issue #6458:

1. Replace magic string literals with policy_integrity constants (helpers.rs)

Two private helpers — effective_disapproval_integrity and effective_endorser_min_integrity — used raw "none" and "approved" literals as fallback values. Every other part of the codebase uses policy_integrity::NONE and policy_integrity::APPROVED from constants.rs. This fix brings those two outliers in line.

2. Add unit tests for security-sensitive apply_tool_labels arms (tool_rules.rs)

Added three tests covering the arms that must unconditionally apply private: secrecy regardless of repository visibility:

  • apply_tool_labels_secret_scanning_is_always_private — covers list_secret_scanning_alerts, get_secret_scanning_alert
  • apply_tool_labels_code_scanning_and_dependabot_are_always_private — covers list_code_scanning_alerts, get_code_scanning_alert, list_dependabot_alerts, get_dependabot_alert
  • apply_tool_labels_get_job_logs_is_always_private — covers get_job_logs

These are the highest-risk arms in apply_tool_labels: a refactor accidentally using apply_repo_visibility_secrecy instead would silently expose secret-scanning alerts, Dependabot findings, and CI logs on public repos — with no test to catch it.

Test Status

Rust tests: All 435 tests pass (cargo test in guards/github-guard/rust-guard/), including the 3 new tests.

⚠️ Go build/test: Go toolchain v1.25.0 download was blocked by network firewall (infrastructure limitation, unrelated to this change). These changes only touch Rust files under guards/.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • proxy.golang.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "proxy.golang.org"

See Network Configuration for more information.

Generated by Repo Assist · ● 2M ·

To install this agentic workflow, run

gh aw add githubnext/agentics/workflows/repo-assist.md@851905c06e905bf362a9f6cc54f912e3df747d55

@github-actions
refactor(rust-guard): use policy_integrity constants and add security…
6415a01 
…-tool tests

Replace magic string literals in helpers.rs with policy_integrity::NONE
and policy_integrity::APPROVED constants from constants.rs, making the
defaults consistent with all other uses of these constants.

Add three new unit tests in tool_rules.rs covering the security-sensitive
apply_tool_labels arms (secret scanning, code scanning + Dependabot, job
logs) that must unconditionally produce private: secrecy regardless of
repo visibility. These arms had zero test coverage despite being
security-critical.

Closes #6458

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@lpcox lpcox marked this pull request as ready for review May 25, 2026 14:13
Copilot AI review requested due to automatic review settings May 25, 2026 14:13
Copilot AI reviewed May 25, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the Rust guard’s labeling logic to improve consistency and add regression coverage for security-sensitive tool labeling, addressing #6458.

Changes:

  • Refactors helpers.rs to use policy_integrity constants (NONE, APPROVED) instead of string literals for default integrity levels.
  • Adds unit tests in tool_rules.rs to ensure certain security-related tools always receive private secrecy labels and writer-level integrity.
Show a summary per file
File Description
guards/github-guard/rust-guard/src/labels/tool_rules.rs Adds new unit tests covering security-sensitive apply_tool_labels match arms (secret scanning, code scanning/Dependabot, job logs).
guards/github-guard/rust-guard/src/labels/helpers.rs Replaces magic default integrity strings with policy_integrity constants for consistency.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 2/2 changed files
  • Comments generated: 3

Comment thread guards/github-guard/rust-guard/src/labels/tool_rules.rs Outdated
Comment on lines +982 to +989
assert!(
secrecy.iter().any(|s| s.starts_with("private:")),
"{tool}: expected private secrecy label, got {secrecy:?}",
);
assert!(
integrity.iter().any(|s| s.starts_with("approved:")),
"{tool}: expected writer-level (approved) integrity, got {integrity:?}",
);
Comment thread guards/github-guard/rust-guard/src/labels/tool_rules.rs Outdated
Comment on lines +1008 to +1015
assert!(
secrecy.iter().any(|s| s.starts_with("private:")),
"{tool}: expected private secrecy label, got {secrecy:?}",
);
assert!(
integrity.iter().any(|s| s.starts_with("approved:")),
"{tool}: expected writer-level (approved) integrity, got {integrity:?}",
);
Comment thread guards/github-guard/rust-guard/src/labels/tool_rules.rs Outdated
Comment on lines +1028 to +1035
assert!(
secrecy.iter().any(|s| s.starts_with("private:")),
"get_job_logs: expected private secrecy label (CI logs may contain tokens), got {secrecy:?}",
);
assert!(
integrity.iter().any(|s| s.starts_with("approved:")),
"get_job_logs: expected writer-level (approved) integrity, got {integrity:?}",
);
@lpcox
Copy link
Copy Markdown
Collaborator

lpcox commented May 25, 2026

@copilot address review feedback

Copy link
Copy Markdown
Contributor

Copilot AI commented May 25, 2026

@copilot address review feedback

Done. All three tests now assert equality against private_label(owner, repo, repo_id, ctx) (which delegates to policy_private_scope_label) and writer_integrity(repo_id, ctx) instead of using starts_with checks. This correctly verifies both the scope and the label value. All 435 Rust tests still pass.

Copilot finished work on behalf of lpcox May 25, 2026 14:21
Copilot AI requested a review from lpcox May 25, 2026 14:21
@lpcox
Copy link
Copy Markdown
Collaborator

lpcox commented May 25, 2026

@copilot resolve the merge conflicts in this pull request

Copy link
Copy Markdown
Contributor

Copilot AI commented May 25, 2026

@copilot resolve the merge conflicts in this pull request

Merge conflicts resolved. The two conflicting files were helpers.rs (import style for policy_integrity constants) and tool_rules.rs (our assert_eq! vs main's starts_with assertions). I kept our versions of both — helpers.rs uses the already-imported policy_integrity name, and tool_rules.rs retains the precise assert_eq! checks against private_label/writer_integrity as requested in the review. All tests pass.

Copilot finished work on behalf of lpcox May 25, 2026 14:32
@lpcox lpcox merged commit 282c86d into main May 25, 2026
14 checks passed
@lpcox lpcox deleted the repo-assist/fix-rust-guard-6458-5a4ba51b816212ae branch May 25, 2026 14:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@lpcox lpcox Awaiting requested review from lpcox

Assignees

No one assigned

Labels

automation repo-assist

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[rust-guard] Rust Guard: Replace magic integrity strings with constants + add security-tool label tests

3 participants

@lpcox