
rust-guard: replace magic integrity strings with constants; add security-tool label tests#6470

Merged
lpcox merged 2 commits into
mainfrom
copilot/rust-guard-replace-magic-strings
May 25, 2026

Conversation

Contributor

Copilot AI commented May 25, 2026

Two helper functions in helpers.rs used raw string literals "none" and "approved" as fallback defaults while every other reference in the codebase uses policy_integrity::NONE / policy_integrity::APPROVED. Additionally, the security-sensitive arms of apply_tool_labels (secret scanning, code scanning, Dependabot, job logs) lacked unit tests to enforce their always-private invariant.

Changes

labels/helpers.rs — eliminate magic strings

  • effective_disapproval_integrity: "none" → super::constants::policy_integrity::NONE
  • effective_endorser_min_integrity: "approved" → super::constants::policy_integrity::APPROVED
// Before
fn effective_disapproval_integrity<'a>(ctx: &'a PolicyContext) -> &'a str {
    let v = ctx.disapproval_integrity.trim();
    if v.is_empty() { "none" } else { v }
}

// After
fn effective_disapproval_integrity<'a>(ctx: &'a PolicyContext) -> &'a str {
    let v = ctx.disapproval_integrity.trim();
    if v.is_empty() { super::constants::policy_integrity::NONE } else { v }
}

labels/tool_rules.rs — security-tool label tests

Three new tests added to the #[cfg(test)] block, guarding against regressions where a refactor could silently apply visibility-inherited secrecy to these tools (leaking data on public repos):

Test and tools covered:

  • apply_tool_labels_secret_scanning_is_always_private: list_secret_scanning_alerts, get_secret_scanning_alert
  • apply_tool_labels_code_scanning_and_dependabot_are_always_private: list_code_scanning_alerts, get_code_scanning_alert, list_dependabot_alerts, get_dependabot_alert
  • apply_tool_labels_get_job_logs_is_always_private: get_job_logs

Each test asserts that secrecy contains a private: label and integrity contains an approved: label, regardless of repo visibility.
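An added example, not rust-guard's own code, of the two patterns this PR enforces: a constants module used as the fallback instead of a bare literal, and an always-private rule for the listed security tools that holds regardless of repo visibility. The `policy_integrity` module contents, `Visibility`, `ToolLabels`, `ALWAYS_PRIVATE_TOOLS` and the `private:<repo>` / `approved:<repo>` label formats are assumptions.

```rust
// Added example, not rust-guard's own code: the constants module, the
// `ALWAYS_PRIVATE_TOOLS` list, `Visibility`, `ToolLabels` and the
// "private:<repo>" / "approved:<repo>" label formats are assumptions.
mod policy_integrity {
    pub const NONE: &str = "none";
    pub const APPROVED: &str = "approved";
}

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Visibility { Public, Private }

#[derive(Debug, Default, PartialEq)]
pub struct ToolLabels {
    pub secrecy: Vec<String>,
    pub integrity: Vec<String>,
}

/// Tools named in the PR whose output must never inherit repo visibility.
pub const ALWAYS_PRIVATE_TOOLS: &[&str] = &[
    "list_secret_scanning_alerts", "get_secret_scanning_alert",
    "list_code_scanning_alerts", "get_code_scanning_alert",
    "list_dependabot_alerts", "get_dependabot_alert",
    "get_job_logs",
];

/// Fallback in the shape of the fixed helper: an empty setting yields the
/// NONE constant rather than a bare "none" literal that could drift.
pub fn effective_integrity(configured: &str) -> &str {
    let v = configured.trim();
    if v.is_empty() { policy_integrity::NONE } else { v }
}

/// Security tools get private secrecy and approved integrity unconditionally;
/// everything else inherits secrecy from the repo's visibility.
pub fn apply_tool_labels(tool: &str, repo: &str, vis: Visibility) -> ToolLabels {
    let mut labels = ToolLabels::default();
    if ALWAYS_PRIVATE_TOOLS.contains(&tool) {
        labels.secrecy.push(format!("private:{}", repo));
        labels.integrity.push(format!("{}:{}", policy_integrity::APPROVED, repo));
    } else if vis == Visibility::Private {
        labels.secrecy.push(format!("private:{}", repo));
    }
    labels
}

/// True when some label in the list carries the given prefix (e.g. "private:").
pub fn has_prefix(labels: &[String], prefix: &str) -> bool {
    labels.iter().any(|l| l.starts_with(prefix))
}
```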

Copilot AI changed the title from "[WIP] Replace magic integrity strings with constants in Rust Guard" to "rust-guard: replace magic integrity strings with constants; add security-tool label tests" May 25, 2026
Copilot AI requested a review from lpcox May 25, 2026 14:20
Copilot finished work on behalf of lpcox May 25, 2026 14:20
@lpcox lpcox marked this pull request as ready for review May 25, 2026 14:24
Copilot AI review requested due to automatic review settings May 25, 2026 14:24
Contributor

Copilot AI left a comment


Pull request overview

This PR tightens the Rust GitHub guard’s labeling consistency and strengthens regression protection for security-sensitive tools by removing hard-coded integrity tokens and adding unit tests that enforce always-private secrecy for security tooling outputs.

Changes:

  • Replace fallback magic strings in labels/helpers.rs with canonical policy_integrity::{NONE,APPROVED} constants.
  • Add unit tests in labels/tool_rules.rs ensuring secret scanning, code scanning, Dependabot alerts, and job logs always receive private secrecy and approved integrity labels.
Summary per file:

  • guards/github-guard/rust-guard/src/labels/helpers.rs: Replaces "none" / "approved" fallbacks with canonical integrity constants to avoid drift/typos.
  • guards/github-guard/rust-guard/src/labels/tool_rules.rs: Adds tests enforcing always-private secrecy + approved integrity for security-tool endpoints.

Copilot's findings


  • Files reviewed: 2/2 changed files
  • Comments generated: 0

@lpcox lpcox merged commit 1695cf7 into main May 25, 2026
27 checks passed
@lpcox lpcox deleted the copilot/rust-guard-replace-magic-strings branch May 25, 2026 14:28

Development

Successfully merging this pull request may close these issues.

[rust-guard] Rust Guard: Replace magic integrity strings with constants + add security-tool label tests

3 participants