
[Repo Assist] refactor(rust-guard): consolidate check_file_secrecy into is_sensitive predicate#7786

Merged: lpcox merged 2 commits into main from repo-assist/improve-check-file-secrecy-7773-febecbde68535ecc on Jun 19, 2026


@github-actions

Contributor

🤖 This PR is from Repo Assist, an automated AI assistant for this repository.

Closes #7773

What

Two improvements to check_file_secrecy in guards/github-guard/rust-guard/src/labels/tool_rules.rs:

1. Single is_sensitive predicate (zero behavior change)

The function had four separate early-return paths, each calling policy_private_scope_label(owner, repo, repo_id, ctx) verbatim. This buries the single decision point ("is this file sensitive?") inside a chain of guarded returns.

Before: 4× return policy_private_scope_label(...), let filename defined mid-function
After: one is_sensitive boolean combining all four conditions with ||; single call to policy_private_scope_label at the end; let filename hoisted alongside let path_lower

The refactoring makes the invariant explicit and eliminates 3 duplicate calls.

2. Two new tests for the segment-starts-with branch

The second condition (path.split('/').any(|seg| seg.starts_with(pattern))) had zero test coverage — a regression there would be silent. Added:

  • configs/.env.local: .env.local starts with .env but does not end with .env, so only the segment check fires
  • keys/id_rsa.pub: id_rsa.pub starts with id_rsa but does not end with id_rsa, so only the segment check fires

Test Status

507 tests pass (up from 505; the 2 new tests are included):

test result: ok. 507 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out; finished in 0.02s

⚠️ Infrastructure note: proxy.golang.org is blocked by the environment firewall, preventing Go build/test. The change is Rust-only; all Rust tests pass via cargo test.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • proxy.golang.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "proxy.golang.org"

See Network Configuration for more information.

Generated by Repo Assist · 2.1K AIC · ⊞ 50.2K ·
Comment /repo-assist to run again

Add this agentic workflow to your repo

To install this agentic workflow, run

gh aw add githubnext/agentics/workflows/repo-assist.md@851905c06e905bf362a9f6cc54f912e3df747d55
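
The branch that the two new tests target, as an added sketch that is not the project's tool_rules.rs: PATTERNS, the function names and the suffix condition are assumptions, and only the segment check is quoted on the page. It shows why a path such as configs/.env.local is labelled only if the segment-starts-with condition is present in the OR-ed predicate.

```rust
// Added illustration, not the project's tool_rules.rs. PATTERNS, the function
// names and the suffix condition are assumptions; only the segment check
// (path.split('/').any(|seg| seg.starts_with(pattern))) is quoted on the page.
const PATTERNS: &[&str] = &[".env", "id_rsa"]; // constructed sample list

/// Assumed condition: the lower-cased path ends with a pattern.
fn ends_with_pattern(path_lower: &str) -> bool {
    PATTERNS.iter().any(|p| path_lower.ends_with(*p))
}

/// Condition quoted on the page: some '/'-separated segment starts with a pattern.
fn segment_starts_with_pattern(path_lower: &str) -> bool {
    PATTERNS
        .iter()
        .any(|p| path_lower.split('/').any(|seg| seg.starts_with(*p)))
}

/// Single decision point: the conditions are OR-ed once, so the caller maps
/// "sensitive" to a label in exactly one place.
fn is_sensitive(path: &str) -> bool {
    let path_lower = path.to_lowercase();
    ends_with_pattern(&path_lower) || segment_starts_with_pattern(&path_lower)
}

/// Reports (suffix_hit, segment_hit) so a test can pin a path to one branch.
fn fired(path: &str) -> (bool, bool) {
    let path_lower = path.to_lowercase();
    (
        ends_with_pattern(&path_lower),
        segment_starts_with_pattern(&path_lower),
    )
}

// Constructed sample paths; the first two are the ones named in the PR.
const SAMPLES: [&str; 5] = [
    "configs/.env.local",
    "keys/id_rsa.pub",
    "backup/old.env",
    "docs/my.environment.md",
    "src/main.rs",
];

fn main() {
    for path in SAMPLES.iter() {
        let (suffix, segment) = fired(path);
        println!("{} suffix={} segment={} sensitive={}", path, suffix, segment, is_sensitive(path));
    }
}
```

If the segment condition were dropped from `is_sensitive`, the first two sample paths would stop being labelled while every suffix-based test kept passing, which is the silent regression the PR description refers to.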

…e predicate

Closes #7773

Two improvements to check_file_secrecy in tool_rules.rs:

1. Consolidate four separate early-return paths (each calling
   policy_private_scope_label verbatim) into a single is_sensitive
   boolean predicate. The 'what is sensitive?' logic is now separated
   from 'what do we return?', making the decision point explicit and
   eliminating 3 duplicate policy_private_scope_label calls. Also
   hoists let filename to the top of the function alongside let path_lower
   so all local bindings are linear. Zero behavior change.

2. Add two tests for the segment-starts-with branch of check_file_secrecy
   which previously had no coverage:
   - configs/.env.local: segment starts with .env but does not end with
     .env, so only the segment check catches it
   - keys/id_rsa.pub: segment starts with id_rsa but does not end with
     id_rsa, so only the segment check catches it

All 507 existing + new tests pass.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

@lpcox marked this pull request as ready for review June 19, 2026 14:36
Copilot AI review requested due to automatic review settings June 19, 2026 14:36

Copilot AI left a comment

Contributor

✅ Ready to approve

The refactor appears behavior-preserving and the added tests improve coverage for a previously untested sensitivity-detection path.

Note: this review does not count toward required approvals for merging.

Pull request overview

This PR refactors the Rust guard’s check_file_secrecy logic to make the “is this path sensitive?” decision explicit and non-duplicative, while also adding targeted tests to cover an otherwise untested branch of the sensitivity detection logic.

Changes:

  • Consolidates multiple early-return branches in check_file_secrecy into a single is_sensitive predicate with one call site for policy_private_scope_label(...).
  • Adds two unit tests to specifically exercise the path.split('/').any(|seg| seg.starts_with(pattern)) branch using realistic filenames (.env.local, id_rsa.pub).

File summaries

File: guards/github-guard/rust-guard/src/labels/tool_rules.rs
Description: Refactors check_file_secrecy into a single boolean predicate and adds tests for the segment-starts-with sensitivity branch.

Copilot's findings

  • Files reviewed: 1/1 changed files
  • Comments generated: 0


@lpcox

lpcox commented Jun 19, 2026

Collaborator

@copilot resolve the merge conflicts in this pull request

Copilot AI commented Jun 19, 2026

Contributor

@copilot resolve the merge conflicts in this pull request

Done. Merged main into the branch — the only conflict was in tool_rules.rs where both sides added new tests. Both sets of tests are now included (the PR's two check_file_secrecy coverage tests and main's apply_tool_labels_* tests for get_code_quality_finding, ui_get, add_gpg_key, and add_ssh_key). All 512 Rust tests pass.

Copilot finished work on behalf of lpcox June 19, 2026 14:55
Copilot AI requested a review from lpcox June 19, 2026 14:55
@lpcox merged commit d074ec8 into main Jun 19, 2026
26 checks passed
@lpcox deleted the repo-assist/improve-check-file-secrecy-7773-febecbde68535ecc branch June 19, 2026 15:22

Development

Successfully merging this pull request may close these issues.

[rust-guard] Rust Guard: Consolidate check_file_secrecy into a single is_sensitive predicate
