`allowed-repos` not accepted inline for `assign-to-user` and `remove-labels` safe outputs (schema gap)

[benvillalobos]

Summary

allowed-repos is accepted inline for add-labels and unassign-from-user, but rejected by the compiler for assign-to-user and remove-labels. This appears to be a schema validation gap — the field is missing from the JSON schema for these two types.

Reproduction

safe-outputs:
  add-labels:
    target: "*"
    target-repo: "microsoft/vscode"
    allowed-repos: ["microsoft/vscode", "microsoft/vscode-engineering"]
    max: 5
  remove-labels:
    target: "*"
    target-repo: "microsoft/vscode"
    allowed-repos: ["microsoft/vscode", "microsoft/vscode-engineering"]
    max: 2
  assign-to-user:
    target: "*"
    target-repo: "microsoft/vscode"
    allowed-repos: ["microsoft/vscode", "microsoft/vscode-engineering"]
    max: 1
  unassign-from-user:
    target: "*"
    target-repo: "microsoft/vscode"
    allowed-repos: ["microsoft/vscode", "microsoft/vscode-engineering"]
    max: 2

gh aw compile

Result:

- at '/safe-outputs/assign-to-user': Unknown property: allowed-repos. Valid fields are: allowed, blocked, github-token, max, target, target-repo, unassign-first
- at '/safe-outputs/remove-labels': Unknown property: allowed-repos. Valid fields are: allowed, blocked, github-token, max, target, target-repo

add-labels and unassign-from-user compile without error.

Consistency Table

Safe Output	Inline allowed-repos
add-labels	✅ Accepted
remove-labels	❌ Compile error
assign-to-user	❌ Compile error
unassign-from-user	✅ Accepted

Additional Question

For the two types that do compile (add-labels, unassign-from-user) — does allowed-repos actually get wired into config.json and GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG at runtime? In my earlier testing with the shared import path (#15238), the compiler accepted the field but didn't emit it into the runtime configs. If the same is true for inline, the field compiles but has no effect.

Use Case

Cross-repository triage workflow in microsoft/vscode-engineering operating on microsoft/vscode issues. We need allowed-repos on all safe-output types to validate that the agent only targets approved repositories — defense-in-depth beyond target-repo alone.

Related Issues

• allowed-repos does not work for add-labels and close-issue safe outputs (works for add-comment) #15238 — Original allowed-repos report (closed, but fix appears incomplete for these two types)
• remove_labels and assign_to_user safe output handlers do not support target-repo for cross-repository operations #15216 — remove_labels/assign_to_user handler cross-repo fix

Environment

• gh-aw: v0.50.0
• OS: Windows

---

repos drift apart —
some fields know allowed-repos,
two still don't compile