Refactor safe-outputs max validation into dedicated module to enforce validator file size limit #26581

Merged
pelikhan merged 4 commits into main from copilot/extract-max-value-validation
Apr 16, 2026

Copilot AI commented Apr 16, 2026

pkg/workflow/safe_outputs_validation.go exceeded the 300-line validator hard limit. This PR isolates max-value validation into a separate file without changing behavior, bringing the original validator file back under the limit.

  • Scope

    • Moves max-validation logic into a dedicated module in the same package.
    • Keeps target/domain validation logic in safe_outputs_validation.go.
  • Code reorganization

    • Added pkg/workflow/safe_outputs_max_validation.go containing:
      • validateSafeOutputsMax
      • isInvalidMaxValue
      • associated logger/constant used by max validation
    • Removed those definitions from pkg/workflow/safe_outputs_validation.go.
  • Result

    • pkg/workflow/safe_outputs_validation.go is now below the 300-line hard limit.
    • Validation behavior remains unchanged (pure extraction/refactor).

// now in pkg/workflow/safe_outputs_max_validation.go
func validateSafeOutputsMax(config *SafeOutputsConfig) error {
    // existing max validation logic moved verbatim
}

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env ath ../../../.pr**/*.json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name -json GO111MODULE modules/@npmcli/run-script/lib/node-gyp-bin/sh GOINSECURE GOMOD GOMODCACHE go env ath ../../../.pr**/*.json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI and others added 3 commits April 16, 2026 08:01
Copilot AI changed the title [WIP] Refactor safe_outputs_validation.go to meet 300-line limit Refactor safe-outputs max validation into dedicated module to enforce validator file size limit Apr 16, 2026
Copilot AI requested a review from pelikhan April 16, 2026 08:36
@github-actions
Contributor

Hey @Copilot 👋 — great work keeping the codebase tidy! Enforcing the 300-line hard limit on safe_outputs_validation.go via a clean code-move is exactly the kind of maintenance that keeps the project healthy.

One small gap to address before this lands:

  • Add or confirm test coverage — the extracted functions (validateSafeOutputsMax, isInvalidMaxValue) have no test-file changes in this PR. Even though the logic is a verbatim move, adding (or explicitly confirming that existing tests cover) the new file location would make it easier for reviewers to verify that the refactor didn't break anything silently. If tests already exist in a _test.go file that exercises these functions, a brief note in the PR body would suffice; otherwise, a small test file alongside the new module would be ideal.

If you'd like a hand with that:

Add unit tests for the extracted max-validation logic in pkg/workflow/safe_outputs_max_validation.go.
Create pkg/workflow/safe_outputs_max_validation_test.go covering:
1. isInvalidMaxValue — valid cases: positive integer (e.g. 1, 5) and -1 (unlimited); invalid cases: 0 and negative integers other than -1.
2. validateSafeOutputsMax — nil config returns nil; config with a valid max passes; config with max=0 returns an error; config with a DispatchRepository tool with an invalid max returns an error; GitHub Actions expression strings (e.g. "${{ inputs.max }}") are skipped.

Generated by Contribution Check · ● 2.4M ·

@pelikhan pelikhan marked this pull request as ready for review April 16, 2026 14:00
Copilot AI review requested due to automatic review settings April 16, 2026 14:00
@pelikhan pelikhan merged commit 0ca79ca into main Apr 16, 2026
53 checks passed
@pelikhan pelikhan deleted the copilot/extract-max-value-validation branch April 16, 2026 14:00
Contributor

Copilot AI left a comment

Pull request overview

Refactors safe-outputs max field validation into a dedicated module to keep safe_outputs_validation.go under the validator file-size limit, without changing validation behavior.

Changes:

  • Extracted validateSafeOutputsMax, isInvalidMaxValue, and the shared error suffix/logger into pkg/workflow/safe_outputs_max_validation.go.
  • Removed the extracted max-validation code (and now-unused imports) from pkg/workflow/safe_outputs_validation.go.
| File | Description |
| --- | --- |
| pkg/workflow/safe_outputs_validation.go | Removes max-validation logic and associated imports, leaving target/domain-related validation. |
| pkg/workflow/safe_outputs_max_validation.go | New file containing the extracted safe-outputs max validation logic and related helpers. |

Copilot's findings

  • Files reviewed: 2/2 changed files
  • Comments generated: 0

@github-actions github-actions bot mentioned this pull request Apr 16, 2026
@github-actions
Contributor

🏗️ Design Decision Gate — ADR Required

This PR makes significant changes to core business logic (118 new lines in pkg/workflow/) but does not have a linked Architecture Decision Record (ADR).

⚠️ The PR has already merged and the source branch was deleted. The draft ADR could not be pushed automatically. Please add it manually by committing the file below to main.

AI has analyzed the PR diff and generated a draft ADR to get started:

📄 Draft ADR: docs/adr/26581-enforce-300-line-file-size-limit-with-same-package-extraction.md

📋 View full draft ADR content
# ADR-26581: Enforce 300-Line File Size Limit via Same-Package Extraction

**Date**: 2026-04-16
**Status**: Draft
**Deciders**: pelikhan, Copilot

---

## Part 1 — Narrative (Human-Friendly)

### Context

The `pkg/workflow/safe_outputs_validation.go` file hosts validation logic for the safe-outputs subsystem. After adding max-value validation (the `validateSafeOutputsMax` family of functions), the file exceeded the repository's 300-line hard limit on Go source files. This limit exists to keep individual files reviewable and each validation concern navigable. A mechanism was needed to bring the file back under the limit without changing observable validation behavior or breaking package-level API contracts.

### Decision

We will extract max-value validation logic (`validateSafeOutputsMax`, `isInvalidMaxValue`, the `maxInvalidErrSuffix` constant, and the dedicated `safeOutputsMaxValidationLog` logger) into a new file `pkg/workflow/safe_outputs_max_validation.go` within the same `workflow` package. The extracted functions are moved verbatim — no logic changes, no new abstraction boundaries, no new package dependencies. The original file remains the home of target/domain validation; the new file owns max-value validation exclusively.

### Alternatives Considered

#### Alternative 1: Raise or Remove the 300-Line Limit
The 300-line limit could be increased or abolished. This was rejected because the limit exists to enforce readability discipline and to make code review tractable. Relaxing the limit whenever a file exceeds it defeats its purpose and creates a precedent for unbounded file growth.

#### Alternative 2: Move Max-Value Validation to a New Sub-Package
Max-value validation could be extracted to a dedicated sub-package (e.g., `pkg/workflow/maxvalidation`). This was rejected because the functions are tightly coupled to package-internal types (`SafeOutputsConfig`, `safeOutputFieldMapping`, `BaseSafeOutputConfig`) and `isExpressionString`. Introducing a sub-package boundary would require exporting these internals or duplicating them, adding unnecessary API surface for what is a purely internal concern.

#### Alternative 3: Inline Validation at Call Sites
The max-value validation could be inlined at each call site instead of being a named function. This was rejected because it would scatter the validation logic, reduce testability, and make future changes to the validation semantics harder to locate and reason about.

### Consequences

#### Positive
- `safe_outputs_validation.go` is back under the 300-line hard limit, satisfying the repository's readability policy.
- Max-value validation is now co-located in a single file, making the concern easier to find and modify.
- No behavioral change — existing tests continue to cover the logic through the same package-level entry points.

#### Negative
- The `workflow` package now has an additional file, slightly increasing directory navigational overhead.
- Shared package-level state (e.g., `safeOutputFieldMapping`) remains spread across files, which requires developers to search across files to understand the full data-flow.

#### Neutral
- The `go` compiler treats all files in a package as a single compilation unit, so the split introduces no visibility or import changes.
- Test files require no updates because the package-level function signatures are identical.

---

## Part 2 — Normative Specification (RFC 2119)

> The key words **MUST**, **MUST NOT**, **REQUIRED**, **SHALL**, **SHALL NOT**, **SHOULD**, **SHOULD NOT**, **RECOMMENDED**, **MAY**, and **OPTIONAL** in this section are to be interpreted as described in RFC 2119.

### File Size Enforcement

1. Go source files in `pkg/workflow/` **MUST NOT** exceed 300 lines.
2. When a file would exceed this limit, authors **MUST** extract logically cohesive functionality into a new file within the same package before merging.
3. The extracted file **MUST** be named after the concern it implements (e.g., `safe_outputs_max_validation.go` for max-value validation), not after the source file it was extracted from.
4. Extractions **MUST NOT** change observable behavior; the extracted code **SHOULD** be moved verbatim unless a simultaneous refactor is explicitly scoped and documented.

### Package Boundary Preservation

1. Extracted validation helpers that depend on package-internal types **MUST** remain in the same Go package as their callers.
2. Implementations **MUST NOT** export package-internal types solely to enable extraction into a sub-package.
3. Implementations **MAY** introduce a sub-package when the extracted logic is genuinely self-contained and has no dependency on unexported package symbols.

### Conformance

An implementation is considered conformant with this ADR if it satisfies all **MUST** and **MUST NOT** requirements above. Specifically: any extraction that keeps the originating file under 300 lines, places the new file in the same package, names it after the extracted concern, and introduces no behavioral change is conformant.

---

*This is a DRAFT ADR generated by the [Design Decision Gate](https://github.com/github/gh-aw/actions/runs/24514507835) workflow.*

What to do next

  1. Copy the draft ADR above into docs/adr/26581-enforce-300-line-file-size-limit-with-same-package-extraction.md on main
  2. Review and complete the draft — fill in any context the AI couldn't infer, and verify the alternatives and consequences are accurate
  3. Change status from Draft to Accepted once the team is satisfied

Why ADRs Matter

ADRs create a searchable, permanent record of why the codebase looks the way it does. Future contributors (and your future self) will thank you.


References: §24514507835

Note

🔒 Integrity filter blocked 1 item

The following item was blocked because it doesn't meet the GitHub integrity level.

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

🏗️ ADR gate enforced by Design Decision Gate 🏗️ · ● 196.6K ·

Development

Successfully merging this pull request may close these issues.

[plan] Bring safe_outputs_validation.go under the 300-line hard limit
