Skip to content

Allow on.roles single-string role values (not just all)#26789

Merged
pelikhan merged 2 commits intomainfrom
copilot/fix-misleading-compiler-error-roles
Apr 17, 2026
Merged

Allow on.roles single-string role values (not just all)#26789
pelikhan merged 2 commits intomainfrom
copilot/fix-misleading-compiler-error-roles

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Apr 17, 2026
edited
Loading

on.roles validation previously accepted string form only for all, which produced misleading guidance when users set a single role like write. This change makes single-string role values first-class, aligning schema validation with runtime role handling and documented behavior.

  • Schema validation: accept single role strings

    • Updated main_workflow_schema.json so on.roles string form now accepts:
      • admin, maintainer, maintain, write, triage, read, all
    • Keeps array form unchanged.

  • Compiler coverage: single-string role path

    • Added focused test coverage to ensure workflows compile when on.roles is a single role string and role-gating logic is present in output.

  • Docs: explicitly document single-string form

    • Updated frontmatter reference to show that roles: write is supported in addition to roles: all and role arrays.
on:
  issues:
    types: [opened]
  roles: write

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw 3827311/b238/vetrev-parse ache/go/1.25.8/x--show-toplevel git rev-�� --show-toplevel ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet /usr/bin/git /tmp/go-build136git -trimpath e/git git (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GO111MODULE cfg git rev-�� --show-toplevel go /usr/bin/git 2430-65372/test-git GO111MODULE ache/go/1.25.8/x--show-toplevel git (http block)
  • https://api.github.com/orgs/test-owner/actions/secrets
    • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json 1.5.0/jsonrpc/js-ifaceassert x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name --show-toplevel /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/compile /usr/bin/git /tmp/go-build413git -trimpath om/owner/repo.gi--show-toplevel git rev-�� --show-toplevel node /usr/bin/git /tmp/TestHashCon/opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/link -dwarf=false /usr/bin/git git (http block)
    • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name -json GO111MODULE ache/go/1.25.8/xGOMODCACHE GOINSECURE GOMOD GOMODCACHE go tion�� -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq [.object.sha, .object.type] | @tsv --git-dir 64/pkg/tool/linu-importcfg /usr/bin/infocmp L5Pf2dzjr 64/src/time/formrev-parse 64/pkg/tool/linu--show-toplevel infocmp -1 xterm-color 64/pkg/tool/linu-extld=gcc /usr/bin/git 7749801/b058/_pkgit om/modelcontextprev-parse 64/pkg/tool/linu--show-toplevel git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq [.object.sha, .object.type] | @tsv --show-toplevel x_amd64/link /usr/bin/infocmp y-frontmatter.mdgit GO111MODULE 64/bin/go infocmp -1 xterm-color sh /usr/bin/git "prettier" --chegit GOPROXY 64/bin/go git (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv /tmp/TestGuardPolicyMinIntegrityOnlyCompiledOutp-p config /usr/bin/git remote.origin.urgit GO111MODULE x_amd64/compile git rev-�� --show-toplevel sgM1d_TR1DWb /usr/bin/git -json GO111MODULE x_amd64/vet git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv sistency_InlinedImports3517889198/001/inlined-b.md remote /usr/bin/infocmp '**/*.ts' '**/*.git GO111MODULE 8d519d9/node_mod--show-toplevel infocmp -1 xterm-color go /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv t4053312510 YknE/_O2drKQQrICaTWjRYknE .yml -n1 --format=format:api --end-of-options--paginate ache/go/1.25.8/xrepos/{owner}/{repo}/actions/runs/2/artifacts -p or.md -trimpath ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet -I /tmp/go-build136rev-parse -I ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git 652298224 O8a-/w8uJjXynBhCrev-parse x_amd64/vet git rev-�� --show-toplevel x_amd64/vet /usr/bin/git 3827311/b070/_pkgit iMTA/2uapuyerpeirev-parse x_amd64/vet git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv --show-toplevel 3827311/b411/importcfg /usr/bin/git 0506-34564/test-git k/gh-aw/gh-aw/pkrev-parse ache/go/1.25.8/x--show-toplevel git rev-�� --show-toplevel ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile /usr/bin/git 3827311/b434/_pkgit -trimpath ache/go/1.25.8/x--show-toplevel git (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv --show-toplevel ache/go/1.25.8/x64/pkg/tool/linu-importcfg /usr/bin/git 8zZK/4EO7K7RFjw7git pkg/mod/github.crev-parse ache/go/1.25.8/xHEAD git rev-�� --show-toplevel ache/go/1.25.8/x64/pkg/tool/linu/tmp/go-build4133827311/b111/vet.cfg /usr/bin/git Onlyrepos_only_wgit 3827311/b253/vetrev-parse ache/go/1.25.8/x--show-toplevel git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv --show-toplevel go /usr/bin/git -json GO111MODULE ache/go/1.25.8/xHEAD git rev-�� --show-toplevel go /usr/bin/git 2430-65372/test-git GO111MODULE ache/go/1.25.8/x--show-toplevel git (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v9
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv -json 1.5.0/internal/xcontext/xcontext.go x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv -json age/common.go x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile abi/�� -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv remove remote2 /usr/bin/git g_.a qtyQmI_fS x_amd64/compile git rev-�� --git-dir x_amd64/compile /opt/hostedtoolcache/node/24.14.1/x64/bin/node ortcfg .cfg 64/pkg/tool/linu--show-toplevel /opt/hostedtoolcache/node/24.14.1/x64/bin/node (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv remove myorg /usr/bin/git repo1110267829/0git GO111MODULE 64/bin/go git rev-�� --show-toplevel go /opt/hostedtoolcache/node/24.14.1/x64/bin/node -json GO111MODULE 64/bin/go /opt/hostedtoolcache/node/24.14.1/x64/bin/node (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --get remote.origin.url /usr/bin/git /001 GO111MODULE x_amd64/vet git conf�� user.name Test User /opt/hostedtoolcache/node/24.14.1/x64/bin/node DseGpepMC .cfg 64/pkg/tool/linu--show-toplevel /opt/hostedtoolcache/node/24.14.1/x64/bin/node (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv GOMODCACHE go /usr/bin/git ck 'scripts/**/*git GO111MODULE 64/bin/go git rev-�� --show-toplevel go /opt/hostedtoolcache/node/24.14.1/x64/bin/node m/workflows GO111MODULE 64/bin/go /opt/hostedtoolcache/node/24.14.1/x64/bin/node (http block)
  • https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv -aw/git/ref/tags/v2.0.0 -tests ache/node/24.14.1/x64/bin/node -json GO111MODULE x_amd64/asm gh t-61�� bility_SameInputSameOutput518650061/001/stability-test.md --json /usr/bin/gh --repo owner/repo x_amd64/compile gh (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --porcelain GOPROXY ache/node/24.14.1/x64/bin/node GOSUMDB GOWORK 64/bin/go git t-36�� sistency_GoAndJavaScript1368537400/001/test-inlined-imports-enabled-with-env-template-expressiongit /tmp/TestParseDefaultBranchFromLsRemoteWithRealGitcustom_branch1332146249/002/work /usr/bin/git -json GO111MODULE n-dir/sh git (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq [.object.sha, .object.type] | @tsv add myorg /usr/bin/git 24436360.go AmvwaUv3n x_amd64/vet git conf�� user.email test@example.com /opt/hostedtoolcache/node/24.14.1/x64/bin/node t5smDhwOz GO111MODULE 64/pkg/tool/linu--show-toplevel node (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq [.object.sha, .object.type] | @tsv remove remote2 /usr/bin/git -json GO111MODULE 64/bin/go git rev-�� --show-toplevel go /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv /tmp/gh-aw-add-gitattributes-test4053312510/.github/workflows rev-parse /usr/bin/git -json GO111MODULE x_amd64/asm git rev-�� /ref/tags/v9 x_amd64/asm sv -json GO111MODULE x_amd64/compile git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv log.showsignature=false log /usr/bin/git -n1 --format=format:rev-parse --end-of-options--show-toplevel git init�� --bare --initial-branch=my-default /usr/bin/git -json GO111MODULE tions/setup/js/n--show-toplevel git (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv --show-toplevel -tests 1/x64/bin/node -json GO111MODULE x_amd64/asm git t-ha�� ithub/workflows/api-consumption-report.md config /usr/bin/git remote.origin.urgit GO111MODULE x_amd64/compile git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv log.showsignature=false log 1/x64/bin/node --format=%H:%ct GOWORK 64/bin/go /bin/sh t-ha�� ithub/workflows/archie.md git-upload-pack '/tmp/TestParseDefaultBranchFromLsRemoteWithRealGitcustom_branch1332146249/001' /usr/bin/git -json GO111MODULE ache/go/1.25.8/x--show-toplevel git (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name GO111MODULE 64/pkg/tool/linu-nolocalimports GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linutest@example.com env 2563473500 hxms/bWOB0OjYPOs06SIChxms .cfg GOINSECURE g/x/text/unicoderev-parse GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-tests (http block)
    • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linuTest User env 7749801/b178/_pkg_.a V7o_/18xeupG6XnJInX8DV7o_ ck GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name Test User /usr/bin/git -v 64/pkg/tool/linurev-parse /usr/bin/git git rev-�� 3723134810/.github/workflows git /usr/bin/git --show-toplevel 64/pkg/tool/linurev-parse /usr/bin/git git (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name GO111MODULE x_amd64/link GOINSECURE (http block)
    • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE (http block)
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name infocmp /usr/bin/git xterm-color X2/LKPpO0EjZIaEYremote /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel 64/pkg/tool/linurev-parse /usr/bin/git git (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE 7749801/b078/ GOMODCACHE 64/pkg/tool/linux_amd64/vet env 7749801/b200/_pkg_.a GO111MODULE .cfg GOINSECURE GOMOD 7749801/b078/sym/home/REDACTED/work/gh-aw/gh-aw/.github/workflows/agentic-observability-kit.md ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env 7749801/b211/_pkg_.a d2UJ/DbmGN00V4XBV3gqgd2UJ 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name infocmp /usr/bin/git xterm-color 64/pkg/tool/linuremote /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel 64/pkg/tool/linurev-parse /usr/bin/git git (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE 7749801/b092/ GOMODCACHE 64/pkg/tool/linux_amd64/vet env 2563473500 GO111MODULE .cfg GOINSECURE g/x/net/http2/hprev-parse 7749801/b092/sym--show-toplevel ache/go/1.25.8/x64/pkg/tool/linu-buildtags (http block)
    • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD 7749801/b013/sym--show-toplevel 64/pkg/tool/linux_amd64/vet env 7749801/b241/_pkg_.a r73k/ZR15bOYtzO_sNGC5r73k ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet GOINSECURE t/internal/langurev-parse GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name /usr/bin/git /usr/bin/git --get-regexp ^remote\..*\.gh-rev-parse /usr/bin/git git rev-�� 3723134810/.github/workflows git /usr/bin/git --show-toplevel S8eKncR/bXjFK1lrinit /usr/bin/git git (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env 2563473500 GO111MODULE x_amd64/compile GOINSECURE g/x/text/secure/rev-parse 7749801/b092/sym--show-toplevel x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linutest@example.com env 7749801/b221/_pkg_.a GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet GOINSECURE g/x/net/http/httrev-parse GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name Initial commit /usr/bin/git -v D7/90LsJdncQeTVLrev-parse /usr/bin/git git rev-�� 3723134810/.github/workflows git /usr/bin/git --show-toplevel 64/pkg/tool/linuremote /usr/bin/git git (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE randutil GOMODCACHE 64/pkg/tool/linux_amd64/vet env 2563473500 go .cfg GOINSECURE able GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-trimpath (http block)
    • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE hlite 7749801/b013/sym--git-dir 64/pkg/tool/linux_amd64/vet env 7749801/b242/_pkg_.a _zAe/m6K4S-499xrKjIdi_zAe ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet GOINSECURE t/internal/tag GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name --auto /usr/bin/git --detach 64/pkg/tool/linurev-parse /usr/bin/git git rev-�� 3723134810/.github/workflows git x_amd64/vet --show-toplevel 64/pkg/tool/linuconfig /usr/bin/git x_amd64/vet (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name GO111MODULE 64/pkg/tool/linu-importcfg GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linu/home/REDACTED/work/gh-aw/gh-aw/pkg/timeutil/format_test.go env 2563473500 aMu6/n6X7R7Av3bGkLZAPaMu6 64/pkg/tool/linux_amd64/compile GOINSECURE l GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 rg/x/text@v0.36.0/internal/language/common.go 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD 7749801/b007/sym--show-toplevel 64/pkg/tool/linux_amd64/vet ache�� 3226848798/.github/workflows 7Ps3/Xuna8G_bMUX3GMM57Ps3 .cfg GOINSECURE t/internal/strinrev-parse GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name /usr/bin/git /usr/bin/git --get-regexp ^remote\..*\.gh-rev-parse /usr/bin/git git rev-�� 3723134810/.github/workflows git /usr/bin/git --show-toplevel 64/pkg/tool/linuconfig /usr/bin/git git (http block)
  • https://api.github.com/repos/github/gh-aw/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path 69521618/001' 69521618/001' x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 g/x/crypto/interrev-parse GOMODCACHE -MlvCPy/t6M8s7Cm2xpu7MOJIw7R env 7749801/b164/_pkg_.a vMoO/r1c5PlYHcFDLvhFNvMoO 64/pkg/tool/linux_amd64/link GOINSECURE boring/bbig GOMODCACHE 64/pkg/tool/linux_amd64/link (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv --show-toplevel ntdrain.test /usr/bin/git se 3827311/b014/vetrev-parse x_amd64/vet git rev-�� --show-toplevel x_amd64/vet /usr/bin/git sRemoteWithRealGls sRemoteWithRealG-lh ache/go/1.25.8/x/tmp/gh-aw/aw-feature-branch.patch git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv --show-toplevel go /usr/bin/git 1081288264/custogit GO111MODULE ck git rev-�� --show-toplevel go /usr/bin/git -json GO111MODULE ache/go/1.25.8/x/tmp/gh-aw/aw-feature-branch.patch git (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv 7749801/b138/_pkg_.a bft1/1yO0RzBmJIVi0dFibft1 64/pkg/tool/linux_amd64/compile GOINSECURE e/jsonschema-go/rev-parse GOMODCACHE 64/pkg/tool/linux_amd64/compile estl�� verutil.go verutil_test.go x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv y_with_explicit_repo1529942468/0remote.origin.url node 64/bin/go run format:pkg-json 64/bin/go go env -json GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json irent.go x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv --show-toplevel node /usr/bin/git /tmp/TestHashStagit-upload-pack x_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env lGitmain_branch969521618/001' lGitmain_branch969521618/001' x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv --show-toplevel node /usr/bin/git k/gh-aw/gh-aw/.ggit -goversion (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env Gitmain_branch969521618/001' Gitmain_branch969521618/001' x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq [.object.sha, .object.type] | @tsv --show-toplevel node /usr/bin/git /tmp/TestHashStagit-upload-pack x_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv 7749801/b164/_pkg_.a vMoO/r1c5PlYHcFDLvhFNvMoO 64/pkg/tool/linux_amd64/link GOINSECURE boring/bbig GOMODCACHE 64/pkg/tool/linux_amd64/link estl�� stants.test 3827311/b025/vet.cfg x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv y_with_repos=public_3613058448/001 node 64/bin/go tierignore format:pkg-json 64/bin/go go env -json GO111MODULE k GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/nonexistent/repo/actions/runs/12345
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE boring GOMODCACHE 64/pkg/tool/linu/home/REDACTED/work/gh-aw/gh-aw/pkg/typeutil/convert_test.go env 7749801/b194/_pkg_.a 3NxN/fOrMapTM_SttVIFB3NxN ache/go/1.25.8/x64/pkg/tool/linu-lang=go1.25 GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-goversion (http block)
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion origin REDACTED /usr/bin/git git rev-�� y_with_repos_array_c1240737213/001 git /usr/bin/git --show-toplevel 64/pkg/tool/linurev-parse /usr/bin/git git (http block)
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion **/*.json --ignore-path ../../../.pretti--show-toplevel go env -json GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/owner/repo/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json age/common.go x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json o x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo ache/node/24.14.1/x64/bin/npm /tmp/gh-aw-test-git config om/owner/repo.gi--show-toplevel ache/node/24.14.1/x64/bin/npm rev-�� nly git /usr/bin/git --show-toplevel x_amd64/compile /usr/bin/infocmp/tmp/go-build3309514343/b400/cli.test git (http block)
  • https://api.github.com/repos/owner/repo/contents/file.md
    • Triggering command: /tmp/go-build4133827311/b400/cli.test /tmp/go-build4133827311/b400/cli.test -test.testlogfile=/tmp/go-build4133827311/b400/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE x_amd64/compile -Oz --enable-bu/opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet GOMOD GOMODCACHE x_amd64/compile (http block)
    • Triggering command: /tmp/go-build3309514343/b400/cli.test /tmp/go-build3309514343/b400/cli.test -test.testlogfile=/tmp/go-build3309514343/b400/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true ithub/workflows/git config /usr/bin/git git rev-�� --show-toplevel git ache/node/24.14.1/x64/bin/node /tmp/gh-aw-test-git remote om/other/repo.gi--show-toplevel git (http block)
    • Triggering command: /tmp/go-build516214149/b400/cli.test /tmp/go-build516214149/b400/cli.test -test.testlogfile=/tmp/go-build516214149/b400/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true GOINSECURE GOMOD GOMODCACHE go 1/x6�� -json GO111MODULE n-dir/sh GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/test-owner/test-repo/actions/secrets
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name 9521618/001' 9521618/001' -nolocalimports -importcfg /tmp/go-build4133827311/b400/importcfg -pack /tmp/go-build4133827311/b400/_testmain.go env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name --show-toplevel gh ache/go/1.25.8/x64/bin/node /repos/actions/ggit l /opt/hostedtoolc--show-toplevel git ache�� --show-toplevel nly /usr/bin/git /tmp/TestHashCon/opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet x_amd64/compile /usr/bin/git git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name -json GO111MODULE ode GOINSECURE GOMOD GOMODCACHE go tion�� -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI linked an issue Apr 17, 2026 that may be closed by this pull request
Misleading compiler error when 'roles' is set to a string instead of an array #26788
Closed
@pelikhan
fix: allow single string values for on.roles
0848534 
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/f5382026-a67a-4085-bc57-1668bc13cead

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix misleading compiler error for roles property Allow on.roles single-string role values (not just all) Apr 17, 2026
Copilot AI requested a review from pelikhan April 17, 2026 03:37
@pelikhan pelikhan marked this pull request as ready for review April 17, 2026 03:41
Copilot AI review requested due to automatic review settings April 17, 2026 03:41
@pelikhan pelikhan merged commit ebcb6b4 into main Apr 17, 2026
69 checks passed
@pelikhan pelikhan deleted the copilot/fix-misleading-compiler-error-roles branch April 17, 2026 03:42
jeffhandley
jeffhandley reviewed Apr 17, 2026
View reviewed changes
Comment thread pkg/workflow/role_checks_test.go

compiledStr := string(compiledContent)
assert.Contains(t, compiledStr, "id: check_membership", "Compiled workflow should include membership checks for role-gated triggers")
assert.Contains(t, compiledStr, "write", "Compiled workflow should require the single role provided as a string")
Copy link
Copy Markdown

@jeffhandley jeffhandley Apr 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot I suspect this assert is likely to have a false-positive match on "write" somewhere else in the compiled workflow. Can the assert look more specifically for: GH_AW_REQUIRED_ROLES: "write"?

Copilot AI reviewed Apr 17, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates workflow frontmatter handling so on.roles can be specified as a single role string (not just all), aligning schema validation, compiler behavior, and docs.

Changes:

  • Expanded on.roles JSON schema to accept single-string role values (admin, maintainer, maintain, write, triage, read, all).
  • Added a compiler test that compiles a workflow using on.roles: write and checks that role-gating output is generated.
  • Updated docs to explicitly mention the single-string form.
Show a summary per file
File Description
pkg/workflow/role_checks_test.go Adds a test for compiling workflows with on.roles as a single string.
pkg/parser/schemas/main_workflow_schema.json Expands schema enum for on.roles string form beyond all.
docs/src/content/docs/reference/frontmatter.md Documents roles: write as a supported single-string form under on:.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 3/3 changed files
  • Comments generated: 2

Comment thread pkg/workflow/role_checks_test.go

compiledStr := string(compiledContent)
assert.Contains(t, compiledStr, "id: check_membership", "Compiled workflow should include membership checks for role-gated triggers")
assert.Contains(t, compiledStr, "write", "Compiled workflow should require the single role provided as a string")
Comment thread docs/src/content/docs/reference/frontmatter.md
roles: all # Allow any user (⚠️ use with caution)
```

You can also use a single role string, for example `roles: write`.
@github-actions github-actions bot mentioned this pull request Apr 17, 2026
Closed
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 17, 2026

🧪 Test Quality Sentinel Report

Test Quality Score: 90/100

Excellent test quality

Metric Value
New/modified tests analyzed 1
✅ Design tests (behavioral contracts) 1 (100%)
⚠️ Implementation tests (low value) 0 (0%)
Tests with error/edge cases 1 (100%)
Duplicate test clusters 0
Test inflation detected ⚠️ Yes (37 test lines added, 0 corresponding production Go lines; fix was in JSON schema)
🚨 Coding-guideline violations None

Test Classification Details

Test File Classification Issues Detected
TestRoleMembershipSupportsSingleRoleString pkg/workflow/role_checks_test.go:148 ✅ Design One weak assertion (see below)

Analysis

TestRoleMembershipSupportsSingleRoleString (pkg/workflow/role_checks_test.go:148)

Classification: Design test — behavioral contract

What design invariant does this test enforce? The feature contract that on.roles accepts a single string value (e.g., roles: write) in addition to an array form. This is directly the behavioral change introduced by this PR.

What would break if deleted? A regression where single-string roles fail to compile (or silently drop the membership check) would go undetected. High value.

Assertions: 5 (2 assert.Contains with descriptive messages, 3 t.Fatalf for infrastructure errors)

Build tag: ✅ //go:build !integration present on line 1

Minor observation — weak substring assertion: assert.Contains(t, compiledStr, "write", ...) checks for the bare string "write", which is common enough in YAML to match incidentally (e.g., contents: write, comments, etc.). A stronger assertion would check for the role in its structural context — for example roles:\n - write or the specific membership check step name alongside the permission value. This does not affect the score but is worth tightening.

Test Inflation Note

role_checks_test.go grew by 37 lines while no corresponding production Go file changed. The actual fix was a 4-line change to pkg/parser/schemas/main_workflow_schema.json (JSON schema type widening). The 2:1 inflation rule is intended to catch test padding; here the test is genuinely exercising the new behavior end-to-end via compiler.CompileWorkflow(). The -10 pt inflation penalty is applied per the scoring formula but is contextually benign.

Language Support

Tests analyzed:

  • 🐹 Go (*_test.go): 1 test — unit (//go:build !integration)
  • 🟨 JavaScript (*.test.cjs, *.test.js): 0 tests

Verdict

Check passed. 0% of new tests are implementation tests (threshold: 30%). The single new test is a well-structured behavioral contract test with proper assertions, build tags, and assertion messages.

📖 Understanding Test Classifications

Design Tests (High Value) verify what the system does:

  • Assert on observable outputs, return values, or state changes
  • Cover error paths and boundary conditions
  • Would catch a behavioral regression if deleted
  • Remain valid even after internal refactoring

Implementation Tests (Low Value) verify how the system does it:

  • Assert on internal function calls (mocking internals)
  • Only test the happy path with typical inputs
  • Break during legitimate refactoring even when behavior is correct
  • Give false assurance: they pass even when the system is wrong

Goal: Shift toward tests that describe the system's behavioral contract — the promises it makes to its users and collaborators.

References: §24546479671

🧪 Test quality analysis by Test Quality Sentinel · ● 398.1K ·

github-actions[bot]
github-actions bot approved these changes Apr 17, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Test Quality Sentinel: 90/100. Test quality is acceptable — 0% of new tests are implementation tests (threshold: 30%). The single new test TestRoleMembershipSupportsSingleRoleString is a well-structured behavioral contract test with proper build tag, assertion messages, and end-to-end coverage of the PR's core behavioral change.

@jeffhandley jeffhandley mentioned this pull request Apr 17, 2026
Closed
@github-actions github-actions bot mentioned this pull request Apr 17, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@github-actions github-actions[bot] github-actions[bot] approved these changes

+2 more reviewers

@jeffhandley jeffhandley jeffhandley left review comments

@pelikhan pelikhan pelikhan approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@pelikhan pelikhan

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Misleading compiler error when 'roles' is set to a string instead of an array

4 participants

@jeffhandley @pelikhan