github · pelikhan · Apr 22, 2026 · Apr 21, 2026 · Apr 21, 2026 · Apr 21, 2026
diff --git a/actions/setup/js/comment_memory.cjs b/actions/setup/js/comment_memory.cjs
@@ -4,6 +4,7 @@ require("./shim.cjs");
 
 const { sanitizeContent } = require("./sanitize_content.cjs");
 const { getErrorMessage } = require("./error_helpers.cjs");
+const { SAFE_OUTPUT_E001 } = require("./error_codes.cjs");
 const { resolveTarget, isStagedMode } = require("./safe_output_helpers.cjs");
 const { resolveTargetRepoConfig, resolveAndValidateRepo } = require("./repo_helpers.cjs");
 const { createAuthenticatedGitHubClient } = require("./handler_auth.cjs");
@@ -30,7 +31,7 @@ function sanitizeMemoryID(memoryID) {
 function buildManagedMemoryBody(rawBody, memoryID, options) {
   const { includeFooter, runUrl, workflowName, workflowSource, workflowSourceURL, historyUrl, triggeringIssueNumber, triggeringPRNumber } = options;
   if (!/^[a-zA-Z0-9_-]+$/.test(memoryID)) {
-    throw new Error("memory_id must contain only alphanumeric characters, hyphens, and underscores");
+    throw new Error(`${SAFE_OUTPUT_E001}: memory_id must contain only alphanumeric characters, hyphens, and underscores`);
   }
   const openingTag = `<${COMMENT_MEMORY_TAG} id="${memoryID}">`;
   const closingTag = `</${COMMENT_MEMORY_TAG}>`;

diff --git a/actions/setup/js/comment_memory.test.cjs b/actions/setup/js/comment_memory.test.cjs
@@ -50,6 +50,22 @@ describe("comment_memory", () => {
     expect(body).toContain("Generated by");
   });
 
+  it("throws E001 for invalid memory ID in managed body builder", async () => {
+    const module = await import("./comment_memory.cjs");
+    expect(() =>
+      module.buildManagedMemoryBody("Persist me", "bad id", {
+        includeFooter: false,
+        runUrl: "https://example.com/run/3",
+        workflowName: "Workflow",
+        workflowSource: "",
+        workflowSourceURL: "",
+        historyUrl: undefined,
+        triggeringIssueNumber: undefined,
+        triggeringPRNumber: undefined,
+      })
+    ).toThrow("E001:");
+  });
+
   it("finds only managed comments with provenance marker", async () => {
     const module = await import("./comment_memory.cjs");
     const github = {

diff --git a/actions/setup/js/error_codes.cjs b/actions/setup/js/error_codes.cjs
@@ -42,6 +42,12 @@ const ERR_PARSE = "ERR_PARSE";
 /** @type {string} System and I/O errors */
 const ERR_SYSTEM = "ERR_SYSTEM";
 
+/** @type {string} Safe output validation/input errors (legacy numeric taxonomy) */
+const SAFE_OUTPUT_E001 = "E001";
+
+/** @type {string} Safe output operation/runtime failures (legacy numeric taxonomy) */
+const SAFE_OUTPUT_E099 = "E099";
+
 module.exports = {
   ERR_VALIDATION,
   ERR_PERMISSION,
@@ -50,4 +56,6 @@ module.exports = {
   ERR_NOT_FOUND,
   ERR_PARSE,
   ERR_SYSTEM,
+  SAFE_OUTPUT_E001,
+  SAFE_OUTPUT_E099,
 };
diff --git a/actions/setup/js/merge_pull_request.cjs b/actions/setup/js/merge_pull_request.cjs
@@ -10,7 +10,9 @@ const { selectLatestRelevantChecks } = require("./check_runs_helpers.cjs");
 const { withRetry, isTransientError } = require("./error_recovery.cjs");
 const { normalizeBranchName } = require("./normalize_branch_name.cjs");
 const { resolveNumberFromTemporaryId } = require("./temporary_id.cjs");
+const { SAFE_OUTPUT_E001, SAFE_OUTPUT_E099 } = require("./error_codes.cjs");
 const MERGEABILITY_PENDING_ERROR = "pull request mergeability is still being computed";
+const MERGEABILITY_PENDING_ERROR_CODED = `${SAFE_OUTPUT_E099}: ${MERGEABILITY_PENDING_ERROR}`;
 
 /**
  * @typedef {import('./types/handler-factory').HandlerFactoryFunction} HandlerFactoryFunction
@@ -41,7 +43,7 @@ async function getPullRequestWithMergeability(githubClient, owner, repo, pullNum
         pull_number: pullNumber,
       });
       if (data && data.mergeable === null) {
-        throw new Error(MERGEABILITY_PENDING_ERROR);
+        throw new Error(MERGEABILITY_PENDING_ERROR_CODED);
       }
       return data;
     },
@@ -50,7 +52,7 @@ async function getPullRequestWithMergeability(githubClient, owner, repo, pullNum
       initialDelayMs: 1000,
       shouldRetry: error => {
         const msg = getErrorMessage(error).toLowerCase();
-        return isTransientError(error) || msg === MERGEABILITY_PENDING_ERROR;
+        return isTransientError(error) || msg === MERGEABILITY_PENDING_ERROR_CODED.toLowerCase();
       },
     },
     `fetch pull request #${pullNumber}`
@@ -66,7 +68,7 @@ async function getPullRequestWithMergeability(githubClient, owner, repo, pullNum
         return fallback.data;
       }
     } catch (fallbackError) {
-      throw new Error(`Failed to fetch pull request #${pullNumber} after retry and fallback attempts. Retry error: ${getErrorMessage(error)}. Fallback error: ${getErrorMessage(fallbackError)}`);
+      throw new Error(`${SAFE_OUTPUT_E099}: Failed to fetch pull request #${pullNumber} after retry and fallback attempts. Retry error: ${getErrorMessage(error)}. Fallback error: ${getErrorMessage(fallbackError)}`);
     }
     throw error;
   });
@@ -141,7 +143,7 @@ async function getReviewSummary(githubClient, owner, repo, pullNumber) {
 async function getBranchPolicy(githubClient, owner, repo, baseBranch) {
   const baseBranchValidation = sanitizeBranchName(baseBranch, "target base");
   if (!baseBranchValidation.valid || !baseBranchValidation.value) {
-    throw new Error(`Invalid target base branch for policy evaluation: ${baseBranchValidation.error} (original: ${JSON.stringify(baseBranch)}, normalized: ${JSON.stringify(baseBranchValidation.normalized || "")})`);
+    throw new Error(`${SAFE_OUTPUT_E001}: Invalid target base branch for policy evaluation: ${baseBranchValidation.error} (original: ${JSON.stringify(baseBranch)}, normalized: ${JSON.stringify(baseBranchValidation.normalized || "")})`);
   }
   const sanitizedBaseBranch = baseBranchValidation.value;
 

diff --git a/actions/setup/js/merge_pull_request.test.cjs b/actions/setup/js/merge_pull_request.test.cjs
@@ -96,7 +96,7 @@ describe("merge_pull_request branch validation", () => {
       },
     };
 
-    await expect(__testables.getBranchPolicy(githubClient, "github", "gh-aw", "main;rm -rf /")).rejects.toThrow("Invalid target base branch for policy evaluation");
+    await expect(__testables.getBranchPolicy(githubClient, "github", "gh-aw", "main;rm -rf /")).rejects.toThrow("E001: Invalid target base branch for policy evaluation");
     expect(githubClient.rest.repos.getBranch).not.toHaveBeenCalled();
   });
-Original file line number
+Diff line change
@@ Expand Up / @@ -96,7 +96,7 @@ describe("merge_pull_request branch validation", () => { @@
           },
         };
-        await expect(__testables.getBranchPolicy(githubClient, "github", "gh-aw", "main;rm -rf /")).rejects.toThrow("Invalid target base branch for policy evaluation");
+        await expect(__testables.getBranchPolicy(githubClient, "github", "gh-aw", "main;rm -rf /")).rejects.toThrow("E001: Invalid target base branch for policy evaluation");
         expect(githubClient.rest.repos.getBranch).not.toHaveBeenCalled();
       });
@@ Expand Down @@