feat: add body-header message type to safe outputs

[Copilot]

Summary

Adds a new body-header message type to the safe-outputs messages system. When configured, it prepends custom header text to every message body generated by safe outputs (issues, comments, pull requests, discussions).

The header is placed after any threat-detection caution alert and before the agent-generated content.

Usage

safe-outputs:
  create-issue:
  add-comment:
  messages:
    body-header: "> ⚠️ This content was generated by [{workflow_name}]({run_url})."

Available placeholders: {workflow_name}, {run_url} (both camelCase and snake_case supported)

Changes

Schema & Go

• Add body-header field to pkg/parser/schemas/main_workflow_schema.json with description and examples
• Add BodyHeader string field to SafeOutputMessagesConfig Go struct in compiler_types.go
• Add extractStringFromMap call for body-header in safe_outputs_messages_config.go

JavaScript

• Add bodyHeader to SafeOutputMessages typedef in messages_core.cjs
• Create messages_header.cjs with getBodyHeader() function — returns empty string when not configured
• Create messages_header.test.cjs with 6 tests covering default, custom, placeholder, and edge cases
• Update messages.cjs barrel file to re-export getBodyHeader

Consumer scripts

• create_issue.cjs — body header unshifted before caution so final order is: caution → header → user content
• add_comment.cjs — prefix built with caution + header + user content (string concat)
• create_discussion.cjs — same pattern as create_issue.cjs
• create_pull_request.cjs — same pattern as create_issue.cjs

Tests

• Added Go tests for body-header parsing and JSON serialization to safe_outputs_messages_test.go

[Copilot]

Pull request overview

Adds a new body-header safe-outputs message template that can be configured to prepend a rendered header (with workflow/run placeholders) to generated bodies across safe-output handlers.

Changes:

• Extend schema + Go config types/parsing/serialization to support messages.body-header.
• Add JS getBodyHeader() helper + unit tests; update messages barrel/types.
• Update safe-output consumer scripts to insert the header between threat-detection caution and the generated/user content.

Show a summary per file

File	Description
pkg/workflow/safe_outputs_messages_test.go	Adds Go tests for parsing and JSON serialization of BodyHeader.
pkg/workflow/safe_outputs_messages_config.go	Parses body-header from the frontmatter messages map.
pkg/workflow/compiler_types.go	Adds BodyHeader to SafeOutputMessagesConfig with YAML/JSON tags.
pkg/parser/schemas/main_workflow_schema.json	Documents messages.body-header in the workflow schema with description/examples.
actions/setup/js/messages_header.cjs	Introduces getBodyHeader() that reads config and renders placeholders.
actions/setup/js/messages_header.test.cjs	Adds Vitest coverage for default/custom and placeholder rendering behavior.
actions/setup/js/messages_core.cjs	Extends SafeOutputMessages typedef with bodyHeader.
actions/setup/js/messages.cjs	Re-exports getBodyHeader from the messages barrel.
actions/setup/js/create_issue.cjs	Prepends body header (after caution via unshift ordering) for created issues.
actions/setup/js/create_discussion.cjs	Prepends body header (after caution via unshift ordering) for created discussions.
actions/setup/js/create_pull_request.cjs	Prepends body header for PR bodies (caution/header/body ordering logic updated).
actions/setup/js/add_comment.cjs	Prepends caution + body header prefix before comment content (string concat).

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comments suppressed due to low confidence (1)

actions/setup/js/create_pull_request.cjs:1143

• In the PR body builder, the caution insertion still adds two blank separator lines and the adjacent comment says this ensures the main body follows after a full empty line. With the new body header inserted between caution and the main body, those separator lines now separate the caution from the header instead, and the comment is no longer accurate. Consider adjusting the separator logic (e.g., number/placement of blank lines) and updating the comment so the final layout matches the intended caution → header → body ordering without unintended extra spacing.

    // Inject CAUTION at top of body (unshifted after header so it appears first in the final output)
    const detectionCaution = getDetectionCautionAlert(workflowName, runUrl);
    if (detectionCaution) {
      // unshift(caution, "", "") places the caution alert at index 0 and two blank
      // separator lines so the main body content follows after a full empty line.
      bodyLines.unshift(detectionCaution, "", "");
    }

• Files reviewed: 12/12 changed files
• Comments generated: 0

[github-actions]

🧪 Test Quality Sentinel Report

Test Quality Score: 89/100

✅ Excellent test quality

Metric	Value
New/modified tests analyzed	8
✅ Design tests (behavioral contracts)	8 (100%)
⚠️ Implementation tests (low value)	0 (0%)
Tests with error/edge cases	5 (63%)
Duplicate test clusters	0
Test inflation detected	No (2:1 ratio, threshold >2:1)
🚨 Coding-guideline violations	None

---

Test Classification Details

View All Test Classifications (8 tests)

Test	File	Classification	Notes
returns empty string when no body-header is configured	messages_header.test.cjs	✅ Design	Edge case: empty config
returns rendered template when body-header is configured	messages_header.test.cjs	✅ Design	Happy path + template rendering
supports snake_case placeholders	messages_header.test.cjs	✅ Design	Placeholder variant edge case
supports camelCase placeholders	messages_header.test.cjs	✅ Design	Placeholder variant edge case
returns empty string when messages env is set but body-header is absent	messages_header.test.cjs	✅ Design	Edge case: key missing in config
leaves unknown placeholders unchanged	messages_header.test.cjs	✅ Design	Edge case: unknown placeholder passthrough
Should parse body-header message	safe_outputs_messages_test.go	✅ Design	Verifies Go struct parsing behavioral contract
Should serialize body-header to camelCase JSON key	safe_outputs_messages_test.go	✅ Design	Verifies camelCase serialization (positive + negative assertions)

---

Flagged Tests — Requires Review

✅ No tests flagged. All new tests enforce observable behavioral contracts.

---

Language Support

Tests analyzed:

• 🐹 Go (*_test.go): 2 new sub-tests — unit (//go:build !integration) ✅ build tag present, no mock libraries
• 🟨 JavaScript (*.test.cjs): 6 tests (vitest) in new file messages_header.test.cjs

---

Scoring Breakdown

Component	Score	Calculation
Behavioral Coverage (40 pts)	40	8/8 design tests = 100%
Error/Edge Case Coverage (30 pts)	19	5/8 tests with edge cases = 63%
Low Duplication (20 pts)	20	0 duplicate clusters
Proportional Growth (10 pts)	10	JS ratio = 2:1 (threshold is >2:1, no penalty)
Total	89

---

Verdict

✅ Check passed. 0% of new tests are implementation tests (threshold: 30%). All 8 new tests verify observable behavioral contracts. The JavaScript test suite for messages_header.cjs covers the complete behavioral contract: empty config, template rendering with both placeholder styles ({snake_case} and {camelCase}), missing key in a populated config, and unknown placeholder passthrough. The Go sub-tests cover both the parsing and serialization contracts for the new body-header field.

---

📖 Understanding Test Classifications

Design Tests (High Value) verify what the system does:

• Assert on observable outputs, return values, or state changes
• Cover error paths and boundary conditions
• Would catch a behavioral regression if deleted
• Remain valid even after internal refactoring

Implementation Tests (Low Value) verify how the system does it:

• Assert on internal function calls (mocking internals)
• Only test the happy path with typical inputs
• Break during legitimate refactoring even when behavior is correct

Goal: Shift toward tests that describe the system's behavioral contract — the promises it makes to its users and collaborators.

---

References: §25238443803

🧪 Test quality analysis by Test Quality Sentinel · ● 710K · ◷

[github-actions]

✅ Test Quality Sentinel: 89/100. Test quality is excellent — 0% of new tests are implementation tests (threshold: 30%). All 8 new tests enforce observable behavioral contracts with no coding-guideline violations.