[spec-review] Update Safe Outputs conformance checker for recent spec changes

[github-actions]

Summary

Updates the Safe Outputs conformance checker script to align with specification changes in versions 1.17.0, 1.18.0, and 1.19.0.

Specification Changes Reviewed

The spec file docs/src/content/docs/reference/safe-outputs-specification.md was added at v1.19.0 (commit ff0acb2). The conformance script was previously at version 1.16.0. Three versions of spec changes required new checks:

• v1.17.0 (2026-04-19): Added merge_pull_request safe output type
• v1.18.0 (2026-04-21): Added comment_memory safe output type
• v1.19.0 (2026-04-30): Added create-issue auto-injection when no safe-outputs: section present

📋 Script Updates & Testing Details

Script Updates

New Checks Added

• TYPE-001: merge_pull_request handler existence and default branch protection (spec Section 7.3, v1.17.0) — verifies handler exists, checks isDefault for default branch refusal, validates policy gate checks, and mergeability verification
• TYPE-002: comment_memory memory ID validation (spec Section 7.3, v1.18.0) — verifies [A-Za-z0-9_-]+ pattern enforcement, scan page bounding, and body sanitization before upsert
• TYPE-003: comment_memory not exposed as agent MCP tool (spec Section 7.3, v1.18.0) — verifies the type is not registered as an agent-editable tool (file-based sync must be used instead)
• TYPE-004: create-issue auto-injection for workflows without safe-outputs: (spec Section 4.3, v1.19.0) — verifies auto-injection logic exists in compiler and suppression logic for non-builtin outputs

Checks Modified

• Script version comment updated from 1.16.0 to 1.19.0

Testing

All 4 new checks pass:

Running TYPE-001: merge_pull_request Handler Existence and Default Branch Protection...
[PASS] TYPE-001: merge_pull_request handler exists with default branch protection and policy gates
Running TYPE-002: comment_memory Memory ID Validation...
[PASS] TYPE-002: comment_memory handler validates memory_id, bounds scanning, and sanitizes body
Running TYPE-003: comment_memory Not Exposed as Agent MCP Tool...
[PASS] TYPE-003: comment_memory is not registered as an agent-editable MCP tool
Running TYPE-004: create-issue Auto-Injection...
[PASS] TYPE-004: create-issue auto-injection is implemented and suppression logic exists

Script syntax validated: bash -n scripts/check-safe-outputs-conformance.sh passes.

Related Files

• Specification: docs/src/content/docs/reference/safe-outputs-specification.md
• Conformance Script: scripts/check-safe-outputs-conformance.sh

Generated by Weekly Safe Outputs Specification Review · ● 1.4M · ◷

• expires on May 11, 2026, 5:36 AM UTC

[github-actions]

Hey @app/github-actions 👋 — great work keeping the Safe Outputs conformance checker in sync with the spec changes across v1.17.0, v1.18.0, and v1.19.0! The PR is well-scoped, touches a single file, and the description thoroughly documents each new check and the reasoning behind it.

One thing that would strengthen this further:

• Add tests — scripts/check-safe-outputs-conformance.sh gains several new checks (TYPE-001 for merge_pull_request, comment_memory handling, and auto-injection for create-issue) but there are no corresponding test fixtures or test-runner updates in the diff. Even lightweight shell-based tests (e.g., a fixture workflow that should pass/fail each new check) would give reviewers confidence that the new logic behaves as expected.

If you'd like a hand, you can assign this prompt to your coding agent:

Add shell-based tests for the new conformance checks introduced in scripts/check-safe-outputs-conformance.sh:
1. TYPE-001 — merge_pull_request handler: one fixture that passes (handler present with correct isDefault/policy gate/mergeability checks) and one that fails (handler missing).
2. comment_memory safe output type: fixture that passes and one that fails.
3. create-issue auto-injection: fixture where no safe-outputs: section is present — verify the check detects the missing auto-injection and raises the expected error.
Place fixtures under a tests/ or test-fixtures/ directory consistent with the project's existing test layout.

Generated by Contribution Check · ● 1.6M · ◷