Skip to content

Fix false post-create repo validation in cross-repo create_pull_request workflows#36250

Merged
pelikhan merged 4 commits into
mainfrom
copilot/create-pull-request-validation-fix
Jun 1, 2026
Merged

Fix false post-create repo validation in cross-repo create_pull_request workflows#36250
pelikhan merged 4 commits into
mainfrom
copilot/create-pull-request-validation-fix

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Jun 1, 2026
edited by github-actions Bot
Loading

Cross-repo create_pull_request runs could successfully open a PR and then fail in a later validation path with ERR_VALIDATION (“repo not in allowed-repos”), because that second check only considered a global allowlist and ignored handler-level allowed_repos. This produced contradictory outcomes and marked successful runs as failed.

  • Invocation-context allowlist fallback

    • Updated checkAllowedRepo in actions/setup/js/invocation_context_helpers.cjs.
    • When GH_AW_ALLOWED_REPOS is empty, validation now falls back to GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG and aggregates handler allowed_repos entries before validating workflow_dispatch target_repo.
    • This aligns post-creation validation with the same effective allowlist used by create_pull_request.

  • Regression coverage for the failing path

    • Added test in actions/setup/js/invocation_context_helpers.test.cjs for workflow_dispatch with:
      • no global allowlist,
      • create_pull_request.allowed_repos containing target repo,
      • target_repo set to that repo.
    • Ensures invocation context resolves without throwing validation errors in this configuration.
// invocation_context_helpers.cjs (behavioral core)
const allowedRepos = parseAllowedRepos(process.env.GH_AW_ALLOWED_REPOS);
if (allowedRepos.size === 0) {
  const handlerConfig = JSON.parse(process.env.GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG || "{}");
  for (const value of Object.values(handlerConfig)) {
    for (const repo of parseAllowedRepos(value?.allowed_repos)) {
      allowedRepos.add(repo);
    }
  }
}

Generated by 👨‍🍳 PR Sous Chef · gpt54 12.3M ·

Copilot AI linked an issue Jun 1, 2026 that may be closed by this pull request
create_pull_request (cross-repo): PR is opened, then a second validation fails ERR_VALIDATION 'not in the allowed-repos list', marking the run failed #36242
Closed
@pelikhan
Fix workflow_dispatch target repo validation fallback
44fdd24 
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix validation issue for cross-repo pull requests Fix false post-create repo validation in cross-repo create_pull_request workflows Jun 1, 2026
Copilot AI requested a review from pelikhan June 1, 2026 15:08
@pelikhan pelikhan marked this pull request as ready for review June 1, 2026 15:42
Copilot AI review requested due to automatic review settings June 1, 2026 15:42
Copilot AI reviewed Jun 1, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Fixes a contradictory failure mode where cross-repo create_pull_request runs could open a PR successfully but later fail context validation with ERR_VALIDATION because the post-creation checkAllowedRepo only consulted the global GH_AW_ALLOWED_REPOS allowlist and ignored handler-level allowed_repos.

Changes:

  • In checkAllowedRepo, when the global allowlist is empty, parse GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG and aggregate each handler's allowed_repos into the effective allowlist before validating the target repo.
  • Wrap the JSON parse / shape checks defensively so malformed config silently falls back to the (empty) global allowlist.
  • Add a regression test asserting workflow_dispatch with no global allowlist but a matching create_pull_request.allowed_repos resolves successfully.
Show a summary per file
File Description
actions/setup/js/invocation_context_helpers.cjs Fallback to handler-config allowed_repos aggregation when global allowlist is empty.
actions/setup/js/invocation_context_helpers.test.cjs New test covering the handler-allowlist fallback path.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 2/2 changed files
  • Comments generated: 0

@pelikhan pelikhan merged commit 1c3cf82 into main Jun 1, 2026
12 checks passed
@pelikhan pelikhan deleted the copilot/create-pull-request-validation-fix branch June 1, 2026 17:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@pelikhan pelikhan Awaiting requested review from pelikhan

Assignees

@pelikhan pelikhan

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

create_pull_request (cross-repo): PR is opened, then a second validation fails ERR_VALIDATION 'not in the allowed-repos list', marking the run failed

3 participants

@pelikhan