github · pelikhan · Jun 6, 2026 · Jun 6, 2026 · Jun 6, 2026
diff --git a/pkg/constants/README.md b/pkg/constants/README.md
@@ -408,7 +408,7 @@ constants.PriorityWorkflowFields  // []string{"on","permissions","if","network",
 constants.IgnoredFrontmatterFields // []string{"user-invokable"}
 
 // Fields forbidden in shared/imported workflows (only valid in main workflows)
-constants.SharedWorkflowForbiddenFields // []string{"on","command","concurrency",...}
+constants.SharedWorkflowForbiddenFields // []string{"on","concurrency","container",...}
 
 // Events that do not require permission checks
 constants.SafeWorkflowEvents      // []string{"workflow_dispatch","schedule"}

diff --git a/pkg/constants/constants.go b/pkg/constants/constants.go
@@ -322,30 +322,27 @@ var IgnoredFrontmatterFields = []string{"user-invokable"}
 //
 // Forbidden fields fall into these categories:
 //   - Workflow triggers: on (defines it as a main workflow)
-//   - Workflow execution: command, run-name, runs-on, concurrency, if, timeout-minutes, timeout_minutes
+//   - Workflow execution: run-name, runs-on, concurrency, if, timeout-minutes
 //   - Workflow metadata: name, tracker-id, strict
 //   - Workflow features: container, environment, sandbox, features
-//   - Access control: roles, github-token
+//   - Access control: github-token
 //
 // All other fields defined in main_workflow_schema.json can be used in shared workflows
 // and will be properly imported and merged when the shared workflow is imported.
 var SharedWorkflowForbiddenFields = []string{
 	"on",              // Trigger field - only for main workflows
-	"command",         // Command for workflow execution
 	"concurrency",     // Concurrency control
 	"container",       // Container configuration
 	"environment",     // Deployment environment
 	"features",        // Feature flags
 	"github-token",    // GitHub token configuration
 	"if",              // Conditional execution
 	"name",            // Workflow name
-	"roles",           // Role requirements
 	"run-name",        // Run display name
 	"runs-on",         // Runner specification
 	"sandbox",         // Sandbox configuration
 	"strict",          // Strict mode
 	"timeout-minutes", // Timeout in minutes
-	"timeout_minutes", // Timeout in minutes (underscore variant)
 	"tracker-id",      // Tracker ID
 }
 

diff --git a/pkg/workflow/forbidden_fields_import_test.go b/pkg/workflow/forbidden_fields_import_test.go
@@ -19,7 +19,6 @@ func TestForbiddenFieldsImportRejection(t *testing.T) {
 	// Use the SharedWorkflowForbiddenFields constant and create YAML examples for each
 	forbiddenFieldYAML := map[string]string{
 		"on":              `on: issues`,
-		"command":         `command: /help`,
 		"concurrency":     `concurrency: production`,
 		"container":       `container: node:lts`,
 		"env":             `env: {NODE_ENV: production}`,
@@ -28,13 +27,11 @@ func TestForbiddenFieldsImportRejection(t *testing.T) {
 		"github-token":    `github-token: ${{ secrets.TOKEN }}`,
 		"if":              `if: success()`,
 		"name":            `name: Test Workflow`,
-		"roles":           `roles: ["admin"]`,
 		"run-name":        `run-name: Test Run`,
 		"runs-on":         `runs-on: ubuntu-latest`,
 		"sandbox":         `sandbox: {enabled: true}`,
 		"strict":          `strict: true`,
 		"timeout-minutes": `timeout-minutes: 30`,
-		"timeout_minutes": `timeout_minutes: 30`,
 		"tracker-id":      `tracker-id: "12345"`,
 	}