From 004a4ba9f4d3d751f448bd96f3298a1d90d44aca Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 1 May 2026 19:42:49 +0000
Subject: [PATCH 1/2] fix(safeoutputs): enforce add-build-tag scope for build IDs > i32::MAX
Agent-Logs-Url: https://github.com/githubnext/ado-aw/sessions/dd6d4958-4570-4099-8fcc-bf3d38eb7aa9
Co-authored-by: jamesadevine <4742697+jamesadevine@users.noreply.github.com>
---
 src/safeoutputs/add_build_tag.rs | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/src/safeoutputs/add_build_tag.rs b/src/safeoutputs/add_build_tag.rs
index 335e001f..765f883e 100644
--- a/src/safeoutputs/add_build_tag.rs
+++ b/src/safeoutputs/add_build_tag.rs
@@ -133,15 +133,14 @@ impl Executor for AddBuildTagResult {
 let config: AddBuildTagConfig = ctx.get_tool_config("add-build-tag");
 debug!("Config: {:?}", config);
- // 2b. Scope check: by default only the current build can be tagged
+ // 2b. Scope check: by default only the current build can be tagged.
+ // Compare in u64 space so that ADO build IDs larger than i32::MAX are
+ // still enforced (the agent-supplied i32 simply cannot match such
+ // values, which is the desired behavior).
 if !config.allow_any_build {
- // Pulled from ctx (sourced from BUILD_BUILDID); narrowed to i32 to
- // match the agent-supplied build_id type.
- let current_build_id: Option = ctx
- .build_id
- .and_then(|id| i32::try_from(id).ok());
- if let Some(current_id) = current_build_id {
- if self.build_id != current_id {
+ if let Some(current_id) = ctx.build_id {
+ let agent_id_u64 = u64::try_from(self.build_id).ok();
+ if agent_id_u64 != Some(current_id) {
 return Ok(ExecutionResult::failure(format!(
 "Build #{} cannot be tagged: only the current build (#{}) is \
 allowed unless 'allow-any-build: true' is configured",
From 6e0dce711d0b309b018c2af1af1a75c9d3d2fc88 Mon Sep 17 00:00:00 2001
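Review bot: The scope check still appears to fail open when `ctx.build_id` is `None`: inside `if !config.allow_any_build`, the new `if let Some(current_id) = ctx.build_id` has no `else` in the visible lines, so a missing current build ID would skip enforcement entirely. That is the same shape of bypass this patch closes for IDs above `i32::MAX`. The enclosing method starts and ends outside the hunk, so confirm no later guard covers it; if none does, add an explicit `else` branch that returns `ExecutionResult::failure(...)` stating that the current build could not be determined. If skipping is intentional (for example for runs outside a pipeline), the 2b comment should say so. A regression test with a `ctx.build_id` above `i32::MAX` would pin the behaviour this fix targets.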
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 1 May 2026 19:47:43 +0000
Subject: [PATCH 2/2] refactor: simplify u64 cast in add-build-tag scope check
Agent-Logs-Url: https://github.com/githubnext/ado-aw/sessions/dd6d4958-4570-4099-8fcc-bf3d38eb7aa9
Co-authored-by: jamesadevine <4742697+jamesadevine@users.noreply.github.com>
---
 src/safeoutputs/add_build_tag.rs | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/safeoutputs/add_build_tag.rs b/src/safeoutputs/add_build_tag.rs
index 765f883e..65e35bfa 100644
--- a/src/safeoutputs/add_build_tag.rs
+++ b/src/safeoutputs/add_build_tag.rs
@@ -139,8 +139,9 @@ impl Executor for AddBuildTagResult {
 // values, which is the desired behavior).
 if !config.allow_any_build {
 if let Some(current_id) = ctx.build_id {
- let agent_id_u64 = u64::try_from(self.build_id).ok();
- if agent_id_u64 != Some(current_id) {
+ // self.build_id is validated > 0, so the cast to u64 is exact;
+ // values that don't fit in i32 simply cannot match current_id.
+ if self.build_id as u64 != current_id {
 return Ok(ExecutionResult::failure(format!(
 "Build #{} cannot be tagged: only the current build (#{}) is \
 allowed unless 'allow-any-build: true' is configured",
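Review bot: `self.build_id as u64` makes this authorization check depend on an invariant enforced somewhere else. The added comment says the ID is validated > 0, but that validation is not in this hunk, and for a negative `i32` an `as` cast sign-extends to a very large `u64` instead of failing. The checked form from the previous patch was self-contained; `if u64::try_from(self.build_id).ok() != Some(current_id) {` keeps the rejection independent of the validator. If the cast stays, the comment should name where the `> 0` check lives, so a later change to it is noticed here. The enclosing method starts and ends outside the hunk.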