Summary

The add-build-tag scope check in src/safeoutputs/add_build_tag.rs narrowed ctx.build_id (u64, sourced from BUILD_BUILDID) to i32 via i32::try_from(id).ok(). For any ADO build ID greater than i32::MAX (~2.1B), the conversion returned None, the if let Some(...) branch was skipped, and the scope check fell through silently — letting an agent tag arbitrary builds even when allow-any-build: false.

• Compare in u64 space: widen the validated-positive self.build_id: i32 with as u64 and compare directly against ctx.build_id: Option<u64>. Values that don't fit in i32 simply cannot match, so the scope check now correctly rejects them.

if let Some(current_id) = ctx.build_id {
    // self.build_id is validated > 0, so the cast to u64 is exact;
    // values that don't fit in i32 simply cannot match current_id.
    if self.build_id as u64 != current_id {
        return Ok(ExecutionResult::failure(/* … */));
    }
}

Test plan

• cargo test add_build_tag (existing tests pass)
• cargo build and cargo clippy --all-targets --all-features clean (only pre-existing warnings)