feat: support multi-repo wildcard target-repo in safe_outputs job#36657
Open
dsyme wants to merge 13 commits into
Open
feat: support multi-repo wildcard target-repo in safe_outputs job#36657dsyme wants to merge 13 commits into
dsyme wants to merge 13 commits into
Conversation
When target-repo is set to "*" for create-pull-request or push-to-pull-request-branch, the safe_outputs job now checks out ALL repositories declared in checkout: frontmatter into subdirectories (mirroring the agent job layout). Changes: - Add buildMultiRepoCheckoutSteps() to generate per-repo checkout, git-credential, and fetch-ref steps in safe_outputs - Add injectCheckoutMapping() to pass repo-to-path mapping in handler config - Update create_pull_request.cjs to use checkout_mapping for directory resolution with process.chdir() and try/finally restore - Enhance push_to_pull_request_branch.cjs to check checkout_mapping before falling back to workspace scan - Update schema descriptions to document wildcard support - Update docs to reflect multi-repo capability - Add tests for injectCheckoutMapping
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
Contributor
There was a problem hiding this comment.
Pull request overview
Adds wildcard ("*") support for target-repo in safe-outputs PR/push handlers by teaching the safe_outputs job to check out multiple repositories and by passing a compile-time checkout → path map down to JS handlers so they can operate in the correct subdirectory.
Changes:
- Generate multi-repo checkout + per-directory git-remote configuration in
safe_outputswhentarget-repo: "*"is used. - Inject
checkout_mappinginto safe-outputs handler config for wildcard runs and consume it in JS handlers (with workspace-scan fallbacks). - Update schema/docs and add a Go unit test for checkout mapping injection.
Show a summary per file
| File | Description |
|---|---|
| pkg/workflow/safe_outputs_patch_workspace.go | Injects checkout_mapping into handler config for wildcard target-repo. |
| pkg/workflow/safe_outputs_config.go | Wires injectCheckoutMapping into compiled handler config env. |
| pkg/workflow/safe_outputs_config_generation.go | Wires injectCheckoutMapping into generated runtime config. |
| pkg/workflow/compiler_safe_outputs_steps.go | Adds multi-repo checkout / git credentialing / per-repo extra-ref fetching for wildcard targets. |
| pkg/workflow/compiler_safe_outputs_config_test.go | Adds test coverage for wildcard checkout mapping injection behavior. |
| pkg/parser/schemas/main_workflow_schema.json | Documents target-repo: "*" wildcard support in schema descriptions. |
| docs/src/content/docs/reference/safe-outputs-pull-requests.md | Documents cross-repo wildcard behavior and expectations. |
| actions/setup/js/push_to_pull_request_branch.cjs | Uses checkout_mapping to resolve repo checkout directory before scanning workspace. |
| actions/setup/js/create_pull_request.cjs | Uses checkout_mapping and process.chdir() (with restoration) to run git operations in the correct repo directory. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 9/9 changed files
- Comments generated: 4
Comment on lines
1158
to
1161
| switch (ifNoChanges) { | ||
| case "error": | ||
| return { success: false, error: message }; | ||
| return { success: false, error: "No changes to push - failing as configured by if-no-changes: error" }; | ||
|
|
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
This comment has been minimized.
This comment has been minimized.
* Initial plan * chore: start CI failure investigation Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> * test: make checkout action pin expectations dynamic Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…36648) * Plan: fix false-positive extension upgrade success reporting Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> * Verify extension version after self-upgrade before reporting success Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> * Harden self-upgrade by validating installed version post-upgrade Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> * initial plan Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> * Replace custom version regex with semverutil token scanning in parseInstalledVersionOutput Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> * Fix backup cleanup ordering in rename+retry path; fix lint issues Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> Co-authored-by: Peli de Halleux <pelikhan@users.noreply.github.com>
…mas (#36636) * fix: add missing target/target-repo/allowed-repos to safe output schemas The JSON schema for several safe output types was missing properties that the Go code (SafeOutputTargetConfig) and CJS runtime already supported, causing 'Unknown properties' validation errors at compile time. Fixed safe outputs: - resolve-pull-request-review-thread: added target, target-repo, allowed-repos - assign-milestone: added target, allowed-repos - hide-comment: added target, allowed-repos - link-sub-issue: added target, allowed-repos - close-discussion: added allowed-repos - close-pull-request: added allowed-repos - update-discussion: added allowed-repos - update-pull-request: added allowed-repos - mark-pull-request-as-ready-for-review: added allowed-repos - add-reviewer: added allowed-repos - assign-to-agent: added allowed-repos Added comprehensive schema validation test that exercises target, target-repo, and allowed-repos for all 25 safe output types that embed SafeOutputTargetConfig, plus negative tests confirming unknown properties are still rejected. * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * docs(adr): add draft ADR-36636 for safe-output schema sync Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: Peli de Halleux <pelikhan@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* Initial plan * Fix testifylint: remove unnecessary fmt.Sprintf in slog_adapter_test.go Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
When target-repo is "*" and no checkout_mapping is provided (legacy path), if neither findRepoCheckout nor checkoutManager can locate the target repository, proceed with a warning instead of failing. This allows allow_empty PRs to be created via API without requiring a local checkout of the target repo.
Contributor
|
✅ smoke-ci: safeoutputs CLI comment + comment-memory run (26892979103)
|
Closed
Contributor
|
pr-sous-chef: please resolve the active review feedback before merging.
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
When
target-repo: "*"is configured forcreate-pull-requestorpush-to-pull-request-branch, thesafe_outputsjob now checks out all repositories fromcheckout:frontmatter into subdirectories (mirroring the agent job layout), enabling pull requests to multiple repositories in a single run.Changes
Go compiler
compiler_safe_outputs_steps.go: AddedbuildMultiRepoCheckoutSteps()— when wildcard is detected, generates checkout steps for all repos, configures git credentials per-directory (git -C), and fetches additional refs per-repo.safe_outputs_patch_workspace.go: AddedinjectCheckoutMapping()— builds a map of repo slug → relative path fromcheckout:configs and injects it into handler config ascheckout_mapping.safe_outputs_config.go/safe_outputs_config_generation.go: Wire upinjectCheckoutMappingcall.JS handlers
create_pull_request.cjs: Usescheckout_mappingto resolve subdirectory,process.chdir()with try/finally restore. Falls back tofindRepoCheckout()workspace scan, then legacy dynamic remote switching.push_to_pull_request_branch.cjs: Checkscheckout_mappingbefore falling back tofindRepoCheckout()workspace scan.Docs & Schema
target-repoin bothcreate-pull-requestandpush-to-pull-request-branchto document wildcard support.safe-outputs-pull-requests.mdreference docs to explain multi-repo capability.Tests
TestInjectCheckoutMappingForWildcardTargetRepocovering injection, skip cases (non-wildcard, wiki, unrelated handlers).Verification
target-repo: "*"and two allowed repos — generated lock.yml is correctgit -C