Skip to content

Commit 01034aa

Browse files
Copilotlpcox
andauthored
fix: address review comments in PR #25948 integrity-reactions feature
- Move validateIntegrityReactions after MergeFeatures in both compiler_string_api.go and compiler_orchestrator_workflow.go so imported feature flags are visible during validation - Add semverutil.IsValid() guard in mcpgSupportsIntegrityReactions to safely handle non-semver strings (branch names, etc.) - Extend min-integrity requirement to all 4 integrity-reactions fields - Fix error message to show correct YAML multi-line format - Update tests to reflect new behavior Agent-Logs-Url: https://github.com/github/gh-aw/sessions/c9ae237b-f229-4918-98e7-7d057c6618ca Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
1 parent 1a75cd6 commit 01034aa

File tree

5 files changed

+47
-25
lines changed

5 files changed

+47
-25
lines changed

pkg/workflow/compiler_orchestrator_workflow.go

Lines changed: 9 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -112,15 +112,6 @@ func (c *Compiler) ParseWorkflowFile(markdownPath string) (*WorkflowData, error)
112112
return nil, fmt.Errorf("%s: %w", cleanPath, err)
113113
}
114114

115-
// Validate integrity-reactions feature configuration
116-
var gatewayConfig *MCPGatewayRuntimeConfig
117-
if workflowData.SandboxConfig != nil {
118-
gatewayConfig = workflowData.SandboxConfig.MCP
119-
}
120-
if err := validateIntegrityReactions(workflowData.ParsedTools, workflowData.Name, workflowData, gatewayConfig); err != nil {
121-
return nil, fmt.Errorf("%s: %w", cleanPath, err)
122-
}
123-
124115
// Use shared action cache and resolver from the compiler
125116
actionCache, actionResolver := c.getSharedActionResolver()
126117
workflowData.ActionCache = actionCache
@@ -155,6 +146,15 @@ func (c *Compiler) ParseWorkflowFile(markdownPath string) (*WorkflowData, error)
155146
workflowData.Features = mergedFeatures
156147
}
157148

149+
// Validate integrity-reactions feature configuration (after features are merged so imports are visible)
150+
var gatewayConfig *MCPGatewayRuntimeConfig
151+
if workflowData.SandboxConfig != nil {
152+
gatewayConfig = workflowData.SandboxConfig.MCP
153+
}
154+
if err := validateIntegrityReactions(workflowData.ParsedTools, workflowData.Name, workflowData, gatewayConfig); err != nil {
155+
return nil, fmt.Errorf("%s: %w", cleanPath, err)
156+
}
157+
158158
// Process and merge custom steps with imported steps
159159
c.processAndMergeSteps(result.Frontmatter, workflowData, engineSetup.importsResult)
160160

pkg/workflow/compiler_string_api.go

Lines changed: 9 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -150,15 +150,6 @@ func (c *Compiler) ParseWorkflowString(content string, virtualPath string) (*Wor
150150
return nil, fmt.Errorf("%s: %w", cleanPath, err)
151151
}
152152

153-
// Validate integrity-reactions feature configuration
154-
var gatewayConfig *MCPGatewayRuntimeConfig
155-
if workflowData.SandboxConfig != nil {
156-
gatewayConfig = workflowData.SandboxConfig.MCP
157-
}
158-
if err := validateIntegrityReactions(workflowData.ParsedTools, workflowData.Name, workflowData, gatewayConfig); err != nil {
159-
return nil, fmt.Errorf("%s: %w", cleanPath, err)
160-
}
161-
162153
// Setup action cache and resolver
163154
actionCache, actionResolver := c.getSharedActionResolver()
164155
workflowData.ActionCache = actionCache
@@ -178,6 +169,15 @@ func (c *Compiler) ParseWorkflowString(content string, virtualPath string) (*Wor
178169
workflowData.Features = mergedFeatures
179170
}
180171

172+
// Validate integrity-reactions feature configuration (after features are merged so imports are visible)
173+
var gatewayConfig *MCPGatewayRuntimeConfig
174+
if workflowData.SandboxConfig != nil {
175+
gatewayConfig = workflowData.SandboxConfig.MCP
176+
}
177+
if err := validateIntegrityReactions(workflowData.ParsedTools, workflowData.Name, workflowData, gatewayConfig); err != nil {
178+
return nil, fmt.Errorf("%s: %w", cleanPath, err)
179+
}
180+
181181
// Process and merge custom steps
182182
c.processAndMergeSteps(parseResult.frontmatterResult.Frontmatter, workflowData, engineSetup.importsResult)
183183

pkg/workflow/mcp_github_config.go

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -341,6 +341,11 @@ func mcpgSupportsIntegrityReactions(gatewayConfig *MCPGatewayRuntimeConfig) bool
341341
return true
342342
}
343343

344+
if !semverutil.IsValid(version) {
345+
// Branch names and non-semver tags are treated conservatively as not supporting the feature.
346+
return false
347+
}
348+
344349
minVersion := string(constants.MCPGIntegrityReactionsMinVersion)
345350
return semverutil.Compare(version, minVersion) >= 0
346351
}

pkg/workflow/tools_validation.go

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -201,7 +201,7 @@ func validateIntegrityReactions(tools *Tools, workflowName string, data *Workflo
201201
// Reaction fields require the integrity-reactions feature flag
202202
if !isFeatureEnabled(constants.IntegrityReactionsFeatureFlag, data) {
203203
toolsValidationLog.Printf("Reaction fields present but integrity-reactions feature flag not enabled in workflow: %s", workflowName)
204-
return errors.New("invalid guard policy: 'endorsement-reactions', 'disapproval-reactions', 'disapproval-integrity', and 'endorser-min-integrity' require the 'integrity-reactions' feature flag to be enabled. Add 'features: integrity-reactions: true' to your workflow")
204+
return errors.New("invalid guard policy: 'tools.github.endorsement-reactions', 'tools.github.disapproval-reactions', 'tools.github.disapproval-integrity', and 'tools.github.endorser-min-integrity' require the 'integrity-reactions' feature flag to be enabled. Add the following to your workflow frontmatter:\nfeatures:\n integrity-reactions: true")
205205
}
206206

207207
// Reaction fields require MCPG >= v0.2.18
@@ -215,10 +215,10 @@ func validateIntegrityReactions(tools *Tools, workflowName string, data *Workflo
215215
constants.MCPGIntegrityReactionsMinVersion, version)
216216
}
217217

218-
// Reaction fields require min-integrity to be set
219-
if (hasEndorsementReactions || hasDisapprovalReactions) && github.MinIntegrity == "" {
220-
toolsValidationLog.Printf("endorsement-reactions/disapproval-reactions without min-integrity in workflow: %s", workflowName)
221-
return errors.New("invalid guard policy: 'endorsement-reactions' and 'disapproval-reactions' require 'github.min-integrity' to be set")
218+
// Integrity reaction fields require min-integrity to be set so the allow-only guard policy is rendered
219+
if (hasEndorsementReactions || hasDisapprovalReactions || hasDisapprovalIntegrity || hasEndorserMinIntegrity) && github.MinIntegrity == "" {
220+
toolsValidationLog.Printf("integrity reaction fields without min-integrity in workflow: %s", workflowName)
221+
return errors.New("invalid guard policy: 'endorsement-reactions', 'disapproval-reactions', 'disapproval-integrity', and 'endorser-min-integrity' require 'github.min-integrity' to be set")
222222
}
223223

224224
// Validate endorsement-reactions values

pkg/workflow/tools_validation_test.go

Lines changed: 19 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -695,6 +695,22 @@ func TestMCPGSupportsIntegrityReactions(t *testing.T) {
695695
},
696696
want: true,
697697
},
698+
{
699+
name: "non-semver branch name returns false",
700+
gatewayConfig: &MCPGatewayRuntimeConfig{
701+
Container: "ghcr.io/test/mcpg",
702+
Version: "main",
703+
},
704+
want: false,
705+
},
706+
{
707+
name: "non-semver tag returns false",
708+
gatewayConfig: &MCPGatewayRuntimeConfig{
709+
Container: "ghcr.io/test/mcpg",
710+
Version: "feature-branch",
711+
},
712+
want: false,
713+
},
698714
}
699715

700716
for _, tt := range tests {
@@ -878,15 +894,16 @@ func TestValidateIntegrityReactions(t *testing.T) {
878894
errorContains: "none",
879895
},
880896
{
881-
name: "only disapproval-integrity (no reaction arrays) without min-integrity is OK",
897+
name: "only disapproval-integrity (no reaction arrays) without min-integrity fails",
882898
tools: &Tools{
883899
GitHub: &GitHubToolConfig{
884900
DisapprovalIntegrity: "none",
885901
},
886902
},
887903
data: makeDataWithFeature(true),
888904
gatewayConfig: newGatewayConfig,
889-
shouldError: false, // disapproval-integrity alone doesn't require min-integrity
905+
shouldError: true,
906+
errorContains: "min-integrity",
890907
},
891908
}
892909

0 commit comments

Comments
 (0)