Fix on.bots/on.roles state leakage that corrupts workflow_run triggers (#41018)

* Initial plan

* Plan regression fix for workflow_run + bots/roles

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

* Fix workflow_run trigger corruption with on bots and roles

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

* Add regression coverage for workflow_run with bots and roles

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

* docs(adr): add draft ADR-41018 for on: tracker reset

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Fix review feedback: inline reset into activateEventSection, expand coverage, revert smoke if

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: 4 people

docs/adr/41018-reset-on-section-array-trackers.md

@@ -0,0 +1,41 @@
+# ADR-41018: Reset `on:` Extension-Array Trackers at Event-Section Boundaries
+
+**Date**: 2026-06-23
+**Status**: Draft
+
+## Context
+
+`commentOutProcessedFieldsInOnSection` in `pkg/workflow/frontmatter_extraction_yaml.go` is a line-based state machine that walks the `on:` block and comments out compiler-processed extension fields (`bots`, `roles`, `labels`, `needs`, and their skip variants). It tracks "am I inside this array" with flat boolean flags (`inBotsArray`, `inRolesArray`, etc.). Because those flags were never reset when a new event section began, array state from one sibling key leaked into the next: when `bots:` or `roles:` appeared alongside `workflow_run:` in the same `on:` block, the stale array tracker caused the walker to comment out `workflow_run.workflows`/`types` list items. The stripped `workflows` then failed the non-empty-workflows compile-time validation, breaking an otherwise valid trigger composition.
+
+## Decision
+
+We will reset all top-level `on:` extension-array trackers at the start of every event section. A `resetOnArrayTrackers` closure clears `inSkipRolesArray`, `inSkipBotsArray`, `inRolesArray`, `inBotsArray`, `inLabelsArray`, and `inNeedsArray`, and it is invoked immediately before `activateEventSection` for each recognized section (`pull_request`, `issues`, `discussion`, `issue_comment`, `deployment_status`, `workflow_run`). This keeps the existing line-based scanner but makes its array state strictly section-local, so no sibling key can inherit a stale "inside array" flag.
+
+## Alternatives Considered
+
+### Alternative 1: Replace the line-based scanner with structured YAML scoping
+
+We could parse the `on:` block into a node tree and decide field-by-field which keys to comment out, eliminating flat boolean state entirely. This is the more robust long-term fix, but it is a substantial rewrite of a security-relevant code path and risks changing comment-out behavior for the many already-covered cases. Given the bug is a narrow state-leak, the targeted reset was preferred over a structural rewrite under this PR's scope.
+
+### Alternative 2: Reset only the bots/roles trackers, or only on entering `workflow_run`
+
+We could clear just the two flags implicated in the reported failure, or reset only when the walker enters `workflow_run:`. This was rejected because the leak is a general property of the flat-flag design — any extension array preceding any event section can leak — so a partial reset would leave latent corruption for other key orderings (e.g. `labels`/`needs` before `issues`). Resetting all trackers at every section boundary fixes the class of bug rather than the single reported instance.
+
+## Consequences
+
+### Positive
+- `workflow_run` triggers compose correctly with sibling `bots:`/`roles:` filters; `workflows`/`types` are no longer stripped, so the non-empty-workflows validation passes.
+- The fix is minimal and localized, preserving the existing, well-tested line-based comment-out behavior for all other cases.
+- Regression coverage is added at two levels: direct comment-out tests in `compiler_draft_test.go` (four key orderings) and strict-mode compile tests in `workflow_run_validation_test.go`.
+
+### Negative
+- The fragile flat-boolean state machine remains; the reset is a guard, not a structural fix, so similar state-leak bugs can recur if new trackers are added without being included in `resetOnArrayTrackers`.
+- The reset list must be kept in sync with the set of extension-array trackers — a future tracker omitted from the closure would silently reintroduce the leak.
+
+### Neutral
+- Behavior is unchanged for `on:` blocks that do not mix extension arrays with event sections; the reset is a no-op when no array flag is set.
+- The reset is tied to the fixed set of recognized event-section keys; adding a new event section requires adding the same `resetOnArrayTrackers()` call alongside its `activateEventSection` invocation.
+
+---
+
+*ADR created by [adr-writer agent]. Review and finalize before changing status from Draft to Accepted.*

docs/src/content/docs/reference/triggers.md

@@ -209,6 +209,16 @@ on:
       - develop
 ```
 
+You can also combine `workflow_run` with top-level authorization filters such as `bots:` or `roles:`:
+
+```yaml wrap
+on:
+  workflow_run:
+    workflows: ["CI"]
+    types: [completed]
+  bots: ["dependabot[bot]"]
+```
+
 Workflows with `workflow_run` triggers include automatic security protections: `workflows` must list at least one non-empty entry (empty or missing values are rejected at compile time, since GitHub silently disables such triggers); the compiler injects repository ID and fork checks to reject cross-repository or fork-triggered runs; and `branches` is recommended to limit triggering branches (the compiler warns when omitted, or errors in strict mode). See the [Security Architecture](/gh-aw/introduction/architecture/) for details.
 
 #### Conclusion Filtering (`conclusion:`)

pkg/workflow/compiler_draft_test.go

@@ -352,6 +352,120 @@ func TestCommentOutProcessedFieldsInOnSection(t *testing.T) {
   workflow_dispatch:`,
 			description: "Should reset workflow_run conclusion tracker when entering a new event section",
 		},
+		{
+			name: "workflow_run followed by bots keeps workflows and types uncommented",
+			input: `on:
+  workflow_run:
+    workflows: ["CI"]
+    types: [completed]
+  bots:
+    - dependabot
+  workflow_dispatch:`,
+			expected: `on:
+  workflow_run:
+    workflows: ["CI"]
+    types: [completed]
+  # bots: # Bots processed as bot check in pre-activation job
+    # - dependabot # Bots processed as bot check in pre-activation job
+  workflow_dispatch:`,
+			description: "Should not let bots array state leak into workflow_run fields",
+		},
+		{
+			name: "bots before workflow_run do not comment workflow_run list items",
+			input: `on:
+  bots:
+    - dependabot
+  workflow_run:
+    workflows: ["CI"]
+    types: [completed]
+  workflow_dispatch:`,
+			expected: `on:
+  # bots: # Bots processed as bot check in pre-activation job
+    # - dependabot # Bots processed as bot check in pre-activation job
+  workflow_run:
+    workflows: ["CI"]
+    types: [completed]
+  workflow_dispatch:`,
+			description: "Should reset bots array tracker before entering workflow_run section",
+		},
+		{
+			name: "bots before workflow_run with multi-line arrays do not comment workflow_run list items",
+			input: `on:
+  bots:
+    - dependabot
+  workflow_run:
+    workflows:
+      - CI
+    types:
+      - completed
+  workflow_dispatch:`,
+			expected: `on:
+  # bots: # Bots processed as bot check in pre-activation job
+    # - dependabot # Bots processed as bot check in pre-activation job
+  workflow_run:
+    workflows:
+      - CI
+    types:
+      - completed
+  workflow_dispatch:`,
+			description: "Should not comment out multi-line workflow_run.workflows/types items when bots precedes workflow_run",
+		},
+		{
+			name: "skip-if-check-failing before workflow_run does not corrupt workflow_run list items",
+			input: `on:
+  skip-if-check-failing:
+    - build
+  workflow_run:
+    workflows:
+      - CI
+    types:
+      - completed
+  workflow_dispatch:`,
+			expected: `on:
+  # skip-if-check-failing: # Skip-if-check-failing processed as check status gate in pre-activation job
+    # - build
+  workflow_run:
+    workflows:
+      - CI
+    types:
+      - completed
+  workflow_dispatch:`,
+			description: "Should reset inSkipIfCheckFailing before entering workflow_run to prevent list-item corruption",
+		},
+		{
+			name: "roles before workflow_run do not comment workflow_run list items",
+			input: `on:
+  roles:
+    - write
+  workflow_run:
+    workflows: ["CI"]
+    types: [completed]
+  workflow_dispatch:`,
+			expected: `on:
+  # roles: # Roles processed as role check in pre-activation job
+    # - write # Roles processed as role check in pre-activation job
+  workflow_run:
+    workflows: ["CI"]
+    types: [completed]
+  workflow_dispatch:`,
+			description: "Should reset roles array tracker before entering workflow_run section",
+		},
+		{
+			name: "roles all before workflow_run keeps workflow_run intact",
+			input: `on:
+  roles: all
+  workflow_run:
+    workflows: ["CI"]
+    types: [completed]
+  workflow_dispatch:`,
+			expected: `on:
+  # roles: all # Roles processed as role check in pre-activation job
+  workflow_run:
+    workflows: ["CI"]
+    types: [completed]
+  workflow_dispatch:`,
+			description: "Should handle inline roles value without affecting workflow_run fields",
+		},
 		{
 			name: "top-level on needs array",
 			input: `on:

pkg/workflow/frontmatter_extraction_yaml.go

@@ -164,7 +164,28 @@ func (c *Compiler) commentOutProcessedFieldsInOnSection(yamlStr string, frontmat
 	deploymentStatusIndent := -1
 	workflowRunIndent := -1
 	// activateEventSection resets all event-section flags and then activates the selected section.
+	// It also clears every top-level on: extension-array tracker (inBotsArray, inRolesArray,
+	// inSkipIfCheckFailing, etc.) before entering the new section.  This reset is required
+	// because each activateEventSection call ends with "continue", which bypasses the
+	// indent-based deactivation logic further down the loop.  Without the explicit reset here,
+	// a stale flag from a preceding bots:/roles:/skip-if-check-failing: block would cause that
+	// section's list items (e.g. "workflow_run.workflows: - CI") to be incorrectly commented out.
 	activateEventSection := func(section string, indent int) {
+		// Clear all top-level on: extension-array state so no sibling section leaks in.
+		inSkipRolesArray = false
+		inSkipBotsArray = false
+		inRolesArray = false
+		inBotsArray = false
+		inLabelsArray = false
+		inNeedsArray = false
+		// These trackers share the same exit-check-ordering issue: their deactivation
+		// logic runs after the "continue" that terminates each activateEventSection call,
+		// so they must also be reset here explicitly.
+		inSkipIfMatch = false
+		inSkipIfNoMatch = false
+		inSkipIfCheckFailing = false
+		inSkipAuthorAssociations = false
+
 		inPullRequest = section == "pull_request"
 		inIssues = section == "issues"
 		inDiscussion = section == "discussion"

pkg/workflow/workflow_run_validation_test.go

@@ -119,6 +119,57 @@ Test workflow content.`,
 			expectWarning: false,
 			warningCount:  0,
 		},
+		{
+			name: "workflow_run with sibling bots - strict mode - should pass",
+			frontmatter: `---
+on:
+  bots:
+    - dependabot
+  workflow_run:
+    workflows:
+      - build
+    types:
+      - completed
+    branches:
+      - main
+tools:
+  github:
+    toolsets: [repos]
+---
+
+# Workflow Run With Bots
+Test workflow content.`,
+			filename:      "workflow-run-with-bots-strict.md",
+			strictMode:    true,
+			expectError:   false,
+			expectWarning: false,
+			warningCount:  0,
+		},
+		{
+			name: "workflow_run with sibling roles all - strict mode - should pass",
+			frontmatter: `---
+on:
+  roles: all
+  workflow_run:
+    workflows:
+      - build
+    types:
+      - completed
+    branches:
+      - main
+tools:
+  github:
+    toolsets: [repos]
+---
+
+# Workflow Run With Roles
+Test workflow content.`,
+			filename:      "workflow-run-with-roles-strict.md",
+			strictMode:    true,
+			expectError:   false,
+			expectWarning: false,
+			warningCount:  0,
+		},
 		{
 			name: "workflow_run without workflows - should error",
 			frontmatter: `---