Move stop-time safety checks to dedicated job with actions:write permission (#1156)

* Initial plan

* Move stop-time safety checks to dedicated job with actions:write permission

- Created buildStopTimeCheckJob() function to create dedicated job for stop-time checks
- Updated buildJobs() to create stop_time_check job before main job
- Main job now depends on stop_time_check job (if it exists)
- stop_time_check job has actions:write permission for gh workflow disable
- stop_time_check job depends on activation job (if it exists)
- Removed generateStopTimeChecks() call from main job steps
- Added comprehensive tests for stop-time check job creation
- All tests passing and linter clean

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

* Remove agent job dependency on stop_time_check job

Per user feedback, the agent job should not have a "needs" dependency on the
stop_time_check job. Both jobs now run independently (or both depend on activation
if it exists), allowing the agent to start without waiting for stop-time checks.

Changes:
- Removed stopTimeCheckJobCreated parameter from buildMainJob
- Reverted buildMainJob to only depend on activation job (if exists)
- Updated tests to reflect that agent no longer depends on stop_time_check
- stop_time_check job still created and runs, just not as blocking dependency

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

* Format, lint, and recompile workflows

- Formatted JavaScript files with prettier (indentation fixes)
- All lint checks passing
- Recompiled all workflow files to include formatting updates

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

* Add stop-time test workflows and update dev.md with stop-after

- Added test-claude-stop-time.md and test-copilot-stop-time.md test workflows
- Both test workflows use stop-after configuration (+24h and +48h respectively)
- Updated dev.md with stop-after: "2026-01-01 00:00:00" as requested
- Recompiled all workflows to include stop_time_check jobs
- Test workflows verify stop-time safety check job creation with actions:write permission

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

* Remove test workflow lock files, format, lint, and recompile

- Removed pkg/cli/workflows/test-claude-stop-time.lock.yml from git tracking
- Removed pkg/cli/workflows/test-copilot-stop-time.lock.yml from git tracking
- Lock files are now ignored by .gitignore (only .md files tracked for tests)
- Formatted JavaScript files with prettier
- All lint checks passing
- Recompiled all workflows

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Author: Copilot

.github/workflows/dev.lock.yml

@@ -4,6 +4,7 @@ on:
   push:
     branches:
       - copilot*
+  stop-after: "2026-01-01 00:00:00"
 engine: copilot
 tools:
   github:

.github/workflows/dev.md

@@ -0,0 +1,17 @@
+---
+on:
+  workflow_dispatch:
+  stop-after: "+24h"
+permissions:
+  contents: read
+engine: claude
+---
+
+# Test Claude Stop-Time
+
+This is a test workflow to verify stop-time safety checks with Claude engine.
+
+The workflow has a stop-after configuration that should create a dedicated stop_time_check job
+with actions:write permission to disable the workflow if the deadline is reached.
+
+Please analyze the current repository state and provide a brief summary.

pkg/cli/workflows/test-claude-stop-time.md

@@ -0,0 +1,17 @@
+---
+on:
+  workflow_dispatch:
+  stop-after: "+48h"
+permissions:
+  contents: read
+engine: copilot
+---
+
+# Test Copilot Stop-Time
+
+This is a test workflow to verify stop-time safety checks with Copilot engine.
+
+The workflow has a stop-after configuration that should create a dedicated stop_time_check job
+with actions:write permission to disable the workflow if the deadline is reached.
+
+Please analyze the current repository state and provide a brief summary.

pkg/cli/workflows/test-copilot-stop-time.md

@@ -1329,6 +1329,17 @@ func (c *Compiler) buildJobs(data *WorkflowData, markdownPath string) error {
 		}
 	}
 
+	// Build stop-time check job if stop-time is configured
+	if data.StopTime != "" {
+		stopTimeCheckJob, err := c.buildStopTimeCheckJob(data, activationJobCreated)
+		if err != nil {
+			return fmt.Errorf("failed to build stop_time_check job: %w", err)
+		}
+		if err := c.jobManager.AddJob(stopTimeCheckJob); err != nil {
+			return fmt.Errorf("failed to add stop_time_check job: %w", err)
+		}
+	}
+
 	// Build main workflow job
 	mainJob, err := c.buildMainJob(data, activationJobCreated)
 	if err != nil {
@@ -1720,8 +1731,8 @@ func (c *Compiler) generateMainJobSteps(yaml *strings.Builder, data *WorkflowDat
 	// Add MCP setup
 	c.generateMCPSetup(yaml, data.Tools, engine, data)
 
-	// Add safety checks before executing agentic tools
-	c.generateStopTimeChecks(yaml, data)
+	// Stop-time safety checks are now handled by a dedicated job (stop_time_check)
+	// No longer generated in the main job steps
 
 	// Add prompt creation step
 	c.generatePrompt(yaml, data)

pkg/workflow/compiler.go

@@ -2,7 +2,6 @@ package workflow
 
 import (
 	"fmt"
-	"strings"
 	"time"
 
 	"github.com/githubnext/gh-aw/pkg/console"
@@ -91,48 +90,61 @@ func resolveStopTime(stopTime string, compilationTime time.Time) (string, error)
 	return parseAbsoluteDateTime(stopTime)
 }
 
-// generateStopTimeChecks generates safety checks for stop-time before executing agentic tools
-func (c *Compiler) generateStopTimeChecks(yaml *strings.Builder, data *WorkflowData) {
-	// If no safety settings, skip generating safety checks
+// buildStopTimeCheckJob creates the stop-time check job that validates workflow time limits
+func (c *Compiler) buildStopTimeCheckJob(data *WorkflowData, activationJobCreated bool) (*Job, error) {
 	if data.StopTime == "" {
-		return
+		return nil, fmt.Errorf("stop-time configuration is required")
 	}
 
-	yaml.WriteString("      - name: Safety checks\n")
-	yaml.WriteString("        run: |\n")
-	yaml.WriteString("          set -e\n")
-	yaml.WriteString("          echo \"Performing safety checks before executing agentic tools...\"\n")
+	var steps []string
+
+	steps = append(steps, "      - name: Safety checks\n")
+	steps = append(steps, "        run: |\n")
+	steps = append(steps, "          set -e\n")
+	steps = append(steps, "          echo \"Performing safety checks before executing agentic tools...\"\n")
 
 	// Extract workflow name for gh workflow commands
 	workflowName := data.Name
-	fmt.Fprintf(yaml, "          WORKFLOW_NAME=\"%s\"\n", workflowName)
+	steps = append(steps, fmt.Sprintf("          WORKFLOW_NAME=\"%s\"\n", workflowName))
 
 	// Add stop-time check
-	if data.StopTime != "" {
-		yaml.WriteString("          \n")
-		yaml.WriteString("          # Check stop-time limit\n")
-		fmt.Fprintf(yaml, "          STOP_TIME=\"%s\"\n", data.StopTime)
-		yaml.WriteString("          echo \"Checking stop-time limit: $STOP_TIME\"\n")
-		yaml.WriteString("          \n")
-		yaml.WriteString("          # Convert stop time to epoch seconds\n")
-		yaml.WriteString("          STOP_EPOCH=$(date -d \"$STOP_TIME\" +%s 2>/dev/null || echo \"invalid\")\n")
-		yaml.WriteString("          if [ \"$STOP_EPOCH\" = \"invalid\" ]; then\n")
-		yaml.WriteString("            echo \"Warning: Invalid stop-time format: $STOP_TIME. Expected format: YYYY-MM-DD HH:MM:SS\"\n")
-		yaml.WriteString("          else\n")
-		yaml.WriteString("            CURRENT_EPOCH=$(date +%s)\n")
-		yaml.WriteString("            echo \"Current time: $(date)\"\n")
-		yaml.WriteString("            echo \"Stop time: $STOP_TIME\"\n")
-		yaml.WriteString("            \n")
-		yaml.WriteString("            if [ \"$CURRENT_EPOCH\" -ge \"$STOP_EPOCH\" ]; then\n")
-		yaml.WriteString("              echo \"Stop time reached. Attempting to disable workflow to prevent cost overrun, then exiting.\"\n")
-		yaml.WriteString("              gh workflow disable \"$WORKFLOW_NAME\"\n")
-		yaml.WriteString("              echo \"Workflow disabled. No future runs will be triggered.\"\n")
-		yaml.WriteString("              exit 1\n")
-		yaml.WriteString("            fi\n")
-		yaml.WriteString("          fi\n")
+	steps = append(steps, "          \n")
+	steps = append(steps, "          # Check stop-time limit\n")
+	steps = append(steps, fmt.Sprintf("          STOP_TIME=\"%s\"\n", data.StopTime))
+	steps = append(steps, "          echo \"Checking stop-time limit: $STOP_TIME\"\n")
+	steps = append(steps, "          \n")
+	steps = append(steps, "          # Convert stop time to epoch seconds\n")
+	steps = append(steps, "          STOP_EPOCH=$(date -d \"$STOP_TIME\" +%s 2>/dev/null || echo \"invalid\")\n")
+	steps = append(steps, "          if [ \"$STOP_EPOCH\" = \"invalid\" ]; then\n")
+	steps = append(steps, "            echo \"Warning: Invalid stop-time format: $STOP_TIME. Expected format: YYYY-MM-DD HH:MM:SS\"\n")
+	steps = append(steps, "          else\n")
+	steps = append(steps, "            CURRENT_EPOCH=$(date +%s)\n")
+	steps = append(steps, "            echo \"Current time: $(date)\"\n")
+	steps = append(steps, "            echo \"Stop time: $STOP_TIME\"\n")
+	steps = append(steps, "            \n")
+	steps = append(steps, "            if [ \"$CURRENT_EPOCH\" -ge \"$STOP_EPOCH\" ]; then\n")
+	steps = append(steps, "              echo \"Stop time reached. Attempting to disable workflow to prevent cost overrun, then exiting.\"\n")
+	steps = append(steps, "              gh workflow disable \"$WORKFLOW_NAME\"\n")
+	steps = append(steps, "              echo \"Workflow disabled. No future runs will be triggered.\"\n")
+	steps = append(steps, "              exit 1\n")
+	steps = append(steps, "            fi\n")
+	steps = append(steps, "          fi\n")
+	steps = append(steps, "          echo \"All safety checks passed. Proceeding with agentic tool execution.\"\n")
+	steps = append(steps, "        env:\n")
+	steps = append(steps, "          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n")
+
+	var depends []string
+	if activationJobCreated {
+		depends = []string{"activation"} // Depend on the activation job only if it exists
+	}
+
+	job := &Job{
+		Name:        "stop_time_check",
+		RunsOn:      "runs-on: ubuntu-latest",
+		Permissions: "permissions:\n      actions: write  # Required for gh workflow disable",
+		Steps:       steps,
+		Needs:       depends,
 	}
 
-	yaml.WriteString("          echo \"All safety checks passed. Proceeding with agentic tool execution.\"\n")
-	yaml.WriteString("        env:\n")
-	yaml.WriteString("          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n")
+	return job, nil
 }