feat: support multi-repo wildcard target-repo in safe_outputs job by dsyme · Pull Request #36657 · github/gh-aw

dsyme · 2026-06-03T14:34:59Z

feat: support multi-repo wildcard `target-repo` in `safe_outputs` job

Summary

Extends the safe_outputs job to support target-repo: "*" as a wildcard value in create_pull_request and push_to_pull_request_branch handlers. When the wildcard is used, the agent selects the target repository at runtime, and the safe_outputs job automatically checks out all configured checkout: repos into subdirectories — enabling PRs to multiple repositories within a single workflow run.

What changed and why

New wildcard checkout pipeline (`pkg/workflow/`)

File	Change
`compiler_safe_outputs_steps.go`	Added `buildMultiRepoCheckoutSteps()` — when `target-repo == "*"`, emits `actions/checkout` steps for each non-wiki cross-repo entry with `repository:`, `path:`, `token:`, `fetch-depth:`, sparse checkout, and per-subdirectory Git credential configuration. Also adds `buildSafeOutputsMultiRepoFetchRefsStep()` for fetch-refs steps via `git -C`.
`safe_outputs_patch_workspace.go`	New function. `injectCheckoutMapping()` builds a `map[string]string` (lowercase `repo/slug` → relative path) from `data.CheckoutConfigs` and injects it as `checkout_mapping` into the handler config when `target-repo == "*"`. Skips wiki entries and guards against empty fields.
`safe_outputs_config.go`	Calls `injectCheckoutMapping()` during config construction.
`safe_outputs_config_generation.go`	Calls `injectCheckoutMapping()` during config generation.

Fast-path checkout lookup in JS action (`actions/setup/js/`)

File	Change
`push_to_pull_request_branch.cjs`	When `target-repo` is set, first consults `config.checkout_mapping` (keyed by lowercase slug, resolved against `GITHUB_WORKSPACE`) before falling back to the existing `findRepoCheckout()` workspace scan.
`create_pull_request.cjs`	Added `finally` block to restore the original working directory (`process.chdir(originalCwd)`) after multi-repo subdirectory operations using `repoCwd`; includes related refactors for patch size validation and workflow-id marker injection.

Schema & docs

File	Change
`pkg/parser/schemas/main_workflow_schema.json`	Updated `target-repo` field descriptions in both handlers to document the `"*"` wildcard and its requirement for `checkout:` configs with `path:`.
`docs/.../safe-outputs-pull-requests.md`	Removed the "exactly one cross-repo target" restriction. Added explanation of `target-repo: "*"` wildcard semantics and multi-repo checkout behaviour.

Tests

compiler_safe_outputs_config_test.go: Added TestInjectCheckoutMappingForWildcardTargetRepo with four sub-tests covering wildcard injection, non-wildcard skip, wiki exclusion, and unrelated handler skip.

Behaviour before → after

Scenario	Before	After
`target-repo: "org/repo"`	Single cross-repo checkout, exactly one target	Unchanged
`target-repo: "*"`	Not supported	Agent picks target at runtime; all `checkout:` repos (non-wiki) checked out into subdirectories; `checkout_mapping` injected for fast resolution in JS actions
Multiple PRs in one run	Not possible	Supported via wildcard + multi-repo checkout steps

Testing notes

All four TestInjectCheckoutMappingForWildcardTargetRepo sub-tests cover the mapping construction logic including edge cases (wiki exclusion, wrong handler, non-wildcard target).
JS action changes should be validated with an end-to-end workflow run using target-repo: "*" with at least two checkout: entries with path: defined.

Generated by PR Description Updater for issue #36657 · sonnet46 4.5M · ◷

Copilot

Pull request overview

Adds wildcard ("*") support for target-repo in safe-outputs PR/push handlers by teaching the safe_outputs job to check out multiple repositories and by passing a compile-time checkout → path map down to JS handlers so they can operate in the correct subdirectory.

Changes:

Generate multi-repo checkout + per-directory git-remote configuration in safe_outputs when target-repo: "*" is used.
Inject checkout_mapping into safe-outputs handler config for wildcard runs and consume it in JS handlers (with workspace-scan fallbacks).
Update schema/docs and add a Go unit test for checkout mapping injection.

Show a summary per file

File	Description
pkg/workflow/safe_outputs_patch_workspace.go	Injects `checkout_mapping` into handler config for wildcard `target-repo`.
pkg/workflow/safe_outputs_config.go	Wires `injectCheckoutMapping` into compiled handler config env.
pkg/workflow/safe_outputs_config_generation.go	Wires `injectCheckoutMapping` into generated runtime config.
pkg/workflow/compiler_safe_outputs_steps.go	Adds multi-repo checkout / git credentialing / per-repo extra-ref fetching for wildcard targets.
pkg/workflow/compiler_safe_outputs_config_test.go	Adds test coverage for wildcard checkout mapping injection behavior.
pkg/parser/schemas/main_workflow_schema.json	Documents `target-repo: "*"` wildcard support in schema descriptions.
docs/src/content/docs/reference/safe-outputs-pull-requests.md	Documents cross-repo wildcard behavior and expectations.
actions/setup/js/push_to_pull_request_branch.cjs	Uses `checkout_mapping` to resolve repo checkout directory before scanning workspace.
actions/setup/js/create_pull_request.cjs	Uses `checkout_mapping` and `process.chdir()` (with restoration) to run git operations in the correct repo directory.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Files reviewed: 9/9 changed files
Comments generated: 4

github-actions · 2026-06-03T16:46:06Z

@copilot review all comments and address unresolved review feedback.

pr-sous-chef: please resolve the active review feedback before merging.

Generated by 👨‍🍳 PR Sous Chef · gpt54mini 3M · ◷

github-actions · 2026-06-03T21:52:36Z

@copilot review all comments and address unresolved review feedback.
Please refresh the branch and re-run the relevant checks after resolving the threads.

Generated by 👨‍🍳 PR Sous Chef · gpt54mini 6M · ◷

github-actions · 2026-06-03T22:43:43Z

@copilot review all comments and address unresolved review feedback.

Generated by 👨‍🍳 PR Sous Chef · gpt54mini 8.9M · ◷

github-actions · 2026-06-03T22:43:44Z

@copilot refresh the branch and rerun the relevant checks after landing the review fixes.

Generated by 👨‍🍳 PR Sous Chef · gpt54mini 8.9M · ◷

github-actions · 2026-06-03T23:16:15Z

🧪 Smoke Multi PR is now testing multiple PR creation...

github-actions · 2026-06-03T23:21:49Z

Pull request created: #36750

🧪 Multi PR smoke test by Smoke Multi PR · sonnet46 856.6K

github-actions · 2026-06-03T23:22:00Z

Pull request created: #36751

🧪 Multi PR smoke test by Smoke Multi PR · sonnet46 856.6K

github-actions · 2026-06-03T23:22:01Z

Smoke Test: Multi-PR Creation — Run 26919046997

Both pull requests were created successfully:

PR 1: branch smoke-multi-pr-doc-26919046997-1 — "PR 1: Documentation smoke test"
PR 2: branch smoke-multi-pr-crlf-26919046997-2 — "PR 2: CRLF line endings smoke test"

✅ Multi-PR creation is working correctly.
✅ CRLF line endings were handled correctly in PR 2 (verified with cat -A, each line ends with ^M$).

🧪 Multi PR smoke test by Smoke Multi PR · sonnet46 856.6K · ◷

github-actions · 2026-06-03T23:22:35Z

✅ Smoke Multi PR successfully created multiple PRs.

Enable target-repo: "*" to support creating pull requests and pushing to branches across multiple repositories within a single workflow. Changes: - Add buildMultiRepoCheckoutSteps() to generate checkout steps for all repos - Add buildSafeOutputsMultiRepoFetchRefsStep() for multi-repo ref fetching - Add injectCheckoutMapping() to pass repo->path mapping to handlers - Update create_pull_request.cjs with process.chdir() for subdirectory repos - Update push_to_pull_request_branch.cjs with cwd option for git operations - Add findRepoCheckout utility for discovering repo checkouts in workspace - Add wildcard support documentation and schema updates

github-actions · 2026-06-03T23:43:27Z

✅ smoke-ci: safeoutputs CLI comment + comment-memory run (26920077843)

Generated by 🧪 Smoke CI for issue #36657 · ◷

Copilot AI review requested due to automatic review settings June 3, 2026 14:35

Copilot started reviewing on behalf of dsyme June 3, 2026 14:35 View session

This comment has been minimized.

Sign in to view

Copilot AI reviewed Jun 3, 2026

View reviewed changes

Comment thread actions/setup/js/create_pull_request.cjs

Comment thread pkg/workflow/safe_outputs_patch_workspace.go Outdated

Comment thread actions/setup/js/create_pull_request.cjs

Comment thread pkg/workflow/compiler_safe_outputs_steps.go Outdated

This comment has been minimized.

Sign in to view

github-actions Bot mentioned this pull request Jun 3, 2026

[aw] No-Op Runs #36156

Closed

dsyme force-pushed the multi-repo-wildcard-safe-outputs branch 2 times, most recently from 20b788d to a37790d Compare June 3, 2026 23:10

This comment has been minimized.

Sign in to view

dsyme added the smoke-multi-pr label Jun 3, 2026

dsyme added the smoke-test-pr Trigger smoke tests on PR label Jun 3, 2026

dsyme force-pushed the multi-repo-wildcard-safe-outputs branch from a37790d to b6f0a91 Compare June 3, 2026 23:40

dsyme merged commit bb1fdb3 into main Jun 3, 2026
32 checks passed

dsyme deleted the multi-repo-wildcard-safe-outputs branch June 3, 2026 23:54

This was referenced Jun 4, 2026

[aw] No-Op Runs #36711

Closed

Smoke Test: Codex - 26921903180 #36771

Closed

Conversation

dsyme commented Jun 3, 2026 • edited by github-actions Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!