Copilot AI commented Jan 5, 2026

Implementation: allowed-github-references ✅

Successfully implemented support for restricting GitHub markdown references (like #123 or owner/repo#456) to a set of allowed repositories.

Completed Tasks:

  • Add AllowGitHubReferences field to SafeOutputsConfig struct in Go
  • Parse allowed-github-references from YAML frontmatter in safe_outputs_config.go
  • Pass allowed references to JavaScript via GH_AW_ALLOWED_GITHUB_REFS environment variable
  • Implement neutralizeGitHubReferences() function in sanitize_content_core.cjs
  • Integrate reference neutralization into sanitization pipeline
  • Add comprehensive JavaScript tests for reference parsing and escaping (28 test cases)
  • Add Go unit tests for configuration parsing (8 test cases)
  • Update JSON schema to validate allowed-github-references field with pattern matching
  • Add integration tests for environment variable passing (6 test cases)
  • Fix test expectations to correctly allow same-repo references when "repo" is specified
  • Support empty array to escape all references
  • Update smoke-copilot-no-firewall workflow with empty array
  • Fix setup.sh to include all required MCP handler files
  • Fix JavaScript test expectations
  • All tests passing ✓

Implementation Details:

Configuration Format:

safe-outputs:
  allowed-github-references: ["repo"]  # Current repo only
  # OR
  allowed-github-references: ["repo", "org/repo2", "org/repo3"]  # Multiple repos
  # OR
  allowed-github-references: []  # Escape all references

Behavior:

  • Not specified: All references allowed (no escaping) - default behavior
  • Empty array []: All references escaped with backticks
  • With "repo": Current repo references allowed, others escaped
  • With specific repos: Only listed repos allowed, others escaped
  • Pattern matching: #123, owner/repo#456, case-insensitive
  • "repo" keyword: Represents the current repository - both #123 and owner/repo#123 are allowed
  • Environment variable: GH_AW_ALLOWED_GITHUB_REFS (comma-separated list, or empty string for escape-all)

Examples when "repo" is specified:

  • #123 → NOT escaped (refers to current repo)
  • myorg/myrepo#456 → NOT escaped (current repo, explicit format)
  • other/repo#789 → escaped as `other/repo#789` (different repo)

Examples when empty array [] is specified:

  • #123 → escaped as `#123`
  • myorg/myrepo#456 → escaped as `myorg/myrepo#456`
  • other/repo#789 → escaped as `other/repo#789`

Schema Validation:

  • Pattern: ^(repo|[a-zA-Z0-9][-a-zA-Z0-9]{0,38}/[a-zA-Z0-9._-]+)$
  • Validates repository name format (allows hyphens in owner names)
  • Repository names can contain alphanumeric, hyphens, underscores, and dots
  • Examples provided in schema

Test Coverage:

  • ✅ JavaScript sanitization tests (28 cases including empty array test) - ALL PASSING
  • ✅ Go configuration parsing tests (8 cases) - ALL PASSING
  • ✅ Integration tests for env var passing (6 cases) - ALL PASSING
  • ✅ All tests passing (42 total tests)

Bug Fixes:

  • Fixed setup.sh to copy all required MCP handler files (go, javascript, python, shell) to both safe-inputs and safe-outputs directories
  • Fixed JavaScript test expectations for default behavior (allow all references when no env var set)

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/user
    • Triggering command: /usr/bin/gh gh api user --jq .login -json GO111MODULE 0.1-go1.25.0.linGOMODCACHE GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 0.1-go1.25.0.lin-nilfunc GOINSECURE GOMOD GOMODCACHE go (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

Add a safe-output field to support restricting github markdown references (like issue #number) to a set of repos. The default is all are allowed.

safe-outputs:
  allow-github-references: ["repo"] # restrict to current repo only
  allow-github-references: ["repo", "org/repo2"] # restrict to current repo, org/repo2 only

The javascript that redacts markdown must parse github references and apply the restrictions. If a restricted reference is found, it should be escaped using backticks.



Changeset

  • Type: patch
  • Description: Add allowed-github-references safe-output field to restrict and escape unauthorized GitHub-style markdown references (e.g. #123, owner/repo#456). Includes backend parsing, JS sanitizer, schema validation, and tests.

Ahoy! This treasure was crafted by 🏴‍☠️ Changeset Generator


Copilot AI changed the title from "[WIP] Add safe-output field for restricting GitHub markdown references" to "Add allow-github-references safe-output field to restrict markdown references" Jan 5, 2026
Copilot AI requested a review from pelikhan January 5, 2026 21:30
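
The behavior listed in the pull request description above (field not specified allows all, empty list escapes all, "repo" resolves to the current repository), as an added JavaScript example that is not the project's sanitize_content_core.cjs. The names `parseAllowedRefs` and `neutralizeRefs`, the regular expression and the sample repository names are assumptions.

```javascript
// Added example, not the project's sanitizer.
// parseAllowedRefs and neutralizeRefs are hypothetical names.

// Map the GH_AW_ALLOWED_GITHUB_REFS value to a policy:
//   undefined -> null        (field not specified: allow everything)
//   ""        -> []          (empty array: escape everything)
//   "a,b"     -> ["a", "b"]  (lower-cased; the "repo" keyword is kept as-is)
function parseAllowedRefs(envValue) {
  if (envValue === undefined) return null;
  return envValue.split(",").map(s => s.trim().toLowerCase()).filter(Boolean);
}

// #123 or owner/repo#456, not already inside backticks or part of a longer token.
const REF = /(^|[^\w`\/.-])((?:[a-z0-9][a-z0-9-]*\/[a-z0-9._-]+)?#\d+)\b/gi;

function neutralizeRefs(text, allowed, currentRepo) {
  if (allowed === null) return text;
  const current = (currentRepo || "").toLowerCase();
  const isAllowed = repo =>
    allowed.includes(repo) || (repo === current && allowed.includes("repo"));
  return text.replace(REF, (match, lead, ref) => {
    const explicit = ref.slice(0, ref.indexOf("#")).toLowerCase();
    // A bare #N with no known current repo cannot be resolved; the PR's tests
    // expect it to be left as-is unless the list is empty (escape-all).
    if (!explicit && !current && allowed.length > 0) return match;
    return isAllowed(explicit || current) ? match : `${lead}\`${ref}\``;
  });
}

// Constructed sample input and repository names.
const sample = "See #123, myorg/myrepo#456 and other/repo#789";
for (const env of [undefined, "", "repo", "repo,other/repo"]) {
  console.log(JSON.stringify(env), "=>",
    neutralizeRefs(sample, parseAllowedRefs(env), "myorg/myrepo"));
}
```

The unset versus empty distinction is the part most easily lost between the compiler and the sanitizer: collapsing an empty string to "not set" would turn escape-all into allow-all.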

pelikhan commented Jan 5, 2026

@copilot rename allow-github-references to allowed-github-references


Copilot AI commented Jan 5, 2026

@copilot rename allow-github-references to allowed-github-references

Done. Renamed allow-github-references to allowed-github-references throughout the codebase (commit 4e3e0a0).

Copilot AI changed the title from "Add allow-github-references safe-output field to restrict markdown references" to "Add allowed-github-references safe-output field to restrict markdown references" Jan 5, 2026

pelikhan commented Jan 5, 2026

@copilot

same repo references (#123 → escaped as #123) are allowed if "repo" is specified


Copilot AI commented Jan 5, 2026

@copilot

same repo references (#123 → escaped as #123) are allowed if "repo" is specified

Correct. Fixed the test expectations - same-repo references like #123 are now properly allowed (not escaped) when "repo" is specified. Updated PR description to reflect this behavior (commit 8204e5e).


pelikhan commented Jan 5, 2026

Add more tests


pelikhan commented Jan 5, 2026

@copilot add more tests

- Add 14 additional JavaScript tests covering edge cases:
  * Empty allowed-refs list
  * Current repo not in list
  * Hyphens, underscores, and dots in repo names
  * Multiple references in same sentence
  * References at start/end of string
  * Mixed case handling
  * Long issue numbers
  * Missing GITHUB_REPOSITORY env var
  * Spacing preservation

- Add 4 additional Go config tests:
  * Repos with hyphens
  * Repos with underscores and dots
  * Single specific repo without 'repo' keyword
  * Mix of 'repo' keyword and specific repos

- Add 3 additional Go integration tests:
  * Special characters in repo names
  * Mix of repo keyword and specific repos
  * Only specific repos without repo keyword

- Update schema pattern to allow hyphens in owner names: ^(repo|[a-zA-Z0-9][-a-zA-Z0-9]{0,38}/[a-zA-Z0-9._-]+)$

Total test coverage: 27 JavaScript tests + 8 Go config tests + 6 Go integration tests = 41 tests

Co-authored-by: pelikhan <[email protected]>

Copilot AI commented Jan 5, 2026

@copilot add more tests

Added comprehensive test coverage (commit f900bd4):

JavaScript tests (27 total):

  • 14 new tests covering edge cases: empty allowed-refs list, current repo not in list, special characters in repo names, multiple references, mixed case, long issue numbers, missing GITHUB_REPOSITORY, spacing preservation

Go tests (14 total):

  • 4 new config parsing tests: repos with hyphens, underscores/dots, single specific repo, mix of 'repo' keyword and specific repos
  • 3 new integration tests: special characters in repo names, mixed configurations, specific repos only

Also updated schema pattern to ^(repo|[a-zA-Z0-9][-a-zA-Z0-9]{0,38}/[a-zA-Z0-9._-]+)$ to properly support hyphens in owner names.

Total: 41 tests covering all major scenarios and edge cases.


pelikhan commented Jan 5, 2026

@copilot update smoke-no-firewall agentic workflow with allowed-github-references: []

- Update Go compiler to set GH_AW_ALLOWED_GITHUB_REFS env var even when array is empty
- Update JavaScript to distinguish between undefined (allow all) and empty string (escape all)
- Initialize refStrings as empty slice instead of nil to preserve empty array semantics
- Add test for escaping all references when allowed-github-references: []
- Update smoke-copilot-no-firewall workflow to use allowed-github-references: []

When allowed-github-references is:
- Not specified: All references allowed (no escaping)
- Empty array []: All references escaped
- ["repo"]: Only current repo references allowed
- ["repo", "org/other"]: Current repo and specific repos allowed

Co-authored-by: pelikhan <[email protected]>
pelikhan added smoke and removed smoke labels Jan 5, 2026

github-actions bot commented Jan 5, 2026

✅ Firewall validation complete... Smoke Codex Firewall confirmed network sandboxing is operational. 🛡️


github-actions bot commented Jan 5, 2026

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟


github-actions bot commented Jan 5, 2026

🤖 DIAGNOSTIC COMPLETE: Smoke Copilot No Firewall STATUS: ALL_UNITS_OPERATIONAL. MISSION_SUCCESS.


github-actions bot commented Jan 5, 2026

🎬 THE END Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨


github-actions bot commented Jan 5, 2026

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰


github-actions bot commented Jan 5, 2026

🎉 Yo ho ho! Smoke Copilot Safe Inputs found the treasure and completed successfully! ⚓💰


github-actions bot commented Jan 5, 2026

📰 DEVELOPING STORY: Smoke Copilot reports failed. Our correspondents are investigating the incident...


github-actions bot commented Jan 5, 2026

📰 VERDICT: Smoke Copilot Playwright has concluded. All systems operational. This is a developing story. 🎤


github-actions bot commented Jan 5, 2026

PRs: #9036 Add debugging-workflows Agent Skill | #9035 Add fix tool to MCP server
OpenAI curl blocked: ✅
example.com blocked: ✅
GitHub MCP last 2 merged PRs fetched: ✅
File write/read /tmp/gh-aw/agent/smoke-test-codex-firewall-20732827216.txt: ✅
Network: SANDBOXED
Overall: PASS

AI generated by Smoke Codex Firewall


github-actions bot commented Jan 5, 2026

Smoke Test Results

Playwright MCP Testing: Missing playwright MCP server tool
Safe Input gh Tool Testing: Missing safeinputs-gh tool
Cache Memory Testing: Successfully wrote and verified file

Overall Status: ❌ FAIL (2/3 tests failed - required tools not available)

AI generated by Smoke Copilot Playwright


github-actions bot commented Jan 5, 2026

✅ Smoke test complete - all tests passed!

Test Results:

  • ✅ Reviewed last 2 merged PRs (#9036, #9035)
  • ✅ Created test file at /tmp/gh-aw/agent/smoke-test-copilot-20732827247.txt
  • ✅ Navigated to GitHub homepage with Playwright (title verified)
  • ✅ Listed 3 open issues using safeinputs-gh tool

AI generated by Smoke Copilot No Firewall


github-actions bot commented Jan 5, 2026

Smoke Test Results - Claude Engine

Recent PRs:

Test Results:
✅ GitHub MCP - Retrieved 2 merged PRs
✅ File Writing - Created /tmp/gh-aw/agent/smoke-test-claude-20732827225.txt
✅ Bash Tool - Verified file contents successfully
✅ Playwright MCP - Navigated to GitHub, title contains "GitHub"
✅ Cache Memory - Created /tmp/gh-aw/cache-memory/smoke-test-20732827225.txt
❌ Safe Input gh Tool - Tool not available (not configured)

Status: PASS (5/6 tests passed, gh tool unavailable by design)

AI generated by Smoke Claude


github-actions bot commented Jan 5, 2026

Smoke Test Results

File Writing: Created /tmp/gh-aw/agent/smoke-test-copilot-20732827207.txt
Bash Tool: Verified file content successfully
Safe Input gh Tool: Accessed GitHub data (2 merged PRs)

Overall Status: PASS 🎉

AI generated by Smoke Copilot Safe Inputs


github-actions bot commented Jan 5, 2026

PRs: Add debugging-workflows Agent Skill; Add fix tool to MCP server
GitHub MCP: ✅
File write: ✅
File readback: ✅
Playwright title check: ✅
Cache memory write/read: ✅
safeinputs-gh issues list: ❌ (tool unavailable in toolset)
Overall: FAIL

AI generated by Smoke Codex


pelikhan commented Jan 5, 2026

@copilot format, fix js tests

Fixed two failing tests in sanitize_content.test.cjs:

1. "should allow all references by default" - Fixed expectation to NOT escape #123 when no env var is set, since the default behavior is to allow all references.

2. "should handle no GITHUB_REPOSITORY env var with 'repo' keyword" - Fixed expectation to NOT escape #123 when GITHUB_REPOSITORY is not set, since the reference can't be determined and is left as-is.

The tests were expecting references to be escaped by bot trigger neutralization, but "issue" is not a bot trigger word (only "fixes", "closes", "resolves", etc. are).

All 122 JavaScript test files now pass (2462 tests).
All Go tests for allowed-github-references pass (14 tests).

Co-authored-by: pelikhan <[email protected]>

Copilot AI commented Jan 6, 2026

@copilot format, fix js tests

Fixed in commit d61a21f.

Formatting: Already passing - all JavaScript files properly formatted with Prettier.

JavaScript tests: Fixed 2 failing tests in sanitize_content.test.cjs by correcting test expectations:

  1. "should allow all references by default" - Now correctly expects #123 to NOT be escaped when no env var is set (default behavior allows all references)
  2. "should handle no GITHUB_REPOSITORY env var with 'repo' keyword" - Now correctly expects #123 to NOT be escaped when GITHUB_REPOSITORY is missing

All 122 JavaScript test files now pass (2462 tests total).
All 14 Go tests for allowed-github-references also pass.

pelikhan marked this pull request as ready for review January 6, 2026 00:10
pelikhan merged commit c59dc61 into main Jan 6, 2026
4 checks passed
pelikhan deleted the copilot/add-safe-output-field branch January 6, 2026 00:10
github-actions bot mentioned this pull request Jan 6, 2026