chore: sync actions from gh-aw@v0.74.5 (#107)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

Author: github-actions[bot]

setup/js/TESTING_LIVE_API.md

@@ -42,7 +42,7 @@ The standalone script provides more detailed output about the API interaction.
 
 The live API test:
 1. Fetches the `audit-workflows.md` workflow from the `github/gh-aw` repository
-2. Resolves and fetches all imported files (like `shared/mcp/gh-aw.md`)
+2. Resolves and fetches all imported files (like `shared/mcp/tavily.md`)
 3. Computes the frontmatter hash using the JavaScript implementation
 4. Verifies the hash is deterministic by computing it twice
 5. Confirms the hash format is a valid SHA-256 hex string
@@ -81,7 +81,7 @@ Workflow: .github/workflows/audit-workflows.md
 
 📊 Summary:
    - Successfully fetched workflow from live GitHub API
-   - Processed workflow with imports (shared/mcp/gh-aw.md, etc.)
+   - Processed workflow with imports (shared/mcp/tavily.md, etc.)
    - Computed deterministic SHA-256 hash
    - Verified hash consistency across multiple API calls
 

setup/js/add_comment.cjs

@@ -8,7 +8,7 @@
 const { generateFooterWithMessages, getDetectionCautionAlert, generateXMLMarker } = require("./messages_footer.cjs");
 const { generateWorkflowCallIdMarker, matchesWorkflowId } = require("./generate_footer.cjs");
 const { getRepositoryUrl } = require("./get_repository_url.cjs");
-const { replaceTemporaryIdReferences, loadTemporaryIdMapFromResolved, resolveRepoIssueTarget } = require("./temporary_id.cjs");
+const { replaceTemporaryIdReferences, resolveSafeOutputIssueTarget } = require("./temporary_id.cjs");
 const { getTrackerID } = require("./get_tracker_id.cjs");
 const { getErrorMessage } = require("./error_helpers.cjs");
 const { parseBoolTemplatable } = require("./templatable.cjs");
@@ -31,6 +31,21 @@ const { resolveInvocationContext } = require("./invocation_context_helpers.cjs")
 /** @type {string} Safe output type handled by this module */
 const HANDLER_TYPE = "add_comment";
 
+/**
+ * Deduplicate an array of strings using case-insensitive comparison, preserving original casing and order.
+ * @param {string[]} aliases
+ * @returns {string[]}
+ */
+function deduplicateCaseInsensitive(aliases) {
+  const seen = new Set();
+  return aliases.filter(alias => {
+    const key = alias.toLowerCase();
+    if (seen.has(key)) return false;
+    seen.add(key);
+    return true;
+  });
+}
+
 /**
  * Resolve effective event name/payload for native and forwarded contexts.
  * Supports:
@@ -448,33 +463,11 @@ async function main(config = {}) {
     // Check if item_number or issue_number was explicitly provided in the message.
     // item_number takes precedence over issue_number when both are present.
     // pr-number is accepted as an alias for item_number for robustness.
-    const explicitItemNumber = message.item_number ?? message.issue_number ?? message["pr-number"] ?? undefined;
-
-    if (explicitItemNumber !== undefined) {
-      // Resolve temporary IDs if present
-      const resolvedTarget = resolveRepoIssueTarget(explicitItemNumber, temporaryIdMap, repoParts.owner, repoParts.repo);
-
-      // Check if this is an unresolved temporary ID
-      if (resolvedTarget.wasTemporaryId && !resolvedTarget.resolved) {
-        core.info(`Deferring add_comment: unresolved temporary ID (${explicitItemNumber})`);
-        return {
-          success: false,
-          deferred: true,
-          error: resolvedTarget.errorMessage || `Unresolved temporary ID: ${explicitItemNumber}`,
-        };
-      }
+    const itemTargetResult = resolveSafeOutputIssueTarget({ message, tempIdMap: temporaryIdMap, repoParts, handlerType: HANDLER_TYPE, aliases: ["item_number", "issue_number", "pr-number"] });
+    if (!itemTargetResult.success) return itemTargetResult;
 
-      // Check for other resolution errors (including null resolved)
-      if (resolvedTarget.errorMessage || !resolvedTarget.resolved) {
-        core.warning(`Invalid explicit target number specified: ${explicitItemNumber}`);
-        return {
-          success: false,
-          error: `Invalid explicit target number specified: ${explicitItemNumber}`,
-        };
-      }
-
-      // Use the resolved issue number (safe to access because we checked above)
-      itemNumber = resolvedTarget.resolved.number;
+    if (itemTargetResult.number !== null) {
+      itemNumber = itemTargetResult.number;
       core.info(`Using explicitly provided target number (item_number/issue_number/pr-number): #${itemNumber}`);
     } else {
       // Check if this is a discussion context
@@ -536,7 +529,7 @@ async function main(config = {}) {
     const parentAuthors = [];
     if (!mentionsDisabled) {
       if (!isDiscussion) {
-        if (explicitItemNumber !== undefined) {
+        if (itemTargetResult.number !== null) {
           // Explicit item_number/issue_number: fetch the issue/PR to get its author
           try {
             const { data: issueData } = await githubClient.rest.issues.get({
@@ -566,24 +559,7 @@ async function main(config = {}) {
         }
       }
     }
-    const allowedMentionAliases = [];
-    const seenAllowedMentionAliases = new Set();
-    for (const alias of parentAuthors) {
-      const key = alias.toLowerCase();
-      if (seenAllowedMentionAliases.has(key)) {
-        continue;
-      }
-      seenAllowedMentionAliases.add(key);
-      allowedMentionAliases.push(alias);
-    }
-    for (const alias of configuredMentionAliases) {
-      const key = alias.toLowerCase();
-      if (seenAllowedMentionAliases.has(key)) {
-        continue;
-      }
-      seenAllowedMentionAliases.add(key);
-      allowedMentionAliases.push(alias);
-    }
+    const allowedMentionAliases = deduplicateCaseInsensitive([...parentAuthors, ...configuredMentionAliases]);
 
     if (allowedMentionAliases.length > 0) {
       core.info(`[MENTIONS] Allowing aliases in comment: ${allowedMentionAliases.join(", ")}`);
@@ -722,7 +698,7 @@ async function main(config = {}) {
         // reply as a threaded comment to the triggering comment instead of posting top-level.
         // GitHub Discussions only supports two nesting levels, so if the triggering comment is
         // itself a reply, we resolve the top-level parent's node ID to use as replyToId.
-        const hasExplicitItemNumber = explicitItemNumber !== undefined;
+        const hasExplicitItemNumber = itemTargetResult.number !== null;
         let replyToId;
         if (context.eventName === "discussion_comment" && !hasExplicitItemNumber) {
           // When triggered by a discussion_comment event, thread the reply under the triggering comment.
@@ -740,7 +716,7 @@ async function main(config = {}) {
         }
         comment = await commentOnDiscussion(githubClient, repoParts.owner, repoParts.repo, itemNumber, processedBody, replyToId);
       } else {
-        const shouldReplyToTriggeringPRReviewComment = effectiveContext.eventName === "pull_request_review_comment" && explicitItemNumber === undefined;
+        const shouldReplyToTriggeringPRReviewComment = effectiveContext.eventName === "pull_request_review_comment" && itemTargetResult.number === null;
         const triggeringReviewCommentId = Number(effectiveContext.payload?.comment?.id);
 
         if (shouldReplyToTriggeringPRReviewComment && Number.isInteger(triggeringReviewCommentId) && triggeringReviewCommentId > 0) {
@@ -778,7 +754,7 @@ async function main(config = {}) {
 
       // If 404 and item_number was explicitly provided and we tried as issue/PR,
       // retry as a discussion (the user may have provided a discussion number)
-      if (is404 && !isDiscussion && explicitItemNumber !== undefined) {
+      if (is404 && !isDiscussion && itemTargetResult.number !== null) {
         core.info(`Item #${itemNumber} not found as issue/PR, retrying as discussion...`);
 
         try {

setup/js/add_labels.cjs

@@ -8,7 +8,14 @@
  */
 
 /**
- * @typedef {{ item_number?: number|string, labels?: string[], repo?: string }} AddLabelsMessage
+ * @typedef {{
+ *   item_number?: number|string,
+ *   issue_number?: number|string,
+ *   pr_number?: number|string,
+ *   pull_number?: number|string,
+ *   labels?: string[],
+ *   repo?: string
+ * }} AddLabelsMessage
  */
 
 /** @type {string} Safe output type handled by this module */
@@ -20,7 +27,7 @@ const { resolveTargetRepoConfig, resolveAndValidateRepo } = require("./repo_help
 const { tryEnforceArrayLimit } = require("./limit_enforcement_helpers.cjs");
 const { logStagedPreviewInfo } = require("./staged_preview.cjs");
 const { createAuthenticatedGitHubClient } = require("./handler_auth.cjs");
-const { resolveRepoIssueTarget, loadTemporaryIdMapFromResolved } = require("./temporary_id.cjs");
+const { resolveSafeOutputIssueTarget } = require("./temporary_id.cjs");
 const { MAX_LABELS } = require("./constants.cjs");
 const { createCountGatedHandler } = require("./handler_scaffold.cjs");
 const { withRetry, RATE_LIMIT_RETRY_CONFIG } = require("./error_recovery.cjs");
@@ -63,35 +70,12 @@ const main = createCountGatedHandler({
       core.info(`Target repository: ${itemRepo}`);
 
       // Determine target issue/PR number
-      let itemNumber;
-      if (message.item_number !== undefined) {
-        // Resolve temporary IDs if present
-        const tempIdMap = loadTemporaryIdMapFromResolved(resolvedTemporaryIds);
-        const resolvedTarget = resolveRepoIssueTarget(message.item_number, tempIdMap, repoParts.owner, repoParts.repo);
-
-        // Check if this is an unresolved temporary ID
-        if (resolvedTarget.wasTemporaryId && !resolvedTarget.resolved) {
-          core.info(`Deferring add_labels: unresolved temporary ID (${message.item_number})`);
-          return {
-            success: false,
-            deferred: true,
-            error: resolvedTarget.errorMessage || `Unresolved temporary ID: ${message.item_number}`,
-          };
-        }
-
-        // Check for other resolution errors
-        if (resolvedTarget.errorMessage || !resolvedTarget.resolved) {
-          const error = `Invalid item number: ${message.item_number}`;
-          core.warning(error);
-          return { success: false, error };
-        }
+      // Accept common aliases: issue_number, pr_number, and pull_number are normalised to item_number
+      const targetResult = resolveSafeOutputIssueTarget({ message, resolvedTemporaryIds, repoParts, handlerType: HANDLER_TYPE });
+      if (!targetResult.success) return targetResult;
+      const itemNumber = targetResult.number ?? context.payload?.issue?.number ?? context.payload?.pull_request?.number;
 
-        itemNumber = resolvedTarget.resolved.number;
-      } else {
-        itemNumber = context.payload?.issue?.number ?? context.payload?.pull_request?.number;
-      }
-
-      if (!itemNumber || isNaN(itemNumber)) {
+      if (!itemNumber || Number.isNaN(Number(itemNumber))) {
         const error = "No issue/PR number available";
         core.warning(error);
         return { success: false, error };
@@ -118,6 +102,7 @@ const main = createCountGatedHandler({
 
       // Use validation helper to sanitize and validate labels
       const labelsResult = validateLabels(requestedLabels, allowedLabels, maxCount, blockedPatterns);
+
       if (!labelsResult.valid) {
         // If no valid labels, log info and return gracefully
         if (labelsResult.error?.includes("No valid labels")) {
@@ -129,6 +114,7 @@ const main = createCountGatedHandler({
             message: "No valid labels found",
           };
         }
+
         // For other validation errors, return error
         core.warning(`Label validation failed: ${labelsResult.error}`);
         return {

setup/js/claude_harness.cjs

@@ -66,6 +66,7 @@ const OVERLOADED_ERROR_PATTERN = /overloaded_error|"overloaded"/i;
 //   - embedded stream-json result fields (e.g. "api_error_status":429)
 //   - human-readable message text ("rate limit")
 const RATE_LIMIT_ERROR_PATTERN = /rate_limit_error|429 Too Many Requests|"api_error_status"\s*:\s*429|request rejected \(429\)|rate limit/i;
+const AUTHENTICATION_FAILED_PATTERN = /Authentication failed(?:\s*\(Request ID:[^)]+\))?/i;
 
 // Pattern to detect a clean max-turns exit from Claude Code.
 // Claude Code emits a JSON result object with "subtype":"error_max_turns" when the
@@ -112,6 +113,15 @@ function isRateLimitError(output) {
   return RATE_LIMIT_ERROR_PATTERN.test(output);
 }
 
+/**
+ * Determines if the collected output contains an authentication failed error.
+ * @param {string} output - Collected stdout+stderr from the process
+ * @returns {boolean}
+ */
+function isAuthenticationFailedError(output) {
+  return AUTHENTICATION_FAILED_PATTERN.test(output);
+}
+
 /**
  * Determines if the collected output signals a clean max-turns exit.
  * When Claude Code hits its turn limit it emits a result object with
@@ -441,6 +451,7 @@ async function main() {
 
     const isOverloaded = isOverloadedError(result.output);
     const isRateLimit = isRateLimitError(result.output);
+    const isAuthenticationFailed = isAuthenticationFailedError(result.output);
     const isMaxTurns = isMaxTurnsExit(result.output);
     const isNoDeferredMarker = isNoDeferredMarkerError(result.output);
     const permissionDeniedCount = countPermissionDeniedIssues(result.output);
@@ -450,6 +461,7 @@ async function main() {
         ` exitCode=${result.exitCode}` +
         ` isOverloadedError=${isOverloaded}` +
         ` isRateLimitError=${isRateLimit}` +
+        ` isAuthenticationFailedError=${isAuthenticationFailed}` +
         ` isMaxTurnsExit=${isMaxTurns}` +
         ` isNoDeferredMarkerError=${isNoDeferredMarker}` +
         ` permissionDeniedCount=${permissionDeniedCount}` +
@@ -458,6 +470,11 @@ async function main() {
         ` retriesRemaining=${MAX_RETRIES - attempt}`
     );
 
+    if (attempt === 0 && isAuthenticationFailed) {
+      log(`attempt ${attempt + 1}: authentication failed — not retrying (first-attempt auth failure is non-retryable)`);
+      break;
+    }
+
     if (hasNumerousPermissionDenied) {
       const deniedCommands = extractDeniedCommands(result.output);
       emitMissingToolPermissionIssue({ deniedCommands });
@@ -538,6 +555,7 @@ if (typeof module !== "undefined" && module.exports) {
     resolveClaudePromptFileArgs,
     stripPromptFileArgs,
     isRateLimitError,
+    isAuthenticationFailedError,
     isMaxTurnsExit,
     isNoDeferredMarkerError,
     isSignalTerminationExitCode,

setup/js/codex_harness.cjs

@@ -58,6 +58,7 @@ const MAX_DELAY_MS = 60000;
 // Matches "rate_limit_exceeded" from the OpenAI error type field and the "429" status code
 // that Codex emits when the API rate limit is hit.
 const RATE_LIMIT_ERROR_PATTERN = /rate_limit_exceeded|429 Too Many Requests|RateLimitError/i;
+const AUTHENTICATION_FAILED_PATTERN = /Authentication failed(?:\s*\(Request ID:[^)]+\))?/i;
 
 // Pattern to detect OpenAI server-side errors (HTTP 500, 503).
 // These are transient infrastructure failures that may resolve on retry.
@@ -85,6 +86,15 @@ function isRateLimitError(output) {
   return RATE_LIMIT_ERROR_PATTERN.test(output);
 }
 
+/**
+ * Determines if the collected output contains an authentication failed error.
+ * @param {string} output - Collected stdout+stderr from the process
+ * @returns {boolean}
+ */
+function isAuthenticationFailedError(output) {
+  return AUTHENTICATION_FAILED_PATTERN.test(output);
+}
+
 /**
  * Determines if the collected output contains an OpenAI server error.
  * @param {string} output - Collected stdout+stderr from the process
@@ -297,20 +307,27 @@ async function main() {
     }
 
     const isRateLimit = isRateLimitError(result.output);
+    const isAuthenticationFailed = isAuthenticationFailedError(result.output);
     const isServer = isServerError(result.output);
     const permissionDeniedCount = countPermissionDeniedIssues(result.output);
     const hasNumerousPermissionDenied = hasNumerousPermissionDeniedIssues(result.output);
     log(
       `attempt ${attempt + 1} failed:` +
         ` exitCode=${result.exitCode}` +
         ` isRateLimitError=${isRateLimit}` +
+        ` isAuthenticationFailedError=${isAuthenticationFailed}` +
         ` isServerError=${isServer}` +
         ` permissionDeniedCount=${permissionDeniedCount}` +
         ` hasNumerousPermissionDenied=${hasNumerousPermissionDenied}` +
         ` hasOutput=${result.hasOutput}` +
         ` retriesRemaining=${MAX_RETRIES - attempt}`
     );
 
+    if (attempt === 0 && isAuthenticationFailed) {
+      log(`attempt ${attempt + 1}: authentication failed — not retrying (first-attempt auth failure is non-retryable)`);
+      break;
+    }
+
     if (hasNumerousPermissionDenied) {
       const deniedCommands = extractDeniedCommands(result.output);
       emitMissingToolPermissionIssue({ deniedCommands });
@@ -347,6 +364,7 @@ if (typeof module !== "undefined" && module.exports) {
   module.exports = {
     resolveCodexPromptFileArgs,
     isRateLimitError,
+    isAuthenticationFailedError,
     isServerError,
     countPermissionDeniedIssues,
     hasNumerousPermissionDeniedIssues,