Commit 93a8784
config: add promotion-label/demotion-label to Go AllowOnlyPolicy (#4942)
The Rust WASM guard added `promotion_label`/`demotion_label` fields to
`AllowOnlyPolicy` (commit `662a784`), but the Go config layer never
mirrored them — causing the gateway to reject any policy JSON containing
these fields with `allow-only contains unsupported field
"promotion-label"`.
## Changes
- **`AllowOnlyPolicy` struct** — added `PromotionLabel`/`DemotionLabel`
string fields with `toml` and `json` tags (`promotion-label,omitempty` /
`demotion-label,omitempty`)
- **`UnmarshalJSON`** — added `case "promotion-label"` and `case
"demotion-label"` switch arms; unknown-field error no longer trips on
these
- **`MarshalJSON`** — included both fields in `serializedAllowOnly` so
they round-trip to the WASM guard
- **`NormalizedGuardPolicy`** — added both fields for
observability/caching consistency
- **`NormalizeGuardPolicy`** — passes both fields through with
whitespace trimming (semantic validation deferred to the Rust guard)
- **Tests** — added `TestNormalizeGuardPolicyPromotionDemotionLabels`
covering individual round-trips, combined usage, absent-field behavior,
JSON marshal/unmarshal, and `ParseGuardPolicyJSON` acceptance
**Example policy that now works end-to-end:**
```json
{
  "allow-only": {
    "repos": "public",
    "min-integrity": "unapproved",
    "promotion-label": "agent-approved",
    "demotion-label": "agent-blocked"
  }
}
```
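The failure described above is a drift between two layers that both validate the same policy document: the strict Go parser rejected a key the Rust guard already understood. The following is an added example, not code from the gh-aw-mcpg repository, that reconstructs the described shape (an `AllowOnlyPolicy` with a fail-closed `UnmarshalJSON`, a `NormalizeGuardPolicy` that only trims whitespace, and a `ParseGuardPolicyJSON` entry point) so the behaviour before and after the fix can be exercised: a misspelled key still fails with the `unsupported field` error, while the two label fields now parse, normalize and round-trip. The struct names are taken from the commit message; the top-level `GuardPolicy` type, the `RoundTrip` helper and the error wrapping are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// AllowOnlyPolicy mirrors the field set named in the commit message.
// Assumed reconstruction for illustration, not the project's own type.
type AllowOnlyPolicy struct {
	Repos          string `json:"repos,omitempty"`
	MinIntegrity   string `json:"min-integrity,omitempty"`
	PromotionLabel string `json:"promotion-label,omitempty"`
	DemotionLabel  string `json:"demotion-label,omitempty"`
}

// UnmarshalJSON is deliberately strict: every key must match a known arm,
// otherwise parsing fails closed. Before the fix the two label arms were
// missing, so a valid policy was rejected with exactly this error text.
func (p *AllowOnlyPolicy) UnmarshalJSON(data []byte) error {
	var raw map[string]json.RawMessage
	if err := json.Unmarshal(data, &raw); err != nil {
		return fmt.Errorf("allow-only: %w", err)
	}
	for key, val := range raw {
		var dst *string
		switch key {
		case "repos":
			dst = &p.Repos
		case "min-integrity":
			dst = &p.MinIntegrity
		case "promotion-label":
			dst = &p.PromotionLabel
		case "demotion-label":
			dst = &p.DemotionLabel
		default:
			return fmt.Errorf("allow-only contains unsupported field %q", key)
		}
		if err := json.Unmarshal(val, dst); err != nil {
			return fmt.Errorf("allow-only field %q: %w", key, err)
		}
	}
	return nil
}

// GuardPolicy is the assumed top-level document: {"allow-only": {...}}.
type GuardPolicy struct {
	AllowOnly *AllowOnlyPolicy `json:"allow-only,omitempty"`
}

// ParseGuardPolicyJSON parses a policy document and normalizes it.
func ParseGuardPolicyJSON(data []byte) (*GuardPolicy, error) {
	var gp GuardPolicy
	if err := json.Unmarshal(data, &gp); err != nil {
		return nil, err
	}
	NormalizeGuardPolicy(&gp)
	return &gp, nil
}

// NormalizeGuardPolicy only trims whitespace; whether a label value is
// semantically valid is left to the WASM guard, as the commit states.
func NormalizeGuardPolicy(gp *GuardPolicy) {
	if gp.AllowOnly == nil {
		return
	}
	a := gp.AllowOnly
	a.Repos = strings.TrimSpace(a.Repos)
	a.MinIntegrity = strings.TrimSpace(a.MinIntegrity)
	a.PromotionLabel = strings.TrimSpace(a.PromotionLabel)
	a.DemotionLabel = strings.TrimSpace(a.DemotionLabel)
}

// RoundTrip re-serializes the policy as the guard would receive it; the
// omitempty tags keep absent labels absent rather than emitting "".
func RoundTrip(gp *GuardPolicy) (string, error) {
	b, err := json.Marshal(gp)
	return string(b), err
}

// examplePolicy is a constructed input based on the commit's example, with
// stray whitespace around one label to show normalization.
const examplePolicy = `{"allow-only":{"repos":"public","min-integrity":"unapproved","promotion-label":"  agent-approved ","demotion-label":"agent-blocked"}}`

func main() {
	gp, err := ParseGuardPolicyJSON([]byte(examplePolicy))
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	out, _ := RoundTrip(gp)
	fmt.Println(out)
	// A misspelled key is still rejected, which is the desired fail-closed behaviour.
	_, err = ParseGuardPolicyJSON([]byte(`{"allow-only":{"promote-label":"x"}}`))
	fmt.Println("rejected:", err)
}
```

The design point worth keeping from the original bug is that the strict parser is correct; the defect was that the allowlist of keys lived in two places. A test that feeds the same policy fixture through both the Go layer and the guard is the cheapest way to catch the next field that gets added on only one side.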
> [!WARNING]
>
> <details>
> <summary>Firewall rules blocked me from connecting to one or more addresses (expand for details)</summary>
>
> #### I tried to connect to the following addresses, but was blocked by firewall rules:
>
> - `example.com`
>   - Triggering command: `/tmp/go-build398432025/b509/launcher.test -test.testlogfile=/tmp/go-build398432025/b509/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true` (dns block)
>   - Triggering command: `/tmp/go-build921235762/b513/launcher.test -test.testlogfile=/tmp/go-build921235762/b513/testlog.txt -test.paniconexit0 -test.timeout=10m0s` (dns block)
> - `invalid-host-that-does-not-exist-12345.com`
>   - Triggering command: `/tmp/go-build398432025/b491/config.test -test.testlogfile=/tmp/go-build398432025/b491/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true` (dns block)
>   - Triggering command: `/tmp/go-build921235762/b495/config.test -test.testlogfile=/tmp/go-build921235762/b495/testlog.txt -test.paniconexit0 -test.timeout=10m0s` (dns block)
> - `nonexistent.local`
>   - Triggering command: `/tmp/go-build398432025/b509/launcher.test -test.testlogfile=/tmp/go-build398432025/b509/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true` (dns block)
>   - Triggering command: `/tmp/go-build921235762/b513/launcher.test -test.testlogfile=/tmp/go-build921235762/b513/testlog.txt -test.paniconexit0 -test.timeout=10m0s` (dns block)
> - `slow.example.com`
>   - Triggering command: `/tmp/go-build398432025/b509/launcher.test -test.testlogfile=/tmp/go-build398432025/b509/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true` (dns block)
>   - Triggering command: `/tmp/go-build921235762/b513/launcher.test -test.testlogfile=/tmp/go-build921235762/b513/testlog.txt -test.paniconexit0 -test.timeout=10m0s` (dns block)
> - `this-host-does-not-exist-12345.com`
>   - Triggering command: `/tmp/go-build398432025/b518/mcp.test -test.testlogfile=/tmp/go-build398432025/b518/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true` (dns block)
>   - Triggering command: `/tmp/go-build921235762/b522/mcp.test -test.testlogfile=/tmp/go-build921235762/b522/testlog.txt -test.paniconexit0 -test.timeout=10m0s` (dns block)
>
> If you need me to access, download, or install something from one of these locations, you can either:
>
> - Configure [Actions setup steps](https://gh.io/copilot/actions-setup-steps) to set up my environment, which run before the firewall is enabled
> - Add the appropriate URLs or hosts to the custom allowlist in this repository's [Copilot coding agent settings](https://github.com/github/gh-aw-mcpg/settings/copilot/coding_agent) (admins only)
>
> </details>