
Commit 93a8784

config: add promotion-label/demotion-label to Go AllowOnlyPolicy (#4942)
The Rust WASM guard added `promotion_label`/`demotion_label` fields to `AllowOnlyPolicy` (commit `662a784`), but the Go config layer never mirrored them — causing the gateway to reject any policy JSON containing these fields with `allow-only contains unsupported field "promotion-label"`.

## Changes

- **`AllowOnlyPolicy` struct** — added `PromotionLabel`/`DemotionLabel` string fields with `toml` and `json` tags (`promotion-label,omitempty` / `demotion-label,omitempty`)
- **`UnmarshalJSON`** — added `case "promotion-label"` and `case "demotion-label"` switch arms; unknown-field error no longer trips on these
- **`MarshalJSON`** — included both fields in `serializedAllowOnly` so they round-trip to the WASM guard
- **`NormalizedGuardPolicy`** — added both fields for observability/caching consistency
- **`NormalizeGuardPolicy`** — passes both fields through with whitespace trimming (semantic validation deferred to the Rust guard)
- **Tests** — added `TestNormalizeGuardPolicyPromotionDemotionLabels` covering individual round-trips, combined usage, absent-field behavior, JSON marshal/unmarshal, and `ParseGuardPolicyJSON` acceptance

**Example policy that now works end-to-end:**

```json
{
  "allow-only": {
    "repos": "public",
    "min-integrity": "unapproved",
    "promotion-label": "agent-approved",
    "demotion-label": "agent-blocked"
  }
}
```

> [!WARNING]
>
> <details>
> <summary>Firewall rules blocked me from connecting to one or more addresses (expand for details)</summary>
>
> #### I tried to connect to the following addresses, but was blocked by firewall rules:
>
> - `example.com`
>   - Triggering command: `/tmp/go-build398432025/b509/launcher.test /tmp/go-build398432025/b509/launcher.test -test.testlogfile=/tmp/go-build398432025/b509/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true 4/arm64.go VkJy/yyRkcbD_VVVgoogle.golang.org/grpc/internal/metadata x_amd64/compile` (dns block)
>   - Triggering command: `/tmp/go-build921235762/b513/launcher.test /tmp/go-build921235762/b513/launcher.test -test.testlogfile=/tmp/go-build921235762/b513/testlog.txt -test.paniconexit0 -test.timeout=10m0s /tmp/go-build921235762/b491/vet.cfg ml-C/FGsrpattnkKSKZMLml-C /tmp/go-build398432025/b346/ ache/go/1.25.9/x64/pkg/tool/linux_amd64/vet . --gdwarf2 --64 DHaMYkFHKUkt -I o t.go 27d059209fb0df2f-d --gdwarf-5 --64 -o x_amd64/compile` (dns block)
> - `invalid-host-that-does-not-exist-12345.com`
>   - Triggering command: `/tmp/go-build398432025/b491/config.test /tmp/go-build398432025/b491/config.test -test.testlogfile=/tmp/go-build398432025/b491/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true ktype/networktype.go o x_amd64/asm` (dns block)
>   - Triggering command: `/tmp/go-build921235762/b495/config.test /tmp/go-build921235762/b495/config.test -test.testlogfile=/tmp/go-build921235762/b495/testlog.txt -test.paniconexit0 -test.timeout=10m0s swit�� olang.org/grpc@v1.80.0/health/grpc_health_v1/health.pb.go olang.org/grpc@v1.80.0/health/grpc_health_v1/health_grpc.pb.go cfg 432025/b346/_x00/opt/hostedtoolcache/go/1.25.9/x64/pkg/tool/linux_amd64/vet g/protobuf/types/tmp/go-build2843280890/b293/vet.cfg 432025/b346/_x003.o ache/go/1.25.9/x64/pkg/tool/linux_amd64/vet -W AHtg/B5FET1EKR-ItmppRAHtg /tmp/go-build398432025/b346/ 64/pkg/tool/linux_amd64/compile . --gdwarf2 --64 64/pkg/tool/linux_amd64/compile` (dns block)
> - `nonexistent.local`
>   - Triggering command: `/tmp/go-build398432025/b509/launcher.test /tmp/go-build398432025/b509/launcher.test -test.testlogfile=/tmp/go-build398432025/b509/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true 4/arm64.go VkJy/yyRkcbD_VVVgoogle.golang.org/grpc/internal/metadata x_amd64/compile` (dns block)
>   - Triggering command: `/tmp/go-build921235762/b513/launcher.test /tmp/go-build921235762/b513/launcher.test -test.testlogfile=/tmp/go-build921235762/b513/testlog.txt -test.paniconexit0 -test.timeout=10m0s /tmp/go-build921235762/b491/vet.cfg ml-C/FGsrpattnkKSKZMLml-C /tmp/go-build398432025/b346/ ache/go/1.25.9/x64/pkg/tool/linux_amd64/vet . --gdwarf2 --64 DHaMYkFHKUkt -I o t.go 27d059209fb0df2f-d --gdwarf-5 --64 -o x_amd64/compile` (dns block)
> - `slow.example.com`
>   - Triggering command: `/tmp/go-build398432025/b509/launcher.test /tmp/go-build398432025/b509/launcher.test -test.testlogfile=/tmp/go-build398432025/b509/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true 4/arm64.go VkJy/yyRkcbD_VVVgoogle.golang.org/grpc/internal/metadata x_amd64/compile` (dns block)
>   - Triggering command: `/tmp/go-build921235762/b513/launcher.test /tmp/go-build921235762/b513/launcher.test -test.testlogfile=/tmp/go-build921235762/b513/testlog.txt -test.paniconexit0 -test.timeout=10m0s /tmp/go-build921235762/b491/vet.cfg ml-C/FGsrpattnkKSKZMLml-C /tmp/go-build398432025/b346/ ache/go/1.25.9/x64/pkg/tool/linux_amd64/vet . --gdwarf2 --64 DHaMYkFHKUkt -I o t.go 27d059209fb0df2f-d --gdwarf-5 --64 -o x_amd64/compile` (dns block)
> - `this-host-does-not-exist-12345.com`
>   - Triggering command: `/tmp/go-build398432025/b518/mcp.test /tmp/go-build398432025/b518/mcp.test -test.testlogfile=/tmp/go-build398432025/b518/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true envconfig/envcon-errorsas envconfig/observ-ifaceassert x_amd64/compile -p runtime/trace -lang=go1.25 x_amd64/compile -I /trace@v1.43.0/internal/telemetr-p /trace@v1.43.0/internal/telemetrgoogle.golang.org/protobuf/protoadapt x_amd64/vet --gdwarf-5 --64 432025/b168/ x_amd64/vet` (dns block)
>   - Triggering command: `/tmp/go-build921235762/b522/mcp.test /tmp/go-build921235762/b522/mcp.test -test.testlogfile=/tmp/go-build921235762/b522/testlog.txt -test.paniconexit0 -test.timeout=10m0s -o _.a -trimpath x_amd64/vet -p google.golang.or-qE -lang=go1.23 x_amd64/vet n-me�� gxsKMXzGg -trimpath x_amd64/vet -p google.golang.or/usr/bin/runc -lang=go1.24 x_amd64/vet` (dns block)
>
> If you need me to access, download, or install something from one of these locations, you can either:
>
> - Configure [Actions setup steps](https://gh.io/copilot/actions-setup-steps) to set up my environment, which run before the firewall is enabled
> - Add the appropriate URLs or hosts to the custom allowlist in this repository's [Copilot coding agent settings](https://github.com/github/gh-aw-mcpg/settings/copilot/coding_agent) (admins only)
>
> </details>
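The failure mode the commit describes (a strict, switch-based `UnmarshalJSON` that fails closed on any key the Go layer does not enumerate, so a field added only on the guard side is rejected until the Go struct is updated) and the fix (mirror the fields, trim whitespace in normalization, round-trip them through `MarshalJSON`) are shown below in a self-contained Go program. This is an added illustration, not the gh-aw-mcpg code; the struct shape, the `GuardPolicy` wrapper, the `ParseGuardPolicyJSON`/`NormalizeGuardPolicy`/`RoundTrip` helpers and the exact error strings are assumptions chosen to match the commit message, and the policy JSON is constructed from the example in the message plus deliberate stray whitespace.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
)

// AllowOnlyPolicy is a hypothetical stand-in for the Go config struct named in
// the commit message; the field set is an assumption, not the project's code.
type AllowOnlyPolicy struct {
	Repos          string `json:"repos,omitempty"`
	MinIntegrity   string `json:"min-integrity,omitempty"`
	PromotionLabel string `json:"promotion-label,omitempty"`
	DemotionLabel  string `json:"demotion-label,omitempty"`
}

// UnmarshalJSON routes every key through a switch of known field names, so a
// key the Go layer does not enumerate (a typo, or a field only the WASM guard
// knows about) is rejected instead of being silently dropped. Before the fix,
// "promotion-label" and "demotion-label" fell into the default arm.
func (p *AllowOnlyPolicy) UnmarshalJSON(data []byte) error {
	var raw map[string]json.RawMessage
	if err := json.Unmarshal(data, &raw); err != nil {
		return fmt.Errorf("allow-only: %w", err)
	}
	for key, val := range raw {
		var dst *string
		switch key {
		case "repos":
			dst = &p.Repos
		case "min-integrity":
			dst = &p.MinIntegrity
		case "promotion-label":
			dst = &p.PromotionLabel
		case "demotion-label":
			dst = &p.DemotionLabel
		default:
			return fmt.Errorf("allow-only contains unsupported field %q", key)
		}
		if err := json.Unmarshal(val, dst); err != nil {
			return fmt.Errorf("allow-only field %q must be a string: %w", key, err)
		}
	}
	return nil
}

// GuardPolicy is the top-level document; only allow-only is modelled here.
type GuardPolicy struct {
	AllowOnly *AllowOnlyPolicy `json:"allow-only,omitempty"`
}

// ParseGuardPolicyJSON decodes a policy document, failing closed on unknown
// keys at the top level (DisallowUnknownFields) and inside allow-only (above).
func ParseGuardPolicyJSON(data []byte) (*GuardPolicy, error) {
	dec := json.NewDecoder(bytes.NewReader(data))
	dec.DisallowUnknownFields()
	var gp GuardPolicy
	if err := dec.Decode(&gp); err != nil {
		return nil, err
	}
	return &gp, nil
}

// NormalizeGuardPolicy returns a copy with surrounding whitespace trimmed from
// every string field. Whether a label value is meaningful is not decided here;
// as in the commit, that semantic check is left to the guard.
func NormalizeGuardPolicy(gp *GuardPolicy) *GuardPolicy {
	if gp == nil || gp.AllowOnly == nil {
		return gp
	}
	ao := *gp.AllowOnly
	ao.Repos = strings.TrimSpace(ao.Repos)
	ao.MinIntegrity = strings.TrimSpace(ao.MinIntegrity)
	ao.PromotionLabel = strings.TrimSpace(ao.PromotionLabel)
	ao.DemotionLabel = strings.TrimSpace(ao.DemotionLabel)
	return &GuardPolicy{AllowOnly: &ao}
}

// RoundTrip marshals and re-parses a policy. Both labels must survive this hop
// unchanged, since that is the path from the Go config layer to the guard.
func RoundTrip(gp *GuardPolicy) (*GuardPolicy, error) {
	out, err := json.Marshal(gp)
	if err != nil {
		return nil, err
	}
	return ParseGuardPolicyJSON(out)
}

func main() {
	// Constructed input: the commit's example policy plus stray whitespace.
	const policy = `{"allow-only":{"repos":"public","min-integrity":"unapproved",
	  "promotion-label":" agent-approved ","demotion-label":"agent-blocked"}}`
	gp, err := ParseGuardPolicyJSON([]byte(policy))
	if err != nil {
		panic(err)
	}
	rt, err := RoundTrip(NormalizeGuardPolicy(gp))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", *rt.AllowOnly)

	// A misspelled key (underscore instead of hyphen) is rejected, not ignored.
	_, err = ParseGuardPolicyJSON([]byte(`{"allow-only":{"promotion_label":"x"}}`))
	fmt.Println("error:", err)
}
```

The fail-closed switch is the right default for a policy file: a silently ignored `promotion-label` would leave the gateway applying a weaker policy than the operator wrote. The cost, shown by this commit, is that every field the guard learns must also be taught to the Go layer, which is why a round-trip test that pins both labels is worth keeping.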
2 parents afefb30 + 42f4a81 commit 93a8784

0 file changed
