
Add bots field for workflow trigger authorization #6029

Merged: pelikhan merged 6 commits into main from copilot/update-bots-field-permissions on Dec 10, 2025

Copilot AI commented Dec 10, 2025

Plan: Add "bots" field for workflow trigger authorization

  • 1. Update JSON schema to add "bots" field (sibling to "roles")
    • Add "bots" array field to main_workflow_schema.json
    • Remove examples field from bots schema per feedback
    • Rebuild binary to embed schema changes
  • 2. Update Go code to extract and store bots field
    • Add Bots field to WorkflowData struct
    • Add extractBots function in role_checks.go
    • Call extractBots in compiler_parse.go
  • 3. Update JavaScript validation logic
    • Create parseAllowedBots and checkBotStatus functions in check_permissions_utils.cjs
    • Update check_membership.cjs to handle bot authorization
    • Pass bots list via environment variable
  • 4. Update Go code to pass bots to JavaScript
    • Update generateMembershipCheck to pass bots via env var
  • 5. Add tests for bot authorization
    • Add unit tests for extractBots function
    • Add integration tests for bot workflows
    • Test bot environment variable generation
    • Test bots with default roles
    • Test bots with roles: all
  • 6. Run validation (lint, build, test, recompile)
    • Build binary with embedded schema
    • Run bot-specific tests (all pass)
    • Recompile workflows
    • Format code
    • Manual testing with sample workflow

Summary

Successfully implemented the "bots" field for workflow trigger authorization with feedback addressed:

Schema Changes: Added "bots" array field to main_workflow_schema.json with proper validation (examples removed per feedback)
Go Implementation: Added Bots field to WorkflowData, extraction logic, and environment variable passing
JavaScript Logic: Implemented bot validation that:

  • Checks if actor is in allowed bots list
  • Verifies bot is active/installed on repository via GitHub API
  • Returns appropriate authorization status

Tests: All bot-related tests pass (4/4)
Manual Verification: Compiled test workflow correctly includes bot validation logic

Original prompt

Update front matter to specify an allow list of bots that can trigger a workflow (similar to "roles" field)

  • add field "bots" (sibling to roles) that takes an array of bot identifier/name
  • update JavaScript code that validates role access to handle bots if the permission level is too low.
    If the actor is part of the allowed bot list, validate that the bot is active on the repo, if so allow trigger.


Changeset

  • Type: patch
  • Description: Add bots frontmatter field to allow listing GitHub Apps/bots allowed to trigger workflows. Includes schema, Go parsing/env passing, JavaScript validation updates, and tests.

Ahoy! This treasure was crafted by 🏴‍☠️ Changeset Generator

Copilot AI and others added 3 commits December 10, 2025 13:51
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan pelikhan added the smoke label Dec 10, 2025
@github-actions

📰 BREAKING: Smoke Copilot Playwright is now investigating this pull request. Sources say the story is developing...

@github-actions

🔮 The ancient spirits stir... Smoke Codex awakens to divine this pull request...

@github-actions

💥 WHOOSH! Smoke Claude springs into action on this pull request! [Panel 1 begins...]

@github-actions

📰🚀🔍👀📡🕵️ https://github.com/githubnext/gh-aw/actions/runs/20101428282

@github-actions

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

@github-actions

github-actions Bot commented Dec 10, 2025

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰

https://github.com/githubnext/gh-aw/tree/copilot/update-bots-field-permissions

@github-actions

Smoke Test Results (Run 20101428329)

Last 2 Merged PRs:

Test Results:

  • ✅ GitHub MCP Testing
  • ✅ File Writing Testing
  • ✅ Bash Tool Testing
  • ✅ GitHub MCP Default Toolset Testing (get_me blocked as expected)
  • ✅ Cache Memory Testing

Overall Status: PASS

📰 BREAKING: Report filed by Smoke Copilot fer issue #6029 🗺️

@github-actions

Smoke Test Results - Claude Engine

Recent PRs:

Test Results:
✅ GitHub MCP - Retrieved 2 merged PRs
✅ File Writing - Created test file successfully
✅ Bash Tool - Verified file contents
✅ Playwright MCP - Navigated to GitHub, title contains "GitHub"
✅ Cache Memory - Created and verified cache file
❌ Safe Input gh Tool - Tool not available in environment

Status: PASS (5/6 tests passed)

💥 [THE END] — Illustrated by Smoke Claude fer issue #6029 🗺️

@github-actions

Smoke Test Results

Playwright MCP: Successfully navigated to https://github.com - page title confirmed "GitHub · Change is constant. GitHub keeps you ahead. · GitHub"
Cache Memory: Successfully created /tmp/gh-aw/cache-memory/smoke-test-20101428310.txt with test content
Safe Input gh Tool: Failed - HTTPS client error when accessing GitHub API

Overall Status: ⚠️ PARTIAL PASS (2/3 tests passed)

📰 BREAKING: Report filed by Smoke Copilot Playwright fer issue #6029 🗺️

@github-actions

Smoke Test Results

Tests:

  • ✅ Bash Tool: File creation successful
  • ❌ GitHub MCP: HTTP/HTTPS connection error
  • ✅ Serena MCP: Listed classes (QualityIssue, FileStats, ActionPin, etc.)
  • ❌ Safe Input gh: HTTP/HTTPS connection error

Status: FAIL (GitHub API connectivity issue)

📰🔥📋 https://github.com/githubnext/gh-aw/actions/runs/20101428282 fer issue #6029 🗺️

Comment thread pkg/parser/schemas/main_workflow_schema.json Outdated
@github-actions

PRs: Update go-fan workflow to prioritize recently updated dependencies in round-robin selection; [docs] Update glossary - daily scan
GitHub MCP merged PRs: ✅
File write/read (/tmp/gh-aw/agent): ✅
Cache memory write/read: ✅
Playwright title check: ✅
safeinputs-gh (gh issues list): ❌ missing tool
Overall: FAIL

🔮 The oracle has spoken through Smoke Codex fer issue #6029 🗺️

Copilot AI changed the title from "[WIP] Update front matter to allow list specific bots for workflow triggers" to "Add bots field for workflow trigger authorization" on Dec 10, 2025
Copilot AI requested a review from pelikhan December 10, 2025 14:17
@pelikhan

@copilot add "[bot]" to name automatically (if not ending in [bot]). Update examples.

@pelikhan

@copilot make sure bots and roles can be imported. They can be overridden by the main workflow (no merge).

@pelikhan

@copilot log bots and roles in aw-info.json

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan pelikhan marked this pull request as ready for review December 10, 2025 14:38
@pelikhan pelikhan merged commit b5879df into main Dec 10, 2025
5 of 6 checks passed
@pelikhan pelikhan deleted the copilot/update-bots-field-permissions branch December 10, 2025 14:38
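
The authorization flow this pull request describes (role check first, then the bots allow list, then a check that the bot is active on the repository), together with the "[bot]" suffix and the no-merge override requested in review, as an added example that is not the project's code. All function names, the comma-separated list encoding, the reason strings and the injected `isActiveOnRepo` lookup are assumptions.

```javascript
// Added example: hypothetical names, not the functions from this PR.

// Accept "dependabot" or "dependabot[bot]"; store the "[bot]" form.
function normalizeBotName(name) {
  const n = String(name).trim();
  return n.endsWith("[bot]") ? n : `${n}[bot]`;
}

// Parse the allow list from an environment variable value
// (comma-separated encoding is an assumption of this example).
function parseAllowedBots(raw) {
  return (raw || "")
    .split(",")
    .map((s) => s.trim())
    .filter(Boolean)
    .map(normalizeBotName);
}

// The main workflow's value replaces an imported one outright (no merge),
// so an explicit empty list in the main workflow disables imported bots.
function effectiveBots(mainBots, importedBots) {
  return mainBots !== undefined ? mainBots : importedBots || [];
}

// roleOk: result of the existing role check.
// isActiveOnRepo: injected lookup standing in for the GitHub API call;
// in a real workflow this would be an awaited request.
function authorizeTrigger({ actor, roleOk, allowedBots, isActiveOnRepo }) {
  if (roleOk) return { authorized: true, reason: "role" };
  // Only the allow-list side is normalized. The actor must match the full
  // "[bot]" login exactly: no prefix, substring or suffix-less matching.
  if (!allowedBots.includes(actor)) {
    return { authorized: false, reason: "insufficient_permissions" };
  }
  let active = false;
  try {
    active = isActiveOnRepo(actor) === true;
  } catch (_) {
    active = false; // fail closed when the status lookup errors
  }
  return active
    ? { authorized: true, reason: "allowed_bot" }
    : { authorized: false, reason: "bot_not_active" };
}
```

The lookup failing closed matters here: the bot path only runs after the role check has already denied the actor, so an API error must not turn into an allow.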