fix(safeoutputs): enforce add-build-tag scope for build IDs > i32::MAX (#379)

Copilot · jamesadevine · web-flow · commit c53390002c8d · 2026-05-01T20:49:46.000+01:00
* fix(safeoutputs): enforce add-build-tag scope for build IDs > i32::MAX Agent-Logs-Url: https://github.com/githubnext/ado-aw/sessions/dd6d4958-4570-4099-8fcc-bf3d38eb7aa9 Co-authored-by: jamesadevine <4742697+jamesadevine@users.noreply.github.com> * refactor: simplify u64 cast in add-build-tag scope check Agent-Logs-Url: https://github.com/githubnext/ado-aw/sessions/dd6d4958-4570-4099-8fcc-bf3d38eb7aa9 Co-authored-by: jamesadevine <4742697+jamesadevine@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: jamesadevine <4742697+jamesadevine@users.noreply.github.com>
diff --git a/src/safeoutputs/add_build_tag.rs b/src/safeoutputs/add_build_tag.rs
@@ -133,15 +133,15 @@ impl Executor for AddBuildTagResult {
         let config: AddBuildTagConfig = ctx.get_tool_config("add-build-tag");
         debug!("Config: {:?}", config);
 
-        // 2b. Scope check: by default only the current build can be tagged
+        // 2b. Scope check: by default only the current build can be tagged.
+        // Compare in u64 space so that ADO build IDs larger than i32::MAX are
+        // still enforced (the agent-supplied i32 simply cannot match such
+        // values, which is the desired behavior).
         if !config.allow_any_build {
-            // Pulled from ctx (sourced from BUILD_BUILDID); narrowed to i32 to
-            // match the agent-supplied build_id type.
-            let current_build_id: Option<i32> = ctx
-                .build_id
-                .and_then(|id| i32::try_from(id).ok());
-            if let Some(current_id) = current_build_id {
-                if self.build_id != current_id {
+            if let Some(current_id) = ctx.build_id {
+                // self.build_id is validated > 0, so the cast to u64 is exact;
+                // values that don't fit in i32 simply cannot match current_id.
+                if self.build_id as u64 != current_id {
                     return Ok(ExecutionResult::failure(format!(
                         "Build #{} cannot be tagged: only the current build (#{}) is \
                          allowed unless 'allow-any-build: true' is configured",
