Add gated merge-pull-request safe-output with policy-driven merge enforcement

.github/workflows/requirements.txt

@@ -1,3 +1,4 @@
+"mempalace==3.2.0"
 markitdown-mcp
 numpy
 scikit-learn

.github/workflows/smoke-create-cross-repo-pr.md

@@ -1,6 +1,6 @@
 ---
 name: Smoke Create Cross-Repo PR
-description: Smoke test validating cross-repo pull request creation in githubnext/gh-aw-side-repo
+description: Smoke test validating cross-repo pull request creation in github/gh-aw-side-repo
 on:
   workflow_dispatch:
   pull_request:
@@ -19,7 +19,7 @@ network:
     - github
 
 checkout:
-  - repository: githubnext/gh-aw-side-repo
+  - repository: github/gh-aw-side-repo
     github-token: ${{ secrets.GH_AW_SIDE_REPO_PAT }}
 
 tools:
@@ -33,7 +33,7 @@ tools:
 safe-outputs:
   allowed-domains: [default-safe-outputs]
   create-pull-request:
-    target-repo: "githubnext/gh-aw-side-repo"
+    target-repo: "github/gh-aw-side-repo"
     github-token: ${{ secrets.GH_AW_SIDE_REPO_PAT }}
     title-prefix: "[smoke] "
     labels: [smoke-test]
@@ -50,8 +50,8 @@ safe-outputs:
     max: 2
   messages:
     footer: "> 🔬 *Cross-repo smoke test by [{workflow_name}]({run_url})*{effective_tokens_suffix}{history_link}"
-    run-started: "🔬 [{workflow_name}]({run_url}) is testing cross-repo PR creation in githubnext/gh-aw-side-repo..."
-    run-success: "✅ [{workflow_name}]({run_url}) successfully created a cross-repo PR in githubnext/gh-aw-side-repo!"
+    run-started: "🔬 [{workflow_name}]({run_url}) is testing cross-repo PR creation in github/gh-aw-side-repo..."
+    run-success: "✅ [{workflow_name}]({run_url}) successfully created a cross-repo PR in github/gh-aw-side-repo!"
     run-failure: "❌ [{workflow_name}]({run_url}) failed to create a cross-repo PR: {status}"
 
 timeout-minutes: 10

.github/workflows/smoke-update-cross-repo-pr.md

@@ -1,6 +1,6 @@
 ---
 name: Smoke Update Cross-Repo PR
-description: Smoke test validating cross-repo pull request updates in githubnext/gh-aw-side-repo by adding lines from Homer's Odyssey to the README
+description: Smoke test validating cross-repo pull request updates in github/gh-aw-side-repo by adding lines from Homer's Odyssey to the README
 
 on:
   workflow_dispatch:
@@ -20,7 +20,7 @@ network:
     - github
 
 checkout:
-  - repository: githubnext/gh-aw-side-repo
+  - repository: github/gh-aw-side-repo
     github-token: ${{ secrets.GH_AW_SIDE_REPO_PAT }}
     fetch: ["main", "refs/pulls/open/*"]      # fetch all open PR refs after checkout
     fetch-depth: 0               # fetch full history to ensure we can see all commits and PR details
@@ -44,13 +44,13 @@ safe-outputs:
     hide-older-comments: true
     max: 2
   push-to-pull-request-branch:
-    target-repo: "githubnext/gh-aw-side-repo"
+    target-repo: "github/gh-aw-side-repo"
     github-token: ${{ secrets.GH_AW_SIDE_REPO_PAT }}
     if-no-changes: "error"
     target: "1" # PR #1
   messages:
     footer: "> 📜 *Cross-repo PR update smoke test by [{workflow_name}]({run_url})*{effective_tokens_suffix}{history_link}"
-    run-started: "📜 [{workflow_name}]({run_url}) is adding the next Odyssey line to githubnext/gh-aw-side-repo PR #1..."
+    run-started: "📜 [{workflow_name}]({run_url}) is adding the next Odyssey line to github/gh-aw-side-repo PR #1..."
     run-success: "✅ [{workflow_name}]({run_url}) successfully updated the cross-repo PR with a new Odyssey line!"
     run-failure: "❌ [{workflow_name}]({run_url}) failed to update the cross-repo PR: {status}"
 

actions/setup/js/check_runs_helpers.cjs

@@ -0,0 +1,83 @@
+// @ts-check
+
+/**
+ * Returns true for check runs that represent deployment environment gates rather
+ * than CI checks.
+ * @param {any} run
+ * @returns {boolean}
+ */
+function isDeploymentCheck(run) {
+  return run?.app?.slug === "github-deployments";
+}
+
+/**
+ * Select latest check run per name and apply standard filtering.
+ * @param {any[]} checkRuns
+ * @param {{
+ *   includeList?: string[]|null,
+ *   excludeList?: string[]|null,
+ *   excludedCheckRunIds?: Set<number>,
+ * }} [options]
+ * @returns {{relevant: any[], deploymentCheckCount: number, currentRunFilterCount: number}}
+ */
+function selectLatestRelevantChecks(checkRuns, options = {}) {
+  const includeList = options.includeList || null;
+  const excludeList = options.excludeList || null;
+  const excludedCheckRunIds = options.excludedCheckRunIds || new Set();
+
+  /** @type {Map<string, any>} */
+  const latestByName = new Map();
+  let deploymentCheckCount = 0;
+  let currentRunFilterCount = 0;
+
+  for (const run of checkRuns) {
+    if (isDeploymentCheck(run)) {
+      deploymentCheckCount++;
+      continue;
+    }
+    if (excludedCheckRunIds.has(run.id)) {
+      currentRunFilterCount++;
+      continue;
+    }
+    const existing = latestByName.get(run.name);
+    if (!existing || new Date(run.started_at ?? 0) > new Date(existing.started_at ?? 0)) {
+      latestByName.set(run.name, run);
+    }
+  }
+
+  const relevant = [];
+  for (const [name, run] of latestByName) {
+    if (includeList && includeList.length > 0 && !includeList.includes(name)) {
+      continue;
+    }
+    if (excludeList && excludeList.length > 0 && excludeList.includes(name)) {
+      continue;
+    }
+    relevant.push(run);
+  }
+
+  return { relevant, deploymentCheckCount, currentRunFilterCount };
+}
+
+/**
+ * Computes failing checks with shared semantics.
+ * @param {any[]} checkRuns
+ * @param {{allowPending?: boolean}} [options]
+ * @returns {any[]}
+ */
+function getFailingChecks(checkRuns, options = {}) {
+  const allowPending = options.allowPending === true;
+  const failedConclusions = new Set(["failure", "cancelled", "timed_out"]);
+  return checkRuns.filter(run => {
+    if (run.status === "completed") {
+      return run.conclusion != null && failedConclusions.has(run.conclusion);
+    }
+    return !allowPending;
+  });
+}
+
+module.exports = {
+  isDeploymentCheck,
+  selectLatestRelevantChecks,
+  getFailingChecks,
+};

actions/setup/js/check_skip_if_check_failing.cjs

@@ -5,6 +5,7 @@ const { getErrorMessage, isRateLimitError } = require("./error_helpers.cjs");
 const { ERR_API } = require("./error_codes.cjs");
 const { getBaseBranch } = require("./get_base_branch.cjs");
 const { writeDenialSummary } = require("./pre_activation_summary.cjs");
+const { selectLatestRelevantChecks, getFailingChecks } = require("./check_runs_helpers.cjs");
 
 /**
  * Determines the ref to check for CI status.
@@ -52,22 +53,6 @@ function parseListEnv(envValue) {
   }
 }
 
-/**
- * Returns true for check runs that represent deployment environment gates rather
- * than CI checks. These should be ignored by default so that a pending deployment
- * approval does not falsely block the agentic workflow.
- *
- * Deployment gate checks are identified by the GitHub App that created them:
- *   - "github-deployments" – the built-in GitHub Deployments service
- *
- * @param {object} run - A check run object from the GitHub API
- * @returns {boolean}
- */
-function isDeploymentCheck(run) {
-  const slug = run.app?.slug;
-  return slug === "github-deployments";
-}
-
 /**
  * Fetches the check run IDs for all jobs in the current workflow run.
  * These IDs are used to filter out the current workflow's own checks
@@ -149,25 +134,11 @@ async function main() {
     // Filter to the latest run per check name (GitHub may have multiple runs per name).
     // Deployment gate checks and the current run's own checks are silently skipped here
     // so they never influence the gate.
-    /** @type {Map<string, object>} */
-    const latestByName = new Map();
-    let deploymentCheckCount = 0;
-    let currentRunFilterCount = 0;
-    for (const run of checkRuns) {
-      if (isDeploymentCheck(run)) {
-        deploymentCheckCount++;
-        continue;
-      }
-      if (currentRunCheckRunIds.has(run.id)) {
-        currentRunFilterCount++;
-        continue;
-      }
-      const name = run.name;
-      const existing = latestByName.get(name);
-      if (!existing || new Date(run.started_at ?? 0) > new Date(existing.started_at ?? 0)) {
-        latestByName.set(name, run);
-      }
-    }
+    const { relevant, deploymentCheckCount, currentRunFilterCount } = selectLatestRelevantChecks(checkRuns, {
+      includeList,
+      excludeList,
+      excludedCheckRunIds: currentRunCheckRunIds,
+    });
 
     if (deploymentCheckCount > 0) {
       core.info(`Skipping ${deploymentCheckCount} deployment gate check(s) (app: github-deployments)`);
@@ -176,32 +147,9 @@ async function main() {
       core.info(`Skipping ${currentRunFilterCount} check run(s) from the current workflow run`);
     }
 
-    // Apply user-defined include/exclude filtering
-    const relevant = [];
-    for (const [name, run] of latestByName) {
-      if (includeList && includeList.length > 0 && !includeList.includes(name)) {
-        continue;
-      }
-      if (excludeList && excludeList.length > 0 && excludeList.includes(name)) {
-        continue;
-      }
-      relevant.push(run);
-    }
-
     core.info(`Evaluating ${relevant.length} check run(s) after filtering`);
 
-    // A check is "failing" if it either:
-    //   1. Completed with a non-success conclusion (failure, cancelled, timed_out), OR
-    //   2. Is still pending/in-progress — unless allow-pending is set
-    const failedConclusions = new Set(["failure", "cancelled", "timed_out"]);
-
-    const failingChecks = relevant.filter(run => {
-      if (run.status === "completed") {
-        return run.conclusion != null && failedConclusions.has(run.conclusion);
-      }
-      // Pending/queued/in_progress: treat as failing unless allow-pending is true
-      return !allowPending;
-    });
+    const failingChecks = getFailingChecks(relevant, { allowPending });
 
     if (failingChecks.length > 0) {
       const names = failingChecks.map(r => (r.status === "completed" ? `${r.name} (${r.conclusion})` : `${r.name} (${r.status})`)).join(", ");