feat: add disable_agentic_workflow label-triggered job to maintenance workflow#29269
Draft
feat: add disable_agentic_workflow label-triggered job to maintenance workflow#29269
Conversation
… workflow When an issue or PR is labeled with "agentic-workflows:disable": - A new maintenance job reads the body to find the workflow_id from XML comment markers (gh-aw-workflow-id) - Disables the corresponding agentic workflow via gh aw disable - Posts a comment confirming the action Changes: - pkg/workflow/maintenance_conditions.go: add buildLabeledDisableCondition() - pkg/workflow/maintenance_workflow_yaml.go: add issues/pull_request label triggers and disable_agentic_workflow job - actions/setup/js/disable_agentic_workflow.cjs: new JS implementation - actions/setup/js/disable_agentic_workflow.test.cjs: JS unit tests - pkg/workflow/maintenance_workflow_test.go: Go unit tests for new job - .github/workflows/agentics-maintenance.yml: regenerated Agent-Logs-Url: https://github.com/github/gh-aw/sessions/9713fb7c-1206-4aed-9d68-08edcfbc4394 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…olation - Restrict combined-marker regex to gh-aw-agentic-workflow comment blocks to prevent matching workflow_id: in user content - Add isValidWorkflowId() to validate extracted IDs against path traversal and shell-unsafe characters - Pass only required env vars (not ...process.env spread) to exec subprocess - Add test cases for security validation and outside-comment non-match Agent-Logs-Url: https://github.com/github/gh-aw/sessions/9713fb7c-1206-4aed-9d68-08edcfbc4394 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot created this pull request from a session on behalf of
pelikhan
April 30, 2026 06:17
View session
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds a new job to the agentic maintenance action that triggers when an issue or pull request is labeled with
agentic-workflows:disable.How it works
agentic-workflows:disablelabel to an issue or PR created by an agentic workflowdisable_agentic_workflowjob activates (label events on issues and PRs)check_team_member.cjs)workflow_idfrom XML comment markers (<!-- gh-aw-workflow-id: WORKFLOW_ID -->or the combined<!-- gh-aw-agentic-workflow: ... -->marker)gh aw disable <workflow_id>to disable the specific agentic workflowChanges
pkg/workflow/maintenance_conditions.gobuildLabeledDisableCondition()for the label-triggeredif:conditionpkg/workflow/maintenance_workflow_yaml.goissues: [labeled]+pull_request: [labeled]toon:, addsdisable_agentic_workflowjobactions/setup/js/disable_agentic_workflow.cjsactions/setup/js/disable_agentic_workflow.test.cjspkg/workflow/maintenance_workflow_test.go.github/workflows/agentics-maintenance.ymlSecurity
<!-- gh-aw-agentic-workflow: ... -->comment blocks to prevent user content injectionisValidWorkflowId()(alphanumeric +-_., max 100 chars, no..path traversal)...process.envspread)check_team_member.cjsgate)