[bug-hunter] Mention-in-PR guardrail allows `.github/` edits that safe-output push always blocks

[github-actions]

Impact

mention-in-pr workflows now instruct the agent to refuse only .github/workflows/ edits, but runtime safe-output push protection still blocks all .github/ paths. This creates deterministic failed runs for valid requests touching other .github/* files (for example .github/labeler.yml): the agent is not warned to refuse, attempts edits, then push is blocked.

Reproduction Steps

1. Run this new script locally:

import json
from pathlib import Path

frag_path = Path('.github/workflows/gh-aw-fragments/workflow-edit-guardrails.md')
lock_path = Path('.github/workflows/gh-aw-mention-in-pr.lock.yml')

frag = frag_path.read_text(encoding='utf-8')
lock_lines = lock_path.read_text(encoding='utf-8').splitlines()
config_line = next(line for line in lock_lines if 'GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG:' in line)
raw = config_line.split('GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "', 1)[1].rsplit('"', 1)[0]
cfg = json.loads(raw.encode('utf-8').decode('unicode_escape'))
protected = cfg['push_to_pull_request_branch']['protected_path_prefixes']

print('guardrail fragment line:', frag.splitlines()[2])
print('protected prefixes:', protected)

assert '.github/' in protected
assert '`.github/`' in frag, 'BUG: prompt only warns about .github/workflows/, but runtime blocks all .github/ edits'

2. Execute it with python3 repro_guardrail_mismatch.py.

Expected vs Actual

Expected: Guardrails should match runtime push protections (or be stricter), so users are immediately told .github/ edits cannot be pushed.

Actual: Guardrail text only mentions .github/workflows/, while runtime config blocks .github/ entirely.

Observed output:

guardrail fragment line: - If a requested change touches a workflow file under `.github/workflows/`, explain that the GitHub Actions token cannot push workflow changes and ask a maintainer to apply that change directly.
protected prefixes: ['.github/', '.agents/']
AssertionError: BUG: prompt only warns about .github/workflows/, but runtime blocks all .github/ edits

Failing Test

import json
from pathlib import Path

frag_path = Path('.github/workflows/gh-aw-fragments/workflow-edit-guardrails.md')
lock_path = Path('.github/workflows/gh-aw-mention-in-pr.lock.yml')

frag = frag_path.read_text(encoding='utf-8')
lock_lines = lock_path.read_text(encoding='utf-8').splitlines()
config_line = next(line for line in lock_lines if 'GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG:' in line)
raw = config_line.split('GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "', 1)[1].rsplit('"', 1)[0]
cfg = json.loads(raw.encode('utf-8').decode('unicode_escape'))
protected = cfg['push_to_pull_request_branch']['protected_path_prefixes']

assert '.github/' in protected
assert '`.github/`' in frag, 'BUG: prompt only warns about .github/workflows/, but runtime blocks all .github/ edits'

Evidence

• Guardrail narrowed to workflows only:
  • .github/workflows/gh-aw-fragments/workflow-edit-guardrails.md:3
  • narrowed in commit b2e20627ef5fbf758f84e2b0e59f0fdc1eba4bf3
• Runtime still blocks all .github/ paths:
  • .github/workflows/gh-aw-mention-in-pr.lock.yml:1938 ("protected_path_prefixes":[".github/",".agents/"])

Suggested Action

• Align the guardrail text with actual push protections (.github/) or relax safe-output protection if broader .github/ edits are intended to be allowed.

---

What is this? | From workflow: Trigger Bug Hunter

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

• expires on Mar 17, 2026, 11:27 AM UTC