fix: ensure safe-outputs staged mode works for all handler types (#21414)

* fix: add staged support to all safe-output handlers in schema and compiler

- Add `staged` field to all 38 handler schemas in main_workflow_schema.json
  (previously only close-pull-request and push-to-pull-request-branch had it;
  all schemas have `additionalProperties: false` so missing staged caused parser rejection)
- Refactor compiler_safe_outputs_env.go: replace per-handler staged flag logic
  with a single hasSafeOutputWithoutTargetRepo() helper that covers all 40 handlers,
  fixing the bug where handlers like create-discussion, autofix-code-scanning-alert,
  noop, etc. never triggered the GH_AW_SAFE_OUTPUTS_STAGED env var
- Add TestStagedFlagForAllHandlerTypes covering previously untested handler types

Co-authored-by: pelikhan <[email protected]>

* fix: clean up comments per code review feedback

Co-authored-by: pelikhan <[email protected]>

* fix: staged mode is independent of target-repo, add test cases for all handler types

Co-authored-by: pelikhan <[email protected]>

* test: add integration tests and workflow files for staged safe-outputs

Co-authored-by: pelikhan <[email protected]>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <[email protected]>

* refactor: remove hasSafeOutputConfigured wrapper, drive test from safeOutputFieldMapping

Co-authored-by: pelikhan <[email protected]>

* Add changeset [skip-ci]

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: pelikhan <[email protected]>
Co-authored-by: Peli de Halleux <[email protected]>
Co-authored-by: Copilot Autofix powered by AI <[email protected]>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

Author: 4 people

.changeset/patch-fix-safe-outputs-staged-handlers.md

@@ -802,6 +802,240 @@ This workflow tests that invalid schedule strings in array format fail compilati
 	t.Logf("Integration test passed - invalid schedule in array format correctly failed compilation\nOutput: %s", outputStr)
 }
 
+// TestCompileStagedSafeOutputsCreateIssue verifies that a workflow with staged: true
+// and a create-issue handler compiles without error and emits GH_AW_SAFE_OUTPUTS_STAGED.
+// Prior to the schema fix, staged was not listed in the create-issue schema
+// (additionalProperties: false), so the frontmatter validator would reject the workflow.
+func TestCompileStagedSafeOutputsCreateIssue(t *testing.T) {
+	setup := setupIntegrationTest(t)
+	defer setup.cleanup()
+
+	testWorkflow := `---
+name: Staged Create Issue
+on:
+  workflow_dispatch:
+permissions: read-all
+engine: copilot
+safe-outputs:
+  staged: true
+  create-issue:
+    title-prefix: "[staged] "
+    max: 1
+---
+
+Verify staged safe-outputs with create-issue.
+`
+	testWorkflowPath := filepath.Join(setup.workflowsDir, "staged-create-issue.md")
+	if err := os.WriteFile(testWorkflowPath, []byte(testWorkflow), 0644); err != nil {
+		t.Fatalf("Failed to write test workflow file: %v", err)
+	}
+
+	cmd := exec.Command(setup.binaryPath, "compile", testWorkflowPath)
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		t.Fatalf("CLI compile command failed: %v\nOutput: %s", err, string(output))
+	}
+
+	lockFilePath := filepath.Join(setup.workflowsDir, "staged-create-issue.lock.yml")
+	lockContent, err := os.ReadFile(lockFilePath)
+	if err != nil {
+		t.Fatalf("Failed to read lock file: %v", err)
+	}
+	lockContentStr := string(lockContent)
+
+	if !strings.Contains(lockContentStr, `GH_AW_SAFE_OUTPUTS_STAGED: "true"`) {
+		t.Errorf("Lock file should contain GH_AW_SAFE_OUTPUTS_STAGED: \"true\"\nLock file content:\n%s", lockContentStr)
+	}
+}
+
+// TestCompileStagedSafeOutputsAddComment verifies that a workflow with staged: true
+// and an add-comment handler compiles and emits GH_AW_SAFE_OUTPUTS_STAGED.
+// Prior to the schema fix, staged was not listed in the add-comment handler schema.
+func TestCompileStagedSafeOutputsAddComment(t *testing.T) {
+	setup := setupIntegrationTest(t)
+	defer setup.cleanup()
+
+	testWorkflow := `---
+name: Staged Add Comment
+on:
+  workflow_dispatch:
+permissions: read-all
+engine: copilot
+safe-outputs:
+  staged: true
+  add-comment:
+    max: 1
+---
+
+Verify staged safe-outputs with add-comment.
+`
+	testWorkflowPath := filepath.Join(setup.workflowsDir, "staged-add-comment.md")
+	if err := os.WriteFile(testWorkflowPath, []byte(testWorkflow), 0644); err != nil {
+		t.Fatalf("Failed to write test workflow file: %v", err)
+	}
+
+	cmd := exec.Command(setup.binaryPath, "compile", testWorkflowPath)
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		t.Fatalf("CLI compile command failed: %v\nOutput: %s", err, string(output))
+	}
+
+	lockFilePath := filepath.Join(setup.workflowsDir, "staged-add-comment.lock.yml")
+	lockContent, err := os.ReadFile(lockFilePath)
+	if err != nil {
+		t.Fatalf("Failed to read lock file: %v", err)
+	}
+	lockContentStr := string(lockContent)
+
+	if !strings.Contains(lockContentStr, `GH_AW_SAFE_OUTPUTS_STAGED: "true"`) {
+		t.Errorf("Lock file should contain GH_AW_SAFE_OUTPUTS_STAGED: \"true\"\nLock file content:\n%s", lockContentStr)
+	}
+}
+
+// TestCompileStagedSafeOutputsCreateDiscussion verifies that a workflow with staged: true
+// and a create-discussion handler compiles and emits GH_AW_SAFE_OUTPUTS_STAGED.
+// Prior to the schema fix, staged was not listed in the create-discussion handler schema.
+func TestCompileStagedSafeOutputsCreateDiscussion(t *testing.T) {
+	setup := setupIntegrationTest(t)
+	defer setup.cleanup()
+
+	testWorkflow := `---
+name: Staged Create Discussion
+on:
+  workflow_dispatch:
+permissions:
+  contents: read
+engine: copilot
+safe-outputs:
+  staged: true
+  create-discussion:
+    max: 1
+    category: general
+---
+
+Verify staged safe-outputs with create-discussion.
+`
+	testWorkflowPath := filepath.Join(setup.workflowsDir, "staged-create-discussion.md")
+	if err := os.WriteFile(testWorkflowPath, []byte(testWorkflow), 0644); err != nil {
+		t.Fatalf("Failed to write test workflow file: %v", err)
+	}
+
+	cmd := exec.Command(setup.binaryPath, "compile", testWorkflowPath)
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		t.Fatalf("CLI compile command failed: %v\nOutput: %s", err, string(output))
+	}
+
+	lockFilePath := filepath.Join(setup.workflowsDir, "staged-create-discussion.lock.yml")
+	lockContent, err := os.ReadFile(lockFilePath)
+	if err != nil {
+		t.Fatalf("Failed to read lock file: %v", err)
+	}
+	lockContentStr := string(lockContent)
+
+	if !strings.Contains(lockContentStr, `GH_AW_SAFE_OUTPUTS_STAGED: "true"`) {
+		t.Errorf("Lock file should contain GH_AW_SAFE_OUTPUTS_STAGED: \"true\"\nLock file content:\n%s", lockContentStr)
+	}
+}
+
+// TestCompileStagedSafeOutputsWithTargetRepo verifies that staged: true emits
+// GH_AW_SAFE_OUTPUTS_STAGED even when a target-repo is specified on the handler.
+// Staged mode is independent of target-repo.
+func TestCompileStagedSafeOutputsWithTargetRepo(t *testing.T) {
+	setup := setupIntegrationTest(t)
+	defer setup.cleanup()
+
+	testWorkflow := `---
+name: Staged Cross-Repo
+on:
+  workflow_dispatch:
+permissions: read-all
+engine: copilot
+safe-outputs:
+  staged: true
+  create-issue:
+    title-prefix: "[cross-repo staged] "
+    max: 1
+    target-repo: org/other-repo
+---
+
+Verify that staged mode is independent of target-repo.
+`
+	testWorkflowPath := filepath.Join(setup.workflowsDir, "staged-cross-repo.md")
+	if err := os.WriteFile(testWorkflowPath, []byte(testWorkflow), 0644); err != nil {
+		t.Fatalf("Failed to write test workflow file: %v", err)
+	}
+
+	cmd := exec.Command(setup.binaryPath, "compile", testWorkflowPath)
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		t.Fatalf("CLI compile command failed: %v\nOutput: %s", err, string(output))
+	}
+
+	lockFilePath := filepath.Join(setup.workflowsDir, "staged-cross-repo.lock.yml")
+	lockContent, err := os.ReadFile(lockFilePath)
+	if err != nil {
+		t.Fatalf("Failed to read lock file: %v", err)
+	}
+	lockContentStr := string(lockContent)
+
+	// staged is independent of target-repo: env var must be present
+	if !strings.Contains(lockContentStr, `GH_AW_SAFE_OUTPUTS_STAGED: "true"`) {
+		t.Errorf("Lock file should contain GH_AW_SAFE_OUTPUTS_STAGED: \"true\" even with target-repo set\nLock file content:\n%s", lockContentStr)
+	}
+}
+
+// TestCompileStagedSafeOutputsMultipleHandlers verifies that staged: true with
+// multiple handler types compiles and emits GH_AW_SAFE_OUTPUTS_STAGED exactly once.
+// Previously, adding staged to most handler types caused a schema validation error.
+func TestCompileStagedSafeOutputsMultipleHandlers(t *testing.T) {
+	setup := setupIntegrationTest(t)
+	defer setup.cleanup()
+
+	testWorkflow := `---
+name: Staged Multiple Handlers
+on:
+  workflow_dispatch:
+permissions: read-all
+engine: copilot
+safe-outputs:
+  staged: true
+  create-issue:
+    title-prefix: "[staged] "
+    max: 1
+  add-comment:
+    max: 2
+  add-labels:
+    allowed:
+      - bug
+  update-issue:
+---
+
+Verify staged safe-outputs with multiple handler types.
+`
+	testWorkflowPath := filepath.Join(setup.workflowsDir, "staged-multi-handler.md")
+	if err := os.WriteFile(testWorkflowPath, []byte(testWorkflow), 0644); err != nil {
+		t.Fatalf("Failed to write test workflow file: %v", err)
+	}
+
+	cmd := exec.Command(setup.binaryPath, "compile", testWorkflowPath)
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		t.Fatalf("CLI compile command failed: %v\nOutput: %s", err, string(output))
+	}
+
+	lockFilePath := filepath.Join(setup.workflowsDir, "staged-multi-handler.lock.yml")
+	lockContent, err := os.ReadFile(lockFilePath)
+	if err != nil {
+		t.Fatalf("Failed to read lock file: %v", err)
+	}
+	lockContentStr := string(lockContent)
+
+	if !strings.Contains(lockContentStr, `GH_AW_SAFE_OUTPUTS_STAGED: "true"`) {
+		t.Errorf("Lock file should contain GH_AW_SAFE_OUTPUTS_STAGED: \"true\"\nLock file content:\n%s", lockContentStr)
+	}
+}
+
 // TestCompileFromSubdirectoryCreatesActionsLockAtRoot tests that actions-lock.json
 // is created at the repository root when compiling from a subdirectory
 func TestCompileFromSubdirectoryCreatesActionsLockAtRoot(t *testing.T) {

.github/workflows/daily-choice-test.lock.yml

@@ -0,0 +1,16 @@
+---
+on:
+  workflow_dispatch:
+permissions: read-all
+engine: copilot
+safe-outputs:
+  staged: true
+  add-comment:
+    max: 1
+---
+
+# Test Staged Add Comment
+
+Verify that `staged: true` works together with the `add-comment` handler.
+
+Add a comment to issue #1 saying "Staged test comment."

pkg/cli/compile_integration_test.go

@@ -0,0 +1,18 @@
+---
+on:
+  workflow_dispatch:
+permissions:
+  contents: read
+engine: copilot
+safe-outputs:
+  staged: true
+  create-discussion:
+    max: 1
+    category: general
+---
+
+# Test Staged Create Discussion
+
+Verify that `staged: true` works together with the `create-discussion` handler.
+
+Create a discussion titled "Staged test discussion" with the body "This discussion was created in staged mode."

pkg/cli/workflows/test-staged-add-comment.md

@@ -0,0 +1,17 @@
+---
+on:
+  workflow_dispatch:
+permissions: read-all
+engine: copilot
+safe-outputs:
+  staged: true
+  create-issue:
+    title-prefix: "[staged] "
+    max: 1
+---
+
+# Test Staged Create Issue
+
+Verify that `staged: true` works together with the `create-issue` handler.
+
+Create an issue titled "Staged test issue" with the body "This issue was created in staged mode."

pkg/cli/workflows/test-staged-create-discussion.md

@@ -0,0 +1,19 @@
+---
+on:
+  workflow_dispatch:
+permissions: read-all
+engine: copilot
+safe-outputs:
+  staged: true
+  create-issue:
+    title-prefix: "[cross-repo staged] "
+    max: 1
+    target-repo: org/other-repo
+---
+
+# Test Staged Create Issue Cross-Repo
+
+Verify that `staged: true` is emitted even when a `target-repo` is configured.
+`staged` mode is independent of the `target-repo` setting.
+
+Create an issue in the target repository titled "Cross-repo staged test issue."