9 changes: 6 additions & 3 deletions cmd/gh-aw/main.go
Expand Up @@ -286,7 +286,7 @@ Examples:
failFast, _ := cmd.Flags().GetBool("fail-fast")
noCheckUpdate, _ := cmd.Flags().GetBool("no-check-update")
scheduleSeed, _ := cmd.Flags().GetString("schedule-seed")
safeUpdate, _ := cmd.Flags().GetBool("safe-update")
approve, _ := cmd.Flags().GetBool("approve-updates")
validateImages, _ := cmd.Flags().GetBool("validate-images")
priorManifestFile, _ := cmd.Flags().GetString("prior-manifest-file")
verbose, _ := cmd.Flags().GetBool("verbose")
Expand Down Expand Up @@ -343,7 +343,7 @@ Examples:
Stats: stats,
FailFast: failFast,
ScheduleSeed: scheduleSeed,
SafeUpdate: safeUpdate,
Approve: approve,
ValidateImages: validateImages,
PriorManifestFile: priorManifestFile,
}
Expand Down Expand Up @@ -399,6 +399,7 @@ Examples:
push, _ := cmd.Flags().GetBool("push")
dryRun, _ := cmd.Flags().GetBool("dry-run")
jsonOutput, _ := cmd.Flags().GetBool("json")
approveRun, _ := cmd.Flags().GetBool("approve-updates")

if err := validateEngine(engineOverride); err != nil {
return err
Expand Down Expand Up @@ -437,6 +438,7 @@ Examples:
Verbose: verboseFlag,
DryRun: dryRun,
JSON: jsonOutput,
Approve: approveRun,
})
},
}
Expand Down Expand Up @@ -692,7 +694,7 @@ Use "` + string(constants.CLIExtensionPrefix) + ` help all" to show help for all
compileCmd.Flags().Bool("fail-fast", false, "Stop at the first validation error instead of collecting all errors")
compileCmd.Flags().Bool("no-check-update", false, "Skip checking for gh-aw updates")
compileCmd.Flags().String("schedule-seed", "", "Override the repository slug (owner/repo) used as seed for fuzzy schedule scattering (e.g. 'github/gh-aw'). Bypasses git remote detection entirely. Use this when your git remote is not named 'origin' and you have multiple remotes configured")
compileCmd.Flags().Bool("safe-update", false, "Force-enable safe update mode independently of strict mode. Safe update mode is normally equivalent to strict mode: it emits a warning prompt when compilations introduce new restricted secrets or unapproved action additions/removals not present in the existing gh-aw-manifest. Use this flag to enable safe update enforcement on a workflow that has strict: false in its frontmatter")
compileCmd.Flags().Bool("approve-updates", false, "Approve all safe update changes. When strict mode is active (the default), the compiler emits warnings for new restricted secrets or unapproved action additions/removals not present in the existing gh-aw-manifest. Use this flag to approve and skip safe update enforcement")
compileCmd.Flags().Bool("validate-images", false, "Require Docker to be available for container image validation. Without this flag, container image validation is silently skipped when Docker is not installed or the daemon is not running")
compileCmd.Flags().String("prior-manifest-file", "", "Path to a JSON file containing pre-cached gh-aw-manifests (map[lockFile]*GHAWManifest); used by the MCP server to supply a tamper-proof manifest baseline captured at startup")
if err := compileCmd.Flags().MarkHidden("prior-manifest-file"); err != nil {
Expand Down Expand Up @@ -733,6 +735,7 @@ Use "` + string(constants.CLIExtensionPrefix) + ` help all" to show help for all
runCmd.Flags().Bool("push", false, "Commit and push workflow files (including transitive imports) before running")
runCmd.Flags().Bool("dry-run", false, "Validate workflow without actually triggering execution on GitHub Actions")
runCmd.Flags().BoolP("json", "j", false, "Output results in JSON format")
runCmd.Flags().Bool("approve-updates", false, "Approve all safe update changes during compilation (skip safe update enforcement)")
// Register completions for run command
runCmd.ValidArgsFunction = cli.CompleteWorkflowNames
cli.RegisterEngineFlagCompletion(runCmd)
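Review bot: The run command's `--approve-updates` help text on the last hunk's added line does not say which checks are being waived, unlike the compile-side description three hunks up, so an operator invoking `run --approve-updates` gets no indication that they are skipping the check for new restricted secrets and unapproved action additions/removals. Suggest `runCmd.Flags().Bool("approve-updates", false, "Approve all safe update changes during compilation: skips the safe update check for new restricted secrets or unapproved action additions/removals not present in the existing gh-aw-manifest")`. The removed `--safe-update` flag had the opposite meaning (it enabled enforcement) and is not kept as a deprecated alias, so scripts still passing it should presumably fail with an unknown-flag error rather than silently run with inverted behaviour, which is the safe outcome, but the rename is worth calling out in the compile flag's help or the release notes. The enclosing command definitions start and end outside these hunks.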
10 changes: 5 additions & 5 deletions pkg/cli/compile_compiler_setup.go
Expand Up @@ -156,11 +156,11 @@ func configureCompilerFlags(compiler *workflow.Compiler, config CompileConfig) {
compileCompilerSetupLog.Print("Force refresh action pins enabled: will clear cache and resolve all actions from GitHub API")
}

// Set safe update flag: when set via CLI it force-enables safe update enforcement
// independently of the workflow's strict mode setting.
compiler.SetSafeUpdate(config.SafeUpdate)
if config.SafeUpdate {
compileCompilerSetupLog.Print("Safe update mode force-enabled via --safe-update flag: compilations introducing new restricted secrets or unapproved action additions/removals will emit a warning prompt requesting agent review and a PR security note")
// Set safe update flag: when set via CLI it disables/skips safe update enforcement
// regardless of the workflow's strict mode setting.
compiler.SetApprove(config.Approve)
if config.Approve {
compileCompilerSetupLog.Print("Safe update changes approved via --approve-updates flag: skipping safe update enforcement for new restricted secrets or unapproved action additions/removals")
}

// Set require docker flag: when set, container image validation fails instead of
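Review bot: The waiver of safe update enforcement is recorded only through `compileCompilerSetupLog.Print` on the hunk's last added line, which from its name looks like a package-scoped debug logger; if that output is not shown by default, a CI log will carry no trace that the check for new restricted secrets or action additions/removals was skipped for this compilation. Consider also emitting the message on the user-visible path the compiler uses for its safe update warnings, so the waiver is auditable alongside the checks it replaces. The leading comment still reads `// Set safe update flag:` although the call is now `compiler.SetApprove`; suggest `// Set approve flag: when set via CLI it skips safe update enforcement` followed by `// regardless of the workflow's strict mode setting.`. configureCompilerFlags begins and ends outside the hunk.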
2 changes: 1 addition & 1 deletion pkg/cli/compile_config.go
Expand Up @@ -29,7 +29,7 @@ type CompileConfig struct {
Stats bool // Display statistics table sorted by file size
FailFast bool // Stop at first error instead of collecting all errors
ScheduleSeed string // Override repository slug used for fuzzy schedule scattering (e.g. owner/repo)
SafeUpdate bool // Force-enable safe update mode regardless of strict mode setting. Safe update mode is normally equivalent to strict mode (active whenever strict mode is active).
Approve bool // Approve all safe update changes, skipping safe update enforcement regardless of strict mode setting.

🤖 Smoke test review comment — Run 24408518985. The updated field comment is more precise — "skipping safe update enforcement" is actionable guidance for the caller compared to the previous "force-enable safe update mode" which described the old inverted semantics.

ValidateImages bool // Require Docker to be available for container image validation (fail instead of skipping when Docker is unavailable)
PriorManifestFile string // Path to a JSON file containing pre-cached manifests (map[lockFile]*GHAWManifest) collected at MCP server startup; takes precedence over git HEAD / filesystem reads for safe update enforcement
}
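Review bot: The new `Approve` field comment does not state what the zero value means for callers that build CompileConfig programmatically rather than from the CLI flag — the PriorManifestFile comment two lines below names the MCP server as one such caller. Since false presumably leaves safe update enforcement in place, suggest `Approve bool // Approve all safe update changes, skipping safe update enforcement regardless of strict mode setting; the zero value (false) leaves enforcement active.`. The CompileConfig struct starts and ends outside the hunk.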