You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
PR #40368 added a new allowed-teams option to the safe-outputs.mentions configuration, letting workflows allow all members of named GitHub teams to be @mentioned without enumerating individual usernames. The feature is implemented and validated, but it is not surfaced in the agentic-facing docs under .github/aw/ that agents read when authoring/editing workflows. As a result, an agent generating a workflow will not discover this capability.
Feature
Feature ID:awf-feat-mentions-allowed-teams
Schema key:safe-outputs.mentions.allowed-teams (array of team-slug or org/team-slug)
Team members are resolved from the GitHub API at runtime; bots excluded. Requires read:org scope (not in default GITHUB_TOKEN).
❌ missing — the mentions: object example/prose lists only allow-team-members, allow-context, allowed, max
Follow-up tasks
[High] Add allowed-teams to the mentions: object example and prose in .github/aw/safe-outputs-runtime.md (around lines 135–149), including the read:org scope caveat and the org/team-slug vs bare team-slug resolution rule.
[Low] Cross-check other agentic docs that mention mentions: (e.g. .github/aw/report.md, .github/aw/messages.md) for whether a pointer to allowed-teams is warranted.
[Low] Confirm a frontmatter example or pattern doc shows a realistic allowed-teams usage so agents have a copyable snippet.
Notes
No duplicate issue exists for this feature.
User-facing reference docs already cover the feature; the gap is specifically the agentic .github/aw/ context surface.
Summary
PR #40368 added a new
allowed-teamsoption to thesafe-outputs.mentionsconfiguration, letting workflows allow all members of named GitHub teams to be@mentionedwithout enumerating individual usernames. The feature is implemented and validated, but it is not surfaced in the agentic-facing docs under.github/aw/that agents read when authoring/editing workflows. As a result, an agent generating a workflow will not discover this capability.Feature
awf-feat-mentions-allowed-teamssafe-outputs.mentions.allowed-teams(array ofteam-slugororg/team-slug)read:orgscope (not in defaultGITHUB_TOKEN).Evidence
b56f9a6— feat(safe-outputs): addallowed-teamsto mentions configuration (feat(safe-outputs): addallowed-teamsto mentions configuration #40368)pkg/parser/schemas/main_workflow_schema.json(allowed-teamsat line ~10224)pkg/workflow/safe_outputs_messages_config.go,pkg/workflow/safe_outputs_config.go,pkg/workflow/compiler_types.godocs/adr/40368-resolve-mentions-via-team-membership.mdCurrent surfacing status
read:orgscope note)docs/src/content/docs/reference/safe-outputs.mddocs/src/content/docs/reference/frontmatter-full.md40368-...md.github/aw/safe-outputs-runtime.mdmentions:object example/prose lists onlyallow-team-members,allow-context,allowed,maxFollow-up tasks
allowed-teamsto thementions:object example and prose in.github/aw/safe-outputs-runtime.md(around lines 135–149), including theread:orgscope caveat and theorg/team-slugvs bareteam-slugresolution rule.mentions:(e.g..github/aw/report.md,.github/aw/messages.md) for whether a pointer toallowed-teamsis warranted.allowed-teamsusage so agents have a copyable snippet.Notes
.github/aw/context surface.