Implement lock-for-agent feature for issues

[Copilot]

Implements the lock-for-agent optional boolean field for the on.issues trigger in workflow frontmatter. When enabled, issues are automatically locked during agent workflow execution and unlocked upon completion to prevent concurrent modifications.

Implementation

Frontmatter Configuration

on:
  issues:
    types: [opened]
    lock-for-agent: true

Key Features

• Lock Step: Added to activation job, locks the issue before agent execution

  • Only runs in issue context (checks github.event.issue.number)
  • Uses embedded lock-issue.cjs JavaScript (already registered with bundler)
  • Does not provide a lock reason as specified
  • Checks lock status first: Skips lock operation if issue is already locked to avoid unnecessary API calls
  • Sets output: Sets locked output to "true" when successfully locked, "false" otherwise
  • Exposes job output: issue_locked output exposed from activation job for downstream use

• Unlock Step: Added to conclusion job, unlocks the issue after completion

  • Uses always() condition to run even on workflow failure
  • Uses embedded unlock-issue.cjs JavaScript (already registered with bundler)
  • Checks lock status first: Skips unlock operation if issue is not locked to ensure idempotent behavior
  • Output-based condition: Only unlocks if needs.activation.outputs.issue_locked == 'true', ensuring we only unlock issues we locked

• Reaction Message: When reactions are enabled, adds a 🔒 lock notification to the activation comment indicating the issue has been locked

• Event Compatibility: Fully compatible with other event types (pull_request, discussion, etc.) - lock steps only execute in issue context

Changes Made

• Compiler:

  • Added LockForAgent field to WorkflowData struct
  • Parse lock-for-agent from on.issues configuration in parseOnSection
  • Generate lock step in activation job with issue context condition
  • Generate unlock step in conclusion job with always() condition and output-based check
  • Add issue_locked output to activation job

• JavaScript:

  • Enhanced add_reaction_and_edit_comment.cjs to display lock notification when GH_AW_LOCK_FOR_AGENT environment variable is set
  • Smart lock checking: Both lock-issue.cjs and unlock-issue.cjs now check the issue's lock status using github.rest.issues.get() before performing operations
  • Output tracking: lock-issue.cjs sets locked output to track whether the issue was successfully locked
  • Prevents errors and unnecessary API calls when issue is already in the desired state

• Tests:

  • Go Tests (lock_for_agent_test.go): 4 comprehensive test cases
    • Lock-for-agent enabled with reaction
    • Lock-for-agent enabled without reaction
    • Lock-for-agent disabled (default)
    • Compatibility with pull_request events
  • JavaScript Tests: Added comprehensive test suites for the lock/unlock scripts
    • lock-issue.test.cjs: 7 test cases covering successful operations, error handling, validation, skip-when-already-locked behavior, and output verification
    • unlock-issue.test.cjs: 8 test cases covering successful operations, error handling, edge cases, and skip-when-not-locked behavior

• Enabled in Production: Added lock-for-agent: true to .github/workflows/ai-moderator.md to prevent concurrent modifications during AI moderation

Testing

• ✅ All lock-for-agent Go tests pass (4 tests)
• ✅ All JavaScript tests pass (15 tests: 7 for lock-issue, 8 for unlock-issue)
• ✅ Code formatted successfully
• ✅ All workflows recompiled (25 lock files updated, including ai-moderator)
• ✅ Lock/unlock steps properly conditional on issue context
• ✅ Unlock step runs on failure via always() condition
• ✅ Smart status checking prevents unnecessary operations and errors
• ✅ Output tracking provides visibility into lock operations and enables precise unlock control

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Locking of issues</issue_title>
<issue_description>Add a "lock-for-agent" optional boolean field to the on.issue field in the front matter.

on:
issue:
lock-for-agent: true

When enabled, the issue is locked while the agent job runs and unlocked in the conclusion. This prevents concurrent updates to the issue while it is being analyzed.

If enabled, the compiler should emit a step in the activation job to lock the issue in context . Use a JavaScript script, from an embedded file registered with the bundler. Do not provide a reason.

If reaction is enabled, add a message that the issue is locked.

If enabled, the conclusion job should unlock the issue even on failure. Use JavaScript, separate file, registered with bundle.</issue_description>

Comments on the Issue (you are @copilot in this section)

@pelikhan /plan @pelikhan copilot finish this feature, including sub issues.

• add tests
• must be compatible with other events, not sure run within issue context </comment_new>

• Fixes Locking of issues #6201

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[pelikhan]

@copilot restart

[pelikhan]

@copilot add tests for JavaScript files

[Copilot]

@copilot restart

I've completed the lock-for-agent feature implementation:

What was implemented:

• Added lock-for-agent boolean field parsing from on.issues frontmatter
• Lock step added to activation job (only runs in issue context)
• Unlock step added to conclusion job (runs always, even on failure)
• Lock notification added to reaction messages when enabled
• Comprehensive test suite with 4 test cases

Key features:

• Lock step uses github.event.issue.number condition to only run on issues
• Unlock step has always() condition to ensure issues are unlocked even on workflow failure
• Works seamlessly with reactions - adds a 🔒 message to the activation comment
• Fully compatible with other event types (pull_request, discussion, etc.)

Testing:

• All lock-for-agent tests pass ✓
• Workflows recompiled successfully ✓
• Code formatted ✓

Commit: 5b16f9b

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/user
  • Triggering command: /usr/bin/gh gh api user --jq .login it/ref/tags/v5 GO111MODULE ache/go/1.25.0/x64/pkg/tool/linux_amd64/compile GOINSECURE k/pty GOMODCACHE ache/go/1.25.0/x64/pkg/tool/linu/var/run/docker/runtime-runc/moby env d-artifact.git d-artifact.git 2621828/b357=> GOINSECURE GOMOD GOMODCACHE 2621828/b339/importcfg (http block)
  • Triggering command: /usr/bin/gh gh api user --jq .login e-github-app-token.git e-github-app-token.git /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env tags/v5 GO111MODULE e/git GOINSECURE /" + .name GOMODCACHE e/git (http block)
  • Triggering command: /usr/bin/gh gh api user --jq .login b-script.git b-script.git b5c7b1ea66e5aafde94ae9659014d3abcf3/log.json GOINSECURE GOMOD GOMODCACHE ache/go/1.25.0/x64/pkg/tool/linutest@example.com env yYG2/x0NfzuPN1kAbisUKyYG2 GO111MODULE (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[pelikhan]

@copilot If the issue is already locked, do not lock/unlock.

[Copilot]

@copilot add tests for JavaScript files

Added comprehensive JavaScript tests:

lock-issue.test.cjs (6 tests):

• ✅ Successful lock operation
• ✅ Missing issue number handling
• ✅ API error handling (rate limits)
• ✅ Non-Error exception handling
• ✅ Different issue numbers
• ✅ Verifies no lock_reason parameter

unlock-issue.test.cjs (7 tests):

• ✅ Successful unlock operation
• ✅ Missing issue number handling
• ✅ API error handling
• ✅ Non-Error exception handling
• ✅ Different issue numbers
• ✅ Permission errors
• ✅ Already unlocked handling

All 13 JavaScript tests pass. Commit: b16861e

[pelikhan]

@copilot enable for ai-moderator agentic workflow

[Copilot]

@copilot enable for ai-moderator agentic workflow

Enabled lock-for-agent: true in ai-moderator workflow:

on:
  issues:
    types: [opened]
    lock-for-agent: true

The workflow now locks issues during moderation to prevent concurrent modifications. The compiled workflow includes both lock and unlock steps with the new smart status checking. Commit: 9b68f8f

@copilot If the issue is already locked, do not lock/unlock.

Updated both scripts to check lock status before taking action:

lock-issue.cjs:

• Calls github.rest.issues.get() to check issue.locked status
• Skips lock operation if already locked with info message
• Prevents unnecessary API calls and potential errors

unlock-issue.cjs:

• Checks issue.locked status first
• Skips unlock operation if not locked
• Ensures idempotent behavior

All tests updated to verify the new behavior. Commit: 9b68f8f

[pelikhan]

@copilot

• set output to indicate that the issue needs to be unlocked (expose as job output too)
• use the output in unlock step in conclusion job as if condition

[Copilot]

Implemented output tracking and conditional unlock:

Lock Step Output:

• Sets locked output: "true" when successfully locked, "false" otherwise
• Exposed as job output: issue_locked: ${{ steps.lock-issue.outputs.locked }}

Unlock Condition:

• Checks needs.activation.outputs.issue_locked == 'true'
• Three-part condition: always() && github.event.issue.number && needs.activation.outputs.issue_locked == 'true'
• Only unlocks if activation job successfully locked the issue

Benefits:

• Prevents unlock attempts when issue was already locked
• Provides visibility into lock operations
• Maintains precise control over unlock behavior

Commit: 3962c98