rust-guard: remove dead params from issue_integrity + fix heap-allocating string comparison (#2152)

Two small cleanup items in the Rust guard: `issue_integrity` carried two
never-read parameters (`_owner`, `_repo`) that forced callers to perform
unnecessary string splits, and `tool_rules.rs` was heap-allocating a
`String` on every `actions_get` call just to do an equality check.

## Changes

- **`labels/helpers.rs`** — drop `_owner: &str` and `_repo: &str` from
`issue_integrity` signature
- **`labels/response_items.rs`** — remove `repo_owner` split (existed
solely to fill the dead arg)
- **`labels/response_paths.rs`** — remove `owner` split + stale `//
Extract owner from repo for owner check` comment
- **`labels/mod.rs`** — update all 10 test call sites to match new
signature
- **`labels/tool_rules.rs`** — replace heap-allocating comparison with
zero-allocation `.as_str()` idiom:

```rust
// Before — allocates on every actions_get call
tool_args.get("method") == Some(&Value::String("download_workflow_run_artifact".to_string()))

// After — allocation-free
tool_args.get("method").and_then(|v| v.as_str()) == Some("download_workflow_run_artifact")
```

> [!WARNING]
>
> <details>
> <summary>Firewall rules blocked me from connecting to one or more
addresses (expand for details)</summary>
>
> #### I tried to connect to the following addresses, but was blocked by
firewall rules:
>
> - `example.com`
> - Triggering command: `/tmp/go-build1926788072/b332/launcher.test
/tmp/go-build1926788072/b332/launcher.test
-test.testlogfile=/tmp/go-build1926788072/b332/testlog.txt
-test.paniconexit0 -test.timeout=10m0s
/tmp/go-build1926788072/b253/vet.cfg 64/src/runtime/cgo
erive-f8a9da973ea849b8.serde_dernet/http x86_64/as
erive-f8a9da973e/opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet
378038/b011/syma-unsafeptr=false erive-f8a9da973e-unreachable=false
_main.o eriv�� ache/go/1.25.8/x64/src/runtime/cgo1.25.8
CLzi/BTFciEBdHbS8DwRuCLzi x_amd64/vet
erive-f8a9da973e/opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet
erive-f8a9da973e-atomic -Wl,-Bstatic x_amd64/vet` (dns block)
> - `invalid-host-that-does-not-exist-12345.com`
> - Triggering command: `/tmp/go-build1926788072/b317/config.test
/tmp/go-build1926788072/b317/config.test
-test.testlogfile=/tmp/go-build1926788072/b317/testlog.txt
-test.paniconexit0 -test.timeout=10m0s 2c9e�� 64/src/runtime/cgo
-gnu/lib/libstd-267b04dbd87607fbgithub.com/tetratelabs/wazero/internal/platform
x_amd64/compile
-gnu/lib/libobje/opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet
378038/b009/ -gnu/lib/libaddr-unreachable=false x_amd64/compile -gnu�� ;
then \
$GOPATH/bin/golangci-lint run --timeout=5m || echo &#34;��� Warning:
golangci-lint failed
/opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet
-gnu/lib/libstd_detect-3c01aa300-nolocalimports x_amd64/vet
-gnu/lib/librust/opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet
ry 64-REDACTED-linux-unreachable=false x_amd64/vet` (dns block)
> - `nonexistent.local`
> - Triggering command: `/tmp/go-build1926788072/b332/launcher.test
/tmp/go-build1926788072/b332/launcher.test
-test.testlogfile=/tmp/go-build1926788072/b332/testlog.txt
-test.paniconexit0 -test.timeout=10m0s
/tmp/go-build1926788072/b253/vet.cfg 64/src/runtime/cgo
erive-f8a9da973ea849b8.serde_dernet/http x86_64/as
erive-f8a9da973e/opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet
378038/b011/syma-unsafeptr=false erive-f8a9da973e-unreachable=false
_main.o eriv�� ache/go/1.25.8/x64/src/runtime/cgo1.25.8
CLzi/BTFciEBdHbS8DwRuCLzi x_amd64/vet
erive-f8a9da973e/opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet
erive-f8a9da973e-atomic -Wl,-Bstatic x_amd64/vet` (dns block)
> - `slow.example.com`
> - Triggering command: `/tmp/go-build1926788072/b332/launcher.test
/tmp/go-build1926788072/b332/launcher.test
-test.testlogfile=/tmp/go-build1926788072/b332/testlog.txt
-test.paniconexit0 -test.timeout=10m0s
/tmp/go-build1926788072/b253/vet.cfg 64/src/runtime/cgo
erive-f8a9da973ea849b8.serde_dernet/http x86_64/as
erive-f8a9da973e/opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet
378038/b011/syma-unsafeptr=false erive-f8a9da973e-unreachable=false
_main.o eriv�� ache/go/1.25.8/x64/src/runtime/cgo1.25.8
CLzi/BTFciEBdHbS8DwRuCLzi x_amd64/vet
erive-f8a9da973e/opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet
erive-f8a9da973e-atomic -Wl,-Bstatic x_amd64/vet` (dns block)
> - `this-host-does-not-exist-12345.com`
> - Triggering command: `/tmp/go-build1926788072/b341/mcp.test
/tmp/go-build1926788072/b341/mcp.test
-test.testlogfile=/tmp/go-build1926788072/b341/testlog.txt
-test.paniconexit0 -test.timeout=10m0s o_.o�� 64/src/net a/dsa.go
x_amd64/vet -p internal/runtime--version -lang=go1.25 x_amd64/vet -o
ew@v1.1.1/spew/bypass.go ew@v1.1.1/spew/common.go x_amd64/vet -p
378038/b107/_cgo-qE -lang=go1.25 x_amd64/vet` (dns block)
>
> If you need me to access, download, or install something from one of
these locations, you can either:
>
> - Configure [Actions setup
steps](https://gh.io/copilot/actions-setup-steps) to set up my
environment, which run before the firewall is enabled
> - Add the appropriate URLs or hosts to the custom allowlist in this
repository's [Copilot coding agent
settings](https://github.com/github/gh-aw-mcpg/settings/copilot/coding_agent)
(admins only)
>
> </details>

<!-- START COPILOT CODING AGENT TIPS -->
---

📱 Kick off Copilot coding agent tasks wherever you are with [GitHub
Mobile](https://gh.io/cca-mobile-docs), available on iOS and Android.

Author: lpcox

guards/github-guard/rust-guard/src/labels/helpers.rs

@@ -812,8 +812,6 @@ pub fn pr_integrity(
 pub fn issue_integrity(
     item: &Value,
     repo_full_name: &str,
-    _owner: &str,
-    _repo: &str,
     repo_private: bool,
     ctx: &PolicyContext,
 ) -> Vec<String> {

guards/github-guard/rust-guard/src/labels/mod.rs

@@ -729,15 +729,13 @@ mod tests {
     fn test_issue_integrity() {
         let ctx = default_ctx();
         let repo = "github/copilot";
-        let owner = "github";
-        let repo_name = "copilot";
 
         // Private repo issues get approved integrity
         let bot_issue = json!({
             "user": {"login": "dependabot[bot]"}
         });
         assert_eq!(
-            issue_integrity(&bot_issue, repo, owner, repo_name, true, &ctx),
+            issue_integrity(&bot_issue, repo, true, &ctx),
             writer_integrity(repo, &ctx)
         );
 
@@ -746,7 +744,7 @@ mod tests {
             "user": {"login": "github"}
         });
         assert_eq!(
-            issue_integrity(&owner_issue, repo, owner, repo_name, false, &ctx),
+            issue_integrity(&owner_issue, repo, false, &ctx),
             none_integrity(repo, &ctx)
         );
 
@@ -755,28 +753,21 @@ mod tests {
             "user": {"login": "someone"}
         });
         assert_eq!(
-            issue_integrity(&issue, "", "", "", false, &ctx),
+            issue_integrity(&issue, "", false, &ctx),
             none_integrity("", &ctx)
         );
 
         // Public issue with OWNER association retains approved floor
         let owner_assoc_issue = json!({"author_association": "OWNER"});
         assert_eq!(
-            issue_integrity(&owner_assoc_issue, repo, owner, repo_name, false, &ctx),
+            issue_integrity(&owner_assoc_issue, repo, false, &ctx),
             writer_integrity(repo, &ctx)
         );
 
         // Public issue with CONTRIBUTOR association gets unapproved floor
         let contributor_assoc_issue = json!({"author_association": "CONTRIBUTOR"});
         assert_eq!(
-            issue_integrity(
-                &contributor_assoc_issue,
-                repo,
-                owner,
-                repo_name,
-                false,
-                &ctx
-            ),
+            issue_integrity(&contributor_assoc_issue, repo, false, &ctx),
             reader_integrity(repo, &ctx)
         );
     }
@@ -857,8 +848,6 @@ mod tests {
     fn test_trusted_bot_issue_integrity_public_repo() {
         let ctx = default_ctx();
         let repo = "github/copilot";
-        let owner = "github";
-        let repo_name = "copilot";
 
         // Trusted bot issue on public repo gets approved (writer) integrity
         // even though author_association is NONE
@@ -867,7 +856,7 @@ mod tests {
             "author_association": "NONE"
         });
         assert_eq!(
-            issue_integrity(&dependabot_issue, repo, owner, repo_name, false, &ctx),
+            issue_integrity(&dependabot_issue, repo, false, &ctx),
             writer_integrity(repo, &ctx)
         );
 
@@ -876,15 +865,15 @@ mod tests {
             "author_association": "NONE"
         });
         assert_eq!(
-            issue_integrity(&actions_issue, repo, owner, repo_name, false, &ctx),
+            issue_integrity(&actions_issue, repo, false, &ctx),
             writer_integrity(repo, &ctx)
         );
 
         let merge_queue_issue = json!({
             "user": {"login": "github-merge-queue[bot]"}
         });
         assert_eq!(
-            issue_integrity(&merge_queue_issue, repo, owner, repo_name, false, &ctx),
+            issue_integrity(&merge_queue_issue, repo, false, &ctx),
             writer_integrity(repo, &ctx)
         );
 
@@ -893,7 +882,7 @@ mod tests {
             "author_association": "NONE"
         });
         assert_eq!(
-            issue_integrity(&copilot_issue, repo, owner, repo_name, false, &ctx),
+            issue_integrity(&copilot_issue, repo, false, &ctx),
             writer_integrity(repo, &ctx)
         );
 
@@ -903,7 +892,7 @@ mod tests {
             "author_association": "NONE"
         });
         assert_eq!(
-            issue_integrity(&renovate_issue, repo, owner, repo_name, false, &ctx),
+            issue_integrity(&renovate_issue, repo, false, &ctx),
             none_integrity(repo, &ctx)
         );
     }

guards/github-guard/rust-guard/src/labels/response_items.rs

@@ -205,13 +205,10 @@ pub fn label_response_items(
 
                 let repo_private = repo_visibility_private_for_repo_id(&repo_full_name)
                     .unwrap_or(default_repo_private);
-                let repo_owner = repo_full_name.split('/').next().unwrap_or("");
                 let number = item.get("number").and_then(|v| v.as_i64()).unwrap_or(0);
                 let integrity = issue_integrity(
                     item,
                     &repo_full_name,
-                    repo_owner,
-                    &arg_repo,
                     repo_private,
                     ctx,
                 );

guards/github-guard/rust-guard/src/labels/response_paths.rs

@@ -221,17 +221,13 @@ pub fn label_response_paths(
                         &item_repo
                     };
 
-                    // Extract owner from repo for owner check
-                    let owner = repo_for_labels.split('/').next().unwrap_or("");
                     let item_repo_private = repo_visibility_private_for_repo_id(repo_for_labels)
                         .unwrap_or(default_repo_private);
 
                     let issue_number = item.get("number").and_then(|v| v.as_u64()).unwrap_or(0);
                     let integrity = issue_integrity(
                         item,
                         repo_for_labels,
-                        owner,
-                        &arg_repo,
                         item_repo_private,
                         ctx,
                     );

guards/github-guard/rust-guard/src/labels/tool_rules.rs

@@ -277,8 +277,10 @@ pub fn apply_tool_labels(
 
             // Additional secrecy checks for workflow files
             if tool_name == "actions_get"
-                && tool_args.get("method")
-                    == Some(&Value::String("download_workflow_run_artifact".to_string()))
+                && tool_args
+                    .get("method")
+                    .and_then(|v| v.as_str())
+                    == Some("download_workflow_run_artifact")
             {
                 // Artifacts may contain secrets
                 secrecy = secret_label();