Refactor workflow helper hotspots from semantic clustering audit (#34144)

Author: Copilot

docs/adr/34144-cluster-config-preprocessing-and-co-locate-workflow-helpers.md

@@ -0,0 +1,96 @@
+# ADR-34144: Cluster Config Preprocessing Helpers and Co-locate Workflow Helper Hotspots
+
+**Date**: 2026-05-23
+**Status**: Draft
+**Deciders**: pelikhan, Copilot
+
+---
+
+## Part 1 — Narrative (Human-Friendly)
+
+### Context
+
+A semantic clustering audit of `pkg/workflow` surfaced several organizational hotspots: three near-identical `addSafeOutput*GitHubTokenForConfig` methods on `Compiler` duplicated branching logic for GitHub App token resolution; generic raw-config normalizers (`preprocessBoolFieldAsString`, `preprocessIntFieldAsString`, `preprocessStringArrayFieldAsTemplatable`, `preprocessProtectedFilesField`, `preprocessExpiresField`) were scattered across `templatables.go`, `parse_helpers.go`, and `config_helpers.go`; the structural `runs-on` shape validator `validateRunsOnValue` lived in `frontmatter_parsing.go` rather than next to `validateRunsOn` in `runs_on_validation.go`; and `git_helpers_wasm.go` retained `RunGit` and `GetCurrentGitTag` stubs whose non-WASM counterparts no longer exist. Two call sites also shadowed the validator name `validateRunsOnValue` with a local variable, creating a small but real readability hazard. ADR-29336 established that `preprocessProtectedFilesField` belongs in `parse_helpers.go`, so any move away from that file is an explicit revision of that prior decision rather than an accidental drift.
+
+### Decision
+
+We will (1) extract a shared `addResolvedSafeOutputGitHubTokenForConfig` resolver and re-express the three per-target token methods as thin wrappers around it, preserving the behavioral split that only standard and Copilot handlers may use GitHub App tokens while assign-to-agent bypasses them; (2) introduce `pkg/workflow/config_preprocessing.go` as the single home for generic raw-config normalization helpers, superseding the relevant clause of ADR-29336 for `preprocessProtectedFilesField`; (3) move `validateRunsOnValue` into `runs_on_validation.go` so structural and semantic `runs-on` validation live together and rename the two shadowing local variables to `formattedRunsOn`; (4) delete the unused `RunGit` and `GetCurrentGitTag` WASM stubs and the matching stale doc references. The driving principle is the file-naming convention established in ADR-27325 and reinforced in ADR-28282/29336: a file's name should accurately communicate the semantic domain of every function inside it, and duplicate logic should be collapsed when the behavioral variation can be expressed as a parameter.
+
+### Alternatives Considered
+
+#### Alternative 1: Keep all preprocessors in `parse_helpers.go` (status quo per ADR-29336)
+
+Leave generic preprocessors where ADR-29336 placed them and only consolidate the safe-output token resolvers. This was rejected because `parse_helpers.go` had already accumulated a mix of pure coercion helpers (`coerceStringOrArrayField`, `parseStringSliceAny`) and stateful preprocessors that mutate `configData` in place — two distinguishable responsibilities. Splitting them gives each file a single clear charter: `parse_helpers.go` for coercion, `config_preprocessing.go` for normalization-with-side-effects. The cost of revising ADR-29336 is low because the prior decision was itself a relocation pass and inherits a "follow naming intent" rationale that this PR extends.
+
+#### Alternative 2: Pass a flag instead of a resolver function
+
+Replace the three safe-output token methods with a single method that accepts a token-target enum (`safeOutput`, `copilot`, `agent`) and switches internally. This was rejected because it pushes the per-target token resolver dispatch into the consolidated function, recreating the branching that the refactor is trying to eliminate. Passing the resolver function directly keeps `addResolvedSafeOutputGitHubTokenForConfig` agnostic of which token target it serves and lets each wrapper own its own resolver choice.
+
+#### Alternative 3: Leave the WASM stubs in place as future-proofing
+
+Keep `RunGit` and `GetCurrentGitTag` as WASM-only stubs in case future code paths need them. This was rejected because their non-WASM counterparts have already been removed, so the stubs are guaranteed-unreachable code that misleads readers about which Git surface area is supported. Reintroducing them later if needed is a one-line change.
+
+### Consequences
+
+#### Positive
+- The three safe-output token methods now share one resolver path, eliminating ~60 lines of duplicated branching and centralizing the GitHub App token precedence rule.
+- All generic raw-config preprocessors are co-located in `config_preprocessing.go`, making it obvious where to add a new templatable-or-literal preprocessor.
+- `validateRunsOnValue` is next to `validateRunsOn` in `runs_on_validation.go`, and a focused unit test (`TestValidateRunsOnValue`) now covers its shape-validation branches directly.
+- Removing the dead WASM stubs makes the WASM build surface match the non-WASM one — readers see only the Git operations actually available.
+- Renaming local `validateRunsOnValue` variables to `formattedRunsOn` removes the function-vs-variable shadowing hazard that made the two call sites harder to grep.
+
+#### Negative
+- Revises ADR-29336's normative requirement that `preprocessProtectedFilesField` reside in `parse_helpers.go`. Future contributors must consult this ADR alongside 29336 to know the current placement rule.
+- Adds one new file (`config_preprocessing.go`) to `pkg/workflow/`, marginally increasing file count in a directory that is already large.
+- The shared `addResolvedSafeOutputGitHubTokenForConfig` introduces an `allowGitHubApp bool` parameter; readers must trace into the function to see which wrappers pass which value, where previously the behavior was visible at each call site.
+
+#### Neutral
+- No public API surface changes; all moved functions retain their signatures and package-level visibility.
+- `git blame` for the moved functions will surface this PR rather than original authorship without `--follow`.
+- Header comments in `templatables.go`, `parse_helpers.go`, and `validation_helpers.go` are updated to point readers at `config_preprocessing.go`; this is documentation-only churn.
+
+---
+
+## Part 2 — Normative Specification (RFC 2119)
+
+> The key words **MUST**, **MUST NOT**, **REQUIRED**, **SHALL**, **SHALL NOT**, **SHOULD**, **SHOULD NOT**, **RECOMMENDED**, **MAY**, and **OPTIONAL** in this section are to be interpreted as described in [RFC 2119](https://www.rfc-editor.org/rfc/rfc2119).
+
+### Config Preprocessing Helpers (`pkg/workflow`)
+
+1. The following functions **MUST** reside in `pkg/workflow/config_preprocessing.go`:
+   - `preprocessBoolFieldAsString`
+   - `preprocessIntFieldAsString`
+   - `preprocessStringArrayFieldAsTemplatable`
+   - `preprocessProtectedFilesField`
+   - `preprocessExpiresField`
+2. New generic raw-config normalization helpers that mutate a `map[string]any` in place before YAML unmarshaling **MUST** be added to `config_preprocessing.go` and **MUST NOT** be placed in `parse_helpers.go`, `templatables.go`, `config_helpers.go`, or `validation_helpers.go`.
+3. `parse_helpers.go` **MUST NOT** contain stateful preprocessors that mutate `configData`; its scope **MUST** be limited to pure coercion helpers that return new values without side effects.
+4. `templatables.go` **MUST NOT** contain raw-config preprocessors; its scope **MUST** be limited to templatable field types and their YAML-emission helpers.
+5. Schedule-specific preprocessing **MAY** remain in its existing file when it depends on schedule-specific types or context that would not naturally fit a generic preprocessor file.
+6. This section supersedes the clause in [ADR-29336](29336-relocate-misplaced-functions-to-semantic-homes.md) that placed `preprocessProtectedFilesField` in `parse_helpers.go`.
+
+### Safe-Output GitHub Token Resolution (`pkg/workflow`)
+
+1. The three per-target safe-output token methods (`addSafeOutputGitHubTokenForConfig`, `addSafeOutputCopilotGitHubTokenForConfig`, `addSafeOutputAgentGitHubTokenForConfig`) **MUST** delegate to a single shared resolver function rather than each duplicate the GitHub App token precedence logic.
+2. The shared resolver **MUST** accept an `allowGitHubApp` boolean (or equivalent) parameter that gates whether `data.SafeOutputs.GitHubApp` is considered.
+3. The assign-to-agent token method **MUST** pass `allowGitHubApp = false` so that GitHub App installation tokens are never used for the Copilot assignment API.
+4. New safe-output token resolution paths **SHOULD** be expressed as additional thin wrappers around the shared resolver rather than as new copies of the precedence logic.
+
+### `runs-on` Validation Co-location (`pkg/workflow`)
+
+1. `validateRunsOnValue` **MUST** reside in `pkg/workflow/runs_on_validation.go` alongside `validateRunsOn` and `extractRunnerLabels`.
+2. New `runs-on` shape or semantic validators **MUST** be added to `runs_on_validation.go` and **MUST NOT** be placed in `frontmatter_parsing.go`.
+3. Local variables holding a formatted `runs-on` string **MUST NOT** be named `validateRunsOnValue` (or any other name that shadows an exported validator); `formattedRunsOn` **SHOULD** be used instead.
+
+### WASM Git Surface (`pkg/workflow`)
+
+1. `git_helpers_wasm.go` **MUST NOT** export Git helper functions whose non-WASM counterparts do not exist.
+2. Doc comments in `git_helpers.go` **MUST NOT** reference Git helpers that have been removed.
+
+### Conformance
+
+An implementation is considered conformant with this ADR if it satisfies all **MUST** and **MUST NOT** requirements above. Failure to meet any **MUST** or **MUST NOT** requirement — in particular, adding a new generic preprocessor outside `config_preprocessing.go`, reintroducing duplicated safe-output token resolver branching, placing a `runs-on` validator outside `runs_on_validation.go`, or shipping a WASM Git stub without a matching non-WASM definition — constitutes non-conformance.
+
+---
+
+*This is a DRAFT ADR generated by the [Design Decision Gate](https://github.com/github/gh-aw/actions/runs/26319884249) workflow. The PR author must review, complete, and finalize this document before the PR can merge.*

pkg/workflow/config_helpers.go

@@ -139,40 +139,6 @@ func parseTargetRepoWithValidation(configMap map[string]any) (string, bool) {
 // to consolidate all time parsing logic in a single location. These functions are used
 // for parsing expiration configurations in safe output jobs.
 
-// preprocessExpiresField handles the common expires field preprocessing pattern.
-// This function:
-//  1. Parses the expires value through parseExpiresFromConfig (handles integers, strings, and boolean false)
-//  2. Handles explicit disablement when expires=false (returns -1)
-//  3. Normalizes the value to hours and updates configData["expires"] in place
-//  4. Logs the parsed value with the provided logger
-//
-// Returns true if expires was explicitly disabled with false, false otherwise.
-// This helper consolidates duplicate preprocessing logic used in parseCreateIssuesConfig and parseCreateDiscussionsConfig.
-func preprocessExpiresField(configData map[string]any, debugLog *logger.Logger) bool {
-	expiresDisabled := false
-	if configData != nil {
-		if expires, exists := configData["expires"]; exists {
-			// Always parse the expires value through parseExpiresFromConfig
-			// This handles: integers (days), strings (time specs like "48h"), and boolean false
-			expiresInt := parseExpiresFromConfig(configData)
-			if expiresInt == -1 {
-				// Explicitly disabled with false
-				expiresDisabled = true
-				configData["expires"] = 0
-			} else if expiresInt > 0 {
-				configData["expires"] = expiresInt
-			} else {
-				// Invalid or missing - set to 0
-				configData["expires"] = 0
-			}
-			if debugLog != nil {
-				debugLog.Printf("Parsed expires value %v to %d hours (disabled=%t)", expires, expiresInt, expiresDisabled)
-			}
-		}
-	}
-	return expiresDisabled
-}
-
 // ParseBoolFromConfig is a generic helper that extracts and validates a boolean value from a map.
 // Returns the boolean value, or false if not present or invalid.
 // If log is provided, it will log the extracted value for debugging.

pkg/workflow/config_preprocessing.go

@@ -0,0 +1,193 @@
+package workflow
+
+import (
+	"fmt"
+	"strconv"
+	"strings"
+
+	"github.com/github/gh-aw/pkg/logger"
+)
+
+// preprocessBoolFieldAsString converts the value of a boolean config field
+// to a string before YAML unmarshaling. This lets struct fields typed as
+// *string accept both literal boolean values (true/false) and GitHub Actions
+// expression strings (e.g. "${{ inputs.draft-prs }}").
+//
+// If the value is a bool it is converted to "true" or "false".
+// If the value is a string it must be a GitHub Actions expression (starts
+// with "${{" and ends with "}}"); any other free-form string is rejected
+// and an error is returned.
+func preprocessBoolFieldAsString(configData map[string]any, fieldName string, debugLog *logger.Logger) error {
+	if configData == nil {
+		return nil
+	}
+	if val, exists := configData[fieldName]; exists {
+		switch v := val.(type) {
+		case bool:
+			if v {
+				configData[fieldName] = "true"
+			} else {
+				configData[fieldName] = "false"
+			}
+			if debugLog != nil {
+				debugLog.Printf("Converted %s bool to string before unmarshaling", fieldName)
+			}
+		case string:
+			if !isExpression(v) {
+				return fmt.Errorf("field %q must be a boolean or a GitHub Actions expression (e.g. '${{ inputs.flag }}'), got string %q", fieldName, v)
+			}
+		}
+	}
+	return nil
+}
+
+// preprocessIntFieldAsString converts the value of an integer config field
+// to a string before YAML unmarshaling. This lets struct fields typed as
+// *string accept both literal integer values and GitHub Actions expression
+// strings (e.g. "${{ inputs.max-issues }}").
+//
+// If the value is an int, int64, float64, or uint64 it is converted to its
+// decimal string representation.
+// If the value is a string it must be a GitHub Actions expression (starts
+// with "${{" and ends with "}}"); any other free-form string is rejected
+// and an error is returned.
+func preprocessIntFieldAsString(configData map[string]any, fieldName string, debugLog *logger.Logger) error {
+	if configData == nil {
+		return nil
+	}
+	if val, exists := configData[fieldName]; exists {
+		switch v := val.(type) {
+		case int:
+			configData[fieldName] = strconv.Itoa(v)
+			if debugLog != nil {
+				debugLog.Printf("Converted %s int to string before unmarshaling", fieldName)
+			}
+		case int64:
+			configData[fieldName] = strconv.FormatInt(v, 10)
+			if debugLog != nil {
+				debugLog.Printf("Converted %s int64 to string before unmarshaling", fieldName)
+			}
+		case float64:
+			configData[fieldName] = strconv.Itoa(int(v))
+			if debugLog != nil {
+				debugLog.Printf("Converted %s float64 to string before unmarshaling", fieldName)
+			}
+		case uint64:
+			configData[fieldName] = strconv.FormatUint(v, 10)
+			if debugLog != nil {
+				debugLog.Printf("Converted %s uint64 to string before unmarshaling", fieldName)
+			}
+		case string:
+			if !isExpression(v) {
+				return fmt.Errorf("field %q must be an integer or a GitHub Actions expression (e.g. '${{ inputs.max }}'), got string %q", fieldName, v)
+			}
+		}
+	}
+	return nil
+}
+
+// preprocessStringArrayFieldAsTemplatable handles a string-array config field that also
+// accepts a GitHub Actions expression string (e.g. "${{ inputs.labels }}").
+//
+// When the field value is an expression string it is wrapped in a single-element []string
+// so that existing YAML struct-unmarshal code (which expects []string) continues to work
+// unchanged. The handler config builder then detects this single-element expression slice
+// and stores it as a JSON string rather than a JSON array, allowing GitHub Actions to
+// evaluate the expression at runtime before the config.json file is written.
+//
+// Free-form strings that are not GitHub Actions expressions are rejected with an error.
+// Array values ([]string, []any) are left untouched for the normal YAML unmarshal path.
+func preprocessStringArrayFieldAsTemplatable(configData map[string]any, fieldName string, debugLog *logger.Logger) error {
+	if configData == nil {
+		return nil
+	}
+	if val, exists := configData[fieldName]; exists {
+		if s, ok := val.(string); ok {
+			if !isExpression(s) {
+				var exampleExpr string
+				if strings.Contains(fieldName, "-") {
+					exampleExpr = fmt.Sprintf("${{ inputs['%s'] }}", fieldName)
+				} else {
+					exampleExpr = fmt.Sprintf("${{ inputs.%s }}", fieldName)
+				}
+				return fmt.Errorf("field %q must be an array of strings or a GitHub Actions expression (e.g. '%s'), got string %q", fieldName, exampleExpr, s)
+			}
+			configData[fieldName] = []string{s}
+			if debugLog != nil {
+				debugLog.Printf("Wrapped %s expression string in single-element array before unmarshaling", fieldName)
+			}
+		}
+	}
+	return nil
+}
+
+// preprocessProtectedFilesField preprocesses the "protected-files" field in configData,
+// handling both the legacy string-enum form and the new object form.
+//
+// String form (unchanged): "blocked", "allowed", or "fallback-to-issue".
+// Object form: { policy: "blocked", exclude: ["AGENTS.md"] }
+//   - policy is optional; when missing or empty, this preprocessing step treats it as absent
+//     and leaves downstream default handling to apply (the "protected-files" key is deleted)
+//   - exclude is a list of filenames/path-prefixes to remove from the default protected set
+//
+// When the object form is encountered the field is normalised in-place:
+//   - "protected-files" is replaced with the extracted policy string, or deleted when policy is absent/empty
+//   - The extracted exclude slice is returned so callers can store it in the config struct
+//
+// When the string form is encountered the field is left unchanged and nil is returned.
+// The debugLog parameter is optional; pass nil to suppress debug output.
+func preprocessProtectedFilesField(configData map[string]any, debugLog *logger.Logger) []string {
+	if configData == nil {
+		return nil
+	}
+	raw, exists := configData["protected-files"]
+	if !exists || raw == nil {
+		return nil
+	}
+	pfMap, ok := raw.(map[string]any)
+	if !ok {
+		return nil
+	}
+	if policy, ok := pfMap["policy"].(string); ok && policy != "" {
+		configData["protected-files"] = policy
+		if debugLog != nil {
+			debugLog.Printf("protected-files object form: policy=%s", policy)
+		}
+	} else {
+		delete(configData, "protected-files")
+		if debugLog != nil {
+			debugLog.Print("protected-files object form: no policy, using default")
+		}
+	}
+	return parseStringSliceAny(pfMap["exclude"], debugLog)
+}
+
+// preprocessExpiresField handles the common expires field preprocessing pattern.
+// This function:
+//  1. Parses the expires value through parseExpiresFromConfig (handles integers, strings, and boolean false)
+//  2. Handles explicit disablement when expires=false (returns -1)
+//  3. Normalizes the value to hours and updates configData["expires"] in place
+//  4. Logs the parsed value with the provided logger
+//
+// Returns true if expires was explicitly disabled with false, false otherwise.
+// This helper consolidates duplicate preprocessing logic used in parseCreateIssuesConfig and parseCreateDiscussionsConfig.
+func preprocessExpiresField(configData map[string]any, debugLog *logger.Logger) bool {
+	expiresDisabled := false
+	if configData != nil {
+		if expires, exists := configData["expires"]; exists {
+			expiresInt := parseExpiresFromConfig(configData)
+			if expiresInt == -1 {
+				expiresDisabled = true
+				configData["expires"] = 0
+			} else if expiresInt > 0 {
+				configData["expires"] = expiresInt
+			} else {
+				configData["expires"] = 0
+			}
+			if debugLog != nil {
+				debugLog.Printf("Parsed expires value %v to %d hours (disabled=%t)", expires, expiresInt, expiresDisabled)
+			}
+		}
+	}
+	return expiresDisabled
+}