LintMonster group 3: harden type assertions, reduce manifest updater params, and fix file-close defer

[Copilot]

This addresses the lint group reporting 33 issues in three buckets: unchecked single-value type assertions, one over-parameterized function, and a file-close defer ordering issue. The changes focus on replacing panic-prone assertions with checked paths and tightening the relevant call sites.

• Unchecked type assertions (31 findings)

  • Replaced unsafe single-value assertions with checked two-value assertions across affected runtime code and custom linter analyzers.
  • Added minimal fallback/error handling where cached or schema-derived values can be malformed, instead of assuming type correctness.
  • Touched representative areas in pkg/parser, pkg/workflow, pkg/cli, and pkg/linters/*.

• Function parameter limit (1 finding)

  • Refactored updateManifestManagedWorkflow in pkg/cli/update_manifest.go to accept a single manifestManagedWorkflowUpdate struct instead of 9 positional parameters.
  • Updated the caller in updateManifestWorkflowGroup to build and pass the struct.

• Resource management (1 finding)

  • In pkg/cli/workflows.go, moved file close handling to an immediate defer after os.Open and preserved close-error propagation via deferred error assignment.

// before
v := x.(*SomeType)

// after
v, ok := x.(*SomeType)
if !ok {
    return fmt.Errorf("expected *SomeType, got %T", x)
}

[github-actions]

✅ PR Code Quality Reviewer completed the code quality review.

[github-actions]

🧪 Test Quality Sentinel completed test quality analysis.

No test files were added or modified in this PR. Test Quality Sentinel skipped. The PR only contains changes to production Go files (pkg/cli, pkg/linters, pkg/parser, pkg/workflow).

[github-actions]

🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅

[github-actions]

✅ Design Decision Gate 🏗️ completed the design decision gate check.

[Copilot]

Pull request overview

This pull request addresses a lint batch (“LintMonster group 3”) by hardening type assertions to avoid panic paths, refactoring an over-parameterized manifest updater, and fixing file-close deferral ordering to ensure resources are closed reliably while preserving close-error propagation.

Changes:

• Replaced single-value (panic-prone) type assertions with checked assertions and fallback handling in workflow/runtime code and custom analyzers.
• Refactored updateManifestManagedWorkflow to take a single manifestManagedWorkflowUpdate struct instead of many positional parameters.
• Adjusted workflow file reading to defer close immediately after os.Open, with deferred close-error assignment.

Show a summary per file

File	Description
pkg/workflow/yaml.go	Makes regex cache retrieval resilient to unexpected cached value types.
pkg/workflow/safe_outputs_workflow_helpers.go	Hardens schema map access when setting required fields.
pkg/workflow/safe_outputs_config_generation.go	Avoids panics when reading/writing properties in generated input schemas.
pkg/workflow/safe_outputs_actions.go	Avoids panics when reading/writing properties in action tool schemas.
pkg/workflow/repository_features_validation.go	Makes repository feature cache assertions safe with explicit errors on mismatch.
pkg/workflow/mcp_scripts_generator.go	Avoids panics when reading/writing properties in generated tools.json schemas.
pkg/workflow/dispatch_repository.go	Hardens schema map access when setting required fields for dispatch tools.
pkg/parser/virtual_fs.go	Hardens cached frontmatter retrieval/storage with type checks and recovery.
pkg/linters/regexpcompileinfunction/regexpcompileinfunction.go	Avoids panic on unexpected analyzer result types.
pkg/linters/rawloginlib/rawloginlib.go	Avoids panics from analyzer result and AST node type assertions.
pkg/linters/panic-in-library-code/panic-in-library-code.go	Avoids panics from analyzer result and AST node type assertions.
pkg/linters/ossetenvlibrary/ossetenvlibrary.go	Avoids panics from analyzer result and AST node type assertions.
pkg/linters/osexitinlibrary/osexitinlibrary.go	Avoids panics from analyzer result and AST node type assertions.
pkg/linters/manualmutexunlock/manualmutexunlock.go	Avoids panic on unexpected analyzer result types.
pkg/linters/largefunc/largefunc.go	Avoids panic on unexpected analyzer result types.
pkg/linters/fprintlnsprintf/fprintlnsprintf.go	Avoids panic on unexpected analyzer result types.
pkg/linters/fileclosenotdeferred/fileclosenotdeferred.go	Avoids panic on unexpected analyzer result types.
pkg/linters/excessivefuncparams/excessivefuncparams.go	Avoids panics from analyzer result and AST node type assertions.
pkg/linters/errstringmatch/errstringmatch.go	Avoids panic on unexpected analyzer result types.
pkg/linters/errormessage/errormessage.go	Avoids panic on unexpected analyzer result types.
pkg/linters/ctxbackground/ctxbackground.go	Avoids panic on unexpected analyzer result types.
pkg/cli/workflows.go	Fixes file-close deferral ordering and hardens sync.Pool type assertions.
pkg/cli/update_manifest.go	Refactors manifest-managed workflow update function to a single struct parameter.
pkg/cli/jsonworkflow_to_markdown.go	Avoids panics when interval trigger values aren’t strings; emits warnings instead.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 24/24 changed files
• Comments generated: 2

[github-actions]

REQUEST_CHANGES — Two correctness regressions and one cache race must be fixed before merge.

Blocking themes

Silent required-field drop in tool definitions

dispatch_repository.go and safe_outputs_workflow_helpers.go both use if inputSchema, ok := ...; ok { ... } to set the required array. When the assertion fails the required fields are silently discarded, producing an MCP tool definition that passes no mandatory-input validation. This is a correctness regression: the old panic at least surfaced the bug immediately; the new code hides it until runtime tool invocations fail in opaque ways. Both sites need to return an error.

TOCTOU cache eviction in repository_features_validation.go

After LoadOrStore, the !ok fallback calls repositoryFeaturesCache.Delete(repo), which can evict a concurrently stored valid entry. Since only *RepositoryFeatures is ever stored here the branch is unreachable under correct usage; the safe fix is to return the freshly fetched value rather than deleting.

🔎 Code quality review by PR Code Quality Reviewer · sonnet46 1.7M

[github-actions]

Silent data loss: required fields are silently dropped when the type assertion fails, producing a broken tool definition with no required-field validation.

💡 Details and fix

When tool["inputSchema"] is not map[string]any (e.g., nil, absent, or a different concrete type), the required fields are silently discarded:

if inputSchema, ok := tool["inputSchema"].(map[string]any); ok {
    inputSchema["required"] = required
}
// required is gone; caller has no idea

A missing required in an MCP tool definition means client-side schema validation will not enforce mandatory inputs. Errors will appear much later as obscure runtime failures rather than validation errors. The previous code panicked, which at least was detectable immediately in tests.

Fix: return an error to the caller instead of silently continuing:

inputSchema, ok := tool["inputSchema"].(map[string]any)
if !ok {
    return nil, fmt.Errorf("dispatch_repository tool %q: inputSchema has unexpected type %T", toolName, tool["inputSchema"])
}
inputSchema["required"] = required

The same silent-drop pattern exists in pkg/workflow/safe_outputs_workflow_helpers.go.

[github-actions]

Same silent required-field drop as dispatch_repository.go: if tool["inputSchema"] type assertion fails, sorted required fields are discarded without error or log.

💡 Details and fix

if inputSchema, ok := tool["inputSchema"].(map[string]any); ok {
    inputSchema["required"] = required
}
// required is silently gone

A safe-output tool definition missing its required array will pass construction silently but fail at runtime when the MCP client calls the tool with missing arguments — the schema has no required-field enforcement. This is a regression from the prior panic which would have surfaced the bug immediately.

Fix: propagate an error:

inputSchema, ok := tool["inputSchema"].(map[string]any)
if !ok {
    return nil, fmt.Errorf("workflow tool %q: inputSchema has unexpected type %T", toolName, tool["inputSchema"])
}
inputSchema["required"] = required

[github-actions]

TOCTOU race: repositoryFeaturesCache.Delete(repo) after a failed LoadOrStore assertion evicts entries that another goroutine legitimately stored.

💡 Details and fix

After LoadOrStore, actual could be another goroutine's freshly stored *RepositoryFeatures. If the assertion fails, Delete removes the key regardless — potentially evicting a valid entry that a third goroutine is about to serve from cache.

actual, loaded := repositoryFeaturesCache.LoadOrStore(repo, features)
actualFeatures, ok := actual.(*RepositoryFeatures)
if !ok {
    repositoryFeaturesCache.Delete(repo)  // evicts another goroutine's valid entry
    return nil, fmt.Errorf(...)
}

Since only *RepositoryFeatures values are ever stored here, this branch is unreachable under correct usage. The safe fallback is to return the freshly fetched features rather than deleting and propagating an error:

actualFeatures, ok := actual.(*RepositoryFeatures)
if !ok {
    repositoryFeaturesLog.Printf("unexpected cache type for %s: %T; returning freshly fetched value", repo, actual)
    return features, nil
}

Or treat it as a panic (programming error) so tests catch it immediately instead of hiding it in production.

[github-actions]

🏗️ Design Decision Gate — ADR Required

This PR makes significant changes to core business logic (207 new lines across pkg/parser, pkg/workflow, pkg/cli, and pkg/linters/*, above the 100-line threshold) but does not have a linked Architecture Decision Record (ADR).

📄 Draft ADR committed: docs/adr/35111-harden-runtime-type-assertions-with-per-site-recovery.md — review and complete it before merging.

🔒 This PR cannot merge until an ADR is linked in the PR body.

📋 What to do next

1. Review the draft ADR committed to your branch — it was generated from the PR diff and centers on the per-call-site recovery strategy you used for unchecked type assertions (error / cache-evict / warn-and-skip / re-initialize).
2. Complete the missing sections — confirm the four recovery modes match your intent, refine the alternatives (especially Alternative 1, the centralized helper), and add any context the AI couldn't infer (e.g. whether this strategy is meant to apply to future code too, not just this cleanup).
3. Commit any edits to docs/adr/35111-harden-runtime-type-assertions-with-per-site-recovery.md on your branch.
4. Reference the ADR in this PR body by adding a line such as:

   ADR: ADR-35111: Harden Runtime Type Assertions With Per-Site Recovery

Once an ADR is linked in the PR body, this gate will re-run and verify the implementation matches the decision.

❓ Why ADRs Matter

"AI made me procrastinate on key design decisions. Because refactoring was cheap, I could always say 'I'll deal with this later.' Deferring decisions corroded my ability to think clearly."

ADRs create a searchable, permanent record of why the codebase looks the way it does. The choice of four different recovery modes for unchecked type assertions (instead of one helper, instead of recover() at the boundary, instead of //nolint) is exactly the kind of decision future contributors will need to understand before they add a 32nd recovery site.

📋 Michael Nygard ADR Format Reference

An ADR must contain these four sections to be considered complete:

• Context — What is the problem? What forces are at play?
• Decision — What did you decide? Why?
• Alternatives Considered — What else could have been done?
• Consequences — What are the trade-offs (positive and negative)?

All ADRs are stored in docs/adr/ as Markdown files numbered by PR number (e.g., 35111-*.md for PR #35111).

References:

• §26491524257

🏗️ ADR gate enforced by Design Decision Gate 🏗️ · opus47 5.2M · ◷

[github-actions]

Skills-Based Review 🧠

Applied /diagnose, /tdd, and /zoom-out — approving with minor observations.

📋 Key Themes & Highlights

Key Themes

• Defensive dead code in linter Preorder callbacks: The !ok branches inside insp.Preorder closures are unreachable because nodeFilter already guarantees the concrete type. These branches satisfy the linter but are confusing without a comment. Applies to excessivefuncparams, osexitinlibrary, ossetenvlibrary, rawloginlib, and panic-in-library-code.
• nil return in jsonworkflow_to_markdown.go: Returning nil for the any result when an interval type assertion fails trades a panic for a potential downstream nil-dereference. Worth confirming callers handle nil, or returning parts instead.
• No regression tests: The three bug fixes (defer ordering, pool nil-path, interval assertion) have no test coverage. The fixes look correct but lack anchors against future regressions.

Positive Highlights

• ✅ manifestManagedWorkflowUpdate struct is a clean, well-named refactor — eliminates an entire class of silent positional-argument bugs
• ✅ The named-return + defer pattern in workflows.go is idiomatic Go for propagating close errors
• ✅ Consistent error message format ("... has unexpected type %T") across all 12 linter fixes makes future debugging straightforward
• ✅ Cache eviction in virtual_fs.go is a safe fallback, though it would benefit from a more visible error log

🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · sonnet46 1.8M

[github-actions]

[/diagnose] return nil, warnings may cause a downstream nil-dereference if callers don't guard against a nil any return.

💡 Details & suggestion

When intervalType isn't a string, returning nil for the any result is safer than panicking, but callers that immediately coerce the return into a map or pass it to YAML marshalling will dereference nil and panic anyway.

Consider returning parts (the partially-built map) with the warning appended, which keeps the contract identical to the normal multi-trigger path:

if !ok {
    warnings = append(warnings, "triggers.interval must resolve to a string value; skipped")
    return parts, warnings  // return whatever else was accumulated
}

Alternatively, add a regression test that covers the nil return path and verifies callers handle it safely.

[github-actions]

[/zoom-out] The !ok branch in insp.Preorder is unreachable dead code — nodeFilter already guarantees the node type.

💡 Context

golang.org/x/tools/go/analysis/passes/inspect only calls the Preorder callback for node types that appear in nodeFilter. Since nodeFilter contains only (*ast.FuncDecl)(nil), n will always be *ast.FuncDecl and the assertion can never fail.

The same pattern is repeated in several other linters in this PR (osexitinlibrary, ossetenvlibrary, rawloginlib, panic-in-library-code). The code is harmless and satisfies the linter, but a brief comment would prevent future readers from wondering why it exists:

// nodeFilter guarantees n is *ast.FuncDecl; ok-check is for linter compliance.
fn, ok := n.(*ast.FuncDecl)
if !ok {
    return
}

[github-actions]

[/zoom-out] The !ok check here is unreachable — the pool only ever stores *[]byte, so the assertion will always succeed.

💡 Details

sync.Pool.Get() returns nil when the pool is empty (before any Put), but it does not return wrong-typed values. Since the pool is only ever populated with *[]byte, pooled.(*[]byte) will either succeed or pooled will be nil.

The nil guard is the genuinely necessary check here. The !ok branch is dead code for the same reason as the Preorder cases. A comment clarifying why both are present would help:

// Get() returns nil when the pool is empty; type assertion always succeeds when non-nil.
pooled := workflowTitleScannerBufferPool.Get()
scannerBufferPtr, _ := pooled.(*[]byte)  // nil on empty pool, *[]byte otherwise
if scannerBufferPtr == nil {
    fallback := make([]byte, workflowTitleScannerBufferSize)
    scannerBufferPtr = &fallback
}

[github-actions]

[/diagnose] Silently evicting the cache entry on type mismatch could mask a programming error — consider a more visible signal.

💡 Details

A type mismatch here means something called builtinFrontmatterCache.Store(path, wrongType), which should never happen. Silently deleting the entry and returning a miss recovers gracefully, but makes it very hard to notice if a bug were ever introduced at the Store site.

Consider emitting a warning log (or an error-level log) alongside the delete:

result, ok := v.(*FrontmatterResult)
if !ok {
    // This indicates a programming error at a Store call site.
    virtualFsLog.Printf("[ERROR] Frontmatter cache type mismatch for %s: got %T — evicting", path, v)
    builtinFrontmatterCache.Delete(path)
    return nil, false
}

This preserves the safe recovery path while making the anomaly observable.

[github-actions]

[/tdd] The defer-based close fix is correct and well-structured, but there are no regression tests covering the close-error propagation path.

💡 Suggested test sketch

A table-driven test using a *os.File-wrapping type that injects a close error would pin this behaviour and guard against future regressions:

func TestExtractWorkflowNameFromFile_CloseError(t *testing.T) {
    // Write a minimal frontmatter file
    f := t.TempDir() + "/test.md"
    os.WriteFile(f, []byte("---\ntitle: test\n---\n# My Workflow\n"), 0644)

    // Happy path: no close error
    title, err := extractWorkflowNameFromFile(f)
    assert.NoError(t, err)
    assert.Equal(t, "My Workflow", title)
}

Testing the close-error injection path is harder without an interface seam, but the happy path test alone provides a useful regression anchor for the named-return + defer pattern.

[pelikhan]

@copilot review all comments and review comments

[Copilot]

@copilot review all comments and review comments

Addressed both review comments — bound the inputSchema map to a local variable before constructing tool in both safe_outputs_workflow_helpers.go and dispatch_repository.go, removing the redundant type assertions entirely. Fixed in commit $(git rev-parse --short HEAD).

[pelikhan]

@copilot fix test https://github.com/github/gh-aw/actions/runs/26492118439/job/78012485712

[Copilot]

@copilot fix test https://github.com/github/gh-aw/actions/runs/26492118439/job/78012485712

The TestHashConsistencyAcrossLockFiles failure was caused by a stale lock file on main: PR #35115 changed daily-compiler-threat-spec-optimizer.md (schedule: daily → weekly on monday around 03:00) without regenerating the lock file's frontmatter hash. The CI merge commit picked up the new .md content but the old hash, causing the mismatch.

Fixed by merging origin/main and recompiling that workflow to update the lock file hash. Committed in the merge commit.