Fix empty guard alert blocks in Workflow Health Dashboard issue output

[Copilot]

The Workflow Health Dashboard report was rendering blank GitHub alert blocks ([!WARNING] / [!NOTE]) in generated issue bodies, reducing readability of critical guard signals. This PR adjusts guard-section markdown generation so alert content renders consistently in GitHub issues.

• Footer guard rendering (runtime output)

  • Updated the firewall guard section to avoid nesting <details> inside a GitHub warning alert, using an inline alert-safe header so warning content is visible.
  • Restored the integrity NOTE section to use a collapsible <details>/<summary> block (per review feedback), while keeping the section content properly rendered.

• Message quality

  • Kept the integrity-filter summary text explicit and simplified singular/plural grammar selection (verb/pronoun) for maintainability.

• Focused expectations update

  • Updated guard-section tests to match final behavior:
    • WARNING section uses alert + inline header.
    • NOTE section keeps <details>/<summary>.

let section = "\n\n> [!WARNING]\n";
section += `> **⚠️ Firewall blocked ${domainCount} ${domainWord}**\n`;
section += `>\n`;
section += `> The following ${domainWord} ${domainCount === 1 ? "was" : "were"} blocked by the firewall during workflow execution:\n`;

[pelikhan]

@copilot keep details for NOTE

[Copilot]

Updated to keep the NOTE section collapsible with <details>/<summary> in gateway_difc_filtered.cjs, and adjusted tests accordingly in commit 05a15ac.

Screenshot: /tmp/gh-aw-note-details-preview.png (preview of the restored NOTE details block).

[Copilot]

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• accounts.google.com
  • Triggering command: /proc/self/exe /proc/self/exe --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=network --no-sandbox --use-angle=swiftshader-webgl --crashpad-handler-pid=24804 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/org.chromium.Chromium.scoped_dir.P7IaNX --change-stack-guard-on-fork=enable --shared-files=network_parent_dirs_pipe:100,v8_context_snapshot_data:101 --field-trial-handle=3,i,16570447436443953886,16924406320485714423,262144 --disable-features=PaintHolding --variations-seed-version --pseudonymization-salt-handle=7,i,5397830917114391749,10771960922169937545,4 --trace-process-track-uuid=3190708989122997041 (dns block)
  • Triggering command: /usr/bin/chromium chromium --headless --disable-gpu --no-sandbox --screenshot=/tmp/gh-aw-note-details-preview.png --window-size=1400,900 file:///tmp/gh-aw-note-preview.html (dns block)
• clients2.google.com
  • Triggering command: /proc/self/exe /proc/self/exe --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=network --no-sandbox --use-angle=swiftshader-webgl --crashpad-handler-pid=24804 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/org.chromium.Chromium.scoped_dir.P7IaNX --change-stack-guard-on-fork=enable --shared-files=network_parent_dirs_pipe:100,v8_context_snapshot_data:101 --field-trial-handle=3,i,16570447436443953886,16924406320485714423,262144 --disable-features=PaintHolding --variations-seed-version --pseudonymization-salt-handle=7,i,5397830917114391749,10771960922169937545,4 --trace-process-track-uuid=3190708989122997041 (dns block)
  • Triggering command: /usr/bin/chromium chromium --headless --disable-gpu --no-sandbox --screenshot=/tmp/gh-aw-note-details-preview.png --window-size=1400,900 file:///tmp/gh-aw-note-preview.html (dns block)
• redirector.gvt1.com
  • Triggering command: /proc/self/exe /proc/self/exe --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=network --no-sandbox --use-angle=swiftshader-webgl --crashpad-handler-pid=24804 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/org.chromium.Chromium.scoped_dir.P7IaNX --change-stack-guard-on-fork=enable --shared-files=network_parent_dirs_pipe:100,v8_context_snapshot_data:101 --field-trial-handle=3,i,16570447436443953886,16924406320485714423,262144 --disable-features=PaintHolding --variations-seed-version --pseudonymization-salt-handle=7,i,5397830917114391749,10771960922169937545,4 --trace-process-track-uuid=3190708989122997041 (dns block)
  • Triggering command: /usr/bin/chromium chromium --headless --disable-gpu --no-sandbox --screenshot=/tmp/gh-aw-note-details-preview.png --window-size=1400,900 file:///tmp/gh-aw-note-preview.html (dns block)
• www.google.com
  • Triggering command: /proc/self/exe /proc/self/exe --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=network --no-sandbox --use-angle=swiftshader-webgl --crashpad-handler-pid=24804 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/org.chromium.Chromium.scoped_dir.P7IaNX --change-stack-guard-on-fork=enable --shared-files=network_parent_dirs_pipe:100,v8_context_snapshot_data:101 --field-trial-handle=3,i,16570447436443953886,16924406320485714423,262144 --disable-features=PaintHolding --variations-seed-version --pseudonymization-salt-handle=7,i,5397830917114391749,10771960922169937545,4 --trace-process-track-uuid=3190708989122997041 (dns block)
  • Triggering command: /usr/bin/chromium chromium --headless --disable-gpu --no-sandbox --screenshot=/tmp/gh-aw-note-details-preview.png --window-size=1400,900 file:///tmp/gh-aw-note-preview.html (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[Copilot]

Pull request overview

This PR fixes blank GitHub alert blocks in the Workflow Health Dashboard issue output by adjusting how guard sections render markdown inside [!WARNING] / [!NOTE] alerts.

Changes:

• Updated the firewall “blocked domains” WARNING section to use an inline header instead of a <details>/<summary> block.
• Refactored the integrity-filter NOTE section message to use clearer singular/plural grammar selection.
• Updated unit tests to match the new rendered markdown expectations.

Show a summary per file

File	Description
actions/setup/js/firewall_blocked_domains.cjs	Removes <details>/<summary> from WARNING output and uses an inline bold header to ensure content renders in GitHub issues.
actions/setup/js/firewall_blocked_domains.test.cjs	Updates expectations for the new WARNING format (no <details>).
actions/setup/js/gateway_difc_filtered.cjs	Introduces verb/pronoun selection for singular/plural integrity-filter explanation text.
actions/setup/js/gateway_difc_filtered.test.cjs	Adjusts assertion for integrity-filter explanation text to accommodate singular/plural output.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comments suppressed due to low confidence (1)

actions/setup/js/firewall_blocked_domains.test.cjs:325

• This test title still refers to generating a "details section" even though the WARNING output no longer uses
  /

  . Rename the test to reflect the current inline-header warning format to keep the suite self-describing.

    it("should generate details section for multiple blocked domains", () => {
      const domains = ["alpha.example.com", "beta.example.com", "gamma.example.com"];
      const result = generateBlockedDomainsSection(domains);

      expect(result).toContain("> [!WARNING]");
      expect(result).toContain("> **⚠️ Firewall blocked 3 domains**");
      expect(result).toContain("> - `alpha.example.com`");

• Files reviewed: 4/4 changed files
• Comments generated: 3

[Copilot]

In this test case the input contains a single event, so the output should always use the singular phrasing ("it doesn't"). Using a regex that allows both singular and plural makes the test permissive and could miss regressions; assert the singular phrase explicitly for this 1-item scenario (and add/keep a separate test that asserts the plural phrasing for 2+ items).

Suggested change

	expect(result).toMatch(/blocked because (it doesn't|they don't) meet/);
	expect(result).toContain("blocked because it doesn't meet");

[Copilot]

The variable name pronoun is misleading here because the value includes more than a pronoun (it also includes the negated auxiliary verb: "it doesn't" / "they don't"). Rename it to something that reflects the full phrase (e.g., subject/negation phrase) or split into subject and auxVerb to keep the sentence assembly clear.

See below for a potential fix:

  const subjectNegationPhrase = count === 1 ? "it doesn't" : "they don't";

  let section = "\n\n> [!NOTE]\n";
  section += `> <details>\n`;
  section += `> <summary>🔒 Integrity filter blocked ${count} ${itemWord}</summary>\n`;
  section += `>\n`;
  section += `> The following ${itemWord} ${verb} blocked because ${subjectNegationPhrase} meet the GitHub integrity level.\n`;

[Copilot]

This test title still says it "generate[s] details section", but the implementation no longer uses a

/

wrapper for the WARNING block. Update the test description to match the new behavior to avoid confusion when reading failures.

This issue also appears on line 319 of the same file.

[github-actions]

🧪 Test Quality Sentinel Report

Test Quality Score: 90/100

✅ Excellent test quality

Metric	Value
New/modified tests analyzed	3
✅ Design tests (behavioral contracts)	3 (100%)
⚠️ Implementation tests (low value)	0 (0%)
Tests with error/edge cases	2 (67%)
Duplicate test clusters	0
Test inflation detected	No
🚨 Coding-guideline violations	None

---

Test Classification Details

View All Test Classifications (3 tests)

Test	File	Classification	Notes
generates blocked domains section for 1 domain	firewall_blocked_domains.test.cjs:309	✅ Design	Verifies exact output format — bold heading replaces <details> wrapper; tests singular form
generates blocked domains section for 3 domains	firewall_blocked_domains.test.cjs:321	✅ Design	Same output format for plural form; tests domain list rendering
generates DIFC filtered section (single event)	gateway_difc_filtered.test.cjs:259	✅ Design	Tightened to regex to cover both it doesn't/they don't grammar variants

---

Analysis

These three test modifications cleanly track the production code changes in this PR:

1. firewall_blocked_domains.test.cjs — Two tests updated to reflect the removal of the <details>/<summary> HTML wrapper inside the [!WARNING] block. Old assertions for <details>, </details>, and <summary> are replaced with an assertion for the new bold-text heading (**⚠️ Firewall blocked N domain(s)**). Remaining assertions (warning marker, domain list, description text, YAML snippet) are retained — these continue to verify the complete output contract.

2. gateway_difc_filtered.test.cjs — One test updated from an exact string match to a regex: toMatch(/blocked because (it doesn't|they don't) meet/). This correctly captures the new singular/plural grammar introduced in the production code and is an improvement over the previous exact-match assertion, which would have failed only for the plural form.

All changes are behavioral contracts — they verify the exact rendered text that users see in GitHub issue comments, not internal implementation details. The tests would catch any regression in the output format immediately.

---

Language Support

Tests analyzed:

• 🐹 Go (*_test.go): 0 tests — no Go test files modified
• 🟨 JavaScript (*.test.cjs): 3 tests (vitest)

---

Verdict

✅ Check passed. 0% of modified tests are implementation tests (threshold: 30%). All three test modifications enforce behavioral output contracts and accurately reflect the production code changes in this PR.

---

📖 Understanding Test Classifications

Design Tests (High Value) verify what the system does:

• Assert on observable outputs, return values, or state changes
• Cover error paths and boundary conditions
• Would catch a behavioral regression if deleted
• Remain valid even after internal refactoring

Implementation Tests (Low Value) verify how the system does it:

• Assert on internal function calls (mocking internals)
• Only test the happy path with typical inputs
• Break during legitimate refactoring even when behavior is correct
• Give false assurance: they pass even when the system is wrong

Goal: Shift toward tests that describe the system's behavioral contract — the promises it makes to its users and collaborators.

---

References: §24633251487

🧪 Test quality analysis by Test Quality Sentinel · ● 492.7K · ◷

[github-actions]

✅ Test Quality Sentinel: 90/100. Test quality is excellent — 0% of modified tests are implementation tests (threshold: 30%). All three test modifications are behavioral contracts that accurately track the output format changes introduced by this PR.

[pelikhan]

@copilot review all comments