Honor global mention allowlists in add-comment sanitization

[Copilot]

add_comment was re-sanitizing comment bodies with a narrower allowlist than the one resolved earlier in the safe-outputs pipeline. As a result, mentions allowed via global safe-outputs.mentions settings—especially allowed-teams and collaborator/context-derived aliases—were being escaped before posting.

• Bug fix: preserve resolved mention aliases in add_comment

  • Include handler-manager allowedMentionAliases in the final add_comment sanitization pass
  • Keep existing parent-author and explicit mentions.allowed behavior intact
  • This aligns add_comment with the global mention resolution already used earlier in the run

• Regression coverage

  • Add a focused JS test proving that a pre-resolved alias passed from the handler manager survives the final sanitizer and is posted as a real @mention

• Effective behavior

  // before final sanitize in add_comment
  const allowedMentionAliases = deduplicateCaseInsensitive([
    ...parentAuthors,
    ...preResolvedMentionAliases,
    ...configuredMentionAliases,
  ]);

This keeps the final sanitizer consistent with the resolved global mentions policy instead of collapsing back to comment-local aliases only.

[Copilot]

Pull request overview

Fixes a safe-outputs mention-sanitization regression where add_comment was re-sanitizing bodies with a narrower allowlist than the one already resolved earlier in the pipeline, causing globally-allowed mentions (e.g., from teams/collaborators) to be escaped before posting.

Changes:

• Extend add_comment’s final sanitization pass to include handler-manager-provided allowedMentionAliases (in addition to parent author + mentions.allowed).
• Add a regression test ensuring a pre-resolved alias survives the final sanitizer and is posted as a real @mention.
• Minor readability-only refactor in the dashboard CLI child-process buffering logic (expanded single-line if blocks).

Show a summary per file

File	Description
actions/setup/js/add_comment.cjs	Threads pre-resolved allowedMentionAliases into the final sanitizeContent() allowlist used when posting comments.
actions/setup/js/add_comment.test.cjs	Adds regression coverage verifying pre-resolved aliases are not neutralized during the final sanitize pass.
.github/extensions/agentic-workflows-dashboard/dashboard-cli.mjs	Expands overflow checks into block form for clearer control flow; no functional change intended.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 3/3 changed files
• Comments generated: 1
• Review effort level: Low

[github-actions]

🔍 PR Triage — §28395315609

Field	Value
Category	bug
Risk	low
Score	56 / 100
Action	fast_track
Batch	bug-fixes-ready (#41830 · #42318 · #42313 · #42317)

Score breakdown: impact 25 + urgency 15 + quality 16

Fixes add_comment silently dropping @mentions that were resolved globally earlier in the pipeline. 2 files (+39/-1), regression test included. CI in progress. Small, well-described, focused correction.

Generated by 🔧 PR Triage Agent · 99.1 AIC · ⌖ 11.6 AIC · ⊞ 5.4K · ◷

[pelikhan]

@copilot run pr-finisher skill

[gh-aw-bot]

@copilot Please run the pr-finisher skill to drive this PR to a mergeable state — all CI checks are passing and the branch is clean. Address any outstanding review feedback, confirm all checks pass, and prepare this PR for merge.

Run skill: pr-finisher

Generated by 👨‍🍳 PR Sous Chef · 141.7 AIC · ⌖ 10.1 AIC · ⊞ 6.7K · ◷