[Repo Assist] refactor(rust-guard): extract is_any_trusted_actor helper and collapse URL fallback loop (#4260)

🤖 *This is an automated pull request from Repo Assist.*

Closes #4252

## Root Cause

Two minor duplication issues in
`guards/github-guard/rust-guard/src/labels/`:

1. The three-predicate trust check `is_trusted_first_party_bot(x) ||
is_configured_trusted_bot(x, ctx) || is_trusted_user(x, ctx)` was
copy-pasted verbatim at **three call sites** (`helpers.rs:1282–1284`,
`helpers.rs:1479–1481`, `tool_rules.rs:98–100`). Adding a fourth trust
tier would require three matching edits.

2. `extract_repo_from_item` had three structurally identical `if let`
blocks differing only in the JSON field name (`repository_url`,
`html_url`, `url`). The same for-loop idiom is already used in
`extract_number_from_url` in the same file.

## Fix

**`helpers.rs`**
- Added `is_any_trusted_actor(username, ctx)` — a single helper that
combines the three predicates with a docstring explaining its semantics.
- Replaced both call sites in `helpers.rs` with one-liner
`is_any_trusted_actor` calls.
- Collapsed the three repeated `if let` URL-field blocks in
`extract_repo_from_item` into a `for field in &[...]` loop (same pattern
as `extract_number_from_url`).

**`tool_rules.rs`**
- Replaced the third call site with `is_any_trusted_actor`.
- Updated the import to use `is_any_trusted_actor` instead of the three
individual functions.

## Trade-offs

- Purely mechanical refactor; zero semantic change.
- `is_any_trusted_actor` is `pub(crate)` — callable within the crate but
not exported.

## Test Status

- ✅ `cargo build` — compiles without warnings
- ✅ `cargo test` — **317 / 317 tests pass**
- ⚠️ Go build/test skipped — `proxy.golang.org` blocked by network
firewall (pre-existing infrastructure limitation, unrelated to this
change)




> [!WARNING]
> <details>
> <summary><strong>⚠️ Firewall blocked 1 domain</strong></summary>
>
> The following domain was blocked by the firewall during workflow
execution:
>
> - `proxy.golang.org`
>
> To allow these domains, add them to the `network.allowed` list in your
workflow frontmatter:
>
> ```yaml
> network:
>   allowed:
>     - defaults
>     - "proxy.golang.org"
> ```
>
> See [Network
Configuration](https://github.github.com/gh-aw/reference/network/) for
more information.
>
> </details>


> Generated by [Repo
Assist](https://github.com/github/gh-aw-mcpg/actions/runs/24722841729/agentic_workflow)
· ● 4.8M ·
[◷](https://github.com/search?q=repo%3Agithub%2Fgh-aw-mcpg+%22gh-aw-workflow-id%3A+repo-assist%22&type=pullrequests)
>
> To install this [agentic
workflow](https://github.com/githubnext/agentics/blob/851905c06e905bf362a9f6cc54f912e3df747d55/workflows/repo-assist.md),
run
> ```
> gh aw add
githubnext/agentics@851905c
> ```

<!-- gh-aw-agentic-workflow: Repo Assist, engine: copilot, model: auto,
id: 24722841729, workflow_id: repo-assist, run:
https://github.com/github/gh-aw-mcpg/actions/runs/24722841729 -->

<!-- gh-aw-workflow-id: repo-assist -->

Author: lpcox

guards/github-guard/rust-guard/src/labels/helpers.rs

@@ -940,7 +940,8 @@ pub(crate) fn extract_repo_from_github_url(url: &str) -> Option<String> {
 
 /// Extract repository full name from a response item
 /// Tries multiple fields in order: full_name, repository.full_name,
-/// base.repo.full_name, head.repo.full_name, html_url parsing
+/// base.repo.full_name, head.repo.full_name, then URL parsing from
+/// repository_url, html_url, and url.
 /// Returns empty string if no repo info found
 pub fn extract_repo_from_item(item: &Value) -> String {
     // Direct full_name (repositories)
@@ -973,23 +974,12 @@ pub fn extract_repo_from_item(item: &Value) -> String {
     {
         return name.to_string();
     }
-    // repository_url parsing for search endpoints
-    if let Some(url) = item.get("repository_url").and_then(|v| v.as_str()) {
-        if let Some(repo_id) = extract_repo_from_github_url(url) {
-            return repo_id;
-        }
-    }
-    // html_url parsing as last resort - extract owner/repo from URLs like:
-    // https://github.com/owner/repo/pull/123 or https://github.com/owner/repo/issues/456
-    if let Some(url) = item.get("html_url").and_then(|v| v.as_str()) {
-        if let Some(repo_id) = extract_repo_from_github_url(url) {
-            return repo_id;
-        }
-    }
-    // Generic URL field fallback
-    if let Some(url) = item.get("url").and_then(|v| v.as_str()) {
-        if let Some(repo_id) = extract_repo_from_github_url(url) {
-            return repo_id;
+    // URL field fallback (repository_url for search results, html_url / url as generic fallbacks)
+    for field in &["repository_url", "html_url", "url"] {
+        if let Some(url) = item.get(field).and_then(|v| v.as_str()) {
+            if let Some(repo_id) = extract_repo_from_github_url(url) {
+                return repo_id;
+            }
         }
     }
     String::new()
@@ -1278,11 +1268,7 @@ pub fn has_author_association(item: &Value) -> bool {
 /// Users in the trusted_users list are also elevated to approved integrity.
 pub fn author_association_floor(item: &Value, scope: &str, ctx: &PolicyContext) -> Vec<String> {
     let author_login = extract_author_login(item);
-    if !author_login.is_empty()
-        && (is_trusted_first_party_bot(author_login)
-            || is_configured_trusted_bot(author_login, ctx)
-            || is_trusted_user(author_login, ctx))
-    {
+    if !author_login.is_empty() && is_any_trusted_actor(author_login, ctx) {
         return writer_integrity(scope, ctx);
     }
 
@@ -1476,10 +1462,7 @@ pub fn pr_integrity(
                     );
                     // Elevate trusted bots and trusted users
                     let enriched_floor = if let Some(ref login) = facts.author_login {
-                        if is_trusted_first_party_bot(login)
-                            || is_configured_trusted_bot(login, ctx)
-                            || is_trusted_user(login, ctx)
-                        {
+                        if is_any_trusted_actor(login, ctx) {
                             max_integrity(
                                 repo_full_name,
                                 enriched_floor,
@@ -1772,6 +1755,14 @@ pub fn is_trusted_user(username: &str, ctx: &PolicyContext) -> bool {
     username_in_list(username, &ctx.trusted_users)
 }
 
+/// Returns `true` if `username` belongs to any trusted actor tier:
+/// first-party bots, gateway-configured bots, or trusted users.
+pub(crate) fn is_any_trusted_actor(username: &str, ctx: &PolicyContext) -> bool {
+    is_trusted_first_party_bot(username)
+        || is_configured_trusted_bot(username, ctx)
+        || is_trusted_user(username, ctx)
+}
+
 
 #[cfg(test)]
 mod tests {
@@ -1781,6 +1772,20 @@ mod tests {
         PolicyContext::default()
     }
 
+    #[test]
+    fn test_is_any_trusted_actor_tiers_and_negative() {
+        let ctx = PolicyContext {
+            trusted_bots: vec!["custom-bot".to_string()],
+            trusted_users: vec!["trusted-human".to_string()],
+            ..Default::default()
+        };
+
+        assert!(is_any_trusted_actor("github-actions[bot]", &ctx));
+        assert!(is_any_trusted_actor("custom-bot", &ctx));
+        assert!(is_any_trusted_actor("trusted-human", &ctx));
+        assert!(!is_any_trusted_actor("random-user", &ctx));
+    }
+
     #[test]
     fn test_collaborator_permission_floor_admin() {
         let ctx = test_ctx();

guards/github-guard/rust-guard/src/labels/tool_rules.rs

@@ -10,8 +10,8 @@ use super::helpers::{
     author_association_floor_from_str,
     elevate_via_collaborator_permission, ensure_integrity_baseline,
     extract_number_as_string, extract_repo_info, extract_repo_info_from_search_query,
-    format_repo_id, is_configured_trusted_bot, is_default_branch_commit_context,
-    is_default_branch_ref, is_trusted_first_party_bot, is_trusted_user, max_integrity,
+    format_repo_id, is_any_trusted_actor, is_default_branch_commit_context,
+    is_default_branch_ref, max_integrity,
     merged_integrity, policy_private_scope_label, private_user_label, project_github_label,
     reader_integrity, writer_integrity, PolicyContext,
 };
@@ -95,10 +95,7 @@ fn resolve_author_integrity(
     let mut floor = author_association_floor_from_str(repo_id, author_association, ctx);
 
     if let Some(login) = author_login {
-        if is_trusted_first_party_bot(login)
-            || is_configured_trusted_bot(login, ctx)
-            || is_trusted_user(login, ctx)
-        {
+        if is_any_trusted_actor(login, ctx) {
             floor = max_integrity(repo_id, floor, writer_integrity(repo_id, ctx), ctx);
         }
         let resource_id = format!("{}/{}#{}", owner, repo, resource_num);