refactor(rust-guard): extract is_any_trusted_actor helper and collapse URL fallback loop

github-actions[bot] · Copilot · web-flow · commit 930f48cd6a46 · 2026-04-21T12:49:21.000Z
- Add is_any_trusted_actor(username, ctx) helper combining the three constituent trust predicates (first-party bot, configured bot, trusted user); replaces copy-pasted triple-OR at three call sites in helpers.rs and tool_rules.rs - Replace three structurally identical if-let blocks in extract_repo_from_item with a for-field loop over ["repository_url", "html_url", "url"], matching the idiom already used in extract_number_from_url All 317 Rust guard tests pass. Closes #4252 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
diff --git a/guards/github-guard/rust-guard/src/labels/helpers.rs b/guards/github-guard/rust-guard/src/labels/helpers.rs
@@ -973,23 +973,12 @@ pub fn extract_repo_from_item(item: &Value) -> String {
     {
         return name.to_string();
     }
-    // repository_url parsing for search endpoints
-    if let Some(url) = item.get("repository_url").and_then(|v| v.as_str()) {
-        if let Some(repo_id) = extract_repo_from_github_url(url) {
-            return repo_id;
-        }
-    }
-    // html_url parsing as last resort - extract owner/repo from URLs like:
-    // https://github.com/owner/repo/pull/123 or https://github.com/owner/repo/issues/456
-    if let Some(url) = item.get("html_url").and_then(|v| v.as_str()) {
-        if let Some(repo_id) = extract_repo_from_github_url(url) {
-            return repo_id;
-        }
-    }
-    // Generic URL field fallback
-    if let Some(url) = item.get("url").and_then(|v| v.as_str()) {
-        if let Some(repo_id) = extract_repo_from_github_url(url) {
-            return repo_id;
+    // URL field fallback (repository_url for search results, html_url / url as generic fallbacks)
+    for field in &["repository_url", "html_url", "url"] {
+        if let Some(url) = item.get(*field).and_then(|v| v.as_str()) {
+            if let Some(repo_id) = extract_repo_from_github_url(url) {
+                return repo_id;
+            }
         }
     }
     String::new()
@@ -1278,11 +1267,7 @@ pub fn has_author_association(item: &Value) -> bool {
 /// Users in the trusted_users list are also elevated to approved integrity.
 pub fn author_association_floor(item: &Value, scope: &str, ctx: &PolicyContext) -> Vec<String> {
     let author_login = extract_author_login(item);
-    if !author_login.is_empty()
-        && (is_trusted_first_party_bot(author_login)
-            || is_configured_trusted_bot(author_login, ctx)
-            || is_trusted_user(author_login, ctx))
-    {
+    if !author_login.is_empty() && is_any_trusted_actor(author_login, ctx) {
         return writer_integrity(scope, ctx);
     }
 
@@ -1476,10 +1461,7 @@ pub fn pr_integrity(
                     );
                     // Elevate trusted bots and trusted users
                     let enriched_floor = if let Some(ref login) = facts.author_login {
-                        if is_trusted_first_party_bot(login)
-                            || is_configured_trusted_bot(login, ctx)
-                            || is_trusted_user(login, ctx)
-                        {
+                        if is_any_trusted_actor(login, ctx) {
                             max_integrity(
                                 repo_full_name,
                                 enriched_floor,
@@ -1772,6 +1754,14 @@ pub fn is_trusted_user(username: &str, ctx: &PolicyContext) -> bool {
     username_in_list(username, &ctx.trusted_users)
 }
 
+/// Returns `true` if `username` belongs to any trusted actor tier:
+/// first-party bots, gateway-configured bots, or trusted users.
+pub(crate) fn is_any_trusted_actor(username: &str, ctx: &PolicyContext) -> bool {
+    is_trusted_first_party_bot(username)
+        || is_configured_trusted_bot(username, ctx)
+        || is_trusted_user(username, ctx)
+}
+
 
 #[cfg(test)]
 mod tests {
diff --git a/guards/github-guard/rust-guard/src/labels/tool_rules.rs b/guards/github-guard/rust-guard/src/labels/tool_rules.rs
@@ -10,8 +10,8 @@ use super::helpers::{
     author_association_floor_from_str,
     elevate_via_collaborator_permission, ensure_integrity_baseline,
     extract_number_as_string, extract_repo_info, extract_repo_info_from_search_query,
-    format_repo_id, is_configured_trusted_bot, is_default_branch_commit_context,
-    is_default_branch_ref, is_trusted_first_party_bot, is_trusted_user, max_integrity,
+    format_repo_id, is_any_trusted_actor, is_default_branch_commit_context,
+    is_default_branch_ref, max_integrity,
     merged_integrity, policy_private_scope_label, private_user_label, project_github_label,
     reader_integrity, writer_integrity, PolicyContext,
 };
@@ -95,10 +95,7 @@ fn resolve_author_integrity(
     let mut floor = author_association_floor_from_str(repo_id, author_association, ctx);
 
     if let Some(login) = author_login {
-        if is_trusted_first_party_bot(login)
-            || is_configured_trusted_bot(login, ctx)
-            || is_trusted_user(login, ctx)
-        {
+        if is_any_trusted_actor(login, ctx) {
             floor = max_integrity(repo_id, floor, writer_integrity(repo_id, ctx), ctx);
         }
         let resource_id = format!("{}/{}#{}", owner, repo, resource_num);
