[jsweep] Clean validate_lockdown_requirements.cjs

[github-actions]

Summary

Cleans validate_lockdown_requirements.cjs as part of the daily jsweep unbloat run.

Context type: github-script (uses core.info, core.setFailed, core.setOutput)

---

Changes

🗑️ Remove unused import

• Removed const { ERR_VALIDATION } = require("./error_codes.cjs") — ERR_VALIDATION was imported but never referenced in the file.

♻️ Extract failWithError helper (DRY)

The pattern core.setOutput("lockdown_check_failed", "true"); core.setFailed(msg); throw new Error(msg) was repeated verbatim three times. Extracted into a local failWithError(message) helper with a @returns {never} JSDoc annotation so TypeScript understands it never returns normally.

🧩 Refactor error text to template module + renderTemplate

• Moved the three lockdown validation error messages out of validate_lockdown_requirements.cjs into a dedicated template module:
  • actions/setup/js/validate_lockdown_requirements_templates.cjs
• Rendered those messages via shared renderTemplate from messages_core.cjs.
• Updated the validator to call message render helpers, preserving behavior and message content.

---

Test improvements

Added 6 new tests (24 → 30 total) across three new describe blocks:

Group	Tests added
setOutput side effects	Verify lockdown_check_failed output is NOT set on successful runs
multiple tokens	All three tokens configured simultaneously
error message formatting	Each error path contains actual \n newline characters

---

✅ Validation

• Formatting: npm run format:cjs ✓
• Linting: npm run lint:cjs ✓
• Type checking: npm run typecheck ✓
• Tests: All 30 tests pass (npm run test:js) ✓

> [!WARNING]
>

> Generated by 🧹 jsweep - JavaScript Unbloater · 710.2 AIC · ⌖ 41.8 AIC · ⊞ 18.7K · ◷
> - [x] expires on Jun 17, 2026, 9:46 PM UTC-08:00

[github-actions]

✅ Test Quality Sentinel completed test quality analysis.

[github-actions]

✅ PR Code Quality Reviewer completed the code quality review.

[github-actions]

🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅

[github-actions]

✅ Design Decision Gate 🏗️ completed the design decision gate check.

No ADR enforcement needed: PR #39498 does not have the 'implementation' label (has_implementation_label=false) and has 0 new lines of code in business logic directories (requires_adr_by_default_volume=false, default_business_additions=0, threshold=100).

[Copilot]

Pull request overview

This PR performs a small cleanup/refactor of the actions/setup/js/validate_lockdown_requirements.cjs runtime validator (used from github-script), and strengthens its Vitest coverage to ensure behavior and error formatting remain correct.

Changes:

• Removed an unused ERR_VALIDATION import from validate_lockdown_requirements.cjs.
• Extracted a failWithError(message) helper to de-duplicate the repeated failure pattern (setOutput + setFailed + throw).
• Added additional tests to validate setOutput side effects, multi-token configurations, and newline formatting in error messages.

Show a summary per file

File	Description
actions/setup/js/validate_lockdown_requirements.cjs	Removes unused import, factors repeated failure logic into a helper, and switches error message construction to newline-containing strings.
actions/setup/js/validate_lockdown_requirements.test.cjs	Expands coverage to verify no success-path setOutput, multi-token success behavior, and newline presence in error messages.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 2/2 changed files
• Comments generated: 0

[github-actions]

Skills-Based Review 🧠

Applied /improve-codebase-architecture and /tdd — approving with two non-blocking suggestions.

📋 Key Themes & Highlights

Key Themes

• Template literal chaining: The \\n → \n semantic fix is real and correct, but the strings are still built by concatenating individual template literals. A single template literal (or a true multiline one) would complete the job.
• .toThrow() consistency: The three new formatting tests use bare .toThrow() while the existing suite already passes a message substring to .toThrow(...). Small gap worth closing.

Positive Highlights

• ✅ @returns {never} JSDoc on failWithError is precise — TypeScript will use this for control-flow narrowing.
• ✅ failWithError DRY extraction eliminates three identical three-liner blocks cleanly.
• ✅ The \\n → \n migration is a genuine semantic bug fix (old code emitted literal backslash-n text), and the new error message formatting describe block provides direct proof.
• ✅ Success-path setOutput side-effect tests (expect(mockCore.setOutput).not.toHaveBeenCalled()) are excellent regression guards.
• ✅ Dead ERR_VALIDATION import removed, eliminating an unnecessary coupling to error_codes.cjs.

🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · 217.6 AIC · ⌖ 14 AIC · ⊞ 29.4K

[github-actions]

[/tdd] .toThrow() without an argument does not verify which error is thrown — inconsistent with the existing suite (line 301 uses .toThrow("not compiled with strict mode")).

💡 Match the specificity of existing tests

The pre-existing test block uses:

}).toThrow("not compiled with strict mode");

Applying the same pattern here makes all three new formatting tests consistent and catches regressions in the thrown message, not just the fact that something was thrown:

// lockdown test
}).toThrow("no custom GitHub token is configured");

// strict mode test
}).toThrow("not compiled with strict mode");

// pull_request_target test
}).toThrow("pwn request");

[github-actions]

Review

Clean, correct refactor. No blocking issues.

What was examined

failWithError extraction — Correct DRY helper. core.setFailed does not throw in the Actions runtime, so the subsequent throw new Error(message) always executes. The @returns {never} JSDoc annotation is valid and aids TypeScript control-flow analysis under // @ts-check``.

\\n → \n behavioral fix — Old code used "text\\\\n" in regular string literals, producing literal backslash-n in the string value. New code uses `text\n` in template literals, producing real newline characters. @actions/core properly URL-encodes \n → %0A in ::error:: annotations. This is a genuine bug fix that improves log readability.

New tests — The three added describe blocks (setOutput side effects, multiple tokens, error message formatting) validate concrete behaviors: no false-positive output on success paths, correct || token logic, and the \n fix round-trip. Scope is appropriate for unit tests.

🔎 Code quality review by PR Code Quality Reviewer · 340.5 AIC · ⌖ 13.4 AIC · ⊞ 17.3K

[pelikhan]

@copilot refactor to template file and renderTemplate

[Copilot]

Addressed in commit 6c9ce2b. I moved the lockdown/strict/pull_request_target error text into a dedicated template module and render it via renderTemplate.

[pelikhan]

@copilot refactor to template file

[Copilot]

Addressed in commit 6c9ce2b. The strict-mode public-repo failure message now comes from the new template module and is rendered through renderTemplate.

[pelikhan]

@copilot refactor to template file

[Copilot]

Addressed in commit 6c9ce2b. The pull_request_target public-repo failure message was moved to the template module and rendered through renderTemplate.

[github-actions]

🧪 Test Quality Sentinel Report

⚠️ Test Quality Score: 60/100 — Acceptable

Analyzed 6 test(s): 3 design, 3 implementation, 0 guideline violations.

📊 Metrics & Test Classification (6 tests analyzed)

Metric	Value
New/modified tests analyzed	6
✅ Design tests (behavioral contracts)	3 (50%)
⚠️ Implementation tests (low value)	3 (50%)
Tests with error/edge cases	3 (50%)
Duplicate test clusters	1
Test inflation detected	No (1.82:1 ratio)
🚨 Coding-guideline violations	0

Test	File	Classification	Issues Detected
should not set lockdown_check_failed output on a fully successful run	validate_lockdown_requirements.test.cjs	✅ Design	—
should not set lockdown_check_failed when lockdown is enabled with token and repo is private	validate_lockdown_requirements.test.cjs	✅ Design	—
should pass when all three tokens are configured simultaneously	validate_lockdown_requirements.test.cjs	✅ Design	⚠️ info-log assertions are implementation-level
should include newlines in lockdown error message for readability	validate_lockdown_requirements.test.cjs	⚠️ Implementation	Asserts exact message wording and \n formatting
should include newlines in strict mode error message for readability	validate_lockdown_requirements.test.cjs	⚠️ Implementation	Asserts exact message wording and \n formatting
should include newlines in pull_request_target error message for readability	validate_lockdown_requirements.test.cjs	⚠️ Implementation	Asserts exact message wording and \n formatting

Go: 0; JavaScript: 6 (*.test.cjs). No other languages detected.

⚠️ Flagged Tests — Requires Review (3 issues)

should include newlines in lockdown error message for readability (actions/setup/js/validate_lockdown_requirements.test.cjs) — ⚠️ Implementation: asserts toContain("\n") plus exact option strings. The newline check tests internal message formatting, not a user-facing behavioral contract — it breaks on any whitespace refactoring even when validation behavior is unchanged. Suggested fix: remove the toContain("\n") assertion; retain toContain("GH_AW_GITHUB_TOKEN (recommended)") and toContain("GH_AW_GITHUB_MCP_SERVER_TOKEN (alternative)") as actionable-guidance contracts.

should include newlines in strict mode error message for readability (actions/setup/js/validate_lockdown_requirements.test.cjs) — ⚠️ Implementation: same pattern. toContain("\n") is a formatting assertion with no behavioral value. Suggested fix: drop the newline assertion, keep toContain("gh aw compile --strict") which genuinely tests that the actionable command appears in the error.

should include newlines in pull_request_target error message for readability (actions/setup/js/validate_lockdown_requirements.test.cjs) — ⚠️ Implementation + Duplication: same setFailed.mock.calls[0][0] + toContain("\n") pattern as the two tests above, forming a 3-test duplicate cluster. Suggested fix: remove the \n assertions across all three; if verifying multi-error-path message content is the goal, a parameterised helper (e.g. test.each) would eliminate the duplication and make behavioral intent clearer.

Verdict

❌ Check failed. 50% implementation tests (threshold: 30%). The three error message formatting tests verify internal \n presence and exact message wording rather than behavioral contracts. The content assertions (toContain("gh aw compile --strict"), etc.) do carry real behavioral value — removing only the newline assertions and de-duplicating the pattern would be sufficient to bring this PR above the threshold.

References: §27623742541

🧪 Test quality analysis by Test Quality Sentinel · 414.3 AIC · ⌖ 19.1 AIC · ⊞ 26.5K · ◷

[github-actions]

❌ Test Quality Sentinel: 60/100. 50% of new tests are classified as low-value implementation tests, exceeding the 30% threshold. The three error message formatting tests assert on \n presence and exact message wording (internal formatting) rather than behavioral contracts. Please review the flagged tests in the comment above and remove the newline assertions — the content assertions are valuable and should be kept.