fix: lenient temporary ID validation — support underscores, warn instead of fail

[Copilot]

An invalid temporary_id (e.g. aw_pr_testfix containing an underscore) caused the entire create_pull_request operation to fail. Invalid temp IDs are minor issues and should not abort the workflow.

Changes

• Underscore support in temp IDs: Updated isTemporaryId regex from [A-Za-z0-9]{3,12} to [A-Za-z0-9_]{3,12} — aw_pr_testfix is now a valid ID
• Warn + auto-generate instead of fail: getOrGenerateTemporaryId and the inline validation in create_pull_request.cjs now emit core.warning() and fall back to an auto-generated ID rather than returning { success: false }
• Consistent patterns: TEMPORARY_ID_PATTERN and TEMPORARY_ID_CANDIDATE_PATTERN updated to include _
• Updated error messages: All validation error strings now describe A-Za-z0-9_ as the valid character set with examples like aw_pr_fix
• update_project.cjs: Error messages updated for consistency (behavior unchanged — draft chaining references still reject truly malformed IDs)

// Before: fails the whole create_pull_request
Error: ✗ Message 2 (create_pull_request) failed: Invalid temporary_id format: 'aw_pr_testfix'. ...

// After: emits a warning, auto-generates a valid ID, and continues
Warning: Invalid temporary_id format: 'aw_pr_testfix'. ... Using auto-generated ID: 'aw_aB3xYz12'

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/repos/github/gh-aw/contents/.github%2Fworkflows%2Faudit-workflows.md
  • Triggering command: /opt/hostedtoolcache/node/24.14.0/x64/bin/node /opt/hostedtoolcache/node/24.14.0/x64/bin/node --experimental-import-meta-resolve --require /home/REDACTED/work/gh-aw/gh-aw/actions/setup/js/node_modules/vitest/suppress-warnings.cjs --conditions node --conditions development /home/REDACTED/work/gh-aw/gh-aw/actions/setup/js/node_modules/vitest/dist/workers/forks.js D ode-gyp-bin/git git rev-�� --reverse origin/fallback-branch..HEAD node . git odules/npm/node_--count git (http block)
• invalid.example.invalid
  • Triggering command: /usr/lib/git-core/git-remote-https /usr/lib/git-core/git-remote-https origin https://invalid.example.invalid/nonexistent-repo.git git conf�� user.name Test User ode_modules/.bin/git . git ache/go/1.25.0/x-b git init�� --bare --initial-branch=main 0/x64/bin/git ranch test@test.com ode_modules/.binagent-change.txt git (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[Copilot]

Pull request overview

This PR makes temporary ID handling more permissive and resilient so that malformed temporary_id values no longer abort create_pull_request workflows, while also updating validation messaging and tests to reflect underscore support.

Changes:

• Expanded temporary ID validation to allow underscores (A-Za-z0-9_) across helper regexes and isTemporaryId.
• Updated create_pull_request and getOrGenerateTemporaryId to warn and fall back to an auto-generated ID instead of failing on invalid temp IDs.
• Updated validation/error message text (and corresponding tests) for consistency.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
actions/setup/js/temporary_id.cjs	Allows underscores in temp IDs; warns + auto-generates on invalid input; updates validation messages.
actions/setup/js/temporary_id.test.cjs	Adds/updates tests for underscore support and the new warn+fallback behavior.
actions/setup/js/create_pull_request.cjs	Changes invalid temp ID handling from hard-fail to warning + auto-generated fallback.
actions/setup/js/update_project.cjs	Updates validation error messages to reflect underscore support.
actions/setup/js/update_project.test.cjs	Updates expectations to match the new validation message wording.

Comments suppressed due to low confidence (2)

actions/setup/js/temporary_id.cjs:142

• getOrGenerateTemporaryId accepts an entityType parameter (documented as being for error messages) but it’s never used. Either incorporate entityType into the warning / error strings for clearer diagnostics, or remove the parameter to avoid dead API surface.

 * @param {Object} message - The message object that may contain a temporary_id field
 * @param {string} entityType - Type of entity (e.g., "issue", "discussion", "project") for error messages
 * @returns {{temporaryId: string, error: null} | {temporaryId: null, error: string}} Result with temporaryId or error
 */
function getOrGenerateTemporaryId(message, entityType = "item") {

actions/setup/js/create_pull_request.cjs:272

• In the invalid temporary_id path, temporaryId is set to generateTemporaryId() without the .toLowerCase() normalization applied in the valid-id path. For consistency with map lookups (which normalize to lowercase) and to keep returned IDs predictable, consider lowercasing (or using normalizeTemporaryId) on the auto-generated value too.

      if (!isTemporaryId(normalized)) {
        // Warn and auto-generate rather than failing - an invalid temporary_id is a minor issue
        const autoGenerated = generateTemporaryId();
        core.warning(
          `Invalid temporary_id format: '${pullRequestItem.temporary_id}'. Temporary IDs must be in format 'aw_' followed by 3 to 12 alphanumeric or underscore characters (A-Za-z0-9_). Example: 'aw_abc' or 'aw_pr_fix'. Using auto-generated ID: '${autoGenerated}'`
        );
        temporaryId = autoGenerated;
      } else {
        temporaryId = normalized.toLowerCase();
      }

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

TEMPORARY_ID_CANDIDATE_PATTERN only matches [A-Za-z0-9_]+ up to a \b, so references that include invalid characters after a valid prefix (e.g. #aw_test-id) will be partially matched as #aw_test and won’t trigger the malformed-reference warning. Consider capturing the full token after #aw_ (up to whitespace/end/punctuation) and then validating the entire candidate so truly malformed IDs get warned about consistently.

[Copilot]

This file now has a second copy of temporary_id validation + fallback generation logic that overlaps with getOrGenerateTemporaryId in temporary_id.cjs. To avoid future drift (e.g., message wording / normalization differences), consider using the shared helper here and relying on it to warn + generate when invalid.

This issue also appears on line 263 of the same file.

[pelikhan]

@copilot review comments

[Copilot]

@copilot review comments

Addressed both review comments in bf2a8a1:

1. TEMPORARY_ID_CANDIDATE_PATTERN: Changed from [A-Za-z0-9_]+\b to [A-Za-z0-9_-]+ (no word boundary). Now #aw_test-id captures the full token test-id, so aw_test-id correctly fails isTemporaryId and triggers a warning. Added a test to confirm.

2. Duplicate logic in create_pull_request.cjs: Replaced the inline validation block with a call to the shared getOrGenerateTemporaryId() helper, removing the local copies of isTemporaryId and generateTemporaryId from the import. The behavior is identical — non-string temporary_id still fails, invalid format warns + auto-generates.