github · pelikhan · Feb 13, 2026 · Feb 13, 2026 · Feb 13, 2026 · Feb 13, 2026
diff --git a/.github/workflows/refiner.lock.yml b/.github/workflows/refiner.lock.yml
diff --git a/docs/src/content/docs/agent-factory-status.mdx b/docs/src/content/docs/agent-factory-status.mdx
@@ -32,6 +32,7 @@ These are experimental agentic workflows used by the GitHub Next team to learn,
 | [Claude Code User Documentation Review](https://github.com/github/gh-aw/blob/main/.github/workflows/claude-code-user-docs-review.md) | claude | [![Claude Code User Documentation Review](https://github.com/github/gh-aw/actions/workflows/claude-code-user-docs-review.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/claude-code-user-docs-review.lock.yml) | - | - |
 | [CLI Consistency Checker](https://github.com/github/gh-aw/blob/main/.github/workflows/cli-consistency-checker.md) | copilot | [![CLI Consistency Checker](https://github.com/github/gh-aw/actions/workflows/cli-consistency-checker.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/cli-consistency-checker.lock.yml) | `0 13 * * 1-5` | - |
 | [CLI Version Checker](https://github.com/github/gh-aw/blob/main/.github/workflows/cli-version-checker.md) | claude | [![CLI Version Checker](https://github.com/github/gh-aw/actions/workflows/cli-version-checker.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/cli-version-checker.lock.yml) | - | - |
+| [Code Refiner](https://github.com/github/gh-aw/blob/main/.github/workflows/refiner.md) | copilot | [![Code Refiner](https://github.com/github/gh-aw/actions/workflows/refiner.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/refiner.lock.yml) | - | - |
 | [Code Scanning Fixer](https://github.com/github/gh-aw/blob/main/.github/workflows/code-scanning-fixer.md) | copilot | [![Code Scanning Fixer](https://github.com/github/gh-aw/actions/workflows/code-scanning-fixer.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/code-scanning-fixer.lock.yml) | - | - |
 | [Code Simplifier](https://github.com/github/gh-aw/blob/main/.github/workflows/code-simplifier.md) | copilot | [![Code Simplifier](https://github.com/github/gh-aw/actions/workflows/code-simplifier.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/code-simplifier.lock.yml) | - | - |
 | [Codex GitHub Remote MCP Test](https://github.com/github/gh-aw/blob/main/.github/workflows/codex-github-remote-mcp-test.md) | codex | [![Codex GitHub Remote MCP Test](https://github.com/github/gh-aw/actions/workflows/codex-github-remote-mcp-test.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/codex-github-remote-mcp-test.lock.yml) | - | - |

diff --git a/docs/src/content/docs/reference/frontmatter-full.md b/docs/src/content/docs/reference/frontmatter-full.md
@@ -1784,10 +1784,7 @@ cache: []
 
 # Safe output processing configuration that automatically creates GitHub issues,
 # comments, and pull requests from AI workflow output without requiring write
-# permissions in the main job. When using GitHub App tokens (app:), permissions
-# are automatically narrowed per-job to match only what's needed, and tokens are
-# auto-revoked at job end. Multiple safe outputs in the same workflow receive the
-# union of their required permissions.
+# permissions in the main job
 # (optional)
 safe-outputs:
   # List of allowed domains for URI filtering in AI workflow output. URLs from other
@@ -3438,10 +3435,8 @@ safe-outputs:
   github-token: "${{ secrets.GITHUB_TOKEN }}"
 
   # GitHub App credentials for minting installation access tokens. When configured,
-  # tokens are automatically minted per-job with permissions narrowed to match the
-  # job's permissions block. Tokens are auto-revoked at job end. This enables safe
-  # use of a broadly-permissioned GitHub App because each job only receives the
-  # specific permissions it needs.
+  # a token will be generated using the app credentials and used for all safe output
+  # operations.
   # (optional)
   app:
     # GitHub App ID. Should reference a variable (e.g., ${{ vars.APP_ID }}).

diff --git a/pkg/workflow/label_trigger_parser.go b/pkg/workflow/label_trigger_parser.go
@@ -79,8 +79,8 @@ func parseLabelTriggerShorthand(input string) (entityType string, labelNames []s
 
 // expandLabelTriggerShorthand takes an entity type and label names and returns a map that represents
 // the expanded label trigger + workflow_dispatch configuration with item_number input.
-// Note: For discussion events, GitHub Actions doesn't support the `names` field,
-// so we use the native label filter marker but the names will be filtered via job conditions.
+// Note: For discussion events, GitHub Actions doesn't support the `labels` field,
+// so we use the native label filter marker but the labels will be filtered via job conditions.
 func expandLabelTriggerShorthand(entityType string, labelNames []string) map[string]any {
 	// Create the trigger configuration based on entity type
 	var triggerKey string
@@ -104,11 +104,19 @@ func expandLabelTriggerShorthand(entityType string, labelNames []string) map[str
 		"types": []any{"labeled"},
 	}
 
-	// Only add names field for issues and pull_request (GitHub Actions supports it)
-	// For discussions, names field is not supported by GitHub Actions
-	if entityType == "issues" || entityType == "pull_request" {
+	// Add label names for filtering
+	// For issues: GitHub Actions supports native `labels` field - use it with marker
+	// For pull_request & discussion: Use `names` field for job condition filtering (no marker)
+	//   Note: The `names` field is an internal representation for job condition generation
+	//   and won't be rendered in the final GitHub Actions YAML for these event types
+	switch entityType {
+	case "issues":
+		triggerConfig["labels"] = labelNames
+		triggerConfig["__gh_aw_native_label_filter__"] = true // Marker to use native filtering
+	case "pull_request", "discussion":
+		// For pull_request and discussion: add names field for job condition filtering
 		triggerConfig["names"] = labelNames
-		triggerConfig["__gh_aw_native_label_filter__"] = true // Marker to prevent commenting out names
+		// No marker - this will be filtered via job conditions
 	}
 
 	// Create workflow_dispatch with item_number input

diff --git a/pkg/workflow/label_trigger_parser_test.go b/pkg/workflow/label_trigger_parser_test.go
@@ -329,21 +329,26 @@ func TestExpandLabelTriggerShorthand(t *testing.T) {
 				t.Errorf("expandLabelTriggerShorthand() types = %v, want [labeled]", types)
 			}
 
-			// Check names field (only for issues and pull_request, not discussion)
+			// Check labels/names field:
+			// - For issues: uses native 'labels' field
+			// - For pull_request & discussion: uses 'names' field for job condition filtering
 			switch tt.entityType {
-			case "issues", "pull_request":
+			case "issues":
+				labels, ok := triggerConfig["labels"].([]string)
+				if !ok {
+					t.Fatalf("expandLabelTriggerShorthand() labels is not a string array for issues")
+				}
+				if !slicesEqual(labels, tt.labelNames) {
+					t.Errorf("expandLabelTriggerShorthand() labels = %v, want %v", labels, tt.labelNames)
+				}
+			case "pull_request", "discussion":
 				names, ok := triggerConfig["names"].([]string)
 				if !ok {
 					t.Fatalf("expandLabelTriggerShorthand() names is not a string array for %s", tt.entityType)
 				}
 				if !slicesEqual(names, tt.labelNames) {
 					t.Errorf("expandLabelTriggerShorthand() names = %v, want %v", names, tt.labelNames)
 				}
-			case "discussion":
-				// Discussion should not have names field (GitHub Actions doesn't support it)
-				if _, hasNames := triggerConfig["names"]; hasNames {
-					t.Errorf("expandLabelTriggerShorthand() discussion should not have names field")
-				}
 			}
 
 			// Check workflow_dispatch