Duplicate Code: Version feature-gate checks in workflow helpers

[github-actions]

Summary

Recent commit 06ae01f8e10698a239a930f7ff69df3592ec9d72 extracted awfVersionAtLeast to remove repeated AWF version checks. The same feature-gate pattern still appears across production workflow helpers for AWF, Copilot, and MCP Gateway support checks. Each helper resolves an effective version, treats latest as supported, and compares the value against a minimum semver threshold.

This is now a cross-helper duplication pattern rather than AWF-local duplication. A small shared helper would keep future feature gates consistent and avoid subtle drift in latest, default-version, and non-semver behavior.

Duplication Details

• Severity: Medium
• Occurrences: 3 production helpers
• Locations:
  • pkg/workflow/awf_helpers.go lines 646-656: awfVersionAtLeast
  • pkg/workflow/copilot_engine_execution.go lines 544-560: copilotSupportsNoAskUser
  • pkg/workflow/mcp_github_config.go lines 390-406: mcpgSupportsIntegrityReactions

Code Samples

func awfVersionAtLeast(firewallConfig *FirewallConfig, minVersion constants.Version) bool {
	var versionStr string
	if firewallConfig != nil && firewallConfig.Version != "" {
		versionStr = firewallConfig.Version
	} else {
		versionStr = string(constants.DefaultFirewallVersion)
	}
	if strings.EqualFold(versionStr, "latest") {
		return true
	}
	return semverutil.Compare(versionStr, string(minVersion)) >= 0
}

func copilotSupportsNoAskUser(engineConfig *EngineConfig) bool {
	var versionStr string
	if engineConfig != nil && engineConfig.Version != "" {
		versionStr = engineConfig.Version
	} else {
		// No override -> use the default, which is always >= the minimum.
		return true
	}

	// "latest" means the newest release - always supports the flag.
	if strings.EqualFold(versionStr, "latest") {
		return true
	}

	minVersion := string(constants.CopilotNoAskUserMinVersion)
	return semverutil.Compare(versionStr, minVersion) >= 0
}

func mcpgSupportsIntegrityReactions(gatewayConfig *MCPGatewayRuntimeConfig) bool {
	var version string
	if gatewayConfig != nil && gatewayConfig.Version != "" {
		version = gatewayConfig.Version
	} else {
		// No override -> use the default version for comparison.
		version = string(constants.DefaultMCPGatewayVersion)
	}

	// "latest" means the newest release - always supports the field.
	if strings.EqualFold(version, "latest") {
		return true
	}

	minVersion := string(constants.MCPGIntegrityReactionsMinVersion)
	return semverutil.Compare(version, minVersion) >= 0
}

Impact Analysis

• Maintainability: Every new version-gated feature may copy and slightly alter the same latest plus semver comparison logic.
• Bug Risk: Default-version behavior already differs by helper: AWF and MCPG compare defaults, while Copilot returns true for default because the pinned default is known to satisfy the minimum. Future changes could make these semantics drift.
• Code Bloat: The duplicated bodies are each small, but together they exceed the duplicate-code threshold and are likely to grow as more feature gates are added.

Refactoring Recommendations

1. Extract a shared version threshold helper

   • Suggested location: pkg/workflow/version_gate.go or another workflow-local helper file.
   • Possible shape: versionAtLeast(version, defaultVersion, minVersion string) bool, where callers resolve domain-specific defaults before calling, or pass an explicit default version.
   • Estimated effort: Low.

2. Keep domain-specific wrapper functions

   • Preserve awfSupports..., copilotSupportsNoAskUser, and mcpgSupportsIntegrityReactions as readable call sites.
   • Have each wrapper handle only config extraction and call the shared threshold helper.

3. Add focused table tests for shared behavior

   • Cover empty/default version, explicit old/new versions, latest, and non-semver branch names.

Implementation Checklist

• Review the three helper implementations and confirm shared semantics
• Extract a workflow-local version threshold helper
• Update AWF, Copilot, and MCPG feature-gate wrappers to use it
• Add or update unit tests for shared behavior and each wrapper
• Run make agent-finish before opening the remediation PR

Analysis Metadata

• Analyzed Files: 2 changed production Go files, plus secondary semantic checks across pkg/workflow production Go code
• Detection Method: Serena symbol overview, symbol body inspection, referencing-symbol analysis, and targeted pattern search
• Commit: 06ae01f8e10698a239a930f7ff69df3592ec9d72
• Workflow Run: §25717161421
• Analysis Date: 2026-05-12

Warning

Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

• api.github.com
• github.com

💡 Tip: api.github.com is blocked because GitHub API access uses the built-in GitHub tools by default. Instead of adding api.github.com to network.allowed, use tools.github.mode: gh-proxy for direct pre-authenticated GitHub CLI access without requiring network access to api.github.com:

tools:
  github:
    mode: gh-proxy

See GitHub Tools for more information on gh-proxy mode.

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "api.github.com"
    - "github.com"

See Network Configuration for more information.

Generated by Duplicate Code Detector · ◷