Filter out approving review from pr-reviewer agent#13553
Conversation
There was a problem hiding this comment.
Pull request overview
Updates the GitHub Agentic Workflows configuration to prevent the PR review agent from submitting APPROVE reviews by restricting the allowed review events for the submit-pull-request-review safe-output tool.
Changes:
- Add
allowed-events: [COMMENT, REQUEST_CHANGES]tosubmit-pull-request-reviewsafe-outputs configuration. - Regenerate the
review.agentandreview-on-opencompiled lock workflows to carry the new safe-outputs constraint through to runtime config. - (Unrelated) Change the scheduled cron time in
close-stale-prs.agent.lock.yml.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/shared/review-shared.md | Restricts submit-pull-request-review to non-approving events. |
| .github/workflows/review.agent.lock.yml | Regenerated lock file reflecting the updated safe-outputs config (allowed_events). |
| .github/workflows/review-on-open.agent.lock.yml | Regenerated lock file reflecting the updated safe-outputs config (allowed_events). |
| .github/workflows/close-stale-prs.agent.lock.yml | Cron schedule changed (appears unrelated to the PR goal). |
Copilot's findings
- Files reviewed: 4/4 changed files
- Comments generated: 1
There was a problem hiding this comment.
Expert Review — PR #13553: Filter out approvals from pr-reviewer agent
Dimension Summary
| # | Dimension | Verdict | Notes |
|---|---|---|---|
| 1 | Backwards Compatibility | ✅ LGTM | review-shared.md already said "Never use APPROVE"; this adds enforcement. No workflow relied on the APPROVE path. |
| 10 | Design Before Implementation | ✅ LGTM | Correct abstraction — enforcement at the safe-outputs config layer, complementing existing prompt guidance. Both config locations (config.json + env var) updated consistently. |
| 19 | Build Infrastructure Care | ✅ LGTM | Lock file artifacts (hashes, heredoc markers) are expected recompilation side effects. close-stale-prs correctly omitted from allowed_events change (it has no submit_pull_request_review tool). |
| 20 | Scope & PR Discipline | Cron schedule change in close-stale-prs.agent.lock.yml ("18 11 * * 1" → "19 21 * * 1") is unrelated to the stated PR goal. However, the source .agent.md was not modified — this is a lock-file recompilation artifact where the "(scattered)" cron gets re-randomized. Not a true scope violation. |
|
| 22 | Correctness & Edge Cases | ✅ LGTM | allowed_events: ["COMMENT","REQUEST_CHANGES"] applied consistently in all 4 locations (2 files × 2 config points). JSON is valid. Event type names are correct GitHub API values. close-stale-prs correctly excluded. |
| 24 | Security Awareness | ✅ LGTM | Positive security improvement. Removes a concrete prompt-injection vector where malicious PR content could trick the AI into approving. Defense-in-depth: enforced at both config file and env var levels, not just prompt instructions. |
Dimensions N/A (C#-specific, not applicable to workflow YAML)
2 (ChangeWave), 3 (Performance), 5 (Error Messages), 6 (Logging), 7 (String Comparison), 8 (API Surface), 9 (Target Authoring), 11 (Cross-Platform), 13 (Concurrency), 14 (Naming), 15 (SDK Integration), 16 (Idiomatic C#), 17 (File I/O), 18 (Documentation), 21 (Evaluation Model), 23 (Dependencies)
Key Observations
- Completeness verified: All files containing
submit_pull_request_reviewconfig are updated.close-stale-prscorrectly excluded (usesclose_pull_request+add_comment, not review tools). - Cron scatter: The cron change in
close-stale-prs.agent.lock.ymlis a harmless recompilation artifact — the source.agent.mdwas not modified. - No issues found that would warrant requesting changes.
Overall: Clean, focused security improvement. LGTM.
Note
🔒 Integrity filter blocked 2 items
The following items were blocked because they don't meet the GitHub integrity level.
- #13553
pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved". - #13553
pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
To allow these resources, lower min-integrity in your GitHub frontmatter:
tools:
github:
min-integrity: approved # merged | approved | unapproved | noneGenerated by Expert Code Review (on open) for issue #13553 · ● 4.1M
Updated [Microsoft.Build](https://github.com/dotnet/msbuild) from 18.6.3 to 18.7.1. <details> <summary>Release notes</summary> _Sourced from [Microsoft.Build's releases](https://github.com/dotnet/msbuild/releases)._ ## 18.7.1 ## What's Changed * Fix TraceEngine file contention deadlock in multithreaded mode by @JanProvaznik in dotnet/msbuild#13446 * Remove duplicate test cases in MultithreadableTaskAnalyzer by @Youssef1313 in dotnet/msbuild#13483 * Ensure ThreadSafeTaskAnalyzer.Tests is considered as a unit test project by @Youssef1313 in dotnet/msbuild#13481 * Fix MSBuildTask0002 analyzer warnings in already-migrated tasks by @JanProvaznik in dotnet/msbuild#13466 * Fix race conditions in task host path resolution by @AR-May in dotnet/msbuild#13485 * Migrate ToolTask and Al task to TaskEnvironment API by @OvesN in dotnet/msbuild#13423 * Bump main to 18.7, add vs18.6 to merge flow by @MichalPavlik in dotnet/msbuild#13472 * Avoid allocations in GetHashCode implementations by @DustinCampbell in dotnet/msbuild#13475 * Add PATs rotation to agentic workflow(s) by @JanKrivanek in dotnet/msbuild#13496 * Fix ASP.NET WebSite projects to copy netstandard.dll facade when required by @JanProvaznik in dotnet/msbuild#13058 * Migrate AspNetCompiler to TaskEnvironment API by @OvesN in dotnet/msbuild#13424 * Add review workflow by @JanKrivanek in dotnet/msbuild#13503 * Strengthen reviewer skill: add step-back analysis dimensions by @JanProvaznik in dotnet/msbuild#13504 * Add 'Request Speedometer Perf Run' to VS experimental insertion build policies by @Copilot in dotnet/msbuild#13505 * Remove duplicate @ prefix from issueAuthor in GitOps by @akoeplinger in dotnet/msbuild#13492 * Improve review aw by @JanKrivanek in dotnet/msbuild#13510 * Migrates unit tests to use RoslynCodeTaskFactory to enable running tests under .NET Core by @jankratochvilcz in dotnet/msbuild#13500 * Fix cross-AppDomain TaskItem modifier cache regression by @DustinCampbell in dotnet/msbuild#13493 * Discourage review agent from approving PRs by @JanKrivanek in dotnet/msbuild#13512 * Stop trying to deploy ValueTuple by @rainersigwald in dotnet/msbuild#13507 * Ad-hoc re-sign bootstrap dotnet on macOS to prevent SIGKILL by @jankratochvilcz in dotnet/msbuild#13513 * RoslynCodeTaskFactory: Log MSB3753 when task class does not implement ITask by @jankratochvilcz in dotnet/msbuild#13517 * Update gh-aw (upon mcp policy changes) by @JanKrivanek in dotnet/msbuild#13526 * Eliminate XmlChildNodes allocations in GetXmlNodeInnerContents by @nareshjo in dotnet/msbuild#13509 * Fix telemetry allocation regression: per-engine collector ownership by @JanProvaznik in dotnet/msbuild#13516 * Migrate to xunit.v3 by @Youssef1313 in dotnet/msbuild#13482 * Fix stray brace in HandleBuildCancel trace string causing MSB1025 by @Copilot in dotnet/msbuild#13535 * Bumping to 10.0.4 runtime packages by @MichalPavlik in dotnet/msbuild#13533 * Remove early return in GetCanonicalForm, always call System.IO.Path by @OvesN in dotnet/msbuild#13532 * Do not overwrite GetCopyToOutputDirectoryItemsDependsOn, just add new… by @snechaev in dotnet/msbuild#13474 * Migrate GetReferenceAssemblyPaths task to TaskEnvironment API by @OvesN in dotnet/msbuild#13495 * Stabilize ToolTaskThatTimeoutAndRetry test by @rainersigwald in dotnet/msbuild#13489 * [automated] Merge branch 'vs18.6' => 'main' by @github-actions[bot] in dotnet/msbuild#13506 * Add extra test assertions around tests by @Youssef1313 in dotnet/msbuild#13536 * Add static eval for repo skills/agents via skill-validator by @JanKrivanek in dotnet/msbuild#13537 * Migrate SGen task to Task environment API by @OvesN in dotnet/msbuild#13457 * Fix TerminalLogger assert failure for metaproj files and cached project eval ID by @OvesN in dotnet/msbuild#13480 * Filter out approving review from pr-reviewer agent by @JanKrivanek in dotnet/msbuild#13553 * Use a unique task name per invocation to tabilize RoslynCodeTaskFactory_ReuseCompilation test by @huulinhnguyen-dev in dotnet/msbuild#13551 * Brief doc on feedback/logging/data systems by @rainersigwald in dotnet/msbuild#13554 * Localized file check-in by OneLocBuild Task: Build definition ID 9434: Build ID 13881982 by @dotnet-bot in dotnet/msbuild#13437 * Stage 3: Forward BuildProjectFile* callbacks from OOP TaskHost to worker node by @JanProvaznik in dotnet/msbuild#13350 * Enable TaskHost Callbacks by default by @JanProvaznik in dotnet/msbuild#13579 * Remove unactionable info from reviewer agent by @JanKrivanek in dotnet/msbuild#13578 * Enlighten RequiresFramework35SP1Assembly task for multithreaded mode by @jankratochvilcz in dotnet/msbuild#13575 * Make SdkResolver-provided environment variables take precedence over ambient environment by @Copilot in dotnet/msbuild#12655 * Add dotnet/skills marketplace and enable plugins by @Evangelink in dotnet/msbuild#13582 * The skills/agents check filters-in only touched files by @JanKrivanek in dotnet/msbuild#13586 * Fix skill-validation workflow failing when agents directory is deleted by @JeremyKuhne in dotnet/msbuild#13592 ... (truncated) Commits viewable in [compare view](dotnet/msbuild@v18.6.3...v18.7.1). </details> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Follow up of #13512
Context
PR review agent is now prevented from approving PR reviews