feat(workflows): add maintainer-only skip-review label guard#1293
feat(workflows): add maintainer-only skip-review label guard#1293WilliamBerryiii merged 1 commit intomainfrom
Conversation
- add dual-condition noop guard: skip-review label + maintainer association - recompile pr-review.lock.yml with gh-aw v0.65.6 - pin gh-aw-actions/[email protected] in actions-lock.json 🛡️ - Generated by Copilot
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #1293 +/- ##
==========================================
- Coverage 87.72% 87.71% -0.02%
==========================================
Files 61 61
Lines 9320 9320
==========================================
- Hits 8176 8175 -1
- Misses 1144 1145 +1
Flags with carried forward coverage won't be shown. Click here to find out more. 🚀 New features to boost your workflow:
|
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
Advisory review — this PR is from a maintainer. Findings are informational only.
Review Summary
This PR adds a dual-condition skip-review guard and recompiles pr-review.lock.yml from gh-aw v0.63.1 to v0.65.6. The changes are well-reasoned, correctly implemented, and include meaningful security hardening in the lock file recompilation.
Issue Alignment
The PR links Closes #1290. The described feature — a maintainer-only bypass using both a label and an elevated association check — is coherent and self-consistent. I could not verify the issue content directly due to an integrity-policy restriction, but the PR description is detailed enough to stand independently.
No scope creep detected; all three changed files relate directly to the stated feature.
PR Template Compliance
✅ Description section: thoroughly filled in, covering the core feature, security hardening, operational improvements, and dependency lock.
✅ Related Issue(s): Closes #1290 present.
✅ Type of Change: New feature and GitHub Actions workflow both checked and accurate — pr-review.md and pr-review.lock.yml are both under .github/workflows/.
✅ Testing section: describes deferral to a follow-up PR (acceptable given the setup required: a real PR with the label and a maintainer author).
✅ All Required Automated Checks marked as passed.
✅ Security Considerations: appropriate annotations — token exclusions and audit logging in the lock file actively improve security posture.
✅ AI Artifact checkboxes correctly left unchecked — pr-review.md is a workflow source file, not a Copilot agent/prompt/instructions file.
One minor note: the "Security-related scripts follow the principle of least privilege" checkbox is marked N/A ("no security scripts modified"). Technically the lock file changes do apply least-privilege principles (explicit --exclude-env flags for sensitive tokens). The N/A annotation is defensible since scripts/security/ was not touched, but the spirit of that check is clearly met by the changes.
Coding Standards
.github/workflows/pr-review.lock.yml — auto-generated (DO NOT EDIT); reviewed as evidence of correct recompilation rather than hand-authored code.
- All action SHA pins updated atomically and correctly formatted with inline version comments (
# v0.65.6). ✅ - New
detectionjob declarespermissions: contents: readat job level — minimal privilege. ✅ - New checkout in
detectionjob usespersist-credentials: false. ✅ runs-on: ubuntu-latestthroughout. ✅
.github/workflows/pr-review.md — the three added lines follow the existing bullet-list conventions and integrate cleanly with the draft-skip guard already present.
.github/aw/actions-lock.json — adds a single new SHA-pinned entry for github/gh-aw-actions/[email protected]. Format is consistent with the existing entries. ✅
Code Quality and Security
Core guard logic — the dual condition (label AND privileged association) is the right design. Requiring both conditions means label-only does not bypass review; only a maintainer who also applies the label gets the bypass. The noop message is clear and consistent in style with the draft guard above it.
Heredoc sentinel uniquification — replacing generic GH_AW_PROMPT_EOF with hash-suffixed sentinels (e.g., GH_AW_PROMPT_b4e589eddbf00c0a_EOF) closes a real prompt-injection path. ✅
--exclude-env for sensitive tokens — replacing bare --env-all with explicit exclusions for COPILOT_GITHUB_TOKEN, GITHUB_MCP_SERVER_TOKEN, and MCP_GATEWAY_API_KEY follows the principle of least privilege in the agent sandbox. ✅
--audit-dir — surfacing the firewall audit path into the artifact upload provides better forensic capability. ✅
Detection job extraction — moving threat detection into a dedicated job with needs: agent improves separation of concerns and reduces blast radius if detection fails. The job correctly inherits if: always() so it runs regardless of agent job outcome. ✅
Action Items
No required changes. One informational inline comment posted regarding the skip-review label prerequisite.
Review completed by the automated PR Review agent.
Note
🔒 Integrity filter blocked 1 item
The following item were blocked because they don't meet the GitHub integrity level.
- #1290
issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
To allow these resources, lower min-integrity in your GitHub frontmatter:
tools:
github:
min-integrity: approved # merged | approved | unapproved | none
… label guard PR microsoft#1293 changed the PR Review workflow in two ways that aren't yet reflected in the architecture docs: 1. Maintainer advisory mode — when the PR author is a MEMBER, OWNER, or COLLABORATOR, the agent posts a COMMENT review prefixed with 'Advisory review ...', never uses REQUEST_CHANGES, does not add the needs-revision label, and does not convert the PR to draft. 2. skip-review label guard — the skip-review label now only skips the workflow when the author's association is MEMBER/OWNER/COLLABORATOR; non-maintainer PRs are reviewed normally even when the label is present. Update the Workflow Inventory row for 'PR Review' to call out the maintainer-vs-non-maintainer split, and add a NOTE callout immediately below the inventory that covers both behaviours. The two Mermaid diagrams (End-to-End Process Flow PR Review subgraph and Label-Driven Handoffs state diagram) are left alone for now since the advisory and skip-review paths are additive rather than contradictory — a follow-up pass can extend them if reviewers prefer. Closes microsoft#1299.
… label guard (#1386) # Pull Request ## Description `docs/architecture/agentic-workflows.md` predates two behaviors added by #1293 in the PR Review workflow: 1. Maintainer advisory mode, where member/owner/collaborator PRs receive an advisory `COMMENT` review rather than `REQUEST_CHANGES`. 2. The `skip-review` label guard, which only bypasses review for maintainers and does not exempt external contributors. This PR updates the workflow inventory wording and adds a note callout so the architecture docs reflect those current review-path rules without changing the workflow itself. ## Related Issue(s) Closes #1299. ## Type of Change Select all that apply: **Code & Documentation:** * [ ] Bug fix (non-breaking change fixing an issue) * [ ] New feature (non-breaking change adding functionality) * [ ] Breaking change (fix or feature causing existing functionality to change) * [x] Documentation update **Infrastructure & Configuration:** * [ ] GitHub Actions workflow * [ ] Linting configuration (markdown, PowerShell, etc.) * [ ] Security configuration * [ ] DevContainer configuration * [ ] Dependency update **AI Artifacts:** * [ ] Reviewed contribution with `prompt-builder` agent and addressed all feedback * [ ] Copilot instructions (`.github/instructions/*.instructions.md`) * [ ] Copilot prompt (`.github/prompts/*.prompt.md`) * [ ] Copilot agent (`.github/agents/*.agent.md`) * [ ] Copilot skill (`.github/skills/*/SKILL.md`) > Note for AI Artifact Contributors: > > * Agents: Research, indexing/referencing other project (using standard VS Code GitHub Copilot/MCP tools), planning, and general implementation agents likely already exist. Review `.github/agents/` before creating new ones. > * Skills: Must include both bash and PowerShell scripts. See [Skills](../docs/contributing/skills.md). > * Model Versions: Only contributions targeting the **latest Anthropic and OpenAI models** will be accepted. Older model versions (e.g., GPT-3.5, Claude 3) will be rejected. > * See [Agents Not Accepted](../docs/contributing/custom-agents.md#agents-not-accepted) and [Model Version Requirements](../docs/contributing/ai-artifacts-common.md#model-version-requirements). **Other:** * [ ] Script/automation (`.ps1`, `.sh`, `.py`) * [ ] Other (please describe): ## Testing - `npx markdownlint-cli2 docs/architecture/agentic-workflows.md` - `npx markdown-table-formatter docs/architecture/agentic-workflows.md` - Cross-checked the new wording against `.github/workflows/pr-review.md`. ## Checklist ### Required Checks * [x] Documentation is updated (if applicable) * [x] Files follow existing naming conventions * [x] Changes are backwards compatible (if applicable) * [ ] Tests added for new functionality (if applicable) ### AI Artifact Contributions * [ ] Used `/prompt-analyze` to review contribution * [ ] Addressed all feedback from `prompt-builder` review * [ ] Verified contribution follows common standards and type-specific requirements ### Required Automated Checks The following validation commands must pass before merging: * [ ] Markdown linting: `npm run lint:md` * [ ] Spell checking: `npm run spell-check` * [ ] Frontmatter validation: `npm run lint:frontmatter` * [ ] Skill structure validation: `npm run validate:skills` * [ ] Link validation: `npm run lint:md-links` * [ ] PowerShell analysis: `npm run lint:ps` * [ ] Plugin freshness: `npm run plugin:generate` * [ ] Docusaurus tests: `npm run docs:test` ## Security Considerations * [x] This PR does not contain any sensitive or NDA information * [x] Any new dependencies have been reviewed for security issues * [x] Security-related scripts follow the principle of least privilege ## Additional Notes - The Mermaid diagrams are intentionally unchanged in this PR; the scope here is documentation of the additive advisory and skip-review behaviors. - This description keeps the original workflow-source references and rationale while restructuring them into the required PR template. Co-authored-by: Bill Berry <[email protected]>
## Pre-Release 3.3.101 ### ✨ Features - add removed maturity tier and retire owasp-docker (#1444) - add evaluation dataset creator (#1279) - align RAI planner with guide, remove scoring, improve UX (#1287) - add PSGallery staleness check and BOM cleanup (#1379) - ISA-95 network planner agent (#1177) - auto-generate collection.md with maturity filtering (#1316) - add folder-consistency check and standardize WARN outp… (#1350) - add synth-data-generate prompt to data-science collection (#1419) - add canonical deck workflow and customer-card rendering for design thinking (#1413) - add Figma MCP integration for DT artifact export (#1222) - introduce `owasp-docker` (#1245) - replace hve-core-specific references with portable discovery-based language (#1335) - introduce `owasp-cicd` (#1246) - add secure-by-design knowledge skill (#1223) - introduce `owasp-infrastructure` (#1244) - introduce `owasp-mcp` (#1207) - add OutputPath parameter to Invoke-LinkLanguageCheck.ps1 (#1229) - add -OutputPath parameter to Validate-SkillStructure.ps1 (#1225) - add maintainer-only skip-review label guard (#1293) - add extension collections overview and integrate into getting started flow (#950) - add agentic workflows for automated issue triage, implementation, PR review, dependency review, and doc-staleness detection (#1219) - consolidate package-lock.json version sync into Update-VersionFiles.ps1 (#1240) - add standards code review agent and full review orchestrator (#1174) - standardize pytest-mock as Python mocking framework (#1170) - add Jira backlog workflows and Jira/GitLab skills (#978) - add centralized version bump script and supply-chain attestation (#1183) ### 🐛 Bug Fixes - pin PowerShell-Yaml to 0.4.7 across all install sites (#1378) - close fork-PR/workflow-file-PR secret-strip gap and normalize upload-artifact version (#1421) - replace stream-based lookahead with array indexing in list-changed-files.sh (#1376) - centralize ISO 8601 timestamp regex in CIHelpers (#1343) - update stale documentation date in release-process.md (#1363) - pin basic-ftp to 5.3.0 to resolve GHSA-rp42-5vxx-qpwr (#1374) - add bot filter to dependency PR review workflow (#1362) - resolve pip-audit findings in powerpoint, gitlab, and jira skill lock files (#1360) - standardize Timestamp JSON key casing across all lint result files (#1314) - add synchronize trigger to PR Review workflow (#1323) - standardize timestamp in Validate-SkillStructure.ps1 to use Get-StandardTimestamp (#1280) - add parallel subagent dispatch and structured JSON contracts to code-review-full (#1304) - standardize timestamp in SecurityHelpers.psm1 to use Get-StandardTimestamp (#1284) - standardize timestamps in Test-DependencyPinning.ps1 and SecurityClasses.psm1 (#1282) - derive collection artifact counts from YAML at build time (#1275) - standardize timestamp in FrontmatterValidation.psm1 to use Get-StandardTimestamp (#1285) - standardize timestamp in Markdown-Link-Check.ps1 to use Get-StandardTimestamp (#1283) - escape hyphens in Mermaid diagram on Collections page (#1262) - add summary timestamp to PSScriptAnalyzer output (#1211) - fix plugin compatibility and robustness for coding-standards code review agents (#1289) - standardize timestamp in Test-CopyrightHeaders.ps1 to use Get-StandardTimestamp (#1278) - standardize timestamp in Invoke-YamlLint.ps1 to use Get-StandardTimestamp (#1270) - standardize timestamp in Invoke-LinkLanguageCheck.ps1 to use Get-StandardTimestamp (#1264) - fix dependency-review path filters and sparse-checkout cone mode (#1259) - replace invalid bare tool names with official tool identifiers (#1198) - fix broken links and remove orphaned reference in code review docs (#1257) - exclude Python env dirs from skill validation warnings (#1255) - pin happy-dom and serialize-javascript to resolve Dependabot vulnerabilities (#1253) - remove Mermaid diagram and add missing collection cards (#1247) - disable MCP servers by default to prevent token limit errors (#1144) - sync package-lock.json after pre-release version bump (#1236) - separate mermaid node declarations and add dynamic diagram generation with tests (#1215) - replace anchor links in meeting-analyst with bold text references (#1201) - remove recursive symlinks in jira and gitlab skill directories (#1233) - validate-installation scripts now check .github/skills directory (#1010) (#1206) - resolve npm audit vulnerabilities via dependency overrides (#1200) - add post-release triggers to scorecard workflow (#1186) - add missing .md extensions to relative links in agent documentation (#1180) ### 📚 Documentation - broaden Security Review description beyond OWASP (#1385) - document maintainer advisory mode and skip-review label guard (#1386) - document ExcludePaths/OutputPath for Invoke-LinkLanguageCheck (#1383) - CLI getting-started: clarify plugin install commands as alternatives (-all vs base) (#1251) ### ♻️ Refactoring - align agent and prompt folder names to collection identifier (#1210) ### 🔧 Maintenance - pin PSScriptAnalyzer to 1.25.0 and sync stale workflow version comments (#1389) - bump lxml from 6.0.2 to 6.1.0 in /.github/skills/experimental/powerpoint (#1424) - bump @vscode/vsce from 3.7.1 to 3.9.1 in the npm-dependencies group (#1390) - bump the github-actions group across 1 directory with 7 updates (#1391) - bump follow-redirects from 1.15.11 to 1.16.0 in /docs/docusaurus (#1356) - upgrade Node.js from 20 to 24 and bump cspell to v10 (#1353) - bump basic-ftp from 5.2.0 to 5.2.1 (#1324) - update github/gh-aw-actions requirement to 536ea1bad8c6715d098a9dc1afea8d403733acfe in the github-actions group across 1 directory (#1298) - update security instruction attributions and compliance (#1294) - bump the npm-dependencies group with 2 updates (#1297) - pre-release 3.3.41 (#1252) - streamline RAI Planner phase structure and documentation (#1273) - bump happy-dom from 20.8.8 to 20.8.9 in /docs/docusaurus (#1237) - pre-release 3.3.27 (#1191) - bump pygments from 2.19.2 to 2.20.0 in /.github/skills/gitlab/gitlab (#1234) - bump path-to-regexp from 0.1.12 to 0.1.13 in /docs/docusaurus (#1226) - bump the github-actions group with 4 updates (#1231) - add missing folders and alphabetize location lists (#1193) - bump brace-expansion (#1224) - bump handlebars from 4.7.8 to 4.7.9 in /docs/docusaurus (#1217) - bump brace-expansion from 5.0.3 to 5.0.5 in /docs/docusaurus (#1213) - pre-release 3.3.10 (#1187) - bump markdownlint-cli2 from 0.21.0 to 0.22.0 in the npm-dependencies group (#1175) - bump the github-actions group with 3 updates (#1176) - pre-release 3.3.1 (#1165) --- *Managed automatically by pre-release workflow.* Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
5 participants
Description
Added a dual-condition skip-review noop guard to the agentic automated PR review workflow (
pr-review.md). The guard callsnoopand halts review when a PR carries theskip-reviewlabel and the author's association isMEMBER,OWNER, orCOLLABORATOR. Requiring both conditions prevents any contributor from self-applying the label to bypass automated review: only maintainers qualify.The lock file (
pr-review.lock.yml) was recompiled from gh-aw v0.63.1 to v0.65.6, incorporating several security hardening and operational improvements alongside the feature change.Core Feature
skip-reviewlabel + privileged-association guard inpr-review.md— callsnoopwith"Skipping: skip-review label set by maintainer."when both conditions are metMEMBER,OWNER, orCOLLABORATOR; label alone is insufficient to skip reviewSecurity Hardening (Lock File Recompilation)
GH_AW_PROMPT_b4e589eddbf00c0a_EOF) to close a prompt-injection path where adversarial content could terminate heredocs prematurely--env-allwith explicit--exclude-env COPILOT_GITHUB_TOKEN --exclude-env GITHUB_MCP_SERVER_TOKEN --exclude-env MCP_GATEWAY_API_KEYto follow least-privilege for sensitive tokens in the agent sandbox--audit-dir /tmp/gh-aw/sandbox/firewall/auditto theawfinvocation; extended firewall artifact upload to include the audit pathOperational Improvements (Lock File Recompilation)
v0.63.1→v0.65.6; AWF binaryv0.25.0→v0.25.11;gh-aw-mcpgv0.2.4→v0.2.11; Docker image tags updated atomicallyDependency Lock
github/gh-aw-actions/[email protected](31130b20a8fd3ef263acbe2091267c0aace07e09) in.github/aw/actions-lock.jsonRelated Issue(s)
Closes #1290
Type of Change
Select all that apply:
Code & Documentation:
Infrastructure & Configuration:
AI Artifacts:
prompt-builderagent and addressed all feedback.github/instructions/*.instructions.md).github/prompts/*.prompt.md).github/agents/*.agent.md).github/skills/*/SKILL.md)Other:
.ps1,.sh,.py)Testing
Testing will be done when merged, to trigger this in a future PR.
Automated validation commands run and results:
npm run lint:md— Passed (pre-confirmed by author)npm run spell-check— Passed (pre-confirmed by author)npm run lint:frontmatter— Passednpm run validate:skills— Passednpm run lint:md-links— Passednpm run lint:ps— Passednpm run plugin:generate— PassedSecurity analysis: no secrets or sensitive data expose; the diff reinforces security posture by adding sensitive token exclusions and audit logging. No unintended file changes detected. Commit message follows conventional commits format.
Checklist
Required Checks
AI Artifact Contributions
/prompt-analyzeto review contributionprompt-builderreviewRequired Automated Checks
The following validation commands must pass before merging:
npm run lint:mdnpm run spell-checknpm run lint:frontmatternpm run validate:skillsnpm run lint:md-linksnpm run lint:psnpm run plugin:generateSecurity Considerations
Additional Notes
The
pr-review.lock.ymlfile is a compiler output (DO NOT EDITheader present). Reviewers should focus onpr-review.mdfor intent and treat the lock file diff as evidence of correct recompilation. The lock file accumulates several gh-aw v0.65.6 improvements (heredoc hardening, token exclusions, detection job extraction) as a natural consequence of the recompilation.