
feat(guard): elevate trusted first-party bot integrity to approved#2144

Merged: lpcox merged 1 commit into main from feat/trusted-bot-integrity on Mar 19, 2026

Conversation

@lpcox lpcox commented Mar 19, 2026

Summary

Objects authored by trusted first-party GitHub bots now receive approved (writer) integrity regardless of their author_association value from the GitHub API.

Problem

Bot-authored issues, PRs, and commits were receiving baseline none integrity because their author_association from the GitHub API is typically NONE. This caused them to be incorrectly blocked by guard policies with min-integrity settings above none.

For example, with min-integrity: merged, all dependabot PRs and github-actions issues were filtered out — even though these bots are trusted platform services explicitly configured by repo admins.

Solution

Introduced is_trusted_first_party_bot() to identify 4 GitHub platform bots:

Bot                       Service
dependabot[bot]           GitHub dependency updater
github-actions[bot]       GitHub Actions workflow actor (GITHUB_TOKEN)
github-merge-queue[bot]   GitHub merge queue automation
copilot                   GitHub Copilot AI assistant

These bots receive approved (writer) integrity because:

  1. Their presence requires explicit admin configuration
  2. They are GitHub first-party platform services (no supply-chain risk)
  3. Their actions carry implicit admin endorsement

Changes

helpers.rs

  • Added is_trusted_first_party_bot() — narrow 4-bot detection (exact match)
  • Added extract_author_login() — checks user.login (issues/PRs) and author.login (commits)
  • Modified author_association_floor() — checks for trusted bots before falling back to author_association
  • Kept existing is_bot() for broad bot detection (unchanged)

backend.rs

  • Added author_login: Option<String> to PullRequestFacts
  • Added IssueAuthorInfo struct with author_association + author_login
  • Added get_issue_author_info() / get_issue_author_info_with_callback() for request-time bot detection

tool_rules.rs

  • Updated issue path (get_issue/issue_read) to use get_issue_author_info and check trusted bot status
  • Updated PR path (get_pull_request/pull_request_read) to check facts.author_login for trusted bots

Tests (155 new lines)

  • test_trusted_first_party_bot_detection — all 4 bots detected, case-insensitive, third-party bots excluded
  • test_trusted_bot_issue_integrity_public_repo — all 4 bots get approved on public repos
  • test_trusted_bot_pr_integrity_public_repo — bot PRs get approved, merged bot PRs get merged
  • test_trusted_bot_commit_integrity — bot commits get approved/merged based on branch

Design Decisions

  • Narrow trust list: Only 4 first-party GitHub bots — third-party bots (renovate, codecov, etc.) should be handled via policy configuration
  • Exact match: dependabot[bot] (not just dependabot) to avoid false positives
  • Two code paths covered: Both response-time filtering (author_association_floor) and request-time labeling (tool_rules.rs)
  • No behavior change for non-bot users: Existing author_association logic unchanged

Objects authored by trusted first-party GitHub bots now receive
approved (writer) integrity regardless of their author_association
value from the GitHub API. This ensures that bot-authored issues,
PRs, and commits are not incorrectly blocked by guard policies
with min-integrity settings above none.

Trusted first-party bots:
- dependabot[bot]: GitHub dependency updater
- github-actions[bot]: GitHub Actions workflow actor (GITHUB_TOKEN)
- github-merge-queue[bot]: GitHub merge queue automation
- copilot: GitHub Copilot AI assistant

These bots are platform services whose presence requires explicit
admin configuration, providing the trust signal for elevation.

Changes:
- Add is_trusted_first_party_bot() in helpers.rs (narrow 4-bot list)
- Modify author_association_floor() to check user.login/author.login
  for trusted bots before falling back to author_association
- Add author_login to PullRequestFacts and new IssueAuthorInfo struct
  in backend.rs for request-time bot detection
- Update tool_rules.rs issue and PR paths to check author_login
- Add comprehensive tests for all 4 bots across issues, PRs, commits
  on both public and private repos

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings March 19, 2026 04:28
@lpcox lpcox merged commit efd5a2a into main Mar 19, 2026
13 checks passed
@lpcox lpcox deleted the feat/trusted-bot-integrity branch March 19, 2026 04:32
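The "association + optional login => floor integrity" step the PR describes, as an added example that is not the guard's own code. It models the allow-list and the elevation with a constructed Integrity ordering; the association-to-floor mapping, the type names and the extra `kind == "Bot"` requirement (the GitHub user object's `type` field, which the PR's login-only check does not consult) are assumptions.

```rust
// Added example (not the guard's own code): author_association plus an
// optional author login yields an integrity floor. Type names, the
// association mapping and the `kind` check are assumptions.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Integrity {
    None,     // baseline, e.g. author_association NONE
    Approved, // writer integrity
    Merged,   // merged PR / default-branch commit
}

/// Constructed subset of the GitHub API user object. `kind` mirrors the
/// `type` field ("User" or "Bot"); requiring it goes beyond the PR's check.
pub struct Author<'a> {
    pub login: &'a str,
    pub kind: &'a str,
}

/// The PR's narrow allow-list, compared exactly after lowercasing.
pub const TRUSTED_BOTS: [&str; 4] = [
    "dependabot[bot]",
    "github-actions[bot]",
    "github-merge-queue[bot]",
    "copilot",
];

pub fn is_trusted_first_party_bot(author: &Author) -> bool {
    let lower = author.login.to_lowercase();
    author.kind == "Bot" && TRUSTED_BOTS.contains(&lower.as_str())
}

/// Assumed baseline: repo owners, members and collaborators are writers.
fn association_floor(assoc: Option<&str>) -> Integrity {
    match assoc {
        Some("OWNER") | Some("MEMBER") | Some("COLLABORATOR") => Integrity::Approved,
        _ => Integrity::None,
    }
}

/// Floor for an issue, PR or commit: the association floor, raised to
/// Approved for a trusted bot and to Merged once the object is merged.
pub fn integrity_floor(assoc: Option<&str>, author: Option<&Author>, merged: bool) -> Integrity {
    let mut floor = association_floor(assoc);
    if author.map_or(false, is_trusted_first_party_bot) {
        floor = floor.max(Integrity::Approved);
    }
    if merged {
        floor = floor.max(Integrity::Merged);
    }
    floor
}
```

A `min-integrity: merged` policy compares the returned floor against `Integrity::Merged`, so an unmerged dependabot PR now lands at Approved instead of None.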
Copilot AI left a comment

Pull request overview

This PR updates the GitHub guard’s integrity labeling so that objects authored by specific trusted first-party GitHub bots are treated as approved/writer integrity even when the GitHub API reports author_association: NONE, preventing them from being incorrectly filtered by min-integrity guard policies.

Changes:

  • Added trusted first-party bot detection and elevated integrity floor logic in label helpers.
  • Extended backend fact fetching to include author_login for PRs and issues, and used it in tool-time labeling rules.
  • Added unit tests validating trusted-bot detection and integrity elevation for issues/PRs/commits.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File                                                      Description
guards/github-guard/rust-guard/src/labels/helpers.rs      Adds is_trusted_first_party_bot and uses author login to elevate integrity floors for trusted bots.
guards/github-guard/rust-guard/src/labels/backend.rs      Extends PR facts with author_login and introduces IssueAuthorInfo + fetch helper for issue author login/association.
guards/github-guard/rust-guard/src/labels/tool_rules.rs   Uses fetched author login in request-time labeling to elevate trusted bot issues/PRs to writer integrity.
guards/github-guard/rust-guard/src/labels/mod.rs          Adds tests for trusted bot detection and integrity elevation behavior.
Comments suppressed due to low confidence (2)

guards/github-guard/rust-guard/src/labels/tool_rules.rs:116

  • The trusted-bot elevation logic is now implemented in multiple places (author_association_floor() plus the request-time issue/PR paths here). To reduce the risk of future divergence, consider factoring the “association + optional login => floor integrity” calculation into a single helper that both response labeling and tool_rules can reuse.
                        let mut floor = author_association_floor_from_str(
                            repo_id,
                            info.author_association.as_deref(),
                            ctx,
                        );
                        // Elevate trusted first-party bots to approved
                        if let Some(ref login) = info.author_login {
                            if is_trusted_first_party_bot(login) {
                                floor = max_integrity(
                                    repo_id,
                                    floor,
                                    writer_integrity(repo_id, ctx),
                                    ctx,
                                );
                            }
                        }
                        integrity = max_integrity(repo_id, integrity, floor, ctx);

guards/github-guard/rust-guard/src/labels/tool_rules.rs:117

  • The trusted-bot elevation logic on the request-time issue path isn’t covered by unit tests today (existing apply_tool_labels tests don’t assert integrity for get_issue/issue_read because the backend call can’t be mocked). Consider refactoring apply_tool_labels to accept an injectable backend callback (similar to *_with_callback helpers) so you can add a deterministic test that a trusted bot issue yields writer integrity when author_association is NONE.
                    if let Some(info) =
                        super::backend::get_issue_author_info(&owner, &repo, &issue_num)
                    {
                        let mut floor = author_association_floor_from_str(
                            repo_id,
                            info.author_association.as_deref(),
                            ctx,
                        );
                        // Elevate trusted first-party bots to approved
                        if let Some(ref login) = info.author_login {
                            if is_trusted_first_party_bot(login) {
                                floor = max_integrity(
                                    repo_id,
                                    floor,
                                    writer_integrity(repo_id, ctx),
                                    ctx,
                                );
                            }
                        }
                        integrity = max_integrity(repo_id, integrity, floor, ctx);
                    }


Comment on lines +152 to +162
// Elevate trusted first-party bots to approved
if let Some(ref login) = facts.author_login {
if is_trusted_first_party_bot(login) {
integrity = max_integrity(
repo_id,
integrity,
writer_integrity(repo_id, ctx),
ctx,
);
}
}
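Review bot: this PR-path block folds the elevation straight into `integrity`, while the issue path in the suppressed comments above first builds a `floor` from `author_association_floor_from_str` and then merges it; the result is the same under `max_integrity`, but the two paths already differ in shape, which is the divergence the first suppressed comment warns about. Suggest moving both into one helper taking `(association, Option<login>)` and returning the floor, so the PR and issue paths call identical code.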
Comment on lines +879 to +885
pub fn is_trusted_first_party_bot(username: &str) -> bool {
let lower = username.to_lowercase();
lower == "dependabot[bot]"
|| lower == "github-actions[bot]"
|| lower == "github-merge-queue[bot]"
|| lower == "copilot"
}
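Review bot: the allow-list keys on a lowercased login string alone, with `copilot` carrying no `[bot]` suffix; the GitHub user object the backend already reads for `login` also exposes `type` (`"Bot"` for app accounts), so consider requiring that field as well before elevating, so that only an actual bot account can satisfy the match. Separately, `github-actions[bot]` authorship only shows that some workflow in the repository ran under `GITHUB_TOKEN`, including workflows that pull in third-party actions, so the description's "no supply-chain risk" is stronger than what this login proves; worth stating that assumption in the doc comment or leaving that entry to policy configuration like the third-party bots.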