
fix: enforce draft as policy in create-pull-request, not agent-overridable fallback #20608

Merged
pelikhan merged 2 commits into main from copilot/fix-draft-configuration-issue
Mar 12, 2026


Copilot AI commented Mar 11, 2026

safe-outputs.create-pull-request.draft was treated as a default rather than a policy — the agent could include "draft": true in its message to bypass a draft: false config, violating the Layer 1 security architecture.

Changes

  • create_pull_request.cjs: Always use draftDefault (from config); emit core.warning when the agent message contains a draft value that conflicts with config — consistent with how autoMerge and allowEmpty already work:
// Before — agent value wins
const draft = pullRequestItem.draft !== undefined ? pullRequestItem.draft : draftDefault;

// After — config is the policy
const draft = draftDefault;
if (pullRequestItem.draft !== undefined && pullRequestItem.draft !== draftDefault) {
  core.warning(`Agent requested draft: ${pullRequestItem.draft}, but configuration enforces draft: ${draftDefault}. ...`);
}
  • create_pull_request.test.cjs: 5 integration tests calling main() end-to-end verifying github.rest.pulls.create receives the config-enforced draft value and that the warning fires only on genuine override attempts.
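The policy-over-agent rule described above, generalized to the three fields the description names, as an added example that is not code from this PR or its repository. The config shape, the fallback values, the function name `resolvePolicyFields` and the sample agent messages are assumptions made for illustration.

```javascript
// Added illustration; not code from the repository discussed in this PR.
// draft / autoMerge / allowEmpty are named on the page; the config shape,
// the fallback values and the function name are assumptions for this example.
const POLICY_FALLBACKS = { draft: true, autoMerge: false, allowEmpty: false };

function resolvePolicyFields(config, agentItem, warn) {
  const effective = {};
  for (const [field, fallback] of Object.entries(POLICY_FALLBACKS)) {
    // The effective value comes from config only; the agent message is never consulted.
    const enforced = typeof config[field] === "boolean" ? config[field] : fallback;
    effective[field] = enforced;

    // The agent value is read solely to report a conflict. Own-property check
    // so inherited keys on the parsed object are not mistaken for a request.
    const requested = Object.prototype.hasOwnProperty.call(agentItem, field)
      ? agentItem[field]
      : undefined;
    if (requested !== undefined && requested !== enforced) {
      warn(
        `Agent requested ${field}: ${JSON.stringify(requested)}, ` +
          `but configuration enforces ${field}: ${enforced}.`
      );
    }
  }
  return effective;
}

// Constructed agent messages (untrusted JSON), checked against one config.
function demo() {
  const config = { draft: false };
  const messages = [
    '{"title":"Update docs","draft":true}', // override attempt
    '{"title":"Update docs","draft":false}', // agrees with config
    '{"title":"Update docs","draft":"true","autoMerge":true}', // wrong type + override
    '{"title":"Update docs"}', // no policy fields at all
  ];
  return messages.map(raw => {
    const warnings = [];
    const effective = resolvePolicyFields(config, JSON.parse(raw), m => warnings.push(m));
    return { effective, warnings };
  });
}

console.log(JSON.stringify(demo(), null, 2));
```
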


…llback

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix issue with draft PR configuration being ignored" to "fix: enforce draft as policy in create-pull-request, not agent-overridable fallback" Mar 12, 2026
@pelikhan pelikhan marked this pull request as ready for review March 12, 2026 00:18
Copilot AI review requested due to automatic review settings March 12, 2026 00:18

Copilot AI left a comment


Pull request overview

This PR ensures create-pull-request treats draft as a config-enforced policy (not an agent-overridable fallback) and adds end-to-end tests to prevent regressions.

Changes:

  • Enforce draft strictly from config (draftDefault) and emit a warning when the agent attempts to override it.
  • Add integration-style tests verifying github.rest.pulls.create receives the config-enforced draft value and that warnings only occur on override attempts.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| actions/setup/js/create_pull_request.cjs | Enforces config-controlled draft policy and warns on agent override attempts. |
| actions/setup/js/create_pull_request.test.cjs | Adds tests covering draft policy enforcement and warning behavior. |


Comment on lines +11 to +20
let tempDir;
let originalEnv;

beforeEach(() => {
originalEnv = { ...process.env };
process.env.GH_AW_WORKFLOW_ID = "test-workflow";
process.env.GITHUB_REPOSITORY = "test-owner/test-repo";
process.env.GITHUB_BASE_REF = "main";
tempDir = fs.mkdtempSync(path.join(os.tmpdir(), "create-pr-draft-test-"));
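Review bot: the beforeEach at the end of this snippet overwrites GH_AW_WORKFLOW_ID, GITHUB_REPOSITORY and GITHUB_BASE_REF on the shared process.env, and the originalEnv = { ...process.env } snapshot only helps if a matching afterEach puts those values back, which these lines do not show. Worth confirming that the teardown restores or deletes the three keys individually rather than assigning the plain-object copy to process.env, so later suites see neither leaked values nor a replaced env object.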


Copilot AI Mar 12, 2026


tempDir is created and cleaned up in this test suite, but it is never used (no files are written there and the process CWD isn’t changed). This adds unnecessary setup/teardown work and can be removed, or alternatively use it to write a real patch if the intent was to exercise the filesystem path.

@pelikhan pelikhan merged commit 3dc6207 into main Mar 12, 2026
111 checks passed
@pelikhan pelikhan deleted the copilot/fix-draft-configuration-issue branch March 12, 2026 00:24
github-actions bot added a commit that referenced this pull request Mar 12, 2026
- Add add-wizard command to CLI reference with --skip-secret flag (#20598)
- Document that Codex web-search is disabled by default (#20607)
- Clarify that draft is a configuration policy in create-pull-request (#20608)
- Document compile-time warnings for push-to-pull-request-branch with target: "*" (#20580)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Development

Successfully merging this pull request may close these issues.

safe-outputs.create-pull-request.draft: false is ignored when agent specifies draft: true
