[safeoutputs] Add pull_request_number and repo fields to create_pull_request_review_comment tool schema

[Copilot]

create_pull_request_review_comment was missing pull_request_number and repo from its input schema. With additionalProperties: false, agents couldn't include these fields even when they were needed — the handler requires pull_request_number when target: "*" is configured, and supports repo for cross-repo targets, but both were blocked by the schema.

Changes

• pkg/workflow/js/safe_outputs_tools.json — Added pull_request_number (number | string, optional) and repo (string, optional) to create_pull_request_review_comment properties; updated description to call out the target: "*" requirement
• actions/setup/js/safe_outputs_tools.json — Mirrored same changes to the runtime copy
• pkg/workflow/safe_output_validation_config.go — Added "pull_request_number": {OptionalPositiveInteger: true} to align with other PR-targeting tools (update_pull_request, push_to_pull_request_branch, add_reviewer, etc.)

"pull_request_number": {
  "type": ["number", "string"],
  "description": "Pull request number to add the review comment to. ... Required when the workflow target is '*' (any PR) — omitting it will cause the comment to fail."
},
"repo": {
  "type": "string",
  "description": "Target repository in 'owner/repo' format. If omitted, uses the configured target repository. Must be in the allowed-repos list if specified."
}

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

[Copilot]

Pull request overview

Adds support for specifying an explicit PR number when creating inline PR review comments, fixing cases where workflows target "*" (any PR) and the handler requires pull_request_number.

Changes:

• Added optional pull_request_number (number | string) to the create_pull_request_review_comment tool JSON schema (source + runtime copies) and clarified the "target: \"*\"" requirement in descriptions.
• Updated Go safe-output validation config to allow/validate pull_request_number for create_pull_request_review_comment.
• Regenerated/updated several workflow *.lock.yml files to reflect the tool schema + validation config changes.

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 9 comments.

Show a summary per file

File	Description
pkg/workflow/safe_output_validation_config.go	Allows pull_request_number in validation rules for create_pull_request_review_comment.
pkg/workflow/js/safe_outputs_tools.json	Adds pull_request_number to the tool schema and updates the tool description.
actions/setup/js/safe_outputs_tools.json	Mirrors the schema + description updates for runtime usage.
.github/workflows/smoke-copilot.lock.yml	Updates embedded tools/validation config to include pull_request_number.
.github/workflows/smoke-copilot-arm.lock.yml	Same as above for ARM smoke workflow lock.
.github/workflows/smoke-claude.lock.yml	Same as above for Claude smoke workflow lock.
.github/workflows/security-review.lock.yml	Same as above for security-review workflow lock.
.github/workflows/pr-nitpick-reviewer.lock.yml	Same as above for nitpick reviewer workflow lock.
.github/workflows/poem-bot.lock.yml	Same as above for poem-bot workflow lock.
.github/workflows/grumpy-reviewer.lock.yml	Same as above for grumpy-reviewer workflow lock.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[pelikhan]

@copilot review comments

[Copilot]

@copilot review comments

Added repo to the create_pull_request_review_comment input schema in both pkg/workflow/js/safe_outputs_tools.json and actions/setup/js/safe_outputs_tools.json (3a4eddd). The field was already supported by the handler and present in the validation config but was blocked by additionalProperties: false. All affected lock files have been regenerated.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw e17mAviFCL1i (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw -pack /home/REDACTED/work/gh-aw/gh-aw/cmd/gh-aw/main.go (http block)
• https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/a70c5eada06553e3510ac27f2c3bda9d3705bccb
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/a70c5eada06553e3510ac27f2c3bda9d3705bccb --jq .object.sha (http block)
• https://api.github.com/repos/githubnext/agentics/git/ref/tags/
  • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)