
refactoring: introduce shared/pr-review-base.md for PR code review workflows #29359

Merged: pelikhan merged 2 commits into main from copilot/refactor-shared-pr-review-base, Apr 30, 2026

Copilot AI commented Apr 30, 2026

Six PR/slash-command workflows duplicated the same guard policy, cli-proxy tool, and min-integrity config. This consolidates that pattern into a new shared component and migrates 5 workflows to use it.

New: shared/pr-review-base.md

Bundles github-guard-policy + pr-code-review-config + standard PR review tooling into a single import:

imports:
  - uses: shared/pr-review-base.md
    with:
      min-integrity: approved   # optional, defaults to "approved"

Provides: permissions: contents/pull-requests: read, tools: cli-proxy + github(min-integrity, pull_requests/repos toolsets), safe-outputs: noop.

Updated: shared/pr-code-review-config.md

Added max: 10 default to create-pull-request-review-comment (was unset).

Migrated workflows

| Workflow | Net change |
| --- | --- |
| grumpy-reviewer | Replaced 2 imports + explicit tool config; keeps max: 5 override |
| pr-nitpick-reviewer | Gains guard-policy (previously absent); removes duplicate cli-proxy |
| security-review | Gains guard-policy (previously absent); removes duplicate cli-proxy |
| refiner | Collapses github-guard-policy import + cli-proxy + min-integrity into base |
| pr-triage-agent | Same as refiner |

org-health-report was left unchanged — it uses github-guard-policy but has a different tool/permission shape that doesn't benefit from this base.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

If you need me to access, download, or install something from one of these locations, you can either:

@github-actions

Hey @Copilot 👋 — great initiative refactoring the shared PR review base! Consolidating github-guard-policy.md, pr-code-review-config.md, and the common safe-outputs across the 6 review workflows into a single shared/pr-review-base.md component is a solid DRY improvement.

A couple of things to address before this is ready for review:

  • No diff yet — the PR currently has zero changed files. The implementation still needs to be committed (create shared/pr-review-base.md and migrate the 6 workflows as outlined in the migration plan).
  • No tests — once the workflow files are in place, make sure make recompile runs cleanly and that lock files for each migrated workflow are updated/committed. If the repo has any schema validation or compile-check CI steps, ensure they pass.
  • Draft status — mark the PR as ready for review only after the implementation commits are pushed and CI is green.

When you're ready to proceed:

Implement the shared/pr-review-base.md refactor as described in PR #29359:
1. Create `shared/pr-review-base.md` with the import-schema, imports, permissions, tools, and safe-outputs block specified in the issue.
2. Migrate these 6 workflows to import the new shared component:
   - grumpy-reviewer.md
   - pr-nitpick-reviewer.md
   - security-review.md
   - refiner.md
   - pr-triage-agent.md
   - org-health-report.md
3. Remove the now-redundant guard-policy, pr-code-review-config, permissions, and safe-outputs blocks from each migrated workflow.
4. Run `make recompile` and commit any updated lock files.
5. Verify all 6 workflows still compile and produce correct output.

Generated by Contribution Check · ● 1.1M ·

Copilot AI changed the title from "[WIP] Introduce shared/pr-review-base.md for code review workflows" to "refactoring: introduce shared/pr-review-base.md for PR code review workflows" Apr 30, 2026
Copilot AI requested a review from gh-aw-bot April 30, 2026 17:38
@pelikhan marked this pull request as ready for review April 30, 2026 17:43
Copilot AI review requested due to automatic review settings April 30, 2026 17:43
@pelikhan merged commit ee73094 into main Apr 30, 2026
19 checks passed
@pelikhan deleted the copilot/refactor-shared-pr-review-base branch April 30, 2026 17:44
@github-actions bot mentioned this pull request Apr 30, 2026

Copilot AI left a comment

Pull request overview

Consolidates duplicated PR/slash-command workflow frontmatter (guard policy, PR review tooling, and safe-output defaults) into a shared base component and migrates several workflows to use it.

Changes:

  • Added shared/pr-review-base.md to bundle github-guard-policy, pr-code-review-config, and standard PR-review tooling behind a single import.
  • Updated shared/pr-code-review-config.md to set a default max: 10 for create-pull-request-review-comment.
  • Migrated grumpy-reviewer, pr-nitpick-reviewer, security-review, refiner, and pr-triage-agent to use the new base import (with regenerated lockfiles).

| File | Description |
| --- | --- |
| docs/src/content/docs/reference/frontmatter-full.md | Documents additional supported formats for safe-outputs.threat-detection and related fields. |
| .github/workflows/shared/pr-review-base.md | New shared base import bundling guard policy + PR review config + standard tooling. |
| .github/workflows/shared/pr-code-review-config.md | Sets default max review comments per run to 10. |
| .github/workflows/security-review.md | Switches to shared base import; removes duplicated tool/safe-output config. |
| .github/workflows/security-review.lock.yml | Regenerated compiled workflow lockfile after imports/tooling changes. |
| .github/workflows/refiner.md | Switches to shared base import (removes standalone guard/tool config). |
| .github/workflows/refiner.lock.yml | Regenerated compiled workflow lockfile after imports/tooling changes. |
| .github/workflows/pr-triage-agent.md | Switches to shared base import (removes standalone guard/tool config). |
| .github/workflows/pr-triage-agent.lock.yml | Regenerated compiled workflow lockfile after imports/tooling changes. |
| .github/workflows/pr-nitpick-reviewer.md | Switches to shared base import; removes duplicated tool/safe-output config. |
| .github/workflows/pr-nitpick-reviewer.lock.yml | Regenerated compiled workflow lockfile after imports/tooling changes. |
| .github/workflows/grumpy-reviewer.md | Switches to shared base import; keeps max: 5 override. |
| .github/workflows/grumpy-reviewer.lock.yml | Regenerated compiled workflow lockfile after imports/tooling changes. |

Copilot's findings

  • Files reviewed: 13/13 changed files
  • Comments generated: 3

Comment on lines +11 to +15
import-schema:
min-integrity:
type: string
default: "approved"
description: "Minimum integrity level required for tool access"
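Review bot: `min-integrity` is declared as a free-form `type: string`, so a misspelled or unintended level passed through `with:` is not rejected by this schema, and the value sets the floor for tool access in every workflow that imports the base. If import-schema can restrict a parameter to a fixed set of values, restrict it here; otherwise list the accepted levels in the `description` so a reviewer can spot a bad override.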
Comment on lines 10 to 16
imports:
- shared/github-guard-policy.md
- uses: shared/pr-review-base.md
with:
min-integrity: approved
tools:
cli-proxy: true
github:
min-integrity: approved
toolsets: [pull_requests, repos, issues]
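Review bot: the `toolsets: [pull_requests, repos, issues]` line includes `issues`, while the PR description says the base supplies only the pull_requests and repos toolsets. If the local `tools:` block is dropped in favour of the base import, this workflow loses `issues`; keep an explicit toolsets entry for it or confirm in the regenerated lockfile that the compiled toolset is unchanged. The same region also lists `shared/github-guard-policy.md` next to the base import that already bundles it, so check that only one of the two remains.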
Comment on lines 11 to 17
imports:
- shared/github-guard-policy.md
- uses: shared/pr-review-base.md
with:
min-integrity: approved
tools:
cli-proxy: true
github:
min-integrity: approved
toolsets: [pull_requests, repos, issues, labels]
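Review bot: `min-integrity: approved` appears twice in this region, once under `with:` on the base import and once under `tools.github`, which leaves two places where the integrity floor can be set and later drift apart. If a local `tools.github` block has to stay to carry the extra `issues` and `labels` toolsets, drop its own `min-integrity` and let the `with:` parameter be the single source, then verify the effective value in the regenerated lockfile.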
Development

Successfully merging this pull request may close these issues.

[refactoring] Introduce shared/pr-review-base.md for slash-command code review workflows

4 participants