Description
Problem
PR #64 added bots: [copilot-pull-request-reviewer] as a top-level frontmatter field in review-responder.md and quality-gate.md. This compiled without errors but had no effect — the compiled .lock.yml files did not contain GH_AW_ALLOWED_BOTS.
Root Cause
The bots: field must be placed under on:, not at the top level of the frontmatter. The gh-aw compiler silently accepts top-level bots: but only emits GH_AW_ALLOWED_BOTS into the lock file when bots: is nested under on:.
What PR #64 did (wrong):
    on:
      pull_request_review:
        types: [submitted]
    bots: [copilot-pull-request-reviewer]  # top-level — ignored by compiler

Lock file result: GH_AW_REQUIRED_ROLES: admin,maintainer,write only — no GH_AW_ALLOWED_BOTS.
What is correct:
    on:
      pull_request_review:
        types: [submitted]
      bots: [copilot-pull-request-reviewer]  # under on: — compiles into GH_AW_ALLOWED_BOTS

Lock file result: GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_ALLOWED_BOTS: copilot-pull-request-reviewer.
How check_membership.cjs works
From the gh-aw test suite (check_membership.test.cjs):
- Role check runs first — checks GH_AW_REQUIRED_ROLES against the actor's repo permission
- If role check fails (Copilot bot has no repo role), it falls back to GH_AW_ALLOWED_BOTS
- If the actor is in the allowed bots list AND the bot is active/installed on the repo → authorized_bot
So bots: under on: is sufficient — no roles: all needed.
Fix
PR #65 corrects the placement. When merged, it overwrites PR #64's changes with the correct config.
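
Because the compiler accepts the misplaced field silently, a check on the source and lock file pair can catch this before merge. The following is an added example, not code from gh-aw or from either PR; it assumes the workflow sources are Markdown files with `---`-delimited YAML frontmatter, and the function names and sample strings are constructed for illustration.

```python
# Added example: lint for the misplacement described above (not gh-aw code).
# Assumes workflow sources are Markdown with '---'-delimited YAML frontmatter.

def frontmatter(md_text):
    """Return the lines between the opening and closing '---' markers."""
    lines = md_text.splitlines()
    if not lines or lines[0].strip() != "---":
        return []
    for i in range(1, len(lines)):
        if lines[i].strip() == "---":
            return lines[1:i]
    return []

def bots_placement(md_text):
    """Return 'top_level', 'under_on', or None for where bots: is declared."""
    parent, child_indent = None, None
    for line in frontmatter(md_text):
        body = line.strip()
        if not body or body.startswith("#") or ":" not in body:
            continue
        indent = len(line) - len(line.lstrip())
        key = body.split(":", 1)[0].strip("'\"")
        if indent == 0:
            parent, child_indent = key, None
            if key == "bots":
                return "top_level"
        elif parent == "on":
            if child_indent is None:
                child_indent = indent  # indent of on:'s direct children
            if key == "bots" and indent == child_indent:
                return "under_on"
    return None

def lint(md_text, lock_text):
    """Findings for one source/lock pair; an empty list means consistent."""
    findings = []
    where = bots_placement(md_text)
    if where == "top_level":
        findings.append("bots: is top-level; move it under on:")
    if where and "GH_AW_ALLOWED_BOTS" not in lock_text:
        findings.append("lock file has no GH_AW_ALLOWED_BOTS")
    return findings

# Constructed samples mirroring the two layouts and lock results on this page.
HEAD = "---\non:\n  pull_request_review:\n    types: [submitted]\n"
WRONG_MD = HEAD + "bots: [copilot-pull-request-reviewer]\n---\n# body\n"
RIGHT_MD = HEAD + "  bots: [copilot-pull-request-reviewer]\n---\n# body\n"
WRONG_LOCK = "GH_AW_REQUIRED_ROLES: admin,maintainer,write\n"
RIGHT_LOCK = WRONG_LOCK + "GH_AW_ALLOWED_BOTS: copilot-pull-request-reviewer\n"
```

Calling `lint` on each workflow source and its compiled lock file in CI turns the silent no-op into a failing check.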