Skip to content

fix: correct bots: placement under on: for agent activation#65

Merged
microsasa merged 1 commit intomainfrom
fix/activation-roles-all
Mar 15, 2026
Merged

fix: correct bots: placement under on: for agent activation#65
microsasa merged 1 commit intomainfrom
fix/activation-roles-all

Conversation

@microsasa
Copy link
Owner

@microsasa microsasa commented Mar 15, 2026
edited
Loading

Closes #70
Related: #53

Problem

PR #64 added bots: [copilot-pull-request-reviewer] at the top level of the frontmatter in review-responder.md and quality-gate.md. The gh-aw compiler accepted this silently but did not emit GH_AW_ALLOWED_BOTS into the compiled lock files. Result: the pre_activation gate still checked only GH_AW_REQUIRED_ROLES: admin,maintainer,write, and the Copilot reviewer bot (which has no repo role) was blocked.

How check_membership.cjs works

From the gh-aw source (check_membership.test.cjs):

  1. Role check runs first — checks actor's repo permission against GH_AW_REQUIRED_ROLES
  2. If role check fails, falls back to GH_AW_ALLOWED_BOTS
  3. If actor is in the allowed bots list AND the bot is active/installed on the repo → authorized_bot

So GH_AW_ALLOWED_BOTS in the lock file is sufficient — no roles: all needed.

What this PR does

Moves bots: from top-level to under on: in both workflows:

Before (PR #64 — no effect):

on:
  pull_request_review:
    types: [submitted]

bots: [copilot-pull-request-reviewer]  # top-level — compiler ignores

Lock file: GH_AW_REQUIRED_ROLES: admin,maintainer,write only.

After (this PR):

on:
  pull_request_review:
    types: [submitted]
  bots: [copilot-pull-request-reviewer]  # under on: — compiles correctly

Lock file: GH_AW_REQUIRED_ROLES: admin,maintainer,write + GH_AW_ALLOWED_BOTS: copilot-pull-request-reviewer.

Companion repo setting change

This PR alone is not sufficient. GitHub Actions also has its own approval gate (action_required) for outside contributors that blocks workflow runs before any jobs execute. The repo setting "Approval for running fork pull request workflows" was changed to "Require approval for first-time contributors who are new to GitHub" (least restrictive option that still blocks suspicious new accounts). Additionally, "Allow GitHub Actions to create and approve pull requests" was enabled for the quality-gate agent to submit approval reviews.

Copilot AI review requested due to automatic review settings March 15, 2026 06:09
Copilot AI reviewed Mar 15, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the gh-aw “Review Responder” and “Quality Gate” workflows’ frontmatter to allow all roles and to constrain execution to the Copilot reviewer bot via compiled allowlisting behavior.

Changes:

  • Add roles: all alongside existing bots: [copilot-pull-request-reviewer] in the gh-aw workflow sources.
  • Re-compile gh-aw workflows, removing the prior pre_activation membership gate and wiring bot allowlisting via GH_AW_ALLOWED_BOTS.
  • Remove references to the deleted pre_activation outputs in the compiled workflows.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

File Description
.github/workflows/review-responder.md Adds roles: all in the gh-aw workflow frontmatter for PR review-triggered responder.
.github/workflows/review-responder.lock.yml Regenerated compiled workflow: drops pre_activation gating and adds GH_AW_ALLOWED_BOTS.
.github/workflows/quality-gate.md Adds roles: all in the gh-aw workflow frontmatter for PR review-triggered quality gate.
.github/workflows/quality-gate.lock.yml Regenerated compiled workflow: drops pre_activation gating and adds GH_AW_ALLOWED_BOTS.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

fix: add bots under on: for review-responder and quality-gate activation
88ca712 
Move bots: under on: so the compiler emits GH_AW_ALLOWED_BOTS in the
lock file. The check_membership.cjs script checks allowed bots alongside
required roles, letting the Copilot reviewer bot bypass the role gate.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@microsasa microsasa force-pushed the fix/activation-roles-all branch from e6c3b56 to 88ca712 Compare March 15, 2026 06:13
This was referenced Mar 15, 2026
Closed
Open
@microsasa microsasa changed the title fix: correct bots placement and add roles: all for agent activation fix: correct bots: placement under on: for agent activation Mar 15, 2026
@microsasa microsasa requested a review from Copilot March 15, 2026 16:18
Copilot AI reviewed Mar 15, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the gh-aw “Review Responder” and “Quality Gate” workflows to explicitly allow the copilot-pull-request-reviewer bot, ensuring these workflows can activate and run when triggered by bot-submitted PR reviews.

Changes:

  • Move bots: [copilot-pull-request-reviewer] into the on: block in the source workflow markdown files.
  • Regenerate compiled workflow lockfiles to include GH_AW_ALLOWED_BOTS in the relevant actions/github-script steps (e.g., sanitization and pre-activation membership checks).

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

File Description
.github/workflows/review-responder.md Adjusts frontmatter so the workflow declares the allowed bot trigger under on:.
.github/workflows/review-responder.lock.yml Compiled output updated to carry bot allowlist into runtime env (GH_AW_ALLOWED_BOTS).
.github/workflows/quality-gate.md Adjusts frontmatter so the workflow declares the allowed bot trigger under on:.
.github/workflows/quality-gate.lock.yml Compiled output updated to carry bot allowlist into runtime env (GH_AW_ALLOWED_BOTS).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@microsasa microsasa merged commit 70a35a1 into main Mar 15, 2026
17 of 25 checks passed
@microsasa microsasa deleted the fix/activation-roles-all branch March 15, 2026 16:26
@microsasa microsasa mentioned this pull request Mar 15, 2026
Closed
microsasa pushed a commit that referenced this pull request Mar 15, 2026
fix: use roles: all workaround for bot activation (gh-aw#21098)
f2a4b14 
check_membership.cjs has a bug where the error branch from a 404
(GitHub App actors are not users) exits before the bot allowlist
fallback is evaluated. This makes the bots: field ineffective.

Workaround: roles: all skips the permission check entirely so
check_membership.cjs is not included in pre_activation.

Previous attempts that didn't fix this:
- PR #64: bots: at top level (ignored by compiler)
- PR #65: bots: under on: (correct placement, but runtime bug)
- PR #72: added Copilot to bots list (correct actor, but bot check unreachable)

Tracked for removal when upstream is fixed: #74
Upstream bug: github/gh-aw#21098

Closes #75

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This was referenced Mar 15, 2026
Merged
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Fix incorrect bots: placement from PR #64

2 participants

@microsasa