fix(workflows): gate pr-review-panel on panel-review label at pre-activation#948
Merged
danielmeppiel merged 1 commit intomainfrom Apr 26, 2026
Merged
Conversation
…ivation
The label-name guard previously lived inside the agent prompt as Step 0
('exit 0 if label != panel-review'). This had two failure modes:
1. EVERY label add on EVERY PR triggered the workflow, spent ~50s on
pre_activation + activation + apm bundle restore + agent container
spin-up, then asked the LLM to please exit early. Observed real
cost: PR #943 was labelled 'automation'/'testing' (never
'panel-review') and the agent ran for 5 min 12 s before stopping.
2. The 'exit 0' instruction was a prompt-level request to the LLM,
not a deterministic gate. An LLM that decides the PR diff is
interesting can ignore the instruction and proceed.
Fix: move the guard to gh-aw's 'on.steps:' (pre-activation step). When
the triggering label is not 'panel-review' (and the event is not
workflow_dispatch), the step exits 1 -> pre_activation job fails ->
all downstream jobs (activation, apm, agent) skip. Total cost when
filtered out: one ubuntu-slim runner for ~10s, no LLM, no bundle
restore.
gh-aw does not expose 'names:' on pull_request_target (verified at
compile time), so 'on.steps:' is the cheapest available gate. The
prompt's Step 0 is removed; a short note documents that filtering now
happens at the workflow level.
Lock file regenerated via 'gh aw compile pr-review-panel'.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR fixes the pr-review-panel agentic workflow so it only runs the expensive panel pipeline when the triggering label is panel-review, rather than on every label change. It does this by moving the label-name guard from the LLM prompt into gh-aw's on.steps: pre-activation hook, preventing APM restore and the agent container from starting on irrelevant labels.
Changes:
- Add a deterministic pre-activation
label_checkstep underon.steps:to gate execution topanel-review(or allow manualworkflow_dispatch). - Remove the prompt-embedded Step 0 label guard, replacing it with a short note pointing to the workflow-level gate.
- Regenerate the compiled workflow lock file to reflect the new pre-activation step and updated prompt content.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/pr-review-panel.md | Adds on.steps label gate and removes the prompt-level label guard instructions. |
| .github/workflows/pr-review-panel.lock.yml | Updates the compiled workflow to inject the label_check step into pre_activation and refreshes prompt/metadata hashes. |
Copilot's findings
- Files reviewed: 2/2 changed files
- Comments generated: 0
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
The
pr-review-panelworkflow was firing on every label change to every PR, not just when thepanel-reviewlabel was applied.The label-name guard lived inside the agent prompt as Step 0 ("exit 0 if label != panel-review"), which had two failure modes:
pre_activation+activation+ APM bundle restore + agent container spin-up (~50s) before the LLM was even prompted. Then it asked the LLM to please exit early.automation/testing(neverpanel-review); the agent ran for 5 min 12 s before stopping. That's a paid LLM call plus full container lifecycle for nothing.Fix
Move the guard to gh-aw's
on.steps:(pre-activation hook). The newlabel_checkstep:When the triggering label is not
panel-review, the step exits 1 -> thepre_activationjob fails -> all downstream jobs (activation,apm,agent,safe_outputs, etc.) skip. Total cost when filtered out: one ubuntu-slim runner for ~10s. No LLM, no bundle restore, no agent container.The redundant Step 0 is removed from the prompt body and replaced with a short note pointing at the workflow-level guard.
Why not
names:?gh-aw's
names:filter is documented to apply only topull_request,issues,discussion, andlabel_commandtriggers. Addingnames: [panel-review]topull_request_targetfails compilation:We need
pull_request_targetto retain secret access on fork PRs (so the agent can post the verdict comment).label_command:would auto-remove the label after activation, but it generatespull_request(notpull_request_target) -- same fork-secret problem.on.steps:is the documented escape hatch.Validation
gh aw compile pr-review-panelsucceeds with 0 errors / 0 warnings.label_checkstep present inpre_activationjob.microsoft/apm#main,roles: [admin, maintainer, write], no checkout of PR head.Test plan after merge
panel-review-> workflow should runpre_activationonly (~10s) and then skip everything else.panel-reviewlabel to a PR -> full panel runs as before.workflow_dispatchwith apr_numberinput -> still works (manual override path).Co-authored-by: Copilot 223556219+Copilot@users.noreply.github.com