Updated CI so Copilot-created PRs can start without waiting for manual workflow approval#978
.github/workflows/ci.yml
Outdated
| jobs: | ||
| build_and_test_Windows: | ||
| name: "Windows: Build and Tests" | ||
| if: ${{ github.event_name != 'pull_request_target' || startsWith(github.actor, 'copilot') || github.actor == 'github-copilot[bot]' }} |
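Review bot: the if on the last line of this hunk trusts a prefix of github.actor, and startsWith(github.actor, 'copilot') is satisfied by any account whose login begins with "copilot"; github.actor is also whoever triggered the event (for a synchronize event, the pusher), not necessarily the PR author. Since pull_request_target runs with the base repository's secrets, gate on an exact login or numeric user id, or on a property an outsider cannot satisfy such as github.event.pull_request.head.repo.full_name == github.repository, rather than on a string prefix.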
Check failure
Code scanning / SonarCloud
Workflows should not rely on unverified GitHub context values to trust events High
.github/workflows/ci.yml
Outdated
|
|
||
| build_and_test_Linux: | ||
| name: "Linux: Build and Tests" | ||
| if: ${{ github.event_name != 'pull_request_target' || startsWith(github.actor, 'copilot') || github.actor == 'github-copilot[bot]' }} |
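Review bot: the Linux job repeats the same if expression verbatim as the Windows job, so the two gates can drift apart when one is fixed. Evaluate the trust decision once, in a small gate job whose output the build jobs consume via needs, so there is a single expression to review and a single place to tighten.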
Check failure
Code scanning / SonarCloud
Workflows should not rely on unverified GitHub context values to trust events High
Pull request overview
Updates the GitHub Actions CI workflow to allow Copilot-authored pull requests to run without waiting for manual workflow approval by introducing pull_request_target and gating execution.
Changes:
- Add pull_request_target trigger alongside expanded pull_request event types.
- Restrict workflow token permissions (contents: read) and adjust job execution conditions for pull_request_target.
- Update actions/checkout to pin to the PR head SHA and disable persisted credentials; skip SonarCloud secret checks/analysis for pull_request_target.
.github/workflows/ci.yml
Outdated
| jobs: | ||
| build_and_test_Windows: | ||
| name: "Windows: Build and Tests" | ||
| if: ${{ github.event_name != 'pull_request_target' || startsWith(github.actor, 'copilot') || github.actor == 'github-copilot[bot]' }} |
The job gate for pull_request_target is spoofable: startsWith(github.actor, 'copilot') would allow any user with a username like copilot-foo to run this workflow in the privileged pull_request_target context. Restrict this to an explicit allow-list of the exact bot account(s) (or a non-spoofable identifier like a known actor_id) to avoid a security bypass.
.github/workflows/ci.yml
Outdated
| - uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
| ref: ${{ github.event.pull_request.head.sha || github.sha }} |
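Review bot: on a pull_request_target run this step fetches the full history (fetch-depth: 0) and checks out github.event.pull_request.head.sha, so the build and test steps that follow execute code the PR author controls inside the base repository's workflow context; the job-level if is the only control between an external contributor and whatever secrets the jobs reference. Pinning the SHA rather than head.ref is the right call (it closes the window in which the branch could be force-pushed between trigger and checkout), but this hunk shows only fetch-depth and ref: confirm persist-credentials: false is set in the same with: block, as the PR overview claims, so the checkout token is not written into .git/config of a tree whose build scripts the author can edit.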
This actions/checkout now always checks out github.event.pull_request.head.sha for pull_request runs, which changes CI from testing the PR merge commit to testing only the PR head commit. That can miss integration failures that would occur after merging. Consider only overriding ref for pull_request_target runs (and keep the default merge ref for pull_request).
| ref: ${{ github.event.pull_request.head.sha || github.sha }} | |
| ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }} |
.github/workflows/ci.yml
Outdated
|
|
||
| build_and_test_Linux: | ||
| name: "Linux: Build and Tests" | ||
| if: ${{ github.event_name != 'pull_request_target' || startsWith(github.actor, 'copilot') || github.actor == 'github-copilot[bot]' }} |
The job gate for pull_request_target is spoofable: startsWith(github.actor, 'copilot') would allow any user with a username like copilot-foo to run this workflow in the privileged pull_request_target context. Restrict this to an explicit allow-list of the exact bot account(s) (or a non-spoofable identifier like a known actor_id) to avoid a security bypass.
| pull_request: | ||
| types: [opened, synchronize, reopened, edited] | ||
| pull_request_target: | ||
| types: [opened, synchronize, reopened, edited] |
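Review bot: the edited activity type fires when a PR's title, body or base branch changes, none of which alters the code, so every description edit costs a full Windows and Linux run, and with the same four types on both events each Copilot PR event is queued twice. Drop edited unless a job actually reads the PR metadata, and give pull_request_target a narrower types list than pull_request.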
This workflow triggers on both pull_request and pull_request_target. For Copilot-authored PRs, the jobs will run for both events (because the job if passes for pull_request and for pull_request_target), which can create duplicate CI runs and may still leave a blocked pull_request run “waiting for approval”. If the intent is to run only via pull_request_target for Copilot, add a complementary skip condition for the pull_request event (or split into separate workflows).
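The two problems raised in the comments above (the prefix-matched actor gate and the duplicate pull_request / pull_request_target runs), together with the checkout ref point from the earlier comment, in one workflow sketch. This is an added example, not the project's ci.yml and not Copilot's suggested change. REPLACE_BOT_LOGIN and 123456789 are placeholders for the bot account's exact login and numeric user id, which you would copy from one of its real PR payloads rather than guess, and the same-repository check assumes Copilot pushes its branches into this repository rather than a fork.

```yaml
# Added example, not the project's workflow. Placeholders: REPLACE_BOT_LOGIN
# and 123456789 stand for the bot's exact login and numeric user id as seen in
# github.event.pull_request.user.login / .id of one of its real PRs.
name: CI (gate example)

on:
  pull_request:
    types: [opened, synchronize, reopened]
  # No "edited": title/body edits change no code.
  pull_request_target:
    types: [opened, synchronize, reopened]

permissions:
  contents: read

jobs:
  # One trust decision, consumed by every build job via needs.
  gate:
    runs-on: ubuntu-latest
    outputs:
      run: ${{ steps.decide.outputs.run }}
    steps:
      # The gate proposed in the PR was a prefix test on the triggering actor:
      #   startsWith(github.actor, 'copilot') || github.actor == 'github-copilot[bot]'
      # A user who registers "copilot-anything" and opens a PR from a fork
      # satisfies startsWith() and lands in the privileged context. Instead:
      #  - pull_request:        run for everyone except the bot (it gets the
      #                         privileged path below, so no duplicate run);
      #  - pull_request_target: run only when the PR author is the exact bot
      #                         by login AND numeric id, and the head branch
      #                         lives in this repository, so nobody without
      #                         write access could have pushed the code.
      - id: decide
        if: >-
          ${{ (github.event_name == 'pull_request'
               && github.event.pull_request.user.login != 'REPLACE_BOT_LOGIN')
              || (github.event_name == 'pull_request_target'
                  && github.event.pull_request.user.login == 'REPLACE_BOT_LOGIN'
                  && github.event.pull_request.user.id == 123456789
                  && github.event.pull_request.head.repo.full_name == github.repository) }}
        run: echo "run=true" >> "$GITHUB_OUTPUT"

  build_and_test:
    needs: gate
    if: ${{ needs.gate.outputs.run == 'true' }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # pull_request keeps the default merge ref (github.sha is the merge
          # commit), so CI still tests the merge result; only pull_request_target,
          # whose default ref is the base branch, checks out the pinned head SHA.
          ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
          # Keep the token out of .git/config of a tree whose build scripts the
          # PR author controls.
          persist-credentials: false
      # Placeholder for the project's build/test steps.
      - run: dotnet test
```

The numeric id check matters because a login can be renamed and re-registered; the id cannot. If the bot's PRs ever come from a fork, the head.repo.full_name clause will block them, which is the intended failure mode: at that point the privileged path should be reviewed rather than widened.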
.github/workflows/ci.yml
Outdated
| - uses: actions/checkout@v4 | ||
|
|
||
| with: | ||
| ref: ${{ github.event.pull_request.head.sha || github.sha }} |
This actions/checkout now always checks out github.event.pull_request.head.sha for pull_request runs, which changes CI from testing the PR merge commit to testing only the PR head commit. That can miss integration failures that would occur after merging. Consider only overriding ref for pull_request_target runs (and keep the default merge ref for pull_request).
| ref: ${{ github.event.pull_request.head.sha || github.sha }} | |
| ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }} |
@copilot apply changes based on the comments in this thread |
… duplicate runs Agent-Logs-Url: https://github.com/zzzprojects/System.Linq.Dynamic.Core/sessions/632e64ac-9f3a-4306-8d7b-7a4d7692f107 Co-authored-by: StefH <249938+StefH@users.noreply.github.com>
Applied all changes from the review thread in commit
No description provided.