Filter out approving review from pr-reviewer agent#13553
Merged
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Updates the GitHub Agentic Workflows configuration to prevent the PR review agent from submitting APPROVE reviews by restricting the allowed review events for the submit-pull-request-review safe-output tool.
Changes:
- Add
allowed-events: [COMMENT, REQUEST_CHANGES]tosubmit-pull-request-reviewsafe-outputs configuration. - Regenerate the
review.agentandreview-on-opencompiled lock workflows to carry the new safe-outputs constraint through to runtime config. - (Unrelated) Change the scheduled cron time in
close-stale-prs.agent.lock.yml.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/shared/review-shared.md | Restricts submit-pull-request-review to non-approving events. |
| .github/workflows/review.agent.lock.yml | Regenerated lock file reflecting the updated safe-outputs config (allowed_events). |
| .github/workflows/review-on-open.agent.lock.yml | Regenerated lock file reflecting the updated safe-outputs config (allowed_events). |
| .github/workflows/close-stale-prs.agent.lock.yml | Cron schedule changed (appears unrelated to the PR goal). |
Copilot's findings
- Files reviewed: 4/4 changed files
- Comments generated: 1
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Expert Review — PR #13553: Filter out approvals from pr-reviewer agent
Dimension Summary
| # | Dimension | Verdict | Notes |
|---|---|---|---|
| 1 | Backwards Compatibility | ✅ LGTM | review-shared.md already said "Never use APPROVE"; this adds enforcement. No workflow relied on the APPROVE path. |
| 10 | Design Before Implementation | ✅ LGTM | Correct abstraction — enforcement at the safe-outputs config layer, complementing existing prompt guidance. Both config locations (config.json + env var) updated consistently. |
| 19 | Build Infrastructure Care | ✅ LGTM | Lock file artifacts (hashes, heredoc markers) are expected recompilation side effects. close-stale-prs correctly omitted from allowed_events change (it has no submit_pull_request_review tool). |
| 20 | Scope & PR Discipline | Cron schedule change in close-stale-prs.agent.lock.yml ("18 11 * * 1" → "19 21 * * 1") is unrelated to the stated PR goal. However, the source .agent.md was not modified — this is a lock-file recompilation artifact where the "(scattered)" cron gets re-randomized. Not a true scope violation. |
|
| 22 | Correctness & Edge Cases | ✅ LGTM | allowed_events: ["COMMENT","REQUEST_CHANGES"] applied consistently in all 4 locations (2 files × 2 config points). JSON is valid. Event type names are correct GitHub API values. close-stale-prs correctly excluded. |
| 24 | Security Awareness | ✅ LGTM | Positive security improvement. Removes a concrete prompt-injection vector where malicious PR content could trick the AI into approving. Defense-in-depth: enforced at both config file and env var levels, not just prompt instructions. |
Dimensions N/A (C#-specific, not applicable to workflow YAML)
2 (ChangeWave), 3 (Performance), 5 (Error Messages), 6 (Logging), 7 (String Comparison), 8 (API Surface), 9 (Target Authoring), 11 (Cross-Platform), 13 (Concurrency), 14 (Naming), 15 (SDK Integration), 16 (Idiomatic C#), 17 (File I/O), 18 (Documentation), 21 (Evaluation Model), 23 (Dependencies)
Key Observations
- Completeness verified: All files containing
submit_pull_request_reviewconfig are updated.close-stale-prscorrectly excluded (usesclose_pull_request+add_comment, not review tools). - Cron scatter: The cron change in
close-stale-prs.agent.lock.ymlis a harmless recompilation artifact — the source.agent.mdwas not modified. - No issues found that would warrant requesting changes.
Overall: Clean, focused security improvement. LGTM.
Note
🔒 Integrity filter blocked 2 items
The following items were blocked because they don't meet the GitHub integrity level.
- #13553
pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved". - #13553
pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
To allow these resources, lower min-integrity in your GitHub frontmatter:
tools:
github:
min-integrity: approved # merged | approved | unapproved | noneGenerated by Expert Code Review (on open) for issue #13553 · ● 4.1M
ViktorHofer
approved these changes
Apr 16, 2026
This was referenced Apr 20, 2026
This was referenced Jun 10, 2026
This was referenced Jun 11, 2026
Merged
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Follow up of #13512
Context
PR review agent is now prevented from approving PR reviews