feat(workflows): add maintainer-only skip-review label guard

[katriendg]

Description

Added a dual-condition skip-review noop guard to the agentic automated PR review workflow (pr-review.md). The guard calls noop and halts review when a PR carries the skip-review label and the author's association is MEMBER, OWNER, or COLLABORATOR. Requiring both conditions prevents any contributor from self-applying the label to bypass automated review: only maintainers qualify.

The lock file (pr-review.lock.yml) was recompiled from gh-aw v0.63.1 to v0.65.6, incorporating several security hardening and operational improvements alongside the feature change.

Core Feature

• Added skip-review label + privileged-association guard in pr-review.md — calls noop with "Skipping: skip-review label set by maintainer." when both conditions are met
  • Author association must be MEMBER, OWNER, or COLLABORATOR; label alone is insufficient to skip review

Security Hardening (Lock File Recompilation)

• Uniquified heredoc sentinels with hash suffixes (e.g., GH_AW_PROMPT_b4e589eddbf00c0a_EOF) to close a prompt-injection path where adversarial content could terminate heredocs prematurely
• Replaced --env-all with explicit --exclude-env COPILOT_GITHUB_TOKEN --exclude-env GITHUB_MCP_SERVER_TOKEN --exclude-env MCP_GATEWAY_API_KEY to follow least-privilege for sensitive tokens in the agent sandbox
• Added --audit-dir /tmp/gh-aw/sandbox/firewall/audit to the awf invocation; extended firewall artifact upload to include the audit path

Operational Improvements (Lock File Recompilation)

• Bumped gh-aw compiler v0.63.1 → v0.65.6; AWF binary v0.25.0 → v0.25.11; gh-aw-mcpg v0.2.4 → v0.2.11; Docker image tags updated atomically
• Several other changes based on the CLI update.

Dependency Lock

• Added SHA pin for github/gh-aw-actions/setup@v0.65.6 (31130b20a8fd3ef263acbe2091267c0aace07e09) in .github/aw/actions-lock.json

Related Issue(s)

Closes #1290

Type of Change

Select all that apply:

Code & Documentation:

• Bug fix (non-breaking change fixing an issue)
• New feature (non-breaking change adding functionality)
• Breaking change (fix or feature causing existing functionality to change)
• Documentation update

Infrastructure & Configuration:

• GitHub Actions workflow
• Linting configuration (markdown, PowerShell, etc.)
• Security configuration
• DevContainer configuration
• Dependency update

AI Artifacts:

• Reviewed contribution with prompt-builder agent and addressed all feedback
• Copilot instructions (.github/instructions/*.instructions.md)
• Copilot prompt (.github/prompts/*.prompt.md)
• Copilot agent (.github/agents/*.agent.md)
• Copilot skill (.github/skills/*/SKILL.md)

Note for AI Artifact Contributors:

• Agents: Research, indexing/referencing other project (using standard VS Code GitHub Copilot/MCP tools), planning, and general implementation agents likely already exist. Review .github/agents/ before creating new ones.
• Skills: Must include both bash and PowerShell scripts. See Skills.
• Model Versions: Only contributions targeting the latest Anthropic and OpenAI models will be accepted. Older model versions (e.g., GPT-3.5, Claude 3) will be rejected.
• See Agents Not Accepted and Model Version Requirements.

Other:

• Script/automation (.ps1, .sh, .py)
• Other (please describe):

Testing

Testing will be done when merged, to trigger this in a future PR.

Automated validation commands run and results:

• npm run lint:md — Passed (pre-confirmed by author)
• npm run spell-check — Passed (pre-confirmed by author)
• npm run lint:frontmatter — Passed
• npm run validate:skills — Passed
• npm run lint:md-links — Passed
• npm run lint:ps — Passed
• npm run plugin:generate — Passed

Security analysis: no secrets or sensitive data expose; the diff reinforces security posture by adding sensitive token exclusions and audit logging. No unintended file changes detected. Commit message follows conventional commits format.

Checklist

Required Checks

• Documentation is updated (if applicable) (N/A — changes are workflow source and compiler output only)
• Files follow existing naming conventions
• Changes are backwards compatible (if applicable)
• Tests added for new functionality (if applicable) (N/A — no test files changed)

AI Artifact Contributions

• Used /prompt-analyze to review contribution
• Addressed all feedback from prompt-builder review
• Verified contribution follows common standards and type-specific requirements

Required Automated Checks

The following validation commands must pass before merging:

• Markdown linting: npm run lint:md
• Spell checking: npm run spell-check
• Frontmatter validation: npm run lint:frontmatter
• Skill structure validation: npm run validate:skills
• Link validation: npm run lint:md-links
• PowerShell analysis: npm run lint:ps
• Plugin freshness: npm run plugin:generate

Security Considerations

• This PR does not contain any sensitive or NDA information
• Any new dependencies have been reviewed for security issues
• Security-related scripts follow the principle of least privilege (N/A — no security scripts modified)

Additional Notes

The pr-review.lock.yml file is a compiler output (DO NOT EDIT header present). Reviewers should focus on pr-review.md for intent and treat the lock file diff as evidence of correct recompilation. The lock file accumulates several gh-aw v0.65.6 improvements (heredoc hardening, token exclusions, detection job extraction) as a natural consequence of the recompilation.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.71%. Comparing base (84ddd5d) to head (18d0070).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1293      +/-   ##
==========================================
- Coverage   87.72%   87.71%   -0.02%     
==========================================
  Files          61       61              
  Lines        9320     9320              
==========================================
- Hits         8176     8175       -1     
- Misses       1144     1145       +1     

Flag	Coverage Δ
pester	85.31% <ø> (-0.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 1 file with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[github-actions]

Advisory review — this PR is from a maintainer. Findings are informational only.

---

Review Summary

This PR adds a dual-condition skip-review guard and recompiles pr-review.lock.yml from gh-aw v0.63.1 to v0.65.6. The changes are well-reasoned, correctly implemented, and include meaningful security hardening in the lock file recompilation.

---

Issue Alignment

The PR links Closes #1290. The described feature — a maintainer-only bypass using both a label and an elevated association check — is coherent and self-consistent. I could not verify the issue content directly due to an integrity-policy restriction, but the PR description is detailed enough to stand independently.

No scope creep detected; all three changed files relate directly to the stated feature.

---

PR Template Compliance

✅ Description section: thoroughly filled in, covering the core feature, security hardening, operational improvements, and dependency lock.
✅ Related Issue(s): Closes #1290 present.
✅ Type of Change: New feature and GitHub Actions workflow both checked and accurate — pr-review.md and pr-review.lock.yml are both under .github/workflows/.
✅ Testing section: describes deferral to a follow-up PR (acceptable given the setup required: a real PR with the label and a maintainer author).
✅ All Required Automated Checks marked as passed.
✅ Security Considerations: appropriate annotations — token exclusions and audit logging in the lock file actively improve security posture.
✅ AI Artifact checkboxes correctly left unchecked — pr-review.md is a workflow source file, not a Copilot agent/prompt/instructions file.

One minor note: the "Security-related scripts follow the principle of least privilege" checkbox is marked N/A ("no security scripts modified"). Technically the lock file changes do apply least-privilege principles (explicit --exclude-env flags for sensitive tokens). The N/A annotation is defensible since scripts/security/ was not touched, but the spirit of that check is clearly met by the changes.

---

Coding Standards

.github/workflows/pr-review.lock.yml — auto-generated (DO NOT EDIT); reviewed as evidence of correct recompilation rather than hand-authored code.

• All action SHA pins updated atomically and correctly formatted with inline version comments (# v0.65.6). ✅
• New detection job declares permissions: contents: read at job level — minimal privilege. ✅
• New checkout in detection job uses persist-credentials: false. ✅
• runs-on: ubuntu-latest throughout. ✅

.github/workflows/pr-review.md — the three added lines follow the existing bullet-list conventions and integrate cleanly with the draft-skip guard already present.

.github/aw/actions-lock.json — adds a single new SHA-pinned entry for github/gh-aw-actions/setup@v0.65.6. Format is consistent with the existing entries. ✅

---

Code Quality and Security

Core guard logic — the dual condition (label AND privileged association) is the right design. Requiring both conditions means label-only does not bypass review; only a maintainer who also applies the label gets the bypass. The noop message is clear and consistent in style with the draft guard above it.

Heredoc sentinel uniquification — replacing generic GH_AW_PROMPT_EOF with hash-suffixed sentinels (e.g., GH_AW_PROMPT_b4e589eddbf00c0a_EOF) closes a real prompt-injection path. ✅

--exclude-env for sensitive tokens — replacing bare --env-all with explicit exclusions for COPILOT_GITHUB_TOKEN, GITHUB_MCP_SERVER_TOKEN, and MCP_GATEWAY_API_KEY follows the principle of least privilege in the agent sandbox. ✅

--audit-dir — surfacing the firewall audit path into the artifact upload provides better forensic capability. ✅

Detection job extraction — moving threat detection into a dedicated job with needs: agent improves separation of concerns and reduces blast radius if detection fails. The job correctly inherits if: always() so it runs regardless of agent job outcome. ✅

---

Action Items

No required changes. One informational inline comment posted regarding the skip-review label prerequisite.

---

Review completed by the automated PR Review agent.

Note

🔒 Integrity filter blocked 1 item

The following item were blocked because they don't meet the GitHub integrity level.

• #1290 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

Generated by PR Review for issue #1293 · ● 1.8M