Commit d28b8e8

Add PR Tooling Safety Check — scanner for detecting changes in design/build/agentic-time behavior (#19680)
* Add LabelOps PR security scan workflow

Hourly text-only scan of external PRs. Reads diff, classifies risk into categories (build infra, compiler output, bootstrap, prompt injection, supply chain, scope mismatch), and labels accordingly. Never checks out or builds PR code.
1 parent ca489a6 commit d28b8e8

3 files changed

Lines changed: 1409 additions & 0 deletions

Lines changed: 31 additions & 0 deletions
@@ -0,0 +1,31 @@
1+
# Repo-specific rules for PR Tooling Safety Check
2+
# Read by the labelops-pr-security-scan workflow at runtime.
3+
# Edit this file to customize for your repo.
4+
5+
## Repo context
6+
7+
This is the dotnet/fsharp repository — the F# compiler, core library, and tooling. The compiler builds itself (bootstrap): a PROTO compiler builds the new compiler, which then builds everything else.
8+
9+
## Non-fork bypass
10+
11+
If the PR's head repository is `dotnet/fsharp` (not a fork), apply `AI-Tooling-Check-Bypassed`. This means the author has write access to the repo. Full scans are only for **fork PRs** where the contributor has no repo permissions.
12+
13+
Compare the `headRepository.owner.login` and `headRepository.name` fields from the GitHub API — not the author's username, not the PR title/body.
14+
15+
## Repo-specific categories
16+
17+
<category name="Affects-Bootstrap">
18+
PR modifies anything in the compiler bootstrap chain. This repo's compiler builds itself — a PROTO compiler builds the new compiler, which then builds everything else. Any change that could influence which compiler binary is used, how the bootstrap stages work, or what tools (lexer/parser generators) produce during bootstrap belongs here.
19+
</category>
20+
21+
<category name="Affects-Compiler-Output">
22+
PR modifies anything that controls what bytes end up in compiled binaries — IL emission, code generation, binary serialization, or MSBuild tasks that ship with the compiler SDK. If the change could make compiled output differ from what a source review suggests, flag it.
23+
</category>
24+
25+
<category name="Affects-Design-Time">
26+
PR modifies anything that executes code at design time — type provider infrastructure (which loads and runs arbitrary assemblies), the `#r "nuget:..."` dependency manager (which resolves and loads packages at runtime in FSI), or IDE integration that runs code when a project is opened.
27+
</category>
28+
29+
<category name="Affects-Test-Tooling">
30+
PR modifies test infrastructure that controls how tests are built, discovered, or executed — not individual test cases. Changes to test runner configuration, test framework code that spawns external processes, or end-to-end build test infrastructure belong here. Adding a new test helper method or test case does not.
31+
</category>
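Review bot: The "Non-fork bypass" section and the header comment "Read by the labelops-pr-security-scan workflow at runtime" should state explicitly that the rules file is read from the base branch, never from the PR head; as written, a reader cannot tell that a fork PR editing this very file cannot relax its own scan, and the commit message's "Never checks out or builds PR code" is the only hint. For the same reason, consider adding a sentence (or a category) saying that any PR touching this rules file or the scan workflow itself is in scope, since such a change alters scanner behavior just as the "Affects-Bootstrap" and "Affects-Test-Tooling" categories do for build and test tooling. The bypass rule itself is sound in comparing `headRepository.owner.login` and `headRepository.name` rather than the author or PR text; it would be clearer to say the comparison must match both fields exactly (case-insensitively, as GitHub treats owner and repo names) so a similarly named fork is not mistaken for the base repo. Finally, the four categories describe intent well but name no concrete directories or file globs; listing the paths that make up the bootstrap chain, IL emission, type provider infrastructure and test runner configuration would make the classifications reproducible rather than dependent on the scanner's reading of prose.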
