Skip to content

Commit c02894b

Browse files
imran-siddiqueCopilot
imran-siddique
and
Copilot
authored
feat(ci): add contributor reputation check workflow (#1520)
Add automated contributor reputation screening on PR/issue open events using AGT's pip-installable CLI tools. Detects coordinated inauthentic contribution patterns (credential laundering, spray-and-pray). - Installs via pip (pinned to agent-governance-toolkit==3.3.0) - Uses jq for JSON parsing - Fails closed: UNKNOWN risk maps to MEDIUM - Posts risk summary comment on MEDIUM/HIGH with link to workflow run - Adds needs-review label for maintainer attention Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent ebd2249 commit c02894b

1 file changed

Lines changed: 152 additions & 0 deletions

File tree

.github/workflows/contributor-check.yml

Lines changed: 152 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,152 @@
1+
name: Contributor Reputation Check
2+
3+
on:
4+
pull_request_target:
5+
types: [opened]
6+
issues:
7+
types: [opened]
8+
9+
permissions:
10+
contents: read
11+
issues: write
12+
pull-requests: write
13+
14+
jobs:
15+
check:
16+
runs-on: ubuntu-latest
17+
if: >-
18+
github.actor != 'dependabot[bot]' &&
19+
github.actor != 'github-actions[bot]' &&
20+
github.actor != 'copilot-swe-agent[bot]'
21+
steps:
22+
- name: Setup Python
23+
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
24+
with:
25+
python-version: "3.12"
26+
27+
- name: Install AGT CLI
28+
run: pip install --quiet 'agent-governance-toolkit==3.3.0'
29+
30+
- name: Determine author
31+
id: author
32+
run: |
33+
if [ "${{ github.event_name }}" = "pull_request_target" ]; then
34+
echo "username=${{ github.event.pull_request.user.login }}" >> "$GITHUB_OUTPUT"
35+
echo "number=${{ github.event.pull_request.number }}" >> "$GITHUB_OUTPUT"
36+
echo "type=pr" >> "$GITHUB_OUTPUT"
37+
else
38+
echo "username=${{ github.event.issue.user.login }}" >> "$GITHUB_OUTPUT"
39+
echo "number=${{ github.event.issue.number }}" >> "$GITHUB_OUTPUT"
40+
echo "type=issue" >> "$GITHUB_OUTPUT"
41+
fi
42+
43+
- name: Run profile check
44+
id: profile
45+
env:
46+
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
47+
run: |
48+
set +e
49+
agt-contributor-check \
50+
--username "${{ steps.author.outputs.username }}" \
51+
--json > /tmp/profile.json 2>/tmp/profile.log
52+
set -e
53+
risk=$(jq -r '.risk // "UNKNOWN"' /tmp/profile.json 2>/dev/null || echo "UNKNOWN")
54+
echo "risk=$risk" >> "$GITHUB_OUTPUT"
55+
56+
- name: Run credential audit
57+
id: credential
58+
env:
59+
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
60+
run: |
61+
set +e
62+
agt-credential-audit \
63+
--username "${{ steps.author.outputs.username }}" \
64+
--repo "${{ github.repository }}" \
65+
--json > /tmp/cred.json 2>/tmp/cred.log
66+
set -e
67+
risk=$(jq -r '.risk // "UNKNOWN"' /tmp/cred.json 2>/dev/null || echo "UNKNOWN")
68+
echo "risk=$risk" >> "$GITHUB_OUTPUT"
69+
70+
- name: Compute overall risk
71+
id: overall
72+
run: |
73+
risk_to_num() {
74+
case "$1" in
75+
HIGH) echo 3 ;;
76+
MEDIUM|UNKNOWN) echo 2 ;;
77+
LOW) echo 1 ;;
78+
*) echo 2 ;;
79+
esac
80+
}
81+
p=$(risk_to_num "${{ steps.profile.outputs.risk }}")
82+
c=$(risk_to_num "${{ steps.credential.outputs.risk }}")
83+
max=$p; [ "$c" -gt "$max" ] && max=$c
84+
case "$max" in 3) r="HIGH" ;; 2) r="MEDIUM" ;; 1) r="LOW" ;; *) r="MEDIUM" ;; esac
85+
echo "risk=$r" >> "$GITHUB_OUTPUT"
86+
87+
- name: Comment on MEDIUM or HIGH risk
88+
if: steps.overall.outputs.risk == 'MEDIUM' || steps.overall.outputs.risk == 'HIGH'
89+
env:
90+
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
91+
run: |
92+
number="${{ steps.author.outputs.number }}"
93+
type="${{ steps.author.outputs.type }}"
94+
risk="${{ steps.overall.outputs.risk }}"
95+
profile="${{ steps.profile.outputs.risk }}"
96+
cred="${{ steps.credential.outputs.risk }}"
97+
98+
if [ "$risk" = "HIGH" ]; then icon="🔴"; else icon="🟡"; fi
99+
100+
body=$(cat <<EOF
101+
<!-- agt-contributor-check -->
102+
$icon **Contributor Reputation Check: $risk risk**
103+
104+
| Check | Risk |
105+
|-------|------|
106+
| Profile | $profile |
107+
| Credential audit | $cred |
108+
109+
Maintainers: please review this contributor before merging.
110+
See the [workflow run](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) for full details.
111+
*Automated check powered by [AGT](https://github.com/microsoft/agent-governance-toolkit).*
112+
EOF
113+
)
114+
115+
if [ "$type" = "pr" ]; then
116+
gh pr comment "$number" --body "$body"
117+
else
118+
gh issue comment "$number" --body "$body"
119+
fi
120+
121+
- name: Add risk label
122+
if: steps.overall.outputs.risk == 'MEDIUM' || steps.overall.outputs.risk == 'HIGH'
123+
env:
124+
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
125+
run: |
126+
number="${{ steps.author.outputs.number }}"
127+
type="${{ steps.author.outputs.type }}"
128+
risk="${{ steps.overall.outputs.risk }}"
129+
130+
gh label create "needs-review:$risk" \
131+
--description "Contributor reputation check flagged $risk risk" \
132+
--color "FFA500" --force 2>/dev/null || true
133+
134+
if [ "$type" = "pr" ]; then
135+
gh pr edit "$number" --add-label "needs-review:$risk"
136+
else
137+
gh issue edit "$number" --add-label "needs-review:$risk"
138+
fi
139+
140+
- name: Job summary
141+
if: always()
142+
run: |
143+
risk="${{ steps.overall.outputs.risk }}"
144+
case "$risk" in HIGH) icon="🔴" ;; MEDIUM) icon="🟡" ;; LOW) icon="✅" ;; *) icon="❓" ;; esac
145+
{
146+
echo "## $icon Contributor Check: \`${{ steps.author.outputs.username }}\`"
147+
echo "| Check | Risk |"
148+
echo "|-------|------|"
149+
echo "| Profile | ${{ steps.profile.outputs.risk }} |"
150+
echo "| Credential | ${{ steps.credential.outputs.risk }} |"
151+
echo "| **Overall** | **$risk** |"
152+
} >> "$GITHUB_STEP_SUMMARY"

0 commit comments

Comments
 (0)