Add codeowner-update agentic workflow #870
Conversation
Adds an agentic workflow triggered by `#codeowner` comments on PRs. It creates a PR against `staged` updating `CODEOWNERS` with the PR's files (in `agents/`, `skills/`, `instructions/`, `workflows/`, `hooks/`, `plugins/`) owned by the PR creator.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
Adds a new agentic workflow to automate CODEOWNERS updates when a maintainer triggers it via a #codeowner PR comment, generating a follow-up PR against staged and notifying on the original PR.
Changes:
- Introduces an agentic workflow definition that reacts to `issue_comment` events containing `#codeowner` on PRs.
- Adds the compiled `gh-aw` lock workflow that executes the agent, performs threat detection, and applies safe outputs (create PR + comment).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/codeowner-update.md | Defines the agent prompt, trigger, and safe outputs for generating a CODEOWNERS-update PR. |
| .github/workflows/codeowner-update.lock.yml | Compiled workflow implementing the runtime, safety gates, and safe-output handling for the agent. |
| Use `create-pull-request` to open a PR with the updated `CODEOWNERS` file. The PR should: | ||
|
|
||
| - **Title:** `Update CODEOWNERS for PR #${{ github.event.issue.number }}` | ||
| - **Body:** A summary listing every new or updated CODEOWNERS entry and the PR creator who was assigned ownership. |
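Review bot: The instruction block fixes the title and body of the generated PR but never names its base branch; the PR description says the update is opened against `staged`, so either state that base here in the prompt or confirm it is pinned in the `create-pull-request` safe-output configuration, since nothing visible stops the agent from targeting the default branch.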
create-pull-request safe output calls must include a branch field, but the workflow instructions never tell the agent to choose/provide one. In this repo’s compiled workflow, the safe-outputs validator marks create_pull_request.branch as required, so omitting it will cause the tool call to fail. Update the instructions to require a deterministic, unique branch name (e.g., derived from PR number and username).
| - **Body:** A summary listing every new or updated CODEOWNERS entry and the PR creator who was assigned ownership. | |
| - **Body:** A summary listing every new or updated CODEOWNERS entry and the PR creator who was assigned ownership. | |
| - **Branch:** Set the `branch` field in the `create-pull-request` call to a deterministic, unique name derived from the triggering PR and its creator, for example: `codeowner-update/pr-${{ github.event.issue.number }}-<pr-creator-username>`. Normalize the username by lowercasing it and replacing any non-alphanumeric characters with `-`. |
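Review bot: The suggested name is deterministic by design, so a second `#codeowner` comment on the same PR by the same creator yields the same branch; the instructions should say what the agent does when that branch or an open PR from it already exists (update it or stop) rather than leaving the outcome to the tool call. GitHub usernames already contain only alphanumerics and hyphens, so the lowercase-and-replace step is a harmless safety net and not what uniqueness depends on.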
|
|
||
| - Construct a CODEOWNERS entry: `/<file-path> @<pr-creator-username>` | ||
| - For files inside `skills/`, `hooks/`, or `plugins/` (which are directory-based resources), use the **directory pattern** instead of individual file paths. For example, if the PR touches `skills/my-skill/SKILL.md` and `skills/my-skill/template.txt`, add a single entry: `/skills/my-skill/ @<pr-creator-username>` | ||
| - If an entry for that exact path already exists in CODEOWNERS, **replace** the owner with the PR creator rather than adding a duplicate line. |
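Review bot: The directory-pattern bullet is ambiguous for a file that sits directly under `skills/`, `hooks/` or `plugins/` (for example `skills/README.md`): read literally, "use the directory pattern" yields `/skills/ @<pr-creator-username>`, which grants the PR creator ownership of every skill. Spell out that the pattern is the first-level subdirectory (`/skills/<name>/`) and that a file directly under the top-level directory falls back to the per-file rule. Separately, `/<file-path>` is emitted verbatim, and CODEOWNERS is whitespace-separated with `#` starting a comment, so a path containing whitespace or beginning with `#` needs escaping or the line is misread.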
The instructions say to replace the owner for an existing CODEOWNERS entry when the exact path already exists. This can unintentionally remove existing owners (e.g., /workflows/ @brunoborges in the current CODEOWNERS) and transfer ownership entirely to the PR author. Consider preserving existing owners (append the PR author) or only replacing entries that were previously added by this workflow’s own comment blocks.
| - If an entry for that exact path already exists in CODEOWNERS, **replace** the owner with the PR creator rather than adding a duplicate line. | |
| - If an entry for that exact path already exists in CODEOWNERS, **preserve all existing owners** and add the PR creator as an additional owner if they are not already listed. You may update a prior `#codeowner` comment block created by this workflow instead of adding a duplicate line, but do not remove any existing owners for that path. |
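Review bot: Preserving owners on an exact-path match fixes the case raised above, but the add-a-new-line case has the same effect through precedence: CODEOWNERS gives the last matching pattern precedence, so appending `/workflows/new-file.md @<pr-creator-username>` below an existing `/workflows/ @brunoborges` still removes @brunoborges as the owner of that file. Add that when a broader existing pattern already covers the path, the new line lists that pattern's existing owners alongside the PR creator.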
| issues: read | ||
| tools: | ||
| github: | ||
| toolsets: [default] |
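Review bot: The frontmatter shown grants `issues: read` and GitHub tools, but nothing in this block restricts who may trigger the run; the overview says a maintainer, while the trigger description is any `issue_comment` containing `#codeowner`. Because the output changes CODEOWNERS, i.e. who is requested to review future changes to those paths, confirm that the compiled workflow gates the trigger on the commenter's role and that the generated PR against `staged` still goes through normal review before merging.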
Other agentic workflows in this repo declare minimal GitHub MCP toolsets (e.g., toolsets: [repos, issues]). Using toolsets: [default] here is less explicit about required capabilities and can make reviews/audits harder. Prefer listing the specific toolsets needed (likely repos, issues, pull_requests, and optionally context).
| toolsets: [default] | |
| toolsets: [repos, issues, pull_requests, context] |
Adds an agentic workflow that triggers when a maintainer comments `#codeowner` on a pull request.
What it does
- Triggered by `#codeowner` comments on PRs
- Covers files in the `agents/`, `skills/`, `instructions/`, `workflows/`, `hooks/`, and `plugins/` directories
- Opens a PR against `staged` that updates the `CODEOWNERS` file with entries assigning the PR creator as owner of their contributed files
Files
- `.github/workflows/codeowner-update.md` — the agentic workflow definition
- `.github/workflows/codeowner-update.lock.yml` — compiled lock file
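A worked version of the entry-construction, owner-merge and branch-naming rules discussed in this review, written as an added example (not code from this PR or from the gh-aw project): `COVERED_DIRS`, `DIRECTORY_RESOURCES`, `branch_name`, `codeowners_patterns` and `merge_owner` are assumed names, and the handling of files sitting directly under `skills/`, `hooks/` or `plugins/` is an assumption about the intended reading of the directory-pattern rule.

```python
import re

# Top-level directories the workflow covers (from the PR description).
COVERED_DIRS = ("agents", "skills", "instructions", "workflows", "hooks", "plugins")
# Directory-based resources: own the first-level subdirectory, not each file.
DIRECTORY_RESOURCES = ("skills", "hooks", "plugins")


def branch_name(pr_number, username):
    """Deterministic branch name per the suggested rule (lowercase, non-alnum -> '-')."""
    return f"codeowner-update/pr-{pr_number}-" + re.sub(r"[^a-z0-9]", "-", username.lower())


def codeowners_patterns(changed_files, creator):
    """Map a PR's changed paths to (pattern, owner) entries, in first-seen order.
    Paths outside the covered directories are skipped.  For skills/, hooks/ and
    plugins/, a file nested at least one level deep collapses to its first-level
    directory pattern; a file directly under the top-level directory keeps its
    own path so no entry ever claims e.g. all of /skills/ (assumption: the safe
    reading of the 'directory pattern' rule).
    """
    entries = []
    for path in changed_files:
        parts = path.split("/")
        if len(parts) < 2 or parts[0] not in COVERED_DIRS:
            continue
        if parts[0] in DIRECTORY_RESOURCES and len(parts) >= 3:
            pattern = f"/{parts[0]}/{parts[1]}/"
        else:
            pattern = f"/{path}"
        if (pattern, creator) not in entries:
            entries.append((pattern, creator))
    return entries


def merge_owner(codeowners_text, pattern, owner):
    """Append owner to the line whose pattern matches exactly, else add a new line.
    Existing owners on that line are preserved (the reviewed rule); comments and
    other patterns are untouched.  Escaped spaces in patterns are not handled.
    """
    lines = codeowners_text.splitlines()
    for i, line in enumerate(lines):
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if fields and fields[0] == pattern:
            if owner not in fields[1:]:
                lines[i] = " ".join(fields + [owner])
            return "\n".join(lines) + "\n"
    lines.append(f"{pattern} {owner}")
    return "\n".join(lines) + "\n"
```

Note that `merge_owner` only handles the exact-path case; the last-match precedence issue for a new line under a broader existing pattern still has to be handled by the instructions given to the agent.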