11name : 🔎 PR Verification Agent
22
3+ # Security: This workflow has write permissions to issues and PRs, so it must NOT
4+ # use the `pull_request` trigger (which checks out untrusted PR code and could
5+ # exfiltrate the job token). Instead, it runs on schedule/manual dispatch only.
6+ # The agent fetches each PR's branch itself before building and verifying.
37on :
4- # Trigger when a PR is labeled
5- pull_request :
6- types : [labeled]
7-
8- # Safety-net: run periodically to catch any missed PRs
8+ # Run periodically to pick up PRs labeled pending-verification
99 schedule :
1010 - cron : " 0 */6 * * *" # Every 6 hours
1111
@@ -19,14 +19,14 @@ permissions:
1919
2020jobs :
2121 verify-prs :
22- # For the labeled trigger, only run when the label is 'pending-verification'
23- if : >-
24- github.event_name != 'pull_request' ||
25- github.event.label.name == 'pending-verification'
26-
2722 runs-on : ubuntu-latest
2823 timeout-minutes : 30
2924
25+ # Prevent overlapping runs from racing on label updates / comment posts
26+ concurrency :
27+ group : pr-verification
28+ cancel-in-progress : false
29+
3030 env :
3131 NODE_VER : " 22"
3232
@@ -35,21 +35,13 @@ jobs:
3535 uses : actions/checkout@v4
3636 with :
3737 fetch-depth : 0
38- # For pull_request events, this checks out the PR merge commit (includes PR changes).
39- # For schedule/workflow_dispatch, this checks out main. The agent will
40- # switch to each PR's branch before building and verifying.
38+ persist-credentials : false
4139
4240 - name : ⚙️ Setup Node.js
4341 uses : actions/setup-node@v4
4442 with :
4543 node-version : ${{ env.NODE_VER }}
4644
47- - name : 📦 Install dependencies and build (PR trigger only)
48- if : github.event_name == 'pull_request'
49- run : |
50- npm ci
51- npm run build
52-
5345 - name : 🐳 Start DTS Emulator
5446 run : |
5547 docker run --name dts-emulator -d --rm -p 8080:8080 \
@@ -68,14 +60,68 @@ jobs:
6860 sleep 1
6961 done
7062
71- - name : 🤖 Run PR Verification Agent
72- uses : github/copilot-agent@v1
73- with :
74- agent : pr-verification
63+ - name : 🤖 Install GitHub Copilot CLI
64+ run : npm install -g @github/copilot
65+ env :
66+ COPILOT_GITHUB_TOKEN : ${{ secrets.COPILOT_GITHUB_TOKEN }}
67+ GH_TOKEN : ${{ github.token }}
68+
69+ - name : 🔎 Run PR Verification Agent
70+ run : |
71+ AGENT_PROMPT=$(cat .github/agents/pr-verification.agent.md)
72+
73+ FULL_PROMPT=$(cat <<PROMPT_EOF
74+ $AGENT_PROMPT
75+
76+ ---
77+
78+ ## Execution Context
79+
80+ You are running in CI. Today's date is $(date +%Y-%m-%d).
81+ Repository: ${{ github.repository }}
82+
83+ Environment variables available:
84+ - ENDPOINT=$ENDPOINT
85+ - TASKHUB=$TASKHUB
86+
87+ Execute the full workflow described above:
88+ 1. Find PRs labeled pending-verification
89+ 2. For each PR: understand the fix, extract the scenario, checkout the PR branch, build, create and run verification sample
90+ 3. Post verification results to the linked issue
91+ 4. Update PR labels accordingly
92+
93+ Remember:
94+ - Process PRs one at a time
95+ - Always checkout the PR branch and rebuild before verifying
96+ - If a verification sample fails, retry up to 2 times before reporting failure
97+ - Maximum timeout per PR: 5 minutes
98+ PROMPT_EOF
99+ )
100+
101+ EXIT_CODE=0
102+ timeout --foreground --signal=TERM --kill-after=30s 1200s \
103+ copilot \
104+ --prompt "$FULL_PROMPT" \
105+ --model "claude-opus-4.6" \
106+ --allow-all-tools \
107+ --allow-all-paths \
108+ < /dev/null 2>&1 || EXIT_CODE=$?
109+
110+ if [ $EXIT_CODE -eq 124 ]; then
111+ echo "::warning::Agent timed out after 20 minutes"
112+ elif [ $EXIT_CODE -ne 0 ]; then
113+ echo "::warning::Agent exited with code $EXIT_CODE"
114+ fi
115+
116+ echo "PR verification agent completed."
75117 env :
76- GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
118+ COPILOT_GITHUB_TOKEN : ${{ secrets.COPILOT_GITHUB_TOKEN }}
119+ GH_TOKEN : ${{ github.token }}
77120 ENDPOINT : localhost:8080
78121 TASKHUB : default
122+ CI : " true"
123+ NO_COLOR : " 1"
124+ TERM : " dumb"
79125
80126 - name : 🧹 Stop DTS Emulator
81127 if : always()
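Review bot: The "Run PR Verification Agent" step still hands the write-capable job token to untrusted code: its `env:` block sets `GH_TOKEN: ${{ github.token }}` and `COPILOT_GITHUB_TOKEN`, while the prompt instructs the agent to check out each PR branch and build it ("checkout the PR branch, build", "Always checkout the PR branch and rebuild") under `--allow-all-tools` / `--allow-all-paths`, so npm lifecycle or build scripts contributed by the PR can read both tokens from the environment. The header comment in this file says the `pull_request` trigger was dropped to avoid token exfiltration, but dropping the trigger only moves that exposure into the agent's build step. A change that keeps this step's interface is to make the prompt require token-less builds, e.g. `env -u GH_TOKEN -u COPILOT_GITHUB_TOKEN npm ci --ignore-scripts && env -u GH_TOKEN -u COPILOT_GITHUB_TOKEN npm run build`, though splitting build/verify into a job with no write permissions is the safer structure; the `permissions:` block is outside the visible hunks, so its actual scope cannot be confirmed here. Two smaller points in the same hunk: the "Install GitHub Copilot CLI" step also receives `GH_TOKEN` although `npm install -g` does not appear to need it, and because PR titles, bodies and diffs are untrusted text driving an agent that holds the token, the agent prompt should limit it to label updates and comments on the linked issue and treat any instruction found in PR content as data rather than commands.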