1616 daily-code-review :
1717 runs-on : ubuntu-latest
1818 timeout-minutes : 30
19+ # Require environment approval for manual triggers (configure in repo Settings > Environments)
20+ environment : copilot-agent
1921
2022 env :
2123 NODE_VER : " 22"
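Review bot: The `environment : copilot-agent` line gates every run of this job, not only manual triggers as the comment on the line above it says. If a required-reviewer rule is configured on that environment, a scheduled run of `daily-code-review` will also pause until someone approves it, so either the comment should say so or the protection should be scoped (for example with a deployment-branch rule) to what is actually intended. Also worth stating in the comment: if the `copilot-agent` environment does not already exist, GitHub creates it on first use with no protection rules, so this line provides no approval gate until the environment is configured in Settings > Environments.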
@@ -165,7 +167,13 @@ jobs:
165167 PROMPT_EOF
166168 )
167169
168- # Run with safety timeout (20 min) and non-interactive flags
170+ # Security notes on flags:
171+ # --allow-all-tools: Required for non-interactive CI — CLI would hang waiting for
172+ # user confirmation otherwise. Safe here because the prompt is hardcoded (not
173+ # sourced from external/untrusted input) and PRs require human review to merge.
174+ # --allow-all-paths: Required so CLI can read source files for analysis.
175+ # The GITHUB_TOKEN is repo-scoped and branch protections prevent direct pushes
176+ # to main. The agent can only create PRs, not merge them.
169177 EXIT_CODE=0
170178 timeout --foreground --signal=TERM --kill-after=30s 1200s \
171179 copilot \
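Review bot: The justification for `--allow-all-tools` in the new comment is too strong. A hardcoded prompt does not make the agent's input trusted, because the same job grants `--allow-all-paths` so that repository file contents are fed into the model, and those files (and any commit messages or PR text the agent reads) come from contributors; instructions embedded there can steer an agent that is allowed to run any tool. The mitigations that actually hold are the ones in the last three lines (repo-scoped `GITHUB_TOKEN`, branch protection on main, PRs requiring human review), so the comment should rest on those rather than on the prompt being hardcoded. To make "The agent can only create PRs, not merge them" true by construction rather than by convention, add an explicit job-level `permissions:` block (for example `contents: read` and `pull-requests: write`) if the workflow does not already set one, since the default token permissions depend on repository settings. Minor: the removed line documented the 20-minute timeout; the new comment block no longer mentions it, so a one-line note next to `timeout --foreground --signal=TERM --kill-after=30s 1200s` would keep that intent visible.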