Commit 53de993

Enhance daily code review workflow with environment approval and security notes
1 parent 68c970f commit 53de993

1 file changed

Lines changed: 9 additions & 1 deletion

.github/workflows/daily-code-review.yaml

@@ -16,6 +16,8 @@ jobs:
1616
daily-code-review:
1717
runs-on: ubuntu-latest
1818
timeout-minutes: 30
19+
# Require environment approval for manual triggers (configure in repo Settings > Environments)
20+
environment: copilot-agent
1921

2022
env:
2123
NODE_VER: "22"
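Review bot: The comment on the added `environment: copilot-agent` line says approval is required "for manual triggers", but an environment's protection rules apply to every run of the job that references it, so a required-reviewers rule will also hold the scheduled daily run until someone approves it (and a job waiting on approval sits in that state rather than failing). Either reword the comment to say the gate applies to all runs, or accept that the daily schedule will need a manual approval each time. Also note that referencing an environment that has not been created yet makes GitHub create it with no protection rules, so the approval gate is only real once the environment is configured with required reviewers; a short pointer in the comment that the job runs ungated until then would help whoever sets this up.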
@@ -165,7 +167,13 @@ jobs:
165167
PROMPT_EOF
166168
)
167169
168-
# Run with safety timeout (20 min) and non-interactive flags
170+
# Security notes on flags:
171+
# --allow-all-tools: Required for non-interactive CI — CLI would hang waiting for
172+
# user confirmation otherwise. Safe here because the prompt is hardcoded (not
173+
# sourced from external/untrusted input) and PRs require human review to merge.
174+
# --allow-all-paths: Required so CLI can read source files for analysis.
175+
# The GITHUB_TOKEN is repo-scoped and branch protections prevent direct pushes
176+
# to main. The agent can only create PRs, not merge them.
169177
EXIT_CODE=0
170178
timeout --foreground --signal=TERM --kill-after=30s 1200s \
171179
copilot \
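Review bot: The `--allow-all-tools` note justifies the flag by saying the prompt is hardcoded and therefore not external input, but the source files the CLI reads under `--allow-all-paths` are also model input, and for a code-review job those files come from contributors; the comment should not present the hardcoded prompt as the only input the agent acts on, and the real mitigations are the ones the note already lists (branch protection, PRs require human review). Two smaller points: the removed line `# Run with safety timeout (20 min) and non-interactive flags` was the only comment explaining the `timeout ... 1200s` invocation that follows, so keep a short version of it alongside the new notes; and the note asserts "The GITHUB_TOKEN is repo-scoped", but nothing in this hunk shows a `permissions:` block narrowing that token, so consider adding one at the job level so the scope the comment describes is enforced in the workflow rather than assumed.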