45 changes: 29 additions & 16 deletions .github/workflows/ci.yml
@@ -1,29 +1,37 @@
name: Build with Tests

on:
push:
workflow_dispatch:
pull_request:
types: [opened, edited]
on:
push:
workflow_dispatch:
pull_request:
types: [opened, synchronize, reopened, edited]
pull_request_target:
types: [opened, synchronize, reopened, edited]
Comment on lines +6 to +9

Copilot AI Mar 29, 2026

This workflow triggers on both pull_request and pull_request_target. For Copilot-authored PRs, the jobs will run for both events (because the job if passes for pull_request and for pull_request_target), which can create duplicate CI runs and may still leave a blocked pull_request run “waiting for approval”. If the intent is to run only via pull_request_target for Copilot, add a complementary skip condition for the pull_request event (or split into separate workflows).

permissions:
contents: read

jobs:
build_and_test_Windows:
name: "Windows: Build and Tests"
if: ${{ github.event_name != 'pull_request_target' || startsWith(github.actor, 'copilot') || github.actor == 'github-copilot[bot]' }}

Check failure
Code scanning / SonarCloud: Workflows should not rely on unverified GitHub context values to trust events (High)
Workflows should not rely on forgeable GitHub context values to trust events.

Copilot AI Mar 29, 2026

The job gate for pull_request_target is spoofable: startsWith(github.actor, 'copilot') would allow any user with a username like copilot-foo to run this workflow in the privileged pull_request_target context. Restrict this to an explicit allow-list of the exact bot account(s) (or a non-spoofable identifier like a known actor_id) to avoid a security bypass.

runs-on: windows-latest

env:
IsRunningOnGitHubActions: 'true'
UseInMemory: 'true'

steps:
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
ref: ${{ github.event.pull_request.head.sha || github.sha }}

Copilot AI Mar 29, 2026

This actions/checkout now always checks out github.event.pull_request.head.sha for pull_request runs, which changes CI from testing the PR merge commit to testing only the PR head commit. That can miss integration failures that would occur after merging. Consider only overriding ref for pull_request_target runs (and keep the default merge ref for pull_request).

Suggested change
ref: ${{ github.event.pull_request.head.sha || github.sha }}
ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}

persist-credentials: false

- uses: actions/setup-dotnet@v4
with:
dotnet-version: '10.0.x'

- name: Build
run: |
dotnet build ./src/System.Linq.Dynamic.Core/System.Linq.Dynamic.Core.csproj -c Release -p:buildType=azure-pipelines-ci
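Review bot: the if: gate on build_and_test_Windows is the only thing between an untrusted pull request and a privileged pull_request_target run, and its startsWith(github.actor, 'copilot') clause is a prefix match on a user-chosen login, not an identity check; the job then checks out github.event.pull_request.head.sha and runs dotnet build on the PR's own csproj, so any MSBuild target in that file executes with whatever this workflow can reach. Drop the startsWith clause and keep only exact, non-forgeable comparisons, e.g. the existing github.actor == 'github-copilot[bot]' check, or better github.actor_id compared against the bot's numeric id. permissions: contents: read and persist-credentials: false keep the token read-only and out of the working tree, which is good, but neither limits which repository secrets a later step could be handed, so the gate has to hold on its own.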
@@ -34,15 +42,19 @@

build_and_test_Linux:
name: "Linux: Build and Tests"
if: ${{ github.event_name != 'pull_request_target' || startsWith(github.actor, 'copilot') || github.actor == 'github-copilot[bot]' }}

Check failure
Code scanning / SonarCloud: Workflows should not rely on unverified GitHub context values to trust events (High)
Workflows should not rely on forgeable GitHub context values to trust events.

Copilot AI Mar 29, 2026

The job gate for pull_request_target is spoofable: startsWith(github.actor, 'copilot') would allow any user with a username like copilot-foo to run this workflow in the privileged pull_request_target context. Restrict this to an explicit allow-list of the exact bot account(s) (or a non-spoofable identifier like a known actor_id) to avoid a security bypass.

runs-on: ubuntu-latest

env:
IsRunningOnGitHubActions: 'true'
BranchName: ${{ github.head_ref || github.ref_name }}

steps:
steps:
- uses: actions/checkout@v4

with:
ref: ${{ github.event.pull_request.head.sha || github.sha }}

Copilot AI Mar 29, 2026

This actions/checkout now always checks out github.event.pull_request.head.sha for pull_request runs, which changes CI from testing the PR merge commit to testing only the PR head commit. That can miss integration failures that would occur after merging. Consider only overriding ref for pull_request_target runs (and keep the default merge ref for pull_request).

Suggested change
ref: ${{ github.event.pull_request.head.sha || github.sha }}
ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}

persist-credentials: false

- uses: actions/setup-dotnet@v4
with:
dotnet-version: '9.0.x'
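Review bot: build_and_test_Linux repeats the Windows job's pull_request_target gate verbatim, including the prefix match on github.actor, and the same unconditional head.sha checkout; whatever fix lands for the Windows job has to be mirrored here, and two hand-copied copies of a security condition will drift. Evaluate the condition once in a small gate job that both build jobs list under needs: (exposing the decision as a job output), so there is exactly one place to audit. One thing this hunk gets right: BranchName is taken from github.head_ref into env: rather than interpolated into a script, which is the correct way to handle an attacker-influenced value; keep that pattern if the SonarCloud steps are reworked.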
@@ -58,6 +70,7 @@
dotnet tool install --global dotnet-coverage

- name: Check if analysis on SonarCloud is possible
if: ${{ github.event_name != 'pull_request_target' }}
id: secret-check
# perform secret check & put boolean result as an output
shell: bash
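Review bot: skipping the secret-check step on pull_request_target is right (a run that may be driven by a fork should not even learn whether SONAR_TOKEN is present), but note the mechanism: because the step carries id: secret-check, its outputs.run_analysis is simply unset when the step is skipped, and every later step that compares it to 'true' already fails closed. Put a one-line comment beside this if: stating that it is the primary guard for the Sonar steps, so a later cleanup that removes the seemingly redundant event-name checks downstream does not remove this one as well.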
@@ -69,31 +82,31 @@
fi

- name: Begin analysis on SonarCloud
if: ${{ steps.secret-check.outputs.run_analysis == 'true' }}
if: ${{ github.event_name != 'pull_request_target' && steps.secret-check.outputs.run_analysis == 'true' }}
run: |
dotnet sonarscanner begin /k:"zzzprojects_System.Linq.Dynamic.Core" /o:"zzzprojects" /d:sonar.branch.name=$BranchName /d:sonar.host.url="https://sonarcloud.io" /d:sonar.token=${{ secrets.SONAR_TOKEN }} /d:sonar.pullrequest.provider=github /d:sonar.dotnet.excludeTestProjects=true /d:sonar.cs.vscoveragexml.reportsPaths=**/dynamic-coverage-*.xml /d:sonar.verbose=true

- name: Build
run: |
dotnet build ./src/System.Linq.Dynamic.Core/System.Linq.Dynamic.Core.csproj -c Debug -p:buildType=azure-pipelines-ci

- name: Run Tests EFCore .NET 10 (with Coverage)
run: |
dotnet-coverage collect 'dotnet test ./test/System.Linq.Dynamic.Core.Tests/System.Linq.Dynamic.Core.Tests.csproj --configuration Debug -p:buildType=azure-pipelines-ci' -f xml -o dynamic-coverage-efcore.xml

- name: Run Tests EF .NET 10 (with Coverage)
run: |
dotnet-coverage collect 'dotnet test ./test/EntityFramework.DynamicLinq.Tests/EntityFramework.DynamicLinq.Tests.csproj --configuration Debug --framework net10.0 -p:buildType=azure-pipelines-ci' -f xml -o dynamic-coverage-ef.xml

- name: Run Tests Newtonsoft.Json .NET 10 (with Coverage)
run: |
dotnet-coverage collect 'dotnet test ./test/System.Linq.Dynamic.Core.NewtonsoftJson.Tests/System.Linq.Dynamic.Core.NewtonsoftJson.Tests.csproj --configuration Debug --framework net10.0 -p:buildType=azure-pipelines-ci' -f xml -o dynamic-coverage-newtonsoftjson.xml

- name: Run Tests System.Text.Json .NET 10 (with Coverage)
run: |
dotnet-coverage collect 'dotnet test ./test/System.Linq.Dynamic.Core.SystemTextJson.Tests/System.Linq.Dynamic.Core.SystemTextJson.Tests.csproj --configuration Debug --framework net10.0 -p:buildType=azure-pipelines-ci' -f xml -o dynamic-coverage-systemtextjson.xml

- name: End analysis on SonarCloud
if: ${{ steps.secret-check.outputs.run_analysis == 'true' }}
if: ${{ github.event_name != 'pull_request_target' && steps.secret-check.outputs.run_analysis == 'true' }}
run: |
dotnet sonarscanner end /d:sonar.token=${{ secrets.SONAR_TOKEN }}
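Review bot: in both the Begin and End analysis steps, secrets.SONAR_TOKEN is expanded by the expression engine straight into the run: command line, and the Begin invocation also sets sonar.verbose=true. Pass the token through the step's env: (SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}) and reference $SONAR_TOKEN in the command, exactly as this hunk already does for $BranchName, so the value never appears in the rendered script or the process command line; drop sonar.verbose=true unless it is actively needed. The added github.event_name != 'pull_request_target' clauses alongside run_analysis == 'true' are redundant given the skipped secret-check step, but harmless as defence in depth. Separately, the visible setup-dotnet in this job pins '9.0.x' while the renamed test steps pass --framework net10.0; if the collapsed lines do not also install a 10.x SDK, those steps will fail.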