Add soft-gate PR risk scan automation for agentic PRs (#1969)

* Add soft-gate PR risk scanning automation Introduce a PR risk scanner script plus two workflows: one to scan changed files and upload findings, and one to upsert a sticky PR comment with a summary table and findings. This adds non-blocking supply-chain risk visibility for agentic contributions. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Harden path checks and reduce scanner false positives Reject absolute paths, enforce repo-root containment after resolution, and tighten unpinned-version detection to dependency/version contexts to avoid markdown noise. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Harden soft-gate behavior and scanner coverage Make PR risk scan workflows non-blocking on scanner/artifact edge cases, always upload artifacts, reduce required permissions, and extend scanner script detection to plugin skill paths. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
2026-06-16 20:51:26 +00:00 · 2026-06-14 17:59:01 -07:00
parent 71c55d4e12
commit 3ae6b2007c
3 changed files with 579 additions and 0 deletions
@@ -0,0 +1,98 @@
+name: PR Risk Scan — Comment
+
+on:
+  workflow_run:
+    workflows: ["PR Risk Scan — Gate"]
+    types: [completed]
+
+permissions:
+  issues: write
+  pull-requests: write
+  actions: read
+
+jobs:
+  comment:
+    runs-on: ubuntu-latest
+    if: github.event.workflow_run.event == 'pull_request'
+    steps:
+      - name: Download scan artifact
+        id: download
+        continue-on-error: true
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: pr-risk-scan-results
+          run-id: ${{ github.event.workflow_run.id }}
+          github-token: ${{ github.token }}
+
+      - name: Upsert PR comment
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
+        with:
+          script: |
+            const fs = require('fs');
+            const marker = '<!-- pr-risk-scan-results -->';
+            const reportPath = 'report.md';
+            const prNumberPath = 'pr-number.txt';
+
+            if (!fs.existsSync(reportPath)) {
+              core.warning('Risk scan report.md artifact was not found. Skipping comment update.');
+              return;
+            }
+
+            let body = fs.readFileSync(reportPath, 'utf8');
+
+            // Treat artifact content as untrusted (the gate workflow runs on PR code).
+            // Prevent spam/notification abuse and avoid API failures on oversized bodies.
+            body = body.replace(/@/g, '@\u200b');
+            const maxLength = 65000;
+            if (body.length > maxLength) {
+              body = `${body.slice(0, maxLength)}\n\n_...(truncated)..._`;
+            }
+            if (!body.includes(marker)) {
+              body = `${marker}\n${body}`;
+            }
+            let prNumber = null;
+            if (fs.existsSync(prNumberPath)) {
+              const parsed = parseInt(fs.readFileSync(prNumberPath, 'utf8').trim(), 10);
+              if (!Number.isNaN(parsed)) {
+                prNumber = parsed;
+              }
+            }
+
+            if (!prNumber) {
+              const fallback = context.payload.workflow_run.pull_requests?.[0]?.number;
+              if (fallback) {
+                prNumber = fallback;
+              }
+            }
+
+            if (!prNumber) {
+              core.warning('Could not determine PR number for comment upsert. Skipping.');
+              return;
+            }
+
+            const { data: comments } = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: prNumber,
+              per_page: 100,
+            });
+
+            const existing = comments.find((comment) => comment.body.includes(marker));
+
+            if (existing) {
+              await github.rest.issues.updateComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: existing.id,
+                body,
+              });
+              console.log(`Updated existing risk scan comment ${existing.id}`);
+            } else {
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: prNumber,
+                body,
+              });
+              console.log('Created new risk scan comment');
+            }