docs: add integrity filtering reference and blocked-users/approval-labels to README #2250

Merged: lpcox merged 1 commit into main from docs/readme-integrity-updates on Mar 21, 2026

@lpcox (Collaborator) commented Mar 21, 2026

Changes

Updates the README Guard Policies section to document the new integrity features:

Added

  • blocked-users option — array of usernames whose content gets unconditional blocked integrity (below none)
  • approval-labels option — array of labels that elevate items to approved integrity (human-review gate)
  • blocked integrity level in the min-integrity hierarchy
  • Example config showing both options in context
  • Link to the Integrity Filtering Reference in the Further Reading table

Improved

  • Reordered integrity levels from highest to lowest for clarity
  • Added notes on private repo items and trusted bots qualifying as approved

Related

…bels to README

- Add blocked-users and approval-labels options to allow-only policy docs
- Add blocked integrity level (below none) to min-integrity list
- Reorder integrity levels from highest to lowest for clarity
- Add example config with blocked-users and approval-labels
- Add link to Integrity Filtering Reference in Further Reading table
- Note that approval-labels elevate to approved via max(base, approved)
- Note that blocked-users override is unconditional and not overridable

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings March 21, 2026 00:44
@lpcox lpcox merged commit 2ccc405 into main Mar 21, 2026
10 checks passed
@lpcox lpcox deleted the docs/readme-integrity-updates branch March 21, 2026 00:44
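
The rules in the PR description above (`blocked-users` is unconditional, `approval-labels` elevates via max(base, approved), `blocked` sits below `none`), modelled as an added Python example. It is not the project's code: the association-to-level mapping follows the README lines under review, while the item field names, the `merged` flag, the sample policy values and the case-insensitive login match are assumptions.

```python
from enum import IntEnum

class Integrity(IntEnum):
    BLOCKED = -1      # below none; derived only, never a min-integrity value
    NONE = 0
    UNAPPROVED = 1
    APPROVED = 2
    MERGED = 3

# author_association -> base level, as listed in the README lines under review
BASE = {
    **dict.fromkeys(("OWNER", "MEMBER", "COLLABORATOR"), Integrity.APPROVED),
    **dict.fromkeys(("CONTRIBUTOR", "FIRST_TIME_CONTRIBUTOR"), Integrity.UNAPPROVED),
    **dict.fromkeys(("FIRST_TIMER", "NONE"), Integrity.NONE),
}

def effective_integrity(item, policy):
    """Derive an item's level. Item field names are hypothetical."""
    # Assumption: logins are compared case-insensitively, because GitHub logins are.
    blocked = {u.lower() for u in policy.get("blocked-users", [])}
    if item["author"].lower() in blocked:
        return Integrity.BLOCKED          # unconditional: labels cannot lift it
    base = Integrity.MERGED if item.get("merged") else BASE.get(
        item["author_association"], Integrity.NONE)
    if set(item.get("labels", [])) & set(policy.get("approval-labels", [])):
        base = max(base, Integrity.APPROVED)   # elevate, never demote
    return base

def allowed(item, policy):
    """True when the item meets the policy's min-integrity threshold."""
    name = policy["min-integrity"]
    if name == "blocked":
        raise ValueError("blocked is not a configurable min-integrity value")
    return effective_integrity(item, policy) >= Integrity[name.upper()]

# Constructed policy and items, for illustration only.
POLICY = {"min-integrity": "approved",
          "blocked-users": ["spam-account"],
          "approval-labels": ["human-reviewed"]}
ITEMS = [
    {"author": "Spam-Account", "author_association": "MEMBER", "labels": ["human-reviewed"]},
    {"author": "newcomer", "author_association": "FIRST_TIMER", "labels": ["human-reviewed"]},
    {"author": "regular", "author_association": "CONTRIBUTOR", "labels": []},
    {"author": "regular", "author_association": "CONTRIBUTOR", "labels": ["human-reviewed"], "merged": True},
]

if __name__ == "__main__":
    for it in ITEMS:
        print(it["author"], effective_integrity(it, POLICY).name, allowed(it, POLICY))
```

Because `BLOCKED` is ordered below `NONE`, a blocked author's item fails the threshold comparison at every valid `min-integrity` value without a separate deny branch.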
Copilot AI (Contributor) left a comment

Pull request overview

Updates the README Guard Policies documentation to reflect recent GitHub-guard integrity filtering features (blocked users, approval labels) and adds a link to the external Integrity Filtering Reference.

Changes:

  • Expands allow-only policy docs to include blocked-users, approval-labels, and the blocked integrity level.
  • Reorders and clarifies integrity level descriptions and adds a more complete example config snippet.
  • Adds “Integrity Filtering” to the Further Reading links.

- `"unapproved"` — Contributors (CONTRIBUTOR, FIRST_TIME_CONTRIBUTOR)
- `"approved"` — Members (OWNER, MEMBER, COLLABORATOR)
**`min-integrity`** — Minimum integrity level required for content items. Levels from highest to lowest:
- `"merged"` — Objects reachable from main branch

Copilot AI commented Mar 21, 2026

The description of the "merged" integrity level as “Objects reachable from main branch” doesn’t match the current guard behavior: merged is applied to merged PRs and to commits in default-branch context (including get_commit by SHA, which may not be reachable from the default branch). Please reword this line to reflect the actual semantics so readers don’t infer a stronger guarantee than the implementation provides.

Suggested change
- `"merged"`Objects reachable from main branch
- `"merged"`Content associated with merged pull requests and operations in default-branch context (for example, commits fetched by SHA while working against the default branch)

- `"approved"` — Members (OWNER, MEMBER, COLLABORATOR); private repo items; trusted bots
- `"unapproved"` — Contributors (CONTRIBUTOR, FIRST_TIME_CONTRIBUTOR)
- `"none"` — All objects (FIRST_TIMER, NONE)
- `blocked` — Items from `blocked-users` (always denied; not a configurable value)
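
Review bot: the `"none"` line describes the level as "All objects", but the `blocked` line directly under it says items from `blocked-users` are always denied, so a reader who sets `min-integrity` to `"none"` could expect content from blocked users to pass. Suggest wording it as all objects except those from `blocked-users`, or adding a sentence after the list stating that `blocked` items are filtered at every `min-integrity` setting. The `"approved"` line also adds "trusted bots" without saying how a bot becomes trusted; a pointer to where that set is defined would help, since it widens what counts as approved.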

Copilot AI commented Mar 21, 2026

The integrity level list mixes quoted string values ("none", "approved", etc.) with an unquoted blocked. Since blocked is still an integrity level string (even though it’s not a valid min-integrity value), this formatting can be confusing. Consider formatting it consistently (e.g., "blocked") and explicitly stating it’s not allowed as a min-integrity setting.

Suggested change
- `blocked` — Items from `blocked-users` (always denied; not a configurable value)
- `"blocked"` — Items from `blocked-users` (always denied; derived integrity only; not allowed as a `min-integrity` setting)
