Extend GraphQL field injection to support commit queries. The Commit
type uses author{user{login}} (different from Issue/PR author{login})
and has no authorAssociation field. This enables the guard's trusted-bot
detection for commit objects.
Also adds a GraphQL pattern for commit history queries (list_commits)
and refactors the injection to use tool-specific field sets.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The Copilot SWE Agent (app/copilot-swe-agent) was not recognized as a trusted first-party bot, causing its PRs to receive none integrity and be filtered by DIFC. Add all login variants:
- copilot-swe-agent[bot] (REST API bot user)
- copilot-swe-agent (without [bot] suffix)
- app/copilot-swe-agent (gh CLI app/ prefix)
Update tests to use a non-builtin bot name for configured-only trusted bot scenarios since copilot-swe-agent is now built-in.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
Adds support for commit-history GraphQL operations to the proxy/guard pipeline so commit authors can be integrity-labeled without extra enrichment, and extends trusted first-party bot detection for Copilot SWE agent identities.
Changes:
- Extend GraphQL request rewriting to inject commit-specific guard fields (author{user{login}}) for list_commits.
- Add GraphQL routing pattern to classify commit history queries as list_commits.
- Update Rust guard trusted-bot detection + tests for additional Copilot SWE agent login variants.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| internal/proxy/graphql_rewrite_test.go | Adds tests for commit-specific field injection behavior. |
| internal/proxy/graphql_rewrite.go | Introduces per-tool field sets and commit-specific injection requirements. |
| internal/proxy/graphql.go | Routes GraphQL commit-history queries to list_commits. |
| guards/github-guard/rust-guard/src/labels/mod.rs | Updates tests for trusted first-party bot detection and configured trusted bots. |
| guards/github-guard/rust-guard/src/labels/helpers.rs | Expands trusted first-party bot login allowlist (Copilot SWE agent variants). |
| // author{user{login}} enables trusted-bot detection. Commits don't have an | ||
| // authorAssociation field in the GraphQL schema. | ||
| var commitFields = []guardFieldSet{ | ||
| {"author{user{login}}", regexp.MustCompile(`\bauthor\s*\{[^}]*\buser\s*\{[^}]*\blogin\b`)}, |
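Review bot: the presence regexp on the author{user{login}} entry uses [^}]* both between author{ and user and between user{ and login, so it cannot look past a closing brace. A selection that already requests login after a nested sub-selection under user, or requests user after a closed sub-selection under author, is reported as missing even though the field is there. Suggest deciding presence from the parsed selection set of the commit author field rather than from a regexp over the query text, or at minimum adding test cases for these nested shapes so the behaviour is pinned down.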
The present regexp for commit fields will never match a real author{user{login}} selection because it uses [^}]* around nested braces; the first [^}]* will greedily consume through user{login and then stop before the inner }, leaving no user{ token for the remainder of the pattern. This causes InjectGuardFields to think the field is missing and inject it again, potentially producing invalid GraphQL or duplicated selections. Consider using non-greedy quantifiers (e.g. [^}]*?) or a different presence check that can handle nested selections reliably.
| {"author{user{login}}", regexp.MustCompile(`\bauthor\s*\{[^}]*\buser\s*\{[^}]*\blogin\b`)}, | |
| {"author{user{login}}", regexp.MustCompile(`(?s)\bauthor\b.*\buser\b.*\blogin\b`)}, |
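Review bot: the replacement pattern (?s)\bauthor\b.*\buser\b.*\blogin\b no longer ties the three names to one selection. Any query in which the words author, user and login appear in that order, in unrelated fields, arguments or comments, counts as already containing author{user{login}}, so the field is not injected and the guard has no commit author login for trusted-bot detection. A false "present" is the worse failure direction for this check; suggest keeping the match scoped to the braces of the author selection, or checking the parsed selection set instead.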
| // Commit history operations | ||
| {queryPattern: regexp.MustCompile(`(?i)\bhistory\s*[\({]`), toolName: "list_commits"}, | ||
|
|
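Review bot: \bhistory\s*[\({] keys on the bare field name, so a field called history on any type is classified as list_commits, and (?i) widens the match further although GraphQL field names are case-sensitive. Because the tool name selects which guard field set is injected, a misrouted query would get the commit fields. Suggest dropping (?i) and requiring commit context in the pattern, for example the ... on Commit fragment that precedes history in commit-history queries.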
A new list_commits GraphQL routing pattern is introduced here, but there isn’t corresponding unit test coverage in the existing TestMatchGraphQL tables to ensure commit-history queries are classified as list_commits (and that other patterns still win when combined). Adding a focused test case for a typical ... on Commit { history(first:...) { nodes { ... } } } query would prevent regressions.