Feature Request
Problem
The submit-pull-request-review safe-output allows the agent to submit reviews with any event type: APPROVE, COMMENT, or REQUEST_CHANGES. There is no way to restrict which event types are allowed at the infrastructure level.
This is a security/governance concern: an AI agent running as github-actions[bot] can approve PRs, and that approval counts toward branch protection review requirements. This can inadvertently satisfy the "required approvals" check, bypassing human review gates.
Current Workaround
The only way to prevent the agent from approving is via prompt instructions (e.g., "Never use APPROVE"). This is a soft control that could be bypassed by prompt injection or agent error.
Proposed Solution
Add an allowed-events filter to submit-pull-request-review, similar to how add-labels has allowed and blocked filters:
safe-outputs:
  submit-pull-request-review:
    max: 1
    allowed-events: [COMMENT, REQUEST_CHANGES] # block APPROVE
This would provide infrastructure-level enforcement that the agent cannot approve PRs, regardless of what the agent attempts to output.
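As an added illustration (not code from the project), the check below shows what the proposed filter would have to do on the safe-output side: normalize the agent-supplied event, reject anything not in the configured allow-list, and fall back to today's allow-everything behaviour only when the key is absent. The config and payload shapes, and the function names, are assumptions mirroring the YAML above.

```javascript
// Added example, not the project's own implementation: enforce a hypothetical
// `allowed-events` filter for submit-pull-request-review at the infrastructure
// level, so an APPROVE emitted by the agent is dropped before it reaches GitHub.
const VALID_EVENTS = ["APPROVE", "COMMENT", "REQUEST_CHANGES"];

// Normalize the agent-supplied event so casing or whitespace variations cannot
// slip an approval past a strict string comparison.
function normalizeEvent(event) {
  return String(event ?? "").trim().toUpperCase();
}

// Returns { ok: true, event } when the review may be submitted, otherwise
// { ok: false, reason }. If `allowed-events` is not configured, every valid
// event is permitted, matching the current behaviour described in the issue.
function enforceAllowedEvents(config, payload) {
  const event = normalizeEvent(payload.event);
  if (!VALID_EVENTS.includes(event)) {
    return { ok: false, reason: `unknown review event: ${JSON.stringify(payload.event)}` };
  }
  const allowed = config["allowed-events"];
  if (allowed === undefined) {
    return { ok: true, event };
  }
  const allowList = new Set(allowed.map(normalizeEvent));
  if (!allowList.has(event)) {
    return {
      ok: false,
      reason: `review event ${event} is not in allowed-events [${[...allowList].join(", ")}]`,
    };
  }
  return { ok: true, event };
}

// Constructed sample config mirroring the proposal: COMMENT and REQUEST_CHANGES
// are allowed, APPROVE is blocked.
const sampleConfig = { max: 1, "allowed-events": ["COMMENT", "REQUEST_CHANGES"] };

// Constructed sample payloads as an agent might emit them.
console.log(enforceAllowedEvents(sampleConfig, { event: "APPROVE" }));
console.log(enforceAllowedEvents(sampleConfig, { event: "REQUEST_CHANGES" }));
```

A rejected review should be logged and surfaced to the workflow rather than silently downgraded, so an unexpected APPROVE attempt is visible as a signal.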
Motivation
In dotnet/msbuild, we have a code review agentic workflow. The agent accidentally approved a PR, which counted as a contributor approval and cleared the required review check. We want to prevent this at the safe-output level rather than relying solely on prompt instructions.