Add pull_request.opened event support to ai-moderator

[Copilot]

Update ai-moderator to handle PR created events

• Analyze current ai-moderator workflow configuration
• Add pull_request.opened event to workflow frontmatter
• Update workflow prompt to handle PR diff analysis
• Test workflow compilation
• Run validation checks (fmt, lint, test)
• Verify lock file changes
• Address feedback: Set cancel-in-progress: false
• Address feedback: Allow workflow to run on fork PRs

Summary of Changes

Workflow Event Trigger:

• Added pull_request: types: [opened] to the workflow's on configuration
• The workflow now triggers on PR creation in addition to issues and comments
• Added forks: "*" to allow the workflow to run on PRs from forked repositories

Concurrency Configuration:

• Explicitly set cancel-in-progress: false to allow concurrent moderation runs to complete without cancellation
• Prevents in-progress spam detection jobs from being cancelled when new events arrive

Fork Support:

• Workflow now runs on PRs from forks by setting forks: "*" in the pull_request configuration
• Removed fork protection checks from both activation and pre_activation jobs

Prompt Instructions:

• Added Context item Add workflow: githubnext/agentics/weekly-research #3: "For Pull Requests: Use pull_request_read with method get_diff to fetch the PR diff and analyze the changes for spam patterns"
• Added new Actions section Add workflow: githubnext/agentics/weekly-research #3 for handling PRs:
  • Instructs the AI to fetch PR diff using GitHub MCP server
  • Analyzes diff for spam patterns (promotional content in comments, suspicious files, mass link injection, AI-generated promotional code comments)
  • Applies appropriate labels (spam, link-spam, ai-generated) if issues detected
  • Applies ai-inspected label if PR appears legitimate

Lock File Changes:

• Added pull_request: types: [opened] event trigger
• Updated concurrency group to handle both issue and PR numbers: ${{ github.event.issue.number || github.event.pull_request.number }}
• Set cancel-in-progress: false (per feedback)
• Added rate limiting for pull_request events
• Removed fork protection checks to allow workflow on fork PRs (per feedback)

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[pelikhan]

@copilot run on forks too

[Copilot]

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/user
  • Triggering command: /usr/bin/gh gh api user --jq .login (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[Copilot]

@copilot run on forks too

Added forks: "*" to the pull_request configuration. The workflow now runs on PRs from forked repositories. (56170a7)

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/user
  • Triggering command: /usr/bin/gh gh api user --jq .login (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[Copilot]

Pull request overview

Updates the ai-moderator agentic workflow to run on newly created pull requests and guide the agent to inspect PR diffs for spam/link-spam signals, in addition to issues and issue comments.

Changes:

• Added pull_request: types: [opened] trigger with forks: "*" and explicit concurrency.cancel-in-progress: false.
• Updated the moderation prompt with PR-specific instructions to fetch and analyze the PR diff and apply moderation labels.
• Regenerated the compiled workflow lock file to reflect the new trigger, concurrency group, and rate-limit events.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File	Description
.github/workflows/ai-moderator.md	Adds PR-open trigger + forks allowance, concurrency config, and PR diff analysis instructions in the prompt.
.github/workflows/ai-moderator.lock.yml	Compiled output reflecting the new PR trigger, updated concurrency group, and rate-limit events including pull_request.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Enabling the workflow on pull_request from forks (forks: "*") means this workflow will run against untrusted PR content. The compiled workflow checks out repo content and executes local actions/scripts (e.g., uses: ./actions/setup), which a fork PR can modify to get arbitrary code execution in the runner. To mitigate, ensure checkouts that provide executable code are pinned to the default branch (or a trusted ref) for PR events, or avoid using local actions when running on fork PRs (alternatively switch to pull_request_target with a safe checkout strategy).

Suggested change

forks: "*"

[Copilot]

With pull_request enabled for forks, safe outputs that write (e.g., adding labels) will typically not work on fork PRs because secrets are not provided and GITHUB_TOKEN is read-only for fork-triggered pull_request workflows. If the intent is to label/moderate fork PRs, consider using pull_request_target (with strict safeguards) or add logic to skip/soft-fail write operations when the PR comes from a fork.

Suggested change

forks: "*"

[Copilot]

Instruction to fetch the full PR diff via pull_request_read --method get_diff is likely to exceed the MCP 25k token response limit on larger PRs (this repo documents pull_request_read large diffs exceeding limits). Consider adjusting the prompt to start with get_files (paginated) and only fetch diffs selectively / for suspicious files, or explicitly handle/avoid oversized diff responses.

Suggested change

	- Fetch the PR diff using `pull_request_read` with method `get_diff`
	- Analyze the diff for spam patterns:
	- First, list changed files using `pull_request_read` with method `get_files` (use pagination if needed)
	- Identify potentially suspicious files (for example, files with large additions, many links, unusual paths, or newly added binaries/scripts)
	- For only those suspicious or relevant files, fetch diffs using `pull_request_read` with method `get_diff` (or an equivalent per-file diff), taking care to avoid oversized responses that might exceed token limits
	- Analyze the selected file diffs for spam patterns:

[Copilot]

This workflow prompt still contains guidance about handling workflow_dispatch, but the workflow’s on: configuration does not include a workflow_dispatch trigger. Consider removing that instruction (or adding the trigger if it’s intended) so the agent doesn’t try to follow a non-existent execution path.