Add command position validation for command triggers to prevent accidental execution #2031

Merged: pelikhan merged 5 commits into main from copilot/update-command-validation-checks on Oct 20, 2025

Copilot AI commented Oct 20, 2025

Problem Summary

The command trigger should require the command to be the first word of the comment/body. Currently, the system uses contains() to check if the command appears anywhere in the text.

Implementation Plan

  • Add a pre-activation step to validate command is first word in text
    • Modified buildPreActivationJob to add command validation step when command trigger is present
    • Created check_command_position.cjs JavaScript script to check command position
    • Updated activation condition to include command position check
  • During safe output collection, prevent generated text from starting with command words
    • Modified sanitize_output.cjs to check for and neutralize command words at start of text
    • Pass GITHUB_AW_COMMAND to safe output sanitization step
  • Update documentation
    • Updated command-triggers.md to document first-word requirement with Astro caution adornment
    • Removed redundant section
    • Updated agentic-authoring instructions
  • Address PR feedback
    • Use Astro Starlight caution adornment for better documentation
    • Remove redundant "Command Position Requirement" section
    • Optimize logic to pass check when text doesn't contain command
  • Tests and formatting
    • All tests passing (10 tests for command position)
    • JavaScript formatting validated

Implementation Details

Pre-Activation Validation

  1. New JavaScript Script: check_command_position.cjs

    • Validates command is the first word in triggering text
    • Optimized to pass check when text is empty or doesn't contain command at all
    • Handles all event types (issues, comments, PRs, discussions)
    • Sets command_position_ok output for activation condition
  2. Compiler Changes:

    • Added CheckCommandPositionStepID and CommandPositionOkOutput constants
    • Modified buildPreActivationJob to add command position check step
    • Updated pre-activation job creation condition to include command triggers
    • Added command position check to activation conditions

Safe Output Protection

  1. Sanitization Enhancement: sanitize_output.cjs

    • Added neutralizeCommandAtStart() function
    • Checks if text starts with command pattern
    • Wraps command in backticks to prevent re-trigger
    • Integrates with existing sanitization pipeline
  2. Environment Variable Pass-through:

    • Modified compiler to pass GITHUB_AW_COMMAND to ingest step
    • Ensures command name is available for sanitization

Testing

  • Added comprehensive test suite for check_command_position.cjs (10 tests)
  • Added tests for command neutralization in sanitize_output.test.cjs (6 tests)
  • All existing tests pass
  • JavaScript formatting validated

Verification

Compiled poem-bot.md and verified:

  • ✅ Pre-activation job includes command position check step with optimized logic
  • ✅ Activation condition includes command_position_ok check
  • GITHUB_AW_COMMAND passed to ingest agent output step
  • ✅ All tests passing
  • ✅ Linting passing

Key Files Modified

  1. pkg/workflow/js/check_command_position.cjs - Validation script with optimized logic
  2. pkg/workflow/js/check_command_position.test.cjs - Tests (10 tests)
  3. pkg/workflow/js/sanitize_output.cjs - Command neutralization
  4. pkg/workflow/js/sanitize_output.test.cjs - Tests (6 new tests)
  5. pkg/workflow/compiler.go - Pre-activation job and env vars
  6. pkg/workflow/js.go - Embed new script
  7. pkg/constants/constants.go - New constants for step IDs
  8. docs/src/content/docs/reference/command-triggers.md - Documentation with Astro adornments
  9. .github/instructions/github-agentic-workflows.instructions.md - Instructions
Original prompt

The command trigger should require the command to be the first word of the comment.

  • add a step in the pre-activation job that validates that the command is the first word, if the text contains the command. Update the activated expression to reflect this check

  • during the collection and validation of safe outputs, ensure that the generated text does not start with any command word to prevent cycles.

  • update docs
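
The two checks this pull request describes (first-word validation before activation, and neutralizing a leading command in generated output), as an added JavaScript sketch that is not the code from `check_command_position.cjs` or `sanitize_output.cjs`. The function names, the trim-and-split matching rule, and the command name `poem-bot` are assumptions made for illustration.

```javascript
// Added illustration; function names and matching rules are assumptions,
// not the project's implementation.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Substring-style check: true if "/command" appears anywhere in the text.
function containsCommand(text, command) {
  return (text || "").includes("/" + command);
}

// Position check as described: pass when the text is empty or does not
// mention the command; otherwise the first word must be exactly "/command".
function commandPositionOk(text, command) {
  if (!text || !containsCommand(text, command)) return true;
  const firstWord = text.trim().split(/\s+/)[0];
  return firstWord === "/" + command;
}

// Activation needs both: the command is mentioned and it is in first position.
function wouldActivate(text, command) {
  return containsCommand(text, command) && commandPositionOk(text, command);
}

// Output-side guard: wrap a leading command in backticks so that posting
// the generated text cannot re-trigger the workflow.
function neutralizeLeadingCommand(text, command) {
  const re = new RegExp("^(\\s*)(/" + escapeRegExp(command) + ")(?=\\s|$)");
  return text.replace(re, (m, ws, cmd) => ws + "`" + cmd + "`");
}

// Constructed sample comment bodies.
const samples = [
  "/poem-bot write a haiku",
  "Thanks! Someone should run /poem-bot on this later.",
  "/poem-bot-v2 is a different command",
  "",
];
for (const body of samples) {
  console.log(JSON.stringify(body),
    "contains:", containsCommand(body, "poem-bot"),
    "activates:", wouldActivate(body, "poem-bot"));
}
console.log(neutralizeLeadingCommand("/poem-bot here is another poem", "poem-bot"));
```

The second and third samples are the cases a substring match gets wrong: both mention `/poem-bot`, but neither starts with it as a whole word.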



Copilot AI and others added 2 commits October 20, 2025 16:14
- Add check_command_position.cjs script to validate command is first word
- Update compiler to add command position check step to pre-activation job
- Update activation condition to include command position check
- Add command neutralization in sanitize_output.cjs to prevent cycles
- Pass GITHUB_AW_COMMAND to safe output steps
- Add comprehensive tests for command position validation
- Update documentation to explain first-word requirement

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add command validation in pre-activation job" to "Add command position validation for command triggers to prevent accidental execution" Oct 20, 2025
Copilot AI requested a review from pelikhan October 20, 2025 16:23

This automatically creates issue/PR triggers (`opened`, `edited`, `reopened`), comment triggers (`created`, `edited`), and conditional execution matching `/command-name` mentions.

**Important**: The command must be the **first word** of the comment or body text to trigger the workflow. This prevents accidental triggers when the command is mentioned elsewhere in the content.
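
Review bot: the **Important** sentence says "first word" without saying whether leading whitespace or blank lines before `/command-name` still count as first position. Spell out the exact matching rule here (for example, whether the body is trimmed before the comparison) so workflow authors can predict which comments trigger.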

Collaborator

@copilot use Astro starlight adornments

Contributor Author

Changed to use Astro Starlight caution adornment in commit a0b2d5c.


**Note**: You cannot combine `command` with `issues`, `issue_comment`, or `pull_request` as they would conflict.

## Command Position Requirement

Collaborator

@copilot remove section

Contributor Author

Removed redundant "Command Position Requirement" section in commit a0b2d5c.

return;
}

if (!text) {

Collaborator

@copilot if !text or not text contains command

Contributor Author

Optimized logic to pass check when text is empty or doesn't contain the command. Updated tests accordingly in commit a0b2d5c.

…optimize logic

- Use Astro caution adornment for command position requirement
- Remove redundant "Command Position Requirement" section
- Optimize check_command_position.cjs to pass check when text is empty or doesn't contain command
- Add test for text without command
- Update test assertions to match new log messages

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI requested a review from pelikhan October 20, 2025 16:36
pelikhan marked this pull request as ready for review October 20, 2025 16:39
@github-actions

Agentic Changeset Generator triggered by this pull request.

pelikhan merged commit 5ca872d into main Oct 20, 2025
4 checks passed
pelikhan deleted the copilot/update-command-validation-checks branch October 20, 2025 16:44