Create REQUEST_CHANGES review for create_pull_request threat-warning mode #34133
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
create_pull_request threat-warning mode
Pull request overview
Adds a formal, blocking-style PR review gate when threat detection returns a warning, aligning threat-warning handling with the existing protected-files “request review” flow and composing both signals into a single review when applicable.
Changes:
- Extend `create_pull_request` to submit a `pulls.createReview` with `event: "REQUEST_CHANGES"` when threat-warning caution is active (and compose with protected-files request-review content).
- Refactor request-changes review body construction to support multiple sections separated by a Markdown divider.
- Update unit tests to mock `createReview` in additional scenarios and assert threat-warning review behavior.
| File | Description |
|---|---|
| actions/setup/js/create_pull_request.cjs | Compose protected-files + threat-warning “request changes” sections and submit a blocking PR review when either signal is present. |
| actions/setup/js/create_pull_request.test.cjs | Add assertions/mocks to verify threat-warning triggers a REQUEST_CHANGES review and non-warning does not. |
Copilot's findings
Comments suppressed due to low confidence (1)
actions/setup/js/create_pull_request.cjs:2080
- This code now creates a REQUEST_CHANGES review for both protected-files and threat-warning cases, but the log message below still says it’s "due to protected files". Update the message to reflect the actual reasons (protected files and/or threat-detection warning) to avoid misleading operational logs.
if (requestChangesSections.length > 0) {
const requestChangesBody = requestChangesSections.join("\n\n---\n\n");
/** @type {{ owner: string, repo: string, pull_number: number, event: "REQUEST_CHANGES" | "COMMENT", body: string, commit_id?: string }} */
const requestChangesParams = {
owner: repoParts.owner,
repo: repoParts.repo,
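Review bot: the JSDoc type on `requestChangesParams` admits `event: "COMMENT"` as well as `"REQUEST_CHANGES"`, while the description states that a blocking REQUEST_CHANGES review is submitted whenever `requestChangesSections` is non-empty; if the COMMENT variant is never produced on this path, narrow the type to `"REQUEST_CHANGES"` so a later edit cannot silently downgrade the gate, and otherwise document which condition selects COMMENT.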
- Files reviewed: 2/2 changed files
- Comments generated: 3
| requestChangesSections.push( | ||
| `Protected files were modified in this pull request and require manual scrutiny before merge. | ||
|
|
||
| Please verify that each protected-file change is intentional, policy-compliant, and safe: | ||
|
|
||
| ${protectedFilesList}` | ||
| ); |
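Review bot: `${protectedFilesList}` is interpolated straight into the Markdown review body; the entries are file paths taken from the pull request's own changed-file set, so a path containing Markdown syntax, a backtick or a newline can change how the list renders. Build the list through a helper that wraps each path in backticks and strips backticks and newlines (the `renderFilesList` helper requested later in this thread is the natural place) instead of relying on the caller to pre-format it.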
| `Threat detection produced a warning for this pull request output. | ||
|
|
||
| These changes need to be scrutinized before merge and only merged after a careful manual review. | ||
|
|
||
| - Detection reason: \`${detectionReason}\` | ||
| - Review workflow run logs: ${runUrl}` |
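Review bot: `detectionReason` is placed inside a single-backtick span, so a reason containing a backtick or newline closes the span early and the remainder renders as ordinary Markdown; since the reason is produced by the detection step from workflow output, replace backticks and newlines before interpolating it, and apply the same check to `runUrl` (for example requiring an `https://` prefix) since it is rendered as a bare link in the review body.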
| expect(createReviewCall.body).toContain("Threat detection produced a warning"); | ||
| expect(createReviewCall.body).toContain("need to be scrutinized"); | ||
| }); | ||
|
|
|
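Review bot: the visible assertions only check two phrases of the body; also assert `createReviewCall.event === "REQUEST_CHANGES"` and that the body contains the detection reason and run URL, so that a regression which downgrades the event to COMMENT or drops the reason from the body fails the test instead of passing on wording alone.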
@copilot move templates to actions/setup/md and use rendertemplatefile also use renderFilesList helper
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Implemented in 6709de0 and 743ab75: moved REQUEST_CHANGES review templates to
…-warning REQUEST_CHANGES review

The `protected-files` policy on `create-pull-request` and `push-to-pull-request-branch` now defaults to `request_review` (creates the PR and submits a REQUEST_CHANGES review) and accepts a fourth value of that same name. The reference tables previously listed only `blocked`/`allowed`/`fallback-to-issue` and marked `blocked` as the default, which no longer matches runtime behavior.

PR #34133 additionally extended `create_pull_request` to submit a REQUEST_CHANGES review when threat detection returns a warning (with the detection reason and run-log link), composing with the protected-files review when both fire. Added a short "When Detection Returns a Warning" note under Error Handling.

Refs: #34133

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
When threat detection returns `warning`, `create_pull_request` already adds a caution message but did not force a formal review gate. This change aligns threat-warning handling with protected-files behavior by creating a blocking-style review signal that requires human scrutiny.

Threat-warning review gating

- Extend `create_pull_request` to submit a PR review with `event: "REQUEST_CHANGES"` when detection caution is active.

Policy composition with protected-files flow

Behavioral coverage updates

- Update `create_pull_request` unit assertions to verify:
  - `REQUEST_CHANGES` review with scrutiny language,
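The section composition described in this PR, as an added example that is not the project's code: it builds the optional protected-files and threat-warning sections, joins them with the Markdown divider, and strips backticks and newlines from the detection reason (which comes from the detection step's output) so it cannot break out of the inline-code span in the review body. The function names and the `signals` shape are assumptions.

```javascript
// Added example, not the project's create_pull_request.cjs.
// Assumed input shape: { protectedFiles: string[], threatWarning: { reason, runUrl } | null }

// The detection reason and file paths are produced from workflow output, so
// they are treated as untrusted text: collapse backticks and line breaks that
// would otherwise terminate the inline-code span or start a new Markdown block.
function sanitizeInline(text) {
  return String(text).replace(/[`\r\n]+/g, " ").trim();
}

function buildRequestChangesSections({ protectedFiles = [], threatWarning = null }) {
  const sections = [];
  if (protectedFiles.length > 0) {
    const list = protectedFiles.map(f => `- \`${sanitizeInline(f)}\``).join("\n");
    sections.push(
      "Protected files were modified in this pull request and require manual scrutiny before merge.\n\n" +
      "Please verify that each protected-file change is intentional, policy-compliant, and safe:\n\n" +
      list
    );
  }
  if (threatWarning) {
    sections.push(
      "Threat detection produced a warning for this pull request output.\n\n" +
      "These changes need to be scrutinized before merge and only merged after a careful manual review.\n\n" +
      `- Detection reason: \`${sanitizeInline(threatWarning.reason)}\`\n` +
      `- Review workflow run logs: ${sanitizeInline(threatWarning.runUrl)}`
    );
  }
  return sections;
}

// Returns the pulls.createReview parameters, or null when neither signal fired
// (no review is submitted in that case, mirroring the "non-warning does not" test).
function buildReviewParams(repoParts, pullNumber, signals) {
  const sections = buildRequestChangesSections(signals);
  if (sections.length === 0) return null;
  return {
    owner: repoParts.owner,
    repo: repoParts.repo,
    pull_number: pullNumber,
    event: "REQUEST_CHANGES",
    body: sections.join("\n\n---\n\n"),
  };
}
```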