Skip to content

Add disclosure-header message for AI authorship disclosure in safe-outputs#44497

Open
pelikhan with Copilot wants to merge 5 commits into
mainfrom
copilot/feature-ai-authorship-footer
Open

Add disclosure-header message for AI authorship disclosure in safe-outputs#44497
pelikhan with Copilot wants to merge 5 commits into
mainfrom
copilot/feature-ai-authorship-footer

Conversation

Copilot AI commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Every workflow using safe-outputs under a maintainer PAT currently needs to repeat the same AI authorship boilerplate string across all 20+ workflows. This adds a first-class disclosure-header opt-in that prepends a built-in AI authorship notice to every safe-output body (issues, comments, PRs, discussions).

Changes

  • Go (SafeOutputMessagesConfig): New DisclosureHeader string field with yaml:"disclosure-header" / json:"disclosureHeader" tags. Parser handles both bool (true → sentinel "true") and custom string.
  • JS (messages_header.cjs): New getDisclosureHeader() alongside getBodyHeader(). When value is "true", renders the built-in DEFAULT_DISCLOSURE_HEADER; otherwise renders the value as a template.
  • 4 handlers (create_issue, add_comment, create_discussion, create_pull_request): Inject disclosure header after any threat-detection caution and before body-header.
  • JSON schema (main_workflow_schema.json): disclosure-header as oneOf: [boolean, string] with explicit ordering docs.

Usage

safe-outputs:
  messages:
    disclosure-header: true   # built-in default
    # or
    disclosure-header: "> 🤖 Custom notice by [{workflow_name}]({run_url})."

Default text:

🤖 Automated content — generated by the Workflow workflow. The account owner did not write or review this content personally.

Body ordering (top → bottom): threat-detection caution → disclosure-headerbody-header → agent content → footer.


Generated by 👨‍🍳 PR Sous Chef · 10.4 AIC · ⌖ 5.15 AIC · ⊞ 7.1K ·
Comment /souschef to run again

Copilot AI and others added 2 commits July 9, 2026 05:56
Adds a new `disclosure-header` configuration option to `safe-outputs.messages`
that prepends an AI authorship disclosure to every message body (issues,
comments, pull requests, discussions).

- Set `disclosure-header: true` to use the built-in default text:
  "> 🤖 **Automated content** — generated by the [{workflow_name}]({run_url})
   workflow. The account owner did **not** write or review this content personally."
- Set `disclosure-header: "<template>"` to use a custom template string
- Supports `{workflow_name}` and `{run_url}` placeholders

The disclosure header is inserted after any threat-detection caution alert and
before any `body-header` and the main body content.

Closes #38566

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Add built-in AI-authorship disclosure footer for safe-outputs Add disclosure-header message for AI authorship disclosure in safe-outputs Jul 9, 2026
Copilot AI requested a review from pelikhan July 9, 2026 05:59
@pelikhan pelikhan marked this pull request as ready for review July 9, 2026 10:56
Copilot AI review requested due to automatic review settings July 9, 2026 10:56
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

🔍 Design Decision Gate 🏗️ is checking for design decision records on this pull request...

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot couldn't run its full agentic review because no GitHub Actions runner was available. Make sure your repository has a runner available to run Copilot's review, or add a copilot-setup-steps.yml file specifying one with the runs-on attribute. See the docs for more details.

Adds an opt-in disclosure-header safe-outputs message that prepends an AI authorship notice (default or custom template) to generated issue/comment/PR/discussion bodies, reducing boilerplate across workflows.

Changes:

  • Extend Go safe-outputs messages config to parse/serialize disclosure-header (bool → sentinel "true" or custom string).
  • Add JavaScript getDisclosureHeader() + default built-in disclosure text, and re-export via messages.cjs.
  • Inject disclosure header into multiple handlers and document the new option in the workflow JSON schema; add unit tests (Go + JS).
Show a summary per file
File Description
pkg/workflow/safe_outputs_messages_test.go Adds Go tests for parsing + JSON serialization of disclosure-header.
pkg/workflow/safe_outputs_messages_config.go Implements Go parsing for disclosure-header (bool/string).
pkg/workflow/safe_outputs_config_types.go Adds DisclosureHeader field + tags to messages config type.
pkg/parser/schemas/main_workflow_schema.json Documents + validates disclosure-header in schema via oneOf boolean/string.
actions/setup/js/messages_header.test.cjs Adds JS tests for getDisclosureHeader() + default template constant.
actions/setup/js/messages_header.cjs Implements DEFAULT_DISCLOSURE_HEADER + getDisclosureHeader().
actions/setup/js/messages.cjs Re-exports getDisclosureHeader.
actions/setup/js/create_pull_request.cjs Injects disclosure header into PR body assembly.
actions/setup/js/create_issue.cjs Injects disclosure header into issue body assembly.
actions/setup/js/create_discussion.cjs Injects disclosure header into discussion body assembly.
actions/setup/js/add_comment.cjs Injects disclosure header into comment prefix assembly.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 11/11 changed files
  • Comments generated: 5
  • Review effort level: Low

Comment on lines +77 to +81
describe("getDisclosureHeader", () => {
it("returns empty string when disclosure-header is not configured", () => {
const result = getDisclosureHeader({ workflowName: WORKFLOW, runUrl: RUN_URL });
expect(result).toBe("");
});

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in 259ec46. actions/setup/js/messages_header.test.cjs now clears GH_AW_SAFE_OUTPUT_MESSAGES in beforeEach, so getDisclosureHeader tests are isolated and order-independent.

Comment on lines +50 to +59
function getDisclosureHeader(ctx) {
const messages = getMessages();
if (!messages?.disclosureHeader) {
return "";
}

const templateContext = toSnakeCase(ctx);
const template = messages.disclosureHeader === "true" ? DEFAULT_DISCLOSURE_HEADER : messages.disclosureHeader;
return renderTemplate(template, templateContext);
}

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Addressed in 259ec46. getDisclosureHeader() now normalizes disclosureHeader values: boolean true and sentinel string use the default template, string values are rendered, and non-string/falsey values return an empty header.

Comment thread actions/setup/js/create_issue.cjs Outdated
Comment on lines +886 to +890
// Inject disclosure header before body header (unshifted after, so it appears first)
const disclosureHeader = getDisclosureHeader({ workflowName, runUrl });
if (disclosureHeader) {
bodyLines.unshift(...disclosureHeader.split("\n"), "");
}

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated in 259ec46. The inline comment was clarified to match the actual flow: disclosure-header is unshifted after body-header in code order but appears above it in output due to prepend semantics (same adjustment applied where this pattern appears).

Comment on lines +10503 to +10506
{
"type": "boolean",
"description": "Set to true to prepend the built-in AI authorship disclosure header to every message body (issues, comments, pull requests, discussions). The default text states the content was automatically generated and was not written or reviewed by the account owner personally."
},

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Handled in 259ec46. The schema/docs now explicitly define boolean false as disabling disclosure-header, removing ambiguity while keeping boolean input support.

Comment on lines +46 to +55
if dh, exists := messagesMap["disclosure-header"]; exists {
switch v := dh.(type) {
case bool:
if v {
config.DisclosureHeader = "true"
}
case string:
config.DisclosureHeader = v
}
}

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Implemented in 259ec46. Introduced named sentinel constants and reused them in Go/JS parsing and disclosure-header rendering paths to avoid magic-string drift across languages.

@pelikhan

pelikhan commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

/matt

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

🧠 Matt Pocock Skills Reviewer failed during the skills-based review.

@gh-aw-bot

Copy link
Copy Markdown
Collaborator

@copilot please run the pr-finisher skill, address unresolved review feedback, and rerun checks once the branch update settles.

Unresolved review feedback to address first:

  • copilot-pull-request-reviewer review feedback remains open.

Run: https://github.com/github/gh-aw/actions/runs/29016118662

Generated by 👨‍🍳 PR Sous Chef · 10.4 AIC · ⌖ 5.15 AIC · ⊞ 7.1K ·
Comment /souschef to run again

Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>

Copilot AI commented Jul 9, 2026

Copy link
Copy Markdown
Contributor Author

@copilot please run the pr-finisher skill, address unresolved review feedback, and rerun checks once the branch update settles.

Unresolved review feedback to address first:...

Addressed the unresolved review feedback in commit 259ec46 (type-safe disclosureHeader handling, sentinel constants, schema false behavior docs, and header-ordering comment clarifications), then reran local checks (make fmt, make lint, make test-unit, make test, make recompile) and parallel validation.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

🤖 PR Triage — Run §29020837798

Field Value
Category feature
Risk 🟡 Medium
Score 58 / 100
Action 🔄 batch_review
Batch safe-outputs-enhance (with #44501)

Score breakdown: Impact 28 + Urgency 16 + Quality 14

Rationale: Adds disclosure-header opt-in to safe-outputs — reduces boilerplate across 20+ workflows. Focused (263 +/ 10 −). Logically coupled with #44501 (content redaction); reviewing both together gives a complete picture of the safe-outputs message pipeline.

Generated by 🔧 PR Triage Agent · 77.6 AIC · ⌖ 14.7 AIC · ⊞ 5.4K ·

@gh-aw-bot

Copy link
Copy Markdown
Collaborator

Copilot AI commented Jul 9, 2026

Copy link
Copy Markdown
Contributor Author

@copilot please run the pr-finisher skill, address the unresolved review feedback below, and rerun checks once the branch is up to date.

Unresolved review feedback:...

Addressed. I replied to each listed Copilot review thread and confirmed the requested fixes are already in 259ec46.

I also reran local checks on the current branch head (make fmt, make lint, make test-unit, make test, make recompile) and they passed.

@gh-aw-bot

Copy link
Copy Markdown
Collaborator

Copilot AI commented Jul 9, 2026

Copy link
Copy Markdown
Contributor Author

pr-sous-chef
@copilot please address these unresolved review threads first:

All five listed Copilot review items are already addressed in 259ec46, and I revalidated the branch locally (make fmt, make lint, make test-unit, make test, make recompile) with passing results and no new diffs.

I also checked the referenced workflow run (29027074231) via MCP logs—there are no failed jobs, and the latest PR runs for head 259ec46 are successful.

I attempted to resolve the remaining review threads programmatically, but GraphQL thread-resolution calls are blocked in this environment with HTTP 403 (proxygh).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Feature: built-in AI-authorship disclosure footer for safe-outputs (or shared snippet support)

4 participants