…conversation resolution

Add mechanical checkpoints (GH-30, GH-31) that verify enforce_admins and required_conversation_resolution via GitHub API, plus an LLM review checkpoint (GH-32) for the combined audit. Without enforce_admins, admins can bypass all branch protection rules including unresolved review threads. Updates verify script to check these settings and security-config.md reference to document the enforce_admins requirement.
Code Review
This pull request updates the GitHub project skill to version 2.11.0, introducing new audits and documentation for branch protection enforcement. It adds mechanical and LLM-based checks to ensure that both 'enforce_admins' and 'required_conversation_resolution' are enabled on the default branch, ensuring that administrators cannot bypass review requirements. Additionally, the verification script has been enhanced to automate these security checks using the GitHub API. I have no feedback to provide as there were no review comments to evaluate.
Pull request overview
Adds branch-protection enforcement auditing to the github-project skill to ensure admins cannot bypass review/thread-resolution requirements, and documents the rationale and configuration steps.
Changes:
- Extend `verify-github-project.sh` to query GitHub's branch protection API and report on `enforce_admins` and `required_conversation_resolution`.
- Add new mechanical checkpoints (GH-30, GH-31) and an LLM audit checkpoint (GH-32) for branch protection enforcement.
- Update security documentation and bump skill version.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| skills/github-project/scripts/verify-github-project.sh | Adds gh api-based checks for enforce_admins and required_conversation_resolution on the default branch. |
| skills/github-project/references/security-config.md | Documents enforce_admins requirement and clarifies interaction with required conversation resolution. |
| skills/github-project/checkpoints.yaml | Introduces GH-30/GH-31 mechanical checks and GH-32 LLM audit prompt for combined enforcement. |
| skills/github-project/SKILL.md | Version bump to 2.11.0. |
Summary
- `enforce_admins` and `required_conversation_resolution` via GitHub API on the default branch
- `verify-github-project.sh` to check these settings when `gh` CLI is available
- `security-config.md` to document the `enforce_admins` requirement and its interaction with conversation resolution

Why
Without `enforce_admins: true`, repository admins can bypass all branch protection rules -- required status checks, required reviews, and required conversation resolution. This means unresolved review threads can be bypassed by admins even when `required_conversation_resolution` is enabled. Both settings must be enabled together for effective protection.

Test plan
- `verify-github-project.sh` against a repo with branch protection to confirm the new checks execute
- `gh api repos/{owner}/{repo}/branches/{branch}/protection --jq '.enforce_admins.enabled'` returns `true`
- `gh api repos/{owner}/{repo}/branches/{branch}/protection --jq '.required_conversation_resolution.enabled'` returns `true`
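The check the test plan describes, written out as an added shell example (not the skill's own `verify-github-project.sh`): the evaluation of the two flags is pure shell so it can be exercised without network access, and the live query assumes an installed, authenticated `gh` CLI. `evaluate_protection`, `check_branch` and the `PASS`/`FAIL`/`WARN` wording are this example's own names.

```shell
#!/usr/bin/env bash
# Added example, not the skill's verify script. Assumes `gh` is installed and
# authenticated for the live query; evaluate_protection itself is pure shell.

# evaluate_protection ENFORCE_ADMINS CONV_RESOLUTION
# Each argument is the string `gh api --jq` prints for the flag
# ("true", "false", or empty/"null" when the field is absent).
# Prints one line per finding; returns 0 only when both flags are true.
evaluate_protection() {
  local enforce="$1" conv="$2" rc=0
  if [ "$enforce" != "true" ]; then
    echo "FAIL GH-30: enforce_admins not enabled; admins can bypass every rule on this branch"
    rc=1
  else
    echo "PASS GH-30: enforce_admins enabled"
  fi
  if [ "$conv" != "true" ]; then
    echo "FAIL GH-31: required_conversation_resolution not enabled"
    rc=1
  else
    echo "PASS GH-31: required_conversation_resolution enabled"
  fi
  # Combined audit (GH-32): conversation resolution without enforce_admins is
  # only advisory, because an admin can still merge over unresolved threads.
  if [ "$conv" = "true" ] && [ "$enforce" != "true" ]; then
    echo "WARN GH-32: required_conversation_resolution is set but not enforced for admins"
  fi
  return "$rc"
}

# check_branch OWNER/REPO [BRANCH] -- live query via the GitHub API.
# A branch with no protection rule makes `gh api` exit non-zero (HTTP 404);
# the audit treats that the same as both flags being off.
check_branch() {
  local repo="$1" branch="${2:-main}" enforce conv
  enforce=$(gh api "repos/$repo/branches/$branch/protection" \
              --jq '.enforce_admins.enabled' 2>/dev/null) || enforce=false
  conv=$(gh api "repos/$repo/branches/$branch/protection" \
           --jq '.required_conversation_resolution.enabled' 2>/dev/null) || conv=false
  evaluate_protection "$enforce" "$conv"
}

# Usage: check_branch owner/repo main
```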