[ci-scan] Allow feedback workflow to edit shared KBE instructions#128832
Open
vitek-karas wants to merge 2 commits into
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Tagging subscribers to this area: @dotnet/runtime-infrastructure
Pull request overview
This PR expands the ci-failure-scan-feedback agent workflow’s permitted edit surface so it can propose (and safely emit) changes not only to the main scanner prompt (ci-failure-scan.md), but also to the shared KBE authoring instructions (shared/create-kbe.instructions.md). The compiled lock workflow is regenerated so the Safe Outputs allow-list matches the updated source workflow.
Changes:
- Extend the workflow description and prompt text to explicitly allow edits to `.github/workflows/shared/create-kbe.instructions.md`.
- Add `.github/workflows/shared/create-kbe.instructions.md` to the Safe Outputs `allowed-files` list for PR creation and branch pushes.
- Regenerate `ci-failure-scan-feedback.lock.yml` so the embedded Safe Outputs config matches the source workflow.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| `.github/workflows/ci-failure-scan-feedback.md` | Updates the workflow’s description, prompt “hard rules”, and Safe Outputs allow-list to include the shared KBE instructions file. |
| `.github/workflows/ci-failure-scan-feedback.lock.yml` | Recompiled lock file reflecting the expanded allow-list; also includes updated embedded Safe Outputs config. |
kotlarmilos approved these changes Jun 1, 2026
Address Copilot review comment on PR dotnet#128832: the rewritten manual-patch comment referenced a phantom 'ci-scan.lock.yml' file that does not exist (only ci-failure-scan.lock.yml and ci-failure-scan-feedback.lock.yml carry this patch). The recompile during this PR also moved the comment block into the middle of the 'needs:' list (between '- agent' and '- pat_pool') and dropped the upstream tracking reference (gh-aw issue dotnet#30232) and the user-visible symptom (the 'Security scanning requires review' CAUTION banner). Restore the canonical comment verbatim from ci-failure-scan.lock.yml so both lock files carry identical, accurate patch documentation. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Note
This pull request description was generated with Copilot assistance.
Summary
Validation