Before: - User type is "Bot" AND not in allowlist: [dependabot, renovate, github-actions]
After: - User type is "Bot" AND not in allowlist: [dependabot, renovate, github-actions, copilot]
Reason: Added copilot to match the documentation on line 328 and prevent false positives
Expected Improvements
✅ Eliminates false positive detections of @Copilot GitHub App
✅ Aligns allowlist implementation with documented policy
✅ Prevents unnecessary security alerts for legitimate automation
Context
This fix addresses issue #15033 where the bot-detection workflow incorrectly flagged @Copilot as suspicious when it authored/merged PR #15026. The Copilot GitHub App is a legitimate automation tool and should be treated the same as other known bots (dependabot, renovate, github-actions).
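To make the threshold rule concrete, here is an added Python sketch that is not part of gh-aw or of the bot-detection workflow itself (the real workflow is an agent prompt in bot-detection.md, not code). The Account type, is_flagged, false_positives and the sample accounts are constructed for illustration; only the two allowlists and the rule text come from the page.

```python
# Added illustration of the "Threshold" rule quoted in the issue:
#   flag if (user type is "Bot" AND login not in allowlist)
#        OR (login ends with "[bot]" AND login is not a known legitimate bot)
# The real gh-aw workflow is an agentic prompt, not this function; the
# allowlists are taken from the patch, everything else is constructed here.
from dataclasses import dataclass

ALLOWLIST_BEFORE = frozenset({"dependabot", "renovate", "github-actions"})
ALLOWLIST_AFTER = ALLOWLIST_BEFORE | {"copilot"}  # the one-line fix in the patch


@dataclass(frozen=True)
class Account:
    login: str  # account name as reported by the API, e.g. "dependabot[bot]"
    type: str   # GitHub API user type: "User" or "Bot"


def normalize(login: str) -> str:
    """Lower-case the login and drop a trailing "[bot]" so that
    "dependabot[bot]" and "Dependabot" both map to "dependabot"."""
    login = login.strip().lower()
    if login.endswith("[bot]"):
        login = login[: -len("[bot]")]
    return login


def is_flagged(account: Account, allowlist: frozenset) -> bool:
    """Apply the threshold rule against a given allowlist."""
    known = normalize(account.login) in allowlist
    bot_type_not_allowed = account.type == "Bot" and not known
    bot_suffix_not_allowed = account.login.lower().endswith("[bot]") and not known
    return bot_type_not_allowed or bot_suffix_not_allowed


def false_positives(accounts, before, after):
    """Logins flagged under the old allowlist but no longer under the new one."""
    return [a.login for a in accounts
            if is_flagged(a, before) and not is_flagged(a, after)]


# Constructed sample accounts (not real API data).
SAMPLE = [
    Account("Copilot", "Bot"),              # the PR author from the issue
    Account("dependabot[bot]", "Bot"),      # allowlisted before and after
    Account("renovate[bot]", "Bot"),        # allowlisted before and after
    Account("unknown-helper[bot]", "Bot"),  # stays flagged under both lists
    Account("octocat", "User"),             # human account, never hits this rule
]

if __name__ == "__main__":
    for acct in SAMPLE:
        print(f"{acct.login:22} before={is_flagged(acct, ALLOWLIST_BEFORE)!s:5} "
              f"after={is_flagged(acct, ALLOWLIST_AFTER)}")
    print("false positives removed by the fix:",
          false_positives(SAMPLE, ALLOWLIST_BEFORE, ALLOWLIST_AFTER))
```

Running it shows "Copilot" as the only account whose verdict changes between the two allowlists; an unknown `[bot]` account stays flagged under both. Note that the rule only ever consults the allowlist for accounts the API reports as type "Bot" or whose login ends in `[bot]`, so the allowlist entry must match the login the Copilot app actually presents, and adding it does not exempt any human-typed account that happens to use the same name.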
Validation
✅ Single-line surgical change to allowlist
✅ No lock file changes (will be compiled automatically)
The patch file is available in the agent-artifacts artifact in the workflow run linked above.
To apply the patch locally:
# Download the artifact from the workflow run https://github.com/github/gh-aw/actions/runs/21928155640
# (Use GitHub MCP tools if gh CLI is not available)
gh run download 21928155640 -n agent-artifacts
# The patch file will be at agent-artifacts/tmp/gh-aw/aw.patch after download
# Apply the patch
git am agent-artifacts/tmp/gh-aw/aw.patch
Show patch (30 lines)
From b2e4b4327b046d34e3fd4b02b311883a7610cbad Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Thu, 12 Feb 2026 00:11:38 +0000
Subject: [PATCH] fix(bot-detection): Add copilot to bot allowlist
The copilot user is a legitimate GitHub App that should not be flagged
as suspicious. This change adds 'copilot' to the bot allowlist on line 197
to match the documentation on line 328 which already lists it as a known
legitimate bot.
---
.github/workflows/bot-detection.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/bot-detection.md b/.github/workflows/bot-detection.md
index bca5c0f..f483d86 100644
--- a/.github/workflows/bot-detection.md+++ b/.github/workflows/bot-detection.md@@ -194,7 +194,7 @@ Analyze the account for these 8 specific red flags:
3. For bots: Verify if it's a legitimate, known bot (dependabot, renovate, github-actions)
**Threshold**: Flag if:
-- User type is "Bot" AND not in allowlist: [dependabot, renovate, github-actions]+- User type is "Bot" AND not in allowlist: [dependabot, renovate, github-actions, copilot]
- OR username ends with `[bot]` but isn't a known legitimate bot
## Analysis Process
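Review bot: the unchanged context line `3. For bots: Verify if it's a legitimate, known bot (dependabot, renovate, github-actions)` directly above the edited threshold still names only three bots, so after this hunk the analysis step and the threshold disagree about whether copilot is a known legitimate bot; add copilot to that enumeration as well. The commit message says the documentation on line 328 already lists copilot, but that line is not in this hunk, so the claim cannot be checked from the patch; the PR description should also state the exact login the Copilot app uses, since the threshold matches the allowlist entry `copilot` against the account name and the issue refers to the author as @Copilot.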
--
2.52.0
Workflow Optimization Report
Fixes #15033
Note
This was originally intended as a pull request, but the git push operation failed.
Workflow Run: View run details and download patch artifact