Restrict bash tools for read-only reviewer agents #37927
Merged
deyaaeldeen merged 1 commit into main on Apr 1, 2026
Pull request overview
This PR hardens several read-only reviewer workflows by replacing unrestricted `bash: true` with an explicit shell-command allowlist so the compiled `*.lock.yml` uses `--allow-tool shell(...)` instead of `--allow-all-tools`, reducing exposure in `pull_request_target` contexts.
Changes:
- Add explicit `bash:` allowlists to 5 reviewer workflow definition files (`*.md`).
- Regenerate the corresponding 5 compiled workflow lock files (`*.lock.yml`) to pass explicit `--allow-tool` arguments to the Copilot CLI.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| .github/workflows/tester.md | Switch bash from unrestricted to an explicit allowlist for the Tester agent. |
| .github/workflows/tester.lock.yml | Regenerated lock file to replace --allow-all-tools with explicit --allow-tool entries. |
| .github/workflows/sentinel.md | Switch bash from unrestricted to an explicit allowlist for the Sentinel agent. |
| .github/workflows/sentinel.lock.yml | Regenerated lock file to use explicit --allow-tool entries. |
| .github/workflows/scribe.md | Declare an explicit bash allowlist for the Scribe agent (previously undeclared). |
| .github/workflows/scribe.lock.yml | Regenerated lock file to use explicit --allow-tool entries. |
| .github/workflows/dexter.md | Switch bash from unrestricted to an explicit allowlist for the Dexter agent. |
| .github/workflows/dexter.lock.yml | Regenerated lock file to use explicit --allow-tool entries. |
| .github/workflows/archie.md | Switch bash from unrestricted to an explicit allowlist (including git:*) for the Archie agent. |
| .github/workflows/archie.lock.yml | Regenerated lock file to use explicit --allow-tool entries (including shell(git:*)). |
Replace `bash: true` (unrestricted) with explicit safe-command allowlists for the 5 read-only reviewer workflows. This causes gh-aw to compile `--allow-tool shell(...)` instead of `--allow-all-tools`, reducing the attack surface for prompt injection on pull_request_target workflows.

Changes:
- archie: bash: ["cat","date","echo","git:*","grep","head","ls","pwd","sort","tail","uniq","wc"]
- dexter, sentinel, tester: bash: ["cat","date","echo","grep","head","ls","pwd","sort","tail","uniq","wc"]
- scribe: same (was missing bash declaration entirely)

dash and mgmt-review are unchanged (they need unrestricted bash for benchmarking and code fixes respectively).

Resolves: github/gh-aw#23198

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
721b8a5 to 6ba47aa
jeremymeng approved these changes Apr 1, 2026
What
Restrict the `bash` tool in 5 read-only reviewer workflows from unrestricted (`bash: true`) to an explicit safe-command allowlist. This causes `gh-aw` to compile `--allow-tool shell(...)` instead of `--allow-all-tools`, reducing the attack surface for prompt injection on `pull_request_target` workflows.

Changes
| Before | After |
|---|---|
| `bash: true` | `bash: ["cat","date","echo","git:*","grep","head","ls","pwd","sort","tail","uniq","wc"]` |
| `bash: true` | `bash: ["cat","date","echo","grep","head","ls","pwd","sort","tail","uniq","wc"]` |
| `bash: true` | `bash: true` |

dash and mgmt-review are unchanged — they need unrestricted bash for benchmarking and code fixes respectively.

Why
All reviewer agents run on `pull_request_target` and process untrusted PR content. With `bash: true`, the compiled lock file includes `--allow-all-tools`, granting the Copilot CLI agent access to file-write, file-edit, and arbitrary shell execution — none of which read-only reviewers need.

Verification
All 5 lock files now compile with explicit `--allow-tool` flags instead of `--allow-all-tools`:
- `--allow-tool github`
- `--allow-tool safeoutputs`
- `--allow-tool write`
- `--allow-tool shell(cat)`, `shell(grep)`, `shell(head)`, etc.
- `--allow-tool shell(git:*)` for API report diffing

Resolves github/gh-aw#23198
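
A regression check for the property stated under Verification, added here as an example; it is not part of this PR or of gh-aw. The allowlist and the dash/mgmt-review exemption come from the PR description, while the lock-file excerpts, the quoting of `--allow-tool` arguments and the function names are assumptions.

```python
import re

# Allowlist from the PR description; git:* is granted to archie only.
BASE = {"cat", "date", "echo", "grep", "head", "ls", "pwd", "sort", "tail", "uniq", "wc"}
APPROVED = {"archie": BASE | {"git:*"}}   # every other reviewer gets BASE
EXEMPT = {"dash", "mgmt-review"}          # the PR leaves these on unrestricted bash

# Accepts quoted and unquoted arguments; the quoting style is an assumption.
TOOL_RE = re.compile(r"""--allow-tool\s+['"]?([^\s'"]+)""")
SHELL_RE = re.compile(r"shell\(([^)]*)\)")


def audit_lock(name, text):
    """Return findings for one compiled lock file, given its workflow name and text."""
    if name in EXEMPT or "pull_request_target" not in text:
        return []
    findings = []
    if "--allow-all-tools" in text:
        findings.append(f"{name}: --allow-all-tools on pull_request_target")
    allowed = APPROVED.get(name, BASE)
    for tool in TOOL_RE.findall(text):
        match = SHELL_RE.fullmatch(tool)
        if match and match.group(1) not in allowed:
            findings.append(f"{name}: {tool} is outside the approved allowlist")
    return findings


# Constructed lock-file excerpts (not real gh-aw output), keyed by workflow name.
SAMPLES = {
    "archie": "on: pull_request_target\nrun: copilot --allow-tool github "
              "--allow-tool 'shell(cat)' --allow-tool 'shell(git:*)'\n",
    "tester": "on: pull_request_target\nrun: copilot --allow-tool github "
              "--allow-tool 'shell(grep)' --allow-tool 'shell(curl)'\n",
    "sentinel": "on: pull_request_target\nrun: copilot --allow-all-tools\n",
    "dash": "on: pull_request_target\nrun: copilot --allow-all-tools\n",
}


def audit_all(samples):
    """Audit every (name, text) pair and return the combined findings."""
    return [f for name, text in sorted(samples.items()) for f in audit_lock(name, text)]


if __name__ == "__main__":
    for finding in audit_all(SAMPLES):
        print(finding)
```

Run against the real `*.lock.yml` contents in CI, a non-empty result means a reviewer workflow has drifted back to `--allow-all-tools` or gained a shell command outside the reviewed list.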