Skip to content

Surface pre-activation denial reason in job summary#24792

Merged
pelikhan merged 6 commits intomainfrom
copilot/fix-bot-gated-pr-review-issue
Apr 6, 2026
Merged

Surface pre-activation denial reason in job summary#24792
pelikhan merged 6 commits intomainfrom
copilot/fix-bot-gated-pr-review-issue

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Apr 6, 2026
edited
Loading

When pre_activation denies activation (bot/role gate), all downstream jobs silently skip — leaving the PR with no check row, no neutral indicator, and no visible reason. The only trace is buried in raw job logs.

What changes

Each pre-activation check script now writes a $GITHUB_STEP_SUMMARY directly at the point of denial — no extra compiled step required. When a check denies activation, it emits a summary rendered from a shared markdown template with the specific reason and a targeted remediation hint.

Example summary output when a bot is denied:

## ⏭️ Workflow Activation Skipped

> Access denied: User 'prd-to-prod-pipeline[bot]' is not authorized. Required permissions: admin, maintainer, write. ...

**Remediation:** To allow a bot or GitHub App actor, add it to `on.bots:` in the workflow frontmatter. To change the required roles for human actors, update `on.roles:` in the workflow frontmatter.

Markdown template

actions/setup/md/pre_activation_skip.md defines the summary layout with {reason} and {remediation} placeholders. The file is copied to ${RUNNER_TEMP}/gh-aw/prompts/ at runtime by setup.sh (alongside all other prompt templates). A shared helper pre_activation_summary.cjs uses renderTemplateFromFile from messages_core.cjs to load and render it; if the template is unavailable it falls back to a hardcoded equivalent.

Check scripts updated

Script When summary is written
check_membership.cjs insufficient_permissions, bot_not_active, api_error, config_error
check_skip_bots.cjs Actor is in on.skip-bots list
check_skip_roles.cjs Actor has a role in on.skip-roles list
check_stop_time.cjs Workflow has passed its on.stop-after time
check_skip_if_match.cjs on.skip-if-match query matched
check_skip_if_no_match.cjs on.skip-if-no-match query returned too few results
check_skip_if_check_failing.cjs CI checks on the target branch are failing
check_command_position.cjs Trigger comment doesn't start with the required command

Each script calls writeDenialSummary(reason, remediation) from pre_activation_summary.cjs instead of inlining markdown.

No compiler changes needed

The denial summary is written inline within the existing check step — no additional step is added to compiled workflow YAML and no new compiler logic or constants are required.

Copilot AI linked an issue Apr 6, 2026 that may be closed by this pull request
bot-gated PR review runs can disappear with no review check or surfaced skip reason #24755
Closed
This was referenced Apr 6, 2026
Closed
Closed
@pelikhan
Add report-skip-reason step to pre_activation job to surface denial r…
c6878bd 
…easons in job summary (#bot-gated-pr-review-issue)

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/067ab295-8ff2-4434-9c93-bad0eb8fe31b

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix disappearing bot-gated PR review runs Surface pre-activation denial reason in job summary Apr 6, 2026
Copilot AI requested a review from pelikhan April 6, 2026 01:00
This was referenced Apr 6, 2026
Closed
Merged
Closed
pelikhan
pelikhan reviewed Apr 6, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@pelikhan pelikhan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot integrate the new code in the existing check membership script to save adding a new step

Copilot AI and others added 2 commits April 6, 2026 01:32
Copy link
Copy Markdown
Contributor Author

Copilot AI commented Apr 6, 2026
edited
Loading

@copilot integrate the new code in the existing check membership script to save adding a new step

Done in 516fff6. The denial summary is now written inline within each existing check script at the point of denial — no separate step needed. Each check (check_membership, check_skip_bots, check_skip_roles, check_stop_time, check_skip_if_match, check_skip_if_no_match, check_skip_if_check_failing, check_command_position) writes a $GITHUB_STEP_SUMMARY with the reason and a targeted remediation hint when it denies activation. The dedicated report_pre_activation_skip.cjs script and the compiler-level generateReportSkipStep() have been removed.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw ache/go/1.25.8/xrev-parse /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel ache/go/1.25.8/xrev-parse /usr/bin/git git (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw git /usr/bin/git node /opt�� install --package-lock-only /usr/bin/git --show-toplevel git /opt/hostedtoolcnpx prettier --write &#39;../../../**/*.json&#39; &#39;!../../../pkg/workflow/js/**/*.json&#39; --ignore-path ../../../.prettierignore git (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha -unreachable=false /tmp/go-build3691532078/b111/vet.cfg 1532078/b356/vet.cfg (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha 64/pkg/tool/linu--show-toplevel git /opt/hostedtoolcache/node/24.14.1/x64/bin/node --show-toplevel 64/pkg/tool/linurev-parse /usr/bin/git node js/f�� 64/pkg/tool/linu--show-toplevel git /usr/bin/bash --show-toplevel 64/pkg/tool/linurev-parse /usr/bin/git bash (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha /home/REDACTED/work/gh-aw/gh-aw/.github/workflows rev-parse /usr/bin/infocmp /tmp/gh-aw/aw-fegit node /usr/bin/git infocmp -1 xterm-color git /snap/bin/bash json&#39; --ignore-pgit git 1/x64/bin/node bash (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha --local .cfg 64/pkg/tool/linux_amd64/vet .test.cjs test.cjs (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha --show-toplevel git 1/x64/bin/node --show-toplevel (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha ithub/workflows **/*.cjs (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha -bool -buildtags /usr/bin/git -errorsas -ifaceassert -nilfunc git rev-�� --show-toplevel -tests /usr/bin/git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha &#34;vitest&#34; run check_membership.test.cjs check_skip_bots.test.cjs check_skip_roles.test.cjs check_git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel x_amd64/vet /usr/bin/git git rev-�� --show-toplevel git /opt/hostedtoolcache/node/24.14.1/x64/bin/node --show-toplevel x_amd64/vet /usr/bin/git node (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha --noprofile (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha se 1532078/b312/vet.cfg /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha pkg/mod/github.com/stretchr/testify@v1.11.1/require/doc.go pkg/mod/github.com/stretchr/testify@v1.11.1/require/forward_requirements.go 1532078/b160/vet.cfg (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha &#34;vitest&#34; run check_membership.test.cjs check_skip_bots.test.cjs check_skip_roles.test.cjs check_git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel x_amd64/vet /usr/bin/git git rev-�� --show-toplevel git /opt/hostedtoolcache/node/24.14.1/x64/bin/node --show-toplevel x_amd64/vet /usr/bin/git node (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha /home/REDACTED/work/gh-aw/gh-aw/.github/workflows config /usr/bin/git remote.origin.urgit node /usr/bin/grep git -C /home/REDACTED/work/gh-aw/gh-aw/.github/workflows rev-parse /usr/bin/gh js/**/*.json&#39; --git /tmp/gh-aw/aw-marev-parse $name) { has--show-toplevel /usr/bin/gh (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha &#34;vitest&#34; run check_membership.test.cjs check_skip_bots.test.cjs check_skip_roles-p (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel x_amd64/vet /usr/bin/git git rev-�� --show-toplevel git /opt/hostedtoolcache/node/24.14.1/x64/bin/node --show-toplevel x_amd64/vet /usr/bin/git node (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha xterm-color erena-mcp-server:latest /usr/bin/git /ref/tags/v8 node $name) { has--show-toplevel git -C /home/REDACTED/work/gh-aw/gh-aw/.github/workflows rev-parse /usr/bin/git js/**/*.json&#39; --git node $name) { has--show-toplevel git (http block)
  • https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha gated-pr-review-issue^{commit} .cfg 64/pkg/tool/linux_amd64/vet js check_skip_ifgit (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha --show-toplevel git 1/x64/bin/node --show-toplevel (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha ithub/workflows on rkflow/js/**/*.json /../../.prettiergit erignore /usr/bin/git sh -c ithub/workflows git /usr/bin/sh l git /usr/bin/git sh (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha install --package-lock-only /usr/bin/git --show-toplevel git /opt/hostedtoolcnpx prettier --write &#39;../../../**/*.json&#39; &#39;!../../../pkg/workflow/js/**/*.json&#39; --ignore-path ../../../.prettierignore git /pre�� --show-toplevel node modules/@npmcli/run-script/lib/node-gyp-bin/sh 64/pkg/tool/linu/usr/bin/git git /opt/hostedtoolc--get-regexp git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel git /opt/hostedtoolc--write git rev-�� --show-toplevel node /usr/bin/git 64/pkg/tool/linugit git /opt/hostedtoolc/home/REDACTED/work/gh-aw/gh-aw/.github/workflows git (http block)
  • https://api.github.com/repos/github/gh-aw
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility --show-toplevel git 1/x64/bin/node --show-toplevel git /usr/bin/git git rev-�� th .prettierignore --log-level=e!../../../pkg/workflow/js/**/*.json git r: $owner, name: $name) { hasDiscussionsEnabled } } --show-toplevel git /usr/bin/git git (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel x_amd64/vet /usr/bin/git git rev-�� --show-toplevel git /opt/hostedtoolcache/node/24.14.1/x64/bin/node --show-toplevel x_amd64/vet /usr/bin/git node (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha k/gh-aw/gh-aw/.github/workflows config /usr/bin/infocmp remote.origin.urgit node modules/@npmcli/--show-toplevel infocmp -1 xterm-color git /usr/bin/gh --count 019adb3dd7462790rev-parse DiscussionsEnabl--show-toplevel /usr/bin/gh (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha get .cfg 64/pkg/tool/linux_amd64/vet js check_skip_ifgit (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha --show-toplevel git 1/x64/bin/node --show-toplevel -tests /usr/bin/git git rev-�� --show-toplevel git 1/x64/bin/node --show-toplevel (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha 1/x64/bin/node :latest /home/REDACTED/work/node_modules/.bin/node --show-toplevel git /usr/bin/git node /opt�� ithub/workflows --write (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha get .cfg 64/pkg/tool/linux_amd64/vet js check_skip_ifgit (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha --show-toplevel git 1/x64/bin/node --show-toplevel -tests /usr/bin/git git rev-�� --show-toplevel git 1/x64/bin/node --show-toplevel (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha ithub/workflows git (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel -tests /usr/bin/git check_skip_rolesgit (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel 64/pkg/tool/linurev-parse /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel ache/go/1.25.8/x-c /usr/bin/git git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel git 64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel 64/pkg/tool/linuconfig /usr/bin/git --show-toplevel git de/node/bin/sh git (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha check_skip_roles.test.cjs check_stop_time.test.cjs check_skip_if_match.test.cjs check_skip_if_no/opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git ck_membership.tenode commit.gpgsign .cfg git rev-�� --show-toplevel ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet /usr/bin/git se 1532078/b128/vetjs/fuzz_sanitize_label_harness.cjs .cfg git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha ./../pkg/workfloremote.origin.url git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git ules/.bin/sh --show-toplevel git /usr/bin/git git (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/-
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/- --jq .object.sha --show-toplevel node $name) { hasDiscussionsEnabled } } 64/pkg/tool/linugit git /opt/hostedtoolc/home/REDACTED/work/gh-aw/gh-aw/.github/workflows sed -n js/**/*.json&#39; --ignore-path ../../../.prettierignore node /usr/bin/git 64/pkg/tool/linugit git /usr/bin/git git (http block)
  • https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha check_skip_roles.test.cjs check_stop_time.test.cjs check_skip_if_match.test.cjs check_skip_if_no/opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha heckout/git/ref/tags/v6 64/pkg/tool/linux_amd64/vet /usr/bin/git ck_membership.tenode commit.gpgsign .cfg git rev-�� --show-toplevel ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet /usr/bin/git se 1532078/b085/vetjs/fuzz_sanitize_label_harness.cjs .cfg git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha ./../pkg/workfloremote.origin.url git $name) { hasDiscussionsEnabled } } --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git h --show-toplevel git /usr/bin/git git (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI requested a review from pelikhan April 6, 2026 01:37
@pelikhan
Copy link
Copy Markdown
Collaborator

pelikhan commented Apr 6, 2026

@copilot use markdown templates in actions/setup/md and renderTemplateFile to create the messages.

Copy link
Copy Markdown
Contributor Author

Copilot AI commented Apr 6, 2026
edited
Loading

@copilot use markdown templates in actions/setup/md and renderTemplateFile to create the messages.

Done in aebc5d6. Added actions/setup/md/pre_activation_skip.md with {reason} and {remediation} placeholders. A new shared helper pre_activation_summary.cjs uses renderTemplateFromFile from messages_core.cjs to load and render this template at runtime (from ${RUNNER_TEMP}/gh-aw/prompts/ where setup.sh copies it). All 8 check scripts now call writeDenialSummary(reason, remediation) from the shared helper.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw credential.helperev-parse 1/x64/bin/npx git rev-�� --show-toplevel git (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha -unreachable=false /tmp/go-build573164802/b134/vet.cfg 164802/b360/vet.cfg (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha te &#39;../../../**/*.json&#39; &#39;!../../../pkg/workflow/-errorsas cfg 64/pkg/tool/linux_amd64/vet .test.cjs check_git (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha get --local bin/sh pull.rebase (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha -bool -buildtags /usr/bin/git -errorsas -ifaceassert -nilfunc git rev-�� --show-toplevel -tests /usr/bin/git json&#39; --ignore-pgit --local 86_64/node git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git */*.json&#39; &#39;!../.git .test.cjs x_amd64/vet git rev-�� --show-toplevel x_amd64/vet /usr/bin/gh _activation_summgit (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha &#34;vitest&#34; run pre_activation_summary.test.cjs check_membership.test.cjs check_skip_bots.test.cjs git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git */*.ts&#39; &#39;**/*.jsgit (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha &#34;vitest&#34; run pre_activation_summary.test.cjs check_membership.test.cjs check_ski-p k/_temp/runtime-logs/command.sh 164802/b155/vet.cfg ignore-path ../.git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha &#34;vitest&#34; run pre_activation_summary.test.cjs check_membership.test.cjs check_skip_bots.test.cjs git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git */*.ts&#39; &#39;**/*.jsgit (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha &#34;vitest&#34; run pre_activation_summary.test.cjs check_membership.test.cjs check_skip_bots.test.cjs git (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha &#34;vitest&#34; run pre_activation_summary.test.cjs check_membership.test.cjs check_skip_bots.test.cjs git (http block)
  • https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha --exclude-standard cfg 64/pkg/tool/linux_amd64/vet .test.cjs check_git (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha &#34;vitest&#34; run pre_activation_summary.test.cjs check_membership.test.cjs check_ski-p (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha te &#39;**/*.cjs&#39; &#39;**/*.ts&#39; &#39;**/*.json&#39; --ignore-pat-c=4 cfg 64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha te &#39;**/*.cjs&#39; &#39;**/*.ts&#39; &#39;**/*.json&#39; --ignore-pat-errorsas cfg 64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel -tests /usr/bin/git get ode_modules/viterev-parse rgo/bin/bash git rev-�� --show-toplevel ode_modules/vite-buildtags /usr/bin/git get --local de_modules/.bin/git-upload-pack &#39;origin&#39; git (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha st.cjs check_skip_bots.test.cjs check_skip_roles.test.cjs check_stop_time.test.cjs check_skip_if/opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet --local k/_temp/ghcca-node/node/bin/bash _match.test.cjs /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha st.cjs check_skip_bots.test.cjs check_skip_roles.test.cjs check_stop_time.test.cjs check_skip_if/opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet --local 1/x64/bin/sh _match.test.cjs /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)

If you need me to access, download, or install something from one of these locations, you can either:

@pelikhan pelikhan marked this pull request as ready for review April 6, 2026 02:14
Copilot AI review requested due to automatic review settings April 6, 2026 02:14
Copilot AI reviewed Apr 6, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR makes pre-activation denials visible in the GitHub Actions job summary by having pre-activation check scripts write a standardized “activation skipped” summary (rendered from a shared markdown template) at the point they deny activation.

Changes:

  • Added a shared markdown template and helper (writeDenialSummary) to render/write a denial summary to $GITHUB_STEP_SUMMARY.
  • Updated multiple pre-activation check scripts to call the shared helper when they deny activation (bots/roles/stop-time/query/check-failing/command-position, etc.).
  • Added/updated Vitest coverage to exercise the new helper and accommodate summary-writing in relevant script tests.
Show a summary per file
File Description
pkg/workflow/compiler_pre_activation_job.go Adds a new comment near pre-activation job compilation logic (currently misleading).
actions/setup/md/pre_activation_skip.md New shared markdown template for “activation skipped” job summary output.
actions/setup/js/pre_activation_summary.cjs New helper to render/write denial summaries (template-first with fallback).
actions/setup/js/pre_activation_summary.test.cjs New tests for template rendering + fallback behavior.
actions/setup/js/check_stop_time.cjs Writes denial summary when stop-time prevents activation.
actions/setup/js/check_skip_roles.cjs Writes denial summary when actor role is in skip-roles.
actions/setup/js/check_skip_roles.test.cjs Mocks/adjusts summary behavior for new denial summary calls.
actions/setup/js/check_skip_if_no_match.cjs Writes denial summary when query returns too few matches.
actions/setup/js/check_skip_if_no_match.test.cjs Adds a core.summary mock to support new summary writes.
actions/setup/js/check_skip_if_match.cjs Writes denial summary when query exceeds match threshold.
actions/setup/js/check_skip_if_check_failing.cjs Writes denial summary when base-branch checks are failing.
actions/setup/js/check_skip_if_check_failing.test.cjs Adds a core.summary mock to support new summary writes.
actions/setup/js/check_skip_bots.cjs Writes denial summary when actor is in skip-bots.
actions/setup/js/check_skip_bots.test.cjs Adds a core.summary mock to support new summary writes.
actions/setup/js/check_membership.cjs Writes denial summary for config/bot/permission/api denial outcomes.
actions/setup/js/check_membership.test.cjs Stubs the new helper module to keep membership tests self-contained.
actions/setup/js/check_command_position.cjs Writes denial summary when trigger comment doesn’t start with required command.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 17/17 changed files
  • Comments generated: 2

pkg/workflow/compiler_pre_activation_job.go
Comment on lines +442 to 446
// generateReportSkipStep generates the "Report skip reason" step for the pre-activation job.
// The step runs with if: always() and writes skip reasons to the GitHub Actions job summary
// extractPreActivationCustomFields extracts custom steps and outputs from jobs.pre-activation field in frontmatter.
// It validates that only steps and outputs fields are present, and errors on any other fields.
// If both jobs.pre-activation and jobs.pre_activation are defined, imports from both.
Copy link

Copilot AI Apr 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The added Go doc comment references generateReportSkipStep, but there is no such function in this file (and the comment is placed immediately before extractPreActivationCustomFields). This is misleading in Godoc and can confuse future readers. Either add/restore the referenced function, or move/rename this comment to match the actual function it documents.

Suggested change
// generateReportSkipStep generates the "Report skip reason" step for the pre-activation job.
// The step runs with if: always() and writes skip reasons to the GitHub Actions job summary
// extractPreActivationCustomFields extracts custom steps and outputs from jobs.pre-activation field in frontmatter.
// It validates that only steps and outputs fields are present, and errors on any other fields.
// If both jobs.pre-activation and jobs.pre_activation are defined, imports from both.
// extractPreActivationCustomFields extracts custom steps and outputs from the
// jobs.pre-activation field in frontmatter.
// It validates that only steps and outputs fields are present, and errors on
// any other fields.
// If both jobs.pre-activation and jobs.pre_activation are defined, it imports
// from both.

Copilot uses AI. Check for mistakes.
actions/setup/js/pre_activation_summary.cjs
content = renderTemplateFromFile(templatePath, { reason, remediation });
} catch (err) {
// Log unexpected errors but still fall through to the hardcoded fallback
if (err && typeof err === "object" && "code" in err && err.code !== "ENOENT") {
Copy link

Copilot AI Apr 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The catch block intends to log “unexpected errors”, but it only warns when the thrown value has a code property and that code is not ENOENT. If renderTemplateFromFile throws an Error without code, the error is silently swallowed and you fall back without any warning. Consider warning for all errors except ENOENT (including when err.code is missing) so template rendering problems don’t get hidden.

Suggested change
if (err && typeof err === "object" && "code" in err && err.code !== "ENOENT") {
const isEnoent = !!(err && typeof err === "object" && "code" in err && err.code === "ENOENT");
if (!isEnoent) {

Copilot uses AI. Check for mistakes.
@pelikhan pelikhan merged commit 44233cc into main Apr 6, 2026
65 of 67 checks passed
@pelikhan pelikhan deleted the copilot/fix-bot-gated-pr-review-issue branch April 6, 2026 02:20
This was referenced Apr 6, 2026
Closed
Closed
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@pelikhan pelikhan Awaiting requested review from pelikhan

Assignees

@pelikhan pelikhan

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

bot-gated PR review runs can disappear with no review check or surfaced skip reason

3 participants

@pelikhan