Commit effa00e
fix(guard): add copilot-swe-agent to trusted first-party bots (#2777)
PRs opened by Copilot's coding agent (`app/copilot-swe-agent`) were not
recognized as trusted first-party bots, causing them to receive
`none`/`unapproved` integrity. On public repos with auto-defaulted
`min-integrity: approved`, this blocked `pull_request_read` on any PR
the agent authored — a chicken-and-egg problem for PR review workflows.
## Changes
- **`guards/github-guard/rust-guard/src/labels/helpers.rs`** — add all
three login variants to `is_trusted_first_party_bot()`:
```rust
|| lower == "copilot-swe-agent[bot]" // REST API bot user
|| lower == "copilot-swe-agent" // without [bot] suffix
|| lower == "app/copilot-swe-agent" // gh CLI app/ prefix
```
- **`guards/github-guard/rust-guard/src/labels/mod.rs`** — extend
`test_trusted_first_party_bot_detection` to assert all three variants
are trusted, including case-insensitive matching
> [!WARNING]
>
> <details>
> <summary>Firewall rules blocked me from connecting to one or more addresses (expand for details)</summary>
>
> #### I tried to connect to the following addresses, but was blocked by firewall rules:
>
> - `example.com` (dns block)
> - `invalid-host-that-does-not-exist-12345.com` (dns block)
> - `nonexistent.local` (dns block)
> - `slow.example.com` (dns block)
> - `this-host-does-not-exist-12345.com` (dns block)
>
> If you need me to access, download, or install something from one of these locations, you can either:
>
> - Configure [Actions setup steps](https://gh.io/copilot/actions-setup-steps) to set up my environment, which run before the firewall is enabled
> - Add the appropriate URLs or hosts to the custom allowlist in this repository's [Copilot coding agent settings](https://github.com/github/gh-aw-mcpg/settings/copilot/coding_agent) (admins only)
>
> </details>
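The gating failure the commit describes, as an added example that is not the project's code: a small Rust model of the trusted-bot check before and after the fix, fed into an assumed three-level integrity model and a `min-integrity` gate on `pull_request_read`. The `github-actions[bot]` entry, the `pr_integrity` rules and the gate semantics are assumptions; only the three login variants come from the commit.

```rust
// Added example, not the project's code: how the trusted-bot check feeds a PR's
// integrity level, which `min-integrity` then gates `pull_request_read` on. The
// integrity model below is an assumption, not the guard's real logic.

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Integrity {
    None,       // author could not be classified
    Unapproved, // known author without maintainer approval
    Approved,   // trusted first-party bot, or explicitly approved
}

/// Before the fix: the agent's logins are absent. `github-actions[bot]` is a
/// hypothetical pre-existing entry standing in for the real list.
pub fn is_trusted_before_fix(login: &str) -> bool {
    login.to_ascii_lowercase() == "github-actions[bot]"
}

/// After the fix: exact, case-insensitive equality against the three spellings
/// the commit lists. Equality rather than `contains`, so look-alikes stay untrusted.
pub fn is_trusted_after_fix(login: &str) -> bool {
    let lower = login.to_ascii_lowercase();
    is_trusted_before_fix(login)
        || lower == "copilot-swe-agent[bot]" // REST API bot user
        || lower == "copilot-swe-agent"      // without [bot] suffix
        || lower == "app/copilot-swe-agent"  // gh CLI app/ prefix
}

/// Assumed model: trusted bots are approved outright; others need explicit approval.
pub fn pr_integrity(author: &str, approved: bool, trusted: fn(&str) -> bool) -> Integrity {
    if author.is_empty() {
        Integrity::None
    } else if trusted(author) || approved {
        Integrity::Approved
    } else {
        Integrity::Unapproved
    }
}

/// `pull_request_read` is allowed only when the PR meets the configured `min-integrity`.
pub fn allow_pull_request_read(pr: Integrity, min_integrity: Integrity) -> bool {
    pr >= min_integrity
}

fn main() {
    let min = Integrity::Approved; // auto-defaulted on public repos
    let login = "app/copilot-swe-agent"; // constructed sample login
    println!("before={} after={}",
        allow_pull_request_read(pr_integrity(login, false, is_trusted_before_fix), min),
        allow_pull_request_read(pr_integrity(login, false, is_trusted_after_fix), min));
}
```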