Skip to content

Disclose Copilot authorship on expert reviewer comments#8819

Open
Evangelink wants to merge 2 commits into
microsoft:mainfrom
Evangelink:dev/amauryleve/expert-reviewer-copilot-attribution
Open

Disclose Copilot authorship on expert reviewer comments#8819
Evangelink wants to merge 2 commits into
microsoft:mainfrom
Evangelink:dev/amauryleve/expert-reviewer-copilot-attribution

Conversation

@Evangelink
Copy link
Copy Markdown
Member

@Evangelink Evangelink commented Jun 4, 2026

What & why

The expert-reviewer agentic workflow posts reviews via gh-aw safe-output tools that use a maintainer's PAT (COPILOT_GITHUB_TOKEN). As a result, every add_comment, create_pull_request_review_comment, and submit_pull_request_review call shows the maintainer's avatar and username — with no way for readers to tell the content was authored by Copilot rather than by the human whose account they see.

This PR adds an explicit disclosure so the authorship is clear.

Change

  1. .github/agents/expert-reviewer.agent.md

    • New Absolute Rule Bug Fix #258333 : Tests running multiple times in case we have multiple test projects #4 mandating the attribution banner.
    • New ## Copilot Attribution Banner section defining the verbatim banner with a <workflow-run-url> placeholder.
    • Wave 3 step 5 (add_comment) and Wave 4 step 6 (submit_pull_request_review) updated to require the banner at the top of each body. Both example bodies in step 6 now show the banner.
    • Wave 3 step 4 (inline comments) explicitly says no per-comment footer — inline comments are bundled into the Wave 4 review whose body already carries the banner, and gh-aw's shared/formatting.md already appends an automatic footer that we should not duplicate.

  2. .github/workflows/shared/review-shared.md

    • Step 2 of ## Instructions: the orchestrator now forwards the workflow run URL (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) to the subagent prompt and references the new banner section. Without this forwarding, the subagent (a background task) has no access to the parent <github-context> block and could not populate the link.

Resulting banner

Note

🤖 Automated review by GitHub Copilot. Posted via a maintainer's GitHub token, so it appears under their account — the account owner did not write or approve this content personally. Generated by the Expert Code Review workflow. To request a follow-up action, reply by tagging @copilot directly.

Validation

  • gh aw compile --strict review.agent review-on-open.agent review-after-autofix.agent → 3 workflow(s), 0 errors, 0 warnings.
  • No lockfile regenerations were needed for this change: the agent file is loaded at runtime by the subagent (not embedded into the lock), and shared/review-shared.md is pulled in via {{#runtime-import}} rather than inlined. Local strict-compile did surface unrelated SHA-pin regressions in the lock files (likely a local compiler-version artifact) — those were reverted to keep this PR scoped to the disclosure change.

Disclose Copilot authorship on expert reviewer comments
b74f9c5 
The expert-reviewer agent posts reviews via gh-aw safe-output tools that
use a maintainer's PAT (COPILOT_GITHUB_TOKEN), so every comment appears
under that maintainer's avatar and username. Readers currently have no
way to tell the content was authored by Copilot rather than the human
whose account they see.

Add a mandatory attribution banner at the top of every add_comment body
and every submit_pull_request_review body, with a link back to the
generating workflow run so anyone can audit it. The orchestrator now
forwards the workflow run URL to the subagent so the banner link
resolves.

Inline review comments still get no per-comment footer: they are
bundled into the Wave 4 review whose body already carries the banner,
and gh-aw's formatting shared fragment already appends an automatic
attribution footer that we should not duplicate.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings June 4, 2026 11:23
Copilot AI reviewed Jun 4, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR improves transparency for the repository’s “expert-reviewer” agentic workflow by requiring an explicit “authored by GitHub Copilot” disclosure in posted PR comments and review bodies, clarifying that content is published via a maintainer PAT and may otherwise be mistaken for human-written feedback.

Changes:

  • Added a mandatory Copilot attribution banner (with a workflow-run URL placeholder) to the expert reviewer agent definition and required it at the start of add_comment and submit_pull_request_review bodies.
  • Clarified that inline comments (create_pull_request_review_comment) should not add per-comment attribution, since they’re bundled into the final review and gh-aw already appends its own footer attribution.
  • Updated the shared review workflow instructions to forward the workflow run URL into the subagent prompt so it can populate the banner link.
Show a summary per file
File Description
.github/workflows/shared/review-shared.md Instructs the orchestrator to pass the workflow run URL to the expert-reviewer subagent so it can link the disclosure banner to the originating run.
.github/agents/expert-reviewer.agent.md Defines the required Copilot attribution banner and enforces its inclusion at the start of posted top-level comments and the submitted review body.

Copilot's findings

  • Files reviewed: 2/2 changed files
  • Comments generated: 2

Comment thread .github/workflows/shared/review-shared.md Outdated
Comment thread .github/agents/expert-reviewer.agent.md Outdated
Address Copilot review feedback on attribution-banner PR
3ed7f9f 
Two clarifications:

- expert-reviewer.agent.md: spell out a full fallback banner variant for
  the case where the orchestrator does not supply a workflow run URL,
  instead of telling the agent to `omit the parenthesized link'' (which
  would have left dangling markdown like `[Expert Code Review
  workflow]()`). The fallback drops the entire `Generated by ...''
  sentence so the rendered markdown stays valid.
- shared/review-shared.md: tighten the rationale for forwarding the
  workflow run URL. The URL is needed for the banner that goes on
  add_comment and submit_pull_request_review bodies only; inline
  create_pull_request_review_comment bodies inherit the banner from the
  bundled review and do not carry it themselves.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@Evangelink
Copy link
Copy Markdown
Member Author

Evangelink commented Jun 4, 2026

Addressed both review comments in 3ed7f9f:

  1. .github/agents/expert-reviewer.agent.md (line 36 comment) — replaced the ambiguous "omit the parenthesized link and keep the rest of the banner" guidance with an explicit, verbatim fallback banner that drops the whole "Generated by …" sentence, so the rendered markdown stays valid when no run URL is available.
  2. .github/workflows/shared/review-shared.md (line 42 comment) — tightened the rationale to clarify the URL is needed for the banner on add_comment and submit_pull_request_review bodies only; inline create_pull_request_review_comment bodies inherit the banner from the bundled review and do not carry it themselves.

Strict compile still clean: gh aw compile --strict review.agent review-on-open.agent review-after-autofix.agent → 0 errors, 0 warnings.

@Evangelink Evangelink enabled auto-merge (squash) June 4, 2026 11:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Evangelink