Skip to content

Track whose turn on issues and pull requests#9420

Open
JesperSchulz wants to merge 2 commits into
mainfrom
jesperschulz-track-whose-turn
Open

Track whose turn on issues and pull requests#9420
JesperSchulz wants to merge 2 commits into
mainfrom
jesperschulz-track-whose-turn

Conversation

@JesperSchulz

@JesperSchulz JesperSchulz commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

What & why

Add deterministic Turn: Microsoft, Turn: Partner, and Turn: Blocked classification for every open issue and pull request. The trusted default-branch workflow reacts to issue/PR lifecycle, human conversation, review, and inline-review activity; preserves explicit blocked state; and enforces exactly one turn label without touching unrelated labels.

Team actors must be human and have effective write, maintain, or admin repository permission. Team approvals return the turn to Microsoft only when no team reviewer's latest opinionated review still requests changes. Comment-only and pending reviews cannot mask an earlier change request; approval or dismissal clears that reviewer's request.

Fork review events use a zero-write producer and privileged workflow_run consumer because direct review-event tokens are read-only. The producer uploads one raw artifact containing only event kind, repository, PR number, and review/comment ID. The consumer resolves the trusted originating PR before job-level concurrency, bounds and validates the raw artifact, binds it to the exact first-attempt source event/actor/time, and re-fetches canonical API data before label mutation.

The workflow never creates or updates label definitions. .github/WHOS_TURN.md contains the one-time provisioning and operational backfill commands.

Linked work

AB#642155

How I validated this

  • I read the full diff and it contains only changes I intended.
  • I built the affected app(s) locally with no new analyzer warnings. (N/A: GitHub workflow only.)
  • I ran the change in Business Central and confirmed it behaves as expected. (N/A: GitHub workflow only.)
  • I added or updated tests for the new behavior, or explained below why none are needed.

What I tested and the outcome

  • Parsed and structurally checked both workflow YAML files, permissions, triggers, raw artifact settings, and 40-character action pins.
  • Compiled all three inline github-script bodies as async JavaScript functions.
  • Syntax-checked the documented provisioning/backfill commands with Git Bash.
  • Ran 30 non-repository mock scenarios covering producer artifact shapes, raw size/shape checks, first-attempt and source-kind/actor/time binding, cross-PR rejection, trusted unique/ambiguous PR fallback, fallback concurrency input, canonical review/comment association, draft and malformed fallback, sticky blocking and explicit unblocking, team/partner/bot activity, opinionated review ordering, dismissal, permission errors, closed-item safety, exact-one enforcement, and unrelated-label preservation.
  • Ran repeated independent read-only security reviews. Fixed findings for exact canonical label names, fork review token writes, comment-only review masking, dismissal events, cross-PR artifact targeting, same-PR event replay, and fallback PR concurrency. The final audit reported no remaining high-confidence findings.
  • No repository test/helper files were added: the final footprint is exactly the labeling workflow, the read-only review bridge, and concise operations documentation.

Risk & compatibility

The three labels must be provisioned exactly as documented before the workflows are enabled. The first PR adding the workflows cannot classify itself before merge, and the one-time backfill does not replay historical conversation.

CI failures and fork workflow approvals do not reliably identify who owns the next action, so this workflow deliberately does not infer turns from them. There is no scheduled reconciliation; one-item dispatch is the repair path.

Neither workflow checks out or executes PR code or uses secrets. The bridge has no repository permissions. The resolver has only Actions and pull-request read access; the mutation job has Actions read, issue-label write, and pull-request read access.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot-Session: 9182e868-8873-4c36-b06e-50c4e6ad9c33
@JesperSchulz JesperSchulz requested review from a team July 14, 2026 10:49
@github-actions github-actions Bot added the Build: Automation Workflows and other setup in .github folder label Jul 14, 2026
@github-actions github-actions Bot modified the milestone: Version 29.0 Jul 14, 2026
@github-actions

github-actions Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Copilot PR Review

Iteration 2 · Outcome: completed

Knowledge source: https://github.com/microsoft/BCQuality@be1b92b624679f8c031061602e7d3a3b5f71a688

Findings by domain

Findings split into Knowledge-backed (cite a BCQuality article) and Agent (the agent's own judgement, no matching BCQuality rule).

Domain Findings Knowledge-backed Agent Inline Fallback
Agent 1 0 1 0 0

Totals: 0 knowledge-backed · 1 agent findings.

Orchestrator pre-filter (16 file(s) excluded)

  • layer-disabled (knowledge) : 16 file(s)

Findings produced by the Copilot CLI agent against BCQuality at be1b92b624679f8c031061602e7d3a3b5f71a688. Reply 👎 on any inline comment to flag false positives.

@JesperSchulz JesperSchulz self-assigned this Jul 14, 2026
@JesperSchulz JesperSchulz added the Integration GitHub request for Integration area label Jul 14, 2026
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot-Session: 9182e868-8873-4c36-b06e-50c4e6ad9c33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Build: Automation Workflows and other setup in .github folder Integration GitHub request for Integration area

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant