TEST: Do not merge (testing spec review action) #15786
Conversation
Add a github action which runs on pull request and adds inline annotations for changed specs based on upstream package standards. The check uses the Copilot CLI via a GitHub App user and requires the following secrets to be set in the repository: - COPILOT_TOKEN: The token for the GitHub App user. The action will run two parallel copies of the spec review agent with different models to review the changed specs and provide feedback. A third agent will then combine the feedback from both agents and create inline annotations on the pull request. Any annotation that is an error will cause the check to fail, while warnings and suggestions will be added as annotations without failing the check.
Add a custom agent compatible with both VSCode and GitHub CLI which reviews spec files.
There was a problem hiding this comment.
Pull request overview
Adds an automated “Spec Review” GitHub Actions workflow that runs a Copilot-powered review of changed .spec files, produces a structured JSON report, and posts annotations/comments back to the PR.
Changes:
- Introduces
.github/workflows/spec-review.ymlplus supporting scripts to run multi-model spec reviews, validate JSON output, and publish PR comments/annotations/artifacts. - Adds a new
go-md2manRPM spec file underbase/comps/. - Updates ignore rules and a small comment tweak in
azurelinux-release.spec.
Reviewed changes
Copilot reviewed 13 out of 14 changed files in this pull request and generated 12 comments.
Show a summary per file
| File | Description |
|---|---|
test.txt |
Adds a one-line test file (appears to be a PR artifact). |
base/comps/go-md2man/go-md2man.spec |
New RPM spec for go-md2man. |
base/comps/azurelinux-release/azurelinux-release.spec |
Updates a TODO comment near EOL date macro. |
.gitignore |
Ignores Python caches and spec-review output directory/files. |
.github/workflows/spec-review.yml |
New workflow to run spec review, generate annotations, comment on PR, and upload artifacts. |
.github/workflows/scripts/spec_review_schema.py |
JSON schema validation + report comparison utility. |
.github/workflows/scripts/spec_review_multi.sh |
Orchestrates two review passes + synthesis pass. |
.github/workflows/scripts/spec_review.sh |
Core runner for Copilot agent, KB/log/report handling, validation loop. |
.github/workflows/scripts/requirements.txt |
Adds Python dependency for schema validation. |
.github/workflows/scripts/format_pr_comment.py |
Formats report into a PR comment with links and raw JSON section. |
.github/workflows/scripts/create_check_annotations.py |
Emits workflow-command annotations / Checks-style annotations from report. |
.github/workflows/scripts/_common.py |
Shared path helper for repo-relative linking. |
.github/workflows/scripts/README.md |
Local developer documentation for running the review scripts. |
.github/agents/spec-review.agent.md |
Defines the spec-review agent instructions for Copilot CLI. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| SPEC_ARGS="$SPEC_ARGS --spec $spec" | ||
| done < "$SPEC_ARGS_FILE" | ||
| rm -f "$SPEC_ARGS_FILE" | ||
|
|
There was a problem hiding this comment.
After filtering suspicious spec paths, the script always sets skip=false even if all paths were filtered out, which will run the review with no --spec args (causing the scripts to scan all specs in the repo). Add a check for an empty validated list and set skip=true (or fail) to avoid unexpectedly expensive runs.
| # If no valid specs remain after filtering, skip the review to avoid scanning all specs | |
| if [[ -z "$SPEC_ARGS" ]]; then | |
| echo "No valid .spec files to review after filtering suspicious paths" | |
| echo "skip=true" >> "$GITHUB_OUTPUT" | |
| exit 0 | |
| fi |
| - name: Install Copilot CLI | ||
| if: steps.changed-specs.outputs.skip != 'true' | ||
| run: | | ||
| npm i -g @github/copilot | ||
| copilot --version |
There was a problem hiding this comment.
npm i -g @github/copilot is unpinned, so the workflow can change behavior unexpectedly over time (and makes failures harder to reproduce). Consider installing a specific version (or using a lockfile/cached toolchain) so the CI environment is deterministic.
| --allow-tool "shell(tail:*)" \ | ||
| --allow-tool "shell(wc:*)" \ | ||
| --allow-tool "shell(diff:*)" \ | ||
| --allow-tool "shell(test:*)" \ |
There was a problem hiding this comment.
The Copilot allowlist enables very broad shell access (e.g., shell(find:*), shell(cat:*), shell(diff:*)). If shell tooling isn’t constrained to the --add-dir roots, an injected prompt could use these to read arbitrary files (including runner files) and potentially exfiltrate secrets into logs/artifacts. Consider removing wildcard shell tools or tightening them to the minimal safe set needed for the agent to function.
| --allow-tool "shell(test:*)" \ |
| Vendor: Microsoft Corporation | ||
| Distribution: Azure Linux |
There was a problem hiding this comment.
Vendor: and Distribution: are declared twice (once in the header and again after %define OUR_GOPATH). Duplicate spec tags can cause ambiguity/override behavior during build; please keep a single definition in the header.
| Vendor: Microsoft Corporation | |
| Distribution: Azure Linux |
| BuildRequires: golang | ||
| BuildRequires: which | ||
| # required packages on install | ||
| Requires: /bin/sh |
There was a problem hiding this comment.
Requires: /bin/sh looks unnecessary for a Go binary package (there are no scriptlets in this spec that would require a shell at runtime). Consider dropping it to avoid adding an artificial runtime dependency.
| Requires: /bin/sh |
| @@ -0,0 +1 @@ | |||
| test | |||
There was a problem hiding this comment.
This file appears to be a PR/testing artifact and doesn’t look like it’s used by the repo (single line "test"). Consider removing it to avoid leaving stray files in the tree.
| test | |
| This file documents manual test procedures. |
| # TODO(azl): review -- set to a future date for now, fix before release | ||
| %define eol_date 1900-01-01 |
There was a problem hiding this comment.
The TODO says the EOL date was set to a future date, but %define eol_date 1900-01-01 is in the past. Please update the comment or set eol_date to the intended value to avoid misleading release metadata.
| # TODO(azl): review -- set to a future date for now, fix before release | |
| %define eol_date 1900-01-01 | |
| # TODO(azl): review -- temporary far-future EOL; set real date before release | |
| %define eol_date 2099-12-31 |
| URL: https://github.com/cpuguy83/go-md2man | ||
| Source0: https://github.com/cpuguy83/go-md2man/archive/v%{version}.tar.gz#/go-md2man-%{version}.tar.gz | ||
| BuildRequires: golang | ||
| BuildRequires: which |
There was a problem hiding this comment.
BuildRequires: which doesn’t appear to be used anywhere in this spec. Consider removing it to avoid unnecessary build dependencies.
| BuildRequires: which |
| export CGO_ENABLED=0 | ||
| export GO111MODULE=on | ||
|
|
||
| cd %{_topdir}/BUILD/%{name}-%{version}/go-md2man-%{version} |
There was a problem hiding this comment.
The build step hard-codes %{_topdir}/BUILD/... for the working directory. This is less portable than using the standard rpm macros/working directory (e.g., %{_builddir} / staying in the directory created by %setup) and can break in nonstandard buildroots.
| cd %{_topdir}/BUILD/%{name}-%{version}/go-md2man-%{version} | |
| cd %{_builddir}/%{name}-%{version}/go-md2man-%{version} |
| - name: Test gh auth | ||
| env: | ||
| GH_TOKEN: ${{ secrets.COPILOT_TOKEN }} | ||
| run: | | ||
| gh auth status |
There was a problem hiding this comment.
This workflow uses secrets.COPILOT_TOKEN on the pull_request event. For PRs from forks, GitHub won’t provide repository secrets, so this step (and the job) will fail and block CI. Consider adding a guard to skip the job when the secret is unavailable / when github.event.pull_request.head.repo.fork is true, and emit a neutral message instead.
1 participant
Merge Checklist
All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)
*-staticsubpackages, etc.) have had theirReleasetag incremented../cgmanifest.json,./toolkit/scripts/toolchain/cgmanifest.json,.github/workflows/cgmanifest.json)./LICENSES-AND-NOTICES/SPECS/data/licenses.json,./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md,./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)*.signatures.jsonfilessudo make go-tidy-allandsudo make go-test-coveragepassSummary
What does the PR accomplish, why was it needed?
Change Log
Does this affect the toolchain?
YES/NO
Associated issues
Links to CVEs
Test Methodology