Honor global mention allowlists in add-comment sanitization #42313

Merged
pelikhan merged 4 commits into main from copilot/fix-safe-outputs-add-comment-sanitizer
Jun 29, 2026
Conversation

Copilot AI commented Jun 29, 2026

Contributor

add_comment was re-sanitizing comment bodies with a narrower allowlist than the one resolved earlier in the safe-outputs pipeline. As a result, mentions allowed via global safe-outputs.mentions settings—especially allowed-teams and collaborator/context-derived aliases—were being escaped before posting.

  • Bug fix: preserve resolved mention aliases in add_comment

    • Include handler-manager allowedMentionAliases in the final add_comment sanitization pass
    • Keep existing parent-author and explicit mentions.allowed behavior intact
    • This aligns add_comment with the global mention resolution already used earlier in the run
  • Regression coverage

    • Add a focused JS test proving that a pre-resolved alias passed from the handler manager survives the final sanitizer and is posted as a real @mention
  • Effective behavior

    ```js
    // before final sanitize in add_comment
    const allowedMentionAliases = deduplicateCaseInsensitive([
      ...parentAuthors,
      ...preResolvedMentionAliases,
      ...configuredMentionAliases,
    ]);
    ```

This keeps the final sanitizer consistent with the resolved global mentions policy instead of collapsing back to comment-local aliases only.
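The merge of the three alias sources described above, together with the regression case the PR body mentions (a pre-resolved alias surviving the final sanitizer), as an added example. This is not code from gh-aw's add_comment.cjs or its test; the function names, the escaping strategy (wrapping a disallowed handle in backticks), the honorPreResolved switch used to reproduce the pre-fix behaviour, and the sample config and comment body are all assumptions made for this illustration.

```javascript
// Added example (not gh-aw's own add_comment.cjs): a small model of the final
// sanitization pass the PR describes. Function names, the escaping strategy
// (wrapping a disallowed handle in backticks) and the sample config/body are
// assumptions made for this illustration.

// Normalize one allowlist entry: trim, strip leading "@", turn non-strings into "".
function normalizeAlias(alias) {
  return typeof alias === "string" ? alias.trim().replace(/^@+/, "") : "";
}

// Case-insensitive de-duplication that keeps the first spelling seen.
function deduplicateCaseInsensitive(values) {
  const seen = new Set();
  const out = [];
  for (const value of values) {
    const key = value.toLowerCase();
    if (!seen.has(key)) {
      seen.add(key);
      out.push(value);
    }
  }
  return out;
}

// Build the allowlist used by the final sanitizer: parent authors, the aliases
// the handler manager already resolved (allowed-teams, collaborators, ...) and
// the explicit mentions.allowed list. Disabling mentions drops both config lists.
// honorPreResolved=false reproduces the pre-fix behaviour for comparison.
function resolveAllowedMentionAliases(config, parentAuthors, { honorPreResolved = true } = {}) {
  const mentionsDisabled = config.mentions === false || config.mentions?.enabled === false;
  const fromList = list =>
    !mentionsDisabled && Array.isArray(list) ? list.map(normalizeAlias).filter(a => a.length > 0) : [];
  return deduplicateCaseInsensitive([
    ...parentAuthors.map(normalizeAlias).filter(a => a.length > 0),
    ...(honorPreResolved ? fromList(config.allowedMentionAliases) : []),
    ...fromList(config.mentions?.allowed),
  ]);
}

// Neutralize every @mention whose login or org/team slug is not allowlisted by
// wrapping it in backticks (assumed strategy). The leading group refuses to match
// inside e-mail addresses or already-backticked handles; handle comparison is
// case-insensitive, like GitHub logins.
function sanitizeMentions(body, allowedAliases) {
  const allowed = new Set(allowedAliases.map(a => a.toLowerCase()));
  return body.replace(/(^|[^\w`])@([A-Za-z0-9-]+(?:\/[A-Za-z0-9-]+)?)/g, (match, prefix, handle) =>
    allowed.has(handle.toLowerCase()) ? match : `${prefix}\`@${handle}\``
  );
}

// Constructed sample: "alice" authored the parent issue, "bob" is in
// mentions.allowed, and the handler manager resolved a team slug and "Carol"
// earlier in the run. The 42 models a malformed entry that must be ignored.
const sampleConfig = {
  mentions: { enabled: true, allowed: ["@bob"] },
  allowedMentionAliases: ["acme/platform-team", "@Carol", 42],
};
const sampleBody =
  "Thanks @alice, cc @bob @Carol @acme/platform-team and @mallory (not mail@example.com).";

// Compare the pre-fix pass (comment-local allowlist only) with the fixed one.
function demo() {
  return {
    before: sanitizeMentions(sampleBody, resolveAllowedMentionAliases(sampleConfig, ["alice"], { honorPreResolved: false })),
    after: sanitizeMentions(sampleBody, resolveAllowedMentionAliases(sampleConfig, ["alice"])),
  };
}

console.log(demo());
```

In the "before" result the team slug and the pre-resolved "Carol" are neutralized even though the global policy allowed them; in the "after" result only "mallory", who is on no list, is escaped. The non-string entry is dropped silently, which is what the reviewed code's `typeof alias === "string"` guard does too.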

Copilot AI and others added 2 commits June 29, 2026 18:10
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix add-comment sanitizer not honoring mentions.allowed-teams" to "Honor global mention allowlists in add-comment sanitization" Jun 29, 2026
Copilot AI requested a review from pelikhan June 29, 2026 18:17
@pelikhan pelikhan marked this pull request as ready for review June 29, 2026 18:21
Copilot AI review requested due to automatic review settings June 29, 2026 18:21

Copilot AI left a comment

Contributor


Pull request overview

Fixes a safe-outputs mention-sanitization regression where add_comment was re-sanitizing bodies with a narrower allowlist than the one already resolved earlier in the pipeline, causing globally-allowed mentions (e.g., from teams/collaborators) to be escaped before posting.

Changes:

  • Extend add_comment’s final sanitization pass to include handler-manager-provided allowedMentionAliases (in addition to parent author + mentions.allowed).
  • Add a regression test ensuring a pre-resolved alias survives the final sanitizer and is posted as a real @mention.
  • Minor readability-only refactor in the dashboard CLI child-process buffering logic (expanded single-line if blocks).
Summary per file:

File | Description
actions/setup/js/add_comment.cjs | Threads pre-resolved allowedMentionAliases into the final sanitizeContent() allowlist used when posting comments.
actions/setup/js/add_comment.test.cjs | Adds regression coverage verifying pre-resolved aliases are not neutralized during the final sanitize pass.
.github/extensions/agentic-workflows-dashboard/dashboard-cli.mjs | Expands overflow checks into block form for clearer control flow; no functional change intended.

Review details


  • Files reviewed: 3/3 changed files
  • Comments generated: 1
  • Review effort level: Low

Comment on lines 437 to 441
```js
const mentionsDisabled = config.mentions === false || config.mentions?.enabled === false;
const preResolvedMentionAliases =
  !mentionsDisabled && Array.isArray(config.allowedMentionAliases)
    ? config.allowedMentionAliases
        .map(alias => (typeof alias === "string" ? alias.trim().replace(/^@+/, "") : ""))
        .filter(alias => alias.length > 0)
    : [];
const configuredMentionAliases =
  !mentionsDisabled && Array.isArray(config.mentions?.allowed)
    ? config.mentions.allowed
        .map(alias => (typeof alias === "string" ? alias.trim().replace(/^@+/, "") : ""))
        .filter(alias => alias.length > 0)
    : [];
```
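Review bot: the normalization chain `.map(alias => (typeof alias === "string" ? alias.trim().replace(/^@+/, "") : "")).filter(alias => alias.length > 0)` is written out twice in this region, once for `config.allowedMentionAliases` and once for `config.mentions.allowed`; hoist it into a single helper so the two lists cannot drift apart the next time the alias rules change. In the same chain, a non-string entry (for example an object that came out of YAML unexpectedly) is turned into "" and dropped with no trace, so a malformed global allowlist degrades silently into escaped mentions, which is the very symptom this PR fixes; consider logging the dropped entry so the next regression of this kind is visible in the run log.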
@pelikhan pelikhan closed this Jun 29, 2026
@pelikhan pelikhan reopened this Jun 29, 2026
@github-actions

Contributor

🔍 PR Triage — §28395315609

Field | Value
Category | bug
Risk | low
Score | 56 / 100
Action | fast_track
Batch | bug-fixes-ready (#41830 · #42318 · #42313 · #42317)

Score breakdown: impact 25 + urgency 15 + quality 16

Fixes add_comment silently dropping @mentions that were resolved globally earlier in the pipeline. 2 files (+39/-1), regression test included. CI in progress. Small, well-described, focused correction.

Generated by 🔧 PR Triage Agent · 99.1 AIC · ⌖ 11.6 AIC · ⊞ 5.4K ·

@pelikhan

Collaborator

@copilot run pr-finisher skill

Copilot stopped work on behalf of pelikhan due to an error June 29, 2026 19:11
@gh-aw-bot

Collaborator

@copilot Please run the pr-finisher skill to drive this PR to a mergeable state — all CI checks are passing and the branch is clean. Address any outstanding review feedback, confirm all checks pass, and prepare this PR for merge.

Run skill: pr-finisher

Generated by 👨‍🍳 PR Sous Chef · 141.7 AIC · ⌖ 10.1 AIC · ⊞ 6.7K ·

@pelikhan pelikhan merged commit 1402808 into main Jun 29, 2026
14 of 15 checks passed
@pelikhan pelikhan deleted the copilot/fix-safe-outputs-add-comment-sanitizer branch June 29, 2026 19:35
Copilot stopped work on behalf of gh-aw-bot due to an error June 29, 2026 19:36
Copilot AI requested a review from gh-aw-bot June 29, 2026 19:36

Development

Successfully merging this pull request may close these issues.

Bug: safe-outputs add-comment sanitizer not honoring mentions.allowed-teams

4 participants