Add Copilot CLI comment attribution hook#14376
Conversation
Add a repository-scoped, cross-platform hook that marks Copilot CLI-generated GitHub comments for dotnet/msbuild while remaining idempotent and fail-open. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Copilot-Session: 15610918-bf12-4c85-9775-0d518c25711d
There was a problem hiding this comment.
Pull request overview
Adds a repository-scoped Copilot CLI preToolUse hook under .github/hooks/ to prepend an attribution note to GitHub comments and PR reviews targeting dotnet/msbuild, including gh command wrappers and offline tests for Windows (PowerShell) and Unix (bash/python).
Changes:
- Introduces Python/PowerShell hook handlers to prefix GitHub MCP comment/review tool payloads and wrap supported
ghwrite commands. - Adds
ghwrapper implementations (bash + python, and PowerShell) that inject the attribution while remaining fail-open and idempotent. - Adds offline test coverage and documentation, retaining upstream MIT license.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| .github/hooks/copilot-cli-comment-prefix/tests/test.ps1 | PowerShell offline tests for MCP rewriting and gh wrapper behavior. |
| .github/hooks/copilot-cli-comment-prefix/tests/test-unix.sh | Unix offline tests (bash + embedded python) for handler/wrapper behavior. |
| .github/hooks/copilot-cli-comment-prefix/README.md | Hook documentation and usage/testing instructions. |
| .github/hooks/copilot-cli-comment-prefix/prefix-github-comments.py | Python hook handler for MCP tool args and bash command wrapping. |
| .github/hooks/copilot-cli-comment-prefix/prefix-github-comments.ps1 | PowerShell hook handler for MCP tool args and PowerShell command wrapping. |
| .github/hooks/copilot-cli-comment-prefix/LICENSE | Retained MIT license for the adapted implementation. |
| .github/hooks/copilot-cli-comment-prefix/github-comment-prefix.txt | The attribution prefix text injected into comments/reviews. |
| .github/hooks/copilot-cli-comment-prefix/gh-comment-wrapper.sh | Bash trampoline defining a gh() wrapper when dependencies are available. |
| .github/hooks/copilot-cli-comment-prefix/gh-comment-wrapper.py | Argument-level transformer for gh to prefix bodies/body-files/api payloads and cleanup temp files. |
| .github/hooks/copilot-cli-comment-prefix/gh-comment-wrapper.ps1 | PowerShell gh() wrapper that prefixes body arguments and temp files for applicable commands. |
| .github/hooks/copilot-cli-comment-prefix.json | Copilot CLI hook configuration wiring preToolUse to the handlers. |
There was a problem hiding this comment.
Expert Review — 24 Dimensions
22/24 dimensions clean, 2 N/A, 0 blocking findings.
| Dimension | Result |
|---|---|
| Backwards Compatibility | ✅ LGTM |
| ChangeWave | N/A |
| Performance | N/A |
| Test Coverage | ✅ Comprehensive |
| Error Message Quality | N/A |
| Logging | N/A |
| String Comparison | N/A |
| API Surface | N/A |
| Target Authoring | N/A |
| Design | ✅ Fail-open, idempotent, repo-scoped |
| Cross-Platform | ✅ Python+Bash and PowerShell |
| Code Simplification | ✅ |
| Concurrency | N/A |
| Naming | ✅ |
| SDK Integration | N/A |
| Evaluation Model | N/A |
| Correctness | ✅ (1 NIT) |
| Dependency Management | N/A |
| Security | ✅ (shlex.quote for paths, original commands passed through unchanged) |
| Build Infrastructure | N/A |
| Nullable | N/A |
| Binary Log | N/A |
| Allocation | N/A |
| Immutable Collections | N/A |
NIT — Correctness (non-blocking)
GH_REVIEW_BODY regex in prefix-github-comments.py (line ~51) and prefix-github-comments.ps1 matches --approve, causing gh pr review --approve (with no body) to trigger wrapper injection. This is harmless since the wrapper is a no-op without a --body argument, but it's semantically imprecise. Consider removing --approve from the pattern if only body-bearing review actions need interception.
Summary
Well-designed, defensive infrastructure. All paths are fail-open with proper error handling. Tests cover the key scenarios including idempotency, cross-repo filtering, temp file cleanup, and malformed input. No action items required.
Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
awmgmcpg
To allow these domains, add them to the
network.allowedlist in your workflow frontmatter:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
Generated by Expert Code Review (on open) for #14376 · 112.6 AIC · ⌖ 7.55 AIC · ⊞ 4.8K
Inline the attribution text and remove the bundled documentation, nested license, and offline test files so the repository hook contains only its configuration and executable scripts. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Copilot-Session: 15610918-bf12-4c85-9775-0d518c25711d
Context
GitHub comments created through Copilot CLI use the developer's GitHub identity, so the automation source is not otherwise visible in the comment body. This adds best-effort repository-level attribution for comments targeting
dotnet/msbuild.This is a repository-scoped adaptation of the MIT-licensed general implementation.
Changes Made
.github/hooksconfiguration and cross-platform runtime scripts for GitHub MCP comment tools and supportedghcomment/review/REST API writes.dotnet/msbuild; explicit targets for other repositories pass through unchanged.Notes
Copilot CLI loads repository hooks at startup, so an existing session must be restarted after pulling this change. A user-level copy with the standard prefix can coexist with this hook without duplicating the attribution.