Merged
Pull request overview
Adjusts the skill evaluation workflows introduced in PR #1195 by fixing the PR trigger behavior for the PR-gate validator and preventing nightly report creation from failing due to GitHub body-size limits.
Changes:
- Update the PR-gate workflow to run on `pull_request_target` and explicitly check out the PR head SHA.
- Add report body truncation logic to keep Skill Quality Report discussions/issues under GitHub's body limit.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/skill-check.yml | Changes trigger to pull_request_target and checks out PR head SHA to run validation and post PR comments. |
| .github/workflows/skill-quality-report.yml | Truncates generated report body before posting to Discussion/Issue to avoid exceeding GitHub limits. |
Comments suppressed due to low confidence (1)
.github/workflows/skill-check.yml:26
- Because this workflow checks out untrusted PR code (head SHA) under `pull_request_target`, any later shell execution that incorporates repo-controlled paths/content becomes high-risk. In this job, the validator command is assembled from `git diff`-derived paths and executed as a shell string, which can be vulnerable to command injection with crafted filenames. If you keep `pull_request_target`, ensure subsequent steps build commands using argument arrays / proper quoting (avoid executing concatenated strings) and consider `persist-credentials: false` on checkout to further reduce token exposure.

```yaml
- name: Checkout PR code
  uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
  with:
    ref: ${{ github.event.pull_request.head.sha }}
    fetch-depth: 0
```
- `skill-check.yml`: Revert to `pull_request` trigger (read-only token). Remove PR comment posting; upload results as artifact instead.
- `skill-check-comment.yml`: New `workflow_run`-triggered workflow that downloads the artifact and posts/updates the PR comment with write permissions, without ever checking out PR code.
- `skill-quality-report.yml`: Replace character-based truncation with byte-based (`Buffer.byteLength`) limit. Shrink `<details>` sections structurally before falling back to hard byte-trim, keeping markdown rendering intact.
aaronpowell approved these changes Mar 30, 2026
Motivation
Fixing the trigger and limits for eval pipelines from #1195