Add user profile and data processing functionality with logging #3
| name: PR Copilot PII Review | |
| on: | |
| pull_request: | |
| types: [opened, reopened, ready_for_review, synchronize] | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| jobs: | |
| copilot_pii_review: | |
| name: Copilot PII Review | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Set up Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: '22' | |
| - name: Compute diff and changed files | |
| id: diff | |
| run: | | |
| BASE_SHA="${{ github.event.pull_request.base.sha }}" | |
| HEAD_SHA="${{ github.event.pull_request.head.sha }}" | |
| git diff --name-only "$BASE_SHA" "$HEAD_SHA" > changed_files.txt | |
| git diff --unified=3 "$BASE_SHA" "$HEAD_SHA" > diff.patch | |
| if [ ! -s changed_files.txt ]; then | |
| echo "no_changes=true" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "no_changes=false" >> "$GITHUB_OUTPUT" | |
| fi | |
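Review bot: the two-dot `git diff "$BASE_SHA" "$HEAD_SHA"` in the Compute diff step compares the two commits directly, so when the base branch has moved on since the PR branched, commits that landed on base show up in `diff.patch` as reverted changes and get reviewed as if this PR made them. Diff against the merge base instead, e.g. `git diff --name-only "$BASE_SHA...$HEAD_SHA"` and `git diff --unified=3 "$BASE_SHA...$HEAD_SHA"`; the `fetch-depth: 0` checkout already provides the history this needs.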
| - name: Install Copilot CLI | |
| if: steps.diff.outputs.no_changes == 'false' | |
| run: | | |
| npm install -g @github/copilot | |
| copilot --version | |
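Review bot: `npm install -g @github/copilot` in the Install Copilot CLI step pulls whatever version is latest at run time, so the tool that reads every PR diff and writes to the PR is an unpinned dependency; pin it to an exact version (`npm install -g @github/copilot@<version>`) and bump it deliberately, the same way the actions are pinned to `@v4`.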
| - name: Run Copilot PII review | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.COPILOT_CLI_PAT }} | |
| if: steps.diff.outputs.no_changes == 'false' | |
| run: | | |
| if [ -z "$GITHUB_TOKEN" ]; then | |
| echo "GITHUB_TOKEN secret is not configured." >&2 | |
| exit 1 | |
| fi | |
| printf 'GITHUB_TOKEN is set: ${{secrets.COPILOT_CLI_PAT}}' | |
| HEADER="You are a professional security expert specializing in PII (Personally Identifiable Information) detection. The current working directory is a Git repository undergoing a Pull Request code review." | |
| REVIEW_REQUIREMENTS="**Review Task**: | |
| Analyze the provided code diff for potential PII exposure and privacy concerns. | |
| **Changed Files**: $(cat changed_files.txt | tr '\n' ', ' | sed 's/,$//') | |
| **Review Requirements**: | |
| Please focus on the following PII-related aspects and provide a detailed security review: | |
| 1. Direct PII exposure (names, emails, phone numbers, addresses, SSN, credit card numbers, etc.) | |
| 2. Indirect PII that could identify individuals when combined | |
| 3. Hardcoded credentials, API keys, or tokens | |
| 4. Logging or printing of sensitive user data | |
| 5. Insufficient data masking or anonymization | |
| 6. PII stored in comments, test data, or configuration files | |
| 7. Potential GDPR, CCPA, or other privacy regulation violations" | |
| RULES="**Output Format Requirements**: | |
| Provide specific, actionable feedback including: | |
| 1. Relevant file names and line numbers | |
| 2. Clear issue descriptions | |
| 3. Concrete fix recommendations | |
| 4. Severity levels (info, minor, major, critical) | |
| 5. Organize the review report in markdown format with clear section structure | |
| **Mandatory Requirements**: | |
| 1. Base your review on the actual diff content provided below | |
| 2. Provide comprehensive PII analysis with specific examples where applicable | |
| 3. Prioritize critical privacy concerns that could lead to data breaches" | |
| REVIEW_FALLBACK="No Personally Identifiable Information (PII) exposure or privacy concerns were detected in the analyzed code changes." | |
| DIFF_SECTION="**Unified diff**:\n$(cat diff.patch)" | |
| export COPILOT_PROMPT="$HEADER\n\n$REVIEW_REQUIREMENTS\n\n$RULES\n\n$DIFF_SECTION" | |
| printf '%s\n' "$COPILOT_PROMPT" | |
| copilot -p "$COPILOT_PROMPT" | tee copilot_raw.txt >/dev/null | |
| printf '\n\nRaw Copilot Output:\n%s\n' "$(cat copilot_raw.txt)" | |
| sed -E 's/\x1B\[[0-9;]*[A-Za-z]//g' copilot_raw.txt | tr -d '\r' > raw_review.md | |
| if ! grep -q '|' raw_review.md; then | |
| printf '%s\n' "$REVIEW_FALLBACK" > raw_review.md | |
| fi | |
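Review bot: `printf 'GITHUB_TOKEN is set: ${{secrets.COPILOT_CLI_PAT}}'` in the Run Copilot PII review step writes the PAT itself into the job log; the `${{ }}` expression is expanded by the runner before bash sees it, so the token ends up in the generated script and in the log, protected only by GitHub's log masking. The `-z "$GITHUB_TOKEN"` check just above already proves the variable is set, so delete this line. Three more points in the same step: `"$HEADER\n\n$REVIEW_REQUIREMENTS…"` and `"**Unified diff**:\n$(cat diff.patch)"` use `\n` inside double quotes, which bash keeps as a literal backslash-n, so the prompt sections are not separated by newlines (use `$'\n'` or assemble the prompt with `printf '%s\n\n'`); the fallback `if ! grep -q '|' raw_review.md` replaces any review that contains no pipe character with the "no PII detected" text, but the prompt asks for markdown sections, not a table, so a genuine list of findings can be silently turned into an all-clear (test for an empty file and the CLI's exit status instead); and `diff.patch` is PR-author-controlled text inserted into the prompt with the model's reply posted verbatim, so the step should treat that output as untrusted and make sure the CLI is run without tool execution against the checked-out tree.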
| - name: Format review output | |
| run: | | |
| PR_NUMBER="${{ github.event.pull_request.number }}" | |
| cat > review_result.md <<EOF | |
| **GitHub Copilot CLI PII Review** | |
| --- | |
| This is an PII security review generated by GitHub Copilot CLI for pull request #${PR_NUMBER}. | |
| ### Review Feedback | |
| $(cat raw_review.md) | |
| --- | |
| This is an PII security review by GitHub Copilot CLI. Please use human judgment when evaluating suggestions. | |
| EOF | |
| - name: Post review as PR comment | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| gh pr comment ${{ github.event.pull_request.number }} --body-file review_result.md | |
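Review bot: the Format review output and Post review as PR comment steps have no `if: steps.diff.outputs.no_changes == 'false'` guard, unlike the steps before them, so on a PR with no changed files they still run, `$(cat raw_review.md)` fails on the missing file, and an empty "Review Feedback" comment is posted. Add the same guard to both. Since the job also fires on `synchronize`, every push adds another comment; consider `gh pr comment --edit-last` to update the previous one, pass the PR number via `env:` rather than interpolating `${{ github.event.pull_request.number }}` into `run:`, and fix "an PII security review" to "a PII security review" on both lines of the heredoc.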
| - name: Upload Copilot raw output | |
| if: steps.diff.outputs.no_changes == 'false' | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: copilot-review-logs | |
| path: | | |
| copilot_raw.txt | |
| raw_review.md | |
| review_result.md | |
| diff.patch | |
| changed_files.txt |
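Review bot: the artifact in the Upload Copilot raw output step bundles `diff.patch` and `copilot_raw.txt`, i.e. the very code change the job is screening for PII plus the model's account of what it found, and keeps them under the default retention period; if the diff does contain PII, the artifact re-publishes it to everyone with read access to the repository for that time. Drop `diff.patch` and `changed_files.txt` (both are reproducible from the PR itself), set `retention-days` to a short value, and keep only the formatted review.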