|
| 1 | +name: PR Copilot PII Review |
| 2 | + |
| 3 | +on: |
| 4 | + pull_request: |
| 5 | + types: [opened, reopened, ready_for_review, synchronize] |
| 6 | + |
| 7 | + |
| 8 | +permissions: |
| 9 | + contents: read |
| 10 | + pull-requests: write |
| 11 | + |
| 12 | +jobs: |
| 13 | + copilot_pii_review: |
| 14 | + name: Copilot PII Review |
| 15 | + runs-on: ubuntu-latest |
| 16 | + steps: |
| 17 | + - name: Checkout code |
| 18 | + uses: actions/checkout@v4 |
| 19 | + with: |
| 20 | + fetch-depth: 0 |
| 21 | + |
| 22 | + - name: Set up Node.js |
| 23 | + uses: actions/setup-node@v4 |
| 24 | + with: |
| 25 | + node-version: '22' |
| 26 | + |
| 27 | + - name: Compute diff and changed files |
| 28 | + id: diff |
| 29 | + run: | |
| 30 | + BASE_SHA="${{ github.event.pull_request.base.sha }}" |
| 31 | + HEAD_SHA="${{ github.event.pull_request.head.sha }}" |
| 32 | +
|
| 33 | + git diff --name-only "$BASE_SHA" "$HEAD_SHA" > changed_files.txt |
| 34 | + git diff --unified=3 "$BASE_SHA" "$HEAD_SHA" > diff.patch |
| 35 | +
|
| 36 | + if [ ! -s changed_files.txt ]; then |
| 37 | + echo "no_changes=true" >> "$GITHUB_OUTPUT" |
| 38 | + else |
| 39 | + echo "no_changes=false" >> "$GITHUB_OUTPUT" |
| 40 | + fi |
| 41 | +
|
| 42 | + - name: Install Copilot CLI |
| 43 | + if: steps.diff.outputs.no_changes == 'false' |
| 44 | + run: | |
| 45 | + npm install -g @github/copilot |
| 46 | + copilot --version |
| 47 | +
|
| 48 | + - name: Run Copilot PII review |
| 49 | + env: |
| 50 | + GITHUB_TOKEN: ${{ secrets.COPILOT_CLI_PAT }} |
| 51 | + if: steps.diff.outputs.no_changes == 'false' |
| 52 | + run: | |
| 53 | + if [ -z "$GITHUB_TOKEN" ]; then |
| 54 | + echo "GITHUB_TOKEN secret is not configured." >&2 |
| 55 | + exit 1 |
| 56 | + fi |
| 57 | +
|
| 58 | + printf 'GITHUB_TOKEN is set: ${{secrets.COPILOT_CLI_PAT}}' |
| 59 | +
|
| 60 | + HEADER="You are a professional security expert specializing in PII (Personally Identifiable Information) detection. The current working directory is a Git repository undergoing a Pull Request code review." |
| 61 | + |
| 62 | + REVIEW_REQUIREMENTS="**Review Task**: |
| 63 | + Analyze the provided code diff for potential PII exposure and privacy concerns. |
| 64 | + |
| 65 | + **Changed Files**: $(cat changed_files.txt | tr '\n' ', ' | sed 's/,$//') |
| 66 | + |
| 67 | + **Review Requirements**: |
| 68 | + Please focus on the following PII-related aspects and provide a detailed security review: |
| 69 | + 1. Direct PII exposure (names, emails, phone numbers, addresses, SSN, credit card numbers, etc.) |
| 70 | + 2. Indirect PII that could identify individuals when combined |
| 71 | + 3. Hardcoded credentials, API keys, or tokens |
| 72 | + 4. Logging or printing of sensitive user data |
| 73 | + 5. Insufficient data masking or anonymization |
| 74 | + 6. PII stored in comments, test data, or configuration files |
| 75 | + 7. Potential GDPR, CCPA, or other privacy regulation violations" |
| 76 | + |
| 77 | + RULES="**Output Format Requirements**: |
| 78 | + - Output ONLY a GitHub-flavored Markdown table with exactly these columns: File | Concern | Recommendation | Severity |
| 79 | + - Every row must reference a real file path from the Changed files list |
| 80 | + - Severity must be one of: info, minor, major, critical |
| 81 | + - If no PII issues are found, return a single table row with 'All files' in the File column and 'No PII issues found' in the Concern column |
| 82 | + - Cite line numbers from the diff using the format L<line> |
| 83 | + - Do not wrap the table in backticks or add any prose before or after the table |
| 84 | + - Focus on actionable PII-related feedback specific to the diff |
| 85 | + |
| 86 | + **Mandatory Requirements**: |
| 87 | + 1. Base your review on the actual diff content provided below |
| 88 | + 2. Provide comprehensive PII analysis with specific examples where applicable |
| 89 | + 3. Prioritize critical privacy concerns that could lead to data breaches" |
| 90 | +
|
| 91 | + DIFF_SECTION="**Unified diff**:\n$(cat diff.patch)" |
| 92 | +
|
| 93 | + export COPILOT_PROMPT="$HEADER\n\n$REVIEW_REQUIREMENTS\n\n$RULES\n\n$DIFF_SECTION" |
| 94 | +
|
| 95 | + printf '%s\n' "$COPILOT_PROMPT" |
| 96 | +
|
| 97 | + copilot -p "$COPILOT_PROMPT" | tee copilot_raw.txt >/dev/null |
| 98 | +
|
| 99 | + printf '\n\nRaw Copilot Output:\n%s\n' "$(cat copilot_raw.txt)" |
| 100 | +
|
| 101 | + sed -E 's/\x1B\[[0-9;]*[A-Za-z]//g' copilot_raw.txt | tr -d '\r' > raw_review.md |
| 102 | +
|
| 103 | + if ! grep -q '|' raw_review.md; then |
| 104 | + printf '%s\n' "$REVIEW_TABLE_FALLBACK" > raw_review.md |
| 105 | + fi |
| 106 | +
|
| 107 | + - name: Format review output |
| 108 | + run: | |
| 109 | + PR_NUMBER="${{ github.event.pull_request.number }}" |
| 110 | + |
| 111 | + cat > review_result.md <<EOF |
| 112 | + 🔒 **GitHub Copilot Automated PII Review** |
| 113 | +
|
| 114 | + --- |
| 115 | +
|
| 116 | + ### 📋 Summary |
| 117 | +
|
| 118 | + This is an automated PII (Personally Identifiable Information) security review generated by GitHub Copilot CLI for pull request #${PR_NUMBER}. |
| 119 | +
|
| 120 | + ### 🔍 Review Feedback |
| 121 | +
|
| 122 | + $(cat raw_review.md) |
| 123 | +
|
| 124 | + --- |
| 125 | +
|
| 126 | + This is an automated PII security review. Please use human judgment when evaluating suggestions. |
| 127 | + EOF |
| 128 | +
|
| 129 | + - name: Post review as PR comment |
| 130 | + env: |
| 131 | + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
| 132 | + run: | |
| 133 | + gh pr comment ${{ github.event.pull_request.number }} --body-file review_result.md |
| 134 | +
|
| 135 | + - name: Upload Copilot raw output |
| 136 | + if: steps.diff.outputs.no_changes == 'false' |
| 137 | + uses: actions/upload-artifact@v4 |
| 138 | + with: |
| 139 | + name: copilot-review-logs |
| 140 | + path: | |
| 141 | + copilot_raw.txt |
| 142 | + raw_review.md |
| 143 | + review_result.md |
| 144 | + diff.patch |
| 145 | + changed_files.txt |
0 commit comments