Add skip-roles to conditionally skip workflows based on repository permissions#15988

Merged: pelikhan merged 8 commits into main from copilot/add-skip-roles-option (Feb 15, 2026)

Copilot AI commented Feb 15, 2026

Implementation Plan for skip-roles Feature

This feature adds on.skip-roles: [...] to skip workflows for specified roles (e.g., admin, maintainer).

  • Add SkipRoles field to FrontmatterConfig struct
  • Add SkipRoles field to WorkflowData struct
  • Extract skip-roles from frontmatter on section
  • Add constants for skip-roles check (step ID, output name)
  • Create check_skip_roles.cjs JavaScript check script
  • Add check_skip_roles.test.cjs test file
  • Generate skip-roles check step in pre-activation job
  • Add skip-roles condition to activation gate logic
  • Add Go tests for skip-roles compilation
  • Add skip-roles to JSON schema
  • Add skip-roles commenting in frontmatter (including array items)
  • Fix pre-activation job creation when skip-roles or rate-limit present
  • Apply skip-roles to AI moderator workflow
  • Merge main branch and recompile workflows
  • Format Go code and pass linter
Original prompt

This section details on the original issue you should resolve

<issue_title>skip-roles</issue_title>
<issue_description>Add a front matter option on.skip-roles: [...] that allows skipping a workflow for particular roles. For example, in an AI moderation scenario, certain checks do not need to be applied to team members; only external users need to have them checked.

on:
  skip-roles: [admin, maintainer, write]

The check should be done in pre-activation and cleanly cancel activation. </issue_description>

Comments on the Issue (you are @copilot in this section)

@pelikhan /cloclo @pelikhan /cloclo @pelikhan /cloclo

Copilot AI and others added 4 commits February 15, 2026 21:20
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add front matter option to skip roles in workflow" to "Add skip-roles to conditionally skip workflows based on repository permissions" on Feb 15, 2026
Copilot AI requested a review from pelikhan February 15, 2026 21:34

@pelikhan pelikhan left a comment

@copilot add skip roles to ai moderator: admin, maintainer, write, triage

- Add skip-roles: [admin, maintainer, write, triage] to ai-moderator.md
- Remove custom check_external_user job (replaced by skip-roles)
- Fix buildPreActivationAndActivationJobs to trigger on skip-roles and rate-limit
- Update logging to include hasSkipRoles and hasRateLimit flags

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Feb 15, 2026

@copilot add skip roles to ai moderator: admin, maintainer, write, triage

Added skip-roles: [admin, maintainer, write, triage] to ai-moderator.md and removed the custom check_external_user job. The workflow now uses the native skip-roles feature in pre-activation. (9a17b71)

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/user
    • Triggering command: /usr/bin/gh gh api user --jq .login (http block)

If you need me to access, download, or install something from one of these locations, you can either:

@pelikhan

@copilot merge main and recompile


Copilot AI commented Feb 15, 2026

@copilot merge main and recompile

Merged main branch and recompiled all 154 workflows successfully. The merge commit (c822101) includes upstream changes to unlock job handling and other improvements. All skip-roles tests pass.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

If you need me to access, download, or install something from one of these locations, you can either:

@pelikhan pelikhan marked this pull request as ready for review February 15, 2026 22:12
Copilot AI review requested due to automatic review settings February 15, 2026 22:12
@pelikhan

@copilot lint go


Copilot AI left a comment

Pull request overview

This PR adds a skip-roles feature that allows workflows to conditionally skip execution based on repository permissions. The primary use case is AI moderation workflows that should only run for external contributors, not team members with elevated permissions.

Changes:

  • Added skip-roles configuration in the on: section (schema, extraction, YAML processing)
  • Implemented pre-activation check via check_skip_roles.cjs that queries GitHub API for user permissions
  • Updated pre-activation trigger logic to create pre_activation job when skip-roles or rate-limit are configured, even if roles: all is set
  • Applied the feature to AI moderator workflow, removing 87 lines of custom permission checking code

Reviewed changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| pkg/parser/schemas/main_workflow_schema.json | Added schema definition for skip-roles field supporting string or array format |
| pkg/constants/constants.go | Added CheckSkipRolesStepID and SkipRolesOkOutput constants |
| pkg/workflow/compiler_types.go | Added SkipRoles field to WorkflowData struct |
| pkg/workflow/role_checks.go | Added extractSkipRoles() and extractStringSliceField() helper functions |
| pkg/workflow/compiler_orchestrator_workflow.go | Integrated skip-roles extraction into workflow compilation |
| pkg/workflow/compiler_jobs.go | Updated pre-activation trigger condition to include hasSkipRoles and hasRateLimit flags |
| pkg/workflow/compiler_activation_jobs.go | Added skip-roles check step generation and condition to pre-activation job |
| pkg/workflow/frontmatter_extraction_yaml.go | Added YAML commenting logic for skip-roles field |
| pkg/workflow/skip_roles_test.go | Comprehensive tests for skip-roles feature including edge cases |
| actions/setup/js/check_skip_roles.cjs | JavaScript implementation using shared permission checking utility |
| actions/setup/js/check_skip_roles.test.cjs | Comprehensive unit tests for the JavaScript implementation |
| .github/workflows/ai-moderator.md | Applied skip-roles to AI moderator, replacing custom permission check |
| .github/workflows/ai-moderator.lock.yml | Compiled workflow with skip-roles pre-activation check |
| .github/workflows/bot-detection.lock.yml | Recompiled workflow with mention normalization (@pelikhanpelikhan) |
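
An added example, not code from this pull request or the gh-aw repository: one way to write the decision a skip-roles pre-activation check has to make, given the body returned by GitHub's collaborator-permission endpoint. The function names, the "maintainer" alias and the sample bodies are assumptions; it shows that a failed lookup must not exempt the actor, and that the legacy permission field alone cannot tell triage from read.

```javascript
// Added example, not the project's check_skip_roles.cjs.
// Input: the JSON body of GET /repos/{owner}/{repo}/collaborators/{username}/permission.

// Assumption: the front matter spells the role "maintainer"; GitHub's role_name is "maintain".
const ROLE_ALIASES = { maintainer: "maintain" };

// skip-roles may be a single string or an array of strings.
function normalizeSkipRoles(skipRoles) {
  const list = Array.isArray(skipRoles) ? skipRoles : [skipRoles];
  return new Set(
    list
      .filter((r) => typeof r === "string" && r.trim() !== "")
      .map((r) => r.trim().toLowerCase())
      .map((r) => ROLE_ALIASES[r] || r)
  );
}

// Returns { skip, reason }; skip === true means the workflow does not run for this actor.
function evaluateSkipRoles(skipRoles, permissionBody) {
  const wanted = normalizeSkipRoles(skipRoles);
  if (wanted.size === 0) return { skip: false, reason: "no skip-roles configured" };
  // A failed lookup must never exempt the actor: run the workflow instead.
  if (!permissionBody || typeof permissionBody !== "object") {
    return { skip: false, reason: "permission lookup failed" };
  }
  // role_name keeps maintain and triage distinct; the legacy `permission`
  // field reports them as write and read, so it is only a fallback.
  const raw = permissionBody.role_name || permissionBody.permission;
  if (typeof raw !== "string") return { skip: false, reason: "no role in response" };
  const role = raw.toLowerCase();
  return wanted.has(role)
    ? { skip: true, reason: `role '${role}' is in skip-roles` }
    : { skip: false, reason: `role '${role}' is not in skip-roles` };
}

// Constructed sample bodies (not captured from a real repository).
const SKIP = ["admin", "maintainer", "write", "triage"];
const samples = {
  triage: { permission: "read", role_name: "triage" },
  triageLegacyOnly: { permission: "read" },
  reader: { permission: "read", role_name: "read" },
  lookupFailed: null,
};
for (const [name, body] of Object.entries(samples)) {
  console.log(name, evaluateSkipRoles(SKIP, body));
}
```
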

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Feb 15, 2026

@copilot lint go

Go code linted successfully. Formatted compiler_unlock_job.go to remove trailing whitespace. All linter validations passed. (d96179a)

Development

Successfully merging this pull request may close these issues.

skip-roles