Add disclosure-header message for AI authorship disclosure in safe-outputs#44497
Conversation
Adds a new `disclosure-header` configuration option to `safe-outputs.messages`
that prepends an AI authorship disclosure to every message body (issues,
comments, pull requests, discussions).
- Set `disclosure-header: true` to use the built-in default text:
"> 🤖 **Automated content** — generated by the [{workflow_name}]({run_url})
workflow. The account owner did **not** write or review this content personally."
- Set `disclosure-header: "<template>"` to use a custom template string
- Supports `{workflow_name}` and `{run_url}` placeholders
The disclosure header is inserted after any threat-detection caution alert and
before any `body-header` and the main body content.
Closes #38566
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
disclosure-header message for AI authorship disclosure in safe-outputs
|
🔍 Design Decision Gate 🏗️ is checking for design decision records on this pull request... |
There was a problem hiding this comment.
Pull request overview
Note
Copilot couldn't run its full agentic review because no GitHub Actions runner was available. Make sure your repository has a runner available to run Copilot's review, or add a copilot-setup-steps.yml file specifying one with the runs-on attribute. See the docs for more details.
Adds an opt-in disclosure-header safe-outputs message that prepends an AI authorship notice (default or custom template) to generated issue/comment/PR/discussion bodies, reducing boilerplate across workflows.
Changes:
- Extend Go safe-outputs messages config to parse/serialize
disclosure-header(bool → sentinel"true"or custom string). - Add JavaScript
getDisclosureHeader()+ default built-in disclosure text, and re-export viamessages.cjs. - Inject disclosure header into multiple handlers and document the new option in the workflow JSON schema; add unit tests (Go + JS).
Show a summary per file
| File | Description |
|---|---|
| pkg/workflow/safe_outputs_messages_test.go | Adds Go tests for parsing + JSON serialization of disclosure-header. |
| pkg/workflow/safe_outputs_messages_config.go | Implements Go parsing for disclosure-header (bool/string). |
| pkg/workflow/safe_outputs_config_types.go | Adds DisclosureHeader field + tags to messages config type. |
| pkg/parser/schemas/main_workflow_schema.json | Documents + validates disclosure-header in schema via oneOf boolean/string. |
| actions/setup/js/messages_header.test.cjs | Adds JS tests for getDisclosureHeader() + default template constant. |
| actions/setup/js/messages_header.cjs | Implements DEFAULT_DISCLOSURE_HEADER + getDisclosureHeader(). |
| actions/setup/js/messages.cjs | Re-exports getDisclosureHeader. |
| actions/setup/js/create_pull_request.cjs | Injects disclosure header into PR body assembly. |
| actions/setup/js/create_issue.cjs | Injects disclosure header into issue body assembly. |
| actions/setup/js/create_discussion.cjs | Injects disclosure header into discussion body assembly. |
| actions/setup/js/add_comment.cjs | Injects disclosure header into comment prefix assembly. |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 11/11 changed files
- Comments generated: 5
- Review effort level: Low
|
/matt |
|
🧠 Matt Pocock Skills Reviewer failed during the skills-based review. |
|
@copilot please run the Unresolved review feedback to address first:
Run: https://github.com/github/gh-aw/actions/runs/29016118662
|
Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
Addressed the unresolved review feedback in commit |
Done in |
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
| * @returns {string} | ||
| */ | ||
| function getDefaultDisclosureHeaderTemplate() { | ||
| try { |
There was a problem hiding this comment.
- remove try/catch, getPromptPath never fails
- remove core check guard, it is guaranteeded to exist
There was a problem hiding this comment.
Updated in 4f3d09c: removed the try/catch and the core.warning guard in getDefaultDisclosureHeaderTemplate(). It now follows the same direct getPromptPath(...) + readFileSync(...) resolution pattern used by other templates.
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
|
@copilot use renderTemplateFile helper, see other place where templates are rendered |
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Updated in |
|
Run: https://github.com/github/gh-aw/actions/runs/29072075004
|
…thorship-footer Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
Completed in
|
Every workflow using safe-outputs under a maintainer PAT currently needs to repeat the same AI authorship boilerplate string across all 20+ workflows. This adds a first-class
disclosure-headeropt-in that prepends a built-in AI authorship notice to every safe-output body (issues, comments, PRs, discussions).Changes
SafeOutputMessagesConfig): NewDisclosureHeader stringfield withyaml:"disclosure-header"/json:"disclosureHeader"tags. Parser handles bothbool(true→ sentinel"true") and customstring.messages_header.cjs): NewgetDisclosureHeader()alongsidegetBodyHeader(). When value is"true", renders the built-inDEFAULT_DISCLOSURE_HEADER; otherwise renders the value as a template.create_issue,add_comment,create_discussion,create_pull_request): Inject disclosure header after any threat-detection caution and beforebody-header.main_workflow_schema.json):disclosure-headerasoneOf: [boolean, string]with explicit ordering docs.Usage
Default text:
Body ordering (top → bottom): threat-detection caution →
disclosure-header→body-header→ agent content → footer.