docs: add AI security review notice to README #40
Pull request overview
Updates repository documentation and GitHub configuration around automated Copilot-based PR security reviews.
Changes:
- Adds a security notice to `README.md` stating PRs are automatically reviewed by Copilot AI.
- Removes the `ai-pr-review` job (and the related `pull-requests: write` permission) from the CI workflow.
- Adds a `.github/copilot-code-review.md` instructions file intended to guide Copilot code review behavior.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| README.md | Adds a “Security” notice about automatic Copilot PR reviews. |
| .github/workflows/ci.yml | Removes the Copilot PR review job and PR write permissions from CI. |
| .github/copilot-code-review.md | Adds Copilot review instruction text (currently not referenced in repo config/workflows). |
Comments suppressed due to low confidence (1)
.github/workflows/ci.yml:14
- This workflow no longer runs the Copilot PR review step/job, but the PR/README update suggests PRs are automatically reviewed for security. If the automation is still desired, reintroduce the review job (and scope the minimal required permissions); otherwise consider removing/adjusting any documentation that states reviews are automatic.
```yaml
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
```
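The mismatch the suppressed comment points at (a README promise of automatic review with no workflow job behind it, alongside a standing `pull-requests: write` grant) can be caught mechanically rather than by hand. The following Python is an added example, not code from this PR or repository: it parses the simple indentation-based YAML subset these workflows use, lists every `write` permission at workflow and job scope, and flags a README that says "automatically reviewed" when no `ai-pr-review` job exists. The workflow texts and README line embedded in it are constructed to mirror the fragments quoted on this page; the job name `ai-pr-review` comes from the PR summary.

```python
"""Docs-vs-workflow consistency check (added example, not part of this PR).

Parses only the indentation-based YAML subset that simple GitHub Actions
workflows use (nested mappings with scalar values; no lists or anchors).
"""
from __future__ import annotations

import re

# Constructed sample mirroring the post-PR ci.yml fragment quoted above.
CI_YML_AFTER = """\
name: CI
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
"""

# Constructed sample of the pre-PR shape described in the summary: a review
# job plus a pull-requests: write grant at both workflow and job scope.
CI_YML_BEFORE = """\
name: CI
on: [push, pull_request]
permissions:
  contents: read
  pull-requests: write
jobs:
  build:
    runs-on: ubuntu-latest
  ai-pr-review:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
"""

# The README line added by this PR.
README_CLAIM = "All PRs are automatically reviewed by Copilot AI for security vulnerabilities."


def parse_simple_yaml(text: str) -> dict:
    """Build nested dicts from 'key: value' lines; nesting follows indentation."""
    root: dict = {}
    stack: list[tuple[int, dict]] = [(-1, root)]  # (indent, mapping) pairs
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while indent <= stack[-1][0]:  # close mappings deeper than this line
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:
            child: dict = {}
            parent[key] = child
            stack.append((indent, child))
    return root


def write_permissions(workflow: dict) -> list[str]:
    """Return 'scope@workflow' / 'scope@job' for every write permission granted."""
    found: list[str] = []
    top = workflow.get("permissions")
    if isinstance(top, dict):
        found += [f"{k}@workflow" for k, v in top.items() if v == "write"]
    jobs = workflow.get("jobs")
    if isinstance(jobs, dict):
        for job_name, job in jobs.items():
            perms = job.get("permissions") if isinstance(job, dict) else None
            if isinstance(perms, dict):
                found += [f"{k}@{job_name}" for k, v in perms.items() if v == "write"]
    return found


def has_review_job(workflow: dict, job_name: str = "ai-pr-review") -> bool:
    """True if the workflow defines the automated review job the README relies on."""
    jobs = workflow.get("jobs")
    return isinstance(jobs, dict) and job_name in jobs


def readme_claims_automatic_review(readme_text: str) -> bool:
    """Detect wording that promises enforcement rather than an optional aid."""
    return re.search(r"\bautomatically reviewed\b", readme_text, re.IGNORECASE) is not None


def audit(workflow_text: str, readme_text: str) -> list[str]:
    """Findings a CI step could fail on: write grants and unbacked README claims."""
    workflow = parse_simple_yaml(workflow_text)
    findings = [f"write permission granted: {entry}" for entry in write_permissions(workflow)]
    if readme_claims_automatic_review(readme_text) and not has_review_job(workflow):
        findings.append("README claims automatic review but no ai-pr-review job exists")
    return findings


if __name__ == "__main__":
    for label, text in (("before", CI_YML_BEFORE), ("after", CI_YML_AFTER)):
        print(label, audit(text, README_CLAIM) or ["no findings"])
```

Workflow-level `write` grants apply to every job, so the check reports them separately from job-scoped ones; the intended end state is that a review job carries its own minimal `permissions` block while the workflow default stays `contents: read`, and that the README only promises what such a job actually does.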
README.md (Outdated)
|
|
||
| A minimal, zero-dependency .NET library for generating PDF documents from text and Excel (.xlsx) files. | ||
|
|
||
| > **Security**: All PRs are automatically reviewed by Copilot AI for security vulnerabilities. |
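Review bot: The added line states enforcement ("All PRs are automatically reviewed") while this same PR deletes the `ai-pr-review` job and its `pull-requests: write` permission from `ci.yml`, so after merge no workflow performs the review the README promises. Either keep the automation in CI (with the minimal permission scoped to that job) or word the notice as an optional aid; it is also worth saying that human review remains required, so the notice is not read as a security guarantee.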
The README claims that all PRs are automatically reviewed by Copilot for security vulnerabilities, but this repo’s CI workflow no longer runs an AI PR review job (it was removed in this PR). Please either adjust the README wording to match the actual enforcement (e.g., optional/manual review) or restore the automation so the statement is accurate.
| > **Security**: All PRs are automatically reviewed by Copilot AI for security vulnerabilities. | |
| > **Security**: PRs may be reviewed with Copilot AI for potential security vulnerabilities as part of our development workflow. |
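Review bot: The suggested wording ("may be reviewed ... as part of our development workflow") fixes the false enforcement claim, but it still describes no actual gate; if contributors are meant to rely on the notice, state which review is mandatory and present the Copilot pass as advisory rather than as the security check.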
| You are a rigorous senior code reviewer tasked with preventing security vulnerabilities in code submissions. | ||
| Your assessment must be based on the code diffs of each commit. | ||
|
|
||
| - Language: English | ||
| - Focus on .NET security policy and best practices | ||
| - Flag any potential SQL injection, XSS, path traversal, insecure deserialization, or other OWASP Top 10 risks | ||
| - Check for hardcoded secrets, credentials, or sensitive data exposure | ||
| - Verify proper input validation and output encoding | ||
| - Ensure secure file I/O patterns (no arbitrary file access) |
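Review bot: Beyond the file not being wired up, the rule "Your assessment must be based on the code diffs of each commit" scopes the review to per-commit diffs, which can miss an issue that only appears once the commits are combined; reviewing the full PR diff against the base branch is the safer instruction. The checklist is also web-app centric (SQL injection, XSS) for a library that, per the README, parses text and .xlsx input files; the path-traversal and file I/O items are the ones that fit, and untrusted-input parsing deserves an explicit line of its own.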
This Copilot code review instructions file is not referenced anywhere in the repository (no workflow or config points to it), so it likely has no effect as-is. Consider wiring it into the intended Copilot review mechanism (or renaming/relocating per the tool’s expected convention) or deleting it to avoid dead configuration.
| You are a rigorous senior code reviewer tasked with preventing security vulnerabilities in code submissions. | |
| Your assessment must be based on the code diffs of each commit. | |
| - Language: English | |
| - Focus on .NET security policy and best practices | |
| - Flag any potential SQL injection, XSS, path traversal, insecure deserialization, or other OWASP Top 10 risks | |
| - Check for hardcoded secrets, credentials, or sensitive data exposure | |
| - Verify proper input validation and output encoding | |
| - Ensure secure file I/O patterns (no arbitrary file access) | |
| # Deprecated: Copilot code review instructions | |
| This file previously contained instructions for GitHub Copilot Code Review, but it is **not** | |
| referenced by any workflow or configuration in this repository and therefore has no effect | |
| on automated reviews. | |
| It is retained only for historical reference. When configuring Copilot Code Review, prefer: | |
| - The officially supported `.github/copilot-instructions.md` file, **or** | |
| - Explicit configuration inside your CI workflows or other documented mechanisms. | |
| If you do not need this historical reference, you may safely delete this file. |
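Review bot: Keeping a file that documents itself as having no effect is exactly the dead configuration the earlier comment warned about; delete `.github/copilot-code-review.md` (git history already preserves its contents) and, if the checklist is wanted, move it into `.github/copilot-instructions.md`, the repository custom-instructions file that GitHub Copilot actually reads. The phrase "explicit configuration inside your CI workflows or other documented mechanisms" is vague; name the mechanism or drop that bullet.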
No description provided.