[PR Triage Report] PR Triage Report - 2026-04-01 #23937
Executive Summary
- Total PRs Triaged: 0 (all 8 examined PRs excluded — same-repo policy)
- Agent PRs Found: 8
- Fork PRs (Eligible): 0
- Auto-merge Candidates: 0
- Fast-track Needed: 0
- Batches Identified: 0
- Close Candidates: 0
Policy Reminder: This triage workflow processes only fork PRs (where head.repo.full_name ≠ base.repo.full_name). All 8 open Copilot PRs originate from branches within github/gh-aw itself, so none qualify for automated labeling or commenting under the current policy.
⚠️ Notable Observation: Security PR Wave
7 new security-focused PRs were opened today (2026-04-01), suggesting an active security audit is in progress. These warrant prompt human review:
| PR | Title | Status |
|---|---|---|
| #23934 | fix: address 4 security findings — env.* expression blocklist, protocol-relative | Draft |
| #23933 | Enforce MCP gateway tool allowlist at the gateway layer and restrict config file | Draft |
| #23932 | fix: reject env.* expressions in markdown per documented safety policy | Draft |
| #23931 | fix: enforce mcp/fetch domain allowlist to close web-fetch AWF bypass | Draft |
| #23930 | fix: treat protocol-relative URLs as blocked domains in safe-outputs sanitizer | Draft |
| #23929 | fix(security): clear .git/hooks/ and disable hooksPath in cache-memory git setup | Draft |
| #23928 | security: scope safe-outputs write-sink to a distinct bearer token | Draft |
All are currently draft PRs — they'll need to be marked ready for review before merging.
🔄 Trends vs Previous Run (Run #23847991207)
PRs Closed/Merged Since Last Run (7)
| PR | Title |
|---|---|
| #23879 | bump: gh-aw-firewall v0.25.6, gh-aw-mcpg v0.2.11 |
| #23878 | Remove noisy negative-result messages from compile output |
| #23876 | fix: update_cache_memory must not run if agent job failed |
| #23870 | [WIP] Allow engine.version to accept GitHub Actions expressions |
| #23869 | [WIP] Parameterize tools config fields to accept expressions |
| #23868 | Improve test quality: pkg/parser/frontmatter_utils_test.go |
| #23863 | feat: allow timeout-minutes to accept GitHub Actions expressions |
PRs Still Open (Persistent)
| PR | Title | Age |
|---|---|---|
| #23695 | fix: Gemini CLI exits 41 in AWF sandbox — missing API key and ~/.gemini dir | ~1 day (draft, labels: lgtm, awf) |
Triage Statistics
By Category
(No fork PRs to categorize)
Among all examined same-repo Copilot PRs (informational only):
- Bug/Security: 6
- Feature/Security: 2
By Risk Level
(No fork PRs to assess)
By Priority
(No fork PRs to score)
By Recommended Action
- Auto-merge: 0
- Fast-track: 0
- Batch Review: 0
- Defer: 0
- Close: 0
Next Steps
- Human review required for the 7 security draft PRs — mark ready for review once ready
- Check for overlap: PRs fix: reject env.* expressions in markdown per documented safety policy #23932, fix: enforce mcp/fetch domain allowlist to close web-fetch AWF bypass #23931, fix: treat protocol-relative URLs as blocked domains in safe-outputs sanitizer #23930 may address overlapping concerns with the omnibus fix: address 4 security findings — env.* expression blocklist, protocol-relative URL sanitization, git hook injection, MCP token permissions #23934 — consider consolidating
- PR fix: Gemini CLI exits 41 in AWF sandbox — missing API key and ~/.gemini dir #23695 has been open ~1 day as a draft with the lgtm label — confirm if ready to promote
- Re-triage in ~6 hours for any newly opened fork PRs
Generated by PR Triage Agent — Run #23863767275