Closed
Q Workflow Optimization Report

Issues Found (from issue #15033)

bot-detection.md

- Issue Context: Issue #15033 reports that @Copilot was flagged as suspicious (Medium Risk, score 3/12)
- Root Cause: The bot-detection workflow has an inconsistency between the allowlist definition and its documentation
- Specific Problem:
  - Line 197 allowlist: [dependabot, renovate, github-actions], missing copilot
  - Line 328 documentation: Lists "copilot" as a known legitimate bot
- Result: The Copilot App incorrectly triggers Red Flag #8 (Identity Headers)
Changes Made

.github/workflows/bot-detection.md (Line 197)

- Before: User type is "Bot" AND not in allowlist: [dependabot, renovate, github-actions]
- After: User type is "Bot" AND not in allowlist: [dependabot, renovate, github-actions, copilot]
- Reason: Added copilot to match the documentation on line 328 and prevent false positives
Expected Improvements

- ✅ Eliminates false positive detections of the @Copilot GitHub App
- ✅ Aligns allowlist implementation with documented policy
- ✅ Prevents unnecessary security alerts for legitimate automation
Context
This fix addresses issue #15033 where the bot-detection workflow incorrectly flagged @Copilot as suspicious when it authored/merged PR #15026. The Copilot GitHub App is a legitimate automation tool and should be treated the same as other known bots (dependabot, renovate, github-actions).
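The threshold rule the report quotes (user type "Bot" and not in the allowlist, or a login ending in `[bot]` that is not a known bot) can be checked deterministically. The JavaScript below is an added example, not gh-aw's own code: the real workflow hands the rule to an agent as prose in bot-detection.md, so this only shows what a literal reading of the rule produces. The sample accounts are constructed, and the lowercase plus `[bot]`-suffix normalization in `baseName` is an assumption about how the bare names in the allowlist are meant to match real logins. It runs the rule under both the before and after allowlists so the false positive on @Copilot, and its disappearance after the change, are visible.

```javascript
// Reference implementation of the two "Identity Headers" threshold bullets
// quoted from bot-detection.md. Added example, not gh-aw code.

const ALLOWLIST_BEFORE = ["dependabot", "renovate", "github-actions"];
const ALLOWLIST_AFTER = ["dependabot", "renovate", "github-actions", "copilot"];

// Normalize a login to the bare bot name used in the allowlist: lowercase it and
// strip a trailing "[bot]" (e.g. "dependabot[bot]" -> "dependabot").
// ASSUMPTION: the allowlist is meant to match this way; the prompt does not say.
function baseName(login) {
  return login.toLowerCase().replace(/\[bot\]$/, "");
}

function isKnownBot(login, allowlist) {
  return allowlist.includes(baseName(login));
}

// Returns the reasons that fire for one account:
//   - user type is "Bot" AND not in allowlist
//   - OR login ends with "[bot]" but isn't a known legitimate bot
// An empty array means the account passes this red flag.
function identityHeaderFlags(user, allowlist) {
  const reasons = [];
  const known = isKnownBot(user.login, allowlist);
  if (user.type === "Bot" && !known) {
    reasons.push("type=Bot and not in allowlist");
  }
  if (user.login.endsWith("[bot]") && !known) {
    reasons.push("login ends with [bot] but is not a known legitimate bot");
  }
  return reasons;
}

// Constructed sample accounts (not real API responses). "Copilot" mirrors the
// account named in the report; the last entry is a human account whose login
// merely imitates a bot suffix.
const SAMPLE_USERS = [
  { login: "Copilot", type: "Bot" },
  { login: "dependabot[bot]", type: "Bot" },
  { login: "renovate[bot]", type: "Bot" },
  { login: "octocat", type: "User" },
  { login: "evil-helper[bot]", type: "User" },
];

// Evaluate every sample account under a given allowlist; returns login -> reasons.
function evaluateAll(allowlist) {
  const out = {};
  for (const u of SAMPLE_USERS) out[u.login] = identityHeaderFlags(u, allowlist);
  return out;
}

console.log("before:", JSON.stringify(evaluateAll(ALLOWLIST_BEFORE), null, 2));
console.log("after: ", JSON.stringify(evaluateAll(ALLOWLIST_AFTER), null, 2));
```

Under `ALLOWLIST_BEFORE` the `Copilot` account fires the first bullet and nothing else; under `ALLOWLIST_AFTER` it fires neither. The `evil-helper[bot]` human account fires the second bullet under both lists, which is the case the `[bot]`-suffix clause exists for. Note that the check only works for `Copilot` if matching is case-insensitive, which the prompt text leaves implicit.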
Validation
- ✅ Single-line surgical change to allowlist
- ✅ No lock file changes (will be compiled automatically)
- ✅ Matches existing documentation on line 328
Fixes #15033
AI generated by Q, expires on Feb 14, 2026, 12:14 AM UTC
Note
This was originally intended as a pull request, but the git push operation failed.
Workflow Run: https://github.com/github/gh-aw/actions/runs/21928155640 (view run details and download the patch artifact)

The patch file is available in the agent-artifacts artifact in the workflow run linked above.

To apply the patch locally:

```bash
# Download the artifact from the workflow run https://github.com/github/gh-aw/actions/runs/21928155640
# (Use GitHub MCP tools if gh CLI is not available)
gh run download 21928155640 -n agent-artifacts

# The patch file will be at agent-artifacts/tmp/gh-aw/aw.patch after download
# Apply the patch
git am agent-artifacts/tmp/gh-aw/aw.patch
```

Patch:
From b2e4b4327b046d34e3fd4b02b311883a7610cbad Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Thu, 12 Feb 2026 00:11:38 +0000
Subject: [PATCH] fix(bot-detection): Add copilot to bot allowlist
The copilot user is a legitimate GitHub App that should not be flagged
as suspicious. This change adds 'copilot' to the bot allowlist on line 197
to match the documentation on line 328 which already lists it as a known
legitimate bot.
---
.github/workflows/bot-detection.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/bot-detection.md b/.github/workflows/bot-detection.md
index bca5c0f..f483d86 100644
--- a/.github/workflows/bot-detection.md
+++ b/.github/workflows/bot-detection.md
@@ -194,7 +194,7 @@ Analyze the account for these 8 specific red flags:
3. For bots: Verify if it's a legitimate, known bot (dependabot, renovate, github-actions)
**Threshold**: Flag if:
-- User type is "Bot" AND not in allowlist: [dependabot, renovate, github-actions]
+- User type is "Bot" AND not in allowlist: [dependabot, renovate, github-actions, copilot]
- OR username ends with `[bot]` but isn't a known legitimate bot
## Analysis Process
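Review bot: the step-3 context line at the top of this hunk, `3. For bots: Verify if it's a legitimate, known bot (dependabot, renovate, github-actions)`, still names only three known bots while the threshold bullet directly below it now lists four, so the prompt keeps the same allowlist-versus-documentation mismatch this patch is meant to remove; add `copilot` there as well. Also, the account the report says was flagged is `@Copilot` (capitalised, no `[bot]` suffix) while the new allowlist entry is the bare lowercase `copilot`, so the rule should say whether the match is case-insensitive and whether the second bullet's `[bot]`-suffix test is meant to consult the same allowlist.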
--
2.52.0