Add neat workflow for automatic content removal from blocked users

[Copilot]

Implements automated content moderation that removes issues, PRs, discussions, and comments created by users on a configurable blocklist.

Implementation

Workflow Configuration (.github/workflows/neat.md):

• Event triggers: issues.opened, pull_request.opened, discussion.created, issue_comment.created, discussion_comment.created
• Manual testing: workflow_dispatch with item_url input to validate against specific items
• Engine: Copilot with GitHub MCP tools (local mode, default toolsets)

Safe-Outputs:

• close-issue, close-pull-request, close-discussion (max 10/run)
• hide-comment (max 10/run, reasons: spam, off_topic, abuse)
• Threat detection enabled

Verification Flow:

1. Fetch content via GitHub MCP tools (issue_read, pull_request_read, etc.)
2. Case-insensitive username matching against blocklist
3. Triple-verification: username check → content fetch → final confirmation
4. Action with explanatory comment

Blocklist (example users):

- spam-bot-123
- malicious-user
- test-spammer
- automated-spam-account
- promotional-bot

Security Patterns:

• Read-only permissions (writes via safe-outputs only)
• Rate limiting (10 actions max per run)
• Concurrency control per item
• Fork support with forks: "*"
• Issue locking via lock-for-agent: true

The workflow uses GitHub expressions safely (avoids unauthorized *.user.login patterns) by fetching author information through MCP tools instead.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw ba778da9 (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw d (http block)
• https://api.github.com/repos/actions/ai-inference/git/ref/tags/v2
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v2 --jq .object.sha json' --ignore-path ../../../.pr**/*.json (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/11bd71901bbe5b1630ceea73d27597364c9af683
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/11bd71901bbe5b1630ceea73d27597364c9af683 --jq .object.sha successfully" (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha get --local bin/git http.https://git/usr/bin/gh (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha ./../pkg/workfloremote.origin.url --local x_amd64/cgo (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v7
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v7 --jq .object.sha (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v7 --jq .object.sha ./../pkg/workflow/js/**/*.json' --ignore-path --local x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v7 --jq .object.sha ./../pkg/workflow/js/**/*.json' --ignore-path ../../../.prettierignore --local e_modules/esbuild/node_modules/.bin/sh credential.helpegit (http block)
• https://api.github.com/repos/actions/setup-go/git/ref/tags/4dc6199c7b1a012772edbd06daecab0f50c9053c
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/4dc6199c7b1a012772edbd06daecab0f50c9053c --jq .object.sha get --local r: $owner, name: $name) { hasDiscussionsEnabled } } credential.helpegit (http block)
• https://api.github.com/repos/actions/setup-go/git/ref/tags/v5
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v5 --jq .object.sha (http block)
• https://api.github.com/repos/actions/setup-go/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v6 --jq .object.sha (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v6 --jq .object.sha h ../../../.pret.prettierignore (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v6 --jq .object.sha on (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha -c=4 -nolocalimports -importcfg /tmp/go-build2911838391/b001/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/cmd/gh-aw/main.go (http block)
  • Triggering command: `/usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha TOKEN"; }; f sto**/*.ts ers

Co-authored**/*.json /node` (http block)

• https://api.github.com/repos/anchore/sbom-action/git/ref/tags/v0
  • Triggering command: /usr/bin/gh gh api /repos/anchore/sbom-action/git/ref/tags/v0 --jq .object.sha get --local r: $owner, name: $name) { hasDiscussionsEnabled } } http.https://git/usr/bin/gh (http block)
  • Triggering command: /usr/bin/gh gh api /repos/anchore/sbom-action/git/ref/tags/v0 --jq .object.sha ./../pkg/workfloremote.origin.url --local 0/x64/bin/git http.https://gitgit ase,codename,all-C (http block)
  • Triggering command: /usr/bin/gh gh api /repos/anchore/sbom-action/git/ref/tags/v0 --jq .object.sha ./../pkg/workfloremote.origin.url --local r: $owner, name: $name) { hasDiscussionsEnabled } } credential.helpe/usr/bin/gh (http block)
• https://api.github.com/repos/docker/build-push-action/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/docker/build-push-action/git/ref/tags/v6 --jq .object.sha get --local /opt/hostedtoolcache/node/24.13.0/x64/bin/git http.https://gitgit (http block)
  • Triggering command: /usr/bin/gh gh api /repos/docker/build-push-action/git/ref/tags/v6 --jq .object.sha ./../pkg/workflow/js/**/*.json' --ignore-path --local x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/docker/build-push-action/git/ref/tags/v6 --jq .object.sha ./../pkg/workflow/js/**/*.json' --ignore-path ../../../.prettierignore --local de/node/bin/sh (http block)
• https://api.github.com/repos/docker/login-action/git/ref/tags/v3
  • Triggering command: /usr/bin/gh gh api /repos/docker/login-action/git/ref/tags/v3 --jq .object.sha ./../pkg/workflow/js/**/*.json' --ignore-path --local it (http block)
  • Triggering command: /usr/bin/gh gh api /repos/docker/login-action/git/ref/tags/v3 --jq .object.sha ./../pkg/workflow/js/**/*.json' --ignore-path ../../../.prettierignore --local /usr/local/sbin/git credential.helpegit (http block)
• https://api.github.com/repos/docker/metadata-action/git/ref/tags/v5
  • Triggering command: /usr/bin/gh gh api /repos/docker/metadata-action/git/ref/tags/v5 --jq .object.sha ./../pkg/workfloremote.origin.url --local ndor/bin/git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/docker/metadata-action/git/ref/tags/v5 --jq .object.sha ./../pkg/workfloremote.origin.url --local r: $owner, name: $name) { hasDiscussionsEnabled } } credential.helpe/usr/bin/gh (http block)
• https://api.github.com/repos/docker/setup-buildx-action/git/ref/tags/v3
  • Triggering command: /usr/bin/gh gh api /repos/docker/setup-buildx-action/git/ref/tags/v3 --jq .object.sha ithub/workflows --local r: $owner, name: $name) { hasDiscussionsEnabled } } http.https://git/usr/bin/gh (http block)
  • Triggering command: /usr/bin/gh gh api /repos/docker/setup-buildx-action/git/ref/tags/v3 --jq .object.sha ./../pkg/workfloremote.origin.url --local r: $owner, name: $name) { hasDiscussionsEnabled } } (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/c4e091835c7a94dc7d3acb8ed3ae145afb4995f3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/c4e091835c7a94dc7d3acb8ed3ae145afb4995f3 --jq .object.sha (http block)
• https://api.github.com/repos/githubnext/agentics/git/ref/tags/-
  • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/- --jq .object.sha (http block)
• https://api.github.com/user
  • Triggering command: /usr/bin/gh gh api user --jq .login (http block)
  • Triggering command: /usr/bin/gh gh api user --jq .login -c=4 -nolocalimports -importcfg /tmp/go-build4171779459/b001/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/cmd/gh-aw/main.go (http block)
  • Triggering command: /usr/bin/gh gh api user --jq .login d -n 10 (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.