Add address-pr-feedback workflow

[Copilot]

Adds an automated PR-feedback workflow that runs on review submission and addresses actionable review comments with minimal code changes.

Trigger and guardrails

• Event: pull_request_review with type submitted
• Runs only when review state is changes_requested or commented
• Skips draft PRs
• Skips PRs labeled skip-auto-address-pr-feedback

Behavior

The workflow gathers unresolved review threads, applies targeted fixes when feedback is actionable, runs repo validation commands, pushes changes to the PR branch, resolves threads it addressed, and posts inline replies for feedback it intentionally does not apply.

Included workflow pieces

• Reusable workflow definition: .github/workflows/gh-aw-address-pr-feedback.md
• Compiled reusable workflow used at runtime: .github/workflows/gh-aw-address-pr-feedback.lock.yml
• Repo-local trigger workflow wiring review events to the reusable workflow: .github/workflows/trigger-address-pr-feedback.yml
• New safe output fragment for inline thread replies: .github/workflows/gh-aw-fragments/safe-output-reply-to-review-comment.md
• Consumer docs and template: gh-agent-workflows/address-pr-feedback/README.md and gh-agent-workflows/address-pr-feedback/example.yml

Quick install (consumer repo)

mkdir -p .github/workflows && curl -sL \
  https://raw.githubusercontent.com/elastic/ai-github-actions/v0/gh-agent-workflows/address-pr-feedback/example.yml \
  -o .github/workflows/address-pr-feedback.yml

Generated by Update PR Body

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a reusable, multi-stage GitHub Actions workflow and docs to automate addressing PR review feedback via Copilot agents, Safe Inputs/Outputs MCP servers, threat detection, and PR updates; includes a trigger workflow, example, and README for setup and usage. (47 words)

Changes

Cohort / File(s)	Summary
Core Workflows .github/workflows/gh-aw-address-pr-feedback.lock.yml, .github/workflows/trigger-address-pr-feedback.yml	Adds a large reusable workflow implementing end-to-end PR-feedback automation (activation, agent run, detection, pre-activation gating, safe-outputs, conclusion) and a trigger that invokes it on pull_request_review events with conditions and secrets.
Docs / Examples .github/workflows/gh-aw-address-pr-feedback.md, gh-agent-workflows/address-pr-feedback/README.md, gh-agent-workflows/address-pr-feedback/example.yml	Adds comprehensive documentation, usage guide, procedural steps, and an example workflow demonstrating how to invoke the reusable workflow and configure inputs/permissions.
Safe Outputs Fragment .github/workflows/gh-aw-fragments/safe-output-reply-to-review-comment.md	New fragment documenting safe-outputs reply-to-review-comment semantics, API constraints, and per-run limits.

Sequence Diagram(s)

sequenceDiagram
    participant PR as "GitHub PR (client)"
    participant Trigger as "Trigger workflow"
    participant Orchestrator as "gh-aw-address-pr-feedback\n(reusable workflow)"
    participant Copilot as "Copilot CLI / Agent"
    participant MCPGW as "MCP Gateway"
    participant SafeOut as "Safe Outputs MCP"
    participant SafeIn as "Safe Inputs MCP"
    participant GH as "GitHub API"

    PR->>Trigger: pull_request_review event
    Trigger->>Orchestrator: workflow_call (with secrets/inputs)
    Orchestrator->>Copilot: prepare env, render prompt, start agent
    Copilot->>MCPGW: request tools / md generation / code-search
    MCPGW->>SafeOut: validate/produce safe outputs
    MCPGW->>SafeIn: accept validated inputs
    Copilot->>Orchestrator: agent outputs (edits, logs, artifacts)
    Orchestrator->>GH: push commits, resolve threads, add comments
    Orchestrator->>SafeOut: upload final artifacts & safety reports

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related issues

• Auto-address PR Feedback #321 — This PR implements an auto-address-PR-feedback workflow matching the feature request described.

Suggested reviewers

• github-actions

Poem

🐰 A tiny hop, a careful fix,

I stitch the threads and patch the mix.
Copilot hums, safe gates are true,
PRs grow tidy, logs in view.
Hooray — a branch refreshed anew!

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: adding a new workflow for addressing pull request feedback, which is the primary objective of the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch copilot/add-pr-feedback-workflow

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[strawgate]

@copilot let's use https://github.github.com/gh-aw/reference/safe-outputs/#reply-to-pr-review-comment-reply-to-pull-request-review-comment for replying to pr review comments that we dont end up implementing or that we disagree with instead of putting the details in the comment we add

[Copilot]

@copilot let's use https://github.github.com/gh-aw/reference/safe-outputs/#reply-to-pr-review-comment-reply-to-pull-request-review-comment for replying to pr review comments that we dont end up implem...

Added reply-to-pull-request-review-comment safe output (new fragment + import) and updated the prompt so the agent uses reply_to_pull_request_review_comment for inline replies to threads it disagrees with or skips, instead of putting those details in the summary comment. Commit: 2ca1c48.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• github.github.com
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)
• https://api.github.com/repos/ruby/setup-ruby/git/ref/tags/v1
  • Triggering command: /usr/bin/gh gh api /repos/ruby/setup-ruby/git/ref/tags/v1 --jq .object.sha 0.1-go1.25.7.lin--gdwarf-5 0.1-go1.25.7.lin--64 rg/toolchain@v0.-o ame (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)