feat(ci): automated comment spam protection — block spam accounts and auto-moderate PR comments #753

Closed
diberry wants to merge 7 commits into dev from squad/751-comment-spam-protection

@diberry diberry commented Apr 2, 2026

Summary

Adds automated comment spam protection for the repo. A new GitHub Action (squad-comment-moderation.yml) scans incoming comments on issues and PRs for spam signals and auto-hides them.

What it does

  • Triggers on issue_comment and pull_request_review_comment (created)
  • Checks multiple spam signals: account age, repo association, recruitment/crypto/SEO keywords, URL density, comment length
  • Scores each signal — only acts when score >= 5 (multiple signals must combine)
  • Acts by minimizing (hiding) the comment and posting a moderation notice
  • Skips trusted users (OWNER, MEMBER, COLLABORATOR, CONTRIBUTOR)

Files changed

  • .github/workflows/squad-comment-moderation.yml — the workflow
  • docs/proposals/comment-spam-protection.md — design proposal with alternatives analysis
  • CONTRIBUTING.md — added moderation notice for contributors

Why

Spam account kleadproofficial-del posted a recruitment ad on PR #725. This will keep happening. Zero-maintenance automated protection beats manual cleanup.

Closes #751

Working as Booster (CI/CD Engineer)

Co-authored-by: Copilot 223556219+Copilot@users.noreply.github.com
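
The scoring model described in this PR summary, sketched as an added example (not code from this PR or from scripts/comment-moderation.mjs). The `>= 5` threshold, the trusted associations and the bot skip come from the page; the weights, keyword list, cut-offs and the `scoreComment` name are assumptions.

```javascript
// Added illustration: weights, keyword list and cut-offs are assumptions,
// not values taken from the project's scripts/comment-moderation.mjs.
const THRESHOLD = 5; // from the PR description: act only when score >= 5
const TRUSTED = new Set(["OWNER", "MEMBER", "COLLABORATOR", "CONTRIBUTOR"]);
const KEYWORDS = /\b(hiring|recruit\w*|crypto|airdrop|seo|backlinks?)\b/i; // assumed list
const DAY_MS = 24 * 60 * 60 * 1000;

function scoreComment({ body, authorAssociation, senderType, accountCreatedAt, now }) {
  // Trusted associations and bots are skipped before any scoring happens.
  if (senderType === "Bot" || TRUSTED.has(authorAssociation)) {
    return { score: 0, signals: [], action: "skip" };
  }
  const signals = [];
  const add = (name, weight) => signals.push({ name, weight });

  const ageDays = (now - Date.parse(accountCreatedAt)) / DAY_MS;
  if (ageDays < 7) add("new-account", 2); // assumed cut-off
  if (authorAssociation === "NONE") add("no-repo-association", 1);
  if (KEYWORDS.test(body)) add("spam-keyword", 3);

  const urls = body.match(/https?:\/\/\S+/gi) || [];
  const words = body.split(/\s+/).filter(Boolean).length;
  if (urls.length >= 2 && urls.length / Math.max(words, 1) > 0.1) add("url-density", 2);
  if (body.length > 1500) add("long-comment", 1);

  // No single weight reaches the threshold, so signals must combine.
  const score = signals.reduce((sum, s) => sum + s.weight, 0);
  return { score, signals, action: score >= THRESHOLD ? "minimize" : "none" };
}

// Constructed sample inputs.
const now = Date.parse("2026-04-02T18:00:00Z");
const spam = scoreComment({
  body: "We are hiring! Apply at https://jobs.example/a or https://jobs.example/b",
  authorAssociation: "NONE", senderType: "User",
  accountCreatedAt: "2026-04-01T00:00:00Z", now,
});
const newcomer = scoreComment({
  body: "Is anyone hiring maintainers for this? Happy to help triage.",
  authorAssociation: "NONE", senderType: "User",
  accountCreatedAt: "2024-01-01T00:00:00Z", now,
});
console.log(spam.action, spam.score, newcomer.action, newcomer.score);
```

The second sample shows why the threshold matters: a keyword hit from an established account with no links stays below 5 and is left alone.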

Copilot AI review requested due to automatic review settings April 2, 2026 17:46

github-actions bot commented Apr 2, 2026

🛫 PR Readiness Check

⚠️ 2 item(s) to address before review

| Check | Details |
|---|---|
| Single commit (or squashable) | 4 commits — consider squashing before review (or repo will squash on merge) |
| Not in draft | Ready for review |
| Branch up to date | Up to date with dev |
| Copilot review | No Copilot review yet — it may still be processing |
| Changeset present | Changeset file found |
| No merge conflicts | No merge conflicts |
| CI passing | No CI checks have run yet |

This check runs automatically on every push. Fix any ❌ items and push again.
See CONTRIBUTING.md and PR Requirements for details.

Copilot AI left a comment

Pull request overview

This PR adds automation intended to reduce maintainer burden by (1) auto-moderating spam comments and (2) posting an informational PR-readiness checklist comment.

Changes:

  • Add a comment auto-moderation GitHub Action that scores spam signals and minimizes comments over a threshold.
  • Add a PR readiness GitHub Action that upserts a checklist comment based on PR metadata, mergeability, and CI state.
  • Add/update contributor/process documentation and decision/history records describing these automations.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 9 comments.

| File | Description |
|---|---|
| .github/workflows/squad-comment-moderation.yml | New workflow to detect spam signals on new comments and minimize them + post a notice. |
| .github/workflows/squad-pr-readiness.yml | New workflow to upsert an informational PR readiness checklist comment. |
| CONTRIBUTING.md | Documents PR readiness checklist and comment moderation behavior. |
| docs/proposals/comment-spam-protection.md | Proposal describing the comment spam protection approach and scoring model. |
| docs/proposals/pr-readiness-checks.md | Proposal describing PR readiness check approaches and recommended implementation. |
| .squad/decisions/inbox/flight-pr-readiness.md | Decision log entry for the PR readiness approach. |
| .squad/agents/flight/history.md | Agent history entry documenting the PR readiness automation pattern. |
| .changeset/pr-readiness-checks.md | Changeset noting the PR readiness workflow addition. |

diberry added a commit that referenced this pull request Apr 2, 2026
- Add timeout-minutes: 5 to the moderate job
- Add bot-type skip condition (github.event.sender.type != 'Bot')
- Fix blob/main -> blob/dev in moderation notice URL
- Add recursion-safety comment (GITHUB_TOKEN can't re-trigger)
- Add changeset for the new workflow

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
diberry added a commit that referenced this pull request Apr 2, 2026
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
diberry added a commit that referenced this pull request Apr 2, 2026
Move orchestration logic (user lookup, scoring, comment minimize, notice
posting) from inline actions/github-script block into the standalone
scripts/comment-moderation.mjs module.  The workflow now uses a plain
`run: node scripts/comment-moderation.mjs` step with env vars.

- Add run() orchestrator with injectable fetch for testability
- Use native fetch (Node 18+) for GitHub REST + GraphQL API calls
- Add 11 orchestration tests (skip, threshold, minimize, notice, errors)
- Workflow YAML now has ZERO JavaScript — only YAML with run: steps

All 46 tests pass.

Closes #753

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
diberry added a commit that referenced this pull request Apr 2, 2026
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
diberry and others added 2 commits April 2, 2026 14:49
- Archive: 71 decisions (>30d), 10 (7-30d)
- Merge: 13 inbox decisions into canonical log
- Summarize: Flight, EECOM, FIDO histories (kept recent entries)
- Log: Bug-fix-pipeline session recorded
- Deduplicate: 73 unique decisions
- decisions.md: 385.8 KB -> 103.7 KB

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@diberry diberry force-pushed the squad/751-comment-spam-protection branch from b8a6cbe to 4068ce3 Compare April 2, 2026 22:26
diberry and others added 3 commits April 2, 2026 15:26
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@diberry diberry force-pushed the squad/751-comment-spam-protection branch from af584e9 to 158f6d9 Compare April 2, 2026 22:32
diberry and others added 2 commits April 2, 2026 15:59
Reset .squad/ files to match origin/dev — these changes were not part of the PR content.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@diberry diberry closed this Apr 3, 2026