[community] Update community contributions in README #38009

Merged
pelikhan merged 1 commit into main from community/update-contributions-2026-06-bc3920dda9a495f3
Jun 9, 2026

@github-actions github-actions Bot commented Jun 9, 2026

[community] Update community contributions in README

PR #38009 · community/update-contributions-2026-06-bc3920dda9a495f3 → main · Labels: automation, community


Summary

Automated daily update to the community contributions section in README.md. Adds new issue attributions for 9 contributors, corrects/deduplicates existing entries for 5 contributors, and introduces a new "⚠️ Attribution Candidates Need Review" section surfacing 5 unlinked community issues that require manual verification.


What changed

File: README.md (community contributions <details> block only)

New issue attributions added

| Contributor | Issue added |
| --- | --- |
| @arthurfvives | #35682 |
| @dholmes | #34949 |
| @jamesadevine | #37806 |
| @JamesNK | #28863 |
| @jonathanpeppers | #32893 |
| @michen00 | #36857 |
| @sg650 | #36466 |
| @Yoyokrazy | #36547 |
| @yskopets | #37705 |

Corrections / deduplication

| Contributor | Change |
| --- | --- |
| @alondahari | Entry removed entirely (was #21207) |
| @johnwilliams-12 | Entry removed entirely (was #21205) |
| @MattSkala | #21203 removed; entry retained with #24567 |
| @strawgate | #21157 removed; remaining issues retained |
| @veverkap | #21260, #21257 removed; entry retained with #22362 |

New section: Attribution Candidates Need Review

Five community issues that were closed but could not be automatically linked to a merged PR are surfaced for manual follow-up:

| Contributor | Issue | Closed |
| --- | --- | --- |
| @app/github-actions | #36674 | Jun 3, 2026 |
| @brase | #36651 | Jun 3, 2026 |
| @pelikhan | #35783 | Jun 3, 2026 |
| @arthurfvives | #32974 | May 22, 2026 |
| @jobayer-4 | #32608 | May 16, 2026 |

Impact

| Property | Value |
| --- | --- |
| Breaking change | No |
| Impact level | Low |
| Scope | Documentation only (README.md) |

Reviewer action required

The five issues in the Attribution Candidates Need Review section need a human to confirm or deny attribution before they can be added to the contributor list. Each was closed without a detectable keyword link to a merged PR.

Generated by PR Description Updater for issue #38009 · 105.3 AIC · ⌖ 12.7 AIC · ⊞ 19.6K ·

- Add newly attributed issues from Tier 0-2 analysis (Tier 1 and Tier 2 matches)
- Include issue #35682 for @arthurfvives
- Include issue #34949 for @dholmes
- Include issue #36857 for @michen00
- Include new contributors and updates from this period
- Add Tier 4 section with 5 unlinked community issues needing manual review:
  - #36674 (@app/github-actions)
  - #36651 (@brase)
  - #35783 (@pelikhan)
  - #32974 (@arthurfvives)
  - #32608 (@jobayer-4)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@pelikhan pelikhan marked this pull request as ready for review June 9, 2026 03:48
Copilot AI review requested due to automatic review settings June 9, 2026 03:48
@pelikhan pelikhan merged commit dba94ad into main Jun 9, 2026
4 checks passed
@pelikhan pelikhan deleted the community/update-contributions-2026-06-bc3920dda9a495f3 branch June 9, 2026 03:48
github-actions Bot commented Jun 9, 2026

🧪 Test Quality Sentinel completed test quality analysis.

No test files were added or modified in this PR. PR #38009 only modifies README.md (community contributions update). Test Quality Sentinel skipped.

github-actions Bot commented Jun 9, 2026

🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅

github-actions Bot commented Jun 9, 2026

Design Decision Gate 🏗️ completed the design decision gate check.

No ADR enforcement needed: PR #38009 does not have the implementation label (has_implementation_label=false) and has 0 new lines of code in business logic directories (default_business_additions=0, threshold=100). Neither Condition A nor Condition B is met.

github-actions Bot commented Jun 9, 2026

PR Code Quality Reviewer completed the code quality review.

Copilot AI left a comment

Pull request overview

This PR updates the repository’s README.md “Community Contributions” section to refresh attributed community issue credits and add a new “Tier 4” style list of attribution candidates that require manual review.

Changes:

  • Updates multiple contributor attribution rows (adds several new issue numbers, removes some existing ones).
  • Adds a new “⚠️ Attribution Candidates Need Review” section listing five recently-closed issues that lacked confirmed PR linkage.
| File | Description |
| --- | --- |
| README.md | Refreshes the community attribution list and adds a new manual-review candidates section. |

Copilot's findings

  • Files reviewed: 1/1 changed files
  • Comments generated: 6

Comment thread README.md
Comment on lines 78 to 79
- @AlexDeMichieli: #26645 _(direct issue)_
- @alondahari: #21207 _(direct issue)_
- @anthonymastreanvae: #32481 _(direct issue)_, #32479 _(direct issue)_, #30897 _(direct issue)_, #30841 _(direct issue)_
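Review bot: the @alondahari row (#21207) is deleted here with no replacement, and the PR description records it only as "Entry removed entirely" without the rule that triggered it. Have the updater state the de-attribution criterion next to each removal in the description so a reviewer can verify it against the issue.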
Comment thread README.md
Comment on lines 150 to +151
- @johnpreed: #25687 _(direct issue)_, #23777 _(direct issue)_, #23212 _(direct issue)_, #21334 _(direct issue)_
- @johnwilliams-12: #21205 _(direct issue)_
- @jonathanpeppers: #30662 _(direct issue)_
- @jonathanpeppers: #32893 _(direct issue)_, #30662 _(direct issue)_
Comment thread README.md
- @mason-tim: #33084 _(direct issue)_, #33074 _(direct issue)_, #31489 _(direct issue)_, #30336 _(direct issue)_, #29301 _(direct issue)_, #21562 _(direct issue)_
- @MatthewLabasan-NBCU: #26289 _(direct issue)_
- @MattSkala: #24567 _(direct issue)_, #21203 _(direct issue)_
- @MattSkala: #24567 _(direct issue)_
Comment thread README.md
- @stefankrzyz: #27260 _(direct issue)_
- @straub: #24569 _(direct issue)_
- @strawgate: #33597 _(direct issue)_, #24422 _(direct issue)_, #24199 _(direct issue)_, #23935 _(direct issue)_, #23768 _(direct issue)_, #21157 _(direct issue)_
- @strawgate: #33597 _(direct issue)_, #24422 _(direct issue)_, #24199 _(direct issue)_, #23935 _(direct issue)_, #23768 _(direct issue)_
Comment thread README.md
- @tylersmalley: #35287 _(direct issue)_
- @verkyyi: #27407 _(direct issue)_, #27259 _(direct issue)_
- @veverkap: #22362 _(direct issue)_, #21260 _(direct issue)_, #21257 _(direct issue)_
- @veverkap: #22362 _(direct issue)_
Comment thread README.md

### ⚠️ Attribution Candidates Need Review

The following community issues were closed during this period but could not be automatically linked to a specific merged PR. Please verify whether they should be credited:
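Review bot: "during this period" in the intro sentence is not defined anywhere in the README text, while the candidates listed in the PR description were closed between May 16 and Jun 3, 2026. Put the explicit date range in the sentence so a reader can tell whether the list is current.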
@github-actions github-actions Bot mentioned this pull request Jun 9, 2026

@github-actions github-actions Bot left a comment

Skills-Based Review 🧠

Applied /grill-with-docs — documentation-only change, no blocking issues.

📋 Key Themes & Highlights

Key Themes

  • New section lifecycle: The added ⚠️ Attribution Candidates Need Review section needs a clear resolution strategy — will subsequent workflow runs replace it or accumulate new candidates? If replaced each run, README readers see stale data between runs; if accumulated, the section grows unbounded. A GitHub issue per batch (opened and closed by the workflow) or a dedicated wiki page would track this more durably than in-README prose.

  • Unexplained removals: Several entries are removed in this PR — entire contributor records (@alondahari, @johnwilliams-12) and individual issues (@MattSkala #21203, @strawgate #21157, @veverkap #21260/#21257) — with no explanation in the PR description. The automated triage criteria are described for additions/Tier 0-4, but not for de-attribution. A brief note (e.g., "issues no longer meeting stateReason=COMPLETED criteria") would help human reviewers validate the removals.

Positive Highlights

  • ✅ Transparent about ambiguous cases — surfacing Tier 4 candidates rather than silently dropping them is the right instinct.
  • ✅ Clear labeling with (direct issue) maintains consistent attribution format throughout.
  • ✅ PR description documents the full triage tier methodology (Tier 0–4), which is helpful context.

🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · 146.4 AIC · ⌖ 13.4 AIC

Comment thread README.md

</details>

### ⚠️ Attribution Candidates Need Review

[/grill-with-docs] The ### ⚠️ Attribution Candidates Need Review section introduces a persistent prompt for manual review directly in the public README. Two lifecycle questions worth clarifying:

💡 Lifecycle and placement considerations
  1. Replacement vs. accumulation: Will the next workflow run replace this section entirely (clean state), append new candidates, or leave resolved items in place? If items accumulate across runs without removal, the section will grow with stale data.

  2. Audience fit: The README is a public-facing document; no confirmed PR linkage found is an internal triage signal. A dedicated GitHub issue or a wiki page might be a more appropriate home — keeping the README focused on confirmed, resolved attributions and giving maintainers a trackable item to close once the review is done.

@github-actions github-actions Bot left a comment

REQUEST_CHANGES — one high-severity injection gap in the compiler's YAML output generation plus two medium security issues.

### Blocking issues (3)

[HIGH] Unescaped target-repo → YAML injection in generated workflow (compiler_safe_outputs_steps.go:221, also push_to_pull_request_branch.go:66, compiler_safe_outputs_steps.go:347): targetRepoSlug from user frontmatter is fmt.Sprintf'd directly into repository: %s without YAML quoting. A block-scalar value with embedded newlines lets a workflow author inject arbitrary keys into the actions/checkout with: block — overriding token:, ref:, or persist-credentials:. This is the same class of injection that patch-fix-heredoc-delimiter-injection and patch-escape-mcp-template-expressions address elsewhere in this PR; repository: was missed.

[MEDIUM] normalize_github_host does not strip newlines → GITHUB_ENV injection (configure_gh_for_ghe.sh:76 and :109): The host extracted from GITHUB_SERVER_URL / GITHUB_ENTERPRISE_HOST is written verbatim to $GITHUB_ENV. The normalizer strips the URL scheme and path but not \n or \r. A host string containing a literal newline would inject an extra variable into every subsequent step's environment.

[MEDIUM] CTR-015 wildcard check omits merge-pull-request.allowed-labels (safe_outputs_allowed_labels_validation.go:39): The validator covers four handlers but silently skips merge-pull-request.AllowedLabels, allowing allowed-labels: ["*"] on that handler to bypass the restriction.

### Non-blocking (1)

[LOW] Unreachable duplicate cleanup block (configure_gh_for_ghe.sh:81-87): identical condition to the preceding block; after unset GH_HOST in the first block the second can never execute. The dead block also writes GH_HOST= (empty) vs. GH_HOST=github.com in the first — an inconsistency if the code ever becomes reachable.

🔎 Code quality review by PR Code Quality Reviewer · 88.7 AIC · ⌖ 37.1 AIC
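
The class of issue the code quality comment above describes (a repository slug formatted into a generated `repository:` line without quoting) can be shown in a few lines. This is an added example, not code from the project or from the PR; `emitUnsafe`, `emitSafe`, `slugRe` and `keysUnderWith` are hypothetical names, and the sample slug is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// slugRe (hypothetical) accepts only owner/repo. In Go, `$` without the
// (?m) flag matches only at end of text, so a trailing newline is rejected.
var slugRe = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9-]*/[A-Za-z0-9._-]+$`)

// emitUnsafe shows the pattern under review: the value is interpolated
// into the YAML line with no validation and no quoting.
func emitUnsafe(slug string) string {
	return fmt.Sprintf("with:\n  repository: %s\n  persist-credentials: false\n", slug)
}

// emitSafe validates the slug first, then emits it as a double-quoted
// scalar. For the validated character set, %q output is valid YAML.
func emitSafe(slug string) (string, error) {
	if !slugRe.MatchString(slug) {
		return "", fmt.Errorf("invalid target-repo %q", slug)
	}
	return fmt.Sprintf("with:\n  repository: %q\n  persist-credentials: false\n", slug), nil
}

// keysUnderWith lists the mapping keys found at the two-space indent level,
// which is enough to see whether the emitted block gained a key.
func keysUnderWith(doc string) []string {
	var keys []string
	for _, line := range strings.Split(doc, "\n") {
		if strings.HasPrefix(line, "  ") && !strings.HasPrefix(line, "   ") {
			if i := strings.Index(line, ":"); i > 0 {
				keys = append(keys, strings.TrimSpace(line[:i]))
			}
		}
	}
	return keys
}

func main() {
	// Constructed input: a slug whose embedded newline carries an extra key.
	hostile := "octo/repo\n  ref: other-branch"
	fmt.Println(keysUnderWith(emitUnsafe(hostile))) // three keys instead of two
	_, err := emitSafe(hostile)
	fmt.Println(err)
	out, _ := emitSafe("octo/repo")
	fmt.Print(out)
}
```

Validating against an allow-list before emitting matters more than the quoting: it rejects the value outright instead of relying on every consumer to parse the quoted form the same way.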
