jbaruch/coding-policy

General-purpose coding policy for Baruch's AI agents

skills/release/GH_AW_DETAILS.md

gh-aw Reviewer Mechanics

Reference for Step 4 of the release skill — the internals of how the paired policy review workflows are wired. Pulled out of SKILL.md so the main flow stays focused on what the operator does.

Trigger

Opening a PR, or pushing further commits to an existing PR, fires two paired GitHub Actions workflows on the pull_request event (a plain git push to a non-PR branch does NOT fire them):

  • .github/workflows/review-openai.lock.yml — Codex (the engine; the exact model is declared as engine.model in the workflow source .github/workflows/review-openai.md so model bumps live in one place)
  • .github/workflows/review-anthropic.lock.yml — Claude Code (the engine; the exact model is declared as engine.model in the workflow source .github/workflows/review-anthropic.md so model bumps live in one place)

Both run on every opened, synchronize, reopened, and edited event. Each lock file is compiled from its .md gh-aw source via gh aw compile — the lock is what GitHub Actions executes; the .md is what humans edit.

Self-gating

Each reviewer self-gates on the PR's Author-Model: declaration per rules/author-model-declaration.md:

  • The same-family reviewer posts a one-line Skipping: self-review-bias — author-family <family> COMMENT and exits without reading the diff.
  • The cross-family reviewer reads the in-tree rules/*.md from the PR head and checks the diff against them.

When the declaration spans both paired families or neither paired family, both run as the documented fallback (see rules/author-model-declaration.md for the full table).
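
An added sketch of the gate described above, not the project's own code. The Author-Model: line format, the model-name prefixes and the sample PR bodies are assumptions constructed for illustration; the authoritative table is rules/author-model-declaration.md. It shows that a missing, unknown or dual-family declaration falls back to both reviewers, so the gate never leaves a PR with no reviewer.

```python
import re

# The two paired reviewer families, taken from the workflow file names on this page.
PAIRED = ("anthropic", "openai")

# Hypothetical prefix-to-family map; the real mapping is defined by
# rules/author-model-declaration.md, which this page does not reproduce.
FAMILY_PREFIXES = {"claude": "anthropic", "gpt": "openai", "codex": "openai"}

# Assumed declaration format: one or more "Author-Model: <model>[, <model>]" lines.
DECLARATION = re.compile(r"^Author-Model:[ \t]*(.+?)[ \t]*$", re.MULTILINE | re.IGNORECASE)


def declared_families(pr_body):
    """Return the set of paired families named by the PR's declaration lines."""
    families = set()
    for value in DECLARATION.findall(pr_body):
        # Splitting on whitespace also discards a trailing \r from CRLF bodies.
        for model in re.split(r"[,\s]+", value.lower()):
            for prefix, family in FAMILY_PREFIXES.items():
                if model.startswith(prefix):
                    families.add(family)
    return families & set(PAIRED)


def gate(reviewer_family, pr_body):
    """Decide 'skip' or 'review' for one reviewer workflow."""
    authors = declared_families(pr_body)
    if len(authors) != 1:
        # Both families or neither (including no declaration at all):
        # documented fallback, both reviewers run.
        return "review"
    return "skip" if reviewer_family in authors else "review"


def plan(pr_body):
    """Decision for both paired reviewers; at least one is always 'review'."""
    return {family: gate(family, pr_body) for family in PAIRED}


if __name__ == "__main__":
    # Constructed sample PR bodies (model names are placeholders).
    for body in ("Fix typo\r\n\r\nAuthor-Model: claude-example-1\r\n",
                 "Author-Model: gpt-example-1, claude-example-1",
                 "No declaration here"):
        print(plan(body))
```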

Authorship of submitted reviews

Reviews are submitted by github-actions[bot]. Both submit_pull_request_review events and any create_pull_request_review_comment inline comments are attributed to the bot, not to the engine that ran the review. The engine identity (claude / codex) shows up in the review body's footer (Generated by [PR Policy Review (Anthropic)] for issue #N), not in the review author.

Copilot — second reviewer with a different lens

The skill keeps Copilot as a deliberate second reviewer alongside gh-aw, not as a temporary trial. They have complementary lenses: gh-aw enforces rules/*.md compliance (its prompt loads each rule file and checks the diff against it), while Copilot reads for doc accuracy, cross-step consistency, and ambiguity that no rule file specifically targets. PRs through this skill regularly see Copilot catch issues gh-aw misses (outdated model IDs in docs, unpinned install commands that would land below floor, contradictions between adjacent steps, vacuous-pass loopholes in gates) and vice-versa (rules-specific format violations Copilot doesn't track).

The operator requests Copilot via skills/release/request-copilot-review.sh. The script uses the GraphQL requestReviews mutation (REST drops bot reviewers silently — that's the failure mode the script exists to avoid), keeps a pinned bot ID BOT_kgDOCnlnWA for the hot path, and falls back to discovering the bot ID from recent reviews when the pin goes stale. It verifies Copilot landed in requested_reviewers before exiting. Exits non-zero on failure; emits a JSON summary on success. Both Copilot and gh-aw reviews gate the merge per Step 7.
