A Secure Mobile Handoff Checklist for Copilot Conflict Resolution
GitHub announced on July 8, 2026 that GitHub Mobile can start a Copilot cloud-agent workflow to fix pull-request merge conflicts. Primary source: GitHub Changelog, July 8, 2026.
The unsafe mental model is βtap once and the conflict is solved.β A safer model is: mobile intent -> bounded remote task -> proposed patch -> verification -> human merge.
This is a source-based checklist, not a hands-on product assessment. Exact controls and permissions must come from current GitHub documentation.
Handoff Record
Record the handoff:
- repository:
"owner/project" - pull_request:
123 - base_branch:
"main" - expected_base_sha:
"<commit>" - expected_head_sha:
"<commit>" - allowed_scope:
"src/example/**""tests/example/**"
- forbidden_scope:
".github/workflows/**""deployment/**"
- required_checks:
"unit-tests"
- reviewer:
"<responsible human>" - expires_at:
"<UTC timestamp>"
This operator artifact is not a representation of the mobile UI. It preserves intent across interruptions, network changes, and the delay between delegation and review.
Before Handoff
Before handoff, confirm repository, pull request, branches, expected files, sensitive paths, required checks, and the person responsible for merge. Never place secrets, customer data, or private incident details in the instruction.
Bounded Instruction
A bounded instruction is better than βmake CI greenβ:
- Resolve conflicts between the recorded base and head revisions.
- Preserve documented behavior, limit changes to the listed paths, do not modify workflow or deployment configuration, and return a patch without merging.
Verification Checklist
Verify the returned revision:
- The result belongs to the expected repository and pull request.
- Base and head revisions still match the handoff.
- Every changed file is expected or explained.
- No conflict markers remain.
- No workflow, ownership, deployment, or policy file changed unexpectedly.
- Tests ran against the exact reviewed commit.
- Tests were not weakened or removed.
- A human can explain the semantic choice made for each conflict.
- The reviewed commit is the commit being merged.
Authority and Trust
Repository text is untrusted input to an agent. Comments, docs, and fixtures do not gain authority merely because they are in the repository. Authority should come from policy, authenticated bounded instruction, branch protection, and accountable review.
When to Escalate
Stop and move to a larger screen or domain expert when:
- The branch moved.
- Changed-file scope expanded.
- Sensitive files appeared.
- Checks ran against another revision.
- The diff is too large to understand on the available display.
Final Notes
A green check proves only what its test observed. Conflict resolution can choose between two valid-looking behaviors, so semantic review remains necessary.
Mobile is a useful place to initiate and monitor work. The security boundary should remain revision-bound evidence plus a human merge decision-not the convenience of the handoff button.
Comments
No comments yet. Start the discussion.