
Harden reviewer eligibility for auto-assigned PR reviews #2874

Draft
neubig wants to merge 1 commit into main from fix/review-assignment-eligibility

@neubig neubig commented Apr 18, 2026

  • A human has tested these changes.

Why

The assign-reviews workflow relies on a generic agent prompt for reviewer selection. In PR #2842, that flow assigned a reviewer on a Dependabot PR even though the reviewer does not appear to have commit history in this repo, which suggests the prompt allowed the agent to fall back to any maintainer/collaborator with write access.

Summary

  • require auto-assigned reviewers to be backed by git blame and recent commit history in the repo and touched files
  • make bot-authored PRs (for example Dependabot) opt for a no-assignment fallback instead of guessing a maintainer
  • mirror the same guidance in the GitHub workflow example and record the constraint in AGENTS.md

Issue Number

N/A — follow-up to #2842 (comment)

How to Test

I validated that both edited workflow files still parse as YAML:

uv run python - <<'PY'
import yaml
for path in [
    '.github/workflows/assign-reviews.yml',
    'examples/03_github_workflows/01_basic_action/assign-reviews.yml',
]:
    with open(path) as f:
        yaml.safe_load(f)
    print('Parsed:', path)
PY

I did not run the workflow end-to-end locally because the behavior depends on live GitHub state plus the hosted agent/task runner.

Video/Screenshots

N/A

Type

  • Bug fix
  • Feature
  • Refactor
  • Breaking change
  • Docs / chore

Notes

This keeps the existing prompt-driven workflow but makes the reviewer eligibility checks much more explicit and API-verifiable, which should reduce the chance of assigning arbitrary maintainers on bot-authored dependency PRs.

This PR was created by an AI assistant (OpenHands) on behalf of the user.


Agent Server images for this PR

GHCR package: https://github.com/OpenHands/agent-sdk/pkgs/container/agent-server

Variants & Base Images

| Variant | Architectures | Base Image | Docs / Tags |
|---------|---------------|------------|-------------|
| java | amd64, arm64 | eclipse-temurin:17-jdk | Link |
| python | amd64, arm64 | nikolaik/python-nodejs:python3.13-nodejs22-slim | Link |
| golang | amd64, arm64 | golang:1.21-bookworm | Link |

Pull (multi-arch manifest)

# Each variant is a multi-arch manifest supporting both amd64 and arm64
docker pull ghcr.io/openhands/agent-server:63dba31-python

Run

docker run -it --rm \
  -p 8000:8000 \
  --name agent-server-63dba31-python \
  ghcr.io/openhands/agent-server:63dba31-python

All tags pushed for this build

ghcr.io/openhands/agent-server:63dba31-golang-amd64
ghcr.io/openhands/agent-server:63dba31-golang_tag_1.21-bookworm-amd64
ghcr.io/openhands/agent-server:63dba31-golang-arm64
ghcr.io/openhands/agent-server:63dba31-golang_tag_1.21-bookworm-arm64
ghcr.io/openhands/agent-server:63dba31-java-amd64
ghcr.io/openhands/agent-server:63dba31-eclipse-temurin_tag_17-jdk-amd64
ghcr.io/openhands/agent-server:63dba31-java-arm64
ghcr.io/openhands/agent-server:63dba31-eclipse-temurin_tag_17-jdk-arm64
ghcr.io/openhands/agent-server:63dba31-python-amd64
ghcr.io/openhands/agent-server:63dba31-nikolaik_s_python-nodejs_tag_python3.13-nodejs22-slim-amd64
ghcr.io/openhands/agent-server:63dba31-python-arm64
ghcr.io/openhands/agent-server:63dba31-nikolaik_s_python-nodejs_tag_python3.13-nodejs22-slim-arm64
ghcr.io/openhands/agent-server:63dba31-golang
ghcr.io/openhands/agent-server:63dba31-java
ghcr.io/openhands/agent-server:63dba31-python

About Multi-Architecture Support

  • Each variant tag (e.g., 63dba31-python) is a multi-arch manifest supporting both amd64 and arm64
  • Docker automatically pulls the correct architecture for your platform
  • Individual architecture tags (e.g., 63dba31-python-amd64) are also available if needed

Co-authored-by: openhands <openhands@all-hands.dev>
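
An added example (not code from this PR or the OpenHands repository): a deterministic gate that checks an agent's proposed reviewer against commit evidence before any assignment call, covering the touched-files requirement and the bot-author fallback from the Summary. The commit records, logins, the 180-day recency window and all function names are constructed assumptions; blame evidence is modeled as commit records on the touched files.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: (author login, ISO commit date, files touched).
SAMPLE_NOW = datetime(2026, 4, 18, tzinfo=timezone.utc)
SAMPLE_COMMITS = [
    ("alice", "2026-04-02T10:00:00+00:00", ["sdk/agent.py", "sdk/llm.py"]),
    ("bob", "2024-01-15T09:00:00+00:00", ["sdk/agent.py"]),      # stale
    ("carol", "2026-03-20T12:00:00+00:00", ["docs/index.md"]),   # unrelated file
    ("dependabot[bot]", "2026-04-10T08:00:00+00:00", ["uv.lock"]),
]

def is_bot(login, user_type="User"):
    """Bot accounts: GitHub user type 'Bot' or a '[bot]' login suffix."""
    return user_type == "Bot" or login.endswith("[bot]")

def eligible_reviewers(pr_author, pr_author_type, touched_files, commits,
                       now, max_age_days=180):
    """Return logins with recent commits to the PR's touched files, ranked by
    commit count. An empty list means: assign nobody."""
    if is_bot(pr_author, pr_author_type):
        return []  # no-assignment fallback for bot-authored PRs
    cutoff = now - timedelta(days=max_age_days)  # assumed meaning of "recent"
    touched = set(touched_files)
    score = {}
    for login, when, files in commits:
        if is_bot(login) or login == pr_author:
            continue  # bots and the PR author are never reviewers
        if datetime.fromisoformat(when) < cutoff:
            continue  # history too old to count as evidence
        if touched.isdisjoint(files):
            continue  # commit did not touch any file in this PR
        score[login] = score.get(login, 0) + 1
    return sorted(score, key=lambda name: (-score[name], name))

def gate_assignment(proposed, **evidence):
    """Accept the agent's proposed reviewer only if the evidence supports it."""
    return proposed if proposed in eligible_reviewers(**evidence) else None
```

Running the gate outside the prompt means a proposal with no supporting history is dropped even if the agent ignores its instructions.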
@github-actions

Python API breakage checks — ✅ PASSED

Result: PASSED

Action log

@github-actions

REST API breakage checks (OpenAPI) — ✅ PASSED

Result: PASSED

Action log
