fix(bug-assess): set min-integrity: none to allow reading external user issues #3030

Merged: mnriem merged 12 commits into main from copilot/assess-bug-from-labeled-issue, Jun 17, 2026

Copilot AI commented Jun 17, 2026

The bug-assess workflow was failing with an integrity policy error when triggered on issues from external (non-collaborator) users. The automatic lockdown mechanism sets min-integrity: approved by default, but external user content is classified as unapproved, causing the GitHub MCP server to filter the issue body entirely — making bug assessment impossible for the exact issues this workflow exists to handle.

Changes

  • bug-assess.md: Added min-integrity: none under tools.github to explicitly allow the agent to read issue content from any user

    tools:
      github:
        toolsets: [issues, repos]
        min-integrity: none   # ← added

  • bug-assess.lock.yml: Recompiled — guard policy now emits "min-integrity": "none" statically instead of reading $GITHUB_MCP_GUARD_MIN_INTEGRITY at runtime

The setting is appropriate here: the workflow is purpose-built to read untrusted issue content, already carries explicit prompt-injection guardrails, and its only write outputs are one comment and up to two labels.
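
An added example, not part of this PR or of the gh-aw project: a review-time check that finds a workflow source setting min-integrity: none and confirms its GitHub toolsets stay inside an allow-list. The frontmatter delimiters, the allow-list and the function names are assumptions; the sample workflow text is constructed from the snippet above.

```python
import re

# Assumption: toolsets a reviewer accepts once unapproved content is readable.
ALLOWED_TOOLSETS = {"issues", "repos"}

def github_tool_settings(workflow_md: str) -> dict:
    """Extract the keys under tools.github from the YAML frontmatter
    (assumed to sit between the first two '---' markers)."""
    parts = workflow_md.split("---", 2)
    frontmatter = parts[1] if len(parts) == 3 else workflow_md
    settings, path = {}, []          # path is a stack of (indent, key)
    for raw in frontmatter.splitlines():
        line = raw.split(" #", 1)[0].rstrip()   # drop trailing comments
        m = re.match(r"^(\s*)([\w-]+):\s*(.*)$", line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        while path and path[-1][0] >= indent:
            path.pop()               # leave blocks that are not our parent
        path.append((indent, key))
        if [k for _, k in path[:-1]] == ["tools", "github"]:
            settings[key] = value
    raw_sets = settings.get("toolsets", "").strip("[]")
    settings["toolsets"] = {t.strip() for t in raw_sets.split(",") if t.strip()}
    return settings

def review_findings(workflow_md: str) -> list:
    """Return reviewer-facing findings for a workflow that lowers the guard."""
    s = github_tool_settings(workflow_md)
    findings = []
    if s.get("min-integrity") == "none":
        findings.append("min-integrity is none: agent reads unapproved content")
        extra = s["toolsets"] - ALLOWED_TOOLSETS
        if extra:
            findings.append("toolsets beyond allow-list: " + ", ".join(sorted(extra)))
    return findings

# Constructed sample mirroring the snippet in the PR description.
SAMPLE = """---
tools:
  github:
    toolsets: [issues, repos]
    min-integrity: none   # added
---
Assess the labeled issue.
"""

if __name__ == "__main__":
    print(review_findings(SAMPLE))
```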

Copilot AI changed the title from "[WIP] Update assessment process for bug from labeled issue" to "fix(bug-assess): set min-integrity: none to allow reading external user issues" Jun 17, 2026
Copilot AI requested a review from mnriem June 17, 2026 20:16
mnriem marked this pull request as ready for review June 17, 2026 20:20
Copilot AI left a comment

Pull request overview

This PR updates the bug-assess agentic workflow configuration to allow reading issue content from external (non-collaborator) users by lowering the GitHub MCP integrity threshold.

Changes:

  • Set tools.github.min-integrity: none in .github/workflows/bug-assess.md.
  • Recompiled the generated lock workflow .github/workflows/bug-assess.lock.yml to reflect the new MCP guard policy behavior and newer gh-aw compiler/runtime.
  • Adjusted Dependabot ignore entries and minor repo metadata/config files related to generated workflow handling.

File | Description
.github/workflows/bug-assess.md | Lowers GitHub MCP minimum integrity to allow reading unapproved external issue content.
.github/workflows/bug-assess.lock.yml | Regenerated compiled workflow reflecting new guard policy settings and updated gh-aw versions.
.github/dependabot.yml | Expands ignore patterns for gh-aw actions dependencies.
.github/aw/actions-lock.json | Removes a previously-locked gh-aw setup action entry.
.gitattributes | Adjusts attributes for generated *.lock.yml workflows.

Copilot's findings

  • Files reviewed: 5/5 changed files
  • Comments generated: 3

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

Copilot AI left a comment

Copilot's findings

  • Files reviewed: 5/5 changed files
  • Comments generated: 7

mnriem and others added 2 commits June 17, 2026 15:29

Copilot AI left a comment

Copilot's findings

  • Files reviewed: 4/4 changed files
  • Comments generated: 6

mnriem merged commit 9775c27 into main Jun 17, 2026
13 checks passed
mnriem deleted the copilot/assess-bug-from-labeled-issue branch June 17, 2026 21:26