Issue Triage: process issues from all authors (external + read-only members)#741
Open
JanKrivanek wants to merge 1 commit into
Open
Issue Triage: process issues from all authors (external + read-only members)#741JanKrivanek wants to merge 1 commit into
JanKrivanek wants to merge 1 commit into
Conversation
Lower the GitHub MCP integrity filter (min-integrity: none, allowed-repos: public) so the triage agent can read issue bodies/comments from external contributors and read-only org members instead of getting a [Filtered] placeholder. Harden the now-less-filtered path: disable issue-body edits on update-issue (body: false) and add an Untrusted content prompt section. Recompiled lock file.
Contributor
There was a problem hiding this comment.
Pull request overview
Updates the Issue Triage agentic workflow configuration so it can reliably read and triage issues authored by external contributors and read-only org members, while reducing mutation surface area.
Changes:
- Relax GitHub MCP integrity filtering for this workflow (
min-integrity: none,allowed-repos: public) so issue bodies/comments aren’t returned as[Filtered]. - Disable issue body edits via safe-outputs (
update-issuebody updates disallowed). - Add explicit “Untrusted content” prompt rules to harden against prompt-injection from issue content.
Show a summary per file
| File | Description |
|---|---|
.github/workflows/issue-triage.md |
Adjusts GitHub MCP guard settings, tightens safe-outputs to prevent body edits, and adds untrusted-content prompt rules. |
.github/workflows/issue-triage.lock.yml |
Recompiled workflow lock output reflecting the updated MCP guard and safe-outputs configuration. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 2/2 changed files
- Comments generated: 2
Comment on lines
+90
to
+92
| # Scope the github MCP guard to public repos only — this workflow only | ||
| # ever inspects this repo (which is public). | ||
| allowed-repos: public |
Comment on lines
422
to
+423
| - name: Download container images | ||
| run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.20 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.20 ghcr.io/github/gh-aw-firewall/squid:0.25.20 ghcr.io/github/gh-aw-mcpg:v0.2.19 ghcr.io/github/github-mcp-server:v0.32.0@sha256:2763823c63bcca718ce53850a1d7fcf2f501ec84028394f1b63ce7e9f4f9be28 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f | ||
| run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.20 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.20 ghcr.io/github/gh-aw-firewall/squid:0.25.20 ghcr.io/github/gh-aw-mcpg:v0.2.19 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine |
ViktorHofer
approved these changes
Jun 9, 2026
Contributor
|
👋 @JanKrivanek — this PR has 2 unresolved review thread(s),merge conflict. When you're ready, please address the feedback and push an update; the triage bot will pick up the next state automatically. (Add the |
Evangelink
approved these changes
Jun 10, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
The Issue Triage agentic workflow couldn't actually triage issues from two populations:
min-integrity: approved) returned a[Filtered]placeholder instead of the issue body/comments, so the agent fell back toneeds-manual-assignment.roles: all(Issues triage workflow should trigger for issues from any user #714); this PR addresses the remaining content-filtering issue, which also affected them once activated.Change
In
.github/workflows/issue-triage.md(and recompiled.lock.yml):min-integrity: none+allowed-repos: publicundertools.github— lets the triage agent read issue content from any author (external or member), since triage is a read-and-label task on a public repo.update-issue: body: false— triage only sets assignees + echoes the unchanged title; disabling body edits removes that mutation vector entirely.pr-malicious-scan.Defense-in-depth is unchanged: the agent holds no write token, and
safe-outputsstill caps every mutation (≤5 labels, ≤2 assignee-only updates, 1 comment).Testing
Dispatched the branch workflow against both investigation issues:
issue_readbodyNONE(external)[Filtered])noop(already Triaged)MEMBER(read-only)noop(already Triaged)Both now read the actual issue body instead of
[Filtered], confirming the fix. (The #732 run shows afailureconclusion from a transient AI-model server error after the agent completed its work — unrelated to this change.)gh aw compile issue-triage --strict→ 0 errors / 0 warnings.