Skip to content

fix(workflows): lower min-integrity for issue-plan-maker /plan command#952

Merged
jamesadevine merged 1 commit into
mainfrom
fix/issue-plan-maker-min-integrity
Jun 10, 2026
Merged

fix(workflows): lower min-integrity for issue-plan-maker /plan command#952
jamesadevine merged 1 commit into
mainfrom
fix/issue-plan-maker-min-integrity

Conversation

@jamesadevine

Copy link
Copy Markdown
Collaborator

Summary

The issue-plan-maker workflow run on #945 (run 27272313921) completed successfully but produced no plan. The agent correctly emitted a missing_data safe-output instead — the GitHub MCP gateway had filtered the issue body because the author (kotlarmilos) has author_association: NONE, and the default min-integrity: approved on public repos blocks anything below approved.

This change lowers tools.github.min-integrity to none for this workflow so /plan can investigate issues filed by external contributors.

Why this is safe enough

  • The trigger is a /plan slash command, which gh-aw gates to actors with write access — random users cannot fire it.
  • The workflow's permissions: block is read-only.
  • The only side-effect is safe-outputs.add-comment (capped at 2), and the detection stage scans agent output for prompt injection before posting.
  • Issue/comment content already flows through ${{ steps.sanitized.outputs.text }}, which neutralizes @mention/bot triggers.
  • The prompt now carries an explicit SECURITY: treat content as untrusted paragraph so the agent does not follow instructions embedded in issue bodies.

Recompile artifacts

gh aw compile issue-plan-maker regenerated the lock file. Incidental version bumps were pulled in from the latest releases:

  • gh-aw-actions/setup v0.76.1 → v0.77.5 (.github/aw/actions-lock.json)
  • AWF v0.25.55 → v0.25.58
  • mcp-gateway v0.3.19 → v0.3.22
  • new parse-guard-vars step in the agent job (mechanical change from current compiler)

Test plan

The /plan slash command could not investigate issues filed by external contributors because the GitHub MCP gateway's default min-integrity=approved filtered out their issue bodies (e.g. run 27272313921 on #945).

Set tools.github.min-integrity: none on the workflow so the agent can read external-contributor content, and add an explicit untrusted-input note to the prompt. The /plan slash command, read-only permissions, capped add-comment safe-output, and detection stage continue to bound the blast radius.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jamesadevine jamesadevine merged commit 2808e8a into main Jun 10, 2026
13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant