fix(workflows): lower min-integrity for issue-plan-maker /plan command#952
Merged
Conversation
The /plan slash command could not investigate issues filed by external contributors because the GitHub MCP gateway's default min-integrity=approved filtered out their issue bodies (e.g. run 27272313921 on #945). Set tools.github.min-integrity: none on the workflow so the agent can read external-contributor content, and add an explicit untrusted-input note to the prompt. The /plan slash command, read-only permissions, capped add-comment safe-output, and detection stage continue to bound the blast radius. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The
issue-plan-makerworkflow run on #945 (run 27272313921) completed successfully but produced no plan. The agent correctly emitted amissing_datasafe-output instead — the GitHub MCP gateway had filtered the issue body because the author (kotlarmilos) hasauthor_association: NONE, and the defaultmin-integrity: approvedon public repos blocks anything belowapproved.This change lowers
tools.github.min-integritytononefor this workflow so/plancan investigate issues filed by external contributors.Why this is safe enough
/planslash command, which gh-aw gates to actors with write access — random users cannot fire it.permissions:block is read-only.safe-outputs.add-comment(capped at 2), and the detection stage scans agent output for prompt injection before posting.${{ steps.sanitized.outputs.text }}, which neutralizes@mention/bot triggers.Recompile artifacts
gh aw compile issue-plan-makerregenerated the lock file. Incidental version bumps were pulled in from the latest releases:gh-aw-actions/setupv0.76.1 → v0.77.5 (.github/aw/actions-lock.json)parse-guard-varsstep in the agent job (mechanical change from current compiler)Test plan
gh aw compile issue-plan-maker— succeeds with 0 errors / 0 warnings."min-integrity": "none"and"repos": "all"inguard-policies.allow-only, replacing the previous dynamicdetermine-automatic-lockdownlookup./planon Custom MCP container env passthrough never reaches the server (step env mapping missing) #945 (or any external-contributor issue) will exercise the new policy.