Skip to content

feat: add smoke tests for sink visibility (private-to-public-flows)#6148

Merged
lpcox merged 2 commits into
mainfrom
smoke-sink-visibility-tests
Jul 12, 2026
Merged

feat: add smoke tests for sink visibility (private-to-public-flows)#6148
lpcox merged 2 commits into
mainfrom
smoke-sink-visibility-tests

Conversation

@lpcox

@lpcox lpcox commented Jul 12, 2026

Copy link
Copy Markdown
Collaborator

Summary

Adds two smoke test workflow .md files to validate the MCP Gateway private-to-public-flows frontmatter implemented in github/gh-aw#45113.

Workflows

smoke-sink-visibility-blocked.md

Tests that default sink-visibility enforcement blocks reads from private repo github/agentic-workflows when private-to-public-flows is NOT set. Both access methods should be denied:

  • gh CLI (mcpg proxy mode) — gh repo view github/agentic-workflows
  • GitHub MCP tools (mcpg gateway mode) — get_file_contents

smoke-sink-visibility-allowed.md

Tests that private-to-public-flows: allow correctly disables enforcement, permitting reads from the private repo. Both access methods should succeed:

  • gh CLI (mcpg proxy mode)
  • GitHub MCP tools (mcpg gateway mode)

Details

  • Both workflows use GH_AW_CROSS_REPO_PAT for authentication via tools.github.github-token
  • All access to github/agentic-workflows is read-only
  • Only .md files — compilation deferred to a follow-up step
  • strict: false since private-to-public-flows: allow is incompatible with strict mode

Related

Add two workflow .md files to smoke-test the MCP Gateway
private-to-public-flows frontmatter from gh-aw#45113:

- smoke-sink-visibility-blocked.md: Verifies that the default
  sink-visibility enforcement blocks reads from private repo
  github/agentic-workflows when private-to-public-flows is not set.

- smoke-sink-visibility-allowed.md: Verifies that
  private-to-public-flows: allow correctly disables enforcement,
  permitting reads from the private repo.

Both workflows test gh CLI (mcpg proxy mode) and GitHub MCP tools
(mcpg gateway mode) with GH_AW_CROSS_REPO_PAT for authentication.
All access is read-only.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 12, 2026 19:13

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds smoke workflows for MCP Gateway private-to-public repository visibility controls.

Changes:

  • Tests default blocking for private-repository reads.
  • Tests the private-to-public-flows: allow opt-out.
  • Covers both GitHub CLI proxy mode and MCP gateway mode.
Show a summary per file
File Description
.github/workflows/smoke-sink-visibility-blocked.md Adds default-enforcement smoke coverage.
.github/workflows/smoke-sink-visibility-allowed.md Adds opt-out smoke coverage.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 2/2 changed files
  • Comments generated: 2
  • Review effort level: Medium

enabled: false
sandbox:
mcp:
version: v0.3.32
enabled: false
sandbox:
mcp:
version: v0.3.32
@lpcox

lpcox commented Jul 12, 2026

Copy link
Copy Markdown
Collaborator Author

@copilot address the review feedback but remove the mcp gateway version. rely on the compiler default

Copilot AI commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

@copilot address the review feedback but remove the mcp gateway version. rely on the compiler default

Removed the sandbox: mcp: version pin from both workflow files in 6e32e97. Both will now use whatever MCP Gateway version the compiler injects by default.

Copilot finished work on behalf of lpcox July 12, 2026 19:21
@lpcox lpcox merged commit 28fc3af into main Jul 12, 2026
@lpcox lpcox deleted the smoke-sink-visibility-tests branch July 12, 2026 19:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants