Disable lockdown mode for weekly blog post generator #21598
Merged
The workflow was failing because `lockdown: true` was set but no custom GitHub token (`GH_AW_GITHUB_TOKEN`) was configured as a repository secret. Changed to `lockdown: false` and recompiled the lock file.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot (AI) changed the title from "[WIP] Disable lockdown mode for weekly blog post generator" to "Disable lockdown mode for weekly blog post generator" on Mar 18, 2026.
…integrity=approved Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Pull request overview
Disables GitHub MCP Server lockdown mode for the weekly blog post generator workflow to prevent startup failures when custom GitHub tokens are not configured, while adding an explicit guard policy to scope GitHub access.
Changes:
- Updated the workflow frontmatter to set `tools.github.lockdown: false` and added a scoped guard policy (`repos: [github/gh-aw]`, `min-integrity: approved`).
- Recompiled the lock workflow to remove explicit lockdown/token env wiring and to apply derived write-sink guard policies scoped to `github/gh-aw`.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/weekly-blog-post-writer.md | Disables lockdown and adds scoped GitHub guard policy for the workflow’s GitHub tools usage. |
| .github/workflows/weekly-blog-post-writer.lock.yml | Regenerates compiled workflow to reflect the new non-lockdown GitHub config and derived guard policies. |
| lockdown: false | ||
| repos: | ||
| - github/gh-aw | ||
| min-integrity: approved |
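Review bot: `lockdown: false` fixes the startup failure by switching off a control rather than supplying the token that control needs (the description names `GH_AW_GITHUB_TOKEN` / `GH_AW_GITHUB_MCP_SERVER_TOKEN` as the actual prerequisite); add a frontmatter comment above `lockdown: false` stating why it is off and that it should go back to `true` once a token secret exists, so the downgrade is not read as permanent. The `repos: [github/gh-aw]` plus `min-integrity: approved` guard is the compensating control here; keep the list at the single repository the workflow reads and do not widen it when other workflows copy this frontmatter.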
| "allow-only": { | ||
| "min-integrity": "$GITHUB_MCP_GUARD_MIN_INTEGRITY", | ||
| "repos": "$GITHUB_MCP_GUARD_REPOS" | ||
| "min-integrity": "approved", |
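Review bot: `"repos": "$GITHUB_MCP_GUARD_REPOS"` is a string placeholder in the compiled MCP config while the frontmatter declares `repos` as a list (`- github/gh-aw`); confirm the job that renders this config exports both `GITHUB_MCP_GUARD_REPOS` and `GITHUB_MCP_GUARD_MIN_INTEGRITY` and that an unset variable fails the step instead of leaving a literal `$...` or empty value the guard would silently ignore. The literal `"min-integrity": "approved",` line shows the expected resolved form; a golden or lock-file test asserting both keys resolve would catch a future recompile that drops the env wiring.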
lpcox added a commit that referenced this pull request on Mar 18, 2026:

* docs: add GH_HOST and RUNNER_TEMP to glossary (daily scan 2026-03-18) (#21553)
* docs: update GHES CLI docs and add Copilot GHES troubleshooting guide (#21528)
* Fix list height not updating on terminal resize (#21555)
* fix(daily-workflow-updater): unblock PR creation by setting protected-files: allowed (#21554)
* chore: bump MCP Gateway v0.1.15→v0.1.17 (#21552)
* feat: custom Huh theme mapped from pkg/styles Dracula palette (#21557)
* Add top-level `github-app` frontmatter as universal fallback for token minting (#21510)
* feat: add GitHub App-only permissions support (#21511)
* fix: fall back to existing remote tracking ref when incremental patch fetch fails (#21568)
* Add weekly blog post writer agentic workflow (#21575)
* ci: add timeout-minutes to all 25 jobs lacking explicit limits (#21601)
* fix: add setupGlobals in generate_aw_info step to fix staged mode ReferenceError (#21602)
* Disable lockdown mode for weekly blog post generator (#21598)
* fix: replace git push with GraphQL signed commits to satisfy required_signatures rulesets (#21576)
* docs: add weekly update blog post for 2026-03-18 (#21608)
  Covers v0.58.0 through v0.61.0 (7 releases this week), notable PRs, and auto-triage-issues as Agent of the Week.
  Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
  Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Fix failing CI: merge main to include setupGlobals in generate_aw_info step and update golden files
  Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
lpcox added a commit that referenced this pull request on Mar 18, 2026:

…ains on data residency (#21527)

* Initial plan
* Fix threat detection AWF run missing --copilot-api-target and GHE domains on data residency
  When engine.api-target is configured for GHE Cloud with data residency, propagate the APITarget from the main engine config to the detection engine config so the threat detection AWF invocation receives the same --copilot-api-target flag and GHE-specific domains in --allow-domains.
  Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
* Potential fix for pull request finding
  Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Add GITHUB_COPILOT_BASE_URL env var support and fix integration test api-target
  - Fix TestAPITargetDomainsInThreatDetectionStep to use api.contoso-aw.ghe.com (copilot-api. prefix does not trigger base-domain derivation in GetAPITargetDomains)
  - Add GetCopilotAPITarget() helper: resolves --copilot-api-target from engine.api-target (explicit) or GITHUB_COPILOT_BASE_URL in engine.env (fallback), mirroring the OPENAI_BASE_URL/ANTHROPIC_BASE_URL pattern for Codex/Claude
  - Update awf_helpers.go, copilot_engine_execution.go, and domains.go to use the helper
  - Add unit tests for GetCopilotAPITarget and engine execution step
  - Add integration test TestGitHubCopilotBaseURLInCompiledWorkflow
  - Update engines.md docs to document GITHUB_COPILOT_BASE_URL
  Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
* Update DefaultMCPGatewayVersion to v0.1.17 and regenerate golden/lock files (#21609)
  Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
  Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
* fix: merge main to resolve failing build-wasm and test CI jobs (#21612)
  * docs: add GH_HOST and RUNNER_TEMP to glossary (daily scan 2026-03-18) (#21553)
  * docs: update GHES CLI docs and add Copilot GHES troubleshooting guide (#21528)
  * Fix list height not updating on terminal resize (#21555)
  * fix(daily-workflow-updater): unblock PR creation by setting protected-files: allowed (#21554)
  * chore: bump MCP Gateway v0.1.15→v0.1.17 (#21552)
  * feat: custom Huh theme mapped from pkg/styles Dracula palette (#21557)
  * Add top-level `github-app` frontmatter as universal fallback for token minting (#21510)
  * feat: add GitHub App-only permissions support (#21511)
  * fix: fall back to existing remote tracking ref when incremental patch fetch fails (#21568)
  * Add weekly blog post writer agentic workflow (#21575)
  * ci: add timeout-minutes to all 25 jobs lacking explicit limits (#21601)
  * fix: add setupGlobals in generate_aw_info step to fix staged mode ReferenceError (#21602)
  * Disable lockdown mode for weekly blog post generator (#21598)
  * fix: replace git push with GraphQL signed commits to satisfy required_signatures rulesets (#21576)
  * docs: add weekly update blog post for 2026-03-18 (#21608)
    Covers v0.58.0 through v0.61.0 (7 releases this week), notable PRs, and auto-triage-issues as Agent of the Week.
    Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
  * Fix failing CI: merge main to include setupGlobals in generate_aw_info step and update golden files
    Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
  ---------
  Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
  Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
  Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
  Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
  Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Co-authored-by: Landon Cox <landon.cox@microsoft.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The `weekly-blog-post-writer` workflow was failing at startup because `lockdown: true` requires a custom GitHub token (`GH_AW_GITHUB_TOKEN` or `GH_AW_GITHUB_MCP_SERVER_TOKEN`), neither of which is configured in the repository.

Changes:
- `weekly-blog-post-writer.md`: Changed `lockdown: true` → `lockdown: false` in the GitHub tools config. Added a guard policy restricting access to `github/gh-aw` with `min-integrity: approved`. This workflow only reads public repository data (releases, PRs) and writes via `safe-outputs: create-pull-request`, so lockdown protection is unnecessary.
- `weekly-blog-post-writer.lock.yml`: Recompiled — `GITHUB_MCP_LOCKDOWN_EXPLICIT` env var removed from the activation job, guard policy (`allow-only: { min-integrity: approved, repos: [github/gh-aw] }`) added to the MCP configuration.
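A lint for the two states the PR body describes (lockdown on without a token secret, lockdown off without a scoped guard, plus the compiled form whose guard placeholders never resolved), written as an added example rather than gh-aw code. The flat `tools.github` dict, the `allow-only` key under it and the sample configs are assumptions constructed to mirror the frontmatter and lock-file fragments above.

```python
"""Lint a gh-aw workflow's `tools.github` block for the two states this PR describes.
Added example, not gh-aw code: the flat dict schema and the `allow-only` key are assumptions."""

# Secrets the PR description names as the custom token that lockdown mode requires.
LOCKDOWN_TOKEN_SECRETS = ("GH_AW_GITHUB_TOKEN", "GH_AW_GITHUB_MCP_SERVER_TOKEN")


def _unresolved(value) -> bool:
    # A value still in env-placeholder form, e.g. "$GITHUB_MCP_GUARD_REPOS".
    return isinstance(value, str) and value.startswith("$")


def lint_github_tool(github: dict, secrets: set) -> list:
    """Return findings for one workflow's `tools.github` block; an empty list is a pass."""
    findings = []
    if github.get("lockdown", False):
        # lockdown: true with no custom token is the startup failure the PR fixed.
        if not any(s in secrets for s in LOCKDOWN_TOKEN_SECRETS):
            findings.append("lockdown: true but none of %s is configured; the MCP server "
                            "will fail at startup" % "/".join(LOCKDOWN_TOKEN_SECRETS))
        return findings
    # lockdown: false needs a compensating, scoped allow-only guard.
    guard = github.get("allow-only")
    if not isinstance(guard, dict):
        findings.append("lockdown: false without an allow-only guard policy")
        return findings
    repos = guard.get("repos")
    if _unresolved(repos):
        findings.append("guard repos is an unresolved placeholder: %s" % repos)
    elif not isinstance(repos, list) or not repos:
        findings.append("guard policy has no repos list")
    else:
        for repo in repos:  # this example's own rule: one explicit owner/repo, no wildcards
            owner, _, name = str(repo).partition("/")
            if not owner or not name or "*" in str(repo):
                findings.append("guard repos entry is not a single owner/repo: %r" % repo)
    integrity = guard.get("min-integrity")
    if _unresolved(integrity):
        findings.append("guard min-integrity is an unresolved placeholder: %s" % integrity)
    elif integrity is None:
        findings.append("guard policy has no min-integrity")
    return findings


# Constructed samples: before the PR, after it, and a compiled form whose
# $GITHUB_MCP_GUARD_* placeholders were never substituted.
BEFORE = {"lockdown": True}
AFTER = {"lockdown": False, "allow-only": {"repos": ["github/gh-aw"], "min-integrity": "approved"}}
UNRESOLVED = {"lockdown": False, "allow-only": {"repos": "$GITHUB_MCP_GUARD_REPOS",
                                               "min-integrity": "$GITHUB_MCP_GUARD_MIN_INTEGRITY"}}
```

Running `lint_github_tool(BEFORE, set())` reproduces the failure the PR hit, `lint_github_tool(AFTER, set())` passes, and the unresolved sample yields two findings.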