
Remove experimental warning for tools.github guard policy (repos/min-integrity) #21717

Merged: pelikhan merged 3 commits into main from copilot/remove-experimental-guard-policy on Mar 19, 2026


Copilot AI commented Mar 19, 2026

The tools.github guard policy (repos/min-integrity) is already active for public repos, making the "experimental feature" warning misleading and noisy — especially for the common min-integrity: none suppression pattern.

Changes

  • pkg/workflow/compiler.go — Remove the block that emitted ⚠ Using experimental feature: tools.github guard policy (repos/min-integrity) during compilation
  • pkg/workflow/guard_policy_experimental_warning_test.go — Flip integration test from asserting the warning is present to asserting it is absent; add GetWarningCount() == 0 assertion
  • docs/reference/github-tools.md — Remove :::caution[Experimental Feature] callout from the Guard Policies section
  • docs/reference/glossary.md — Remove "experimental" qualifier and the compilation-warning note from the Guard Policy entry

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:


If you need me to access, download, or install something from one of these locations, you can either:



…/min-integrity)

Co-authored-by: dsyme <7204669+dsyme@users.noreply.github.com>
Copilot AI changed the title [WIP] Remove warning for experimental feature in guard policy Remove experimental warning for tools.github guard policy (repos/min-integrity) Mar 19, 2026
Copilot AI requested a review from dsyme March 19, 2026 03:17
@pelikhan pelikhan marked this pull request as ready for review March 19, 2026 03:25
Copilot AI review requested due to automatic review settings March 19, 2026 03:25
@pelikhan
Copilot AI left a comment


Pull request overview

Removes the compile-time “experimental feature” warning for the tools.github guard policy (repos / min-integrity), since the policy is already active and the warning is now noisy/misleading.

Changes:

  • Removed emission of the experimental-warning message (and its warning-count increment) during workflow validation/compilation.
  • Updated the integration test to assert the experimental warning is absent.
  • Updated docs to remove “experimental” callouts/wording for guard policies.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| pkg/workflow/compiler.go | Deletes the guard-policy experimental warning block during validation. |
| pkg/workflow/guard_policy_experimental_warning_test.go | Renames/updates the integration test to expect no experimental warning. |
| docs/src/content/docs/reference/github-tools.md | Removes the “Experimental Feature” caution block from Guard Policies docs. |
| docs/src/content/docs/reference/glossary.md | Removes “experimental” wording and the compilation-warning note from the Guard Policy glossary entry. |


Comment on lines 122 to 126
// Verify that no guard policy warning was recorded in the warning count
warningCount := compiler.GetWarningCount()
if warningCount != 0 {
t.Errorf("Expected no warnings but got %d warning(s); stderr:\n%s", warningCount, stderrOutput)
}
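
Review bot: The `warningCount != 0` check fails on any warning the compiler records, while the comment above it says it verifies only that no guard policy warning was recorded. If compiling the test workflow can produce other warnings, this assertion will fail for reasons unrelated to the change. Consider dropping it and asserting only that the guard policy message is absent from `stderrOutput`, or counting only the warnings whose text matches that message.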
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Mar 19, 2026

@copilot fix https://github.com/github/gh-aw/actions/runs/23278162537/job/67686143872

Fixed in 68f03d9. The test was checking GetWarningCount() == 0, but compilation can emit unrelated warnings (e.g. permissions for issues/pull_requests toolsets). Removed that overly-strict assertion — the test now only checks that the specific guard policy experimental warning message is absent from stderr.

Development

Successfully merging this pull request may close these issues.

Remove ⚠ Using experimental feature: tools.github guard policy (repos/min-integrity
