feat: daily DIFC integrity-filtered events analysis workflow + MCP logs filtered_integrity param

[Copilot]

Adds a daily agentic workflow that analyzes DIFC integrity-filtered events across workflow runs, producing statistical charts and actionable tuning recommendations published as a GitHub discussion. Also exposes the existing --filtered-integrity CLI flag through the MCP logs tool, which was previously inaccessible to agents.

Changes

pkg/cli/mcp_tools_privileged.go

• Add filtered_integrity bool to logsArgs — maps to --filtered-integrity CLI flag
• Passes --filtered-integrity to the subprocess when set
• Updates debug log line to include the new field

actions/setup/md/agentic_workflows_guide.md

• Documents filtered_integrity in the logs tool parameter list

.github/workflows/daily-integrity-analysis.md (new)

• Pre-step: downloads logs pre-filtered to only runs with DIFC events via ./gh-aw logs --filtered-integrity --start-date -7d --json -c 200 before the agent starts
• Python analysis: bucketizes events by tool, server, reason, integrity/secrecy tags, and time; generates 3 charts (daily timeline, top filtered tools bar, filter reason/tag breakdown)
• Safe outputs: upload-asset for charts + create-discussion (expires 3d, audits category, auto-closes older reports)
• Imports shared/reporting.md + shared/python-dataviz.md
• Early-exit guard: calls noop when no filtered events exist in the window

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw eutil_test.go apter_test.go (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw tants_test.go ler_safe_outputsnpx prettier --write '../../../**/*.json' '!../../../pkg/workflow/js/**/*.json' --ignore-path ler_error_formatter_test.go /pre�� ler_orchestrator_workflow.go to_pull_request_branch_validation.go cal/bin/git hub.com/.extrahegit (http block)
• https://api.github.com/orgs/test-owner/actions/secrets
  • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name "prettier" --wriGOINSECURE go 64/bin/go tierignore GO111MODULE /sh node /hom�� --write ../../../**/*.jsGOWORK 64/bin/go --ignore-path ../../../.pretti/home/REDACTED/.npm/_npx/b388654678d519d9/node_modules/.bin/prettier (http block)
  • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/compile /usr/bin/git 507409914/001 GO111MODULE /opt/hostedtoolc--show-toplevel git rev-�� --show-toplevel go /usr/bin/git runs/20260319-21git GO111MODULE /snap/bin/sh git (http block)
• https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha HEAD .github/workflows/test.md /usr/bin/git -json GO111MODULE 64/bin/go git conf�� user.name Test User /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v3
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha 108654/b435/_pkg_.a **/*.cjs 108654/b435=> **/*.json --ignore-path ../../../.pretti--show-toplevel /tmp/go-build775108654/b001/gh-aw.test -tes�� T0us/8MBkAlss8NoqMJPDT0us -test.v=true /usr/bin/git -test.timeout=10git -test.run=^Test -test.short=true--show-toplevel git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v5
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha -json GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go 0/x6�� -json GO111MODULE ole.test GOINSECURE GOMOD GOMODCACHE ole.test (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel go /usr/bin/git -json GO111MODULE x_amd64/vet git rev-�� --show-toplevel x_amd64/vet /usr/bin/git -json GO111MODULE At,event,headBra--show-toplevel git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel go /usr/bin/git -json GO111MODULE (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha user.email test@example.com /usr/bin/git orts,XTestImpor GO111MODULE 64/bin/go git conf�� user.email test@example.com /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel go /usr/bin/git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel w.test /usr/bin/git -json GO111MODULE ache/go/1.25.0/x--show-toplevel git rev-�� --show-toplevel go (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v8
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha prettier --write 64/bin/go --ignore-path .prettierignore --log-level=erronpx prettier --check '**/*.cjs' '**/*.ts' '**/*.json' --ignore-path ../../../.pr**/*.json sh -c "prettier" --wriGOSUMDB sed 64/bin/go /workflows/dailysh GOPROXY 64/bin/go go (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha "prettier" --wriGOINSECURE sort 64/bin/go rror GOPROXY 64/bin/go go env ath ../../../.pr.prettierignore GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha "prettier" --wriGOSUMDB /usr/bin/php8.3 modules/@npmcli/run-script/lib/node-gyp-bin/node rror -d 64/bin/go go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha -bool l /usr/bin/git -errorsas -ifaceassert -nilfunc git -C /tmp/gh-aw-test-runs/20260319-211206-39181/test-2893875916 rev-parse /usr/bin/git @{u} GO111MODULE 64/bin/go git (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha add origin /usr/bin/git -json GO111MODULE 64/bin/go git rev-�� --show-toplevel go /usr/bin/git -json GO111MODULE nch,headSha,disp--show-toplevel git (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha th .prettierignoremote.origin.url g/workflow/push_to_pull_request_branch_validation.go $name) { hasDiscussionsEnabled } } (http block)
• https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha 108654/b428/_pkg_.a GO111MODULE 108654/b428=> GOINSECURE b/gh-aw/pkg/reporev-parse GOMODCACHE node /opt�� runs/20260319-211206-39181/test-29871795/.github/workflows --check ache/node/24.14.0/x64/bin/node l **/*.json --ignore-path 108654/b428/importcfg (http block)
• https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha h ../../../.pret.prettierignore (http block)
• https://api.github.com/repos/github/gh-aw
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility grity\|filteredIntegrity g/cli/mcp_server.go k/_temp/uv-python-dir/bash (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha -json GO111MODULE 0/x64/bin/node GOINSECURE GOMOD GOMODCACHE sh t-ha�� ithub/workflows/artifacts-summary.md GOPROXY 0/x64/bin/node GOSUMDB GOWORK 64/bin/go 0/x64/bin/node (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha 1206-39181/test-2893875916 GO111MODULE /home/REDACTED/work/gh-aw/gh-aw/actions/setup/js/node_modules/.bin/sh GOINSECURE GOMOD GOMODCACHE sh -c k/gh-aw/gh-aw/.github/workflows GOPROXY ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet GOSUMDB GOWORK 64/bin/go ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
  • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 git (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
  • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE de/node/bin/sh GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 git /usr/bin/git /tmp/gh-aw-test-git config /opt/hostedtoolc--show-toplevel git rev-�� --show-toplevel node /usr/bin/git /tmp/TestHashCongit /home/REDACTED/worrev-parse /usr/bin/git git (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
  • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 0/x64/bin/sh GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 gh /usr/bin/git /repos/actions/ggit --jq /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git user.name Test User /usr/bin/git git (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
  • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 infocmp /usr/bin/infocmp xterm-color (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
  • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 GO111MODULE x_amd64/link GOINSECURE GOMOD GOMODCACHE x_amd64/link env -json GO111MODULE 0/x64/bin/npx GOINSECURE GOMOD GOMODCACHE HC/wPHmRHH07drGotDxh6_4/9rUbv3kNVNgnGPLEQds7 (http block)
  • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 git /usr/bin/git /tmp/gh-aw-test-git config /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git user.name Test User /usr/bin/git git (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
  • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 gh /usr/bin/gh /repos/actions/ggit --jq /usr/bin/git gh api /repos/actions/checkout/git/ref/-errorsas --jq /usr/bin/git user.email test@example.comrev-parse /usr/bin/git git (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
  • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 git /usr/bin/gh --show-toplevel 108654/b440/_tesrev-parse /usr/bin/git gh api heckout/git/ref/tags/v5 --jq /usr/bin/git add origin /usr/bin/git git (http block)
• https://api.github.com/repos/github/gh-aw/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path "prettier" --wriGOINSECURE x_amd64/vet 64/bin/go tierignore GO111MODULE 64/bin/go node /hom�� --write ../../../**/*.js**/*.json 64/bin/go --ignore-path ../../../.prettirun /sh go (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 GOMOD GOMODCACHE go /pre�� -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 GOMOD GOMODCACHE go stlo�� -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env y_only_defaults_repo1748525156/001 GO111MODULE ode GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env re GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha --show-toplevel _8PrFuEMPUBX-/_hIk68it_nH2gSrVWrsb/WrsaZCqRpvSTiHMe1VZH/CV7k7xB_8PrFuEMPUBX- /usr/bin/git ithub-script/gitgit GO111MODULE 108654/b411/_pkg--show-toplevel git rev-�� --show-toplevel npx ache/node/24.14.0/x64/bin/npm --check scripts/**/*.js ache/node/24.14./tmp/gh-aw-test-runs/20260319-211431-44034/test-4064192180/.github/workflows ache/node/24.14.rev-parse (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env re GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha ath ../../../.pr**/*.json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env re GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha --show-toplevel 26u1sQBUTLj2u/4bGH9PK-iMdI7cWs0XO8/TjivPCOEst-pSD1DY-XQ/n_dXDQ92-buildtags be591bad9227d484-d ithub/workflows/git GO111MODULE 0/x64/bin/node git rev-�� --show-toplevel node k/_temp/uv-python-dir/node ithub/workflows/git --check /opt/hostedtoolc--show-toplevel git (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha ath ../../../.pr**/*.json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env re GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha --show-toplevel go /usr/bin/git -json (http block)
• https://api.github.com/repos/githubnext/agentics/git/ref/tags/
  • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha ll 2>&1 (http block)
• https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha -json GO111MODULE At,event,headBranch,headSha,displayTitle GOINSECURE GOMOD GOMODCACHE go env y_with_explicit_repo1661736517/001 GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
• https://api.github.com/repos/nonexistent/repo/actions/runs/12345
  • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE bin/sh GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion --show-toplevel 108654/b452/_tesrev-parse ache/node/24.14.--show-toplevel git rev-�� --show-toplevel ache/node/24.14.0/x64/bin/node /usr/bin/git (http block)
• https://api.github.com/repos/owner/repo/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go .prettierignore --log-level=erro/opt/hostedtoolcache/node/24.14.0/x64/bin/npx 64/bin/go node /hom�� --write ../../../**/*.js**/*.json /node --ignore-path ../../../.pretti-c 64/bin/go go (http block)
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go .prettierignore --log-level=erro-c modules/@npmcli/"prettier" --check '**/*.cjs' '**/*.ts' '**/*.json' --ignore-path ../../../.prettierignore node /hom�� --write ../../../**/*.jsGOWORK 64/bin/go --ignore-path ../../../.prettifor-each-ref 64/bin/go go (http block)
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo /usr/bin/git ository }} GO111MODULE /opt/hostedtoolc--show-toplevel git rev-�� --show-toplevel go /usr/bin/git runs/20260319-21git GO111MODULE /home/REDACTED/.do--show-toplevel git (http block)
• https://api.github.com/repos/owner/repo/contents/file.md
  • Triggering command: /tmp/go-build775108654/b399/cli.test /tmp/go-build775108654/b399/cli.test -test.testlogfile=/tmp/go-build775108654/b399/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true **/*.json --ignore-path ../../../.pretti-json sh -c "prettier" --wriGOINSECURE go 64/bin/go rror GO111MODULE modules/@npmcli/prettier go (http block)
  • Triggering command: /tmp/go-build3588281778/b399/cli.test /tmp/go-build3588281778/b399/cli.test -test.testlogfile=/tmp/go-build3588281778/b399/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true GOPATH); \ if cogit tmain.go ache/go/1.25.0/x--show-toplevel git rev-�� --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/link /usr/bin/git 108654/b429/repogit GO111MODULE 108654/b429/impo--show-toplevel git (http block)
• https://api.github.com/repos/test-owner/test-repo/actions/secrets
  • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name "prettier" --wriGOINSECURE go 64/bin/go -json GO111MODULE 64/bin/go sh -c "prettier" --wriGOSUMDB go 64/bin/go /workflows/dailynode GO111MODULE 64/bin/go go (http block)
  • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name --show-toplevel go /usr/bin/git SameOutput110337git GO111MODULE /opt/hostedtoolc--show-toplevel git rev-�� --show-toplevel go /usr/bin/git -json GO111MODULE /opt/hostedtoolc--show-toplevel git (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

Create an agentic workflow that runs daily and investigates all logs containing filtered integrity events. In a pre-step, it downloads the logs using the new flag that filters by filtered events.

The workflow runs Python code to bucketize and centralize these events so the agent can perform statistical analysis with clear charts that show which events are triggered and when. It then provides important, actionable suggestions for tuning the integrity system.

The results are published in a discussion using create-discussion, and use safe-outputs for all generated content.

---

⚡ Quickly spin up Copilot coding agent tasks from anywhere on your macOS or Windows machine with Raycast.

[github-actions]

Hey @Copilot 👋 — great start on the daily integrity-event analysis workflow! Bucketising filtered integrity events and surfacing actionable tuning suggestions via a discussion is exactly the kind of dogfooded agentic automation this project loves to see.

A few things to address before this is ready for review:

• WIP checklist items — only the research step is ticked off. The following items still need to be completed:
  • Add filtered_integrity parameter support to the MCP logs tool in internal/mcp/mcp_tools_privileged.go
  • Update agentic_workflows_guide.md to document the new parameter
  • Create the .github/workflows/daily-integrity-analysis.md workflow (daily schedule, pre-step log download with --filtered-integrity, Python bucketing + chart generation, create-discussion via safe-outputs)
  • Run make agent-finish to validate build, tests, lint, and recompile
• No tests yet — once the MCP parameter addition lands, add a test case in the adjacent *_test.go file covering the happy path and edge cases for filtered_integrity.
• No files changed yet — the diff is currently empty. The checklist above is the full scope of work remaining.

If you'd like a hand picking this back up, assign the prompt below to your coding agent:

Continue implementing PR #21855 in the github/gh-aw repository.
The research step is already complete. Complete all remaining checklist items:

1. Open `internal/mcp/mcp_tools_privileged.go` and add a `filtered_integrity` boolean parameter to the `logs` MCP tool. Follow the existing parameter patterns in that file.

2. Add a corresponding test case in the adjacent test file (e.g., `internal/mcp/mcp_tools_privileged_test.go`) covering:
   - `filtered_integrity: true` returns only integrity-filtered events
   - `filtered_integrity: false` / omitted behaves as before

3. Update `agentic_workflows_guide.md` to document the new `--filtered-integrity` / `filtered_integrity` parameter with a short description and example.

4. Create `.github/workflows/daily-integrity-analysis.md` as a new agentic workflow that:
   - Runs on a daily schedule (cron)
   - Has a pre-step that downloads logs using the `--filtered-integrity` flag
   - Has an agent step that runs Python to bucket and chart the events, then provides actionable tuning suggestions
   - Publishes results to a GitHub Discussion via `create-discussion` using safe-outputs for all generated content
   - Follow existing daily workflow examples in `.github/workflows/` for structure and conventions

5. Run `make agent-finish` to validate build, tests, lint, and recompile. Fix any failures before marking the PR ready for review.

Generated by Contribution Check · ◷

[Copilot]

Pull request overview

Adds support for fetching DIFC integrity-filtered runs via MCP logs, and introduces a new daily agentic workflow that analyzes those events and publishes a discussion report with charts.

Changes:

• Exposes the existing --filtered-integrity filter through the MCP logs tool (filtered_integrity JSON param).
• Documents the new MCP logs parameter in the agentic workflows guide.
• Adds a new daily integrity-analysis workflow (and compiled lock) that pre-downloads filtered runs, analyzes events, generates charts, and publishes a discussion.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File	Description
pkg/cli/mcp_tools_privileged.go	Adds filtered_integrity to MCP logs args and forwards it to the CLI invocation.
actions/setup/md/agentic_workflows_guide.md	Documents the filtered_integrity parameter for the MCP logs tool.
.github/workflows/daily-integrity-analysis.md	New daily workflow definition/instructions for collecting DIFC filtered events, charting, and reporting to Discussions.
.github/workflows/daily-integrity-analysis.lock.yml	Generated compiled workflow for the new daily integrity analysis.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This workflow imports shared/python-dataviz.md, which sets up /tmp/gh-aw/python/{data,charts} and automatically uploads /tmp/gh-aw/python/charts/*.png artifacts. However, the instructions here write data/scripts/charts under /tmp/gh-aw/integrity/..., so the shared import’s artifact upload steps won’t capture the generated charts/scripts.

To align with the shared import (and get automatic artifact uploads), consider using /tmp/gh-aw/python/data for JSON/CSV outputs and /tmp/gh-aw/python/charts for chart PNGs (or remove the shared import if you intentionally want a separate directory layout).

[Copilot]

The download step treats the presence of /tmp/gh-aw/integrity/filtered-logs.json as success, but because stdout is redirected (> filtered-logs.json) the file will be created/truncated even when ./gh-aw logs ... fails. This can silently convert a failed fetch into an empty/invalid dataset and produce misleading "Downloaded 0" output.

Consider capturing the command exit status and validating the JSON (e.g., jq -e 'type=="array"') before reporting success; on failure, write [] and log that the fetch failed (or fail the workflow if that’s preferable).

Suggested change

	# Download logs filtered to only runs with DIFC integrity-filtered events
	./gh-aw logs --filtered-integrity --start-date -7d --json -c 200 \
	> /tmp/gh-aw/integrity/filtered-logs.json
	if [ -f /tmp/gh-aw/integrity/filtered-logs.json ]; then
	count=$(jq '. | length' /tmp/gh-aw/integrity/filtered-logs.json 2>/dev/null || echo 0)
	echo "✅ Downloaded $count runs with integrity-filtered events"
	else
	echo "⚠️ No logs file produced; continuing with empty dataset"
	echo "[]" > /tmp/gh-aw/integrity/filtered-logs.json
	log_path=/tmp/gh-aw/integrity/filtered-logs.json
	# Download logs filtered to only runs with DIFC integrity-filtered events
	if ./gh-aw logs --filtered-integrity --start-date -7d --json -c 200 > "$log_path"; then
	if jq -e 'type=="array"' "$log_path" >/dev/null 2>&1; then
	count=$(jq 'length' "$log_path")
	echo "✅ Downloaded $count runs with integrity-filtered events"
	else
	echo "⚠️ Downloaded logs are not a valid JSON array; continuing with empty dataset"
	echo "[]" > "$log_path"
	fi
	else
	echo "⚠️ Failed to download logs; continuing with empty dataset"
	echo "[]" > "$log_path"