Auto-allow gh in restricted bash when tools.github.mode: gh-proxy#31204
Merged
Conversation
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot
AI
changed the title
Auto-allow gh in restricted bash for gh-proxy mode
Auto-allow May 9, 2026
gh in restricted bash when tools.github.mode: gh-proxy
Copilot created this pull request from a session on behalf of
pelikhan
May 9, 2026 12:24
View session
Contributor
There was a problem hiding this comment.
Pull request overview
Fixes a permissions gap when tools.github.mode: gh-proxy is used alongside a restricted tools.bash allowlist by implicitly allowing gh in both the restricted bash allowlist and Copilot CLI --allow-tool arguments.
Changes:
- Augments restricted bash allowlists with
gh:*when GitHub CLI (gh-proxy) mode is enabled. - Adds
--allow-tool shell(gh:*)to Copilot CLI arguments under the same conditions, and updates unit tests. - Regenerates/updates compiled workflow lock files.
Show a summary per file
| File | Description |
|---|---|
| pkg/workflow/mcp_cli_mount.go | Injects gh:* into restricted bash allowlists when GitHub CLI mode is enabled. |
| pkg/workflow/mcp_cli_mount_test.go | Adds regression tests for gh:* injection behavior. |
| pkg/workflow/copilot_engine_tools.go | Adds shell(gh:*) to Copilot tool args for restricted bash in gh-proxy mode; refactors mount-data handling. |
| pkg/workflow/copilot_engine_test.go | Adds unit coverage ensuring shell(gh:*) is granted for gh-proxy + restricted bash. |
| .github/workflows/daily-news.lock.yml | Recompiled lock file with substantial workflow wiring/version/env/behavior changes. |
| .github/workflows/cli-version-checker.lock.yml | Recompiled lock file updates (prompt heredocs, metadata/hash, description text). |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 6/6 changed files
- Comments generated: 3
| for _, serverName := range getMountedCLIServerNamesIfBashRestricted(workflowData, tools, safeOutputs, mcpScripts) { | ||
| effectiveWorkflowData := buildCLIWorkflowDataForMounts(workflowData, tools, safeOutputs, mcpScripts) | ||
|
|
||
| for _, serverName := range getMountedCLIServerNamesIfBashRestricted(effectiveWorkflowData, tools, safeOutputs, mcpScripts) { |
| } | ||
| // When playwright is configured in CLI mode, playwright-cli must be executable. | ||
| // Automatically add shell(playwright-cli:*) to the restricted bash allowlist. | ||
| if workflowData != nil && isPlaywrightCLIMode(workflowData.Tools) { |
Comment on lines
+1
to
5
| # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"fd1a4558d3ce0325e2328114094f046652e1a55b2e764efc8821830eb2a7f064","strict":true,"agent_id":"copilot"} | ||
| # gh-aw-manifest: {"version":1,"secrets":["GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN","TAVILY_API_KEY"],"actions":[{"repo":"actions/cache/restore","sha":"27d5ce7f107fe9357f9df03efb73ab90386fccae","version":"v5.0.5"},{"repo":"actions/cache/save","sha":"27d5ce7f107fe9357f9df03efb73ab90386fccae","version":"v5.0.5"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/setup-python","sha":"a309ff8b426b58ec0e2a45f0f869d46889d02405","version":"v6.2.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.42"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.42"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.42"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.6","digest":"sha256:2bb8eef86006a4c5963c55616a9c51c32f27bfdecb023b8aa6f91f6718d9171c","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.6@sha256:2bb8eef86006a4c5963c55616a9c51c32f27bfdecb023b8aa6f91f6718d9171c"},{"image":"ghcr.io/github/github-mcp-server:v1.0.3","digest":"sha256:2ac27ef03461ef2b877031b838a7d1fd7f12b12d4ace7796d8cad91446d55959","pinned_image":"ghcr.io/github/github-mcp-server:v1.0.3@sha256:2ac27ef03461ef2b877031b838a7d1fd7f12b12d4ace7796d8cad91446d55959"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]} | ||
| # ___ _ _ | ||
| # / _ \ | | (_) | ||
| # | |_| | __ _ ___ _ __ | |_ _ ___ |
Collaborator
|
@copilot apply to all agentic engines |
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor
Author
Applied across agentic engines by regenerating all affected lock workflows so restricted bash includes |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bug Fix
gh-proxymode routes GitHub operations through theghCLI, but restrictedtools.bashallowlists did not automatically permitgh, causing tool access gaps. This change aligns bash/Copilot permissions withgh-proxybehavior by auto-authorizingghwhen needed.What was the bug?
When
tools.github.mode: gh-proxywas enabled with a restricted bash allowlist, GitHub access could still be blocked becauseghwas not implicitly allowed.How did you fix it?
gh:*when GitHub CLI mode is active.shell(gh:*)to Copilot--allow-toolarguments under the same conditions.gh:*/engine-equivalent shell permissions ingh-proxy+ restricted bash configurations.Example
With this change, the effective restricted shell permissions include
gh:*(and Copilot receivesshell(gh:*)), so GitHub MCP access viaghworks without manual allowlist edits.Testing
Added focused unit coverage to validate
gh:*/shell(gh:*)auto-injection only whengh-proxyis enabled with restricted bash, and recompiled lock workflows to propagate the behavior across affected agentic engine workflows.