
[WIP] Refactor workflows to adopt github-guard-policy.md #33781

Closed
Copilot wants to merge 1 commit into main from copilot/refactor-github-guard-policy-adoption

Copilot AI commented May 21, 2026

Thanks for asking me to work on this. I will get started on it and keep this PR's description up to date as I form a plan and make progress.


This section details the original issue you should resolve

<issue_title>[refactoring] Expand github-guard-policy.md adoption to all GitHub MCP workflows</issue_title>
<issue_description>### Problem

138 workflows (89% of workflows using GitHub MCP tools) don't import shared/github-guard-policy.md. This means:

  • Each workflow must define approval labels independently
  • Policy changes require updating 138+ workflow files
  • Inconsistent approval behavior across workflows

Current State

  • 155 workflows use GitHub MCP tools (66.5% of all workflows)
  • Only 17 workflows (11%) import shared/github-guard-policy.md
  • 138 workflows either duplicate approval labels inline or omit them entirely

What is github-guard-policy.md?

Provides standard approval labels (cookie, community) that allow issues and PRs from community contributors to bypass the min-integrity check when the GitHub MCP server performs tool calls.

Current implementation (5 lines):

---
tools:
  github:
    approval-labels: [cookie, community]
---

Proposed Solution

  1. Audit all 138 workflows - Identify which need approval label configuration
  2. Add import to all GitHub MCP workflows - Make it standard practice
  3. Update AGENTS.md - Document when to import github-guard-policy.md

Migration Path

Phase 1: High-priority workflows (issue/PR automation, moderation, security)

  • ai-moderator.md
  • bot-detection.md
  • contribution-check.md
  • code-scanning-fixer.md
  • (and ~30 others with community interaction)

Phase 2: Medium-priority workflows (daily reports, analysis)

  • All workflows in daily-*.md that use GitHub tools
  • All workflows with slash_command or label_command triggers

Phase 3: Remaining workflows

  • Smoke tests, experiments, low-frequency workflows

Example Before/After

Before (duplicated in many workflows):

tools:
  github:
    mode: local
    read-only: true
    toolsets: [default]
    approval-labels: [cookie, community]  # ← duplicated

After (centralized):

imports:
  - shared/github-guard-policy.md  # ← standard import
  - shared/otlp.md
tools:
  github:
    mode: local
    read-only: true
    toolsets: [default]
    # approval-labels inherited from github-guard-policy.md

Impact

  • Workflows affected: 138
  • Line savings: ~3-5 lines × 138 = 414-690 lines
  • Maintenance benefit: Single source of truth for approval policy
  • Security benefit: Consistent approval behavior across all workflows

Sample Workflows Missing Import

View 20 workflows without github-guard-policy.md
  • ab-testing-advisor.md
  • ai-moderator.md
  • approach-validator.md
  • archie.md
  • artifacts-summary.md
  • aw-portfolio-yield.md
  • bot-detection.md
  • breaking-change-checker.md
  • ci-coach.md
  • ci-doctor.md
  • claude-code-user-docs-review.md
  • code-scanning-fixer.md
  • code-simplifier.md
  • codex-github-remote-mcp-test.md
  • commit-changes-analyzer.md
  • contribution-check.md
  • copilot-cli-deep-research.md
  • copilot-opt.md
  • copilot-pr-merged-report.md
  • copilot-session-insights.md

References

  • Current policy: .github/workflows/shared/github-guard-policy.md
  • Analysis: §26206419572

Generated by 🔍 Workflow Skill Extractor · ● 1.6M ·

  • expires on May 23, 2026, 5:08 AM UTC

Comments on the Issue (you are @copilot in this section)
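
The audit step in the issue's proposed solution can be scripted. The following is an added example, not code from this PR or repository: it classifies workflows by how they configure approval labels and flags inline copies that differ from the shared policy. It assumes frontmatter written in the flow style shown in the issue; the sample file names, their contents and the `trusted` label are constructed.

```python
import re

POLICY_IMPORT = "shared/github-guard-policy.md"  # import path named in the issue
POLICY_LABELS = {"cookie", "community"}          # labels the shared policy defines

def front_matter(text):
    """Return the lines between the leading pair of '---' markers."""
    lines = text.splitlines()
    if lines and lines[0].strip() == "---":
        for i in range(1, len(lines)):
            if lines[i].strip() == "---":
                return lines[1:i]
    return []

def audit(text):
    """Classify one workflow's GitHub MCP approval-label configuration."""
    block, uses_github, imports_policy, labels = None, False, False, None
    for raw in front_matter(text):
        line = re.sub(r"(^|\s)#.*$", "", raw)    # drop YAML comments
        if not line.strip():
            continue
        if not line[0].isspace():                # top-level key opens a block
            block = line.split(":")[0].strip()
        elif block == "imports":
            imports_policy |= line.strip().lstrip("- ") == POLICY_IMPORT
        elif block == "tools" and re.match(r"\s+github:", line):
            uses_github = True
        elif block == "tools" and uses_github:
            m = re.match(r"\s+approval-labels:\s*\[(.*)\]", line)
            if m:
                labels = {x.strip() for x in m.group(1).split(",") if x.strip()}
    if not uses_github:
        return "not-applicable"
    if labels is not None:                       # inline copy: same as policy or not?
        return "inline-match" if labels == POLICY_LABELS else "inline-drift"
    return "imports-policy" if imports_policy else "missing"

# Constructed sample workflows (file names and contents are hypothetical).
SAMPLES = {
    "a.md": "---\nimports:\n  - shared/github-guard-policy.md\ntools:\n  github:\n    mode: local\n---\nbody",
    "b.md": "---\ntools:\n  github:\n    approval-labels: [cookie, community]  # dup\n---\n",
    "c.md": "---\ntools:\n  github:\n    approval-labels: [cookie, trusted]\n---\n",
    "d.md": "---\ntools:\n  github:\n    read-only: true\n---\n",
    "e.md": "---\ntools:\n  bash: true\n---\n",
}

def audit_all(workflows):
    return {name: audit(text) for name, text in workflows.items()}
print(audit_all(SAMPLES))
```

Workflows reported as `inline-drift` deserve review before migration, because their label set differs from the shared policy and so changes which issues and PRs bypass the min-integrity check.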

@pelikhan pelikhan closed this May 21, 2026
Copilot AI requested a review from gh-aw-bot May 21, 2026 15:26
Copilot stopped work on behalf of gh-aw-bot due to an error May 21, 2026 15:26
@github-actions github-actions Bot deleted the copilot/refactor-github-guard-policy-adoption branch June 3, 2026 14:29