Skip to content

fix: skip lockdown autodetection step when guard policy is explicitly configured#44270

Merged
pelikhan merged 1 commit into
mainfrom
copilot/fix-issue-in-action-run-28934666950
Jul 8, 2026
Merged

fix: skip lockdown autodetection step when guard policy is explicitly configured#44270
pelikhan merged 1 commit into
mainfrom
copilot/fix-issue-in-action-run-28934666950

Conversation

Copilot AI commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

TestGitHubLockdownAutodetection/No_auto_detection_when_guard_policy_explicitly_configured was failing because generateGitHubMCPLockdownDetectionStep unconditionally emitted the determine-automatic-lockdown step whenever the GitHub tool was present, even when min-integrity/repos were already statically configured in the frontmatter.

Changes

  • compiler_github_mcp_steps.go: Early-return from generateGitHubMCPLockdownDetectionStep when getGitHubGuardPolicies(toolConfig) is non-empty — explicit guard policies make runtime detection redundant, and mcp_environment.go already omits the GITHUB_MCP_GUARD_* env vars in this case.

  • compiler_github_mcp_steps_test.go: Replaced TestGenerateGitHubMCPLockdownDetectionStepQuotesConfiguredEnvValues (testing a now-dead code path) with two focused tests:

    • asserts step is skipped when explicit guard policies are present
    • asserts step is generated when no guard policy is configured

…ured

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title fix: skip lockdown detection step when guard policy explicitly configured fix: skip lockdown autodetection step when guard policy is explicitly configured Jul 8, 2026
Copilot AI requested a review from pelikhan July 8, 2026 10:37
@pelikhan pelikhan marked this pull request as ready for review July 8, 2026 10:38
Copilot AI review requested due to automatic review settings July 8, 2026 10:38
@pelikhan pelikhan merged commit 46eccb0 into main Jul 8, 2026
@pelikhan pelikhan deleted the copilot/fix-issue-in-action-run-28934666950 branch July 8, 2026 10:38

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR changes the GitHub MCP step generation logic to skip emitting the determine-automatic-lockdown step when GitHub guard policies are explicitly configured in workflow frontmatter, and updates unit tests accordingly.

Changes:

  • Adds an early-return in generateGitHubMCPLockdownDetectionStep when getGitHubGuardPolicies(...) is non-empty.
  • Replaces a prior env-quoting test with new tests asserting the step is skipped/present depending on guard policy configuration.
Show a summary per file
File Description
pkg/workflow/compiler_github_mcp_steps.go Skips generating the lockdown autodetection step when guard policies are explicitly configured.
pkg/workflow/compiler_github_mcp_steps_test.go Updates tests to validate skipped vs generated behavior for the autodetection step.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 2/2 changed files
  • Comments generated: 2
  • Review effort level: Low

Comment on lines +31 to +39
// Skip the detection step when guard policies are already explicitly configured.
// Explicit guard policies mean the compiler already knows the min-integrity and repos values,
// so there is nothing for the runtime detection script to determine.
if toolConfig, ok := githubTool.(map[string]any); ok {
if len(getGitHubGuardPolicies(toolConfig)) > 0 {
githubConfigLog.Print("Skipping GitHub MCP lockdown detection step: guard policy explicitly configured")
return
}
}
Comment on lines +58 to +60
// When guard policies are explicitly configured, the detection step must not be generated.
assert.Empty(t, output, "detection step should be skipped when guard policy is explicitly configured")
}
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

🎉 This pull request is included in a new release.

Release: v0.82.6

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants