fix: skip lockdown autodetection step when guard policy is explicitly configured#44270
Merged
Merged
Conversation
…ured Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot
AI
changed the title
fix: skip lockdown detection step when guard policy explicitly configured
fix: skip lockdown autodetection step when guard policy is explicitly configured
Jul 8, 2026
Copilot created this pull request from a session on behalf of
pelikhan
July 8, 2026 10:37
View session
pelikhan
approved these changes
Jul 8, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
This PR changes the GitHub MCP step generation logic to skip emitting the determine-automatic-lockdown step when GitHub guard policies are explicitly configured in workflow frontmatter, and updates unit tests accordingly.
Changes:
- Adds an early-return in
generateGitHubMCPLockdownDetectionStepwhengetGitHubGuardPolicies(...)is non-empty. - Replaces a prior env-quoting test with new tests asserting the step is skipped/present depending on guard policy configuration.
Show a summary per file
| File | Description |
|---|---|
| pkg/workflow/compiler_github_mcp_steps.go | Skips generating the lockdown autodetection step when guard policies are explicitly configured. |
| pkg/workflow/compiler_github_mcp_steps_test.go | Updates tests to validate skipped vs generated behavior for the autodetection step. |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 2/2 changed files
- Comments generated: 2
- Review effort level: Low
Comment on lines
+31
to
+39
| // Skip the detection step when guard policies are already explicitly configured. | ||
| // Explicit guard policies mean the compiler already knows the min-integrity and repos values, | ||
| // so there is nothing for the runtime detection script to determine. | ||
| if toolConfig, ok := githubTool.(map[string]any); ok { | ||
| if len(getGitHubGuardPolicies(toolConfig)) > 0 { | ||
| githubConfigLog.Print("Skipping GitHub MCP lockdown detection step: guard policy explicitly configured") | ||
| return | ||
| } | ||
| } |
Comment on lines
+58
to
+60
| // When guard policies are explicitly configured, the detection step must not be generated. | ||
| assert.Empty(t, output, "detection step should be skipped when guard policy is explicitly configured") | ||
| } |
Contributor
|
🎉 This pull request is included in a new release. Release: |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
TestGitHubLockdownAutodetection/No_auto_detection_when_guard_policy_explicitly_configuredwas failing becausegenerateGitHubMCPLockdownDetectionStepunconditionally emitted thedetermine-automatic-lockdownstep whenever the GitHub tool was present, even whenmin-integrity/reposwere already statically configured in the frontmatter.Changes
compiler_github_mcp_steps.go: Early-return fromgenerateGitHubMCPLockdownDetectionStepwhengetGitHubGuardPolicies(toolConfig)is non-empty — explicit guard policies make runtime detection redundant, andmcp_environment.goalready omits theGITHUB_MCP_GUARD_*env vars in this case.compiler_github_mcp_steps_test.go: ReplacedTestGenerateGitHubMCPLockdownDetectionStepQuotesConfiguredEnvValues(testing a now-dead code path) with two focused tests: