From 35f4db8de967e90f86b0aa331d2b9e6a3b3e7e19 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 8 Jul 2026 10:36:28 +0000 Subject: [PATCH] fix: skip lockdown detection step when guard policy explicitly configured Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- pkg/workflow/compiler_github_mcp_steps.go | 10 +++++++ .../compiler_github_mcp_steps_test.go | 26 ++++++++++++++++--- 2 files changed, 33 insertions(+), 3 deletions(-) diff --git a/pkg/workflow/compiler_github_mcp_steps.go b/pkg/workflow/compiler_github_mcp_steps.go index b4b8a7d6d6b..57e9536fde9 100644 --- a/pkg/workflow/compiler_github_mcp_steps.go +++ b/pkg/workflow/compiler_github_mcp_steps.go @@ -28,6 +28,16 @@ func (c *Compiler) generateGitHubMCPLockdownDetectionStep(yaml *strings.Builder, return } + // Skip the detection step when guard policies are already explicitly configured. + // Explicit guard policies mean the compiler already knows the min-integrity and repos values, + // so there is nothing for the runtime detection script to determine. + if toolConfig, ok := githubTool.(map[string]any); ok { + if len(getGitHubGuardPolicies(toolConfig)) > 0 { + githubConfigLog.Print("Skipping GitHub MCP lockdown detection step: guard policy explicitly configured") + return + } + } + githubConfigLog.Print("Generating automatic guard policy determination step for GitHub MCP server") // Resolve the latest version of actions/github-script diff --git a/pkg/workflow/compiler_github_mcp_steps_test.go b/pkg/workflow/compiler_github_mcp_steps_test.go index 4189297cd39..8fcbb08be58 100644 --- a/pkg/workflow/compiler_github_mcp_steps_test.go +++ b/pkg/workflow/compiler_github_mcp_steps_test.go @@ -39,7 +39,7 @@ func TestQuoteYAMLEnvValue(t *testing.T) { assert.Equal(t, `'["a","b"]'`, quoteYAMLEnvValue(`["a","b"]`)) } -func TestGenerateGitHubMCPLockdownDetectionStepQuotesConfiguredEnvValues(t *testing.T) { +func TestGenerateGitHubMCPLockdownDetectionStepSkipsWhenGuardPolicyExplicit(t *testing.T) { t.Parallel() var yaml strings.Builder @@ -55,6 +55,26 @@ func TestGenerateGitHubMCPLockdownDetectionStepQuotesConfiguredEnvValues(t *test NewCompiler().generateGitHubMCPLockdownDetectionStep(&yaml, data) output := yaml.String() - assert.Contains(t, output, "GH_AW_GITHUB_MIN_INTEGRITY: 'approved'") - assert.Contains(t, output, `GH_AW_GITHUB_REPOS: '["github/gh-aw","github/*"]'`) + // When guard policies are explicitly configured, the detection step must not be generated. + assert.Empty(t, output, "detection step should be skipped when guard policy is explicitly configured") +} + +func TestGenerateGitHubMCPLockdownDetectionStepGeneratedWhenNoGuardPolicy(t *testing.T) { + t.Parallel() + + var yaml strings.Builder + data := &WorkflowData{ + Tools: map[string]any{ + "github": map[string]any{ + "mode": "local", + }, + }, + } + + NewCompiler().generateGitHubMCPLockdownDetectionStep(&yaml, data) + output := yaml.String() + + assert.Contains(t, output, "determine-automatic-lockdown", "detection step should be generated when no explicit guard policy") + assert.NotContains(t, output, "GH_AW_GITHUB_MIN_INTEGRITY", "env var should not be present when min-integrity is not set") + assert.NotContains(t, output, "GH_AW_GITHUB_REPOS", "env var should not be present when repos is not set") }