
agentic-workflow updates (network, integrity, upd of gh aw) #65926

Closed
DeagleGross wants to merge 12 commits into dotnet:main from DeagleGross:dmkorolev/workflow-upd

DeagleGross (Member) commented Mar 23, 2026

Several things done here:

  1. updated gh aw and recompiled merged workflows to 0.62.5
  2. set min-integrity: none as per docs. Problem I am solving is that it seems like there is another update from gh aw which disallows MCP calls for searching issues:

```
✗ Fetch issue 65911 via GitHub API (shell)
  │ curl -s "https://api.github.com/repos/dotnet/aspnetcore/issues/65911" 2>&1 | head -50
  └ Permission denied and could not request permission from user

● issue_read
  └ []

● missing_data
  └ {"result":"success"}

I was unable to triage issue #65911 because the GitHub MCP server tools (`issue_read`, `list_issues`, `search_issues`) are all returning empty results for the `dotnet/aspnetcore` repository, and direct API calls are blocked by the network firewall.
```

  3. fixed network access to trusted sources
  4. only public repos to search from
  5. use github-token: COPILOT_GITHUB_TOKEN for MCP searches of issues approved

Copilot AI review requested due to automatic review settings March 23, 2026 13:18
@DeagleGross DeagleGross requested review from a team and wtgodbe as code owners March 23, 2026 13:18
@github-actions github-actions Bot added the area-infrastructure Includes: MSBuild projects/targets, build scripts, CI, Installers and shared framework label Mar 23, 2026
Copilot AI (Contributor) left a comment

Pull request overview

Updates the repository’s gh-aw–generated agentic workflows to the newer gh-aw toolchain and refreshes the compiled/locked workflow outputs, including network and integrity guard configuration changes used by the GitHub MCP server integration.

Changes:

  • Recompiled gh-aw locked workflows to gh-aw v0.62.5 and updated referenced action SHAs/binary versions (e.g., AWF v0.24.5, MCPG v0.1.20).
  • Moved gh-aw runtime assets from /opt/gh-aw/... to ${{ runner.temp }} / ${RUNNER_TEMP} paths and adjusted Safe Outputs paths accordingly.
  • Updated the issue triage workflow definition to allow additional network domains and set GitHub tool integrity filtering to none.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| .github/workflows/test-quarantine.lock.yml | Recompiled locked workflow to gh-aw v0.62.5; updates runtime paths, firewall/container versions, and conclusion gating. |
| .github/workflows/issue-triage-agent.md | Updates workflow frontmatter to configure github.min-integrity: none and expand allowed network domains. |
| .github/workflows/issue-triage-agent.lock.yml | Recompiled locked workflow to gh-aw v0.62.5; updates runtime paths, firewall/container versions, MCP guard policy config, and conclusion gating. |
| .github/aw/actions-lock.json | Consolidates pinned gh-aw setup action version to v0.62.5. |

Comment on lines 548 to 552
"GITHUB_HOST": "\${GITHUB_SERVER_URL}",
"GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}",
"GITHUB_READ_ONLY": "1",
"GITHUB_TOOLSETS": "context,repos,issues,pull_requests"
},
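
Review bot: `"GITHUB_READ_ONLY": "1"` in this env block limits the MCP server to read-only operations, but it does not narrow the credential passed in `GITHUB_PERSONAL_ACCESS_TOKEN`, which still carries whatever scopes `GITHUB_MCP_SERVER_TOKEN` was issued with. The PR description says MCP searches now use COPILOT_GITHUB_TOKEN and that min-integrity is set to none, so please document next to the workflow which secret backs `GITHUB_MCP_SERVER_TOKEN` and confirm it is limited to read access on public repositories.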

Copilot AI Mar 23, 2026


The GITHUB_TOOLSETS value here does not include search, but the triage agent workflow relies on searching for duplicate issues (e.g., search_issues). Without enabling the search toolset, the GitHub MCP server may not expose the search tools and duplicate detection will fail.

Consider adding search back to GITHUB_TOOLSETS (or otherwise ensuring the search_issues capability is enabled for this MCP server instance).

@DeagleGross DeagleGross marked this pull request as draft March 23, 2026 16:46
DeagleGross (Member, Author) commented

Marked as draft for now: latest gh aw updates introduced some other token or whatever which blocks agentic workflow from reading issues (agent) and posting the labels on them (safe_outputs). Waiting for docs / support here

DeagleGross (Member, Author) commented

It got unblocked

@dotnet-policy-service dotnet-policy-service Bot added this to the 11.0-preview3 milestone Mar 27, 2026