perf(security-guard): eliminate redundant API call and raise diff pre-fetch limit to 100 KB

[Copilot]

Security Guard averaged ~376K tokens/run because the agent job re-fetched PR file metadata that the gate job already computed, and a 5 KB diff ceiling truncated almost every PR, forcing repeated get_file_contents tool calls.

Changes

• Remove redundant Check security relevance step — the agent job was duplicating the gh api …/pulls/…/files call already made by check_security_relevance. Replaced with a passthrough from the job output:

  - name: Set security relevance count
    id: security-relevance
    run: |
      echo "security_files_changed=${{ needs.check_security_relevance.outputs.security_files_changed }}" >> "$GITHUB_OUTPUT"

• Raise DIFF_LIMIT 5 KB → 100 KB — covers the full diff of typical security-relevant PRs, eliminating the get_file_contents round-trips that drove up token counts.

• Update prompt efficiency guidelines — instruct the agent to batch independent reads in a single tool-use block, work from the pre-fetched diff first, and fall back to mcp__github__get_pull_request_diff (not get_file_contents) only when the diff is truncated.

Lock file regenerated via gh aw compile + post-processing.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/repos/actions/github-script/git/ref/tags/v9
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.71.1
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.71.1 --jq [.object.sha, .object.type] | @tsv (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	86.08%	86.16%	📈 +0.08%
Statements	86.08%	86.15%	📈 +0.07%
Functions	88.18%	88.18%	➡️ +0.00%
Branches	80.27%	80.31%	📈 +0.04%

📁 Per-file Coverage Changes (1 files)

File	Lines (Before → After)	Statements (Before → After)
src/docker-manager.ts	87.4% → 87.7% (+0.29%)	87.0% → 87.3% (+0.27%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[Copilot]

Pull request overview

This PR optimizes the Security Guard agentic workflow to reduce token usage and tool round-trips by reusing already-computed PR metadata and increasing the amount of pre-fetched diff content included in the prompt.

Changes:

• Increase the pre-fetched diff limit from 5 KB → 100 KB and update truncation guidance to use mcp__github__get_pull_request_diff.
• Remove the redundant “Check security relevance” API call from the agent job and pass through the count from check_security_relevance job outputs.
• Update prompt efficiency guidance to encourage batching tool reads and using the pre-fetched diff first.

Show a summary per file

File	Description
.github/workflows/security-guard.md	Raises diff prefetch limit, removes redundant relevance check step, and updates agent prompt guidance.
.github/workflows/security-guard.lock.yml	Regenerated compiled workflow reflecting the new diff limit and relevance count passthrough.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comments suppressed due to low confidence (4)

.github/workflows/security-guard.lock.yml:96

• This uses: reference is no longer pinned to a commit SHA (it uses the mutable tag @v0.71.1). Lock workflows elsewhere in this repo pin github/gh-aw-actions/setup to a full commit SHA; update this to the resolved SHA and recompile the lock file.

        uses: github/gh-aw-actions/setup@v0.71.1
        with:

.github/workflows/security-guard.lock.yml:344

• This job’s github/gh-aw-actions/setup action is referenced by tag (@v0.71.1) instead of a commit SHA, which defeats the purpose of the compiled lock file. Pin it to the resolved commit SHA and regenerate the lock file so all jobs use the same pinned ref.

        uses: github/gh-aw-actions/setup@v0.71.1
        with:

.github/workflows/security-guard.lock.yml:990

• This github/gh-aw-actions/setup reference is tag-based (@v0.71.1) rather than SHA-pinned. For lock workflows, please pin to the exact commit SHA (and ensure the manifest/header list are updated accordingly) to avoid supply-chain drift.

        uses: github/gh-aw-actions/setup@v0.71.1
        with:

.github/workflows/security-guard.lock.yml:1112

• This github/gh-aw-actions/setup uses: entry is tag-based (@v0.71.1) and should be SHA-pinned like other generated *.lock.yml workflows. Re-run compilation in an environment that can resolve tag→SHA (or manually set the resolved SHA) and commit the regenerated lock file.

        uses: github/gh-aw-actions/setup@v0.71.1
        with:

• Files reviewed: 2/2 changed files
• Comments generated: 2

[Copilot]

gh-aw-manifest now records github/gh-aw-actions/setup with sha:"v0.71.1", which is not a commit SHA. This breaks the lock-file’s action pinning and weakens supply-chain guarantees; resolve the tag to the actual commit SHA (as in other *.lock.yml files) and regenerate the lock file with the pinned SHA values.

This issue also appears in the following locations of the same file:

• line 95
• line 343
• line 989
• line 1111

[Copilot]

The instructions reference get_file_contents, but this workflow’s tool allowlist uses MCP tool names (e.g. mcp__github__get_file_contents). To avoid the agent attempting a non-existent tool, align the doc text/tool name with the actual allowed tool name.

Suggested change

	4. **Use `get_file_contents`** only for files not changed in this PR (e.g., to understand adjacent security context)
	4. **Use `mcp__github__get_file_contents`** only for files not changed in this PR (e.g., to understand adjacent security context)

[lpcox]

@copilot address the review feedback, merge main and recompile the workflows

[Copilot]

@copilot address the review feedback, merge main and recompile the workflows

Done in da7ca13:

• Fixed get_file_contents → mcp__github__get_file_contents in the prompt (review comment on line 138)
• Added github/gh-aw-actions/setup@v0.71.1 → 239aec45b78c8799417efdd5bc6d8cc036629ec1 to .github/aw/actions-lock.json so the compiler resolves the tag to the correct commit SHA; all four uses: lines and the gh-aw-manifest entry in the lock file now carry the pinned SHA
• Merged main (already up-to-date) and recompiled with post-processing

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/repos/actions/github-script/git/ref/tags/v9
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv s (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.71.1
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.71.1 --jq [.object.sha, .object.type] | @tsv (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[github-actions]

Smoke Test Results:

• ✅ GitHub MCP: Retrieved fix: block Shocker container-escape syscalls in seccomp profile (CVE-2014-9357) #2276, chore: upgrade to firewall v0.25.29 and mcpg v0.3.1 #2271
• ✅ Playwright: Page title contains "GitHub"
• ✅ File Write: Created test file successfully
• ✅ Bash Tool: Verified file content

Overall: PASS

💥 [THE END] — Illustrated by Smoke Claude

[github-actions]

🔬 Smoke Test Results

PR: perf(security-guard): eliminate redundant API call and raise diff pre-fetch limit to 100 KB
Author: @Copilot | Assignees: @lpcox, @Copilot

Test	Result
GitHub MCP connectivity	✅
GitHub.com HTTP connectivity	❌ (template vars not expanded)
File write/read	❌ (template vars not expanded)

Overall: FAIL — pre-step template variables ($\{\{ steps.smoke-data.outputs.* }}) were not substituted, so HTTP and file test results are unavailable.

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

Smoke Test: Copilot BYOK (Offline) Mode

Test	Result
GitHub MCP connectivity	✅
GitHub.com HTTP	⚠️ template var unresolved
File write/read	❌ file not found
BYOK inference (this response)	✅

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com.

PR author: @Copilot · Assignees: @lpcox, @Copilot

Overall: FAIL — pre-step template variables ($\{\{ steps.smoke-data.outputs.* }}) were not resolved; file test could not be verified.

🔑 BYOK report filed by Smoke Copilot BYOK

[github-actions]

fix: block Shocker container-escape syscalls in seccomp profile (CVE-2014-9357)
chore: upgrade to firewall v0.25.29 and mcpg v0.3.1
GitHub MCP review ❌
safeinputs-gh PR query ❌
Playwright GitHub title ✅
Tavily search ❌
File write + cat ✅
Discussion interaction ❌
Build AWF ✅
Overall: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	1/1 passed	✅ PASS
Go	env	✅	1/1 passed	✅ PASS
Go	uuid	✅	1/1 passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	All passed	✅ PASS
Node.js	execa	✅	All passed	✅ PASS
Node.js	p-limit	✅	All passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Note: Java required using a custom Maven local repository path (-s settings.xml) because the pre-configured ~/.m2 directory was owned by root and not writable by the runner user.

Generated by Build Test Suite for issue #2281 · ● 413.9K · ◷