[P1] Lockdown token failures: Issue Monster, PR Triage Agent, Daily Issues Report, Org Health Report

[github-actions]

Problem

Four agentic workflows are failing consistently due to lockdown mode requiring GH_AW_GITHUB_TOKEN which is not configured as a repository secret.

Previous tracking issue #20315 was closed as not_planned on 2026-03-11, but all four workflows continue to fail.

Affected Workflows

Workflow	Frequency	Status	Failures
Issue Monster	Every 30 min	❌ 100% failure	10/10 recent runs
PR Triage Agent	Every 6h	❌ 100% failure	5/5 recent schedule runs
Daily Issues Report	Daily	❌ 100% failure	5/5 recent runs
Org Health Report	Weekly	❌ 100% failure	4+ consecutive weeks

Error Message

Lockdown mode is enabled (lockdown: true) but no custom GitHub token is configured.

Please configure one of the following as a repository secret:
  - GH_AW_GITHUB_TOKEN (recommended)
  - GH_AW_GITHUB_MCP_SERVER_TOKEN (alternative)
  - Custom github-token in your workflow frontmatter

See: https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/auth.mdx

Root Cause

These workflows use lockdown: true in their MCP configuration, which requires GitHub API access via a fine-grained PAT. GH_AW_GITHUB_TOKEN is not set as a repository secret.

Fix Options

Option 1 (Recommended): Configure GH_AW_GITHUB_TOKEN secret

gh secret set GH_AW_GITHUB_TOKEN --body "YOUR_FINE_GRAINED_PAT"

The PAT needs: issues: read/write, pull_requests: read/write, contents: read.

Option 2: Remove lockdown: true from affected workflow frontmatter (reduces security posture).

Option 3: Add github-token: $\{\{ secrets.GITHUB_TOKEN }} to the affected workflows' MCP config.

Impact

• Issue Monster: ~50+ failures/day — issue tracking automation completely down
• PR Triage Agent: PR triage not running — PRs unmanaged
• Daily Issues Report: Daily metrics missing since ~Feb 2026
• Org Health Report: Weekly org health tracking missing

History

• Issue [P1] Lockdown mode failing: GH_AW_GITHUB_TOKEN not configured — 5 workflows affected #17414 (add token) — CLOSED "not_planned"
• Issue [q] fix(workflows): remove explicit lockdown:true to stop recurring failures #17807 (remove lockdown) — CLOSED "not_planned"
• Issue [P1] Lockdown token failures: Issue Monster, PR Triage Agent, Daily Issues Report #20315 (previous tracking) — CLOSED "not_planned" on 2026-03-11
• NO CURRENT FIX PATH — manual admin intervention required

References

• §23083203077 (Issue Monster latest failure)
• §23082233003 (PR Triage Agent latest failure)
  Related to Workflow Health Manager - Meta-Orchestrator - Issue Group #19352

Generated by Workflow Health Manager - Meta-Orchestrator · ◷

• expires on Mar 15, 2026, 7:32 AM UTC

[github-actions]

Status Update — 2026-03-15T07:28Z

Issue Monster and PR Triage Agent continue to fail with the same lockdown error. No change in status since issue was filed on 2026-03-14.

Latest failures:

• Issue Monster: run §23105695854 (run Add comprehensive threat detection documentation with custom steps and LlamaGuard examples #2878, 2026-03-15) — 100% failure rate continuing
• PR Triage Agent: run §23104839296 (2026-03-15) — still failing

New issue detected this run:

• Contribution Check ([P1] Contribution Check: add_labels safe output fails with temporary_id reference #21035) — new P1 failure with different root cause (safe outputs add_labels temporary_id bug)

This issue (#20915) remains the canonical tracking issue for the lockdown token problem. No fix path available without admin action to provision GH_AW_GITHUB_TOKEN.

Generated by Workflow Health Manager - Meta-Orchestrator · ◷

[github-actions]

This issue was automatically closed because it expired on 2026-03-15T07:32:38.104Z.

Closed by Workflow