[cli-tools-test] Issue Monster and other workflows failing: guard policy missing repos field #21875

Exploratory testing of the audit and logs CLI tools revealed a critical regression causing multiple workflows to fail consistently since at least 2026-03-19.

### Problem Description

Workflows using `min-integrity: approved` in their GitHub tool guard policy are failing at the **Start MCP Gateway** step with:

```
MCPG Error: failed to create unified server: failed to register guard for server "github":
invalid server guard policy: invalid guard policy JSON: allow-only must include repos
```

The MCP gateway (`ghcr.io/github/gh-aw-mcpg:v0.1.19`) now requires the `repos` field in all `allow-only` policies, but the gh-aw compiler only includes it when `min-integrity: none`.

### Root Cause

Compiler generates two different guard policy formats:

When `min-integrity: none` (working — Contribution Check):

```json
"allow-only": {
  "min-integrity": "none",
  "repos": "all"
}
```

When `min-integrity: approved` (broken — Issue Monster):

```json
"allow-only": {
  "min-integrity": "approved"
}
```

The `repos: all` field is missing from the compiled guard policy for non-`none` integrity levels.

### Steps to Reproduce

1. Look at `.github/workflows/issue-monster.md` — it uses `min-integrity: approved`
2. Examine the compiled `issue-monster.lock.yml` — guard policy lacks `repos` field
3. Compare to `contribution-check.lock.yml` (uses `min-integrity: none`) — it has `"repos": "all"`
4. Run Issue Monster — it fails at **Start MCP Gateway**

### Impact

- **Severity**: Critical
- **Frequency**: Every run (100% failure rate)
- **Affected workflows** (those using `min-integrity: approved`):
  - Issue Monster (3082–3091+, ~10 consecutive failures)
  - daily-issues-report
  - discussion-task-miner
  - grumpy-reviewer
  - issue-arborist
  - issue-triage-agent
  - org-health-report
  - pr-triage-agent
- **Total failed runs detected**: 52+ in the downloaded log set

### Evidence

From run [§23322201021](https://github.com/github/gh-aw/actions/runs/23322201021) (`workflow-logs/agent/17_Start MCP Gateway.txt`):

```
2026-03-19T23:41:38Z ERROR: Gateway process (PID: 4106) exited during initialization
2026-03-19T23:41:38Z Gateway exit status: 1
2026-03-19T23:41:38Z MCPG Error: failed to create unified server: failed to register guard for server "github":
invalid server guard policy: invalid guard policy JSON: allow-only must include repos
```

### Fix

In the guard policy compiler, always include `"repos": "all"` in the `allow-only` policy regardless of the `min-integrity` value. The compiled output should be:

```json
"allow-only": {
  "min-integrity": "approved",
  "repos": "all"
}
```

### Workaround

Temporarily change `min-integrity: approved` to `min-integrity: none` in affected workflow markdown files (not recommended as it reduces security).

Generated by Daily CLI Tools Exploratory Tester · expires on Mar 27, 2026, 12:02 AM UTC
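
A pre-flight check for the condition reported above, as an added example (not code from gh-aw or the gateway): it walks a JSON document and reports every `allow-only` policy that lacks `repos`, and separately notes policies at `min-integrity: none` so the workaround is not left in place unnoticed. The wrapper keys in the sample and the finding codes are assumptions; the issue shows only the `allow-only` fragments.

```python
import json

def find_allow_only(node, path="$"):
    """Yield (path, policy) for every "allow-only" object nested anywhere in node."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "allow-only" and isinstance(value, dict):
                yield child, value
            else:
                yield from find_allow_only(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_allow_only(item, f"{path}[{i}]")

def audit_guard_policies(config_text):
    """Return (path, code) findings for a JSON document holding guard policies."""
    findings = []
    for path, policy in find_allow_only(json.loads(config_text)):
        if "repos" not in policy:
            # The condition the gateway rejects: "allow-only must include repos".
            findings.append((path, "missing-repos"))
        if policy.get("min-integrity") == "none":
            # Valid for some workflows, but also what the workaround leaves behind.
            findings.append((path, "integrity-none"))
    return findings

# Constructed sample. The wrapper keys ("servers", "guard-policy") are hypothetical;
# only the "allow-only" objects match the fragments quoted in the issue.
SAMPLE = """
{
  "servers": {
    "issue-monster": {"guard-policy": {"allow-only": {"min-integrity": "approved"}}},
    "contribution-check": {"guard-policy": {"allow-only":
        {"min-integrity": "none", "repos": "all"}}},
    "fixed": {"guard-policy": {"allow-only":
        {"min-integrity": "approved", "repos": "all"}}}
  }
}
"""

if __name__ == "__main__":
    for path, code in audit_guard_policies(SAMPLE):
        print(f"{code}: {path}")
```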
