Skip to content

fix: remove lockdown from issue-monster workflow, add security screening, switch to codex engine, and merge main#17122

Closed
Copilot wants to merge 5 commits intomainfrom
copilot/debug-issue-monster-failure-again
Closed

fix: remove lockdown from issue-monster workflow, add security screening, switch to codex engine, and merge main#17122
Copilot wants to merge 5 commits intomainfrom
copilot/debug-issue-monster-failure-again

Conversation

Copy link
Contributor

Copilot AI commented Feb 20, 2026
edited
Loading

  • Remove lockdown: true from issue-monster.md tools.github configuration
  • Add security screening step (4a) to skip issues with suspicious/malicious content
  • Update guidelines and success criteria to include security screening
  • Switch engine from copilot (gpt-5.1-codex-mini) to codex
  • Merge origin/main (round 1)
  • Merge origin/main (round 2) and recompile all 153 workflow lock files
Original prompt

This section details on the original issue you should resolve

<issue_title>[agentics] Issue Monster failed</issue_title>
<issue_description>### Workflow Failure

Workflow: Issue Monster
Branch: main
Run URL: https://github.com/github/gh-aw/actions/runs/22207821070

Action Required

Option 1: Assign this issue to agent using agentic-workflows

Assign this issue to the agentic-workflows agent to automatically debug and fix the workflow failure.

Option 2: Manually invoke the agent

Debug this workflow failure using the agentic-workflows agent:

/agent agentic-workflows debug the agentic workflow issue-monster failure in https://github.com/github/gh-aw/actions/runs/22207821070

Generated from Issue Monster

  • expires on Feb 27, 2026, 1:42 AM UTC

Comments on the Issue (you are @copilot in this section)

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

@pelikhan
fix: remove lockdown: true from issue-monster workflow
2a3dfca 
The Issue Monster workflow was failing because lockdown: true requires
a custom GitHub token (GH_AW_GITHUB_TOKEN, GH_AW_GITHUB_MCP_SERVER_TOKEN,
or custom github-token) but none are configured in this repo.

Removes lockdown: true and recompiles the lock file.

Fixes: https://github.com/github/gh-aw/actions/runs/22207821070

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Debug workflow failure for Issue Monster fix: remove lockdown from issue-monster workflow Feb 20, 2026
Copilot AI requested a review from pelikhan February 20, 2026 11:30
@pelikhan
Copy link
Contributor

pelikhan commented Feb 20, 2026

@copilot update the prompt to ignore any issue that has a suspicious request, malicious intent, or other harmful or unsecured behaviors

@pelikhan
fix: add security screening step to issue-monster prompt
243e9d1 
Adds a security screening step (step 4a) that instructs the agent to
skip any issue containing prompt injections, malicious code requests,
credential harvesting, supply chain attack patterns, social engineering,
or other harmful content before assigning to Copilot.

Also updates the guidelines and success criteria to reflect the new
security check, and recompiles the lock file.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copy link
Contributor Author

Copilot AI commented Feb 20, 2026

@copilot update the prompt to ignore any issue that has a suspicious request, malicious intent, or other harmful or unsecured behaviors

Added a security screening step (4a) in commit 243e9d1 that instructs the agent to skip any issue containing:

  • Prompt injection (e.g. "ignore previous instructions")
  • Malicious code requests (backdoors, data exfiltration, arbitrary commands)
  • Credential/secret harvesting (reading env vars, tokens, API keys)
  • Supply chain attacks (malicious dependency modifications)
  • Social engineering (claims of special authority to bypass review)
  • Harmful or illegal content

When flagged, the agent reports it via noop without commenting on the suspicious issue itself, then continues screening remaining candidates normally.

Copilot AI changed the title fix: remove lockdown from issue-monster workflow fix: remove lockdown from issue-monster workflow and add security screening Feb 20, 2026
@pelikhan pelikhan marked this pull request as ready for review February 20, 2026 11:41
Copilot AI review requested due to automatic review settings February 20, 2026 11:41
@pelikhan
Copy link
Contributor

pelikhan commented Feb 20, 2026

@copilot use codex

Copilot AI reviewed Feb 20, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adjusts the Issue Monster agentic workflow to avoid failing on lockdown validation in repos without custom GitHub tokens, while adding explicit guidance to skip suspicious/harmful issues before assignment.

Changes:

  • Removed tools.github.lockdown: true from the Issue Monster workflow prompt to rely on default token behavior.
  • Added a “Security Screening” step instructing the agent to skip issues containing prompt injection, malicious requests, secret harvesting, supply-chain manipulation, etc.
  • Recompiled the locked workflow to remove explicit lockdown validation and set GITHUB_LOCKDOWN_MODE based on automatic lockdown detection output.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
.github/workflows/issue-monster.md Removes forced lockdown mode and adds pre-assignment security screening guidance for issue selection.
.github/workflows/issue-monster.lock.yml Removes explicit lockdown validation/injection and wires automatic lockdown detection into MCP server config.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@github-actions github-actions bot mentioned this pull request Feb 20, 2026
Closed
@pelikhan
fix: switch issue-monster engine from copilot to codex
a767c8c 
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copy link
Contributor Author

Copilot AI commented Feb 20, 2026

@copilot use codex

Done in commit a767c8c — switched the engine from copilot (with model: gpt-5.1-codex-mini) to codex.

Copilot AI changed the title fix: remove lockdown from issue-monster workflow and add security screening fix: remove lockdown from issue-monster workflow, add security screening, and switch to codex engine Feb 20, 2026
Copilot AI requested a review from pelikhan February 20, 2026 11:47
@pelikhan
Copy link
Contributor

pelikhan commented Feb 20, 2026

@copilot merge main and recompile

@pelikhan
chore: merge main and recompile all workflows
20200ba 
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copy link
Contributor Author

Copilot AI commented Feb 20, 2026
edited
Loading

@copilot merge main and recompile

Done in commit 20200ba — merged origin/main, rebuilt the binary, and recompiled all 153 workflow lock files.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw 5zy3j5b/VLqiV3ky-C (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/11bd71901bbe5b1630ceea73d27597364c9af683
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/11bd71901bbe5b1630ceea73d27597364c9af683 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v7
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v7 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/4dc6199c7b1a012772edbd06daecab0f50c9053c
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/4dc6199c7b1a012772edbd06daecab0f50c9053c --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v5 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v6 --jq .object.sha (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v6 --jq .object.sha -c=4 -nolocalimports -importcfg /tmp/go-build1299087065/b062/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/pkg/cli/access_log.go /home/REDACTED/work/gh-aw/gh-aw/pkg/cli/actionlint.go (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha -c=4 -nolocalimports -importcfg /tmp/go-build1299087065/b279/importcfg -embedcfg /tmp/go-build1299087065/b279/embedcfg -pack (http block)
  • https://api.github.com/repos/anchore/sbom-action/git/ref/tags/v0
    • Triggering command: /usr/bin/gh gh api /repos/anchore/sbom-action/git/ref/tags/v0 --jq .object.sha (http block)
  • https://api.github.com/repos/docker/build-push-action/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/docker/build-push-action/git/ref/tags/v6 --jq .object.sha ./cmd/gh-aw (http block)
    • Triggering command: /usr/bin/gh gh api /repos/docker/build-push-action/git/ref/tags/v6 --jq .object.sha (http block)
  • https://api.github.com/repos/docker/login-action/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/docker/login-action/git/ref/tags/v3 --jq .object.sha (http block)
  • https://api.github.com/repos/docker/metadata-action/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/docker/metadata-action/git/ref/tags/v5 --jq .object.sha (http block)
  • https://api.github.com/repos/docker/setup-buildx-action/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/docker/setup-buildx-action/git/ref/tags/v3 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/a70c5eada06553e3510ac27f2c3bda9d3705bccb
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/a70c5eada06553e3510ac27f2c3bda9d3705bccb --jq .object.sha (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/-
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/- --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title fix: remove lockdown from issue-monster workflow, add security screening, and switch to codex engine fix: remove lockdown from issue-monster workflow, add security screening, switch to codex engine, and merge main Feb 20, 2026
@pelikhan
Copy link
Contributor

pelikhan commented Feb 20, 2026

@copilot merge main and recompile

Copy link
Contributor Author

Copilot AI commented Feb 20, 2026
edited
Loading

@copilot merge main and recompile

The branch is already up to date with origin/main — no new commits have landed on main since the last merge. All 153 workflow lock files were already recompiled in the previous merge commit (20200ba).

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/11bd71901bbe5b1630ceea73d27597364c9af683
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/11bd71901bbe5b1630ceea73d27597364c9af683 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v7
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v7 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/4dc6199c7b1a012772edbd06daecab0f50c9053c
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/4dc6199c7b1a012772edbd06daecab0f50c9053c --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v5 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v6 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha (http block)
  • https://api.github.com/repos/anchore/sbom-action/git/ref/tags/v0
    • Triggering command: /usr/bin/gh gh api /repos/anchore/sbom-action/git/ref/tags/v0 --jq .object.sha (http block)
  • https://api.github.com/repos/docker/build-push-action/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/docker/build-push-action/git/ref/tags/v6 --jq .object.sha (http block)
  • https://api.github.com/repos/docker/login-action/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/docker/login-action/git/ref/tags/v3 --jq .object.sha (http block)
  • https://api.github.com/repos/docker/metadata-action/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/docker/metadata-action/git/ref/tags/v5 --jq .object.sha (http block)
  • https://api.github.com/repos/docker/setup-buildx-action/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/docker/setup-buildx-action/git/ref/tags/v3 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/a70c5eada06553e3510ac27f2c3bda9d3705bccb
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/a70c5eada06553e3510ac27f2c3bda9d3705bccb --jq .object.sha (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/-
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/- --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

@pelikhan pelikhan closed this Feb 20, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@pelikhan pelikhan Awaiting requested review from pelikhan

Assignees

@pelikhan pelikhan

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[agentics] Issue Monster failed

3 participants

@pelikhan