From 058f7347c56e65694be5db123947e77a6aed354b Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 27 Feb 2026 03:37:15 +0000
Subject: [PATCH 1/3] Initial plan
From f62b0a99b798b99f3c862dd616eff6e30b8d2a35 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 27 Feb 2026 04:00:42 +0000
Subject: [PATCH 2/3] fix: correct permissions in example-permissions-warning.md and remove overriding MCP strict default
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 .github/workflows/example-permissions-warning.lock.yml | 8 ++++----
 .github/workflows/example-permissions-warning.md | 6 +++---
 pkg/cli/mcp_tools_readonly.go | 7 +++----
 3 files changed, 10 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/example-permissions-warning.lock.yml b/.github/workflows/example-permissions-warning.lock.yml
index 54d613147b9..ece95f0e959 100644
--- a/.github/workflows/example-permissions-warning.lock.yml
+++ b/.github/workflows/example-permissions-warning.lock.yml
@@ -23,7 +23,7 @@
 #
 # Example workflow demonstrating proper permission provisioning and security best practices
 #
-# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"94ffd5b85d76a2be5b3602a2babffa5a24d9e2bf59e74b4a81355902bdf06e01"}
+# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"01d1af09922718d2833e6d0106d6a9b90b8b2fa26f127a0b8c9c33bbdbbe4ae8"}
 name: "Example: Properly Provisioned Permissions"
 "on":
@@ -207,9 +207,9 @@ jobs:
 needs: activation
 runs-on: ubuntu-latest
 permissions:
- contents: read
- issues: read
- pull-requests: read
+ contents: write
+ issues: write
+ pull-requests: write
 env:
 GH_AW_WORKFLOW_ID_SANITIZED: examplepermissionswarning
 outputs:
diff --git a/.github/workflows/example-permissions-warning.md b/.github/workflows/example-permissions-warning.md
index 15631f3c420..fe8840bfacb 100644
--- a/.github/workflows/example-permissions-warning.md
+++ b/.github/workflows/example-permissions-warning.md
@@ -4,9 +4,9 @@ timeout-minutes: 5
 on:
 workflow_dispatch:
 permissions:
- contents: read
- issues: read
- pull-requests: read
+ contents: write
+ issues: write
+ pull-requests: write
 tools:
 github:
 toolsets: [repos, issues, pull_requests]
diff --git a/pkg/cli/mcp_tools_readonly.go b/pkg/cli/mcp_tools_readonly.go
index e8868ff1722..16de0dcda3c 100644
--- a/pkg/cli/mcp_tools_readonly.go
+++ b/pkg/cli/mcp_tools_readonly.go
@@ -85,10 +85,9 @@ func registerCompileTool(server *mcp.Server, execCmd execCmdFunc) error {
 mcpLog.Printf("Failed to generate compile tool schema: %v", err)
 return err
 }
- // Add elicitation default: strict defaults to true (most common case)
- if err := AddSchemaDefault(compileSchema, "strict", true); err != nil {
- mcpLog.Printf("Failed to add default for strict: %v", err)
- }
+ // Remove elicitation default for strict to preserve frontmatter strict: false settings.
+ // Without a default, the LLM will omit strict (defaulting to false) and the compiler
+ // will respect the workflow's frontmatter strict setting as designed.
 mcp.AddTool(server, &mcp.Tool{
 Name: "compile",
From 8f71bff624cad22e89f1743b0e7f65c058ab7e76 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 27 Feb 2026 04:19:32 +0000
Subject: [PATCH 3/3] feat: add dangerously-github-MCP-write feature flag to bypass GitHub MCP toolset write permissions check
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 .../example-permissions-warning.lock.yml | 16 +++++-----
 .../workflows/example-permissions-warning.md | 31 +++++++++++--------
 pkg/constants/constants.go | 4 +++
 pkg/workflow/compiler.go | 4 +++
 4 files changed, 34 insertions(+), 21 deletions(-)
diff --git a/.github/workflows/example-permissions-warning.lock.yml b/.github/workflows/example-permissions-warning.lock.yml
index ece95f0e959..1f89c42effd 100644
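Review bot: The replacement comment in registerCompileTool describes the edit ("Remove elicitation default for strict…") rather than the code that remains, so a later reader will look for a removal that is not there; state the resulting contract instead, e.g. `// No schema default for "strict": an omitted value leaves the decision to the workflow's frontmatter strict setting.` Because omitting `strict` now means a non-strict compile, the property description for `strict` in compileSchema (generated above this hunk) is where that should be spelled out, otherwise the MCP client has no signal that it must pass `strict: true` explicitly to get the previous behaviour. Whether an omitted value really resolves to false depends on the compile handler, which is outside this hunk; registerCompileTool continues past the hunk.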
--- a/.github/workflows/example-permissions-warning.lock.yml
+++ b/.github/workflows/example-permissions-warning.lock.yml
@@ -21,11 +21,11 @@
 #
 # For more information: https://github.github.com/gh-aw/introduction/overview/
 #
-# Example workflow demonstrating proper permission provisioning and security best practices
+# Example workflow demonstrating the dangerously-github-MCP-write feature flag for non-read-only GitHub MCP toolsets
 #
-# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"01d1af09922718d2833e6d0106d6a9b90b8b2fa26f127a0b8c9c33bbdbbe4ae8"}
+# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"ad44c7c71f566018ff0f0321c39db00dda366d0a4f34c5407071865a2cf427f0"}
-name: "Example: Properly Provisioned Permissions"
+name: "Example: Non-Read-Only GitHub MCP Without Write Permissions"
 "on":
 workflow_dispatch:
@@ -34,7 +34,7 @@ permissions: {}
 concurrency:
 group: "gh-aw-${{ github.workflow }}"
-run-name: "Example: Properly Provisioned Permissions"
+run-name: "Example: Non-Read-Only GitHub MCP Without Write Permissions"
 jobs:
 activation:
@@ -207,9 +207,9 @@ jobs:
 needs: activation
 runs-on: ubuntu-latest
 permissions:
- contents: write
- issues: write
- pull-requests: write
+ contents: read
+ issues: read
+ pull-requests: read
 env:
 GH_AW_WORKFLOW_ID_SANITIZED: examplepermissionswarning
 outputs:
@@ -271,7 +271,7 @@ jobs:
 model: process.env.GH_AW_MODEL_AGENT_COPILOT || "",
 version: "",
 agent_version: "0.0.418",
- workflow_name: "Example: Properly Provisioned Permissions",
+ workflow_name: "Example: Non-Read-Only GitHub MCP Without Write Permissions",
 experimental: false,
 supports_tools_allowlist: true,
 run_id: context.runId,
diff --git a/.github/workflows/example-permissions-warning.md b/.github/workflows/example-permissions-warning.md
index fe8840bfacb..8661cc37c98 100644
--- a/.github/workflows/example-permissions-warning.md
+++ b/.github/workflows/example-permissions-warning.md
@@ -1,29 +1,34 @@
 ---
-description: Example workflow demonstrating proper permission provisioning and security best practices
+description: Example workflow demonstrating the dangerously-github-MCP-write feature flag for non-read-only GitHub MCP toolsets
 timeout-minutes: 5
 on:
 workflow_dispatch:
 permissions:
- contents: write
- issues: write
- pull-requests: write
+ contents: read
+ issues: read
+ pull-requests: read
 tools:
 github:
 toolsets: [repos, issues, pull_requests]
 read-only: false
 strict: false
 features:
- dangerous-permissions-write: true
+ dangerously-github-MCP-write: true
 ---
-# Example: Properly Provisioned Permissions
+# Example: Non-Read-Only GitHub MCP Without Write Permissions
-This workflow demonstrates properly configured permissions for GitHub toolsets.
+This workflow demonstrates using the `dangerously-github-MCP-write` feature flag to allow
+non-read-only GitHub MCP toolsets without declaring write permissions in the frontmatter.
-The workflow uses three GitHub toolsets with appropriate write permissions:
-- The `repos` toolset requires `contents: write` for repository operations
-- The `issues` toolset requires `issues: write` for issue management
-- The `pull_requests` toolset requires `pull-requests: write` for PR operations
+The workflow uses three GitHub toolsets with `read-only: false`, but only declares read permissions:
+- The `repos` toolset would normally require `contents: write`
+- The `issues` toolset would normally require `issues: write`
+- The `pull_requests` toolset would normally require `pull-requests: write`
-All required permissions are properly declared in the frontmatter, so this workflow
-compiles without warnings and can execute successfully when dispatched.
+By enabling `dangerously-github-MCP-write: true`, the compiler skips the check that
+non-read-only GitHub toolsets require write permissions to be declared. This allows the
+workflow to compile without warnings even though the declared permissions don't include write access.
+
+⚠️ Use this feature flag only when you understand the security implications of allowing
+the GitHub MCP server to perform write operations without explicit permission declarations.
diff --git a/pkg/constants/constants.go b/pkg/constants/constants.go
index 5ace54421de..629283a1265 100644
--- a/pkg/constants/constants.go
+++ b/pkg/constants/constants.go
@@ -684,6 +684,10 @@ const (
 MCPGatewayFeatureFlag FeatureFlag = "mcp-gateway"
 // DangerousPermissionsWriteFeatureFlag is the feature flag name for allowing write permissions
 DangerousPermissionsWriteFeatureFlag FeatureFlag = "dangerous-permissions-write"
+ // DangerouslyGitHubMCPWriteFeatureFlag is the feature flag name for allowing non-read-only GitHub MCP
+ // toolsets without requiring write permissions to be declared in the workflow.
+ // When enabled, the compiler skips the check that non-read-only GitHub toolsets require write permissions.
+ DangerouslyGitHubMCPWriteFeatureFlag FeatureFlag = "dangerously-github-MCP-write"
 // DisableXPIAPromptFeatureFlag is the feature flag name for disabling XPIA prompt
 DisableXPIAPromptFeatureFlag FeatureFlag = "disable-xpia-prompt"
 // CopilotRequestsFeatureFlag is the feature flag name for enabling copilot-requests mode.
diff --git a/pkg/workflow/compiler.go b/pkg/workflow/compiler.go
index 900b60290ba..221cbe96932 100644
--- a/pkg/workflow/compiler.go
+++ b/pkg/workflow/compiler.go
@@ -11,6 +11,7 @@ import (
 "time"
 "github.com/github/gh-aw/pkg/console"
+ "github.com/github/gh-aw/pkg/constants"
 "github.com/github/gh-aw/pkg/logger"
 "github.com/github/gh-aw/pkg/stringutil"
 )
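Review bot: The closing paragraph says the flag allows "the GitHub MCP server to perform write operations without explicit permission declarations", but what this series changes is a compile-time check only; the same frontmatter still declares `contents: read`, `issues: read` and `pull-requests: read`, so the job's token has no write scope and write tool calls would be expected to fail at run time unless the MCP server is configured with a separately scoped token. Suggest replacing the last two lines with `⚠️ This flag only suppresses the compile-time permission check; it does not grant write access. With read-only permissions declared, write tool calls will fail at run time unless the GitHub MCP server is given its own token.`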
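Review bot: The new flag value `"dangerously-github-MCP-write"` is the only mixed-case entry in this const block — its neighbours are `"mcp-gateway"`, `"dangerous-permissions-write"` and `"disable-xpia-prompt"` — and the identifier uses a `Dangerously` prefix where the adjacent sibling is `DangerousPermissionsWriteFeatureFlag`. If feature-flag lookup is case-sensitive (isFeatureEnabled is not in this hunk, so unconfirmed), a user who writes `dangerously-github-mcp-write: true` in frontmatter gets the check enforced with no indication why; for a flag that disables a safety check that is the safer failure mode, but still a surprising one. Prefer the all-lowercase `"dangerously-github-mcp-write"` with a matching `DangerousGitHubMCPWriteFeatureFlag` name, and update the frontmatter, comments and log message in this series that spell the flag out.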
@@ -249,6 +250,9 @@ func (c *Compiler) validateWorkflowData(workflowData *WorkflowData, markdownPath
 // Skip validation if permissions exist but GitHub tool was auto-added (not explicit)
 if hasPermissions && !workflowData.HasExplicitGitHubTool {
 log.Printf("Skipping permission validation: permissions exist but tools.github not explicitly configured")
+ } else if isFeatureEnabled(constants.DangerouslyGitHubMCPWriteFeatureFlag, workflowData) {
+ // Skip validation if the dangerously-github-MCP-write feature flag is enabled
+ log.Printf("Skipping GitHub MCP permissions validation: dangerously-github-MCP-write feature flag is enabled")
 } else {
 // Parse permissions from the workflow data
 // WorkflowData.Permissions contains the raw YAML string (including "permissions:" prefix)
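Review bot: The new `else if` branch disables the GitHub MCP write-permission validation with nothing more than a `log.Printf` line, so a workflow that opts out of a safety check compiles with no user-visible output — the accompanying example even advertises that it "compiles without warnings". A flag named dangerously-* should surface a compile-time warning on the console (the file already imports `github.com/github/gh-aw/pkg/console`) naming the flag and the affected toolsets, so the bypass is visible in compile output and in review of the generated lock file rather than only in logs. The branch is also reached only when the preceding `hasPermissions && !workflowData.HasExplicitGitHubTool` case does not match, which is fine but worth stating in the comment, e.g. `// Explicit opt-out: the flag is consulted only when permissions and an explicit tools.github are both present.` validateWorkflowData continues outside the hunk.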