Remove lockdown: false from all agentic workflows

[Copilot]

lockdown: false was explicitly set in several agentic workflows, opting out of lockdown mode. This removes those overrides and replaces them with explicit guard policy configuration where needed.

Changes

• Removed lockdown: false from github: tool config in:
  • .github/workflows/daily-syntax-error-quality.md
  • .github/workflows/contribution-check.md
  • .github/workflows/scout.md
  • .github/workflows/plan.md
• Added repos: all and min-integrity: none to the github: tool config in contribution-check.md, plan.md, and scout.md to explicitly opt into the most permissive guard policy using the new syntax
• Recompiled corresponding .lock.yml files

Original prompt

Remove "lockdown: false" from all agentic workflows in this repo.

---

📍 Connect Copilot coding agent with Jira, Azure Boards or Linear to delegate work to Copilot in one click without leaving your project management tool.

[pelikhan]

@copilot set min-integrity: none

[Copilot]

Done in 9e9bb30. Added repos: all and min-integrity: none to the github: tools config in contribution-check.md.

[pelikhan]

@copilot set min-integrity: none

[Copilot]

Done in 9e9bb30. Added repos: all and min-integrity: none to the github: tools config in plan.md.

[pelikhan]

@copilot set min-integrity: none

[Copilot]

Done in 9e9bb30. Added repos: all and min-integrity: none to the github: tools config in scout.md.

[Copilot]

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw ai-moderator.md archie.md artifacts-summarrev-parse audi�� auto-triage-issues.md blog-auditor.md bot-detection.md brave.md breaking-change-build changeset.md ci-coach.md (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw ota=5% yHigh=170M (http block)
• https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha cp .github/aw/acremote.origin.url (http block)
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha k/gh-aw/gh-aw/.github/workflows (http block)
• https://api.github.com/repos/github/gh-aw
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility /home/REDACTED/work/_temp/runtime--f (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility k/gh-aw/gh-aw/.gremote.origin.url rev-parse r: $owner, name: $name) { hasDiscussionsEnabled } } l (http block)
• https://api.github.com/repos/githubnext/agentics/git/ref/tags/
  • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha (http block)
  • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha ithub/workflows (http block)
  • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha ithub/workflows /home/REDACTED/worowner=github $name) { hasDiscussionsEnabled } } l /home/REDACTED/wor-V=full ed } } bash /usr�� k/gh-aw/gh-aw/.github/workflows /home/REDACTED/work/gh-aw/gh-aw/.github/workflows/blog-auditor.md repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } /home/REDACTED/worgit /home/REDACTED/wor-C /home/REDACTED/wor/home/REDACTED/work/gh-aw/gh-aw/.github/workflows infocmp (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[Copilot]

Pull request overview

Removes explicit lockdown: false overrides from agentic workflow GitHub tool configs and updates affected workflows to use explicit guard policy configuration, with regenerated lockfiles reflecting the new settings.

Changes:

• Removed lockdown: false from GitHub tool configuration in multiple agentic workflow specs.
• Added explicit guard policy inputs (repos: all, min-integrity: none) where the workflows still need permissive access under the new syntax.
• Recompiled the corresponding .lock.yml files (including removal of automatic lockdown-determination steps where now unnecessary).

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
.github/workflows/scout.md	Removes lockdown: false and sets explicit permissive guard policy inputs.
.github/workflows/scout.lock.yml	Regenerated lockfile reflecting explicit guard policy settings and updated MCP config/steps.
.github/workflows/plan.md	Removes lockdown: false and sets explicit permissive guard policy inputs.
.github/workflows/plan.lock.yml	Regenerated lockfile reflecting explicit guard policy settings and updated MCP config/steps.
.github/workflows/daily-syntax-error-quality.md	Removes lockdown: false from GitHub tool config.
.github/workflows/daily-syntax-error-quality.lock.yml	Regenerated lockfile metadata to match updated frontmatter.
.github/workflows/contribution-check.md	Removes lockdown: false and sets explicit permissive guard policy inputs.
.github/workflows/contribution-check.lock.yml	Regenerated lockfile reflecting explicit guard policy settings and updated MCP config/steps.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.