diff --git a/.github/workflows/weekly-blog-post-writer.lock.yml b/.github/workflows/weekly-blog-post-writer.lock.yml index e9162f81bc..16ab25da0a 100644 --- a/.github/workflows/weekly-blog-post-writer.lock.yml +++ b/.github/workflows/weekly-blog-post-writer.lock.yml @@ -26,7 +26,7 @@ # Imports: # - shared/mcp/qmd-docs.md # -# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"394914f5465bdfefb79a2e0ea981b6be025a4e3ee6097fec435765741c63e25c","strict":true} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"bccf86997b5e61ac97e28d9a6979b8c67b2605ba9fe717b26e672688edcf5a15","strict":true} name: "Weekly Blog Post Writer" "on": @@ -82,9 +82,6 @@ jobs: GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" - GITHUB_MCP_LOCKDOWN_EXPLICIT: "true" - GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} - GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | 
@@ -405,16 +402,6 @@ jobs:
 GH_HOST: github.com
 - name: Install AWF binary
 run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.24.2
- - name: Determine automatic lockdown mode for GitHub MCP Server
- id: determine-automatic-lockdown
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
- env:
- GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }}
- GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }}
- with:
- script: |
- const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs');
- await determineAutomaticLockdown(github, context, core);
 - name: Download container images
 run: bash ${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.2 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.2 ghcr.io/github/gh-aw-firewall/squid:0.24.2 ghcr.io/github/gh-aw-mcpg:v0.1.17 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine
 - name: Install gh-aw extension
@@ -704,8 +691,6 @@ jobs:
 GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
 GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }}
 GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }}
- GITHUB_MCP_GUARD_MIN_INTEGRITY: ${{ steps.determine-automatic-lockdown.outputs.min_integrity }}
- GITHUB_MCP_GUARD_REPOS: ${{ steps.determine-automatic-lockdown.outputs.repos }}
 GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
@@ -744,7 +729,7 @@ jobs:
 "guard-policies": {
 "write-sink": {
 "accept": [
- "*"
+ "private:github/gh-aw"
 ]
 }
 }
@@ -754,15 +739,16 @@ jobs:
 "container": "ghcr.io/github/github-mcp-server:v0.32.0",
 "env": {
 "GITHUB_HOST": "\${GITHUB_SERVER_URL}",
- "GITHUB_LOCKDOWN_MODE": "1",
 "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}",
 "GITHUB_READ_ONLY": "1",
 "GITHUB_TOOLSETS": "repos,pull_requests"
 },
 "guard-policies": {
 "allow-only": {
- "min-integrity": "$GITHUB_MCP_GUARD_MIN_INTEGRITY",
- "repos": "$GITHUB_MCP_GUARD_REPOS"
+ "min-integrity": "approved",
+ "repos": [
+ "github/gh-aw"
+ ]
 }
 }
 },
@@ -775,7 +761,7 @@ jobs:
 "guard-policies": {
 "write-sink": {
 "accept": [
- "*"
+ "private:github/gh-aw"
 ]
 }
 }
@@ -789,7 +775,7 @@ jobs:
 "guard-policies": {
 "write-sink": {
 "accept": [
- "*"
+ "private:github/gh-aw"
 ]
 }
 }
diff --git a/.github/workflows/weekly-blog-post-writer.md b/.github/workflows/weekly-blog-post-writer.md
index 223cdf1fb3..b30555ed86 100644
--- a/.github/workflows/weekly-blog-post-writer.md
+++ b/.github/workflows/weekly-blog-post-writer.md
@@ -18,7 +18,10 @@ tools:
 edit:
 bash: ["*"]
 github:
- lockdown: true
+ lockdown: false
+ repos:
+ - github/gh-aw
+ min-integrity: approved
 toolsets:
 - repos
 - pull_requests
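Review bot: Setting `lockdown: false` in the `github:` tool block moves content-trust enforcement from github-mcp-server's own lockdown mode (the compiled lock file drops `"GITHUB_LOCKDOWN_MODE": "1"` and the determine-automatic-lockdown step) to the gateway's static `allow-only` policy, and nothing in the frontmatter records that intent, so a later reader may take `lockdown: false` to mean filtering is off entirely. A comment above the key would keep the two settings coupled, e.g. `# server-side lockdown is off; the gateway allow-only policy below (repos + min-integrity) is the enforcement point`. The `repos` entry also hard-codes `github/gh-aw`, so the allow-list and the derived write-sink scope no longer follow the repository the workflow runs in; this is presumably intended for this repository only, but it is worth confirming since copying the file elsewhere would silently scope the policy to the wrong repo. It is likewise worth confirming that `min-integrity: approved` at the gateway rejects the same untrusted content that lockdown mode did, since in the compiled output it is now the only such check.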