diff --git a/docs/src/content/docs/reference/github-tools.md b/docs/src/content/docs/reference/github-tools.md index 206af5b4a5..23b89943a1 100644 --- a/docs/src/content/docs/reference/github-tools.md +++ b/docs/src/content/docs/reference/github-tools.md @@ -57,10 +57,6 @@ tools: ## Guard Policies -:::caution[Experimental Feature] -Guard policy fields (`repos` and `min-integrity`) are experimental and may change in future releases. Using either field emits a compilation warning. -::: - Restrict which repositories and integrity levels the GitHub MCP server can access during agent execution. Guard policies apply fine-grained access control at the MCP gateway level. For **public repositories** without explicit guard policy configuration, `min-integrity: approved` is applied automatically at runtime, ensuring content is filtered to owners, members, and collaborators even without additional authentication. See [Automatic Minimum-Integrity Protection](/gh-aw/reference/lockdown-mode/#automatic-minimum-integrity-protection) for details. diff --git a/docs/src/content/docs/reference/glossary.md b/docs/src/content/docs/reference/glossary.md index b1ad6bb6a5..564628c10d 100644 --- a/docs/src/content/docs/reference/glossary.md +++ b/docs/src/content/docs/reference/glossary.md 
@@ -69,10 +69,7 @@ Capabilities that an AI agent can use during workflow execution. Tools are confi ### Guard Policy -An experimental access control configuration for the GitHub MCP server that restricts which repositories and content integrity levels the agent can read. Configured via `tools.github.repos` (repository scope: `"all"`, `"public"`, or a list of patterns) and `tools.github.min-integrity` (minimum required integrity level). Both fields are required when either is specified. Integrity levels by trust: `merged` (content reachable from the main branch) > `approved` (owners, members, collaborators) > `unapproved` (contributors) > `none` (first-time users). See [GitHub Tools Reference](/gh-aw/reference/github-tools/#guard-policies). - -> [!NOTE] -> Guard policy fields are experimental and may change in future releases. Using either field emits a compilation warning. +An access control configuration for the GitHub MCP server that restricts which repositories and content integrity levels the agent can read. Configured via `tools.github.repos` (repository scope: `"all"`, `"public"`, or a list of patterns) and `tools.github.min-integrity` (minimum required integrity level). Both fields are required when either is specified. Integrity levels by trust: `merged` (content reachable from the main branch) > `approved` (owners, members, collaborators) > `unapproved` (contributors) > `none` (first-time users). See [GitHub Tools Reference](/gh-aw/reference/github-tools/#guard-policies). ## Security and Outputs diff --git a/pkg/workflow/compiler.go b/pkg/workflow/compiler.go index 4d6b44d2b2..48a96b7333 100644 --- a/pkg/workflow/compiler.go +++ b/pkg/workflow/compiler.go 
@@ -273,15 +273,6 @@ func (c *Compiler) validateWorkflowData(workflowData *WorkflowData, markdownPath c.IncrementWarningCount() } - // Emit experimental warning for tools.github guard policy (repos/min-integrity) - if workflowData.ParsedTools != nil && workflowData.ParsedTools.GitHub != nil { - github := workflowData.ParsedTools.GitHub - if github.Repos != nil || github.MinIntegrity != "" { - fmt.Fprintln(os.Stderr, console.FormatWarningMessage("Using experimental feature: tools.github guard policy (repos/min-integrity)")) - c.IncrementWarningCount() - } - } - // Validate workflow_run triggers have branch restrictions log.Printf("Validating workflow_run triggers for branch restrictions") if err := c.validateWorkflowRunBranches(workflowData, markdownPath); err != nil { diff --git a/pkg/workflow/guard_policy_experimental_warning_test.go b/pkg/workflow/guard_policy_experimental_warning_test.go index c68860ce30..91028bec71 100644 --- a/pkg/workflow/guard_policy_experimental_warning_test.go +++ b/pkg/workflow/guard_policy_experimental_warning_test.go @@ -13,16 +13,16 @@ import ( "github.com/github/gh-aw/pkg/testutil" ) -// TestGuardPolicyExperimentalWarning tests that the tools.github guard policy -// (repos/min-integrity) emits an experimental warning when enabled. -func TestGuardPolicyExperimentalWarning(t *testing.T) { +// TestGuardPolicyNoExperimentalWarning tests that the tools.github guard policy +// (repos/min-integrity) does not emit an experimental warning, as the feature +// is no longer considered experimental. +func TestGuardPolicyNoExperimentalWarning(t *testing.T) { tests := []struct { - name string - content string - expectWarning bool + name string + content string }{ { - name: "guard policy enabled produces experimental warning", + name: "guard policy enabled does not produce experimental warning", content: `--- on: workflow_dispatch engine: copilot 
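Review bot: The doc comment of the renamed TestGuardPolicyNoExperimentalWarning says the feature "is no longer considered experimental" but does not say why four table cases are kept now that `expectWarning` is gone and every case carries the same expectation; a reader will wonder whether the no-guard-policy cases are dead weight. Suggest stating the intent on the table, e.g. `// Both guard-policy and plain github-tool workflows are compiled so a regression that re-adds the warning on either path is caught.`, or collapsing the table to the two guard-policy cases. The file is still named guard_policy_experimental_warning_test.go while the test it holds now asserts the opposite; renaming it to match the new test name (the later hunks at @@ -36, @@ -49, @@ -66, @@ -84 only touch the same table) would keep the tree consistent. The test function's body continues outside this hunk.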
@@ -36,7 +36,6 @@ permissions: # Test Workflow `, - expectWarning: true, }, { name: "no guard policy does not produce experimental warning", @@ -49,7 +48,6 @@ permissions: # Test Workflow `, - expectWarning: false, }, { name: "github tool without guard policy does not produce experimental warning", @@ -66,10 +64,9 @@ permissions: # Test Workflow `, - expectWarning: false, }, { - name: "guard policy with repos array produces experimental warning", + name: "guard policy with repos array does not produce experimental warning", content: `--- on: workflow_dispatch engine: copilot @@ -84,7 +81,6 @@ permissions: # Test Workflow `, - expectWarning: true, }, } @@ -118,24 +114,9 @@ permissions: return } - expectedMessage := "Using experimental feature: tools.github guard policy (repos/min-integrity)" - - if tt.expectWarning { - if !strings.Contains(stderrOutput, expectedMessage) { - t.Errorf("Expected warning containing '%s', got stderr:\n%s", expectedMessage, stderrOutput) - } - } else { - if strings.Contains(stderrOutput, expectedMessage) { - t.Errorf("Did not expect warning '%s', but got stderr:\n%s", expectedMessage, stderrOutput) - } - } - - // Verify warning count includes guard policy warning - if tt.expectWarning { - warningCount := compiler.GetWarningCount() - if warningCount == 0 { - t.Error("Expected warning count > 0 but got 0") - } + unexpectedMessage := "Using experimental feature: tools.github guard policy (repos/min-integrity)" + if strings.Contains(stderrOutput, unexpectedMessage) { + t.Errorf("Did not expect experimental warning '%s', but got stderr:\n%s", unexpectedMessage, stderrOutput) } }) }
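Review bot: The rewritten check at the end of the last hunk is purely negative and keyed to the exact retired wording, so a reintroduced warning with slightly different text would not be caught, and since the `compiler.GetWarningCount()` check was removed in the same hunk nothing verifies the warning count any more. A looser match such as `unexpectedMessage := "experimental feature: tools.github guard policy"` is cheap, and comparing the warning count of the guard-policy cases against the no-guard-policy baseline would tie the assertion to the counter the old code incremented rather than to stderr text alone. Whether an early `return` above the hunk can leave `stderrOutput` empty and let the check pass vacuously depends on code outside this hunk; if so, the test should fail on that path rather than fall through. Minor: `t.Errorf("Did not expect experimental warning %q, but got stderr:\n%s", unexpectedMessage, stderrOutput)` quotes the message more safely than `'%s'`.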