From 72066515c0d0699527c2d2272094bbf9aec4e4bf Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 19 Mar 2026 03:06:08 +0000 Subject: [PATCH 1/3] Initial plan From 58a91572faa52eb5e3b8623227b7ac8eea2d8767 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 19 Mar 2026 03:16:34 +0000 Subject: [PATCH 2/3] fix: remove experimental warning for tools.github guard policy (repos/min-integrity) Co-authored-by: dsyme <7204669+dsyme@users.noreply.github.com> --- .../content/docs/reference/github-tools.md | 4 -- docs/src/content/docs/reference/glossary.md | 5 +-- pkg/workflow/compiler.go | 9 ---- .../guard_policy_experimental_warning_test.go | 43 +++++++------------ 4 files changed, 16 insertions(+), 45 deletions(-) diff --git a/docs/src/content/docs/reference/github-tools.md b/docs/src/content/docs/reference/github-tools.md index 206af5b4a5d..23b89943a1d 100644 --- a/docs/src/content/docs/reference/github-tools.md +++ b/docs/src/content/docs/reference/github-tools.md @@ -57,10 +57,6 @@ tools: ## Guard Policies -:::caution[Experimental Feature] -Guard policy fields (`repos` and `min-integrity`) are experimental and may change in future releases. Using either field emits a compilation warning. -::: - Restrict which repositories and integrity levels the GitHub MCP server can access during agent execution. Guard policies apply fine-grained access control at the MCP gateway level. For **public repositories** without explicit guard policy configuration, `min-integrity: approved` is applied automatically at runtime, ensuring content is filtered to owners, members, and collaborators even without additional authentication. See [Automatic Minimum-Integrity Protection](/gh-aw/reference/lockdown-mode/#automatic-minimum-integrity-protection) for details. 
diff --git a/docs/src/content/docs/reference/glossary.md b/docs/src/content/docs/reference/glossary.md index b1ad6bb6a52..564628c10df 100644 --- a/docs/src/content/docs/reference/glossary.md +++ b/docs/src/content/docs/reference/glossary.md @@ -69,10 +69,7 @@ Capabilities that an AI agent can use during workflow execution. Tools are confi ### Guard Policy -An experimental access control configuration for the GitHub MCP server that restricts which repositories and content integrity levels the agent can read. Configured via `tools.github.repos` (repository scope: `"all"`, `"public"`, or a list of patterns) and `tools.github.min-integrity` (minimum required integrity level). Both fields are required when either is specified. Integrity levels by trust: `merged` (content reachable from the main branch) > `approved` (owners, members, collaborators) > `unapproved` (contributors) > `none` (first-time users). See [GitHub Tools Reference](/gh-aw/reference/github-tools/#guard-policies). - -> [!NOTE] -> Guard policy fields are experimental and may change in future releases. Using either field emits a compilation warning. +An access control configuration for the GitHub MCP server that restricts which repositories and content integrity levels the agent can read. Configured via `tools.github.repos` (repository scope: `"all"`, `"public"`, or a list of patterns) and `tools.github.min-integrity` (minimum required integrity level). Both fields are required when either is specified. Integrity levels by trust: `merged` (content reachable from the main branch) > `approved` (owners, members, collaborators) > `unapproved` (contributors) > `none` (first-time users). See [GitHub Tools Reference](/gh-aw/reference/github-tools/#guard-policies). ## Security and Outputs diff --git a/pkg/workflow/compiler.go b/pkg/workflow/compiler.go index 4d6b44d2b2b..48a96b73339 100644 --- a/pkg/workflow/compiler.go +++ b/pkg/workflow/compiler.go 
@@ -273,15 +273,6 @@ func (c *Compiler) validateWorkflowData(workflowData *WorkflowData, markdownPath c.IncrementWarningCount() } - // Emit experimental warning for tools.github guard policy (repos/min-integrity) - if workflowData.ParsedTools != nil && workflowData.ParsedTools.GitHub != nil { - github := workflowData.ParsedTools.GitHub - if github.Repos != nil || github.MinIntegrity != "" { - fmt.Fprintln(os.Stderr, console.FormatWarningMessage("Using experimental feature: tools.github guard policy (repos/min-integrity)")) - c.IncrementWarningCount() - } - } - // Validate workflow_run triggers have branch restrictions log.Printf("Validating workflow_run triggers for branch restrictions") if err := c.validateWorkflowRunBranches(workflowData, markdownPath); err != nil { diff --git a/pkg/workflow/guard_policy_experimental_warning_test.go b/pkg/workflow/guard_policy_experimental_warning_test.go index c68860ce309..29ddb98f0df 100644 --- a/pkg/workflow/guard_policy_experimental_warning_test.go +++ b/pkg/workflow/guard_policy_experimental_warning_test.go @@ -13,16 +13,16 @@ import ( "github.com/github/gh-aw/pkg/testutil" ) -// TestGuardPolicyExperimentalWarning tests that the tools.github guard policy -// (repos/min-integrity) emits an experimental warning when enabled. -func TestGuardPolicyExperimentalWarning(t *testing.T) { +// TestGuardPolicyNoExperimentalWarning tests that the tools.github guard policy +// (repos/min-integrity) does not emit an experimental warning, as the feature +// is no longer considered experimental. +func TestGuardPolicyNoExperimentalWarning(t *testing.T) { tests := []struct { - name string - content string - expectWarning bool + name string + content string }{ { - name: "guard policy enabled produces experimental warning", + name: "guard policy enabled does not produce experimental warning", content: `--- on: workflow_dispatch engine: copilot 
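Review bot: With `expectWarning` dropped from the table struct in `TestGuardPolicyNoExperimentalWarning`, all four cases now run the same check, and that check (in the last hunk of this file, `@@ -118,24 +114,15 @@`) only asserts that a message literal deleted from compiler.go by this same patch is absent from stderr. The test can therefore fail only if that exact string is reintroduced; it would not notice a guard policy that compiles but is dropped or mis-parsed, which matters more now that `repos`/`min-integrity` are documented as a non-experimental access control. I would either add a positive assertion for the two guard-policy cases that the configured `repos` and `min-integrity` values reach the compiled output, or state the narrow intent above the check with `// Regression guard only: fails if the removed experimental-feature warning is reintroduced.` The test function's body continues outside this hunk, so an existing positive check elsewhere in it is not ruled out.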
@@ -36,7 +36,6 @@ permissions: # Test Workflow `, - expectWarning: true, }, { name: "no guard policy does not produce experimental warning", @@ -49,7 +48,6 @@ permissions: # Test Workflow `, - expectWarning: false, }, { name: "github tool without guard policy does not produce experimental warning", @@ -66,10 +64,9 @@ permissions: # Test Workflow `, - expectWarning: false, }, { - name: "guard policy with repos array produces experimental warning", + name: "guard policy with repos array does not produce experimental warning", content: `--- on: workflow_dispatch engine: copilot @@ -84,7 +81,6 @@ permissions: # Test Workflow `, - expectWarning: true, }, } @@ -118,24 +114,15 @@ permissions: return } - expectedMessage := "Using experimental feature: tools.github guard policy (repos/min-integrity)" - - if tt.expectWarning { - if !strings.Contains(stderrOutput, expectedMessage) { - t.Errorf("Expected warning containing '%s', got stderr:\n%s", expectedMessage, stderrOutput) - } - } else { - if strings.Contains(stderrOutput, expectedMessage) { - t.Errorf("Did not expect warning '%s', but got stderr:\n%s", expectedMessage, stderrOutput) - } + unexpectedMessage := "Using experimental feature: tools.github guard policy (repos/min-integrity)" + if strings.Contains(stderrOutput, unexpectedMessage) { + t.Errorf("Did not expect experimental warning '%s', but got stderr:\n%s", unexpectedMessage, stderrOutput) } - // Verify warning count includes guard policy warning - if tt.expectWarning { - warningCount := compiler.GetWarningCount() - if warningCount == 0 { - t.Error("Expected warning count > 0 but got 0") - } + // Verify that no guard policy warning was recorded in the warning count + warningCount := compiler.GetWarningCount() + if warningCount != 0 { + t.Errorf("Expected no warnings but got %d warning(s); stderr:\n%s", warningCount, stderrOutput) } }) } From 68f03d9e5cde800b01f5caa3a52aacf0ea111476 Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 19 Mar 2026 03:33:32 +0000
Subject: [PATCH 3/3] fix: remove overly-strict warning count check from guard policy test
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 pkg/workflow/guard_policy_experimental_warning_test.go | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/pkg/workflow/guard_policy_experimental_warning_test.go b/pkg/workflow/guard_policy_experimental_warning_test.go
index 29ddb98f0df..91028bec715 100644
--- a/pkg/workflow/guard_policy_experimental_warning_test.go
+++ b/pkg/workflow/guard_policy_experimental_warning_test.go
@@ -118,12 +118,6 @@ permissions:
 if strings.Contains(stderrOutput, unexpectedMessage) {
 t.Errorf("Did not expect experimental warning '%s', but got stderr:\n%s", unexpectedMessage, stderrOutput)
 }
-
- // Verify that no guard policy warning was recorded in the warning count
- warningCount := compiler.GetWarningCount()
- if warningCount != 0 {
- t.Errorf("Expected no warnings but got %d warning(s); stderr:\n%s", warningCount, stderrOutput)
- }
 })
 }
 }