fix(auto-triage): lower min-integrity to none to unblock scheduled triage of unlabeled community issues#24214
Closed
fix(auto-triage): lower min-integrity to none to unblock scheduled triage of unlabeled community issues#24214
Conversation
…IFC blocking on scheduled runs Agent-Logs-Url: https://github.com/github/gh-aw/sessions/ef49264b-f130-439f-b22f-55a73c3ceb56 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Fix auto-triage issues engine failure
fix(auto-triage): lower min-integrity to none to unblock scheduled triage of unlabeled community issues
Apr 3, 2026
pelikhan
approved these changes
Apr 3, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
This PR unblocks the scheduled Auto-Triage Issues workflow by removing an integrity-policy deadlock that prevented reading unlabeled community issues (the very issues the workflow is intended to label).
Changes:
- Lowered GitHub MCP guard policy from
min-integrity: approvedtomin-integrity: nonefor the auto-triage workflow. - Regenerated the compiled workflow lockfile to reflect the updated guard policy in the MCP gateway config.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .github/workflows/auto-triage-issues.md | Updates GitHub MCP tool config to allow reading unlabeled issues (min-integrity: none). |
| .github/workflows/auto-triage-issues.lock.yml | Recompiled output reflecting the new min-integrity value in the generated MCP gateway configuration. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The
Auto-Triage Issuesscheduled run was failing with 145 DIFC-filtered events and 6.4M effective tokens consumed before the 15-minute step timeout killed the process. Root cause:min-integrity: approvedon the GitHub MCP creates a chicken-and-egg deadlock —approval-labels: [community]only upgrades integrity for issues that already carry thecommunitylabel, but the workflow's entire purpose is to apply that label to unlabeled community issues.Changes
auto-triage-issues.md: Changemin-integrity: approved→min-integrity: noneon the GitHub MCP tool configauto-triage-issues.lock.yml: Recompiled to reflect updated guard policyThis is safe: the GitHub MCP runs with
GITHUB_READ_ONLY: "1", and all writes flow through thesafeoutputsMCP which already usesaccept: ["*"]with its own rate-limiting (add_labels.max: 10).Warning
Firewall rules blocked me from connecting to one or more addresses (expand for details)
I tried to connect to the following addresses, but was blocked by firewall rules:
https://api.github.com/graphql/usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw on x_amd64/link git rev-�� --show-toplevel x_amd64/link /usr/bin/git se 2819268/b045/vetrev-parse .cfg git(http block)https://api.github.com/orgs/test-owner/actions/secrets/usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name json' --ignore-path ../../../.pr**/*.json --global om(http block)https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1/usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git .js' --ignore-pagit(http block)https://api.github.com/repos/actions/checkout/git/ref/tags/v3/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha -test.paniconexit0(http block)https://api.github.com/repos/actions/checkout/git/ref/tags/v5/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha copilot/aw-auto-triage-issues-failure(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha list --json /usr/bin/git --workflow nonexistent-workrev-parse --limit git rev-�� --show-toplevel 64/pkg/tool/linuorigin /usr/bin/git --noprofile(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet /usr/bin/git --write ../../../**/*.jsrev-parse 64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git -unreachable=falgit /tmp/go-build174rev-parse 2819268/b360/vet--show-toplevel git(http block)https://api.github.com/repos/actions/checkout/git/ref/tags/v6/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha /tmp/shared-actions-test2988574423 rev-parse /usr/bin/git --local pull.rebase x_amd64/vet git -C /tmp/gh-aw-test-runs/20260403-023625-13662/test-3220668370 rev-parse /usr/bin/git @{u} HEAD x_amd64/vet git(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha /tmp/TestHashStability_SameInputSameOutput2633520016/001/stability-test.md x_amd64/vet /usr/bin/git --local pull.rebase x_amd64/vet git chec�� .github/workflows/test.md x_amd64/vet /usr/bin/git --verify main x_amd64/vet git(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet /usr/bin/git 3220668370 2819268/b239/vetrev-parse .cfg git rev-�� --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet /usr/bin/git --noprofile(http block)https://api.github.com/repos/actions/github-script/git/ref/tags/v8/usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha(http block)/usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha get --local es/.bin/sh credential.usern/opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/compile(http block)/usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha path .prettierignore --log-level=error 2>&1 --local iptables user.name(http block)https://api.github.com/repos/actions/setup-go/git/ref/tags/v4/usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha xterm-color -tests r,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,disp--show-toplevel --local flow-12345 x_amd64/vet git rev-�� --git-dir x_amd64/vet /usr/bin/git --abbrev-ref HEAD x_amd64/vet git(http block)/usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha --show-toplevel /opt/hostedtoolcache/node/24.14.0/x64/bin/node /usr/bin/git github.event.issgit x_amd64/vet /usr/bin/git git merg�� 84482124/custom/workflows d59ca333847e87ba51402549320e046180d69d49 /usr/bin/git --git-dir x_amd64/vet /bin/sh git(http block)https://api.github.com/repos/actions/setup-node/git/ref/tags/v4/usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha /repos/actions/github-script/git/ref/tags/v8 --jq /usr/bin/git --local pull.rebase x_amd64/vet git chec�� .github/workflows/test.md x_amd64/vet 2819268/b457/vet.cfg --abbrev-ref HEAD x_amd64/vet git(http block)/usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha --show-toplevel git /usr/bin/mkdir --show-toplevel E03IKOxFokRP /usr/bin/git N1/TAL6N4ToIXkWLkXMQ3-H/pSzKQaSHe5hITblEtuWY -p /tmp/gh-aw git 3b4ceb545a00b57c447f8e9593dcab90e3cbc064dbdb2645-d --show-toplevel x_amd64/vet /usr/lib/git-cor--show-toplevel git(http block)https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha -test.paniconexit0 -test.v=true /usr/bin/git -test.timeout=10git -test.run=^Test -test.short=true--show-toplevel git -C /tmp/gh-aw-test-runs/20260403-023625-13662/test-3220668370 rev-parse /usr/bin/git @{u} HEAD x_amd64/vet git(http block)https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha licyBlockedUsersExpressionCompiledOutput1160188274/001 /tmp/go-build1742819268/b248/vet.cfg ache/go/1.25.0/x64/pkg/tool/linux_amd64/compile l(http block)https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha 3625-13662/test-3220668370 /tmp/go-build1742819268/b245/vet.cfg 2819268/b424/parser.test h ../../../.pretgit(http block)https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts/usr/bin/gh gh run download 1 --dir test-logs/run-1(http block)https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts/usr/bin/gh gh run download 12345 --dir test-logs/run-12345 .cfg 64/pkg/tool/linux_amd64/vet 0 -j ACCEPT 64/pkg/tool/linux_amd64/vet --no�� 1486108913/.github/workflows(http block)https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts/usr/bin/gh gh run download 12346 --dir test-logs/run-12346 .cfg 64/pkg/tool/linux_amd64/vet INVALID,NEW -j DROP 64/pkg/tool/linux_amd64/vet --no�� --noprofile(http block)https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts/usr/bin/gh gh run download 2 --dir test-logs/run-2(http block)https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts/usr/bin/gh gh run download 3 --dir test-logs/run-3(http block)https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts/usr/bin/gh gh run download 4 --dir test-logs/run-4(http block)https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts/usr/bin/gh gh run download 5 --dir test-logs/run-5(http block)https://api.github.com/repos/github/gh-aw/actions/workflows/usr/bin/gh gh workflow list --json name,state,path json' --ignore-p-errorsas --global e/git(http block)/usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100(http block)/usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git itbranch_with_hygit itbranch_with_hyrev-parse 64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel 64/pkg/tool/linutest@example.com /usr/bin/git thub/workflows --others 64/pkg/tool/linu--verify git(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha te '**/*.cjs' '**/*.ts' '**/*.json' --ignore-path ../../../.prettierignore .cfg 64/pkg/tool/linux_amd64/vet(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha get --local x_amd64/vet commit.gpgsign(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha ilure --local x_amd64/vet commit.gpgsign(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha ../pkg/workflow/js/**/*.json' --ignore-path ../../../.prettierignore --local x_amd64/vet pull.rebase(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha ../pkg/workflow/-errorsas pported.go x_amd64/vet pull.rebase(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha ilure --local x_amd64/vet pull.rebase(http block)https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999/usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha te '**/*.cjs' '**/*.ts' '**/*.jsremote.origin.url .cfg At,event,headBranch,headSha,displayTitle(http block)https://api.github.com/repos/nonexistent/repo/actions/runs/12345/usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion(http block)https://api.github.com/repos/owner/repo/actions/workflows/usr/bin/gh gh workflow list --json name,state,path --repo owner/repo ache/go/1.25.0/x-nilfunc http.https://git/opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet(http block)/usr/bin/gh gh workflow list --json name,state,path --repo owner/repo k/_temp/ghcca-no-nilfunc http.https://git/opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet(http block)https://api.github.com/repos/owner/repo/contents/file.md/tmp/go-build1742819268/b396/cli.test /tmp/go-build1742819268/b396/cli.test -test.testlogfile=/tmp/go-build1742819268/b396/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true HooksPath(http block)https://api.github.com/repos/test-owner/test-repo/actions/secrets/usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name json' --ignore-path ../../../.pr**/*.json --global p/bin/git(http block)If you need me to access, download, or install something from one of these locations, you can either: