Skip to content

Comments

Fix GitHub App multi-repo token handling for MCP server#18159

Merged
pelikhan merged 5 commits intomainfrom
copilot/fix-issue-read-tool-availability-again
Feb 24, 2026
Merged

Fix GitHub App multi-repo token handling for MCP server#18159
pelikhan merged 5 commits intomainfrom
copilot/fix-issue-read-tool-availability-again

Conversation

Copy link
Contributor

Copilot AI commented Feb 24, 2026
edited
Loading

  • Add hasGitHubApp(githubTool any) bool helper to mcp_github_config.go, consistent with existing helpers (getGitHubToken, getGitHubLockdown, etc.)
  • Update generateGitHubMCPLockdownDetectionStep to use hasGitHubApp(githubTool) instead of data.ParsedTools.GitHub.App != nil
  • Update mcp_renderer.go shouldUseStepOutput check to use hasGitHubApp(githubTool)
  • Update mcp_environment.go app token and lockdown env var checks to use hasGitHubApp(githubTool)
  • Build, lint, and tests verified passing
Original prompt

This section details on the original issue you should resolve

<issue_title>GitHub MCP issue_read tool unavailable when app token is scoped to multiple repositories</issue_title>
<issue_description>## Summary

When tools.github.app.repositories contains multiple repositories, the GitHub MCP issue_read tool becomes unavailable to the agent. The agent falls back to unauthenticated CLI/curl calls, which fail on private repos. Single-repo tokens work correctly.

Reproduction

Working configuration (single repo):

tools:
    github:
        toolsets: [issues]
        allowed: [issue_read]
        read-only: true
        app:
            app-id: ${{ secrets.CODE_REVIEW_APP_ID }}
            private-key: ${{ secrets.CODE_REVIEW_APP_PRIVATE_KEY }}
            owner: 'microsoft'
            repositories: ['vscode-engineering']

Broken configuration (two repos — only change):

tools:
    github:
        toolsets: [issues]
        allowed: [issue_read]
        read-only: true
        app:
            app-id: ${{ secrets.CODE_REVIEW_APP_ID }}
            private-key: ${{ secrets.CODE_REVIEW_APP_PRIVATE_KEY }}
            owner: 'microsoft'
            repositories: ['vscode', 'vscode-engineering']

Both compile successfully. The lock file diff between the two is minimal — only the repositories: value changes:

- repositories: vscode-engineering
+ repositories: vscode,vscode-engineering

This change appears in all three actions/create-github-app-token steps (agent, safe_outputs, conclusion). No other differences.

Evidence

Working run (single repo)

Run: 22346404501
Commit: dc74a432 ("Test only on vscode-engineering")
Result: Agent successfully called MCP issue_read on microsoft/vscode-engineering#1905

Failing run (two repos)

Run: 22346782685
Commit: 3c33ea38 ("compile with two repos")
Result: Agent could not use MCP tools at all ❌

Agent log from the failing run:

● Task: Read issue via gh CLI
  ● Get issue 1905 details from vscode-engineering repo
    $ gh issue view 1905 --repo microsoft/vscode-engineering --json
    title,body,labels,assignees,state,number 2>&1 || echo "FAILED"
    └ 5 lines...
● Task: Fetch issue via GitHub API
  ● Fetch GitHub issue data for issue 1905
    $ curl -s "https://api.github.com/repos/microsoft/vscode-engineering/issues/1905" 2>&1 | head -200
    └ 6 lines...
The repository is private and I cannot access the issue via unauthenticated API.
✗ missing_data
  Tool 'missing_data' does not exist.

The agent never attempted to use issue_read — it went straight to CLI/curl, suggesting the MCP tool wasn't available or the token was not passed through.

Lock File Analysis

The compiled lock file is structurally correct in both cases. The token generation step uses actions/create-github-app-token@v2.2.1:

- name: Generate GitHub App token
  id: github-mcp-app-token
  uses: actions/create-github-app-token@v2.2.1
  with:
    app-id: ${{ secrets.CODE_REVIEW_APP_ID }}
    private-key: ${{ secrets.CODE_REVIEW_APP_PRIVATE_KEY }}
    owner: microsoft
    repositories: vscode,vscode-engineering      # ← this format is valid per action docs
    permission-contents: read
    permission-issues: read

The token is then passed as GITHUB_MCP_SERVER_TOKEN to the agent job and wired into the MCP config:

{
  "mcpServers": {
    "github": {
      "type": "stdio",
      "container": "ghcr.io/github/github-mcp-server:v0.31.0",
      "env": {
        "GITHUB_PERSONAL_ACCESS_TOKEN": "${GITHUB_MCP_SERVER_TOKEN}",
        "GITHUB_READ_ONLY": "1",
        "GITHUB_TOOLSETS": "issues"
      }
    }
  }
}

The plumbing is identical between the working and failing runs — only the repositories value differs.

Possible Root Causes

  1. Token generation succeeds but with reduced scope: actions/create-github-app-token may produce a token that doesn't cover all listed repos when the app's installation spans multiple repos.
  2. GitHub MCP server (github-mcp-server:v0.31.0) doesn't handle multi-repo tokens: The server may check the token's repo scope and fail if more than one is listed.
  3. Token generation step fails silently: The step may error internally but still produce a partial/empty output, causing the MCP server to start without auth.

The GitHub App (CODE_REVIEW) IS installed on both repos — confirmed by the single-repo runs working independently with either vscode or vscode-engineering.

Use Case

Cross-repository triage workflow in microsoft/vscode-engineering that reads issues from both microsoft/vscode and microsoft/vscode-engineering (repo is specified at dispatch time via repo_name input).

Environment

  • gh-aw: v0.50.0
  • github-mcp-server: v0.31.0
  • actions/create-github-app-token...

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

@pelikhan
fix: improve GitHub App multi-repo token handling for MCP server
a86aaef 
- Use YAML block scalar (newline-separated) for multiple repositories in
  actions/create-github-app-token, improving clarity and explicit formatting
- Add GH_AW_GITHUB_APP_CONFIGURED env var to lockdown detection step when
  a GitHub App is configured (values: 'single' or 'multi')
- Update determine_automatic_lockdown.cjs to recognize single-repo GitHub
  App tokens as custom tokens for lockdown on public repos; multi-repo app
  tokens are excluded from lockdown to preserve cross-repo access
- Update test to expect the new block scalar format for multiple repos

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix GitHub MCP issue_read tool availability for multiple repositories Improve GitHub App multi-repo token handling for MCP lockdown and lock file clarity Feb 24, 2026
@pelikhan
Copy link
Contributor

pelikhan commented Feb 24, 2026

@copilot do not generate determine-automatic-lockdown when tools.github.app is used. document this.

@pelikhan
fix: skip determine-automatic-lockdown when tools.github.app is confi…
31beec6 
…gured

GitHub App tokens are already scoped to specific repositories via the app
installation, so the automatic lockdown detection step is unnecessary and
should not be generated.

Changes:
- generateGitHubMCPLockdownDetectionStep: return early when GitHub App is configured
- mcp_renderer.go: set shouldUseStepOutput=false when app is configured
- mcp_environment.go: skip GITHUB_MCP_LOCKDOWN env var when app is configured
- determine_automatic_lockdown.cjs: remove GH_AW_GITHUB_APP_CONFIGURED complexity
  (step no longer runs when app is configured)
- Add test: TestGitHubMCPAppTokenNoLockdownDetectionStep

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copy link
Contributor Author

Copilot AI commented Feb 24, 2026
edited
Loading

@copilot do not generate determine-automatic-lockdown when tools.github.app is used. document this.

Done in 31beec6. When tools.github.app is configured, the determine-automatic-lockdown step is now skipped entirely — GitHub App tokens are already scoped to specific repositories via the app installation, so automatic lockdown detection is unnecessary. The GITHUB_MCP_LOCKDOWN env var and LockdownFromStep flag are also suppressed in this case. The determine_automatic_lockdown.cjs JSDoc now documents that this script is not invoked when tools.github.app is set.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/11bd71901bbe5b1630ceea73d27597364c9af683
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/11bd71901bbe5b1630ceea73d27597364c9af683 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha w/js/**/*.json&#39; --ignore-path (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v7
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v7 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/4dc6199c7b1a012772edbd06daecab0f50c9053c
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/4dc6199c7b1a012772edbd06daecab0f50c9053c --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v5 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v6 --jq .object.sha ignore-path ../../../.prettierignore (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v6 --jq .object.sha (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v6 --jq .object.sha w/js/**/*.json&#39; --ignore-path (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha ignore-path ../../../.prettierignore (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha on&#39; --ignore-path ../../../.pret.prettierignore (http block)
  • https://api.github.com/repos/anchore/sbom-action/git/ref/tags/v0
    • Triggering command: /usr/bin/gh gh api /repos/anchore/sbom-action/git/ref/tags/v0 --jq .object.sha (http block)
    • Triggering command: /usr/bin/gh gh api /repos/anchore/sbom-action/git/ref/tags/v0 --jq .object.sha g_.a (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha ath ../../../.pr**/*.json (http block)
  • https://api.github.com/repos/docker/build-push-action/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/docker/build-push-action/git/ref/tags/v6 --jq .object.sha (http block)
    • Triggering command: /usr/bin/gh gh api /repos/docker/build-push-action/git/ref/tags/v6 --jq .object.sha g_.a (http block)
  • https://api.github.com/repos/docker/login-action/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/docker/login-action/git/ref/tags/v3 --jq .object.sha (http block)
  • https://api.github.com/repos/docker/metadata-action/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/docker/metadata-action/git/ref/tags/v5 --jq .object.sha (http block)
  • https://api.github.com/repos/docker/setup-buildx-action/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/docker/setup-buildx-action/git/ref/tags/v3 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/a70c5eada06553e3510ac27f2c3bda9d3705bccb
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/a70c5eada06553e3510ac27f2c3bda9d3705bccb --jq .object.sha ath ../../../.pr**/*.json (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title Improve GitHub App multi-repo token handling for MCP lockdown and lock file clarity Fix GitHub App multi-repo token handling for MCP server Feb 24, 2026
@pelikhan
Copy link
Contributor

pelikhan commented Feb 24, 2026

@copilot update the compiler to NOT generate the automatic lockdown step when tools.github.app is set.

Copy link
Contributor Author

Copilot AI commented Feb 24, 2026

@copilot update the compiler to NOT generate the automatic lockdown step when tools.github.app is set.

This was already implemented in 31beec6. The generateGitHubMCPLockdownDetectionStep function returns early when data.ParsedTools.GitHub.App != nil, and both shouldUseStepOutput in mcp_renderer.go and the GITHUB_MCP_LOCKDOWN env var in mcp_environment.go are suppressed when a GitHub App is configured.

@pelikhan pelikhan marked this pull request as ready for review February 24, 2026 15:27
Copilot AI review requested due to automatic review settings February 24, 2026 15:27
pelikhan
pelikhan reviewed Feb 24, 2026
View reviewed changes
Copy link
Contributor

@pelikhan pelikhan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot you should use the merged tools for any logic involving tools.github.app

Copilot AI reviewed Feb 24, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes GitHub App multi-repository token handling for the MCP server. When tools.github.app.repositories contains multiple repositories, the previous comma-separated inline format is replaced with a YAML block scalar format for better clarity. Additionally, the automatic lockdown detection step is now skipped when GitHub Apps are configured, since GitHub App tokens are already repository-scoped.

Changes:

  • Modified repository formatting in GitHub App token minting to use YAML block scalar format (|-) for multiple repositories instead of comma-separated values
  • Disabled automatic lockdown detection when GitHub App is configured, as app tokens are inherently scoped to specific repositories
  • Updated environment variable and step output logic to skip GITHUB_MCP_LOCKDOWN references when GitHub App is used

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.

Show a summary per file
File Description
pkg/workflow/safe_outputs_app.go Changed multi-repository formatting from comma-separated to block scalar YAML format; removed unused strings import
pkg/workflow/safe_outputs_app_test.go Updated test assertions to verify block scalar format for multiple repositories
pkg/workflow/mcp_github_config.go Added logic to skip automatic lockdown detection step when GitHub App is configured
pkg/workflow/mcp_renderer.go Modified shouldUseStepOutput logic to exclude GitHub App configurations
pkg/workflow/mcp_environment.go Prevented GITHUB_MCP_LOCKDOWN environment variable from being added when GitHub App is configured
pkg/workflow/github_mcp_app_token_test.go Added comprehensive test to verify lockdown detection is not generated with GitHub Apps
actions/setup/js/determine_automatic_lockdown.cjs Updated JSDoc to document that script is not invoked when GitHub App is configured

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@pelikhan
refactor: use merged tools (raw map) for tools.github.app checks via …
1fd49dd 
…hasGitHubApp helper

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copy link
Contributor Author

Copilot AI commented Feb 24, 2026
edited
Loading

@copilot you should use the merged tools for any logic involving tools.github.app

Done in 1fd49dd. Added hasGitHubApp(githubTool any) bool to mcp_github_config.go following the same pattern as getGitHubToken, getGitHubLockdown, etc. All three checks now use hasGitHubApp(githubTool) with the raw merged-tools value from data.Tools["github"] instead of data.ParsedTools.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GO111MODULE 64/bin/go git t-12�� k/gh-aw/gh-aw/.github/workflows/ai-moderator.md rev-parse /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/compile QcDs/RccYqQqTSKBgit GO111MODULE 64/bin/go /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/compile (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GOMOD GOMODCACHE erignore env -json GO111MODULE eTags}} GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha ry=1 GO111MODULE 4598508/b387/_pkg_.a GOINSECURE GOMOD GOMODCACHE go env -json (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha -json GO111MODULE bin/node GOINSECURE GOMOD GOMODCACHE go tion�� -json GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha g_.a GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE ole GOMODCACHE go env 4012-27445/test-2218196093/.github/workflows GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE ortcfg (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v4 --jq .object.sha vaScript2495729804/001/test-simp-s GO111MODULE /opt/hostedtoolcache/go/1.25.0/x-buildmode=exe GOINSECURE GOMOD GOMODCACHE go env runs/20260224-154012-27445/test-1888043226/.github/workflows GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go l GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v4 --jq .object.sha -json GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 4598508/b297/vet.cfg GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v4 --jq .object.sha /tmp/gh-aw-test-runs/20260224-154012-27445/test-1928208489 rev-parse /usr/bin/git @{u} --check 64/bin/go git rev-�� --show-toplevel go /usr/bin/git -mod=readonly -f 64/bin/go git (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha 1808836305/.github/workflows GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha sistency_GoAndJavaScript2495729804/001/test-complex-frontmatter-with-tools.md -buildtags ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -errorsas -ifaceassert -nilfunc ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet rev-�� --show-toplevel -tests /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha GOSUMDB GOWORK 64/bin/go GOINSECURE GOMOD GOMODCACHE erignore env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha ck &#39;scripts/**/*GOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE u69dtnPwupbS env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE sh (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE sh (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha bot-detection.md GO111MODULE 0/x64/bin/node GOINSECURE GOMOD GOMODCACHE go t-ha�� SameOutput2566363834/001/stability-test.md GO111MODULE 0/x64/bin/node GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha g_.a 4598508/b125/vet.cfg /opt/hostedtoolcache/go/1.25.0/x-test.short=true GOINSECURE GOMOD GOMODCACHE go env snY6xQzyS GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go l GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE h GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
    • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
    • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go estl�� -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
    • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
    • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
    • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env tmatter-with-nes-p GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
    • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
    • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path GOSUMDB GOWORK 64/bin/go GOINSECURE GOMOD GOMODCACHE ache/go/1.25.0/xGO111MODULE env 7033837/b366/_pkGOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 b/gh-aw/pkg/slic-V=full GOMODCACHE go env 7Es4/dlTADjkgtX2GOSUMDB GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE 7033837/b403/importcfg (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env 1442234986/.gith-errorsas GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha &#34;prettier&#34; --wriGOINSECURE git 64/bin/go --show-toplevel x_amd64/compile otOrdering497878prettier node /hom�� --write ../../../**/*.js**/*.json /prettier --ignore-path ../../../.prettilist /usr/bin/git go (http block)
  • https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha &#34;prettier&#34; --wriGOINSECURE git 64/bin/go tierignore x_amd64/compile /usr/bin/git node /hom�� --write ../../../**/*.js**/*.json /node --ignore-path ../../../.pretti-c /usr/bin/git go (http block)
  • https://api.github.com/repos/nonexistent/repo/actions/runs/12345
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE go estl�� -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/owner/repo/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOINSECURE GOMOD GOMODCACHE ache/go/1.25.0/xGO111MODULE env 7033837/b388/_pkGOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOINSECURE GOMOD GOMODCACHE ache/go/1.25.0/xGO111MODULE env 7033837/b372/_pkGOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/owner/repo/contents/file.md
    • Triggering command: /tmp/go-build3704598508/b381/cli.test /tmp/go-build3704598508/b381/cli.test -test.testlogfile=/tmp/go-build3704598508/b381/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true GOINSECURE GOMOD GOMODCACHE go m/_n�� -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/test-owner/test-repo/actions/secrets
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name GOSUMDB GOWORK 64/bin/go GOINSECURE GOMOD GOMODCACHE ache/go/1.25.0/xGO111MODULE env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)

If you need me to access, download, or install something from one of these locations, you can either:

@pelikhan pelikhan merged commit c373f2b into main Feb 24, 2026
43 checks passed
@pelikhan pelikhan deleted the copilot/fix-issue-read-tool-availability-again branch February 24, 2026 15:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

+1 more reviewer

@pelikhan pelikhan pelikhan approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@pelikhan pelikhan

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

GitHub MCP issue_read tool unavailable when app token is scoped to multiple repositories

2 participants

@pelikhan