diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml
index ff4dd388f0..28e48e9636 100644
--- a/.github/workflows/agent-performance-analyzer.lock.yml
+++ b/.github/workflows/agent-performance-analyzer.lock.yml
@@ -166,13 +166,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Install gh-aw extension
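Review bot: The added `if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''` reads the `secrets` context in a step-level condition, where GitHub Actions documents it as unavailable (step `if` gets github, needs, strategy, matrix, job, runner, env, vars, steps and inputs). The expression may therefore be rejected at workflow validation, or not evaluate as intended. A safer pattern is to compute a boolean at job level, e.g. `env: GH_AW_HAS_MCP_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != '' }}` (example name), and gate the step with `if: env.GH_AW_HAS_MCP_TOKEN == 'true'`, which also keeps the token value out of the step environment. The same line is added in the first hunk of every other lock file in this diff. These files look generated, so the fix belongs in the compiler template, not in each lock file.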
@@ -472,7 +473,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests,actions",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/ai-moderator.lock.yml b/.github/workflows/ai-moderator.lock.yml
index 38cd4fe484..0d94e1a7f8 100644
--- a/.github/workflows/ai-moderator.lock.yml
+++ b/.github/workflows/ai-moderator.lock.yml
@@ -171,13 +171,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -360,7 +361,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml
index a54d3d3819..02261e762d 100644
--- a/.github/workflows/archie.lock.yml
+++ b/.github/workflows/archie.lock.yml
@@ -209,13 +209,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -367,7 +368,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml
index f6b02297c5..8c93bd7c65 100644
--- a/.github/workflows/artifacts-summary.lock.yml
+++ b/.github/workflows/artifacts-summary.lock.yml
@@ -154,13 +154,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -328,7 +329,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=actions,repos",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml
index 841f577163..23d80f9d7d 100644
--- a/.github/workflows/audit-workflows.lock.yml
+++ b/.github/workflows/audit-workflows.lock.yml
@@ -223,13 +223,14 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -428,7 +429,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml
index c96e8d88c0..dd6de7fe68 100644
--- a/.github/workflows/blog-auditor.lock.yml
+++ b/.github/workflows/blog-auditor.lock.yml
@@ -150,13 +150,14 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3 mcr.microsoft.com/playwright/mcp
- name: Write Safe Outputs Config
@@ -322,7 +323,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml
index 6a32436a17..27b9a34075 100644
--- a/.github/workflows/brave.lock.yml
+++ b/.github/workflows/brave.lock.yml
@@ -187,13 +187,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh docker.io/mcp/brave-search ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -363,7 +364,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml
index 9d225adead..e0c89e2857 100644
--- a/.github/workflows/breaking-change-checker.lock.yml
+++ b/.github/workflows/breaking-change-checker.lock.yml
@@ -151,13 +151,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -346,7 +347,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=repos",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/campaign-generator.lock.yml b/.github/workflows/campaign-generator.lock.yml
index f56043ffe8..3140a2c47b 100644
--- a/.github/workflows/campaign-generator.lock.yml
+++ b/.github/workflows/campaign-generator.lock.yml
@@ -166,13 +166,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -385,7 +386,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/campaign-manager.lock.yml b/.github/workflows/campaign-manager.lock.yml
index fcee11da11..dac0ae6190 100644
--- a/.github/workflows/campaign-manager.lock.yml
+++ b/.github/workflows/campaign-manager.lock.yml
@@ -166,13 +166,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -529,7 +530,7 @@ jobs:
"url": "https://api.githubcopilot.com/mcp/",
"headers": {
"Authorization": "Bearer \${GITHUB_PERSONAL_ACCESS_TOKEN}",
- "X-MCP-Lockdown": "${{ steps.detect-repo-visibility.outputs.lockdown }}",
+ "X-MCP-Lockdown": "${{ steps.determine-automatic-lockdown.outputs.lockdown }}",
"X-MCP-Readonly": "true",
"X-MCP-Toolsets": "context,repos,issues,pull_requests,actions,projects"
},
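Review bot: When the now-conditional step is skipped, `steps.determine-automatic-lockdown.outputs.lockdown` is empty, so this header is sent as `"X-MCP-Lockdown": ""` instead of an explicit `true` or `false`. How the remote MCP endpoint treats an empty value is not visible here. An explicit fallback such as `${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && 'true' || 'false' }}` would make the no-token case unambiguous. The `GITHUB_LOCKDOWN_MODE` hunks in the other lock files resolve the same skipped-step case to `'0'`, so lockdown is off unless the token secret is configured. If that opt-in default is intended, it deserves a comment in the generator.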
diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml
index 1bcb7eb2cd..ab0c72b863 100644
--- a/.github/workflows/changeset.lock.yml
+++ b/.github/workflows/changeset.lock.yml
@@ -191,13 +191,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml
index 2dfb210ca5..9c9c79a769 100644
--- a/.github/workflows/ci-coach.lock.yml
+++ b/.github/workflows/ci-coach.lock.yml
@@ -207,13 +207,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -391,7 +392,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml
index 33184ca027..193dd22aac 100644
--- a/.github/workflows/ci-doctor.lock.yml
+++ b/.github/workflows/ci-doctor.lock.yml
@@ -179,13 +179,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3 mcp/fetch
- name: Write Safe Outputs Config
@@ -410,7 +411,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml
index 94abcbfdce..4ba6921e01 100644
--- a/.github/workflows/cli-consistency-checker.lock.yml
+++ b/.github/workflows/cli-consistency-checker.lock.yml
@@ -152,13 +152,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3 mcp/fetch
- name: Write Safe Outputs Config
@@ -347,7 +348,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml
index 1985b2c19e..65e1aae92d 100644
--- a/.github/workflows/cli-version-checker.lock.yml
+++ b/.github/workflows/cli-version-checker.lock.yml
@@ -164,13 +164,14 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -357,7 +358,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml
index 39ce9ea267..5d75545aa1 100644
--- a/.github/workflows/cloclo.lock.yml
+++ b/.github/workflows/cloclo.lock.yml
@@ -257,13 +257,14 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3 mcr.microsoft.com/playwright/mcp
- name: Write Safe Outputs Config
@@ -479,7 +480,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml
index bddc32aed2..334a756dd4 100644
--- a/.github/workflows/commit-changes-analyzer.lock.yml
+++ b/.github/workflows/commit-changes-analyzer.lock.yml
@@ -152,13 +152,14 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -324,7 +325,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml
index 2a6b40e154..ec669fa7b2 100644
--- a/.github/workflows/copilot-agent-analysis.lock.yml
+++ b/.github/workflows/copilot-agent-analysis.lock.yml
@@ -183,13 +183,14 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -355,7 +356,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml
index 74993be5c1..53b5993a26 100644
--- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml
+++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml
@@ -220,13 +220,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -423,7 +424,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml
index 10182b7125..adc333460e 100644
--- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml
+++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml
@@ -188,13 +188,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -362,7 +363,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml
index d9cfce74b3..a0741144b2 100644
--- a/.github/workflows/copilot-session-insights.lock.yml
+++ b/.github/workflows/copilot-session-insights.lock.yml
@@ -209,13 +209,14 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -410,7 +411,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml
index a29644ad67..b86523d99d 100644
--- a/.github/workflows/craft.lock.yml
+++ b/.github/workflows/craft.lock.yml
@@ -188,13 +188,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -394,7 +395,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml
index 890cb01ba6..b690b5acb1 100644
--- a/.github/workflows/daily-assign-issue-to-user.lock.yml
+++ b/.github/workflows/daily-assign-issue-to-user.lock.yml
@@ -150,13 +150,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -357,7 +358,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=issues,pull_requests,repos",
"ghcr.io/github/github-mcp-server:v0.26.3"
@@ -1049,17 +1050,4 @@ jobs:
setupGlobals(core, github, context, exec, io);
const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs');
await main();
- - name: Assign To User
- id: assign_to_user
- if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'assign_to_user'))
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
- env:
- GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
- with:
- github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- script: |
- const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io);
- const { main } = require('/tmp/gh-aw/actions/assign_to_user.cjs');
- await main();
diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml
index d5e72e20f0..7205aa7312 100644
--- a/.github/workflows/daily-choice-test.lock.yml
+++ b/.github/workflows/daily-choice-test.lock.yml
@@ -143,13 +143,14 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -294,7 +295,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml
index f2c84ee005..ac60fc6a03 100644
--- a/.github/workflows/daily-cli-performance.lock.yml
+++ b/.github/workflows/daily-cli-performance.lock.yml
@@ -164,13 +164,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -395,7 +396,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml
index 2ef671e069..5ce9c7bd3d 100644
--- a/.github/workflows/daily-code-metrics.lock.yml
+++ b/.github/workflows/daily-code-metrics.lock.yml
@@ -198,13 +198,14 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -399,7 +400,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/daily-copilot-token-report.lock.yml b/.github/workflows/daily-copilot-token-report.lock.yml
index 8336eb5376..9c7f6d3ab9 100644
--- a/.github/workflows/daily-copilot-token-report.lock.yml
+++ b/.github/workflows/daily-copilot-token-report.lock.yml
@@ -218,13 +218,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -421,7 +422,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml
index 0d5bd9e5d2..a64ff60fed 100644
--- a/.github/workflows/daily-doc-updater.lock.yml
+++ b/.github/workflows/daily-doc-updater.lock.yml
@@ -157,13 +157,14 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -339,7 +340,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml
index 5d19274066..8937cce110 100644
--- a/.github/workflows/daily-fact.lock.yml
+++ b/.github/workflows/daily-fact.lock.yml
@@ -137,13 +137,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml
index 2408a6e9f2..6b7cea8cb6 100644
--- a/.github/workflows/daily-file-diet.lock.yml
+++ b/.github/workflows/daily-file-diet.lock.yml
@@ -218,13 +218,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -442,7 +443,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml
index 8bfcb6fdff..14c51d0710 100644
--- a/.github/workflows/daily-firewall-report.lock.yml
+++ b/.github/workflows/daily-firewall-report.lock.yml
@@ -221,13 +221,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -441,7 +442,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests,actions",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml
index 3375b6cff7..e330e66e8a 100644
--- a/.github/workflows/daily-issues-report.lock.yml
+++ b/.github/workflows/daily-issues-report.lock.yml
@@ -204,13 +204,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
diff --git a/.github/workflows/daily-malicious-code-scan.lock.yml b/.github/workflows/daily-malicious-code-scan.lock.yml
index 63d31c8cfb..ed58d3a48d 100644
--- a/.github/workflows/daily-malicious-code-scan.lock.yml
+++ b/.github/workflows/daily-malicious-code-scan.lock.yml
@@ -151,13 +151,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -366,7 +367,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=repos,code_security",
"ghcr.io/github/github-mcp-server:v0.26.3"
@@ -1047,7 +1048,6 @@ jobs:
needs:
- activation
- agent
- - safe_outputs
if: (always()) && (needs.agent.result != 'skipped')
runs-on: ubuntu-slim
permissions:
@@ -1140,53 +1140,3 @@ jobs:
const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs');
await main();
- safe_outputs:
- needs: agent
- if: (!cancelled()) && (needs.agent.result != 'skipped')
- runs-on: ubuntu-slim
- permissions:
- contents: read
- security-events: write
- timeout-minutes: 15
- env:
- GH_AW_ENGINE_ID: "copilot"
- GH_AW_TRACKER_ID: "malicious-code-scan"
- GH_AW_WORKFLOW_ID: "daily-malicious-code-scan"
- GH_AW_WORKFLOW_NAME: "Daily Malicious Code Scan Agent"
- steps:
- - name: Checkout actions folder
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
- with:
- sparse-checkout: |
- actions
- persist-credentials: false
- - name: Setup Scripts
- uses: ./actions/setup
- with:
- destination: /tmp/gh-aw/actions
- - name: Download agent output artifact
- continue-on-error: true
- uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
- with:
- name: agent-output
- path: /tmp/gh-aw/safeoutputs/
- - name: Setup agent output environment variable
- run: |
- mkdir -p /tmp/gh-aw/safeoutputs/
- find "/tmp/gh-aw/safeoutputs/" -type f -print
- echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV"
- - name: Create Code Scanning Alert
- id: create_code_scanning_alert
- if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_code_scanning_alert'))
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
- env:
- GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
- GH_AW_WORKFLOW_FILENAME: "daily-malicious-code-scan"
- with:
- github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- script: |
- const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io);
- const { main } = require('/tmp/gh-aw/actions/create_code_scanning_alert.cjs');
- await main();
-
diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml
index 3e4b8042f8..5069f030af 100644
--- a/.github/workflows/daily-multi-device-docs-tester.lock.yml
+++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml
@@ -154,13 +154,14 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3 mcr.microsoft.com/playwright/mcp
- name: Write Safe Outputs Config
@@ -376,7 +377,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml
index 23f89393a3..1bd711bcf8 100644
--- a/.github/workflows/daily-news.lock.yml
+++ b/.github/workflows/daily-news.lock.yml
@@ -216,13 +216,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3 mcp/fetch
- name: Write Safe Outputs Config
@@ -419,7 +420,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml
index 70d4a9385a..63e2dec8bf 100644
--- a/.github/workflows/daily-performance-summary.lock.yml
+++ b/.github/workflows/daily-performance-summary.lock.yml
@@ -194,13 +194,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml
index 36dc7101dd..ff0473929b 100644
--- a/.github/workflows/daily-repo-chronicle.lock.yml
+++ b/.github/workflows/daily-repo-chronicle.lock.yml
@@ -195,13 +195,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -398,7 +399,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests,discussions",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml
index 0d87c822ec..0d26cead69 100644
--- a/.github/workflows/daily-team-status.lock.yml
+++ b/.github/workflows/daily-team-status.lock.yml
@@ -164,13 +164,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -359,7 +360,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml
index e8ee60cb04..b06325f891 100644
--- a/.github/workflows/daily-workflow-updater.lock.yml
+++ b/.github/workflows/daily-workflow-updater.lock.yml
@@ -151,13 +151,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -335,7 +336,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml
index dd6c9342c6..7ef1feb144 100644
--- a/.github/workflows/deep-report.lock.yml
+++ b/.github/workflows/deep-report.lock.yml
@@ -205,13 +205,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
diff --git a/.github/workflows/dependabot-go-checker.lock.yml b/.github/workflows/dependabot-go-checker.lock.yml
index ae85d03eae..affe20e73a 100644
--- a/.github/workflows/dependabot-go-checker.lock.yml
+++ b/.github/workflows/dependabot-go-checker.lock.yml
@@ -154,13 +154,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3 mcp/fetch
- name: Write Safe Outputs Config
@@ -387,7 +388,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests,dependabot",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml
index 837b7e88d8..e110a1c88f 100644
--- a/.github/workflows/dev-hawk.lock.yml
+++ b/.github/workflows/dev-hawk.lock.yml
@@ -181,13 +181,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -356,7 +357,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=pull_requests,actions,repos",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml
index 8531a30e1b..625409cd04 100644
--- a/.github/workflows/dev.lock.yml
+++ b/.github/workflows/dev.lock.yml
@@ -151,13 +151,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -309,7 +310,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=issues",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml
index ff7c7d4cbc..c3336c60a3 100644
--- a/.github/workflows/developer-docs-consolidator.lock.yml
+++ b/.github/workflows/developer-docs-consolidator.lock.yml
@@ -176,13 +176,14 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -410,7 +411,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml
index 6a21550d7d..2f61778085 100644
--- a/.github/workflows/dictation-prompt.lock.yml
+++ b/.github/workflows/dictation-prompt.lock.yml
@@ -154,13 +154,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -338,7 +339,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml
index 4ccca64858..4351cd6947 100644
--- a/.github/workflows/docs-noob-tester.lock.yml
+++ b/.github/workflows/docs-noob-tester.lock.yml
@@ -154,13 +154,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3 mcr.microsoft.com/playwright/mcp
- name: Write Safe Outputs Config
@@ -357,7 +358,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/docs-quality-maintenance-project67.campaign.lock.yml b/.github/workflows/docs-quality-maintenance-project67.campaign.lock.yml
index 66880d8eb6..459b36879c 100644
--- a/.github/workflows/docs-quality-maintenance-project67.campaign.lock.yml
+++ b/.github/workflows/docs-quality-maintenance-project67.campaign.lock.yml
@@ -164,13 +164,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -411,7 +412,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests,actions,code_security",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml
index d426b172b6..5984ef408a 100644
--- a/.github/workflows/duplicate-code-detector.lock.yml
+++ b/.github/workflows/duplicate-code-detector.lock.yml
@@ -158,13 +158,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
diff --git a/.github/workflows/example-custom-error-patterns.lock.yml b/.github/workflows/example-custom-error-patterns.lock.yml
index db9a822402..ea4b416967 100644
--- a/.github/workflows/example-custom-error-patterns.lock.yml
+++ b/.github/workflows/example-custom-error-patterns.lock.yml
@@ -137,13 +137,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Setup MCPs
@@ -167,7 +168,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/example-permissions-warning.lock.yml b/.github/workflows/example-permissions-warning.lock.yml
index e3264fe1ab..46047bca0a 100644
--- a/.github/workflows/example-permissions-warning.lock.yml
+++ b/.github/workflows/example-permissions-warning.lock.yml
@@ -140,13 +140,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Setup MCPs
@@ -168,7 +169,7 @@ jobs:
"-e",
"GITHUB_PERSONAL_ACCESS_TOKEN",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml
index 4c7227cd87..d661e540a2 100644
--- a/.github/workflows/example-workflow-analyzer.lock.yml
+++ b/.github/workflows/example-workflow-analyzer.lock.yml
@@ -152,13 +152,14 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Install gh-aw extension
@@ -345,7 +346,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests,actions",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml
index 7f60bddaf9..39f855b033 100644
--- a/.github/workflows/firewall-escape.lock.yml
+++ b/.github/workflows/firewall-escape.lock.yml
@@ -164,13 +164,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3 mcp/fetch
- name: Setup MCPs
@@ -194,7 +195,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/firewall.lock.yml b/.github/workflows/firewall.lock.yml
index ca3a187f8a..476ef67454 100644
--- a/.github/workflows/firewall.lock.yml
+++ b/.github/workflows/firewall.lock.yml
@@ -140,13 +140,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3 mcp/fetch
- name: Setup MCPs
@@ -170,7 +171,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml
index edada08964..38d790c4ab 100644
--- a/.github/workflows/github-mcp-structural-analysis.lock.yml
+++ b/.github/workflows/github-mcp-structural-analysis.lock.yml
@@ -193,13 +193,14 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -394,7 +395,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=all",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml
index 23c837ab38..18618b5eaf 100644
--- a/.github/workflows/github-mcp-tools-report.lock.yml
+++ b/.github/workflows/github-mcp-tools-report.lock.yml
@@ -167,13 +167,14 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -393,7 +394,7 @@ jobs:
"url": "https://api.githubcopilot.com/mcp/",
"headers": {
"Authorization": "Bearer $GITHUB_MCP_SERVER_TOKEN",
- "X-MCP-Lockdown": "${{ steps.detect-repo-visibility.outputs.lockdown }}",
+ "X-MCP-Lockdown": "${{ steps.determine-automatic-lockdown.outputs.lockdown }}",
"X-MCP-Readonly": "true",
"X-MCP-Toolsets": "all"
}
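Review bot: `X-MCP-Lockdown` is interpolated straight from the step output, so when the now-conditional `determine-automatic-lockdown` step is skipped the header is sent as an empty string rather than a definite value. The container-based workflows in this diff normalise the same output with `== 'true' && '1' || '0'`; the equivalent here would be `"X-MCP-Lockdown": "${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' }}"`, which always renders `true` or `false`. How the remote server interprets an empty header is not visible from this hunk, so this is worth confirming rather than assuming it means "off".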
diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml
index fcc2beb563..525ad8dd90 100644
--- a/.github/workflows/glossary-maintainer.lock.yml
+++ b/.github/workflows/glossary-maintainer.lock.yml
@@ -180,13 +180,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -364,7 +365,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml
index ec73494087..7280c5a9f0 100644
--- a/.github/workflows/go-fan.lock.yml
+++ b/.github/workflows/go-fan.lock.yml
@@ -174,13 +174,14 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -346,7 +347,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/go-file-size-reduction-project64.campaign.lock.yml b/.github/workflows/go-file-size-reduction-project64.campaign.lock.yml
index c809c65289..a0e66832b4 100644
--- a/.github/workflows/go-file-size-reduction-project64.campaign.lock.yml
+++ b/.github/workflows/go-file-size-reduction-project64.campaign.lock.yml
@@ -164,13 +164,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -411,7 +412,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests,actions,code_security",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml
index 9ad67482a4..78e8403837 100644
--- a/.github/workflows/go-logger.lock.yml
+++ b/.github/workflows/go-logger.lock.yml
@@ -173,13 +173,14 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -355,7 +356,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml
index 30be7db4f7..50a0d5ac0d 100644
--- a/.github/workflows/go-pattern-detector.lock.yml
+++ b/.github/workflows/go-pattern-detector.lock.yml
@@ -152,13 +152,14 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3 mcp/ast-grep:latest
- name: Write Safe Outputs Config
@@ -355,7 +356,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml
index 97228b34a9..f447eda801 100644
--- a/.github/workflows/grumpy-reviewer.lock.yml
+++ b/.github/workflows/grumpy-reviewer.lock.yml
@@ -197,13 +197,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -430,7 +431,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=pull_requests,repos",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml
index 00ec880503..24a5c33a03 100644
--- a/.github/workflows/hourly-ci-cleaner.lock.yml
+++ b/.github/workflows/hourly-ci-cleaner.lock.yml
@@ -181,13 +181,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -365,7 +366,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/human-ai-collaboration.lock.yml b/.github/workflows/human-ai-collaboration.lock.yml
index 9dd691a26c..dbbce3b1f4 100644
--- a/.github/workflows/human-ai-collaboration.lock.yml
+++ b/.github/workflows/human-ai-collaboration.lock.yml
@@ -160,13 +160,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -355,7 +356,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=repos,issues,search",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/incident-response.lock.yml b/.github/workflows/incident-response.lock.yml
index 834fe74f54..8b3d4709f9 100644
--- a/.github/workflows/incident-response.lock.yml
+++ b/.github/workflows/incident-response.lock.yml
@@ -175,13 +175,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -507,7 +508,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=repos,issues,pull_requests,search",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml
index 8f894db014..89ecf25494 100644
--- a/.github/workflows/instructions-janitor.lock.yml
+++ b/.github/workflows/instructions-janitor.lock.yml
@@ -157,13 +157,14 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -339,7 +340,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/intelligence.lock.yml b/.github/workflows/intelligence.lock.yml
index 7bc242509a..357ed38ca0 100644
--- a/.github/workflows/intelligence.lock.yml
+++ b/.github/workflows/intelligence.lock.yml
@@ -210,13 +210,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -434,7 +435,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=repos,issues,search",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml
index 258800fe73..d39405b7ee 100644
--- a/.github/workflows/issue-arborist.lock.yml
+++ b/.github/workflows/issue-arborist.lock.yml
@@ -156,13 +156,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
diff --git a/.github/workflows/issue-classifier.lock.yml b/.github/workflows/issue-classifier.lock.yml
index 213e632b39..eccd353835 100644
--- a/.github/workflows/issue-classifier.lock.yml
+++ b/.github/workflows/issue-classifier.lock.yml
@@ -159,13 +159,14 @@ jobs:
setupGlobals(core, github, context, exec, io);
const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -318,7 +319,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml
index 64dfec6f21..131809c93f 100644
--- a/.github/workflows/issue-monster.lock.yml
+++ b/.github/workflows/issue-monster.lock.yml
@@ -161,13 +161,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -357,7 +358,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/issue-template-optimizer.lock.yml b/.github/workflows/issue-template-optimizer.lock.yml
index 155569bb59..19783c1868 100644
--- a/.github/workflows/issue-template-optimizer.lock.yml
+++ b/.github/workflows/issue-template-optimizer.lock.yml
@@ -163,13 +163,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -347,7 +348,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml
index 0dbc02052a..4b465bf06f 100644
--- a/.github/workflows/issue-triage-agent.lock.yml
+++ b/.github/workflows/issue-triage-agent.lock.yml
@@ -129,13 +129,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -326,7 +327,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=issues,labels",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml
index 16f6e074d8..d3bbee5e36 100644
--- a/.github/workflows/jsweep.lock.yml
+++ b/.github/workflows/jsweep.lock.yml
@@ -177,13 +177,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -361,7 +362,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml
index acc4eeadb0..2ade2a98a6 100644
--- a/.github/workflows/layout-spec-maintainer.lock.yml
+++ b/.github/workflows/layout-spec-maintainer.lock.yml
@@ -153,13 +153,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -337,7 +338,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml
index 73f5031818..3a8f90eea1 100644
--- a/.github/workflows/lockfile-stats.lock.yml
+++ b/.github/workflows/lockfile-stats.lock.yml
@@ -161,13 +161,14 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -333,7 +334,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml
index 030ce6d4b3..e777c1526f 100644
--- a/.github/workflows/mcp-inspector.lock.yml
+++ b/.github/workflows/mcp-inspector.lock.yml
@@ -213,13 +213,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh docker.io/mcp/brave-search ghcr.io/github/github-mcp-server:v0.26.3 mcp/arxiv-mcp-server mcp/ast-grep:latest mcp/context7 mcp/memory mcp/notion
- name: Write Safe Outputs Config
@@ -549,7 +550,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml
index 5995bb4024..24f824671d 100644
--- a/.github/workflows/mergefest.lock.yml
+++ b/.github/workflows/mergefest.lock.yml
@@ -175,13 +175,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -345,7 +346,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=pull_requests,repos",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/metrics-collector.lock.yml b/.github/workflows/metrics-collector.lock.yml
index 61d5cdd5a1..ff328b9f11 100644
--- a/.github/workflows/metrics-collector.lock.yml
+++ b/.github/workflows/metrics-collector.lock.yml
@@ -158,13 +158,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Install gh-aw extension
env:
GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
@@ -202,7 +203,7 @@ jobs:
"url": "https://api.githubcopilot.com/mcp/",
"headers": {
"Authorization": "Bearer \${GITHUB_PERSONAL_ACCESS_TOKEN}",
- "X-MCP-Lockdown": "${{ steps.detect-repo-visibility.outputs.lockdown }}",
+ "X-MCP-Lockdown": "${{ steps.determine-automatic-lockdown.outputs.lockdown }}",
"X-MCP-Readonly": "true",
"X-MCP-Toolsets": "context,repos,issues,pull_requests"
},
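Review bot: `X-MCP-Lockdown` on the new line is interpolated straight from the step output, so when `determine-automatic-lockdown` is skipped by its new `if:` the header is sent as an empty string rather than `true` or `false`. How the remote MCP endpoint treats an empty value is not visible here. Normalising the value makes the outcome explicit and matches the explicit `'1'`/`'0'` mapping the container-based workflows use: `"X-MCP-Lockdown": "${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' }}",`.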
diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml
index 186973ccf8..aeb3d7378d 100644
--- a/.github/workflows/notion-issue-summary.lock.yml
+++ b/.github/workflows/notion-issue-summary.lock.yml
@@ -157,13 +157,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3 mcp/notion
- name: Write Safe Outputs Config
@@ -296,7 +297,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/org-wide-rollout.lock.yml b/.github/workflows/org-wide-rollout.lock.yml
index 3cd5faf810..206195a6f1 100644
--- a/.github/workflows/org-wide-rollout.lock.yml
+++ b/.github/workflows/org-wide-rollout.lock.yml
@@ -182,13 +182,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -514,7 +515,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=repos,issues,pull_requests,search",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml
index 96b6e75d77..dc3d80b0bb 100644
--- a/.github/workflows/pdf-summary.lock.yml
+++ b/.github/workflows/pdf-summary.lock.yml
@@ -223,13 +223,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -381,7 +382,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml
index 995c345fed..4c27f1f342 100644
--- a/.github/workflows/plan.lock.yml
+++ b/.github/workflows/plan.lock.yml
@@ -188,13 +188,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -440,7 +441,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests,discussions",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/playground-org-project-update-issue.lock.yml b/.github/workflows/playground-org-project-update-issue.lock.yml
index 88dc686db3..f540cea07a 100644
--- a/.github/workflows/playground-org-project-update-issue.lock.yml
+++ b/.github/workflows/playground-org-project-update-issue.lock.yml
@@ -148,13 +148,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -359,7 +360,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests,projects",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/playground-snapshots-refresh.lock.yml b/.github/workflows/playground-snapshots-refresh.lock.yml
index 750a1a2ad9..e89508bbc5 100644
--- a/.github/workflows/playground-snapshots-refresh.lock.yml
+++ b/.github/workflows/playground-snapshots-refresh.lock.yml
@@ -166,13 +166,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -350,7 +351,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml
index 66d574cf8d..e7e7884d76 100644
--- a/.github/workflows/poem-bot.lock.yml
+++ b/.github/workflows/poem-bot.lock.yml
@@ -205,13 +205,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -894,7 +895,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml
index da3265932a..7a6aeb07fa 100644
--- a/.github/workflows/portfolio-analyst.lock.yml
+++ b/.github/workflows/portfolio-analyst.lock.yml
@@ -221,13 +221,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -431,7 +432,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml
index 6b60964348..3d3f05b23e 100644
--- a/.github/workflows/pr-nitpick-reviewer.lock.yml
+++ b/.github/workflows/pr-nitpick-reviewer.lock.yml
@@ -216,13 +216,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -501,7 +502,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=pull_requests,repos",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml
index 7c9dae381c..4324a57e17 100644
--- a/.github/workflows/prompt-clustering-analysis.lock.yml
+++ b/.github/workflows/prompt-clustering-analysis.lock.yml
@@ -235,13 +235,14 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -411,7 +412,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=repos,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml
index 864157e84d..9c0166633d 100644
--- a/.github/workflows/python-data-charts.lock.yml
+++ b/.github/workflows/python-data-charts.lock.yml
@@ -193,13 +193,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Install gh-aw extension
@@ -419,7 +420,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml
index af798b6cc1..4eadfc3ec2 100644
--- a/.github/workflows/q.lock.yml
+++ b/.github/workflows/q.lock.yml
@@ -254,13 +254,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -481,7 +482,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests,actions,discussions",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml
index 1579e10e7b..cbea20cd0d 100644
--- a/.github/workflows/release.lock.yml
+++ b/.github/workflows/release.lock.yml
@@ -161,13 +161,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -340,7 +341,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml
index 9b9d64a137..a25bdfb683 100644
--- a/.github/workflows/repo-tree-map.lock.yml
+++ b/.github/workflows/repo-tree-map.lock.yml
@@ -155,13 +155,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -329,7 +330,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml
index c592f036b1..bc5c51590d 100644
--- a/.github/workflows/repository-quality-improver.lock.yml
+++ b/.github/workflows/repository-quality-improver.lock.yml
@@ -181,13 +181,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -355,7 +356,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml
index 1b1dce1c5a..65a03b8162 100644
--- a/.github/workflows/research.lock.yml
+++ b/.github/workflows/research.lock.yml
@@ -158,13 +158,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -332,7 +333,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml
index fac1e5f338..4196d3690d 100644
--- a/.github/workflows/safe-output-health.lock.yml
+++ b/.github/workflows/safe-output-health.lock.yml
@@ -187,13 +187,14 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -363,7 +364,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml
index 4db38711db..05b9d41eb1 100644
--- a/.github/workflows/schema-consistency-checker.lock.yml
+++ b/.github/workflows/schema-consistency-checker.lock.yml
@@ -165,13 +165,14 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -329,7 +330,7 @@ jobs:
"url": "https://api.githubcopilot.com/mcp/",
"headers": {
"Authorization": "Bearer $GITHUB_MCP_SERVER_TOKEN",
- "X-MCP-Lockdown": "${{ steps.detect-repo-visibility.outputs.lockdown }}",
+ "X-MCP-Lockdown": "${{ steps.determine-automatic-lockdown.outputs.lockdown }}",
"X-MCP-Readonly": "true",
"X-MCP-Toolsets": "context,repos,issues,pull_requests,discussions"
}
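Review bot: `X-MCP-Lockdown` receives the step output verbatim, so when `determine-automatic-lockdown` is skipped by its new `if:` the header is sent as an empty string rather than `false`. How the remote MCP endpoint treats an empty value is not visible here; rendering an explicit boolean removes the ambiguity: `"X-MCP-Lockdown": "${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' }}",`. The surrounding `headers` object starts outside the hunk.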
diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml
index 95420adf21..4538b5270e 100644
--- a/.github/workflows/scout.lock.yml
+++ b/.github/workflows/scout.lock.yml
@@ -246,13 +246,14 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3 mcp/arxiv-mcp-server mcp/context7
- name: Write Safe Outputs Config
@@ -431,7 +432,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml
index 0a399a92f4..204bdba9ec 100644
--- a/.github/workflows/security-compliance.lock.yml
+++ b/.github/workflows/security-compliance.lock.yml
@@ -165,13 +165,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -360,7 +361,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=repos,search,code_security",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/security-fix-pr.lock.yml b/.github/workflows/security-fix-pr.lock.yml
index 1805f4b51f..0effbcc82e 100644
--- a/.github/workflows/security-fix-pr.lock.yml
+++ b/.github/workflows/security-fix-pr.lock.yml
@@ -165,13 +165,14 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -347,7 +348,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,code_security,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml
index 27b0224ce0..1075084e3b 100644
--- a/.github/workflows/semantic-function-refactor.lock.yml
+++ b/.github/workflows/semantic-function-refactor.lock.yml
@@ -150,13 +150,14 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -381,7 +382,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml
index f1f58c0366..7a3643ba4c 100644
--- a/.github/workflows/slide-deck-maintainer.lock.yml
+++ b/.github/workflows/slide-deck-maintainer.lock.yml
@@ -180,13 +180,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3 mcr.microsoft.com/playwright/mcp
- name: Write Safe Outputs Config
@@ -364,7 +365,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml
index 9e295b1d70..b3a3f34c24 100644
--- a/.github/workflows/smoke-claude.lock.yml
+++ b/.github/workflows/smoke-claude.lock.yml
@@ -199,13 +199,14 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3 mcr.microsoft.com/playwright/mcp
- name: Write Safe Outputs Config
@@ -467,7 +468,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=repos,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/smoke-codex-firewall.lock.yml b/.github/workflows/smoke-codex-firewall.lock.yml
index 80ebac68d7..8b4ae9ca5f 100644
--- a/.github/workflows/smoke-codex-firewall.lock.yml
+++ b/.github/workflows/smoke-codex-firewall.lock.yml
@@ -172,13 +172,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml
index 45c3a285fb..f6cfc6a287 100644
--- a/.github/workflows/smoke-codex.lock.yml
+++ b/.github/workflows/smoke-codex.lock.yml
@@ -195,13 +195,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3 mcr.microsoft.com/playwright/mcp
- name: Write Safe Outputs Config
diff --git a/.github/workflows/smoke-copilot-no-firewall.lock.yml b/.github/workflows/smoke-copilot-no-firewall.lock.yml
index dbaf06b365..c78f6bab11 100644
--- a/.github/workflows/smoke-copilot-no-firewall.lock.yml
+++ b/.github/workflows/smoke-copilot-no-firewall.lock.yml
@@ -187,13 +187,14 @@ jobs:
# Verify installation
copilot --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3 mcr.microsoft.com/playwright/mcp
- name: Write Safe Outputs Config
@@ -480,7 +481,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/smoke-copilot-playwright.lock.yml b/.github/workflows/smoke-copilot-playwright.lock.yml
index a7c56b7a62..126ec0142b 100644
--- a/.github/workflows/smoke-copilot-playwright.lock.yml
+++ b/.github/workflows/smoke-copilot-playwright.lock.yml
@@ -207,13 +207,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3 mcr.microsoft.com/playwright/mcp
- name: Write Safe Outputs Config
@@ -573,7 +574,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml
index f5532c18fa..b92969da4c 100644
--- a/.github/workflows/smoke-copilot.lock.yml
+++ b/.github/workflows/smoke-copilot.lock.yml
@@ -188,13 +188,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -458,7 +459,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/smoke-detector.lock.yml b/.github/workflows/smoke-detector.lock.yml
index a246ad159d..7f1be928b3 100644
--- a/.github/workflows/smoke-detector.lock.yml
+++ b/.github/workflows/smoke-detector.lock.yml
@@ -223,13 +223,14 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -456,7 +457,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests,actions",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/smoke-srt-custom-config.lock.yml b/.github/workflows/smoke-srt-custom-config.lock.yml
index e599e97f5c..728ef9e877 100644
--- a/.github/workflows/smoke-srt-custom-config.lock.yml
+++ b/.github/workflows/smoke-srt-custom-config.lock.yml
@@ -148,13 +148,14 @@ jobs:
echo "Sandbox Runtime installed successfully"
- name: Install GitHub Copilot CLI
run: npm install --silent @github/copilot@0.0.374
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Setup MCPs
@@ -178,7 +179,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/smoke-srt.lock.yml b/.github/workflows/smoke-srt.lock.yml
index c7198e9195..265af4a637 100644
--- a/.github/workflows/smoke-srt.lock.yml
+++ b/.github/workflows/smoke-srt.lock.yml
@@ -164,13 +164,14 @@ jobs:
echo "Sandbox Runtime installed successfully"
- name: Install GitHub Copilot CLI
run: npm install --silent @github/copilot@0.0.374
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -286,7 +287,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/spec-kit-execute.lock.yml b/.github/workflows/spec-kit-execute.lock.yml
index 0c2b29ee7c..c58c3cde80 100644
--- a/.github/workflows/spec-kit-execute.lock.yml
+++ b/.github/workflows/spec-kit-execute.lock.yml
@@ -170,13 +170,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -345,7 +346,7 @@ jobs:
"url": "https://api.githubcopilot.com/mcp/",
"headers": {
"Authorization": "Bearer \${GITHUB_PERSONAL_ACCESS_TOKEN}",
- "X-MCP-Lockdown": "${{ steps.detect-repo-visibility.outputs.lockdown }}",
+ "X-MCP-Lockdown": "${{ steps.determine-automatic-lockdown.outputs.lockdown }}",
"X-MCP-Readonly": "true",
"X-MCP-Toolsets": "context,repos,issues,pull_requests"
},
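Review bot: `X-MCP-Lockdown` now reads the output of a step that is skipped when `GH_AW_GITHUB_MCP_SERVER_TOKEN` is unset, so the header is sent as an empty string rather than `true` or `false`. How the remote MCP endpoint treats an empty value is not visible here, so make the default explicit: `"X-MCP-Lockdown": "${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && 'true' || 'false' }}"`, the same coercion the `GITHUB_LOCKDOWN_MODE` hunks in the other lock files apply. In those hunks lockdown resolves to `0` whenever the secret is absent, which is worth confirming as intended, since the step being replaced carried no `if:` condition in these hunks. The JSON object continues outside the hunk.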
diff --git a/.github/workflows/spec-kit-executor.lock.yml b/.github/workflows/spec-kit-executor.lock.yml
index 4a65d6f29a..87a7aefd82 100644
--- a/.github/workflows/spec-kit-executor.lock.yml
+++ b/.github/workflows/spec-kit-executor.lock.yml
@@ -171,13 +171,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -355,7 +356,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/speckit-dispatcher.lock.yml b/.github/workflows/speckit-dispatcher.lock.yml
index 821ffec06f..0754d066b7 100644
--- a/.github/workflows/speckit-dispatcher.lock.yml
+++ b/.github/workflows/speckit-dispatcher.lock.yml
@@ -210,13 +210,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -483,7 +484,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml
index 2d04ebaae9..cd0455cad8 100644
--- a/.github/workflows/static-analysis-report.lock.yml
+++ b/.github/workflows/static-analysis-report.lock.yml
@@ -186,13 +186,14 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -362,7 +363,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests,actions",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml
index c674bea9c9..2ce9f6306b 100644
--- a/.github/workflows/sub-issue-closer.lock.yml
+++ b/.github/workflows/sub-issue-closer.lock.yml
@@ -149,13 +149,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -366,7 +367,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=issues",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml
index 541b0fb374..e9b2bfcbed 100644
--- a/.github/workflows/super-linter.lock.yml
+++ b/.github/workflows/super-linter.lock.yml
@@ -175,13 +175,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -370,7 +371,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml
index 96455ee8e6..173350bad5 100644
--- a/.github/workflows/technical-doc-writer.lock.yml
+++ b/.github/workflows/technical-doc-writer.lock.yml
@@ -190,13 +190,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -439,7 +440,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/terminal-stylist.lock.yml b/.github/workflows/terminal-stylist.lock.yml
index d5a72974aa..da00715ef3 100644
--- a/.github/workflows/terminal-stylist.lock.yml
+++ b/.github/workflows/terminal-stylist.lock.yml
@@ -159,13 +159,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -333,7 +334,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=repos",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml
index 060d926abb..b2bc58335f 100644
--- a/.github/workflows/tidy.lock.yml
+++ b/.github/workflows/tidy.lock.yml
@@ -198,13 +198,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -430,7 +431,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/typist.lock.yml b/.github/workflows/typist.lock.yml
index 1d3ca7195d..fcbba1b64a 100644
--- a/.github/workflows/typist.lock.yml
+++ b/.github/workflows/typist.lock.yml
@@ -161,13 +161,14 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -333,7 +334,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml
index 95df4d15f0..3fff8c8da6 100644
--- a/.github/workflows/unbloat-docs.lock.yml
+++ b/.github/workflows/unbloat-docs.lock.yml
@@ -206,13 +206,14 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3 mcr.microsoft.com/playwright/mcp
- name: Write Safe Outputs Config
@@ -453,7 +454,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml
index 6f1c9ca2fb..739d33b7af 100644
--- a/.github/workflows/video-analyzer.lock.yml
+++ b/.github/workflows/video-analyzer.lock.yml
@@ -165,13 +165,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -360,7 +361,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml
index f4fb4b2505..a12803902f 100644
--- a/.github/workflows/weekly-issue-summary.lock.yml
+++ b/.github/workflows/weekly-issue-summary.lock.yml
@@ -173,13 +173,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -376,7 +377,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=issues",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml
index 9e01ce8070..f0e88251a8 100644
--- a/.github/workflows/workflow-generator.lock.yml
+++ b/.github/workflows/workflow-generator.lock.yml
@@ -164,13 +164,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -383,7 +384,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml
index 1a9dd738a6..760f01a230 100644
--- a/.github/workflows/workflow-health-manager.lock.yml
+++ b/.github/workflows/workflow-health-manager.lock.yml
@@ -164,13 +164,14 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
- - name: Detect repository visibility for GitHub MCP lockdown
- id: detect-repo-visibility
+ - name: Determine automatic lockdown mode for GitHub MCP server
+ id: determine-automatic-lockdown
+ if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
- const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
- await detectRepoVisibility(github, context, core);
+ const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
+ await determineAutomaticLockdown(github, context, core);
- name: Downloading container images
run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
@@ -454,7 +455,7 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
- "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests,actions",
"ghcr.io/github/github-mcp-server:v0.26.3"
diff --git a/actions/setup/js/detect_repo_visibility.cjs b/actions/setup/js/determine_automatic_lockdown.cjs
similarity index 64%
rename from actions/setup/js/detect_repo_visibility.cjs
rename to actions/setup/js/determine_automatic_lockdown.cjs
index 607978a678..c75f34c147 100644
--- a/actions/setup/js/detect_repo_visibility.cjs
+++ b/actions/setup/js/determine_automatic_lockdown.cjs
@@ -2,7 +2,10 @@
///
/**
- * Detects repository visibility and sets lockdown mode for GitHub MCP server.
+ * Determines automatic lockdown mode for GitHub MCP server based on repository visibility.
+ *
+ * This function only applies when a custom GitHub MCP server token is defined
+ * (GH_AW_GITHUB_MCP_SERVER_TOKEN) and for public repositories.
*
* For public repositories, lockdown mode should be enabled (true) to prevent
* the GitHub token from accessing private repositories, which could leak
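Review bot: The added header sentence says the function applies only when GH_AW_GITHUB_MCP_SERVER_TOKEN is defined and only for public repositories, but nothing visible in the function checks the token, and its body handles private and internal repositories too. The token gate lives in the workflow step's `if:` condition, so the comment should say so: `* The calling workflow step runs this only when GH_AW_GITHUB_MCP_SERVER_TOKEN is set; the function itself handles every visibility and does not inspect the token.` The comment block continues past the end of this hunk.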
@@ -16,12 +19,12 @@
* @param {any} core - GitHub Actions core library
* @returns {Promise}
*/
-async function detectRepoVisibility(github, context, core) {
+async function determineAutomaticLockdown(github, context, core) {
try {
- core.info("Detecting repository visibility for GitHub MCP lockdown configuration");
+ core.info("Determining automatic lockdown mode for GitHub MCP server");
const { owner, repo } = context.repo;
- core.info(`Checking visibility for repository: ${owner}/${repo}`);
+ core.info(`Checking repository: ${owner}/${repo}`);
// Fetch repository information
const { data: repository } = await github.rest.repos.get({
@@ -39,21 +42,24 @@ async function detectRepoVisibility(github, context, core) {
// Public repos should have lockdown enabled to prevent token from accessing private repos
const shouldLockdown = !isPrivate;
- core.info(`Setting GitHub MCP lockdown: ${shouldLockdown}`);
+ core.info(`Automatic lockdown mode determined: ${shouldLockdown}`);
core.setOutput("lockdown", shouldLockdown.toString());
core.setOutput("visibility", visibility);
if (shouldLockdown) {
+ core.info("Automatic lockdown mode enabled for public repository");
core.warning("GitHub MCP lockdown mode enabled for public repository. " + "This prevents the GitHub token from accessing private repositories.");
+ } else {
+ core.info("Automatic lockdown mode disabled for private/internal repository");
}
} catch (error) {
const errorMessage = error instanceof Error ? error.message : String(error);
- core.error(`Failed to detect repository visibility: ${errorMessage}`);
+ core.error(`Failed to determine automatic lockdown mode: ${errorMessage}`);
// Default to lockdown mode for safety
core.setOutput("lockdown", "true");
core.setOutput("visibility", "unknown");
- core.warning("Failed to detect repository visibility. Defaulting to lockdown mode for security.");
+ core.warning("Failed to determine repository visibility. Defaulting to lockdown mode for security.");
}
}
-module.exports = detectRepoVisibility;
+module.exports = determineAutomaticLockdown;
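Review bot: On the public-repository path the added `core.info("Automatic lockdown mode enabled for public repository")` is immediately followed by a `core.warning` that states the same thing, so the run log reports it twice. Dropping the added info line and keeping the warning, alongside the new `else` message for private/internal repositories, leaves one message per outcome. The test hunks shown for determine_automatic_lockdown.test.cjs assert the new public message but add no assertion for the new private/internal one.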
diff --git a/actions/setup/js/detect_repo_visibility.test.cjs b/actions/setup/js/determine_automatic_lockdown.test.cjs
similarity index 73%
rename from actions/setup/js/detect_repo_visibility.test.cjs
rename to actions/setup/js/determine_automatic_lockdown.test.cjs
index 37e4a55a96..75df08b24d 100644
--- a/actions/setup/js/detect_repo_visibility.test.cjs
+++ b/actions/setup/js/determine_automatic_lockdown.test.cjs
@@ -1,10 +1,10 @@
import { describe, it, expect, beforeEach, vi } from "vitest";
-describe("detect_repo_visibility", () => {
+describe("determine_automatic_lockdown", () => {
let mockContext;
let mockGithub;
let mockCore;
- let detectRepoVisibility;
+ let determineAutomaticLockdown;
beforeEach(async () => {
vi.resetModules();
@@ -35,7 +35,7 @@ describe("detect_repo_visibility", () => {
};
// Import the module
- detectRepoVisibility = (await import("./detect_repo_visibility.cjs")).default;
+ determineAutomaticLockdown = (await import("./determine_automatic_lockdown.cjs")).default;
});
it("should set lockdown to true for public repository", async () => {
@@ -46,7 +46,7 @@ describe("detect_repo_visibility", () => {
},
});
- await detectRepoVisibility(mockGithub, mockContext, mockCore);
+ await determineAutomaticLockdown(mockGithub, mockContext, mockCore);
expect(mockGithub.rest.repos.get).toHaveBeenCalledWith({
owner: "test-owner",
@@ -65,7 +65,7 @@ describe("detect_repo_visibility", () => {
},
});
- await detectRepoVisibility(mockGithub, mockContext, mockCore);
+ await determineAutomaticLockdown(mockGithub, mockContext, mockCore);
expect(mockGithub.rest.repos.get).toHaveBeenCalledWith({
owner: "test-owner",
@@ -84,7 +84,7 @@ describe("detect_repo_visibility", () => {
},
});
- await detectRepoVisibility(mockGithub, mockContext, mockCore);
+ await determineAutomaticLockdown(mockGithub, mockContext, mockCore);
expect(mockCore.setOutput).toHaveBeenCalledWith("lockdown", "false");
expect(mockCore.setOutput).toHaveBeenCalledWith("visibility", "internal");
@@ -94,12 +94,12 @@ describe("detect_repo_visibility", () => {
const error = new Error("API request failed");
mockGithub.rest.repos.get.mockRejectedValue(error);
- await detectRepoVisibility(mockGithub, mockContext, mockCore);
+ await determineAutomaticLockdown(mockGithub, mockContext, mockCore);
- expect(mockCore.error).toHaveBeenCalledWith("Failed to detect repository visibility: API request failed");
+ expect(mockCore.error).toHaveBeenCalledWith("Failed to determine automatic lockdown mode: API request failed");
expect(mockCore.setOutput).toHaveBeenCalledWith("lockdown", "true");
expect(mockCore.setOutput).toHaveBeenCalledWith("visibility", "unknown");
- expect(mockCore.warning).toHaveBeenCalledWith(expect.stringContaining("Failed to detect repository visibility"));
+ expect(mockCore.warning).toHaveBeenCalledWith(expect.stringContaining("Failed to determine repository visibility"));
});
it("should infer visibility from private field when visibility field is missing", async () => {
@@ -110,7 +110,7 @@ describe("detect_repo_visibility", () => {
},
});
- await detectRepoVisibility(mockGithub, mockContext, mockCore);
+ await determineAutomaticLockdown(mockGithub, mockContext, mockCore);
expect(mockCore.setOutput).toHaveBeenCalledWith("lockdown", "true");
expect(mockCore.setOutput).toHaveBeenCalledWith("visibility", "public");
@@ -124,12 +124,13 @@ describe("detect_repo_visibility", () => {
},
});
- await detectRepoVisibility(mockGithub, mockContext, mockCore);
+ await determineAutomaticLockdown(mockGithub, mockContext, mockCore);
- expect(mockCore.info).toHaveBeenCalledWith("Detecting repository visibility for GitHub MCP lockdown configuration");
- expect(mockCore.info).toHaveBeenCalledWith("Checking visibility for repository: test-owner/test-repo");
+ expect(mockCore.info).toHaveBeenCalledWith("Determining automatic lockdown mode for GitHub MCP server");
+ expect(mockCore.info).toHaveBeenCalledWith("Checking repository: test-owner/test-repo");
expect(mockCore.info).toHaveBeenCalledWith("Repository visibility: public");
expect(mockCore.info).toHaveBeenCalledWith("Repository is private: false");
- expect(mockCore.info).toHaveBeenCalledWith("Setting GitHub MCP lockdown: true");
+ expect(mockCore.info).toHaveBeenCalledWith("Automatic lockdown mode determined: true");
+ expect(mockCore.info).toHaveBeenCalledWith("Automatic lockdown mode enabled for public repository");
});
});
diff --git a/docs/src/content/docs/guides/security.md b/docs/src/content/docs/guides/security.md
index ef54d0822b..81c0b63e74 100644
--- a/docs/src/content/docs/guides/security.md
+++ b/docs/src/content/docs/guides/security.md
@@ -250,23 +250,25 @@ The compiler generates per-tool Squid proxies; MCP egress is forced through ipta
#### Automatic GitHub Lockdown on Public Repositories
-When using the GitHub MCP tool in public repositories, lockdown mode is **automatically enabled by default** to prevent accidental data leakage. This security feature restricts the GitHub token from accessing private repositories, ensuring that workflows running in public repositories cannot inadvertently expose sensitive information.
+When using the GitHub MCP tool with a custom token (`GH_AW_GITHUB_MCP_SERVER_TOKEN`), lockdown mode is **automatically determined based on repository visibility** to prevent accidental data leakage. This security feature restricts the GitHub token from accessing private repositories when running in public repositories.
-**How Automatic Detection Works:**
+**How Automatic Determination Works:**
-The system automatically detects repository visibility at workflow runtime:
+When `GH_AW_GITHUB_MCP_SERVER_TOKEN` is defined, the system automatically determines lockdown mode at workflow runtime based on repository visibility:
- **Public repositories**: Lockdown mode is automatically enabled. The GitHub MCP server limits surfaced content to items authored by users with push access to the repository.
- **Private/internal repositories**: Lockdown mode is automatically disabled since there's no risk of exposing private repository access.
- **Detection failure**: If repository visibility cannot be determined, the system defaults to lockdown mode for maximum security.
-**No Configuration Required:**
+**When using default `GITHUB_TOKEN`**: Automatic determination is skipped and lockdown defaults to disabled (no restriction).
+
+**Minimal Configuration:**
```yaml wrap
tools:
github:
- # Lockdown is automatically enabled for public repos
- # No explicit configuration needed
+ # Lockdown is automatically determined for public repos
+ # when GH_AW_GITHUB_MCP_SERVER_TOKEN is defined
```
**Manual Override (Optional):**
@@ -287,10 +289,10 @@ Explicitly setting `lockdown: false` in a public repository disables this securi
**Security Benefits:**
-- **Prevents token scope leakage**: Even if a GitHub token has access to private repositories, lockdown mode prevents that access from being used in public repository workflows
+- **Prevents token scope leakage**: When using a custom token with private repository access, lockdown mode prevents that access from being used in public repository workflows
- **Defense in depth**: Adds an additional layer of protection beyond token scoping
-- **Automatic and transparent**: Works without any configuration changes
-- **Safe by default**: Failures default to the most secure setting
+- **Automatic and transparent**: Works automatically when `GH_AW_GITHUB_MCP_SERVER_TOKEN` is defined
+- **Safe by default**: Detection failures default to the most secure setting
See also: [GitHub MCP Tool Configuration](/gh-aw/reference/tools/#github-tools-github) for complete tool configuration options.
diff --git a/docs/src/content/docs/reference/tools.md b/docs/src/content/docs/reference/tools.md
index d6c5cd743c..831965784a 100644
--- a/docs/src/content/docs/reference/tools.md
+++ b/docs/src/content/docs/reference/tools.md
@@ -110,16 +110,16 @@ Setup: `gh aw secrets set GH_AW_GITHUB_TOKEN --value ""`
**Read-Only**: Default behavior; restricts to read operations unless write operations configured.
-**Lockdown**: Automatically enabled for public repositories to prevent accidental data leakage. Filters public repository content to items from users with push access. Private repositories are unaffected.
+**Lockdown**: Automatically determined based on repository visibility when using a custom token (`GH_AW_GITHUB_MCP_SERVER_TOKEN`). Filters public repository content to items from users with push access. Private repositories are unaffected.
-- **Automatic (default)**: Lockdown is automatically enabled for public repositories and disabled for private/internal repositories
-- **Manual override**: Explicitly set `lockdown: true` or `lockdown: false` to override automatic detection
+- **Automatic (default)**: When `GH_AW_GITHUB_MCP_SERVER_TOKEN` is defined, lockdown is automatically enabled for public repositories and disabled for private/internal repositories
+- **Manual override**: Explicitly set `lockdown: true` or `lockdown: false` to override automatic determination
```yaml wrap
tools:
github:
- # Option 1: Automatic (recommended) - no configuration needed
- # Lockdown automatically enabled for public repos
+ # Option 1: Automatic (recommended) - determined at runtime
+ # Lockdown automatically enabled for public repos when GH_AW_GITHUB_MCP_SERVER_TOKEN is set
# Option 2: Explicit override
lockdown: true # Force enable
diff --git a/pkg/workflow/github_lockdown_autodetect_test.go b/pkg/workflow/github_lockdown_autodetect_test.go
index 922146be51..afd66dc6ff 100644
--- a/pkg/workflow/github_lockdown_autodetect_test.go
+++ b/pkg/workflow/github_lockdown_autodetect_test.go
@@ -13,10 +13,11 @@ func TestGitHubLockdownAutodetection(t *testing.T) {
workflow string
expectedDetectStep bool
expectedLockdown string // "auto" means use step output expression, "true" means hardcoded true, "false" means not present
+ expectIfCondition bool // true if step should have if: condition
description string
}{
{
- name: "Auto-detection enabled when lockdown not specified",
+ name: "Auto-determination enabled when lockdown not specified",
workflow: `---
on: issues
engine: copilot
@@ -28,14 +29,15 @@ tools:
# Test Workflow
-Test automatic lockdown detection.
+Test automatic lockdown determination.
`,
expectedDetectStep: true,
expectedLockdown: "auto",
- description: "When lockdown is not specified, detection step should be added and lockdown should use step output",
+ expectIfCondition: true,
+ description: "When lockdown is not specified, determination step should be added with if condition",
},
{
- name: "No auto-detection when lockdown explicitly set to true",
+ name: "No auto-determination when lockdown explicitly set to true",
workflow: `---
on: issues
engine: copilot
@@ -52,10 +54,11 @@ Test with explicit lockdown enabled.
`,
expectedDetectStep: false,
expectedLockdown: "true",
- description: "When lockdown is explicitly true, no detection step and lockdown should be hardcoded",
+ expectIfCondition: false,
+ description: "When lockdown is explicitly true, no determination step and lockdown should be hardcoded",
},
{
- name: "No auto-detection when lockdown explicitly set to false",
+ name: "No auto-determination when lockdown explicitly set to false",
workflow: `---
on: issues
engine: copilot
@@ -72,10 +75,11 @@ Test with explicit lockdown disabled.
`,
expectedDetectStep: false,
expectedLockdown: "false",
- description: "When lockdown is explicitly false, no detection step and no lockdown setting",
+ expectIfCondition: false,
+ description: "When lockdown is explicitly false, no determination step and no lockdown setting",
},
{
- name: "Auto-detection with remote mode",
+ name: "Auto-determination with remote mode",
workflow: `---
on: issues
engine: copilot
@@ -87,11 +91,12 @@ tools:
# Test Workflow
-Test auto-detection with remote GitHub MCP.
+Test auto-determination with remote GitHub MCP.
`,
expectedDetectStep: true,
expectedLockdown: "auto",
- description: "Auto-detection should work with remote mode too",
+ expectIfCondition: true,
+ description: "Auto-determination should work with remote mode",
},
}
@@ -125,19 +130,26 @@ Test auto-detection with remote GitHub MCP.
yaml := string(lockContent)
// Check if detection step is present
- detectStepPresent := strings.Contains(yaml, "Detect repository visibility for GitHub MCP lockdown") &&
- strings.Contains(yaml, "detect-repo-visibility") &&
- strings.Contains(yaml, "detect_repo_visibility.cjs")
+ detectStepPresent := strings.Contains(yaml, "Determine automatic lockdown mode for GitHub MCP server") &&
+ strings.Contains(yaml, "determine-automatic-lockdown") &&
+ strings.Contains(yaml, "determine_automatic_lockdown.cjs")
if detectStepPresent != tt.expectedDetectStep {
t.Errorf("%s: Detection step presence = %v, want %v", tt.description, detectStepPresent, tt.expectedDetectStep)
}
+ // Check if the step has the if condition when expected
+ if tt.expectIfCondition && detectStepPresent {
+ if !strings.Contains(yaml, "if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''") {
+ t.Errorf("%s: Expected if condition for GH_AW_GITHUB_MCP_SERVER_TOKEN", tt.description)
+ }
+ }
+
// Check lockdown configuration based on expected value
switch tt.expectedLockdown {
case "auto":
// Should use step output expression
- if !strings.Contains(yaml, "steps.detect-repo-visibility.outputs.lockdown") {
+ if !strings.Contains(yaml, "steps.determine-automatic-lockdown.outputs.lockdown") {
t.Errorf("%s: Expected lockdown to use step output expression", tt.description)
}
case "true":
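Review bot: The new `expectIfCondition` field is checked only in the positive direction and only when the step is present, so the two cases that set it to `false` assert nothing about the condition. Comparing both ways closes that gap: `if got := strings.Contains(yaml, "if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''"); got != tt.expectIfCondition { t.Errorf("%s: if condition present = %v, want %v", tt.description, got, tt.expectIfCondition) }`. The match is also file-wide rather than tied to the determination step, and a substring test cannot show whether GitHub Actions accepts the expression. The test function starts and ends outside this hunk.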
@@ -169,7 +181,7 @@ tools:
# Test Workflow
-Test automatic lockdown detection with Claude.
+Test automatic lockdown determination with Claude.
`
// Create temporary directory for test
@@ -200,15 +212,20 @@ Test automatic lockdown detection with Claude.
yaml := string(lockContent)
// Check if detection step is present
- detectStepPresent := strings.Contains(yaml, "Detect repository visibility for GitHub MCP lockdown") &&
- strings.Contains(yaml, "detect-repo-visibility")
+ detectStepPresent := strings.Contains(yaml, "Determine automatic lockdown mode for GitHub MCP server") &&
+ strings.Contains(yaml, "determine-automatic-lockdown")
if !detectStepPresent {
- t.Error("Detection step should be present for Claude engine")
+ t.Error("Determination step should be present for Claude engine")
+ }
+
+ // Check if the step has the if condition
+ if !strings.Contains(yaml, "if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''") {
+ t.Error("Expected if condition for GH_AW_GITHUB_MCP_SERVER_TOKEN in determination step")
}
// Check if lockdown uses step output expression
- if !strings.Contains(yaml, "steps.detect-repo-visibility.outputs.lockdown") {
+ if !strings.Contains(yaml, "steps.determine-automatic-lockdown.outputs.lockdown") {
t.Error("Expected lockdown to use step output expression for Claude engine")
}
}
diff --git a/pkg/workflow/mcp_renderer.go b/pkg/workflow/mcp_renderer.go
index 38f9a2a8d5..51fca136bc 100644
--- a/pkg/workflow/mcp_renderer.go
+++ b/pkg/workflow/mcp_renderer.go
@@ -45,7 +45,12 @@ func (r *MCPConfigRendererUnified) RenderGitHubMCP(yaml *strings.Builder, github
// Get lockdown value - use detected value if lockdown wasn't explicitly set
lockdown := getGitHubLockdown(githubTool)
- if !hasGitHubLockdownExplicitlySet(githubTool) {
+
+ // Check if automatic lockdown determination step will be generated
+ // The step is always generated when lockdown is not explicitly set
+ shouldUseStepOutput := !hasGitHubLockdownExplicitlySet(githubTool)
+
+ if shouldUseStepOutput {
// Use the detected lockdown value from the step output
// This will be evaluated at runtime based on repository visibility
lockdown = true // This is a placeholder - actual value comes from step output
@@ -53,8 +58,8 @@ func (r *MCPConfigRendererUnified) RenderGitHubMCP(yaml *strings.Builder, github
toolsets := getGitHubToolsets(githubTool)
- mcpRendererLog.Printf("Rendering GitHub MCP: type=%s, read_only=%t, lockdown=%t (explicit=%t), toolsets=%v, format=%s",
- githubType, readOnly, lockdown, hasGitHubLockdownExplicitlySet(githubTool), toolsets, r.options.Format)
+ mcpRendererLog.Printf("Rendering GitHub MCP: type=%s, read_only=%t, lockdown=%t (explicit=%t, use_step=%t), toolsets=%v, format=%s",
+ githubType, readOnly, lockdown, hasGitHubLockdownExplicitlySet(githubTool), shouldUseStepOutput, toolsets, r.options.Format)
if r.options.Format == "toml" {
r.renderGitHubTOML(yaml, githubTool, workflowData)
@@ -76,7 +81,7 @@ func (r *MCPConfigRendererUnified) RenderGitHubMCP(yaml *strings.Builder, github
RenderGitHubMCPRemoteConfig(yaml, GitHubMCPRemoteOptions{
ReadOnly: readOnly,
Lockdown: lockdown,
- LockdownFromStep: !hasGitHubLockdownExplicitlySet(githubTool),
+ LockdownFromStep: shouldUseStepOutput,
Toolsets: toolsets,
AuthorizationValue: authValue,
IncludeToolsField: r.options.IncludeCopilotFields,
@@ -91,7 +96,7 @@ func (r *MCPConfigRendererUnified) RenderGitHubMCP(yaml *strings.Builder, github
RenderGitHubMCPDockerConfig(yaml, GitHubMCPDockerOptions{
ReadOnly: readOnly,
Lockdown: lockdown,
- LockdownFromStep: !hasGitHubLockdownExplicitlySet(githubTool),
+ LockdownFromStep: shouldUseStepOutput,
Toolsets: toolsets,
DockerImageVersion: githubDockerImageVersion,
CustomArgs: customArgs,
@@ -481,9 +486,9 @@ func RenderGitHubMCPDockerConfig(yaml *strings.Builder, options GitHubMCPDockerO
}
if options.LockdownFromStep {
- // Use lockdown value from step output (detected based on repository visibility)
+ // Use lockdown value from step output (determined based on repository visibility)
yaml.WriteString(" \"-e\",\n")
- yaml.WriteString(" \"GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}\",\n")
+ yaml.WriteString(" \"GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}\",\n")
} else if options.Lockdown {
// Use explicit lockdown value from configuration
yaml.WriteString(" \"-e\",\n")
@@ -579,8 +584,8 @@ func RenderGitHubMCPRemoteConfig(yaml *strings.Builder, options GitHubMCPRemoteO
// Add X-MCP-Lockdown header if lockdown mode is enabled
if options.LockdownFromStep {
- // Use lockdown value from step output (detected based on repository visibility)
- headers["X-MCP-Lockdown"] = "${{ steps.detect-repo-visibility.outputs.lockdown }}"
+ // Use lockdown value from step output (determined based on repository visibility)
+ headers["X-MCP-Lockdown"] = "${{ steps.determine-automatic-lockdown.outputs.lockdown }}"
} else if options.Lockdown {
// Use explicit lockdown value from configuration
headers["X-MCP-Lockdown"] = "true"
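Review bot: When the determination step is skipped by its new `if:` condition, `steps.determine-automatic-lockdown.outputs.lockdown` is empty, so the remote configuration sends `X-MCP-Lockdown` with an empty value rather than an explicit `false`. The Docker path in the previous hunk normalises the same output with `== 'true' && '1' || '0'`; doing the same here keeps the header well defined: `headers["X-MCP-Lockdown"] = "${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && 'true' || 'false' }}"`. How the remote server treats an empty header is not visible in this diff, so that is worth confirming either way. RenderGitHubMCPRemoteConfig continues outside the hunk.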
diff --git a/pkg/workflow/mcp_servers.go b/pkg/workflow/mcp_servers.go
index d86bfa423d..11a2baef8c 100644
--- a/pkg/workflow/mcp_servers.go
+++ b/pkg/workflow/mcp_servers.go
@@ -770,10 +770,11 @@ func replaceExpressionsInPlaywrightArgs(args []string, expressions map[string]st
return strings.Split(replaced, "\n")
}
-// generateGitHubMCPLockdownDetectionStep generates a step to detect repository visibility
-// and set the lockdown mode accordingly. This step is only added when:
+// generateGitHubMCPLockdownDetectionStep generates a step to determine automatic lockdown mode
+// for GitHub MCP server based on repository visibility. This step is added when:
// - GitHub tool is enabled AND
// - lockdown field is not explicitly specified in the workflow configuration
+// The step includes a runtime condition that only executes if GH_AW_GITHUB_MCP_SERVER_TOKEN is defined
func (c *Compiler) generateGitHubMCPLockdownDetectionStep(yaml *strings.Builder, data *WorkflowData) {
// Check if GitHub tool is present
githubTool, hasGitHub := data.Tools["github"]
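Review bot: The updated doc comment should also state what happens when the runtime condition is false: the step is skipped, its `lockdown` output is empty, and the renderer's `== 'true'` expression resolves to lockdown disabled, so the fail-closed default in determine_automatic_lockdown.cjs is never reached. That narrows the previous behaviour, where every public repository got lockdown unless it was set explicitly. If a token with private-repository access can reach the MCP server through any secret other than GH_AW_GITHUB_MCP_SERVER_TOKEN (docs/reference/tools.md mentions `GH_AW_GITHUB_TOKEN`), a public repository would now run without lockdown; please confirm the token resolution order and gate on every custom token source. The function body continues past this hunk.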
@@ -783,11 +784,11 @@ func (c *Compiler) generateGitHubMCPLockdownDetectionStep(yaml *strings.Builder,
// Check if lockdown is already explicitly set
if hasGitHubLockdownExplicitlySet(githubTool) {
- mcpServersLog.Print("Lockdown explicitly set in workflow, skipping auto-detection")
+ mcpServersLog.Print("Lockdown explicitly set in workflow, skipping automatic lockdown determination")
return
}
- mcpServersLog.Print("Generating GitHub MCP lockdown auto-detection step")
+ mcpServersLog.Print("Generating automatic lockdown determination step for GitHub MCP server")
// Resolve the latest version of actions/github-script
actionRepo := "actions/github-script"
@@ -800,12 +801,14 @@ func (c *Compiler) generateGitHubMCPLockdownDetectionStep(yaml *strings.Builder,
pinnedAction = fmt.Sprintf("%s@%s", actionRepo, actionVersion)
}
- // Generate the step using the detect_repo_visibility.cjs action
- yaml.WriteString(" - name: Detect repository visibility for GitHub MCP lockdown\n")
- yaml.WriteString(" id: detect-repo-visibility\n")
+ // Generate the step using the determine_automatic_lockdown.cjs action
+ // The step only runs if GH_AW_GITHUB_MCP_SERVER_TOKEN secret is defined
+ yaml.WriteString(" - name: Determine automatic lockdown mode for GitHub MCP server\n")
+ yaml.WriteString(" id: determine-automatic-lockdown\n")
+ yaml.WriteString(" if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''\n")
fmt.Fprintf(yaml, " uses: %s\n", pinnedAction)
yaml.WriteString(" with:\n")
yaml.WriteString(" script: |\n")
- yaml.WriteString(" const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');\n")
- yaml.WriteString(" await detectRepoVisibility(github, context, core);\n")
+ yaml.WriteString(" const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');\n")
+ yaml.WriteString(" await determineAutomaticLockdown(github, context, core);\n")
}
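Review bot: The generated `if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''` reads the `secrets` context in a step-level conditional, which GitHub's documentation says is not supported (secrets cannot be referenced directly in `if:`), so the workflow may be rejected or the condition may not evaluate as intended. The documented pattern is to expose the secret as a job-level `env` entry and test `env.NAME != ''`. An alternative is to always run the step, pass `${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != '' }}` through the step's `env`, and let determine_automatic_lockdown.cjs decide; that form also keeps the `lockdown` output defined on every run. The same line is written into each regenerated .lock.yml in this commit. The function starts outside this hunk.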