diff --git a/.changeset/patch-auto-detect-github-mcp-lockdown.md b/.changeset/patch-auto-detect-github-mcp-lockdown.md
new file mode 100644
index 00000000000..be18e3c5f5b
--- /dev/null
+++ b/.changeset/patch-auto-detect-github-mcp-lockdown.md
@@ -0,0 +1,11 @@
+---
+"gh-aw": patch
+---
+
+Auto-detect GitHub MCP lockdown based on repository visibility.
+
+When the GitHub tool is enabled and `lockdown` is not specified, the
+compiler inserts a detection step that sets `lockdown: true` for public
+repositories and `false` for private/internal repositories. The detection
+defaults to lockdown on API failure for safety.
+
diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml
index 5f09a44f2b6..186d33f0835 100644
--- a/.github/workflows/agent-performance-analyzer.lock.yml
+++ b/.github/workflows/agent-performance-analyzer.lock.yml
@@ -183,6 +183,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -510,6 +517,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests,actions",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/ai-moderator.lock.yml b/.github/workflows/ai-moderator.lock.yml
index a653694b82d..5ab70467872 100644
--- a/.github/workflows/ai-moderator.lock.yml
+++ b/.github/workflows/ai-moderator.lock.yml
@@ -191,6 +191,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -401,6 +408,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml
index 614a9484660..ea6e9d0aba1 100644
--- a/.github/workflows/archie.lock.yml
+++ b/.github/workflows/archie.lock.yml
@@ -227,6 +227,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -406,6 +413,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml
index 98fbfd2ac1c..b2505b53a9e 100644
--- a/.github/workflows/artifacts-summary.lock.yml
+++ b/.github/workflows/artifacts-summary.lock.yml
@@ -174,6 +174,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -369,6 +376,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=actions,repos",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml
index 9c4a25f127d..e691a6d5831 100644
--- a/.github/workflows/audit-workflows.lock.yml
+++ b/.github/workflows/audit-workflows.lock.yml
@@ -243,6 +243,13 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -469,6 +476,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml
index e5461993f63..c0babb3f05b 100644
--- a/.github/workflows/blog-auditor.lock.yml
+++ b/.github/workflows/blog-auditor.lock.yml
@@ -171,6 +171,13 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -365,6 +372,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml
index 3bfd14577a6..f6fafcd7b9f 100644
--- a/.github/workflows/brave.lock.yml
+++ b/.github/workflows/brave.lock.yml
@@ -206,6 +206,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -404,6 +411,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml
index 8994ac2c7b3..68be6b0f14c 100644
--- a/.github/workflows/breaking-change-checker.lock.yml
+++ b/.github/workflows/breaking-change-checker.lock.yml
@@ -171,6 +171,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -387,6 +394,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=repos",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/campaign-generator.lock.yml b/.github/workflows/campaign-generator.lock.yml
index 3157f55bc44..3719e597f20 100644
--- a/.github/workflows/campaign-generator.lock.yml
+++ b/.github/workflows/campaign-generator.lock.yml
@@ -185,6 +185,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -425,6 +432,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/campaign-manager.lock.yml b/.github/workflows/campaign-manager.lock.yml
index 2931b1c16d5..a38ac105771 100644
--- a/.github/workflows/campaign-manager.lock.yml
+++ b/.github/workflows/campaign-manager.lock.yml
@@ -183,6 +183,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -564,6 +571,7 @@ jobs:
"url": "https://api.githubcopilot.com/mcp/",
"headers": {
"Authorization": "Bearer \${GITHUB_PERSONAL_ACCESS_TOKEN}",
+ "X-MCP-Lockdown": "${{ steps.detect-repo-visibility.outputs.lockdown }}",
"X-MCP-Readonly": "true",
"X-MCP-Toolsets": "context,repos,issues,pull_requests,actions,projects"
},
diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml
index e860551b885..b62026b99ce 100644
--- a/.github/workflows/changeset.lock.yml
+++ b/.github/workflows/changeset.lock.yml
@@ -212,6 +212,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml
index 30f547fa8f0..73c153fb122 100644
--- a/.github/workflows/ci-coach.lock.yml
+++ b/.github/workflows/ci-coach.lock.yml
@@ -225,6 +225,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -430,6 +437,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml
index 3e4e78df07f..54ae0256265 100644
--- a/.github/workflows/ci-doctor.lock.yml
+++ b/.github/workflows/ci-doctor.lock.yml
@@ -197,6 +197,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -450,6 +457,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml
index a7f313a4489..1b435d06049 100644
--- a/.github/workflows/cli-consistency-checker.lock.yml
+++ b/.github/workflows/cli-consistency-checker.lock.yml
@@ -170,6 +170,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -387,6 +394,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml
index b3c77946e87..a58b7ddcf9d 100644
--- a/.github/workflows/cli-version-checker.lock.yml
+++ b/.github/workflows/cli-version-checker.lock.yml
@@ -185,6 +185,13 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -399,6 +406,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml
index b79bbf5af50..7b0e92b7537 100644
--- a/.github/workflows/cloclo.lock.yml
+++ b/.github/workflows/cloclo.lock.yml
@@ -276,6 +276,13 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -520,6 +527,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/close-old-discussions.lock.yml b/.github/workflows/close-old-discussions.lock.yml
index 7911d5a618f..57a67036bbb 100644
--- a/.github/workflows/close-old-discussions.lock.yml
+++ b/.github/workflows/close-old-discussions.lock.yml
@@ -199,6 +199,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml
index 84594bff919..929e934b7c6 100644
--- a/.github/workflows/commit-changes-analyzer.lock.yml
+++ b/.github/workflows/commit-changes-analyzer.lock.yml
@@ -173,6 +173,13 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -366,6 +373,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml
index 06aa1cc5de3..7c075b022d8 100644
--- a/.github/workflows/copilot-agent-analysis.lock.yml
+++ b/.github/workflows/copilot-agent-analysis.lock.yml
@@ -203,6 +203,13 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -396,6 +403,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml
index a013ac06e62..20b10c7d4fd 100644
--- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml
+++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml
@@ -238,6 +238,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -462,6 +469,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml
index 4806ab2561d..a2955473209 100644
--- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml
+++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml
@@ -206,6 +206,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -401,6 +408,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml
index 4d03420b78d..876ddab0e66 100644
--- a/.github/workflows/copilot-session-insights.lock.yml
+++ b/.github/workflows/copilot-session-insights.lock.yml
@@ -229,6 +229,13 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -451,6 +458,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml
index 15fdf775621..86c77ce9777 100644
--- a/.github/workflows/craft.lock.yml
+++ b/.github/workflows/craft.lock.yml
@@ -207,6 +207,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -434,6 +441,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml
index a1d8afd26be..6e71844c2b0 100644
--- a/.github/workflows/daily-assign-issue-to-user.lock.yml
+++ b/.github/workflows/daily-assign-issue-to-user.lock.yml
@@ -169,6 +169,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -397,6 +404,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=issues,pull_requests,repos",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml
index e177c96e9a1..f127c213216 100644
--- a/.github/workflows/daily-choice-test.lock.yml
+++ b/.github/workflows/daily-choice-test.lock.yml
@@ -165,6 +165,13 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -306,6 +313,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml
index 27522f231c6..8b9732cec28 100644
--- a/.github/workflows/daily-code-metrics.lock.yml
+++ b/.github/workflows/daily-code-metrics.lock.yml
@@ -216,6 +216,13 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -409,6 +416,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/daily-copilot-token-report.lock.yml b/.github/workflows/daily-copilot-token-report.lock.yml
index 093b6da2d87..ced564e1ee3 100644
--- a/.github/workflows/daily-copilot-token-report.lock.yml
+++ b/.github/workflows/daily-copilot-token-report.lock.yml
@@ -236,6 +236,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -460,6 +467,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml
index beea58511ec..115bca37618 100644
--- a/.github/workflows/daily-doc-updater.lock.yml
+++ b/.github/workflows/daily-doc-updater.lock.yml
@@ -178,6 +178,13 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -381,6 +388,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml
index 4b2ed8d6d30..3cf77b80800 100644
--- a/.github/workflows/daily-fact.lock.yml
+++ b/.github/workflows/daily-fact.lock.yml
@@ -156,6 +156,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml
index ebdb4f1eaac..cebeb940d06 100644
--- a/.github/workflows/daily-file-diet.lock.yml
+++ b/.github/workflows/daily-file-diet.lock.yml
@@ -237,6 +237,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -482,6 +489,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml
index 0b1ea9b2c82..2f7becf12fa 100644
--- a/.github/workflows/daily-firewall-report.lock.yml
+++ b/.github/workflows/daily-firewall-report.lock.yml
@@ -239,6 +239,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -470,6 +477,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests,actions",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml
index d5b0e78c74a..ef1c2794fb6 100644
--- a/.github/workflows/daily-issues-report.lock.yml
+++ b/.github/workflows/daily-issues-report.lock.yml
@@ -223,6 +223,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
diff --git a/.github/workflows/daily-malicious-code-scan.lock.yml b/.github/workflows/daily-malicious-code-scan.lock.yml
index a1e894e6cae..1a54e64ecd4 100644
--- a/.github/workflows/daily-malicious-code-scan.lock.yml
+++ b/.github/workflows/daily-malicious-code-scan.lock.yml
@@ -170,6 +170,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -406,6 +413,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=repos,code_security",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml
index b14525a268f..10c7bf2214d 100644
--- a/.github/workflows/daily-multi-device-docs-tester.lock.yml
+++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml
@@ -175,6 +175,13 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -419,6 +426,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml
index 0d6bdd25245..d39fb2a6433 100644
--- a/.github/workflows/daily-news.lock.yml
+++ b/.github/workflows/daily-news.lock.yml
@@ -233,6 +233,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -458,6 +465,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml
index e1567d8fdfe..ea82abd86ec 100644
--- a/.github/workflows/daily-performance-summary.lock.yml
+++ b/.github/workflows/daily-performance-summary.lock.yml
@@ -213,6 +213,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml
index 73fe239b1df..427c61ccf00 100644
--- a/.github/workflows/daily-repo-chronicle.lock.yml
+++ b/.github/workflows/daily-repo-chronicle.lock.yml
@@ -213,6 +213,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -437,6 +444,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests,discussions",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml
index d47aaeba0cb..67237463c60 100644
--- a/.github/workflows/daily-team-status.lock.yml
+++ b/.github/workflows/daily-team-status.lock.yml
@@ -183,6 +183,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -399,6 +406,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml
index e89ada462b6..a5ef68c3489 100644
--- a/.github/workflows/daily-workflow-updater.lock.yml
+++ b/.github/workflows/daily-workflow-updater.lock.yml
@@ -170,6 +170,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -375,6 +382,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml
index 9f3f9bd8dfd..edecb983b36 100644
--- a/.github/workflows/deep-report.lock.yml
+++ b/.github/workflows/deep-report.lock.yml
@@ -223,6 +223,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
diff --git a/.github/workflows/dependabot-go-checker.lock.yml b/.github/workflows/dependabot-go-checker.lock.yml
index 95676bfa2ac..a72a6cdd886 100644
--- a/.github/workflows/dependabot-go-checker.lock.yml
+++ b/.github/workflows/dependabot-go-checker.lock.yml
@@ -171,6 +171,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -426,6 +433,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests,dependabot",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml
index 1c31686f905..75e786bf6f5 100644
--- a/.github/workflows/dev-hawk.lock.yml
+++ b/.github/workflows/dev-hawk.lock.yml
@@ -200,6 +200,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -396,6 +403,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=pull_requests,actions,repos",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml
index f3e30d3b59c..0d6bde29dc3 100644
--- a/.github/workflows/dev.lock.yml
+++ b/.github/workflows/dev.lock.yml
@@ -171,6 +171,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -350,6 +357,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=issues",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml
index 0612c1a9fe5..84bc45f3a7d 100644
--- a/.github/workflows/developer-docs-consolidator.lock.yml
+++ b/.github/workflows/developer-docs-consolidator.lock.yml
@@ -196,6 +196,13 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -451,6 +458,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml
index e16ade3faab..b4aa21b5ff5 100644
--- a/.github/workflows/dictation-prompt.lock.yml
+++ b/.github/workflows/dictation-prompt.lock.yml
@@ -173,6 +173,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -378,6 +385,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml
index b19380afa90..36c3f653381 100644
--- a/.github/workflows/docs-noob-tester.lock.yml
+++ b/.github/workflows/docs-noob-tester.lock.yml
@@ -173,6 +173,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -398,6 +405,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml
index fb3f16c4307..456148ef96a 100644
--- a/.github/workflows/duplicate-code-detector.lock.yml
+++ b/.github/workflows/duplicate-code-detector.lock.yml
@@ -179,6 +179,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
diff --git a/.github/workflows/example-permissions-warning.lock.yml b/.github/workflows/example-permissions-warning.lock.yml
index c696340f6e4..54ccfb75105 100644
--- a/.github/workflows/example-permissions-warning.lock.yml
+++ b/.github/workflows/example-permissions-warning.lock.yml
@@ -159,6 +159,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -208,6 +215,8 @@ jobs:
"-e",
"GITHUB_PERSONAL_ACCESS_TOKEN",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml
index a72dfa9ae9e..1b7ed47bbd1 100644
--- a/.github/workflows/example-workflow-analyzer.lock.yml
+++ b/.github/workflows/example-workflow-analyzer.lock.yml
@@ -172,6 +172,13 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -386,6 +393,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests,actions",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml
index b6bc38c21ae..166c0ad09f6 100644
--- a/.github/workflows/firewall-escape.lock.yml
+++ b/.github/workflows/firewall-escape.lock.yml
@@ -182,6 +182,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -234,6 +241,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/firewall.lock.yml b/.github/workflows/firewall.lock.yml
index f05d98c8283..4d705aed8ab 100644
--- a/.github/workflows/firewall.lock.yml
+++ b/.github/workflows/firewall.lock.yml
@@ -159,6 +159,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -211,6 +218,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml
index 9a8681d55fe..128afe5b235 100644
--- a/.github/workflows/github-mcp-structural-analysis.lock.yml
+++ b/.github/workflows/github-mcp-structural-analysis.lock.yml
@@ -211,6 +211,13 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -433,6 +440,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=all",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml
index 89a173fbb2a..7b756f2060c 100644
--- a/.github/workflows/github-mcp-tools-report.lock.yml
+++ b/.github/workflows/github-mcp-tools-report.lock.yml
@@ -185,6 +185,13 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -404,6 +411,7 @@ jobs:
"url": "https://api.githubcopilot.com/mcp/",
"headers": {
"Authorization": "Bearer $GITHUB_MCP_SERVER_TOKEN",
+ "X-MCP-Lockdown": "${{ steps.detect-repo-visibility.outputs.lockdown }}",
"X-MCP-Readonly": "true",
"X-MCP-Toolsets": "all"
}
diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml
index 6f16e613ea3..798cd1768bb 100644
--- a/.github/workflows/glossary-maintainer.lock.yml
+++ b/.github/workflows/glossary-maintainer.lock.yml
@@ -198,6 +198,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -403,6 +410,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml
index 9d2786f8227..d016f80aa27 100644
--- a/.github/workflows/go-fan.lock.yml
+++ b/.github/workflows/go-fan.lock.yml
@@ -194,6 +194,13 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -387,6 +394,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/go-file-size-reduction-project64.campaign.g.lock.yml b/.github/workflows/go-file-size-reduction-project64.campaign.g.lock.yml
index c10bc7726ee..d74e7c4f30e 100644
--- a/.github/workflows/go-file-size-reduction-project64.campaign.g.lock.yml
+++ b/.github/workflows/go-file-size-reduction-project64.campaign.g.lock.yml
@@ -170,6 +170,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -463,6 +470,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml
index 0cfeb035d56..86e44e2012a 100644
--- a/.github/workflows/go-logger.lock.yml
+++ b/.github/workflows/go-logger.lock.yml
@@ -194,6 +194,13 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -397,6 +404,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml
index d82ec207dc9..4ff3a7f8818 100644
--- a/.github/workflows/go-pattern-detector.lock.yml
+++ b/.github/workflows/go-pattern-detector.lock.yml
@@ -173,6 +173,13 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -398,6 +405,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml
index 3c907b283ee..9ebd999a11a 100644
--- a/.github/workflows/grumpy-reviewer.lock.yml
+++ b/.github/workflows/grumpy-reviewer.lock.yml
@@ -217,6 +217,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -471,6 +478,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=pull_requests,repos",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml
index ddc00b21e75..ef0f3c27091 100644
--- a/.github/workflows/hourly-ci-cleaner.lock.yml
+++ b/.github/workflows/hourly-ci-cleaner.lock.yml
@@ -199,6 +199,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -404,6 +411,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/human-ai-collaboration.lock.yml b/.github/workflows/human-ai-collaboration.lock.yml
index 71316f10535..761db269655 100644
--- a/.github/workflows/human-ai-collaboration.lock.yml
+++ b/.github/workflows/human-ai-collaboration.lock.yml
@@ -180,6 +180,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -396,6 +403,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=repos,issues,search",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/incident-response.lock.yml b/.github/workflows/incident-response.lock.yml
index 222d8f164d5..a401a5e3186 100644
--- a/.github/workflows/incident-response.lock.yml
+++ b/.github/workflows/incident-response.lock.yml
@@ -194,6 +194,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -547,6 +554,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=repos,issues,pull_requests,search",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml
index 5697a1251a3..56692c8b07d 100644
--- a/.github/workflows/instructions-janitor.lock.yml
+++ b/.github/workflows/instructions-janitor.lock.yml
@@ -178,6 +178,13 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -381,6 +388,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/intelligence.lock.yml b/.github/workflows/intelligence.lock.yml
index 5b0f8e15d75..7c2bc6aec5d 100644
--- a/.github/workflows/intelligence.lock.yml
+++ b/.github/workflows/intelligence.lock.yml
@@ -230,6 +230,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -475,6 +482,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=repos,issues,search",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml
index 81dd5743dde..dcfac16d00f 100644
--- a/.github/workflows/issue-arborist.lock.yml
+++ b/.github/workflows/issue-arborist.lock.yml
@@ -178,6 +178,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
diff --git a/.github/workflows/issue-classifier.lock.yml b/.github/workflows/issue-classifier.lock.yml
index 2e230ebc413..3e398848128 100644
--- a/.github/workflows/issue-classifier.lock.yml
+++ b/.github/workflows/issue-classifier.lock.yml
@@ -156,6 +156,13 @@ jobs:
setupGlobals(core, github, context, exec, io);
const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs');
await main();
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -336,6 +343,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml
index a2d389ccfb3..9cf580bdca0 100644
--- a/.github/workflows/issue-monster.lock.yml
+++ b/.github/workflows/issue-monster.lock.yml
@@ -179,6 +179,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -396,6 +403,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/issue-template-optimizer.lock.yml b/.github/workflows/issue-template-optimizer.lock.yml
index b772a2561a4..5a2baccabe3 100644
--- a/.github/workflows/issue-template-optimizer.lock.yml
+++ b/.github/workflows/issue-template-optimizer.lock.yml
@@ -181,6 +181,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -386,6 +393,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml
index e153933f05c..792004bc9cd 100644
--- a/.github/workflows/issue-triage-agent.lock.yml
+++ b/.github/workflows/issue-triage-agent.lock.yml
@@ -150,6 +150,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -368,6 +375,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=issues,labels",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml
index 53b3596d04b..8cc8ff47a05 100644
--- a/.github/workflows/jsweep.lock.yml
+++ b/.github/workflows/jsweep.lock.yml
@@ -195,6 +195,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -400,6 +407,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml
index e66b78b4f3d..09c72705bad 100644
--- a/.github/workflows/layout-spec-maintainer.lock.yml
+++ b/.github/workflows/layout-spec-maintainer.lock.yml
@@ -175,6 +175,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -380,6 +387,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml
index 188b41e7e20..f2c73d8f6c9 100644
--- a/.github/workflows/lockfile-stats.lock.yml
+++ b/.github/workflows/lockfile-stats.lock.yml
@@ -182,6 +182,13 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -375,6 +382,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml
index 29a33b2c272..d09dc00ef0d 100644
--- a/.github/workflows/mcp-inspector.lock.yml
+++ b/.github/workflows/mcp-inspector.lock.yml
@@ -231,6 +231,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -560,6 +567,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
@@ -661,7 +670,7 @@ jobs:
"get_doc"
],
"args": [
- "@sentry/mcp-server@0.24.0"
+ "@sentry/mcp-server@0.26.0"
],
"env": {
"OPENAI_API_KEY": "${{ secrets.SENTRY_OPENAI_API_KEY }}",
diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml
index 65005d56e86..9f1ee408253 100644
--- a/.github/workflows/mergefest.lock.yml
+++ b/.github/workflows/mergefest.lock.yml
@@ -194,6 +194,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -385,6 +392,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=pull_requests,repos",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/metrics-collector.lock.yml b/.github/workflows/metrics-collector.lock.yml
index b172d936ea9..4153ea1bbde 100644
--- a/.github/workflows/metrics-collector.lock.yml
+++ b/.github/workflows/metrics-collector.lock.yml
@@ -175,6 +175,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Install gh-aw extension
env:
GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
@@ -212,6 +219,7 @@ jobs:
"url": "https://api.githubcopilot.com/mcp/",
"headers": {
"Authorization": "Bearer \${GITHUB_PERSONAL_ACCESS_TOKEN}",
+ "X-MCP-Lockdown": "${{ steps.detect-repo-visibility.outputs.lockdown }}",
"X-MCP-Readonly": "true",
"X-MCP-Toolsets": "context,repos,issues,pull_requests"
},
diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml
index 1fa1804ef67..fd17843bab2 100644
--- a/.github/workflows/notion-issue-summary.lock.yml
+++ b/.github/workflows/notion-issue-summary.lock.yml
@@ -176,6 +176,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -320,6 +327,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/org-wide-rollout.lock.yml b/.github/workflows/org-wide-rollout.lock.yml
index d716bd5b69c..41492a3528b 100644
--- a/.github/workflows/org-wide-rollout.lock.yml
+++ b/.github/workflows/org-wide-rollout.lock.yml
@@ -201,6 +201,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -554,6 +561,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=repos,issues,pull_requests,search",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml
index cf5ac6b68fb..6e6cc3b9bb8 100644
--- a/.github/workflows/pdf-summary.lock.yml
+++ b/.github/workflows/pdf-summary.lock.yml
@@ -242,6 +242,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -421,6 +428,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml
index 8f3104077e2..7d48ee39624 100644
--- a/.github/workflows/plan.lock.yml
+++ b/.github/workflows/plan.lock.yml
@@ -206,6 +206,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -479,6 +486,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests,discussions",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/playground-org-project-update-issue.lock.yml b/.github/workflows/playground-org-project-update-issue.lock.yml
index 23c32598ddb..c2e779a0df2 100644
--- a/.github/workflows/playground-org-project-update-issue.lock.yml
+++ b/.github/workflows/playground-org-project-update-issue.lock.yml
@@ -167,6 +167,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -424,6 +431,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests,projects",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/playground-snapshots-refresh.lock.yml b/.github/workflows/playground-snapshots-refresh.lock.yml
index 2a405ee8637..f8c19291749 100644
--- a/.github/workflows/playground-snapshots-refresh.lock.yml
+++ b/.github/workflows/playground-snapshots-refresh.lock.yml
@@ -185,6 +185,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -390,6 +397,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml
index 1e3519632b2..22ce7d18baa 100644
--- a/.github/workflows/poem-bot.lock.yml
+++ b/.github/workflows/poem-bot.lock.yml
@@ -224,6 +224,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -934,6 +941,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml
index f537a2c5f8c..545374bda6c 100644
--- a/.github/workflows/portfolio-analyst.lock.yml
+++ b/.github/workflows/portfolio-analyst.lock.yml
@@ -239,6 +239,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -470,6 +477,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml
index a66ff90a469..63f8f0c8ebc 100644
--- a/.github/workflows/pr-nitpick-reviewer.lock.yml
+++ b/.github/workflows/pr-nitpick-reviewer.lock.yml
@@ -235,6 +235,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -541,6 +548,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=pull_requests,repos",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml
index 3546065b977..8c5fdadff1f 100644
--- a/.github/workflows/prompt-clustering-analysis.lock.yml
+++ b/.github/workflows/prompt-clustering-analysis.lock.yml
@@ -255,6 +255,13 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -452,6 +459,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=repos,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml
index 23f90284ad9..66de4c3052f 100644
--- a/.github/workflows/python-data-charts.lock.yml
+++ b/.github/workflows/python-data-charts.lock.yml
@@ -211,6 +211,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -458,6 +465,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml
index c3e70521540..2b35b755425 100644
--- a/.github/workflows/q.lock.yml
+++ b/.github/workflows/q.lock.yml
@@ -271,6 +271,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -519,6 +526,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests,actions,discussions",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml
index 24509a2114d..a34f7cbcb3e 100644
--- a/.github/workflows/release.lock.yml
+++ b/.github/workflows/release.lock.yml
@@ -179,6 +179,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -379,6 +386,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml
index 6f7214c0f03..40af8f2ea1e 100644
--- a/.github/workflows/repo-tree-map.lock.yml
+++ b/.github/workflows/repo-tree-map.lock.yml
@@ -174,6 +174,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -369,6 +376,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml
index 4f0b0ce94dc..d5f16b187c0 100644
--- a/.github/workflows/repository-quality-improver.lock.yml
+++ b/.github/workflows/repository-quality-improver.lock.yml
@@ -199,6 +199,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -394,6 +401,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml
index 29dec4849f9..5e0d37ea057 100644
--- a/.github/workflows/research.lock.yml
+++ b/.github/workflows/research.lock.yml
@@ -177,6 +177,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -372,6 +379,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml
index c786e354f72..b0f28623a45 100644
--- a/.github/workflows/safe-output-health.lock.yml
+++ b/.github/workflows/safe-output-health.lock.yml
@@ -207,6 +207,13 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -404,6 +411,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml
index c216b5e6ac9..c914018223d 100644
--- a/.github/workflows/schema-consistency-checker.lock.yml
+++ b/.github/workflows/schema-consistency-checker.lock.yml
@@ -185,6 +185,13 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -342,6 +349,7 @@ jobs:
"url": "https://api.githubcopilot.com/mcp/",
"headers": {
"Authorization": "Bearer $GITHUB_MCP_SERVER_TOKEN",
+ "X-MCP-Lockdown": "${{ steps.detect-repo-visibility.outputs.lockdown }}",
"X-MCP-Readonly": "true",
"X-MCP-Toolsets": "context,repos,issues,pull_requests,discussions"
}
diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml
index f51a358a9bd..11b6ddb3955 100644
--- a/.github/workflows/scout.lock.yml
+++ b/.github/workflows/scout.lock.yml
@@ -267,6 +267,13 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -475,6 +482,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml
index d47f2e47b81..8d24508b73e 100644
--- a/.github/workflows/security-compliance.lock.yml
+++ b/.github/workflows/security-compliance.lock.yml
@@ -185,6 +185,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -401,6 +408,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=repos,search,code_security",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/security-fix-pr.lock.yml b/.github/workflows/security-fix-pr.lock.yml
index 2ffdb91919b..3621b30b99f 100644
--- a/.github/workflows/security-fix-pr.lock.yml
+++ b/.github/workflows/security-fix-pr.lock.yml
@@ -186,6 +186,13 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -389,6 +396,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,code_security,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml
index fcf3abc6aac..ea4254707dd 100644
--- a/.github/workflows/semantic-function-refactor.lock.yml
+++ b/.github/workflows/semantic-function-refactor.lock.yml
@@ -171,6 +171,13 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -423,6 +430,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml
index e39c4eb5c7d..958bcfc76a5 100644
--- a/.github/workflows/slide-deck-maintainer.lock.yml
+++ b/.github/workflows/slide-deck-maintainer.lock.yml
@@ -199,6 +199,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -405,6 +412,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml
index d3eabe1e998..45c7a163814 100644
--- a/.github/workflows/smoke-claude.lock.yml
+++ b/.github/workflows/smoke-claude.lock.yml
@@ -220,6 +220,13 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -510,6 +517,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=repos,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/smoke-codex-firewall.lock.yml b/.github/workflows/smoke-codex-firewall.lock.yml
index 04c0b21369b..01cb18d9ce4 100644
--- a/.github/workflows/smoke-codex-firewall.lock.yml
+++ b/.github/workflows/smoke-codex-firewall.lock.yml
@@ -193,6 +193,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml
index fb7938b15c3..004bec57241 100644
--- a/.github/workflows/smoke-codex.lock.yml
+++ b/.github/workflows/smoke-codex.lock.yml
@@ -216,6 +216,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
diff --git a/.github/workflows/smoke-copilot-no-firewall.lock.yml b/.github/workflows/smoke-copilot-no-firewall.lock.yml
index 7214bb67804..edf977c0a2f 100644
--- a/.github/workflows/smoke-copilot-no-firewall.lock.yml
+++ b/.github/workflows/smoke-copilot-no-firewall.lock.yml
@@ -206,6 +206,13 @@ jobs:
# Verify installation
copilot --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -521,6 +528,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/smoke-copilot-playwright.lock.yml b/.github/workflows/smoke-copilot-playwright.lock.yml
index 6929df9a986..ff906031497 100644
--- a/.github/workflows/smoke-copilot-playwright.lock.yml
+++ b/.github/workflows/smoke-copilot-playwright.lock.yml
@@ -226,6 +226,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -614,6 +621,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml
index 65bef79fe16..ffe258d2e9a 100644
--- a/.github/workflows/smoke-copilot.lock.yml
+++ b/.github/workflows/smoke-copilot.lock.yml
@@ -207,6 +207,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -498,6 +505,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/smoke-detector.lock.yml b/.github/workflows/smoke-detector.lock.yml
index 547b4e1759b..ffbe8b016c1 100644
--- a/.github/workflows/smoke-detector.lock.yml
+++ b/.github/workflows/smoke-detector.lock.yml
@@ -243,6 +243,13 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -497,6 +504,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests,actions",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/smoke-srt-custom-config.lock.yml b/.github/workflows/smoke-srt-custom-config.lock.yml
index 0a15b414ecc..a65105868da 100644
--- a/.github/workflows/smoke-srt-custom-config.lock.yml
+++ b/.github/workflows/smoke-srt-custom-config.lock.yml
@@ -167,6 +167,13 @@ jobs:
echo "Sandbox Runtime installed successfully"
- name: Install GitHub Copilot CLI
run: npm install --silent @github/copilot@0.0.372
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -218,6 +225,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/smoke-srt.lock.yml b/.github/workflows/smoke-srt.lock.yml
index e2c1655efc2..24863d34a3e 100644
--- a/.github/workflows/smoke-srt.lock.yml
+++ b/.github/workflows/smoke-srt.lock.yml
@@ -183,6 +183,13 @@ jobs:
echo "Sandbox Runtime installed successfully"
- name: Install GitHub Copilot CLI
run: npm install --silent @github/copilot@0.0.372
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -326,6 +333,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/spec-kit-execute.lock.yml b/.github/workflows/spec-kit-execute.lock.yml
index 25f90b0a7cf..76a6411dcfc 100644
--- a/.github/workflows/spec-kit-execute.lock.yml
+++ b/.github/workflows/spec-kit-execute.lock.yml
@@ -189,6 +189,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -357,6 +364,7 @@ jobs:
"url": "https://api.githubcopilot.com/mcp/",
"headers": {
"Authorization": "Bearer \${GITHUB_PERSONAL_ACCESS_TOKEN}",
+ "X-MCP-Lockdown": "${{ steps.detect-repo-visibility.outputs.lockdown }}",
"X-MCP-Readonly": "true",
"X-MCP-Toolsets": "context,repos,issues,pull_requests"
},
diff --git a/.github/workflows/spec-kit-executor.lock.yml b/.github/workflows/spec-kit-executor.lock.yml
index ff52806ef8e..2595a59a66c 100644
--- a/.github/workflows/spec-kit-executor.lock.yml
+++ b/.github/workflows/spec-kit-executor.lock.yml
@@ -190,6 +190,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -395,6 +402,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/speckit-dispatcher.lock.yml b/.github/workflows/speckit-dispatcher.lock.yml
index ddc3b765cc5..2bae58c53cc 100644
--- a/.github/workflows/speckit-dispatcher.lock.yml
+++ b/.github/workflows/speckit-dispatcher.lock.yml
@@ -229,6 +229,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -523,6 +530,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml
index c7b0add88b6..5122d43f678 100644
--- a/.github/workflows/static-analysis-report.lock.yml
+++ b/.github/workflows/static-analysis-report.lock.yml
@@ -204,6 +204,13 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -401,6 +408,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests,actions",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml
index bfffd44b42b..6095658f5df 100644
--- a/.github/workflows/sub-issue-closer.lock.yml
+++ b/.github/workflows/sub-issue-closer.lock.yml
@@ -169,6 +169,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -407,6 +414,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=issues",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml
index 5d98dcb5277..50d208a3376 100644
--- a/.github/workflows/super-linter.lock.yml
+++ b/.github/workflows/super-linter.lock.yml
@@ -193,6 +193,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -409,6 +416,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml
index 74b4beb52bf..6146372a96d 100644
--- a/.github/workflows/technical-doc-writer.lock.yml
+++ b/.github/workflows/technical-doc-writer.lock.yml
@@ -208,6 +208,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -478,6 +485,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/terminal-stylist.lock.yml b/.github/workflows/terminal-stylist.lock.yml
index bb8329c978a..cb993e91048 100644
--- a/.github/workflows/terminal-stylist.lock.yml
+++ b/.github/workflows/terminal-stylist.lock.yml
@@ -180,6 +180,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -375,6 +382,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=repos",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml
index d57b4ec2f74..334248d0cbb 100644
--- a/.github/workflows/tidy.lock.yml
+++ b/.github/workflows/tidy.lock.yml
@@ -217,6 +217,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -470,6 +477,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/typist.lock.yml b/.github/workflows/typist.lock.yml
index d5811f3d925..7714250597d 100644
--- a/.github/workflows/typist.lock.yml
+++ b/.github/workflows/typist.lock.yml
@@ -182,6 +182,13 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -375,6 +382,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml
index 605cf4c4697..88fc6cc4269 100644
--- a/.github/workflows/unbloat-docs.lock.yml
+++ b/.github/workflows/unbloat-docs.lock.yml
@@ -227,6 +227,13 @@ jobs:
awf --version
- name: Install Claude Code CLI
run: npm install -g --silent @anthropic-ai/claude-code@2.0.76
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -496,6 +503,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml
index a1fa4e17c54..41a9101f413 100644
--- a/.github/workflows/video-analyzer.lock.yml
+++ b/.github/workflows/video-analyzer.lock.yml
@@ -184,6 +184,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -400,6 +407,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml
index b30b36b73b0..27acf24a16e 100644
--- a/.github/workflows/weekly-issue-summary.lock.yml
+++ b/.github/workflows/weekly-issue-summary.lock.yml
@@ -194,6 +194,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -418,6 +425,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=issues",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml
index ced2d1ae09b..7c39d93b2a8 100644
--- a/.github/workflows/workflow-generator.lock.yml
+++ b/.github/workflows/workflow-generator.lock.yml
@@ -183,6 +183,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Downloading container images
run: |
set -e
@@ -423,6 +430,8 @@ jobs:
"-e",
"GITHUB_READ_ONLY=1",
"-e",
+ "GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}",
+ "-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
"ghcr.io/github/github-mcp-server:v0.26.3"
],
diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml
index e55b2d7bcf4..b7a3dc64597 100644
--- a/.github/workflows/workflow-health-manager.lock.yml
+++ b/.github/workflows/workflow-health-manager.lock.yml
@@ -182,6 +182,13 @@ jobs:
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash
which awf
awf --version
+ - name: Detect repository visibility for GitHub MCP lockdown
+ id: detect-repo-visibility
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');
+ await detectRepoVisibility(github, context, core);
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -456,6 +463,7 @@ jobs:
"url": "https://api.githubcopilot.com/mcp/",
"headers": {
"Authorization": "Bearer \${GITHUB_PERSONAL_ACCESS_TOKEN}",
+ "X-MCP-Lockdown": "${{ steps.detect-repo-visibility.outputs.lockdown }}",
"X-MCP-Readonly": "true",
"X-MCP-Toolsets": "context,repos,issues,pull_requests,actions"
},
diff --git a/actions/setup/js/detect_repo_visibility.cjs b/actions/setup/js/detect_repo_visibility.cjs
new file mode 100644
index 00000000000..9789261a720
--- /dev/null
+++ b/actions/setup/js/detect_repo_visibility.cjs
@@ -0,0 +1,64 @@
+// @ts-check
+///
+
+/**
+ * Detects repository visibility and sets lockdown mode for GitHub MCP server.
+ *
+ * For public repositories, lockdown mode should be enabled (true) to prevent
+ * the GitHub token from accessing private repositories, which could leak
+ * sensitive information.
+ *
+ * For private repositories, lockdown mode is not necessary (false) as there
+ * is no risk of exposing private repository access.
+ *
+ * @param {any} github - GitHub API client
+ * @param {any} context - GitHub context
+ * @param {any} core - GitHub Actions core library
+ * @returns {Promise}
+ */
+async function detectRepoVisibility(github, context, core) {
+ try {
+ core.info("Detecting repository visibility for GitHub MCP lockdown configuration");
+
+ const { owner, repo } = context.repo;
+ core.info(`Checking visibility for repository: ${owner}/${repo}`);
+
+ // Fetch repository information
+ const { data: repository } = await github.rest.repos.get({
+ owner,
+ repo,
+ });
+
+ const isPrivate = repository.private;
+ const visibility = repository.visibility || (isPrivate ? "private" : "public");
+
+ core.info(`Repository visibility: ${visibility}`);
+ core.info(`Repository is private: ${isPrivate}`);
+
+ // Set lockdown based on visibility
+ // Public repos should have lockdown enabled to prevent token from accessing private repos
+ const shouldLockdown = !isPrivate;
+
+ core.info(`Setting GitHub MCP lockdown: ${shouldLockdown}`);
+ core.setOutput("lockdown", shouldLockdown.toString());
+ core.setOutput("visibility", visibility);
+
+ if (shouldLockdown) {
+ core.warning(
+ "GitHub MCP lockdown mode enabled for public repository. " +
+ "This prevents the GitHub token from accessing private repositories."
+ );
+ }
+ } catch (error) {
+ const errorMessage = error instanceof Error ? error.message : String(error);
+ core.error(`Failed to detect repository visibility: ${errorMessage}`);
+ // Default to lockdown mode for safety
+ core.setOutput("lockdown", "true");
+ core.setOutput("visibility", "unknown");
+ core.warning(
+ "Failed to detect repository visibility. Defaulting to lockdown mode for security."
+ );
+ }
+}
+
+module.exports = detectRepoVisibility;
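Review bot: The lockdown decision at `const shouldLockdown = !isPrivate;` keys only on the boolean `private` field even though the three-valued `visibility` field is fetched two lines earlier and is the field that actually distinguishes internal repositories; if the REST API reports an internal repository with `private: false` (the test suite assumes `true`, which I have not verified), this step enables lockdown where the changeset says it should not. Deciding on `visibility` and falling back to `private` only when it is absent keeps the fail-closed default while making the internal case explicit: `const visibility = repository.visibility || (repository.private === true ? "private" : repository.private === false ? "public" : "unknown");` followed by `const shouldLockdown = visibility !== "private" && visibility !== "internal";`, so a missing or unrecognised value still locks down. The docstring's claim that a private repository carries "no risk of exposing private repository access" is stronger than the code supports — the token's reach is governed by its own scopes, not by the visibility of the repository running the workflow — so I would reword it to "lockdown is not applied for private and internal repositories". Also `@returns {Promise}` should be `@returns {Promise<void>}` for `@ts-check`.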
diff --git a/actions/setup/js/detect_repo_visibility.test.cjs b/actions/setup/js/detect_repo_visibility.test.cjs
new file mode 100644
index 00000000000..9e9dccf4810
--- /dev/null
+++ b/actions/setup/js/detect_repo_visibility.test.cjs
@@ -0,0 +1,145 @@
+import { describe, it, expect, beforeEach, vi } from "vitest";
+
+describe("detect_repo_visibility", () => {
+ let mockContext;
+ let mockGithub;
+ let mockCore;
+ let detectRepoVisibility;
+
+ beforeEach(async () => {
+ vi.resetModules();
+
+ // Setup mock context
+ mockContext = {
+ repo: {
+ owner: "test-owner",
+ repo: "test-repo",
+ },
+ };
+
+ // Setup mock GitHub API
+ mockGithub = {
+ rest: {
+ repos: {
+ get: vi.fn(),
+ },
+ },
+ };
+
+ // Setup mock core
+ mockCore = {
+ info: vi.fn(),
+ warning: vi.fn(),
+ error: vi.fn(),
+ setOutput: vi.fn(),
+ };
+
+ // Import the module
+ detectRepoVisibility = (await import("./detect_repo_visibility.cjs")).default;
+ });
+
+ it("should set lockdown to true for public repository", async () => {
+ mockGithub.rest.repos.get.mockResolvedValue({
+ data: {
+ private: false,
+ visibility: "public",
+ },
+ });
+
+ await detectRepoVisibility(mockGithub, mockContext, mockCore);
+
+ expect(mockGithub.rest.repos.get).toHaveBeenCalledWith({
+ owner: "test-owner",
+ repo: "test-repo",
+ });
+ expect(mockCore.setOutput).toHaveBeenCalledWith("lockdown", "true");
+ expect(mockCore.setOutput).toHaveBeenCalledWith("visibility", "public");
+ expect(mockCore.warning).toHaveBeenCalledWith(
+ expect.stringContaining("GitHub MCP lockdown mode enabled")
+ );
+ });
+
+ it("should set lockdown to false for private repository", async () => {
+ mockGithub.rest.repos.get.mockResolvedValue({
+ data: {
+ private: true,
+ visibility: "private",
+ },
+ });
+
+ await detectRepoVisibility(mockGithub, mockContext, mockCore);
+
+ expect(mockGithub.rest.repos.get).toHaveBeenCalledWith({
+ owner: "test-owner",
+ repo: "test-repo",
+ });
+ expect(mockCore.setOutput).toHaveBeenCalledWith("lockdown", "false");
+ expect(mockCore.setOutput).toHaveBeenCalledWith("visibility", "private");
+ expect(mockCore.warning).not.toHaveBeenCalled();
+ });
+
+ it("should set lockdown to false for internal repository", async () => {
+ mockGithub.rest.repos.get.mockResolvedValue({
+ data: {
+ private: true,
+ visibility: "internal",
+ },
+ });
+
+ await detectRepoVisibility(mockGithub, mockContext, mockCore);
+
+ expect(mockCore.setOutput).toHaveBeenCalledWith("lockdown", "false");
+ expect(mockCore.setOutput).toHaveBeenCalledWith("visibility", "internal");
+ });
+
+ it("should handle API failure and default to lockdown mode", async () => {
+ const error = new Error("API request failed");
+ mockGithub.rest.repos.get.mockRejectedValue(error);
+
+ await detectRepoVisibility(mockGithub, mockContext, mockCore);
+
+ expect(mockCore.error).toHaveBeenCalledWith(
+ "Failed to detect repository visibility: API request failed"
+ );
+ expect(mockCore.setOutput).toHaveBeenCalledWith("lockdown", "true");
+ expect(mockCore.setOutput).toHaveBeenCalledWith("visibility", "unknown");
+ expect(mockCore.warning).toHaveBeenCalledWith(
+ expect.stringContaining("Failed to detect repository visibility")
+ );
+ });
+
+ it("should infer visibility from private field when visibility field is missing", async () => {
+ mockGithub.rest.repos.get.mockResolvedValue({
+ data: {
+ private: false,
+ // visibility field not present
+ },
+ });
+
+ await detectRepoVisibility(mockGithub, mockContext, mockCore);
+
+ expect(mockCore.setOutput).toHaveBeenCalledWith("lockdown", "true");
+ expect(mockCore.setOutput).toHaveBeenCalledWith("visibility", "public");
+ });
+
+ it("should log appropriate info messages", async () => {
+ mockGithub.rest.repos.get.mockResolvedValue({
+ data: {
+ private: false,
+ visibility: "public",
+ },
+ });
+
+ await detectRepoVisibility(mockGithub, mockContext, mockCore);
+
+ expect(mockCore.info).toHaveBeenCalledWith(
+ "Detecting repository visibility for GitHub MCP lockdown configuration"
+ );
+ expect(mockCore.info).toHaveBeenCalledWith(
+ "Checking visibility for repository: test-owner/test-repo"
+ );
+ expect(mockCore.info).toHaveBeenCalledWith("Repository visibility: public");
+ expect(mockCore.info).toHaveBeenCalledWith("Repository is private: false");
+ expect(mockCore.info).toHaveBeenCalledWith("Setting GitHub MCP lockdown: true");
+ });
+});
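Review bot: The suite never exercises the case that makes the fail-closed default matter: a response whose `data` has neither `private` nor `visibility`, where `const isPrivate = repository.private;` yields `undefined` and `!undefined` locks down while the inferred visibility is reported as `"public"`. The `internal` case at `private: true, visibility: "internal"` bakes an assumption about what the REST API returns for internal repositories into the mock; if that assumption is wrong the test still passes, so at minimum the mock deserves a comment such as `// assumed REST shape for internal repos — verify against the API`. I would add a test pinning the missing-field behaviour:
```javascript
it("should default to lockdown when the private field is missing", async () => {
  mockGithub.rest.repos.get.mockResolvedValue({ data: {} });

  await detectRepoVisibility(mockGithub, mockContext, mockCore);

  expect(mockCore.setOutput).toHaveBeenCalledWith("lockdown", "true");
  expect(mockCore.setOutput).toHaveBeenCalledWith("visibility", "public");
});
```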
diff --git a/actions/setup/js/package-lock.json b/actions/setup/js/package-lock.json
index 9b72b3977df..e4090cb2b2f 100644
--- a/actions/setup/js/package-lock.json
+++ b/actions/setup/js/package-lock.json
@@ -261,11 +261,15 @@
"version": "0.25.12",
"resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.25.12.tgz",
"integrity": "sha512-Hhmwd6CInZ3dwpuGTF8fJG6yoWmsToE+vYgD4nytZVxcu1ulHpUQRAB1UJ8+N1Am3Mz4+xOByoQoSZf4D+CpkA==",
- "cpu": ["ppc64"],
+ "cpu": [
+ "ppc64"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["aix"],
+ "os": [
+ "aix"
+ ],
"engines": {
"node": ">=18"
}
@@ -274,11 +278,15 @@
"version": "0.25.12",
"resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.25.12.tgz",
"integrity": "sha512-VJ+sKvNA/GE7Ccacc9Cha7bpS8nyzVv0jdVgwNDaR4gDMC/2TTRc33Ip8qrNYUcpkOHUT5OZ0bUcNNVZQ9RLlg==",
- "cpu": ["arm"],
+ "cpu": [
+ "arm"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["android"],
+ "os": [
+ "android"
+ ],
"engines": {
"node": ">=18"
}
@@ -287,11 +295,15 @@
"version": "0.25.12",
"resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.25.12.tgz",
"integrity": "sha512-6AAmLG7zwD1Z159jCKPvAxZd4y/VTO0VkprYy+3N2FtJ8+BQWFXU+OxARIwA46c5tdD9SsKGZ/1ocqBS/gAKHg==",
- "cpu": ["arm64"],
+ "cpu": [
+ "arm64"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["android"],
+ "os": [
+ "android"
+ ],
"engines": {
"node": ">=18"
}
@@ -300,11 +312,15 @@
"version": "0.25.12",
"resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.25.12.tgz",
"integrity": "sha512-5jbb+2hhDHx5phYR2By8GTWEzn6I9UqR11Kwf22iKbNpYrsmRB18aX/9ivc5cabcUiAT/wM+YIZ6SG9QO6a8kg==",
- "cpu": ["x64"],
+ "cpu": [
+ "x64"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["android"],
+ "os": [
+ "android"
+ ],
"engines": {
"node": ">=18"
}
@@ -313,11 +329,15 @@
"version": "0.25.12",
"resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.25.12.tgz",
"integrity": "sha512-N3zl+lxHCifgIlcMUP5016ESkeQjLj/959RxxNYIthIg+CQHInujFuXeWbWMgnTo4cp5XVHqFPmpyu9J65C1Yg==",
- "cpu": ["arm64"],
+ "cpu": [
+ "arm64"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["darwin"],
+ "os": [
+ "darwin"
+ ],
"engines": {
"node": ">=18"
}
@@ -326,11 +346,15 @@
"version": "0.25.12",
"resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.25.12.tgz",
"integrity": "sha512-HQ9ka4Kx21qHXwtlTUVbKJOAnmG1ipXhdWTmNXiPzPfWKpXqASVcWdnf2bnL73wgjNrFXAa3yYvBSd9pzfEIpA==",
- "cpu": ["x64"],
+ "cpu": [
+ "x64"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["darwin"],
+ "os": [
+ "darwin"
+ ],
"engines": {
"node": ">=18"
}
@@ -339,11 +363,15 @@
"version": "0.25.12",
"resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.25.12.tgz",
"integrity": "sha512-gA0Bx759+7Jve03K1S0vkOu5Lg/85dou3EseOGUes8flVOGxbhDDh/iZaoek11Y8mtyKPGF3vP8XhnkDEAmzeg==",
- "cpu": ["arm64"],
+ "cpu": [
+ "arm64"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["freebsd"],
+ "os": [
+ "freebsd"
+ ],
"engines": {
"node": ">=18"
}
@@ -352,11 +380,15 @@
"version": "0.25.12",
"resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.25.12.tgz",
"integrity": "sha512-TGbO26Yw2xsHzxtbVFGEXBFH0FRAP7gtcPE7P5yP7wGy7cXK2oO7RyOhL5NLiqTlBh47XhmIUXuGciXEqYFfBQ==",
- "cpu": ["x64"],
+ "cpu": [
+ "x64"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["freebsd"],
+ "os": [
+ "freebsd"
+ ],
"engines": {
"node": ">=18"
}
@@ -365,11 +397,15 @@
"version": "0.25.12",
"resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.25.12.tgz",
"integrity": "sha512-lPDGyC1JPDou8kGcywY0YILzWlhhnRjdof3UlcoqYmS9El818LLfJJc3PXXgZHrHCAKs/Z2SeZtDJr5MrkxtOw==",
- "cpu": ["arm"],
+ "cpu": [
+ "arm"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["linux"],
+ "os": [
+ "linux"
+ ],
"engines": {
"node": ">=18"
}
@@ -378,11 +414,15 @@
"version": "0.25.12",
"resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.25.12.tgz",
"integrity": "sha512-8bwX7a8FghIgrupcxb4aUmYDLp8pX06rGh5HqDT7bB+8Rdells6mHvrFHHW2JAOPZUbnjUpKTLg6ECyzvas2AQ==",
- "cpu": ["arm64"],
+ "cpu": [
+ "arm64"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["linux"],
+ "os": [
+ "linux"
+ ],
"engines": {
"node": ">=18"
}
@@ -391,11 +431,15 @@
"version": "0.25.12",
"resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.25.12.tgz",
"integrity": "sha512-0y9KrdVnbMM2/vG8KfU0byhUN+EFCny9+8g202gYqSSVMonbsCfLjUO+rCci7pM0WBEtz+oK/PIwHkzxkyharA==",
- "cpu": ["ia32"],
+ "cpu": [
+ "ia32"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["linux"],
+ "os": [
+ "linux"
+ ],
"engines": {
"node": ">=18"
}
@@ -404,11 +448,15 @@
"version": "0.25.12",
"resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.25.12.tgz",
"integrity": "sha512-h///Lr5a9rib/v1GGqXVGzjL4TMvVTv+s1DPoxQdz7l/AYv6LDSxdIwzxkrPW438oUXiDtwM10o9PmwS/6Z0Ng==",
- "cpu": ["loong64"],
+ "cpu": [
+ "loong64"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["linux"],
+ "os": [
+ "linux"
+ ],
"engines": {
"node": ">=18"
}
@@ -417,11 +465,15 @@
"version": "0.25.12",
"resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.25.12.tgz",
"integrity": "sha512-iyRrM1Pzy9GFMDLsXn1iHUm18nhKnNMWscjmp4+hpafcZjrr2WbT//d20xaGljXDBYHqRcl8HnxbX6uaA/eGVw==",
- "cpu": ["mips64el"],
+ "cpu": [
+ "mips64el"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["linux"],
+ "os": [
+ "linux"
+ ],
"engines": {
"node": ">=18"
}
@@ -430,11 +482,15 @@
"version": "0.25.12",
"resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.25.12.tgz",
"integrity": "sha512-9meM/lRXxMi5PSUqEXRCtVjEZBGwB7P/D4yT8UG/mwIdze2aV4Vo6U5gD3+RsoHXKkHCfSxZKzmDssVlRj1QQA==",
- "cpu": ["ppc64"],
+ "cpu": [
+ "ppc64"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["linux"],
+ "os": [
+ "linux"
+ ],
"engines": {
"node": ">=18"
}
@@ -443,11 +499,15 @@
"version": "0.25.12",
"resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.25.12.tgz",
"integrity": "sha512-Zr7KR4hgKUpWAwb1f3o5ygT04MzqVrGEGXGLnj15YQDJErYu/BGg+wmFlIDOdJp0PmB0lLvxFIOXZgFRrdjR0w==",
- "cpu": ["riscv64"],
+ "cpu": [
+ "riscv64"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["linux"],
+ "os": [
+ "linux"
+ ],
"engines": {
"node": ">=18"
}
@@ -456,11 +516,15 @@
"version": "0.25.12",
"resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.25.12.tgz",
"integrity": "sha512-MsKncOcgTNvdtiISc/jZs/Zf8d0cl/t3gYWX8J9ubBnVOwlk65UIEEvgBORTiljloIWnBzLs4qhzPkJcitIzIg==",
- "cpu": ["s390x"],
+ "cpu": [
+ "s390x"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["linux"],
+ "os": [
+ "linux"
+ ],
"engines": {
"node": ">=18"
}
@@ -469,11 +533,15 @@
"version": "0.25.12",
"resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.25.12.tgz",
"integrity": "sha512-uqZMTLr/zR/ed4jIGnwSLkaHmPjOjJvnm6TVVitAa08SLS9Z0VM8wIRx7gWbJB5/J54YuIMInDquWyYvQLZkgw==",
- "cpu": ["x64"],
+ "cpu": [
+ "x64"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["linux"],
+ "os": [
+ "linux"
+ ],
"engines": {
"node": ">=18"
}
@@ -482,11 +550,15 @@
"version": "0.25.12",
"resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.25.12.tgz",
"integrity": "sha512-xXwcTq4GhRM7J9A8Gv5boanHhRa/Q9KLVmcyXHCTaM4wKfIpWkdXiMog/KsnxzJ0A1+nD+zoecuzqPmCRyBGjg==",
- "cpu": ["arm64"],
+ "cpu": [
+ "arm64"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["netbsd"],
+ "os": [
+ "netbsd"
+ ],
"engines": {
"node": ">=18"
}
@@ -495,11 +567,15 @@
"version": "0.25.12",
"resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.25.12.tgz",
"integrity": "sha512-Ld5pTlzPy3YwGec4OuHh1aCVCRvOXdH8DgRjfDy/oumVovmuSzWfnSJg+VtakB9Cm0gxNO9BzWkj6mtO1FMXkQ==",
- "cpu": ["x64"],
+ "cpu": [
+ "x64"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["netbsd"],
+ "os": [
+ "netbsd"
+ ],
"engines": {
"node": ">=18"
}
@@ -508,11 +584,15 @@
"version": "0.25.12",
"resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.25.12.tgz",
"integrity": "sha512-fF96T6KsBo/pkQI950FARU9apGNTSlZGsv1jZBAlcLL1MLjLNIWPBkj5NlSz8aAzYKg+eNqknrUJ24QBybeR5A==",
- "cpu": ["arm64"],
+ "cpu": [
+ "arm64"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["openbsd"],
+ "os": [
+ "openbsd"
+ ],
"engines": {
"node": ">=18"
}
@@ -521,11 +601,15 @@
"version": "0.25.12",
"resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.25.12.tgz",
"integrity": "sha512-MZyXUkZHjQxUvzK7rN8DJ3SRmrVrke8ZyRusHlP+kuwqTcfWLyqMOE3sScPPyeIXN/mDJIfGXvcMqCgYKekoQw==",
- "cpu": ["x64"],
+ "cpu": [
+ "x64"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["openbsd"],
+ "os": [
+ "openbsd"
+ ],
"engines": {
"node": ">=18"
}
@@ -534,11 +618,15 @@
"version": "0.25.12",
"resolved": "https://registry.npmjs.org/@esbuild/openharmony-arm64/-/openharmony-arm64-0.25.12.tgz",
"integrity": "sha512-rm0YWsqUSRrjncSXGA7Zv78Nbnw4XL6/dzr20cyrQf7ZmRcsovpcRBdhD43Nuk3y7XIoW2OxMVvwuRvk9XdASg==",
- "cpu": ["arm64"],
+ "cpu": [
+ "arm64"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["openharmony"],
+ "os": [
+ "openharmony"
+ ],
"engines": {
"node": ">=18"
}
@@ -547,11 +635,15 @@
"version": "0.25.12",
"resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.25.12.tgz",
"integrity": "sha512-3wGSCDyuTHQUzt0nV7bocDy72r2lI33QL3gkDNGkod22EsYl04sMf0qLb8luNKTOmgF/eDEDP5BFNwoBKH441w==",
- "cpu": ["x64"],
+ "cpu": [
+ "x64"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["sunos"],
+ "os": [
+ "sunos"
+ ],
"engines": {
"node": ">=18"
}
@@ -560,11 +652,15 @@
"version": "0.25.12",
"resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.25.12.tgz",
"integrity": "sha512-rMmLrur64A7+DKlnSuwqUdRKyd3UE7oPJZmnljqEptesKM8wx9J8gx5u0+9Pq0fQQW8vqeKebwNXdfOyP+8Bsg==",
- "cpu": ["arm64"],
+ "cpu": [
+ "arm64"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["win32"],
+ "os": [
+ "win32"
+ ],
"engines": {
"node": ">=18"
}
@@ -573,11 +669,15 @@
"version": "0.25.12",
"resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.25.12.tgz",
"integrity": "sha512-HkqnmmBoCbCwxUKKNPBixiWDGCpQGVsrQfJoVGYLPT41XWF8lHuE5N6WhVia2n4o5QK5M4tYr21827fNhi4byQ==",
- "cpu": ["ia32"],
+ "cpu": [
+ "ia32"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["win32"],
+ "os": [
+ "win32"
+ ],
"engines": {
"node": ">=18"
}
@@ -586,11 +686,15 @@
"version": "0.25.12",
"resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.25.12.tgz",
"integrity": "sha512-alJC0uCZpTFrSL0CCDjcgleBXPnCrEAhTBILpeAp7M/OFgoqtAetfBzX0xM00MUsVVPpVjlPuMbREqnZCXaTnA==",
- "cpu": ["x64"],
+ "cpu": [
+ "x64"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["win32"],
+ "os": [
+ "win32"
+ ],
"engines": {
"node": ">=18"
}
@@ -870,221 +974,309 @@
"version": "4.53.2",
"resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm-eabi/-/rollup-android-arm-eabi-4.53.2.tgz",
"integrity": "sha512-yDPzwsgiFO26RJA4nZo8I+xqzh7sJTZIWQOxn+/XOdPE31lAvLIYCKqjV+lNH/vxE2L2iH3plKxDCRK6i+CwhA==",
- "cpu": ["arm"],
+ "cpu": [
+ "arm"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["android"]
+ "os": [
+ "android"
+ ]
},
"node_modules/@rollup/rollup-android-arm64": {
"version": "4.53.2",
"resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm64/-/rollup-android-arm64-4.53.2.tgz",
"integrity": "sha512-k8FontTxIE7b0/OGKeSN5B6j25EuppBcWM33Z19JoVT7UTXFSo3D9CdU39wGTeb29NO3XxpMNauh09B+Ibw+9g==",
- "cpu": ["arm64"],
+ "cpu": [
+ "arm64"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["android"]
+ "os": [
+ "android"
+ ]
},
"node_modules/@rollup/rollup-darwin-arm64": {
"version": "4.53.2",
"resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-arm64/-/rollup-darwin-arm64-4.53.2.tgz",
"integrity": "sha512-A6s4gJpomNBtJ2yioj8bflM2oogDwzUiMl2yNJ2v9E7++sHrSrsQ29fOfn5DM/iCzpWcebNYEdXpaK4tr2RhfQ==",
- "cpu": ["arm64"],
+ "cpu": [
+ "arm64"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["darwin"]
+ "os": [
+ "darwin"
+ ]
},
"node_modules/@rollup/rollup-darwin-x64": {
"version": "4.53.2",
"resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-x64/-/rollup-darwin-x64-4.53.2.tgz",
"integrity": "sha512-e6XqVmXlHrBlG56obu9gDRPW3O3hLxpwHpLsBJvuI8qqnsrtSZ9ERoWUXtPOkY8c78WghyPHZdmPhHLWNdAGEw==",
- "cpu": ["x64"],
+ "cpu": [
+ "x64"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["darwin"]
+ "os": [
+ "darwin"
+ ]
},
"node_modules/@rollup/rollup-freebsd-arm64": {
"version": "4.53.2",
"resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-arm64/-/rollup-freebsd-arm64-4.53.2.tgz",
"integrity": "sha512-v0E9lJW8VsrwPux5Qe5CwmH/CF/2mQs6xU1MF3nmUxmZUCHazCjLgYvToOk+YuuUqLQBio1qkkREhxhc656ViA==",
- "cpu": ["arm64"],
+ "cpu": [
+ "arm64"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["freebsd"]
+ "os": [
+ "freebsd"
+ ]
},
"node_modules/@rollup/rollup-freebsd-x64": {
"version": "4.53.2",
"resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-x64/-/rollup-freebsd-x64-4.53.2.tgz",
"integrity": "sha512-ClAmAPx3ZCHtp6ysl4XEhWU69GUB1D+s7G9YjHGhIGCSrsg00nEGRRZHmINYxkdoJehde8VIsDC5t9C0gb6yqA==",
- "cpu": ["x64"],
+ "cpu": [
+ "x64"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["freebsd"]
+ "os": [
+ "freebsd"
+ ]
},
"node_modules/@rollup/rollup-linux-arm-gnueabihf": {
"version": "4.53.2",
"resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-gnueabihf/-/rollup-linux-arm-gnueabihf-4.53.2.tgz",
"integrity": "sha512-EPlb95nUsz6Dd9Qy13fI5kUPXNSljaG9FiJ4YUGU1O/Q77i5DYFW5KR8g1OzTcdZUqQQ1KdDqsTohdFVwCwjqg==",
- "cpu": ["arm"],
+ "cpu": [
+ "arm"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["linux"]
+ "os": [
+ "linux"
+ ]
},
"node_modules/@rollup/rollup-linux-arm-musleabihf": {
"version": "4.53.2",
"resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-musleabihf/-/rollup-linux-arm-musleabihf-4.53.2.tgz",
"integrity": "sha512-BOmnVW+khAUX+YZvNfa0tGTEMVVEerOxN0pDk2E6N6DsEIa2Ctj48FOMfNDdrwinocKaC7YXUZ1pHlKpnkja/Q==",
- "cpu": ["arm"],
+ "cpu": [
+ "arm"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["linux"]
+ "os": [
+ "linux"
+ ]
},
"node_modules/@rollup/rollup-linux-arm64-gnu": {
"version": "4.53.2",
"resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-gnu/-/rollup-linux-arm64-gnu-4.53.2.tgz",
"integrity": "sha512-Xt2byDZ+6OVNuREgBXr4+CZDJtrVso5woFtpKdGPhpTPHcNG7D8YXeQzpNbFRxzTVqJf7kvPMCub/pcGUWgBjA==",
- "cpu": ["arm64"],
+ "cpu": [
+ "arm64"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["linux"]
+ "os": [
+ "linux"
+ ]
},
"node_modules/@rollup/rollup-linux-arm64-musl": {
"version": "4.53.2",
"resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-musl/-/rollup-linux-arm64-musl-4.53.2.tgz",
"integrity": "sha512-+LdZSldy/I9N8+klim/Y1HsKbJ3BbInHav5qE9Iy77dtHC/pibw1SR/fXlWyAk0ThnpRKoODwnAuSjqxFRDHUQ==",
- "cpu": ["arm64"],
+ "cpu": [
+ "arm64"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["linux"]
+ "os": [
+ "linux"
+ ]
},
"node_modules/@rollup/rollup-linux-loong64-gnu": {
"version": "4.53.2",
"resolved": "https://registry.npmjs.org/@rollup/rollup-linux-loong64-gnu/-/rollup-linux-loong64-gnu-4.53.2.tgz",
"integrity": "sha512-8ms8sjmyc1jWJS6WdNSA23rEfdjWB30LH8Wqj0Cqvv7qSHnvw6kgMMXRdop6hkmGPlyYBdRPkjJnj3KCUHV/uQ==",
- "cpu": ["loong64"],
+ "cpu": [
+ "loong64"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["linux"]
+ "os": [
+ "linux"
+ ]
},
"node_modules/@rollup/rollup-linux-ppc64-gnu": {
"version": "4.53.2",
"resolved": "https://registry.npmjs.org/@rollup/rollup-linux-ppc64-gnu/-/rollup-linux-ppc64-gnu-4.53.2.tgz",
"integrity": "sha512-3HRQLUQbpBDMmzoxPJYd3W6vrVHOo2cVW8RUo87Xz0JPJcBLBr5kZ1pGcQAhdZgX9VV7NbGNipah1omKKe23/g==",
- "cpu": ["ppc64"],
+ "cpu": [
+ "ppc64"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["linux"]
+ "os": [
+ "linux"
+ ]
},
"node_modules/@rollup/rollup-linux-riscv64-gnu": {
"version": "4.53.2",
"resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-gnu/-/rollup-linux-riscv64-gnu-4.53.2.tgz",
"integrity": "sha512-fMjKi+ojnmIvhk34gZP94vjogXNNUKMEYs+EDaB/5TG/wUkoeua7p7VCHnE6T2Tx+iaghAqQX8teQzcvrYpaQA==",
- "cpu": ["riscv64"],
+ "cpu": [
+ "riscv64"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["linux"]
+ "os": [
+ "linux"
+ ]
},
"node_modules/@rollup/rollup-linux-riscv64-musl": {
"version": "4.53.2",
"resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-musl/-/rollup-linux-riscv64-musl-4.53.2.tgz",
"integrity": "sha512-XuGFGU+VwUUV5kLvoAdi0Wz5Xbh2SrjIxCtZj6Wq8MDp4bflb/+ThZsVxokM7n0pcbkEr2h5/pzqzDYI7cCgLQ==",
- "cpu": ["riscv64"],
+ "cpu": [
+ "riscv64"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["linux"]
+ "os": [
+ "linux"
+ ]
},
"node_modules/@rollup/rollup-linux-s390x-gnu": {
"version": "4.53.2",
"resolved": "https://registry.npmjs.org/@rollup/rollup-linux-s390x-gnu/-/rollup-linux-s390x-gnu-4.53.2.tgz",
"integrity": "sha512-w6yjZF0P+NGzWR3AXWX9zc0DNEGdtvykB03uhonSHMRa+oWA6novflo2WaJr6JZakG2ucsyb+rvhrKac6NIy+w==",
- "cpu": ["s390x"],
+ "cpu": [
+ "s390x"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["linux"]
+ "os": [
+ "linux"
+ ]
},
"node_modules/@rollup/rollup-linux-x64-gnu": {
"version": "4.53.2",
"resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-gnu/-/rollup-linux-x64-gnu-4.53.2.tgz",
"integrity": "sha512-yo8d6tdfdeBArzC7T/PnHd7OypfI9cbuZzPnzLJIyKYFhAQ8SvlkKtKBMbXDxe1h03Rcr7u++nFS7tqXz87Gtw==",
- "cpu": ["x64"],
+ "cpu": [
+ "x64"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["linux"]
+ "os": [
+ "linux"
+ ]
},
"node_modules/@rollup/rollup-linux-x64-musl": {
"version": "4.53.2",
"resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-musl/-/rollup-linux-x64-musl-4.53.2.tgz",
"integrity": "sha512-ah59c1YkCxKExPP8O9PwOvs+XRLKwh/mV+3YdKqQ5AMQ0r4M4ZDuOrpWkUaqO7fzAHdINzV9tEVu8vNw48z0lA==",
- "cpu": ["x64"],
+ "cpu": [
+ "x64"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["linux"]
+ "os": [
+ "linux"
+ ]
},
"node_modules/@rollup/rollup-openharmony-arm64": {
"version": "4.53.2",
"resolved": "https://registry.npmjs.org/@rollup/rollup-openharmony-arm64/-/rollup-openharmony-arm64-4.53.2.tgz",
"integrity": "sha512-4VEd19Wmhr+Zy7hbUsFZ6YXEiP48hE//KPLCSVNY5RMGX2/7HZ+QkN55a3atM1C/BZCGIgqN+xrVgtdak2S9+A==",
- "cpu": ["arm64"],
+ "cpu": [
+ "arm64"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["openharmony"]
+ "os": [
+ "openharmony"
+ ]
},
"node_modules/@rollup/rollup-win32-arm64-msvc": {
"version": "4.53.2",
"resolved": "https://registry.npmjs.org/@rollup/rollup-win32-arm64-msvc/-/rollup-win32-arm64-msvc-4.53.2.tgz",
"integrity": "sha512-IlbHFYc/pQCgew/d5fslcy1KEaYVCJ44G8pajugd8VoOEI8ODhtb/j8XMhLpwHCMB3yk2J07ctup10gpw2nyMA==",
- "cpu": ["arm64"],
+ "cpu": [
+ "arm64"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["win32"]
+ "os": [
+ "win32"
+ ]
},
"node_modules/@rollup/rollup-win32-ia32-msvc": {
"version": "4.53.2",
"resolved": "https://registry.npmjs.org/@rollup/rollup-win32-ia32-msvc/-/rollup-win32-ia32-msvc-4.53.2.tgz",
"integrity": "sha512-lNlPEGgdUfSzdCWU176ku/dQRnA7W+Gp8d+cWv73jYrb8uT7HTVVxq62DUYxjbaByuf1Yk0RIIAbDzp+CnOTFg==",
- "cpu": ["ia32"],
+ "cpu": [
+ "ia32"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["win32"]
+ "os": [
+ "win32"
+ ]
},
"node_modules/@rollup/rollup-win32-x64-gnu": {
"version": "4.53.2",
"resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-gnu/-/rollup-win32-x64-gnu-4.53.2.tgz",
"integrity": "sha512-S6YojNVrHybQis2lYov1sd+uj7K0Q05NxHcGktuMMdIQ2VixGwAfbJ23NnlvvVV1bdpR2m5MsNBViHJKcA4ADw==",
- "cpu": ["x64"],
+ "cpu": [
+ "x64"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["win32"]
+ "os": [
+ "win32"
+ ]
},
"node_modules/@rollup/rollup-win32-x64-msvc": {
"version": "4.53.2",
"resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-msvc/-/rollup-win32-x64-msvc-4.53.2.tgz",
"integrity": "sha512-k+/Rkcyx//P6fetPoLMb8pBeqJBNGx81uuf7iljX9++yNBVRDQgD04L+SVXmXmh5ZP4/WOp4mWF0kmi06PW2tA==",
- "cpu": ["x64"],
+ "cpu": [
+ "x64"
+ ],
"dev": true,
"license": "MIT",
"optional": true,
- "os": ["win32"]
+ "os": [
+ "win32"
+ ]
},
"node_modules/@standard-schema/spec": {
"version": "1.0.0",
@@ -1516,7 +1708,9 @@
"hasInstallScript": true,
"license": "MIT",
"optional": true,
- "os": ["darwin"],
+ "os": [
+ "darwin"
+ ],
"engines": {
"node": "^8.16.0 || ^10.6.0 || >=11.0.0"
}
diff --git a/pkg/workflow/compiler_yaml_main_job.go b/pkg/workflow/compiler_yaml_main_job.go
index dface0e454e..acf30220224 100644
--- a/pkg/workflow/compiler_yaml_main_job.go
+++ b/pkg/workflow/compiler_yaml_main_job.go
@@ -142,6 +142,9 @@ func (c *Compiler) generateMainJobSteps(yaml *strings.Builder, data *WorkflowDat
// GH_AW_SAFE_OUTPUTS is now set at job level, no setup step needed
+ // Add GitHub MCP lockdown detection step if needed
+ c.generateGitHubMCPLockdownDetectionStep(yaml, data)
+
// Add MCP setup
c.generateMCPSetup(yaml, data.Tools, engine, data)
diff --git a/pkg/workflow/github_lockdown_autodetect_test.go b/pkg/workflow/github_lockdown_autodetect_test.go
new file mode 100644
index 00000000000..922146be51e
--- /dev/null
+++ b/pkg/workflow/github_lockdown_autodetect_test.go
@@ -0,0 +1,214 @@
+package workflow
+
+import (
+ "os"
+ "path/filepath"
+ "strings"
+ "testing"
+)
+
+func TestGitHubLockdownAutodetection(t *testing.T) {
+ tests := []struct {
+ name string
+ workflow string
+ expectedDetectStep bool
+ expectedLockdown string // "auto" means use step output expression, "true" means hardcoded true, "false" means not present
+ description string
+ }{
+ {
+ name: "Auto-detection enabled when lockdown not specified",
+ workflow: `---
+on: issues
+engine: copilot
+tools:
+ github:
+ mode: local
+ toolsets: [default]
+---
+
+# Test Workflow
+
+Test automatic lockdown detection.
+`,
+ expectedDetectStep: true,
+ expectedLockdown: "auto",
+ description: "When lockdown is not specified, detection step should be added and lockdown should use step output",
+ },
+ {
+ name: "No auto-detection when lockdown explicitly set to true",
+ workflow: `---
+on: issues
+engine: copilot
+tools:
+ github:
+ mode: local
+ lockdown: true
+ toolsets: [default]
+---
+
+# Test Workflow
+
+Test with explicit lockdown enabled.
+`,
+ expectedDetectStep: false,
+ expectedLockdown: "true",
+ description: "When lockdown is explicitly true, no detection step and lockdown should be hardcoded",
+ },
+ {
+ name: "No auto-detection when lockdown explicitly set to false",
+ workflow: `---
+on: issues
+engine: copilot
+tools:
+ github:
+ mode: local
+ lockdown: false
+ toolsets: [default]
+---
+
+# Test Workflow
+
+Test with explicit lockdown disabled.
+`,
+ expectedDetectStep: false,
+ expectedLockdown: "false",
+ description: "When lockdown is explicitly false, no detection step and no lockdown setting",
+ },
+ {
+ name: "Auto-detection with remote mode",
+ workflow: `---
+on: issues
+engine: copilot
+tools:
+ github:
+ mode: remote
+ toolsets: [default]
+---
+
+# Test Workflow
+
+Test auto-detection with remote GitHub MCP.
+`,
+ expectedDetectStep: true,
+ expectedLockdown: "auto",
+ description: "Auto-detection should work with remote mode too",
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ // Create temporary directory for test
+ tmpDir, err := os.MkdirTemp("", "lockdown-autodetect-test-*")
+ if err != nil {
+ t.Fatalf("Failed to create temp dir: %v", err)
+ }
+ defer os.RemoveAll(tmpDir)
+
+ // Write workflow file
+ workflowPath := filepath.Join(tmpDir, "test-workflow.md")
+ if err := os.WriteFile(workflowPath, []byte(tt.workflow), 0644); err != nil {
+ t.Fatalf("Failed to write workflow file: %v", err)
+ }
+
+ // Compile workflow
+ compiler := NewCompiler(false, "", "test")
+ if err := compiler.CompileWorkflow(workflowPath); err != nil {
+ t.Fatalf("Failed to compile workflow: %v", err)
+ }
+
+ // Read the generated lock file
+ lockPath := strings.TrimSuffix(workflowPath, ".md") + ".lock.yml"
+ lockContent, err := os.ReadFile(lockPath)
+ if err != nil {
+ t.Fatalf("Failed to read lock file: %v", err)
+ }
+ yaml := string(lockContent)
+
+ // Check if detection step is present
+ detectStepPresent := strings.Contains(yaml, "Detect repository visibility for GitHub MCP lockdown") &&
+ strings.Contains(yaml, "detect-repo-visibility") &&
+ strings.Contains(yaml, "detect_repo_visibility.cjs")
+
+ if detectStepPresent != tt.expectedDetectStep {
+ t.Errorf("%s: Detection step presence = %v, want %v", tt.description, detectStepPresent, tt.expectedDetectStep)
+ }
+
+ // Check lockdown configuration based on expected value
+ switch tt.expectedLockdown {
+ case "auto":
+ // Should use step output expression
+ if !strings.Contains(yaml, "steps.detect-repo-visibility.outputs.lockdown") {
+ t.Errorf("%s: Expected lockdown to use step output expression", tt.description)
+ }
+ case "true":
+ // Should have hardcoded GITHUB_LOCKDOWN_MODE=1 or X-MCP-Lockdown: true
+ hasDockerLockdown := strings.Contains(yaml, "GITHUB_LOCKDOWN_MODE=1")
+ hasRemoteLockdown := strings.Contains(yaml, "X-MCP-Lockdown") && strings.Contains(yaml, "\"true\"")
+ if !hasDockerLockdown && !hasRemoteLockdown {
+ t.Errorf("%s: Expected hardcoded lockdown setting", tt.description)
+ }
+ case "false":
+ // Should not have GITHUB_LOCKDOWN_MODE or X-MCP-Lockdown
+ if strings.Contains(yaml, "GITHUB_LOCKDOWN_MODE") || strings.Contains(yaml, "X-MCP-Lockdown") {
+ t.Errorf("%s: Expected no lockdown setting", tt.description)
+ }
+ }
+ })
+ }
+}
+
+func TestGitHubLockdownAutodetectionClaudeEngine(t *testing.T) {
+ workflow := `---
+on: issues
+engine: claude
+tools:
+ github:
+ mode: local
+ toolsets: [default]
+---
+
+# Test Workflow
+
+Test automatic lockdown detection with Claude.
+`
+
+ // Create temporary directory for test
+ tmpDir, err := os.MkdirTemp("", "lockdown-autodetect-claude-test-*")
+ if err != nil {
+ t.Fatalf("Failed to create temp dir: %v", err)
+ }
+ defer os.RemoveAll(tmpDir)
+
+ // Write workflow file
+ workflowPath := filepath.Join(tmpDir, "test-workflow.md")
+ if err := os.WriteFile(workflowPath, []byte(workflow), 0644); err != nil {
+ t.Fatalf("Failed to write workflow file: %v", err)
+ }
+
+ // Compile workflow
+ compiler := NewCompiler(false, "", "test")
+ if err := compiler.CompileWorkflow(workflowPath); err != nil {
+ t.Fatalf("Failed to compile workflow: %v", err)
+ }
+
+ // Read the generated lock file
+ lockPath := strings.TrimSuffix(workflowPath, ".md") + ".lock.yml"
+ lockContent, err := os.ReadFile(lockPath)
+ if err != nil {
+ t.Fatalf("Failed to read lock file: %v", err)
+ }
+ yaml := string(lockContent)
+
+ // Check if detection step is present
+ detectStepPresent := strings.Contains(yaml, "Detect repository visibility for GitHub MCP lockdown") &&
+ strings.Contains(yaml, "detect-repo-visibility")
+
+ if !detectStepPresent {
+ t.Error("Detection step should be present for Claude engine")
+ }
+
+ // Check if lockdown uses step output expression
+ if !strings.Contains(yaml, "steps.detect-repo-visibility.outputs.lockdown") {
+ t.Error("Expected lockdown to use step output expression for Claude engine")
+ }
+}
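Review bot: The hardcoded-lockdown check `hasRemoteLockdown := strings.Contains(yaml, "X-MCP-Lockdown") && strings.Contains(yaml, "\"true\"")` is vacuous for the remote format: the generated config also emits `"X-MCP-Readonly": "true"` (visible in the workflow-health-manager hunk above), so the second condition holds for any lock file and the test cannot catch a renderer that writes `X-MCP-Lockdown` with the wrong value; match the pair directly, `strings.Contains(yaml, "\"X-MCP-Lockdown\": \"true\"")`. The `auto` case asserts that the step-output expression appears but not that the detection step is emitted before the MCP config that consumes it, which is the ordering the expression depends on; `strings.Index(yaml, "id: detect-repo-visibility") < strings.Index(yaml, "steps.detect-repo-visibility.outputs.lockdown")` pins it. Minor: `os.MkdirTemp` plus `defer os.RemoveAll` is `t.TempDir()` in one call, and `TestGitHubLockdownAutodetectionClaudeEngine` duplicates the compile-and-read scaffolding of the table test and could be a fifth table entry.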
diff --git a/pkg/workflow/mcp_renderer.go b/pkg/workflow/mcp_renderer.go
index 6c884afdd65..7aaec7816c0 100644
--- a/pkg/workflow/mcp_renderer.go
+++ b/pkg/workflow/mcp_renderer.go
@@ -42,11 +42,19 @@ func NewMCPConfigRenderer(opts MCPRendererOptions) *MCPConfigRendererUnified {
func (r *MCPConfigRendererUnified) RenderGitHubMCP(yaml *strings.Builder, githubTool any, workflowData *WorkflowData) {
githubType := getGitHubType(githubTool)
readOnly := getGitHubReadOnly(githubTool)
+
+ // Get lockdown value - use detected value if lockdown wasn't explicitly set
lockdown := getGitHubLockdown(githubTool)
+ if !hasGitHubLockdownExplicitlySet(githubTool) {
+ // Use the detected lockdown value from the step output
+ // This will be evaluated at runtime based on repository visibility
+ lockdown = true // This is a placeholder - actual value comes from step output
+ }
+
toolsets := getGitHubToolsets(githubTool)
- mcpRendererLog.Printf("Rendering GitHub MCP: type=%s, read_only=%t, lockdown=%t, toolsets=%v, format=%s",
- githubType, readOnly, lockdown, toolsets, r.options.Format)
+ mcpRendererLog.Printf("Rendering GitHub MCP: type=%s, read_only=%t, lockdown=%t (explicit=%t), toolsets=%v, format=%s",
+ githubType, readOnly, lockdown, hasGitHubLockdownExplicitlySet(githubTool), toolsets, r.options.Format)
if r.options.Format == "toml" {
r.renderGitHubTOML(yaml, githubTool, workflowData)
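Review bot: The placeholder assignment `lockdown = true` on the auto-detect path makes the local value meaningless for the rest of the function and makes the log line that follows report `lockdown=true` for every workflow that did not set it, while both renderers ignore `Lockdown` whenever `LockdownFromStep` is true. Drop the placeholder and compute the decision once, e.g. `lockdownFromStep := !hasGitHubLockdownExplicitlySet(githubTool)`, then log it and pass it to `RenderGitHubMCPRemoteConfig` and `RenderGitHubMCPDockerConfig` instead of re-evaluating the helper four times across this hunk and the two that follow. The TOML branch on the last line receives only `githubTool`, so whether that renderer honours the detection step is not visible here and is worth confirming. The rest of RenderGitHubMCP lies outside the hunk.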
@@ -68,6 +76,7 @@ func (r *MCPConfigRendererUnified) RenderGitHubMCP(yaml *strings.Builder, github
RenderGitHubMCPRemoteConfig(yaml, GitHubMCPRemoteOptions{
ReadOnly: readOnly,
Lockdown: lockdown,
+ LockdownFromStep: !hasGitHubLockdownExplicitlySet(githubTool),
Toolsets: toolsets,
AuthorizationValue: authValue,
IncludeToolsField: r.options.IncludeCopilotFields,
@@ -82,6 +91,7 @@ func (r *MCPConfigRendererUnified) RenderGitHubMCP(yaml *strings.Builder, github
RenderGitHubMCPDockerConfig(yaml, GitHubMCPDockerOptions{
ReadOnly: readOnly,
Lockdown: lockdown,
+ LockdownFromStep: !hasGitHubLockdownExplicitlySet(githubTool),
Toolsets: toolsets,
DockerImageVersion: githubDockerImageVersion,
CustomArgs: customArgs,
@@ -426,6 +436,8 @@ type GitHubMCPDockerOptions struct {
ReadOnly bool
// Lockdown enables lockdown mode for GitHub MCP server (limits content from public repos)
Lockdown bool
+ // LockdownFromStep indicates if lockdown value should be read from step output
+ LockdownFromStep bool
// Toolsets specifies the GitHub toolsets to enable
Toolsets string
// DockerImageVersion specifies the GitHub MCP server Docker image version
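Review bot: The new `LockdownFromStep` comment does not say how the field interacts with `Lockdown`, which matters because the renderer ignores `Lockdown` entirely once `LockdownFromStep` is true. Suggest `// LockdownFromStep makes the rendered config read the lockdown value from the detect-repo-visibility step output at runtime; when true, Lockdown is ignored.` The same wording applies to the identical field added to GitHubMCPRemoteOptions in the later hunk.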
@@ -465,7 +477,12 @@ func RenderGitHubMCPDockerConfig(yaml *strings.Builder, options GitHubMCPDockerO
yaml.WriteString(" \"GITHUB_READ_ONLY=1\",\n")
}
- if options.Lockdown {
+ if options.LockdownFromStep {
+ // Use lockdown value from step output (detected based on repository visibility)
+ yaml.WriteString(" \"-e\",\n")
+ yaml.WriteString(" \"GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}\",\n")
+ } else if options.Lockdown {
+ // Use explicit lockdown value from configuration
yaml.WriteString(" \"-e\",\n")
yaml.WriteString(" \"GITHUB_LOCKDOWN_MODE=1\",\n")
}
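Review bot: The added expression maps every value other than the literal `'true'` to `'0'`, so if the detect-repo-visibility step is skipped, fails before writing its output, or is emitted into a different job, the container gets `GITHUB_LOCKDOWN_MODE=0` and lockdown is silently disabled for a public repository. That is the opposite of the fail-closed intent stated in the changeset (lockdown on API failure). Inverting the comparison makes the generated workflow fail closed for a missing output: `yaml.WriteString(" \"GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown != 'false' && '1' || '0' }}\",\n")`. RenderGitHubMCPDockerConfig continues outside the hunk.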
@@ -520,6 +537,8 @@ type GitHubMCPRemoteOptions struct {
ReadOnly bool
// Lockdown enables lockdown mode for GitHub MCP server (limits content from public repos)
Lockdown bool
+ // LockdownFromStep indicates if lockdown value should be read from step output
+ LockdownFromStep bool
// Toolsets specifies the GitHub toolsets to enable
Toolsets string
// AuthorizationValue is the value for the Authorization header
@@ -556,7 +575,11 @@ func RenderGitHubMCPRemoteConfig(yaml *strings.Builder, options GitHubMCPRemoteO
}
// Add X-MCP-Lockdown header if lockdown mode is enabled
- if options.Lockdown {
+ if options.LockdownFromStep {
+ // Use lockdown value from step output (detected based on repository visibility)
+ headers["X-MCP-Lockdown"] = "${{ steps.detect-repo-visibility.outputs.lockdown }}"
+ } else if options.Lockdown {
+ // Use explicit lockdown value from configuration
headers["X-MCP-Lockdown"] = "true"
}
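Review bot: The comment `// Add X-MCP-Lockdown header if lockdown mode is enabled` is now stale: on the `LockdownFromStep` branch the header is always emitted, carrying whatever the step output holds. Update it to `// Add X-MCP-Lockdown header: the detected value from the step output, or "true" when lockdown was set explicitly`. Unlike the Docker hunk, the value is interpolated raw, so an empty step output yields an empty header; how the remote server treats that is not visible here and should be confirmed, or the value normalised with `"${{ steps.detect-repo-visibility.outputs.lockdown != 'false' && 'true' || 'false' }}"` so a missing output fails closed. RenderGitHubMCPRemoteConfig continues outside the hunk.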
diff --git a/pkg/workflow/mcp_servers.go b/pkg/workflow/mcp_servers.go
index f3e5e63893a..10f4369ecb0 100644
--- a/pkg/workflow/mcp_servers.go
+++ b/pkg/workflow/mcp_servers.go
@@ -511,6 +511,15 @@ func getGitHubLockdown(githubTool any) bool {
return false // default to lockdown disabled
}
+// hasGitHubLockdownExplicitlySet checks if lockdown field is explicitly set in GitHub tool config
+func hasGitHubLockdownExplicitlySet(githubTool any) bool {
+ if toolConfig, ok := githubTool.(map[string]any); ok {
+ _, exists := toolConfig["lockdown"]
+ return exists
+ }
+ return false
+}
+
// getGitHubToolsets extracts the toolsets configuration from GitHub tool
// Expands "default" to individual toolsets for action-friendly compatibility
func getGitHubToolsets(githubTool any) string {
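Review bot: `hasGitHubLockdownExplicitlySet` treats any `lockdown` key as explicit, including a null or non-bool value, and on that path the renderer falls back to `getGitHubLockdown`, whose visible tail returns false for anything it does not recognise. A workflow with `lockdown: ~` or a mistyped value would therefore skip auto-detection and run with lockdown off, which fails open for a public repository. If a non-bool value is not rejected by schema validation elsewhere, consider counting only a bool as explicit, `v, exists := toolConfig["lockdown"]; _, isBool := v.(bool); return exists && isBool`, or validate the type at parse time and fail the compile.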
@@ -729,3 +738,32 @@ func replaceExpressionsInPlaywrightArgs(args []string, expressions map[string]st
// Split back into individual arguments
return strings.Split(replaced, "\n")
}
+
+// generateGitHubMCPLockdownDetectionStep generates a step to detect repository visibility
+// and set the lockdown mode accordingly. This step is only added when:
+// - GitHub tool is enabled AND
+// - lockdown field is not explicitly specified in the workflow configuration
+func (c *Compiler) generateGitHubMCPLockdownDetectionStep(yaml *strings.Builder, data *WorkflowData) {
+ // Check if GitHub tool is present
+ githubTool, hasGitHub := data.Tools["github"]
+ if !hasGitHub || githubTool == false {
+ return
+ }
+
+ // Check if lockdown is already explicitly set
+ if hasGitHubLockdownExplicitlySet(githubTool) {
+ mcpServersLog.Print("Lockdown explicitly set in workflow, skipping auto-detection")
+ return
+ }
+
+ mcpServersLog.Print("Generating GitHub MCP lockdown auto-detection step")
+
+ // Generate the step using the detect_repo_visibility.cjs action
+ yaml.WriteString(" - name: Detect repository visibility for GitHub MCP lockdown\n")
+ yaml.WriteString(" id: detect-repo-visibility\n")
+ yaml.WriteString(" uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1\n")
+ yaml.WriteString(" with:\n")
+ yaml.WriteString(" script: |\n")
+ yaml.WriteString(" const detectRepoVisibility = require('/tmp/gh-aw/actions/detect_repo_visibility.cjs');\n")
+ yaml.WriteString(" await detectRepoVisibility(github, context, core);\n")
+}
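Review bot: The step hard-codes the id `detect-repo-visibility` and the path `/tmp/gh-aw/actions/detect_repo_visibility.cjs`, both of which are contracts with code outside this function: the id is referenced by the expressions in mcp_renderer.go, the script must already be staged by an earlier step, and `steps.<id>.outputs` only resolves when the step and the MCP configuration land in the same job. None of that is stated on the function, so suggest extending the doc comment with `// The step must be emitted in the same job as, and before, the MCP configuration that references steps.detect-repo-visibility, and after the step that stages /tmp/gh-aw/actions/*.cjs.` A package-level constant for the step id, used here and by the two renderers, would turn a silent mismatch into a compile error. The `githubTool == false` check leaves `github: true` and `github: null` on the auto-detect path, which looks intended but deserves a word in the comment.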