feat: add daily integrity filtering audit workflow#2439
Merged
Conversation
Daily weekday workflow that audits recent agentic workflow runs in github/gh-aw for DIFC integrity filtering problems. Downloads run artifacts, parses JSONL/gateway logs for anomalies, and creates a summary issue with findings classified by severity. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Adds a new gh-aw agentic workflow that runs on weekdays to audit DIFC integrity filtering behavior in recent github/gh-aw workflow runs, and files a summary issue with findings.
Changes:
- Introduces a new
Integrity Filtering Auditworkflow prompt describing how to enumerate runs, download artifacts, analyze DIFC signals, and report findings. - Adds the compiled lock workflow implementing the scheduled run, MCP Gateway setup, and safe-output issue creation.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/integrity-filtering-audit.md | Defines the audit procedure and reporting format for the Copilot-driven workflow. |
| .github/workflows/integrity-filtering-audit.lock.yml | Generated workflow that schedules execution, configures MCP Gateway/guard policies, and processes safe outputs to create an issue. |
Comments suppressed due to low confidence (1)
.github/workflows/integrity-filtering-audit.md:112
- Same quoting issue as above: the glob is inside quotes, so it won't expand and the guard error search will typically return nothing even when matching logs exist. Adjust the command to allow glob expansion safely (or use
find/xargs).
# Example: Find guard errors
grep -iE 'error|failed|blocked|unknown' "$TMPDIR/*/mcp-logs/mcp-gateway.log" 2>/dev/null | head -20
</details>
---
💡 <a href="/github/gh-aw-mcpg/new/main?filename=.github/instructions/*.instructions.md" class="Link--inTextBlock" target="_blank" rel="noopener noreferrer">Add Copilot custom instructions</a> for smarter, more guided reviews. <a href="https://docs.github.com/en/copilot/customizing-copilot/adding-repository-custom-instructions-for-github-copilot" class="Link--inTextBlock" target="_blank" rel="noopener noreferrer">Learn how to get started</a>.
Add 6 gh CLI tests that mirror the github-script tests, routing requests through the proxy via direct URLs: - Tests 7-8: REST list issues (in-scope / out-of-scope) - Tests 9-10: GraphQL issues (in-scope / out-of-scope) - Tests 11-12: search code and get file contents via /api/v3/ prefix Tests 11-12 use /api/v3/ prefix paths to validate StripGHHostPrefix. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
When endpoints like get_file_contents return a single JSON object, the guard wraps it in a 1-item collection for filtering. ToResult() then returns it as [obj] (array), breaking clients expecting the original object shape. Add unwrapSingleObject() to detect when the original response was a single object and unwrap the filtered 1-element array back to the original shape. Skips search envelopes and GraphQL responses which have their own handling. Fixes Test 12 (gh CLI get_file_contents) in the smoke proxy workflow. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Expand smoke-proxy-github-script to test all 25 proxy tool name mappings: - Issues: issue_read (single, comments, labels) + in/out-of-scope - Pull Requests: list_pull_requests, pull_request_read (files, reviews, comments) + in/out-of-scope - Commits: list_commits, get_commit + in/out-of-scope - Branches & Tags: list_branches, list_tags + in/out-of-scope - Releases: list_releases, get_latest_release + in/out-of-scope - Labels: list_labels, get_label + in/out-of-scope - Actions: actions_list (workflows, runs) - User/Global: get_me, search_issues, search_repositories - GraphQL: pullRequests, commit history, search, viewer - Compare: compare refs endpoint - Out-of-scope singles: file contents, commit Uses discovery pattern (query list → extract ID → test detail endpoint) with graceful skip for missing fixtures. Updates agent prompt with full test table, result file list, and evaluation criteria. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…ls expectation
- rebuildGraphQLResponse: return {data: null} when all items filtered or
no nodes/edges found, preventing data leak through non-collection
fields like viewer { login }
- injectFieldsIntoQuery: detect inline fragments (... on Type) inside
nodes {} and inject guard fields inside them, fixing GraphQL validation
errors on union types (SearchResultItem)
- Adjust test 33 (list_labels) to accept 0 items as correct DIFC
behavior (labels lack authorship → none integrity → filtered)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- extractSearchQuery: extract search query arg from GraphQL search() queries (inline or variable), enabling the guard to determine repo scope for search_issues/search_code - Add MCP gateway tool call instructions to agent prompt (Part B: 20 MCP tool calls covering in-scope, out-of-scope, and global) - Update issue template with MCP gateway results section and cross-validation between proxy and gateway modes Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
response_paths.rs: arg_repo_full was not updated when query parsing extracted repo from search query string. This caused GraphQL search items to get unscoped labels (issue:#N instead of issue:owner/repo#N), which then failed DIFC integrity checks. Fix: make arg_repo_full mutable and set it from the parsed query repo in both search_issues and search_pull_requests handlers. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This was referenced Mar 24, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Daily weekday workflow that audits recent agentic workflow runs in github/gh-aw for DIFC integrity filtering problems. Downloads run artifacts, parses JSONL/gateway logs for anomalies, and creates a summary issue with findings classified by severity.