Skip to content

[refactoring] Expand github-guard-policy.md adoption to all GitHub MCP workflows #33691

Description

@github-actions

Problem

138 workflows (89% of workflows using GitHub MCP tools) don't import shared/github-guard-policy.md. This means:

  • Each workflow must define approval labels independently
  • Policy changes require updating 138+ workflow files
  • Inconsistent approval behavior across workflows

Current State

  • 155 workflows use GitHub MCP tools (66.5% of all workflows)
  • Only 17 workflows (11%) import shared/github-guard-policy.md
  • 138 workflows either duplicate approval labels inline or omit them entirely

What is github-guard-policy.md?

Provides standard approval labels (cookie, community) that allow issues and PRs from community contributors to bypass the min-integrity check when the GitHub MCP server performs tool calls.

Current implementation (5 lines):

---
tools:
  github:
    approval-labels: [cookie, community]
---

Proposed Solution

  1. Audit all 138 workflows - Identify which need approval label configuration
  2. Add import to all GitHub MCP workflows - Make it standard practice
  3. Update AGENTS.md - Document when to import github-guard-policy.md

Migration Path

Phase 1: High-priority workflows (issue/PR automation, moderation, security)

  • ai-moderator.md
  • bot-detection.md
  • contribution-check.md
  • code-scanning-fixer.md
  • (and ~30 others with community interaction)

Phase 2: Medium-priority workflows (daily reports, analysis)

  • All workflows in daily-*.md that use GitHub tools
  • All workflows with slash_command or label_command triggers

Phase 3: Remaining workflows

  • Smoke tests, experiments, low-frequency workflows

Example Before/After

Before (duplicated in many workflows):

tools:
  github:
    mode: local
    read-only: true
    toolsets: [default]
    approval-labels: [cookie, community]  # ← duplicated

After (centralized):

imports:
  - shared/github-guard-policy.md  # ← standard import
  - shared/otlp.md
tools:
  github:
    mode: local
    read-only: true
    toolsets: [default]
    # approval-labels inherited from github-guard-policy.md

Impact

  • Workflows affected: 138
  • Line savings: ~3-5 lines × 138 = 414-690 lines
  • Maintenance benefit: Single source of truth for approval policy
  • Security benefit: Consistent approval behavior across all workflows

Sample Workflows Missing Import

View 20 workflows without github-guard-policy.md
  • ab-testing-advisor.md
  • ai-moderator.md
  • approach-validator.md
  • archie.md
  • artifacts-summary.md
  • aw-portfolio-yield.md
  • bot-detection.md
  • breaking-change-checker.md
  • ci-coach.md
  • ci-doctor.md
  • claude-code-user-docs-review.md
  • code-scanning-fixer.md
  • code-simplifier.md
  • codex-github-remote-mcp-test.md
  • commit-changes-analyzer.md
  • contribution-check.md
  • copilot-cli-deep-research.md
  • copilot-opt.md
  • copilot-pr-merged-report.md
  • copilot-session-insights.md

References

  • Current policy: .github/workflows/shared/github-guard-policy.md
  • Analysis: §26206419572

Generated by 🔍 Workflow Skill Extractor · ● 1.6M ·

  • expires on May 23, 2026, 5:08 AM UTC

Metadata

Metadata

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions