Problem
138 workflows (89% of workflows using GitHub MCP tools) don't import shared/github-guard-policy.md. This means:
- Each workflow must define approval labels independently
- Policy changes require updating 138+ workflow files
- Inconsistent approval behavior across workflows
Current State
- 155 workflows use GitHub MCP tools (66.5% of all workflows)
- Only 17 workflows (11%) import
shared/github-guard-policy.md
- 138 workflows either duplicate approval labels inline or omit them entirely
What is github-guard-policy.md?
Provides standard approval labels (cookie, community) that allow issues and PRs from community contributors to bypass the min-integrity check when the GitHub MCP server performs tool calls.
Current implementation (5 lines):
---
tools:
github:
approval-labels: [cookie, community]
---
Proposed Solution
- Audit all 138 workflows - Identify which need approval label configuration
- Add import to all GitHub MCP workflows - Make it standard practice
- Update AGENTS.md - Document when to import github-guard-policy.md
Migration Path
Phase 1: High-priority workflows (issue/PR automation, moderation, security)
- ai-moderator.md
- bot-detection.md
- contribution-check.md
- code-scanning-fixer.md
- (and ~30 others with community interaction)
Phase 2: Medium-priority workflows (daily reports, analysis)
- All workflows in
daily-*.md that use GitHub tools
- All workflows with
slash_command or label_command triggers
Phase 3: Remaining workflows
- Smoke tests, experiments, low-frequency workflows
Example Before/After
Before (duplicated in many workflows):
tools:
github:
mode: local
read-only: true
toolsets: [default]
approval-labels: [cookie, community] # ← duplicated
After (centralized):
imports:
- shared/github-guard-policy.md # ← standard import
- shared/otlp.md
tools:
github:
mode: local
read-only: true
toolsets: [default]
# approval-labels inherited from github-guard-policy.md
Impact
- Workflows affected: 138
- Line savings: ~3-5 lines × 138 = 414-690 lines
- Maintenance benefit: Single source of truth for approval policy
- Security benefit: Consistent approval behavior across all workflows
Sample Workflows Missing Import
View 20 workflows without github-guard-policy.md
- ab-testing-advisor.md
- ai-moderator.md
- approach-validator.md
- archie.md
- artifacts-summary.md
- aw-portfolio-yield.md
- bot-detection.md
- breaking-change-checker.md
- ci-coach.md
- ci-doctor.md
- claude-code-user-docs-review.md
- code-scanning-fixer.md
- code-simplifier.md
- codex-github-remote-mcp-test.md
- commit-changes-analyzer.md
- contribution-check.md
- copilot-cli-deep-research.md
- copilot-opt.md
- copilot-pr-merged-report.md
- copilot-session-insights.md
References
- Current policy:
.github/workflows/shared/github-guard-policy.md
- Analysis: §26206419572
Generated by 🔍 Workflow Skill Extractor · ● 1.6M · ◷
Problem
138 workflows (89% of workflows using GitHub MCP tools) don't import
shared/github-guard-policy.md. This means:Current State
shared/github-guard-policy.mdWhat is github-guard-policy.md?
Provides standard approval labels (
cookie,community) that allow issues and PRs from community contributors to bypass the min-integrity check when the GitHub MCP server performs tool calls.Current implementation (5 lines):
Proposed Solution
Migration Path
Phase 1: High-priority workflows (issue/PR automation, moderation, security)
Phase 2: Medium-priority workflows (daily reports, analysis)
daily-*.mdthat use GitHub toolsslash_commandorlabel_commandtriggersPhase 3: Remaining workflows
Example Before/After
Before (duplicated in many workflows):
After (centralized):
Impact
Sample Workflows Missing Import
View 20 workflows without github-guard-policy.md
References
.github/workflows/shared/github-guard-policy.md