
lockdown: used only of one of user tokens is set #15509

Merged: dsyme merged 13 commits into main from ld1 on Feb 13, 2026

@dsyme commented Feb 13, 2026

Summary

  • Add explicit validation for lockdown mode requirements
  • Improve security for workflows using GitHub tokens in public repositories
  • Provide clearer guidance on configuring GH_AW_GITHUB_TOKEN

Key Changes

  • Update determine_automatic_lockdown.cjs to require token for public repository lockdown
  • Add new validation step for lockdown mode configuration
  • Update documentation to clarify lockdown mode and token requirements
  • Enhance runtime checks for lockdown mode configuration

Security Improvements

  • Prevent accidental exposure of tokens in public repositories
  • Require explicit token configuration when lockdown mode is enabled
  • Provide informative error messages for misconfigured workflows

Copilot AI review requested due to automatic review settings February 13, 2026 20:38
Copilot AI left a comment

Pull request overview

This PR updates GitHub MCP “lockdown mode” behavior and documentation to require/encourage explicit token configuration (GH_AW_GITHUB_TOKEN) and adds runtime steps intended to validate lockdown requirements.

Changes:

  • Adjusts automatic lockdown detection to only enable lockdown for public repos when GH_AW_GITHUB_TOKEN is present.
  • Adds a new “Validate lockdown mode requirements” step when tools.github.lockdown: true is explicitly set.
  • Updates docs and regenerates many workflow lockfiles to reflect the new steps/env wiring.

Reviewed changes

Copilot reviewed 154 out of 154 changed files in this pull request and generated 6 comments.

File Description
pkg/workflow/mcp_github_config.go Adds GH_AW_GITHUB_TOKEN env wiring to automatic detection step and introduces a new lockdown validation step generator.
pkg/workflow/compiler_yaml_main_job.go Wires the new lockdown validation step into the main job step generation.
actions/setup/js/determine_automatic_lockdown.cjs Changes lockdown auto-detection logic to depend on GH_AW_GITHUB_TOKEN presence for public repos.
actions/setup/js/determine_automatic_lockdown.test.cjs Updates/adds tests for the new “token-gated” public repo lockdown behavior.
docs/src/content/docs/reference/lockdown-mode.md Updates lockdown-mode guidance and examples (currently with schema issues noted in review comments).
docs/src/content/docs/reference/auth.mdx Updates auth guidance for GH_AW_GITHUB_TOKEN and mentions lockdown behavior (currently with schema issues noted in review comments).
docs/src/content/docs/introduction/architecture.mdx Updates architecture description of how to enable lockdown (currently with schema issues noted in review comments).
.github/workflows/workflow-skill-extractor.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/workflow-normalizer.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/workflow-health-manager.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/workflow-generator.lock.yml Regenerated lockfile to include “Validate lockdown mode requirements” step.
.github/workflows/weekly-issue-summary.lock.yml Regenerated lockfile to include “Validate lockdown mode requirements” step.
.github/workflows/video-analyzer.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/unbloat-docs.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/ubuntu-image-analyzer.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/typist.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/tidy.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/test-workflow.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/test-project-url-default.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/test-dispatcher.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/test-create-pr-error-handling.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/terminal-stylist.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/technical-doc-writer.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/super-linter.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/sub-issue-closer.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/step-name-alignment.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/static-analysis-report.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/stale-repo-identifier.lock.yml Regenerated lockfile to include “Validate lockdown mode requirements” step.
.github/workflows/smoke-test-tools.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/smoke-temporary-id.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/smoke-project.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/smoke-opencode.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/smoke-copilot.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/smoke-codex.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/smoke-claude.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/slide-deck-maintainer.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/sergo.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/semantic-function-refactor.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/security-review.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/security-compliance.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/schema-consistency-checker.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/safe-output-health.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/research.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/repository-quality-improver.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/repo-tree-map.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/repo-audit-analyzer.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/release.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/refiner.lock.yml Regenerated lockfile to include “Validate lockdown mode requirements” step.
.github/workflows/q.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/python-data-charts.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/prompt-clustering-analysis.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/pr-triage-agent.lock.yml Regenerated lockfile to include “Validate lockdown mode requirements” step.
.github/workflows/pr-nitpick-reviewer.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/portfolio-analyst.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/poem-bot.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/pdf-summary.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/org-health-report.lock.yml Regenerated lockfile to include “Validate lockdown mode requirements” step.
.github/workflows/notion-issue-summary.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/metrics-collector.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/mergefest.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/mcp-inspector.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/lockfile-stats.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/layout-spec-maintainer.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/jsweep.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/issue-triage-agent.lock.yml Regenerated lockfile to include “Validate lockdown mode requirements” step.
.github/workflows/issue-monster.lock.yml Regenerated lockfile to include “Validate lockdown mode requirements” step.
.github/workflows/issue-classifier.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/issue-arborist.lock.yml Regenerated lockfile to include “Validate lockdown mode requirements” step.
.github/workflows/instructions-janitor.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/hourly-ci-cleaner.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/grumpy-reviewer.lock.yml Regenerated lockfile to include “Validate lockdown mode requirements” step.
.github/workflows/gpclean.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/go-pattern-detector.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/go-logger.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/go-fan.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/glossary-maintainer.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/github-remote-mcp-auth-test.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/github-mcp-tools-report.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/github-mcp-structural-analysis.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/functional-pragmatist.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/firewall.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/firewall-escape.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/example-workflow-analyzer.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/example-permissions-warning.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/example-custom-error-patterns.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/duplicate-code-detector.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/draft-pr-cleanup.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/docs-noob-tester.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/discussion-task-miner.lock.yml Regenerated lockfile to include “Validate lockdown mode requirements” step.
.github/workflows/dictation-prompt.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/developer-docs-consolidator.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/dev.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/dev-hawk.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/dependabot-go-checker.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/dependabot-burner.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/delight.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/deep-report.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/daily-workflow-updater.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/daily-testify-uber-super-expert.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/daily-team-status.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/daily-team-evolution-insights.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/daily-syntax-error-quality.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/daily-semgrep-scan.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/daily-secrets-analysis.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/daily-safe-output-optimizer.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/daily-repo-chronicle.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/daily-regulatory.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/daily-performance-summary.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/daily-observability-report.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/daily-news.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/daily-multi-device-docs-tester.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/daily-mcp-concurrency-analysis.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/daily-malicious-code-scan.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/daily-issues-report.lock.yml Regenerated lockfile to include “Validate lockdown mode requirements” step.
.github/workflows/daily-firewall-report.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/daily-file-diet.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/daily-fact.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/daily-doc-updater.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/daily-copilot-token-report.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/daily-compiler-quality.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/daily-code-metrics.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/daily-cli-tools-tester.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/daily-cli-performance.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/daily-choice-test.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/daily-assign-issue-to-user.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/craft.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/copilot-session-insights.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/copilot-pr-prompt-analysis.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/copilot-pr-nlp-analysis.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/copilot-cli-deep-research.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/copilot-agent-analysis.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/commit-changes-analyzer.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/codex-github-remote-mcp-test.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/code-simplifier.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/code-scanning-fixer.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/cloclo.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/cli-version-checker.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/cli-consistency-checker.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/claude-code-user-docs-review.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/ci-doctor.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/ci-coach.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/chroma-issue-indexer.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/changeset.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/breaking-change-checker.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/brave.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/bot-detection.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/blog-auditor.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/auto-triage-issues.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/audit-workflows.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/artifacts-summary.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/archie.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/ai-moderator.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/agent-persona-explorer.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
.github/workflows/agent-performance-analyzer.lock.yml Regenerated lockfile to pass GH_AW_GITHUB_TOKEN into the automatic lockdown detection step.
Comments suppressed due to low confidence (2)

docs/src/content/docs/reference/auth.mdx:136

  • This text refers to lockdown: true being set in “workflow frontmatter”, but lockdown is configured under tools.github.lockdown. Clarifying the correct key/path here will prevent users from adding an unsupported top-level lockdown field.

docs/src/content/docs/reference/lockdown-mode.md:57

  • The lockdown-mode example places lockdown: true at the top level of the frontmatter, but the actual config key is tools.github.lockdown (not a top-level frontmatter field). Update the example YAML so it matches the schema; otherwise users won’t actually enable lockdown.


@dsyme changed the title from "🔒 Enhance GitHub lockdown mode security configuration" to "lockdown: false by default" on Feb 13, 2026
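The token-gated behaviour summarised in the first review above, together with the key-placement problem from its suppressed comments, as an added JavaScript sketch. It is not the project's determine_automatic_lockdown.cjs: the function names, the `repo` object shape, the treatment of blank token values and the handling of an explicit `false` are assumptions.

```javascript
// Added illustration, not the project's determine_automatic_lockdown.cjs.
// resolveLockdown, findMisplacedLockdown and USER_TOKEN_VARS are hypothetical names.

// The page names only GH_AW_GITHUB_TOKEN; further user token variables would be
// appended here (assumption: a list, because the PR title says "one of").
const USER_TOKEN_VARS = ["GH_AW_GITHUB_TOKEN"];

// Assumption: an empty or whitespace-only value counts as "not set".
function hasUserToken(env, names = USER_TOKEN_VARS) {
  return names.some((n) => typeof env[n] === "string" && env[n].trim() !== "");
}

// From the suppressed review comments: lockdown belongs under
// tools.github.lockdown, and a top-level `lockdown` key enables nothing.
function findMisplacedLockdown(frontmatter) {
  const problems = [];
  if (frontmatter && Object.prototype.hasOwnProperty.call(frontmatter, "lockdown")) {
    problems.push("top-level 'lockdown' is not a supported key; use tools.github.lockdown");
  }
  return problems;
}

// frontmatter: parsed workflow frontmatter; repo: { private: boolean } (constructed shape).
// Returns { ok, lockdown, reason }; ok === false means the run should fail.
function resolveLockdown(frontmatter, repo, env) {
  const explicit = frontmatter?.tools?.github?.lockdown;
  const tokenSet = hasUserToken(env);

  if (explicit === true) {
    // "Validate lockdown mode requirements": explicit lockdown needs a token.
    return tokenSet
      ? { ok: true, lockdown: true, reason: "explicit tools.github.lockdown: true" }
      : { ok: false, lockdown: null, reason: "lockdown requested but GH_AW_GITHUB_TOKEN is not set" };
  }
  if (explicit === false) {
    // Assumption: an explicit false switches automatic detection off.
    return { ok: true, lockdown: false, reason: "explicit tools.github.lockdown: false" };
  }
  // Automatic detection: only a repository known to be public qualifies,
  // and only when a user token is present.
  if (repo?.private === false && tokenSet) {
    return { ok: true, lockdown: true, reason: "automatic: public repository, token present" };
  }
  return { ok: true, lockdown: false, reason: "automatic: not enabled" };
}

// Constructed cases covering each branch (token value is a placeholder).
const TOKEN = { GH_AW_GITHUB_TOKEN: "placeholder-token" };
const cases = [
  ["public, token, no key", {}, { private: false }, TOKEN],
  ["public, no token, no key", {}, { private: false }, {}],
  ["private, token, no key", {}, { private: true }, TOKEN],
  ["explicit true, no token", { tools: { github: { lockdown: true } } }, { private: true }, {}],
  ["misplaced top-level key", { lockdown: true }, { private: true }, TOKEN],
];
for (const [label, fm, repo, env] of cases) {
  const result = resolveLockdown(fm, repo, env);
  console.log(label, "=>", JSON.stringify(result), findMisplacedLockdown(fm));
}
```

The last case shows why the reviewer flagged the docs: a top-level `lockdown: true` is never read, so the workflow runs without lockdown unless the linter-style check reports it.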
Copilot AI left a comment

Pull request overview

Copilot reviewed 158 out of 158 changed files in this pull request and generated 4 comments.



@dsyme changed the title from "lockdown: false by default" to "lockdown: used only if one of user tokens is set" on Feb 13, 2026
@dsyme changed the title from "lockdown: used only if one of user tokens is set" to "lockdown: used only of one of user tokens is set" on Feb 13, 2026
Copilot AI left a comment

Pull request overview

Copilot reviewed 158 out of 158 changed files in this pull request and generated 3 comments.



@dsyme merged commit fe858c3 into main on Feb 13, 2026
51 checks passed
@dsyme deleted the ld1 branch on February 13, 2026 21:42