Add daily AllowOnly guard smoke test workflow #1729
Merged
Adds a daily agentic workflow that validates AllowOnly guard policy enforcement through the MCP Gateway.

Tests:
- In-scope repo access (github/gh-aw*, both gh-aw-mcpg and gh-aw)
- Out-of-scope repo blocking (octocat/Hello-World)
- Global API blocking (search_repositories, search_users)
- Integrity filtering (min-integrity: approved)

Guard policy: repos=["github/gh-aw*"], min-integrity=approved

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
This PR adds a daily agentic smoke test workflow (`smoke-allowonly.md` and its compiled `smoke-allowonly.lock.yml`) that validates the AllowOnly guard policy enforcement through the MCP Gateway. The workflow tests that repository-scoped access control (`github/gh-aw*` wildcard) and minimum integrity requirements (`approved`) are correctly enforced by the GitHub Guard.
Changes:
- New `smoke-allowonly.md` agentic workflow definition with frontmatter configuring guard policies (`repos: ["github/gh-aw*"]`, `min-integrity: approved`), toolsets, and a detailed 4-part test plan covering in-scope access, out-of-scope blocking, global API blocking, and integrity filtering validation.
- New auto-generated `smoke-allowonly.lock.yml` compiled from the `.md` file using gh-aw v0.57.1, with SHA-pinned actions, full job definitions (pre_activation, activation, agent, safe_outputs, conclusion, update_cache_memory), and the MCP Gateway configuration including `guard-policies` for the GitHub MCP server.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| `.github/workflows/smoke-allowonly.md` | Source agentic workflow defining the AllowOnly guard smoke test plan, frontmatter config (repos, min-integrity, toolsets, permissions), and structured test output template |
| `.github/workflows/smoke-allowonly.lock.yml` | Auto-generated compiled workflow (gh-aw v0.57.1) with full GitHub Actions job definitions, MCP Gateway config with guard-policies, safe outputs, threat detection, and cache memory management |
Summary
Adds a daily agentic workflow (`smoke-allowonly.md`) that validates AllowOnly guard policy enforcement through the MCP Gateway.

Guard Policy
- `["github/gh-aw*"]` (wildcard match)
- `approved` (OWNER, MEMBER, COLLABORATOR only)

Test Coverage

In-Scope Access (expected: allowed)
- `list_issues`, `list_pull_requests`, `list_commits`, `get_file_contents`, `list_branches`, `search_code` against `github/gh-aw-mcpg`
- `list_issues`, `get_file_contents` against `github/gh-aw`

Out-of-Scope Blocking (expected: blocked)
- `octocat/Hello-World`

Global API Blocking (expected: blocked)
- `search_repositories`, `search_users`

Integrity Filtering (expected: filtered)

Frontmatter
Uses `repos` and `min-integrity` fields directly on `tools.github` per the gh-aw compiler format:

Related
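Added example, not part of this pull request and not the MCP Gateway's code: a simplified Python model of the allow/block/filter outcomes the test plan above expects. It assumes glob matching on `owner/repo`, tool arguments named `owner`, `repo` and `query`, and `author_association` as the integrity signal; all function names are hypothetical.

```python
from fnmatch import fnmatchcase
import re

POLICY = {"repos": ["github/gh-aw*"], "min-integrity": "approved"}  # values from the PR
GLOBAL_TOOLS = {"search_repositories", "search_users"}  # not tied to one repo
APPROVED = {"OWNER", "MEMBER", "COLLABORATOR"}  # "approved" per the PR description

def repo_in_scope(full_name, patterns):
    """Glob-match owner/repo against the allow-list (case-insensitive, assumed)."""
    name = full_name.lower()
    return any(fnmatchcase(name, p.lower()) for p in patterns)

def target_repos(tool, args):
    """Every owner/repo a call would touch; empty list means no repo scope."""
    if tool in GLOBAL_TOOLS:
        return []
    if tool == "search_code":  # assumed: scope comes from repo: qualifiers
        return re.findall(r"\brepo:(\S+)", args.get("query", ""))
    if args.get("owner") and args.get("repo"):
        return [f"{args['owner']}/{args['repo']}"]
    return []

def decide(tool, args, policy=POLICY):
    """Allow only when every target repo is on the allow-list."""
    repos = target_repos(tool, args)
    if not repos:
        return "blocked"  # global or unscoped call cannot be shown in-scope
    ok = all(repo_in_scope(r, policy["repos"]) for r in repos)
    return "allowed" if ok else "blocked"

def filter_by_integrity(items, policy=POLICY):
    """Keep only items whose author association meets min-integrity."""
    if policy["min-integrity"] != "approved":
        raise ValueError("only the 'approved' level is modelled here")
    return [i for i in items if i.get("author_association") in APPROVED]

# Constructed calls mirroring the PR's test plan (argument names are assumed).
CALLS = [
    ("list_issues", {"owner": "github", "repo": "gh-aw-mcpg"}),
    ("search_code", {"query": "guard repo:github/gh-aw-mcpg"}),
    ("list_issues", {"owner": "octocat", "repo": "Hello-World"}),
    ("search_users", {"query": "octocat"}),
]

if __name__ == "__main__":
    for tool, args in CALLS:
        print(f"{tool:20} -> {decide(tool, args)}")
```

Under glob semantics the pattern `github/gh-aw*` covers every repository in the `github` organisation whose name starts with `gh-aw`, so a constructed name such as `github/gh-awesome` would also be in scope in this model.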