
Copilot AI commented Jan 3, 2026

Rename detect-repo-visibility to determine-automatic-lockdown with runtime token check

Changes Completed

  • Rename JavaScript file from detect_repo_visibility.cjs to determine_automatic_lockdown.cjs
  • Rename test file from detect_repo_visibility.test.cjs to determine_automatic_lockdown.test.cjs
  • Update function name from detectRepoVisibility to determineAutomaticLockdown
  • Add runtime if condition to check for GH_AW_GITHUB_MCP_SERVER_TOKEN
  • Add logging to the function (enhanced with more detailed info messages)
  • Update all references in Go code
  • Update tests to verify runtime condition
  • Recompile all workflows with new implementation
  • Update documentation

Implementation Details

The automatic lockdown determination step is now generated whenever:

  1. GitHub tool is enabled
  2. Lockdown is not explicitly set in configuration

The step includes a runtime condition that only executes when GH_AW_GITHUB_MCP_SERVER_TOKEN is defined:

- name: Determine automatic lockdown mode for GitHub MCP server
  id: determine-automatic-lockdown
  if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
  uses: actions/github-script@...
  with:
    script: |
      const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');
      await determineAutomaticLockdown(github, context, core);

This ensures that:

  • The step is always present in the workflow (not conditionally generated at compile time)
  • The step only runs at runtime if the custom token secret is defined
  • No unnecessary API calls when using the default GITHUB_TOKEN
  • The determination is done at runtime based on the actual repository environment

Documentation Updates

Updated documentation in:

  • docs/src/content/docs/guides/security.md - Clarified that automatic determination only occurs when GH_AW_GITHUB_MCP_SERVER_TOKEN is defined
  • docs/src/content/docs/reference/tools.md - Updated lockdown field documentation to reflect runtime determination behavior

Key changes:

  • Changed "automatically enabled" to "automatically determined" to be more accurate
  • Added explicit mention that automatic determination requires GH_AW_GITHUB_MCP_SERVER_TOKEN
  • Clarified that when using default GITHUB_TOKEN, automatic determination is skipped

Original prompt

Rename "detect-repo-visibility" to "determine-automatic-lockdown"

  • only applies if custom github mcp server token environment variable is defined and for public repositories
  • add logging
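
An added sketch (not the project's determine_automatic_lockdown.cjs) of a runtime lockdown determination with logging, as the step above describes. It assumes the step's if: has already gated on the custom token; the output name lockdown, the fail-closed default on API errors, and the mock github/context/core objects are assumptions.

```javascript
// Added illustration, not the contents of determine_automatic_lockdown.cjs.
// Assumed: output name "lockdown", fail-closed on errors, and the mocks below.

// Public repositories get lockdown; private and internal ones do not.
function lockdownForRepo(repo) {
  if (typeof repo.visibility === "string") return repo.visibility === "public";
  return repo.private !== true; // unknown visibility is treated as public
}

// Same (github, context, core) argument shape that actions/github-script provides.
async function determineLockdownExample(github, context, core) {
  const { owner, repo } = context.repo;
  core.info(`Determining automatic lockdown mode for ${owner}/${repo}`);
  let lockdown;
  try {
    const { data } = await github.rest.repos.get({ owner, repo });
    lockdown = lockdownForRepo(data);
    core.info(`Repository visibility: ${data.visibility ?? "not reported"}`);
  } catch (err) {
    // Fail closed: if visibility cannot be read, pick the restrictive mode.
    lockdown = true;
    core.warning(`Visibility lookup failed (${err.message}); enabling lockdown`);
  }
  core.setOutput("lockdown", lockdown ? "true" : "false");
  core.info(`Automatic lockdown mode: ${lockdown ? "enabled" : "disabled"}`);
  return lockdown;
}

// Constructed stand-ins so the sketch runs offline.
function mockRun(repoData, fail = false) {
  const outputs = {};
  const log = [];
  const core = {
    info: (m) => log.push(m),
    warning: (m) => log.push("WARN " + m),
    setOutput: (k, v) => { outputs[k] = v; },
  };
  const get = async () => {
    if (fail) throw new Error("HTTP 403");
    return { data: repoData };
  };
  const github = { rest: { repos: { get } } };
  const context = { repo: { owner: "example-org", repo: "example-repo" } };
  return determineLockdownExample(github, context, core)
    .then((lockdown) => ({ lockdown, outputs, log }));
}

mockRun({ private: false, visibility: "public" }).then((r) => console.log(r.outputs, r.log));
```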


Copilot AI and others added 3 commits January 3, 2026 23:16
…stom token requirement

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…uire custom token

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Rename detect-repo-visibility to determine-automatic-lockdown" to "Rename detect-repo-visibility to determine-automatic-lockdown and require custom token" Jan 3, 2026
Copilot AI requested a review from pelikhan January 3, 2026 23:29

pelikhan commented Jan 4, 2026

@copilot The detection of the custom GitHub environment variable needs to be done as an "if" statement in the step

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jan 4, 2026

@copilot The detection of the custom GitHub environment variable needs to be done as an "if" statement in the step

Done in c79b157. The determination step is now always generated when lockdown is not explicitly set, with an if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != '' condition that checks for the custom token at runtime.

Example generated YAML:

- name: Determine automatic lockdown mode for GitHub MCP server
  id: determine-automatic-lockdown
  if: secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN != ''
  uses: actions/github-script@...


pelikhan commented Jan 4, 2026

@copilot

  • recompile
  • update docs

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "Rename detect-repo-visibility to determine-automatic-lockdown and require custom token" to "Rename detect-repo-visibility to determine-automatic-lockdown with runtime token check" Jan 4, 2026
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jan 4, 2026

@copilot

  • recompile...

Done in 3b8861f:

  1. Recompile: Already done in 9a63cbd - all 126 workflows recompiled with the runtime if: condition
  2. Update docs: Updated documentation in:
    • docs/src/content/docs/guides/security.md - Clarified automatic determination only occurs when GH_AW_GITHUB_MCP_SERVER_TOKEN is defined
    • docs/src/content/docs/reference/tools.md - Updated lockdown field documentation

Key documentation changes:

  • Changed "automatically enabled" → "automatically determined" for accuracy
  • Added explicit requirement for GH_AW_GITHUB_MCP_SERVER_TOKEN
  • Clarified behavior when using default GITHUB_TOKEN (determination skipped)

pelikhan marked this pull request as ready for review January 4, 2026 00:54
pelikhan merged commit 3326a21 into main Jan 4, 2026
4 checks passed
pelikhan deleted the copilot/rename-detect-repo-visibility branch January 4, 2026 00:55