Skip to content

Fix issue triage repository guard#3089

Open
RickWinter wants to merge 1 commit into
microsoft:mainfrom
RickWinter:rickwinter-fix-issue-triage-agent
Open

Fix issue triage repository guard#3089
RickWinter wants to merge 1 commit into
microsoft:mainfrom
RickWinter:rickwinter-fix-issue-triage-agent

Conversation

@RickWinter

Copy link
Copy Markdown
Member

What does this PR do?

The Issue Triage Agent fails before startup because the MCP gateway accepts explicit repository allowlists only as arrays. Change the GitHub tool guard from a scalar repository expression to ["microsoft/mcp"], preserving least-privilege access while producing a valid gateway policy.

Regenerate the gh-aw lock workflow with strict compilation. The generated policy now emits "repos": ["microsoft/mcp"].

GitHub issue number?

Fixes: #3040

Pre-merge Checklist

  • Required for All PRs
    • Read contribution guidelines
    • PR title clearly describes the change
    • Commit history is clean with descriptive messages (cleanup guide)
    • Added comprehensive tests for new/modified functionality (validated with strict gh-aw compilation)
    • Created a changelog entry if the change falls among the following: new feature, bug fix, UI/UX update, breaking change, or updated dependencies. Follow the changelog entry guide (N/A, internal workflow fix)
  • For MCP tool changes:
    • One tool per PR: This PR adds or modifies only one MCP tool for faster review cycles
    • Updated servers/Azure.Mcp.Server/README.md and/or servers/Fabric.Mcp.Server/README.md documentation
    • Validate README.md changes running the script ./eng/scripts/Process-PackageReadMe.ps1. See Package README
    • For new or modified tool descriptions, ran ToolDescriptionEvaluator and obtained a score of 0.4 or more and a top 3 ranking for all related test prompts
    • For tools with new names, including new tools or renamed tools, update consolidated-tools.json
    • For renamed tools, follow the Tool Rename Checklist and tag the PR with the breaking-change label
    • For new tools associated with Azure services or publicly available tools/APIs/products, add URL to documentation in the PR description
  • Extra steps for Azure MCP Server tool changes:
    • Updated command list in servers/Azure.Mcp.Server/docs/azmcp-commands.md
    • Ran ./eng/scripts/Update-AzCommandsMetadata.ps1 to update tool metadata in azmcp-commands.md (required for CI)
    • Updated test prompts in servers/Azure.Mcp.Server/docs/e2eTestPrompts.md
    • For Community (non-Microsoft team member) PRs:
      • Security review: Reviewed code for security vulnerabilities, malicious code, or suspicious activities before running tests (crypto mining, spam, data exfiltration, etc.)
      • Manual tests run: added comment /azp run mcp - pullrequest - live to run Live Test Pipeline

The MCP tool and Azure MCP Server checklist sections are not applicable because this changes only repository automation.

Invoking Livetests

Copilot submitted PRs are not trustworthy by default. Users with write access to the repo need to validate the contents of this PR before leaving a comment with the text /azp run mcp - pullrequest - live. This will trigger the necessary livetest workflows to complete required validation.

Encode the explicit repository allowlist as an array so the MCP gateway can initialize the GitHub guard policy.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

Copilot-Session: 6e1020e5-dc4b-4e1e-8004-01f33a6b3977
Copilot AI review requested due to automatic review settings July 17, 2026 21:06
@RickWinter
RickWinter requested review from a team as code owners July 17, 2026 21:06
@azure-pipelines

Copy link
Copy Markdown
Azure Pipelines:
Successfully started running 1 pipeline(s).
There may be pipelines that require an authorized user to comment /azp run to run.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the Issue Triage Agent’s GitHub MCP guard configuration to use an explicit repository allowlist array (as required by the MCP gateway policy format), and regenerates the compiled lock workflow so the emitted policy contains "repos": ["microsoft/mcp"].

Changes:

  • Change allowed-repos from a scalar expression to an explicit array containing microsoft/mcp.
  • Regenerate the issue-triage-agent.lock.yml output so the MCP gateway config emits repos as an array and updates derived guard-policy values accordingly.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
.github/workflows/issue-triage-agent.md Switches the GitHub tool guard allowed-repos to an explicit array (["microsoft/mcp"]) to satisfy gateway policy expectations.
.github/workflows/issue-triage-agent.lock.yml Regenerated compiled workflow reflecting the new guard policy ("repos": ["microsoft/mcp"]) and related derived policy strings.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[aw] Issue Triage Agent failed

2 participants