
Harden shared MCP allowlists for high-risk servers and document wildcard policy #33384

Merged: pelikhan merged 3 commits into main from copilot/deep-report-audit-allowed-access on May 19, 2026

Copilot AI commented May 19, 2026

The shared MCP catalog had 8 servers configured with allowed: ["*"], including high-privilege surfaces. This change applies least-privilege to the highest-risk servers and makes wildcard usage explicit and reviewable where retained.

  • High-risk MCPs moved to explicit allowlists

    • Updated shared/mcp/azure.md, shared/mcp/jupyter.md, and shared/mcp/semgrep.md to replace wildcard access with enumerated tool lists aligned to current workflow usage and read-oriented operations.
  • Wildcard policy documented per server

    • Added inline security-decision comments across all 8 audited files to explain whether wildcard is restricted or intentionally retained:
      • Restricted: azure, jupyter, semgrep
      • Retained with rationale: brave, microsoft-docs, markitdown, skillz, tavily
  • Generated workflow outputs updated

    • Recompiled affected lockfiles so compiled MCP tool filters match updated shared imports.

```yaml
# before
allowed: ["*"]

# after (example: semgrep)
allowed:
  - semgrep_rule_schema
  - get_supported_languages
  - semgrep_scan
  - semgrep_scan_local
  - semgrep_scan_with_custom_rule
  - semgrep_findings
```

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name o orutil.test GOINSECURE GOMOD GOMODCACHE orutil.test 0244�� rdian.md GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet GOINSECURE igFiles,SwigCXXFremote GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 .cfg ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/xremote.origin.url (http block)
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name -f k/gh-aw/gh-aw/actions/node_modules/.bin/node -f owner=github -f bash ache�� ithub/workflows gh k/gh-aw/node_modules/.bin/node rkflow/js/**/*.jgit --jq erignore infocmp (http block)
  • https://api.github.com/repos/github/gh-aw/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 GOMOD GOMODCACHE x_amd64/vet env -json .cfg x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
  • https://api.github.com/repos/github/gh-aw/contents/.github/workflows/shared/reporting.md
    • Triggering command: /tmp/go-build2024499414/b477/cli.test /tmp/go-build2024499414/b477/cli.test -test.testlogfile=/tmp/go-build2024499414/b477/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /tmp/go-build136451946/b477/cli.test /tmp/go-build136451946/b477/cli.test -test.testlogfile=/tmp/go-build136451946/b477/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true ignore-path ../.npx ormessage.test DiscussionsEnabl--check git -C js/**/*.json' --**/*.json show x_amd64/asm url x_amd64/vet de x_amd64/asm (http block)
    • Triggering command: /tmp/go-build3799259582/b477/cli.test /tmp/go-build3799259582/b477/cli.test -test.testlogfile=/tmp/go-build3799259582/b477/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true 34 -buildtags /opt/hostedtoolcnpx prettier --check '**/*.cjs' '**/*.ts' '**/*.json' --ignore-path ../../../.pr--ignore-path gh api js/**/*.json' --ignore-path ../../../.prettierignore --jq x_amd64/compile 066630/001 -tests bject.type] | @t--check x_amd64/compile (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/dev
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/dev --jq [.object.sha, .object.type] | @tsv /tmp/go-build2093950493/b001/_pkg_.a (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/dev --jq [.object.sha, .object.type] | @tsv iEKB/UQP2ARhfQO4T-rPmiEKB go /usr/bin/git -json GO111MODULE x_amd64/vet git 4499�� /tmp/compile-instructions-test-2430463796/.github/workflows 4499414/b566/_testmain.go /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/link remote.origin.urinfocmp GO111MODULE x_amd64/vet /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linu--jq (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/dev --jq [.object.sha, .object.type] | @tsv ithub-script/git/ref/tags/v9 -tests bject.type] | @tsv w/js/**/*.json' git config x_amd64/cgo git init�� /usr/bin/gh x_amd64/cgo /usr/bin/git ath ../../../.prinfocmp show odules/npm/node_xterm-color git (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv -aw/git/ref/tags/v2.0.0 /dev/null ache/node/24.14.1/x64/bin/node 3686954825/001' 3686954825/001' x_amd64/link ache/node/24.14.1/x64/bin/node 7493�� (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv 'value' |� secrets.TOKEN -goversion /usr/bin/git -c=4 -nolocalimports -importcfg git ls-r�� --symref origin er: String!, $name: String!) { new (upstream) ithub/workflows config kflows/daily-subxterm-color infocmp (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv /tmp/TestHashConsistency_GoAndJavaScript1969077451/001/test-simple-frontmatter.md -goversion /usr/bin/infocmp -c=4 -nolocalimports -importcfg infocmp -1 rt DOCKER_HOST="" GH_AW_DOCKER_Hremote.upstream.url infocmp /usr/bin/git 47310013/001' 47310013/001' 64/bin/git git (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv 770640217/.github/workflows 4499414/b054/vet.cfg 64/bin/go GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/xremote2 (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv yphen3734936892/001' yphen3734936892/001' er: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabl/repos/actions/github-script/git/ref/tags/v9 remote.origin.ur/opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet --jq bject.type] | @t-bool uname ode_�� ache/go/1.25.8/x-errorsas gh sh /ref/tags/v9 --jq sv git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv json' --ignore-p-p --jq node /tmp/gh-aw-test-node l /usr/bin/git gh ules�� 081947e8:.github-c=4 --jq .1/x64/codeql/to-importcfg user.name b.com/github/gh-/tmp/js-hash-test-3952360152/test-hash.js /usr/bin/git .1/x64/codeql/tools/linux64/java/bin/java (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv d-objects.md GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json .cfg x_amd64/link GOINSECURE GOMOD GOMODCACHE x_amd64/link (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv 597298708/001 597298708/002/work ules/.bin/sh name ache/go/1.25.8/x-1 sv dotyBDsAzJ_WEypI9E/PSZlURlsEOgGB-buildtags ules�� */*.ts' '**/*.json' --ignore-pat-errorsas config x_amd64/vet url --auto ml x_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv ty-test.md --jq n-dir/node #!/bin/bash expogit infocmp om/org1/repo1.gi/tmp/TestGuardPolicyBlockedUsersExpressionCompiledOutput1935685595/001 git 1/x6�� ub/workflows --ignore-submodules 64/bin/node user.email test@example.com-1 /usr/bin/git bash (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv lGitmaster_branc-p lGitmaster_brancmain x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv Gitcustom_branch3686954825/001' Gitcustom_branch3686954825/001' x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env aw.test GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv /workflows GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env ub/workflows GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq [.object.sha, .object.type] | @tsv s.md -nolocalimports -importcfg /tmp/go-build2024499414/b559/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/pkg/stats/statvar.go /home/REDACTED/work/gh-aw/gh-aw/pkg/stats/spec_test.go env -json .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq [.object.sha, .object.type] | @tsv lGitmaster_branch1597298708/001' lGitmaster_branch1597298708/001' /usr/bin/infocmp url --package-lock-oapi r: $owner, name:/repos/actions/github-script/git/ref/tags/v9 infocmp ules�� ub/workflows eloper-action-main/dist/ripgrep/-ifaceassert 1/x64/bin/npx l git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq [.object.sha, .object.type] | @tsv Gitmaster_branch2981364082/001' Gitmaster_branch2981364082/001' tions/setup/node_modules/.bin/sh../../../.prettierignore waysRecompiles32git git /usr/bin/gh git add ub/workflows -v h json; \ cp .git/opt/hostedtoolcache/node/24.14.1/x64/bin/node --jq /usr/bin/git bash (http block)
  • https://api.github.com/repos/github/gh-aw/issues/17
    • Triggering command: /usr/bin/gh gh api repos/github/gh-aw/issues/17 go env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api repos/github/gh-aw/issues/17 infocmp -1 xterm-color gh nt-all-merged.lock.yml /repos/actions/c/opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet nly ed } } lsb_release er on' --ignore-pat-errorsas in/dist/ripgrep/-ifaceassert (http block)
    • Triggering command: /usr/bin/gh gh api repos/github/gh-aw/issues/17 gh api ath ../../../.pr**/*.json --jq er 0Z /usr/bin/gh repository(owne-bool gh api on' --ignore-pat-errorsas --jq cal/bin/bash /repos/actions/ggit --jq /usr/bin/git gh (http block)
  • https://api.github.com/repos/google-github-actions/auth/git/ref/tags/v2
    • Triggering command: /usr/bin/gh gh api /repos/google-github-actions/auth/git/ref/tags/v2 --jq [.object.sha, .object.type] | @tsv GOMODCACHE go clusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle -json GO111MODULE 64/bin/go /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linu^remote\..*\.gh-resolved$ -o /tmp/go-build2024499414/b550/_pkg_.a s/12346/artifacts ache/node/24.14.1/x64/bin/node -p github.com/githu-500 -lang=go1.25 ache/node/24.14.1/x64/bin/node (http block)
    • Triggering command: /usr/bin/gh gh api /repos/google-github-actions/auth/git/ref/tags/v2 --jq [.object.sha, .object.type] | @tsv /ref/tags/v9 (http block)
    • Triggering command: /usr/bin/gh gh api /repos/google-github-actions/auth/git/ref/tags/v2 --jq [.object.sha, .object.type] | @tsv -test.paniconexit0 -test.v=true ache/node/24.14.1/x64/bin/node -test.timeout=10gh -test.run=^Test -test.short=true/repos/actions/github-script/git/ref/tags/v9 ache/node/24.14.--jq 3385�� 325625898/001 --initial-branch=master /usr/bin/infocmp js/**/*.json' --head git 64/bin/git infocmp (http block)
  • https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv 1354476816/.github/workflows 4499414/b073/vet.cfg 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linuremote2 (http block)
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv 771905ddec8a6081-d 5 me: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } h ../../../.pret/opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/link ache/go/1.25.8/x-o $name) { has/tmp/go-build136451946/b547/parser.test rustc ode_�� k/gh-aw/gh-aw gh stylist.lock.yml-buildmode=exe d -n 10 --jq (http block)
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv re --jq n-dir/git 3358215494 l /usr/bin/gh gh api 081947e8:docs/as-c=4 --jq k/_temp/uv-pytho-importcfg /repos/actions/gnode --jq _id":222}] t4StJtk/fgblrTe8hnoKuXO_g4RX (http block)
  • https://api.github.com/repos/nonexistent/repo/actions/runs/12345
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE igFiles,SwigCXXFremote GOMODCACHE REDACTED.test 0244�� 2823081328 GO111MODULE .cfg GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linuremote.origin.url (http block)
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion remote.origin.urgh r -d bash k/gh�� 1197163965/.gith--limit on 1/x64/bin/node /../../.prettiergit erignore r: $owner, name: $name) { has--get sh (http block)
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion (http block)
  • https://api.github.com/repos/org/repo/pulls/1
    • Triggering command: /usr/bin/gh gh api repos/org/repo/pulls/1 go env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api repos/org/repo/pulls/1 infocmp estl�� ath ../../../.pr**/*.json infocmp modules/@npmcli/run-script/lib/node-gyp-bin/node tion 64/pkg/tool/linu-atomic ed } } pip er on' --ignore-pat-errorsas numpy rcer.lock.yml xterm-color ache/go/1.25.8/xconfig (http block)
    • Triggering command: /usr/bin/gh gh api repos/org/repo/pulls/1 gh api ath ../../../.pr**/*.json --jq rgo/bin/git /ref/tags/v9 git-upload-pack -atomic sv gh api re --jq odules/npm/node_-nilfunc /tmp/gh-aw-test-git remote /usr/bin/git gh (http block)
  • https://api.github.com/repos/owner/repo/actions/secrets
    • Triggering command: /usr/bin/gh gh api /repos/owner/repo/actions/secrets --jq .secrets[].name -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/owner/repo/actions/secrets --jq .secrets[].name k/gh-aw/gh-aw/.github/workflows config _modules/.bin/node url bg9oPhCYT65zxsAe-o sv bPRiJnY_ePg_ -C re show 63da9b5f3447834c-d re --log-level=egit ache/go/1.25.8/xconfig modules/@npmcli/user.email git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/owner/repo/actions/secrets --jq .secrets[].name led-with-env-template-expressions-in-body.md git-receive-pack /usr/bin/gh DiscussionsEnabl/opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/compile infocmp /usr/bin/git gh api json' --ignore-p-p --jq 1/x64/bin/git /tmp/gh-aw-test-git config /usr/bin/git gh (http block)
  • https://api.github.com/repos/owner/repo/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-remote-workflow --limit 30 --repo owner/repo 64/pkg/tool/linux_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh workflow list --repo owner/repo --json name,path,state .cfg GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-trimpath env -json GO111MODULE .cfg GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/xsh (http block)
  • https://api.github.com/repos/test-owner/test-repo/actions/secrets
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name /home/REDACTED/work/gh-aw/gh-aw/.github/workflows config ature-coverage.lock.yml remote.origin.ur/opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/compile ache/go/1.25.8/x-o ed } } git -C re config me: String!) { -lang=go1.25 remote.origin.urgit /opt/hostedtoolc-C (http block)
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name 081947e8:.github/workflows/brave.lock.yml --jq ache/node/24.14.1/x64/bin/sh git-upload-pack /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/compile ols/codeql.jar .git infocmp -1 re gh /usr/bin/infocmp-lang=go1.25 /repos/actions/gnode l /usr/bin/gh infocmp (http block)
  • https://api.github.com/repos/test/repo
    • Triggering command: /usr/bin/gh gh api /repos/test/repo --jq .default_branch -json GO111MODULE .cfg GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/xsh -uns�� s/1234567890 /tmp/go-build2024499414/b232/vet-nolocalimports umber, url: .html_url, status: .-importcfg GOSUMDB GOWORK 64/bin/go 4499414/b507/linters.test (http block)
    • Triggering command: /usr/bin/gh gh api /repos/test/repo --jq .default_branch 4da568d2b78b781983e88e93e21b6f91facd4914e29e3015remote.origin.url format:cjs /opt/hostedtoolcache/uv/0.11.15/x86_64/sh ithub/workflows --jq erignore sh -c /ref/tags/v9 git sv te '../../../**/gh -v /usr/bin/git fi echo "$GH_AW_--jq (http block)
    • Triggering command: /usr/bin/gh gh api /repos/test/repo --jq .default_branch 4b025677fd8b42a59de4cf55ff3cfea32b6868ce6d8e1be7remote.upstream.url gh ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile -news.lock.yml owner/test-repo bject.type] | @tprintf '%s' "$1" ache/go/1.25.8/xsh -c 1139908/b541/_pkg_.a gh 1139908/b541=> d/mcp/brave.md --jq sv sh (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI and others added 2 commits May 19, 2026 19:30
Copilot AI changed the title from "[WIP] Audit and restrict allowed: ["*"] on 8 high-privilege MCP servers" to "Harden shared MCP allowlists for high-risk servers and document wildcard policy" May 19, 2026
Copilot AI requested a review from gh-aw-bot May 19, 2026 19:45
@pelikhan pelikhan marked this pull request as ready for review May 19, 2026 22:52
Copilot AI review requested due to automatic review settings May 19, 2026 22:52
@pelikhan pelikhan merged commit ee1cf6a into main May 19, 2026
2 checks passed
@pelikhan pelikhan deleted the copilot/deep-report-audit-allowed-access branch May 19, 2026 22:53

Copilot AI left a comment

Pull request overview

This PR hardens shared MCP server configurations by replacing wildcards on selected high-risk servers with explicit allowlists and documenting why remaining wildcards are retained.

Changes:

  • Restricts Azure, Jupyter, and Semgrep MCP servers to explicit tool allowlists.
  • Adds inline security-decision comments for retained wildcard configurations.
  • Regenerates affected workflow lockfiles so compiled MCP tool filters and hashes are updated.

| File | Description |
| --- | --- |
| .github/workflows/shared/mcp/azure.md | Replaces Azure wildcard with explicit read-oriented tool allowlist. |
| .github/workflows/shared/mcp/jupyter.md | Replaces Jupyter wildcard with notebook create/read/execute tool allowlist. |
| .github/workflows/shared/mcp/semgrep.md | Replaces Semgrep wildcard with explicit scan/schema/findings tools. |
| .github/workflows/shared/mcp/brave.md | Documents rationale for retaining wildcard. |
| .github/workflows/shared/mcp/markitdown.md | Documents rationale for retaining wildcard. |
| .github/workflows/shared/mcp/microsoft-docs.md | Documents rationale for retaining wildcard. |
| .github/workflows/shared/mcp/skillz.md | Documents rationale for retaining wildcard. |
| .github/workflows/shared/mcp/tavily.md | Documents rationale for retaining wildcard. |
| .github/workflows/daily-semgrep-scan.lock.yml | Updates compiled Semgrep MCP tool filter. |
| .github/workflows/brave.lock.yml | Regenerates compiled workflow metadata/hash output. |
| .github/workflows/daily-news.lock.yml | Regenerates compiled workflow metadata/hash output. |
| .github/workflows/mcp-inspector.lock.yml | Regenerates compiled workflow metadata/hash output. |
| .github/workflows/pdf-summary.lock.yml | Regenerates compiled workflow metadata/hash output. |
| .github/workflows/research.lock.yml | Regenerates compiled workflow metadata/hash output. |
| .github/workflows/scout.lock.yml | Regenerates compiled workflow metadata/hash output. |
| .github/workflows/smoke-claude.lock.yml | Regenerates compiled workflow metadata/hash output. |

Copilot's findings

  • Files reviewed: 16/16 changed files
  • Comments generated: 1

Comment on lines +14 to +16
# Security decision (2026-05-19): restrict Azure MCP to read-only discovery tools.
# This replaces wildcard access to reduce blast radius if a future tool is added upstream.
allowed:
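Review bot: The comment on +14 states the criterion ("read-only discovery tools") and a date, but nothing on these lines says where the decision was made or how the list is re-checked, so a later edit can append a write-capable tool under `allowed:` while the comment above it still reads as accurate. Suggest referencing the audit issue or this PR (#33384) next to the date and adding one line saying that any new entry has to meet the read-only criterion, so a reviewer of a future change to this list has something concrete to check against.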
Development

Successfully merging this pull request may close these issues.

[deep-report] Audit and restrict allowed: ["*"] on 8 high-privilege MCP servers

4 participants
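The wildcard policy described in this pull request (explicit lists for high-risk servers, wildcards kept only with a recorded rationale) can be checked mechanically. The following is an added example, not code from the gh-aw repository or this pull request: a line-based scan (not a full YAML parse) that classifies every `allowed:` key in a shared MCP file. The `mcp-servers:` frontmatter layout, the match on the words "Security decision", and the sample files are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

ALLOWED_RE = re.compile(r"^\s*allowed:\s*(.*)$")
ITEM_RE = re.compile(r"^\s*-\s+(.+)$")
MARKER = "security decision"  # phrase used in the PR's inline comments


@dataclass
class Finding:
    line: int         # 1-based line number in the file
    tools: list
    documented: bool  # a "Security decision" comment sits directly above

    @property
    def verdict(self):
        if "*" not in self.tools:
            return "explicit"
        return "wildcard-documented" if self.documented else "wildcard-undocumented"


def _scalar(raw):
    """Drop a trailing YAML comment and surrounding quotes from one value."""
    return raw.split(" #", 1)[0].strip().strip("\"'")


def _frontmatter(text):
    """Return the lines between the leading '---' fences (empty if none)."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---":
        return []
    for end in range(1, len(lines)):
        if lines[end].strip() == "---":
            return lines[1:end]
    return lines[1:]


def audit(text):
    """Report every `allowed:` key found in the frontmatter of one file."""
    fm, findings = _frontmatter(text), []
    for i, line in enumerate(fm):
        m = ALLOWED_RE.match(line)
        if not m:
            continue
        inline = m.group(1).split(" #", 1)[0].strip()
        if inline:  # flow style, e.g. allowed: ["*"]
            tools = [_scalar(t) for t in inline.strip("[]").split(",") if t.strip()]
        else:       # block style: collect the "- item" lines that follow
            tools = []
            for nxt in fm[i + 1:]:
                if not nxt.strip() or nxt.lstrip().startswith("#"):
                    continue
                item = ITEM_RE.match(nxt)
                if not item:
                    break
                tools.append(_scalar(item.group(1)))
        # Walk up the contiguous comment lines directly above the key.
        j, documented = i - 1, False
        while j >= 0 and fm[j].lstrip().startswith("#"):
            documented = documented or MARKER in fm[j].lower()
            j -= 1
        findings.append(Finding(i + 2, tools, documented))
    return findings


# Constructed sample files. The `mcp-servers:` layout and the comment wording
# are assumptions; the semgrep tool names are the ones listed in the PR.
def _doc(*body):
    return "\n".join(["---", "mcp-servers:", "  server:", *body, "---", "prompt"])


SAMPLES = {
    "semgrep.md": _doc("    # Security decision (2026-05-19): explicit allowlist.",
                       "    allowed:", "      - semgrep_rule_schema", "      - semgrep_scan"),
    "brave.md": _doc("    # Security decision (2026-05-19): wildcard retained.",
                     '    allowed: ["*"]'),
    "unreviewed.md": _doc("    allowed:", '      - "*"   # no decision recorded'),
}


def gate(samples):
    """Map file name to verdicts; CI would fail on 'wildcard-undocumented'."""
    return {name: [f.verdict for f in audit(text)] for name, text in samples.items()}
```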