fix: disable min-integrity enforcement in PR AI Slop Review workflow

After updating to gh-aw v0.62.5, the compiled workflow introduced automatic
integrity-based lockdown via the determine-automatic-lockdown step. When only
the default GITHUB_TOKEN is available (no PAT configured), this script sets
GITHUB_MCP_GUARD_MIN_INTEGRITY to 'approved', which blocks the agent from
reading PR content from external contributors (they have lower-than-approved
integrity).

Fix: Set GITHUB_MCP_GUARD_MIN_INTEGRITY to empty string and remove the
min-integrity guard-policy from the GitHub MCP server config so the agent
can read all incoming PR content, which is the entire purpose of this workflow.

The repo restriction (GITHUB_MCP_GUARD_REPOS) is kept intact.

Note: gh aw compile is not available in this environment (private extension,
403 Forbidden), so this is a direct manual edit to the lock file as an
exception to the normal compile-based workflow.

Co-authored-by: Tunglies <77394545+Tunglies@users.noreply.github.com>
Agent-Logs-Url: https://github.com/clash-verge-rev/clash-verge-rev/sessions/24bdd1b4-1def-43ff-b676-a4f73ba9b267
copilot-swe-agent[bot] 2026-03-22 17:07:25 +00:00
parent beee5c5720
commit 1f32546404


@ -477,7 +477,7 @@ jobs:
GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }}
GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }}
GITHUB_MCP_GUARD_MIN_INTEGRITY: ${{ steps.determine-automatic-lockdown.outputs.min_integrity }}
GITHUB_MCP_GUARD_MIN_INTEGRITY: ""
GITHUB_MCP_GUARD_REPOS: ${{ steps.determine-automatic-lockdown.outputs.repos }}
GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
run: |
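Review bot: Replacing the `determine-automatic-lockdown` output with a literal `""` for `GITHUB_MCP_GUARD_MIN_INTEGRITY` leaves the variable defined but empty in this step's environment, while the `determine-automatic-lockdown` step that computes `min_integrity` still runs; either drop the variable here entirely or leave a comment beside it stating that it is intentionally emptied, since a reader of the lock file otherwise cannot tell a deliberate override from a compiler regression. Because this is a hand edit to compiler output (the message notes `gh aw compile` was unavailable), the next recompile will restore `${{ steps.determine-automatic-lockdown.outputs.min_integrity }}` and silently re-enable the lockdown that blocks external PRs; the durable place for this override is the workflow source that the compiler reads, with the lock-file change carried only until that is possible. The `GITHUB_MCP_GUARD_REPOS` line is unchanged, which matches the message's statement that the repo restriction is kept.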
@ -513,7 +513,6 @@ jobs:
},
"guard-policies": {
"allow-only": {
"min-integrity": "$GITHUB_MCP_GUARD_MIN_INTEGRITY",
"repos": "$GITHUB_MCP_GUARD_REPOS"
}
}
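Review bot: With the `"min-integrity"` entry removed, the `"allow-only"` policy contains only `"repos": "$GITHUB_MCP_GUARD_REPOS"`, so the repo allow-list becomes the sole guard-policy applied to the GitHub MCP server. That is the intended effect, but it means PR text from contributors the lockdown step would have rated below `approved` is now read by the agent as untrusted input; the mitigation this relies on is that the MCP server exposes only read paths and that any resulting writes go through the safe-outputs channel configured above (`GH_AW_SAFE_OUTPUTS`, `GH_AW_SAFE_OUTPUTS_API_KEY`, `GH_AW_SAFE_OUTPUTS_PORT`), which is worth stating in the workflow so the reduced policy is understood as deliberate. A short comment on the `"allow-only"` block naming the removed key would also stop a future recompile or merge from reintroducing it unnoticed.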