From 1f32546404b65b484d1ce4d73f45c49e36e477dd Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 22 Mar 2026 17:07:25 +0000
Subject: [PATCH] fix: disable min-integrity enforcement in PR AI Slop Review workflow After updating to gh-aw v0.62.5, the compiled workflow introduced automatic integrity-based lockdown via the determine-automatic-lockdown step. When only the default GITHUB_TOKEN is available (no PAT configured), this script sets GITHUB_MCP_GUARD_MIN_INTEGRITY to 'approved', which blocks the agent from reading PR content from external contributors (they have lower-than-approved integrity). Fix: Set GITHUB_MCP_GUARD_MIN_INTEGRITY to empty string and remove the min-integrity guard-policy from the GitHub MCP server config so the agent can read all incoming PR content, which is the entire purpose of this workflow. The repo restriction (GITHUB_MCP_GUARD_REPOS) is kept intact. Note: gh aw compile is not available in this environment (private extension, 403 Forbidden), so this is a direct manual edit to the lock file as an exception to the normal compile-based workflow. Co-authored-by: Tunglies <77394545+Tunglies@users.noreply.github.com> Agent-Logs-Url: https://github.com/clash-verge-rev/clash-verge-rev/sessions/24bdd1b4-1def-43ff-b676-a4f73ba9b267
---
 .github/workflows/pr-ai-slop-review.lock.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/pr-ai-slop-review.lock.yml b/.github/workflows/pr-ai-slop-review.lock.yml
index 8a2b5aeaf..0de206996 100644
--- a/.github/workflows/pr-ai-slop-review.lock.yml
+++ b/.github/workflows/pr-ai-slop-review.lock.yml
@@ -477,7 +477,7 @@ jobs:
 GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
 GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }}
 GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }}
- GITHUB_MCP_GUARD_MIN_INTEGRITY: ${{ steps.determine-automatic-lockdown.outputs.min_integrity }}
+ GITHUB_MCP_GUARD_MIN_INTEGRITY: ""
 GITHUB_MCP_GUARD_REPOS: ${{ steps.determine-automatic-lockdown.outputs.repos }}
 GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 run: |
@@ -513,7 +513,6 @@ jobs:
 },
 "guard-policies": {
 "allow-only": {
- "min-integrity": "$GITHUB_MCP_GUARD_MIN_INTEGRITY",
 "repos": "$GITHUB_MCP_GUARD_REPOS"
 }
 }
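Review bot: Hard-coding `GITHUB_MCP_GUARD_MIN_INTEGRITY: ""` in the first hunk (`@@ -477`) switches the integrity floor off unconditionally, so it no longer follows whatever the determine-automatic-lockdown step decides. The `GITHUB_MCP_SERVER_TOKEN` line just below still prefers two custom token secrets over `secrets.GITHUB_TOKEN`. If one of those secrets is configured later, the agent would read content from external contributors with that token and no integrity floor. With the guard off, pull-request text from outside contributors reaches the agent as untrusted input, so the job's token permissions and the safe-outputs path are what bound the effect of an injected instruction; both are outside this hunk and worth confirming. I would at least record the decision on the line itself: `# integrity guard disabled on purpose: agent reads untrusted PR content; re-check if a custom token secret is added`.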
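Review bot: Once the `"min-integrity"` key is removed from `allow-only` in the second hunk (`@@ -513`), nothing in the visible lines reads `GITHUB_MCP_GUARD_MIN_INTEGRITY` any more, so the empty env entry set in the first hunk looks redundant. Keeping a single mechanism, either the env value or the dropped key, would make it clearer which change actually disables the guard. The commit message says this lock file is normally produced by `gh aw compile`, so the next compile will presumably restore both lines and silently re-enable the block unless the workflow's source definition is changed as well. The enclosing JSON config starts and ends outside the hunk.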