fix: allow pr ai review on unapproved PRs

2026-04-13 05:20:28 +08:00 · 2026-03-24 00:19:59 +08:00 · 2026-03-24 00:19:59 +08:00 · 20aa773339
commit 20aa773339
parent 670d7bae3b
2 changed files with 8 additions and 19 deletions
--- a/.github/workflows/pr-ai-slop-review.lock.yml
+++ b/.github/workflows/pr-ai-slop-review.lock.yml
@ -24,7 +24,7 @@
 # signs of one-shot AI-generated changes, then posts a maintainer-focused
 # comment when the risk is high enough to warrant follow-up.
 #
-# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"3d4fd9eaa234e0aad443087c472ec9d7cc64fb0af9698f9acdaa9ced370bf9f5","compiler_version":"v0.62.5","strict":true,"agent_id":"copilot"}
+# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"0229484736512437359ca62e7d78f88ba090f203e0249982c91a1e04a5512d5a","compiler_version":"v0.62.5","strict":true,"agent_id":"copilot"}

 name: "PR AI Slop Review"
 "on":
@ -61,7 +61,7 @@ jobs:
      title: ${{ steps.sanitized.outputs.title }}
    steps:
      - name: Setup Scripts
-        uses: github/gh-aw-actions/setup@853312c41e88e0d6f51d0e4e0658f3ad7461366a # v0.62.5
+        uses: github/gh-aw-actions/setup@dc50be57c94373431b49d3d0927f318ac2bb5c4c # v0.62.5
        with:
          destination: ${{ runner.temp }}/gh-aw/actions
      - name: Generate agentic run info
@ -272,7 +272,7 @@ jobs:
      output_types: ${{ steps.collect_output.outputs.output_types }}
    steps:
      - name: Setup Scripts
-        uses: github/gh-aw-actions/setup@853312c41e88e0d6f51d0e4e0658f3ad7461366a # v0.62.5
+        uses: github/gh-aw-actions/setup@dc50be57c94373431b49d3d0927f318ac2bb5c4c # v0.62.5
        with:
          destination: ${{ runner.temp }}/gh-aw/actions
      - name: Set runtime paths
@ -322,16 +322,6 @@ jobs:
          GH_HOST: github.com
      - name: Install AWF binary
        run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.24.5
-      - name: Determine automatic lockdown mode for GitHub MCP Server
-        id: determine-automatic-lockdown
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
-        env:
-          GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }}
-          GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }}
-        with:
-          script: |
-            const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs');
-            await determineAutomaticLockdown(github, context, core);
      - name: Download container images
        run: bash ${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.5 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.5 ghcr.io/github/gh-aw-firewall/squid:0.24.5 ghcr.io/github/gh-aw-mcpg:v0.1.20 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine
      - name: Write Safe Outputs Config
@ -477,8 +467,6 @@ jobs:
          GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
          GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }}
          GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }}
-          GITHUB_MCP_GUARD_MIN_INTEGRITY: ${{ steps.determine-automatic-lockdown.outputs.min_integrity }}
-          GITHUB_MCP_GUARD_REPOS: ${{ steps.determine-automatic-lockdown.outputs.repos }}
          GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
        run: |
          set -eo pipefail
@ -513,8 +501,8 @@ jobs:
                },
                "guard-policies": {
                  "allow-only": {
-                    "min-integrity": "$GITHUB_MCP_GUARD_MIN_INTEGRITY",
-                    "repos": "$GITHUB_MCP_GUARD_REPOS"
+                    "min-integrity": "unapproved",
+                    "repos": "all"
                  }
                }
              },
@ -861,7 +849,7 @@ jobs:
      total_count: ${{ steps.missing_tool.outputs.total_count }}
    steps:
      - name: Setup Scripts
-        uses: github/gh-aw-actions/setup@853312c41e88e0d6f51d0e4e0658f3ad7461366a # v0.62.5
+        uses: github/gh-aw-actions/setup@dc50be57c94373431b49d3d0927f318ac2bb5c4c # v0.62.5
        with:
          destination: ${{ runner.temp }}/gh-aw/actions
      - name: Download agent output artifact
@ -972,7 +960,7 @@ jobs:
      process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }}
    steps:
      - name: Setup Scripts
-        uses: github/gh-aw-actions/setup@853312c41e88e0d6f51d0e4e0658f3ad7461366a # v0.62.5
+        uses: github/gh-aw-actions/setup@dc50be57c94373431b49d3d0927f318ac2bb5c4c # v0.62.5
        with:
          destination: ${{ runner.temp }}/gh-aw/actions
      - name: Download agent output artifact
--- a/.github/workflows/pr-ai-slop-review.md
+++ b/.github/workflows/pr-ai-slop-review.md
@ -19,6 +19,7 @@ tools:
  github:
    toolsets: [default]
    lockdown: false
+    min-integrity: unapproved

 safe-outputs:
  mentions: false