Skip to content
Open
Show file tree
Hide file tree
Changes from 4 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion .github/aw/github-mcp-server.md
Original file line number Diff line number Diff line change
Expand Up @@ -204,6 +204,8 @@ The following toolsets are recommended as defaults for typical agentic workflows
| `get_code_scanning_alert` | Get details of a specific code scanning alert | `owner`, `repo`, `alert_number` |
| `list_code_scanning_alerts` | List code scanning alerts for a repository | `owner`, `repo`, `state`, `severity` |

When calling `list_code_scanning_alerts` in workflow prompts/templates, always bound requests with `state: open` and `severity: critical,high`.

---

### dependabot
Expand Down Expand Up @@ -368,4 +370,3 @@ Most toolsets work with the default `GITHUB_TOKEN` in GitHub Actions. Exceptions
- `projects` — Requires a PAT with `project` scope
- `security_advisories` (write) — Requires `security-events: write` permission
- `actions` (write for `actions_run_trigger`) — Requires `actions: write` permission

2 changes: 2 additions & 0 deletions .github/skills/github-mcp-server/SKILL.md
Original file line number Diff line number Diff line change
Expand Up @@ -173,6 +173,8 @@ This section maps individual tools to their respective toolsets to help with mig
- `get_code_scanning_alert` - Get details of a specific alert
- `create_code_scanning_alert` - Create a code scanning alert

When invoking `list_code_scanning_alerts` from workflow prompts/templates, always include `state: open` and `severity: critical,high`.

### Discussions Toolset
- `list_discussions` - List discussions in a repository
- `create_discussion` - Create a new discussion
Expand Down
2 changes: 2 additions & 0 deletions docs/src/content/docs/guides/mcps.md
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,8 @@ The GitHub MCP server is built into agentic workflows and provides comprehensive
| `code_security` | Security alerts | `list_code_scanning_alerts` |
| `users` | User profiles | `get_me` ⚠️, `get_user`, `list_users` |

When calling `list_code_scanning_alerts` from workflow prompts, always bound the request with `state: open` and `severity: critical,high`.

The `default` toolset includes: `context`, `repos`, `issues`, `pull_requests`. When used in workflows, `[default]` expands to action-friendly toolsets that work with GitHub Actions tokens. Note: The `users` toolset is not included by default as GitHub Actions tokens do not support user operations.

> [!WARNING]
Expand Down
51 changes: 51 additions & 0 deletions pkg/cli/code_scanning_prompt_bounds_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
//go:build !integration

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot delete this test file

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done — the file has been deleted in the latest commit.


package cli

import (
"os"
"path/filepath"
"strings"
"testing"
)

const codeScanningAlertGuardLineWindow = 8

func TestListCodeScanningAlertsPromptBounds(t *testing.T) {
paths := []string{
filepath.Join("..", "..", ".github", "workflows", "github-mcp-structural-analysis.md"),
filepath.Join("..", "..", ".github", "aw", "github-mcp-server.md"),
filepath.Join("..", "..", ".github", "skills", "github-mcp-server", "SKILL.md"),
}

for _, path := range paths {
t.Run(path, func(t *testing.T) {
content, err := os.ReadFile(path)
if err != nil {
t.Fatalf("failed to read %s: %v", path, err)
}
text := string(content)
if !strings.Contains(text, "list_code_scanning_alerts") {
t.Skipf("%s does not reference list_code_scanning_alerts", path)
}

lines := strings.Split(text, "\n")
hasBoundedReference := false
for i, line := range lines {
if !strings.Contains(line, "list_code_scanning_alerts") {
continue
}
start := max(0, i-codeScanningAlertGuardLineWindow)
end := min(len(lines), i+codeScanningAlertGuardLineWindow+1)
window := strings.Join(lines[start:end], "\n")
if strings.Contains(window, "state: open") && strings.Contains(window, "severity: critical,high") {
hasBoundedReference = true
break
}
}
if !hasBoundedReference {
t.Fatalf("%s must include state: open and severity: critical,high near list_code_scanning_alerts", path)
}
})
}
}
Loading