
Add min-integrity: none to ai-moderator workflow#25104

Merged
pelikhan merged 3 commits into main from copilot/update-ai-moderator-integrity-none
Apr 7, 2026

Conversation

Contributor

Copilot AI commented Apr 7, 2026

The ai-moderator workflow was missing an integrity level configuration for its GitHub tool, which defaults to a more restrictive setting that can filter events from non-collaborators — exactly the population this workflow is designed to moderate.

Changes

  • ai-moderator.md: Added min-integrity: none to the github tool config so the workflow processes events from all users regardless of their repository relationship
  • ai-moderator.lock.yml: Recompiled to reflect the updated frontmatter
```yaml
tools:
  github:
    mode: local
    read-only: true
    toolsets: [default]
    min-integrity: none  # added
```

@pelikhan pelikhan marked this pull request as ready for review April 7, 2026 14:26
Copilot AI review requested due to automatic review settings April 7, 2026 14:26
Collaborator

pelikhan commented Apr 7, 2026

@copilot merge main and recompile

Contributor

Copilot AI left a comment


Pull request overview

Updates the ai-moderator agentic workflow’s GitHub tool guard policy so it can process events authored by non-collaborators (the intended moderation target).

Changes:

  • Add min-integrity: none to the tools.github configuration in ai-moderator.md.
  • Recompile ai-moderator.lock.yml so the generated MCP gateway guard policy reflects the updated integrity setting (and associated generated wiring).
| File | Description |
| --- | --- |
| .github/workflows/ai-moderator.md | Adds min-integrity: none to relax integrity filtering for moderation events. |
| .github/workflows/ai-moderator.lock.yml | Regenerated workflow output reflecting updated guard policy config and related compiled steps. |

Copilot's findings


  • Files reviewed: 2/2 changed files
  • Comments generated: 1

Context (ai-moderator.md, tools.github block):

```yaml
mode: local
read-only: true
toolsets: [default]
min-integrity: none
```

Copilot AI Apr 7, 2026


Setting min-integrity: none without also constraining allowed-repos causes the compiled guard policy to default to repos: "all" (see ai-moderator.lock.yml guard-policies block), which can unintentionally grant the workflow’s GitHub MCP access to all repositories reachable by the token (including if GH_AW_GITHUB_TOKEN is a broad PAT). If this workflow only needs to moderate activity in the current repo, explicitly set allowed-repos to the current repository (or a narrow pattern) alongside min-integrity: none to keep cross-repo access minimized.

Suggested change (the `min-integrity: none` line becomes):

```yaml
min-integrity: none
allowed-repos:
- ${{ github.repository }}
```

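The weak and hardened configurations from the PR description and the review comment above, as an added example that is not part of this PR or of gh-aw: a small Python check that reads a workflow file's frontmatter and flags a `github` tool block that sets `min-integrity: none` without `allowed-repos`. It uses a minimal indentation-based scanner for the YAML subset shown on this page rather than a full YAML parser; the sample frontmatter is constructed, the `on:` trigger in it is a placeholder rather than gh-aw's real schema, and the `read-only` check is an extra of my own, not something raised in the review.

```python
import re

# Constructed sample frontmatter for an agentic workflow .md file. The tools.github
# keys (mode, read-only, toolsets, min-integrity, allowed-repos) are the ones shown in
# the PR; the `on:` trigger is a placeholder, not gh-aw's actual schema.
WEAK = """---
on:
  issues:
    types: [opened]
tools:
  github:
    mode: local
    read-only: true
    toolsets: [default]
    min-integrity: none  # added
---
# AI moderator
"""

# Same workflow with the reviewer's suggestion applied: access pinned to the current repo.
HARDENED = WEAK.replace(
    "    min-integrity: none  # added\n",
    "    min-integrity: none\n    allowed-repos:\n      - ${{ github.repository }}\n",
)


def frontmatter(doc):
    """Text between the leading '---' fences, or '' if the file has no frontmatter."""
    m = re.match(r"^---\n(.*?)\n---", doc, re.S)
    return m.group(1) if m else ""


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def block_under(lines, key):
    """Lines nested under a `key:` that is a direct child of this block.

    Minimal indentation-based scan of the YAML subset used here, not a YAML parser.
    """
    lines = [l for l in lines if l.strip() and not l.lstrip().startswith("#")]
    if not lines:
        return []
    base = min(_indent(l) for l in lines)
    out, inside = [], False
    for line in lines:
        if inside:
            if _indent(line) <= base:
                break
            out.append(line)
        elif _indent(line) == base and line.strip() == f"{key}:":
            inside = True
    return out


def direct_children(block):
    """Map each key at the block's top level to a scalar string or a list of items."""
    if not block:
        return {}
    base = min(_indent(l) for l in block)
    out, current = {}, None
    for line in block:
        s = line.strip()
        if _indent(line) == base and not s.startswith("- ") and ":" in s:
            key, _, value = s.partition(":")
            value = value.split(" #", 1)[0].strip()  # drop a trailing comment
            current = key.strip()
            if value.startswith("[") and value.endswith("]"):
                out[current] = [v.strip() for v in value[1:-1].split(",") if v.strip()]
            else:
                out[current] = value or None  # None: a nested mapping or list follows
        elif s.startswith("- ") and current is not None:
            items = out[current] if isinstance(out[current], list) else []
            items.append(s[2:].strip())
            out[current] = items
    return out


def github_tool(doc):
    """The tools.github mapping of a workflow file ({} if there is none)."""
    fm = frontmatter(doc).splitlines()
    return direct_children(block_under(block_under(fm, "tools"), "github"))


def audit(doc):
    """Findings (strings) for one workflow file; an empty list means nothing to report."""
    gh = github_tool(doc)
    findings = []
    if not gh:
        return findings
    if gh.get("min-integrity") == "none" and not gh.get("allowed-repos"):
        findings.append(
            "min-integrity: none without allowed-repos: per the review comment the compiled "
            "guard policy then defaults to repos: \"all\"; pin allowed-repos to the current repo"
        )
    # Extra check of my own, not raised in the PR: a moderator should not need write access.
    if gh.get("read-only") != "true":
        findings.append("github tool is not read-only: true")
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(doc) or "ok")
```

Run over a directory of `.github/workflows/*.md` files, the same check turns the reviewer's one-off observation into a repeatable pre-commit or CI gate; the scanner deliberately handles only the flat key/value and list shapes seen in this frontmatter, so anything more exotic should go through a real YAML library instead.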
Copilot AI and others added 2 commits April 7, 2026 14:34
…erator-integrity-none

# Conflicts:
#	.github/workflows/ai-moderator.lock.yml

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/5309cb25-2c04-4094-8f1a-d51f89a95805

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented Apr 7, 2026

> @copilot merge main and recompile

Done — merged main (resolved the lock file conflict) and recompiled all 182 workflows in 4f91405.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/-
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/- --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

