Copilot AI commented Jan 29, 2026

In workflow run #21493451678, the Copilot agent never called the update_release MCP tool. MCP logs show only a tools/list request, no tools/call. Agent created a workaround script to manually write JSONL but never executed it, leaving /opt/gh-aw/safeoutputs/outputs.jsonl empty.

Root cause: Ambiguous JavaScript-like syntax update_release({...}) in the prompt led the agent to interpret it as needing a script workaround rather than a direct MCP tool call.

Changes

  • Prompt syntax: Changed from update_release({...}) to safeoutputs/update_release(...) matching the proven format in issue-monster.md
  • Examples: Added explicit ✅ CORRECT / ❌ INCORRECT sections showing proper tool call vs forbidden file operations
  • Warnings: Strengthened language against creating workaround scripts
  • Recompiled: release.lock.yml with updated prompt

Before:

update_release({
  tag: "v0.37.26",
  operation: "prepend",
  body: "..."
})

After:

safeoutputs/update_release(
  tag="v0.38.1",
  operation="prepend",
  body="..."
)

The explicit server/tool format removes ambiguity about whether this is a function call requiring implementation vs a direct MCP tool invocation.

Original prompt

Reference: https://github.com/githubnext/gh-aw/actions/runs/21493451678/job/61921884511

Investigate why the MCP safe outputs update release tool was not called.
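A post-run guard that would have caught the failure mode described above, added here as an example and not code from the gh-aw project or this PR. It assumes MCP traffic is logged as one JSON-RPC 2.0 message per line (the protocol's real method names are tools/list and tools/call, as in the run's logs); the log lines and the safe-outputs record shape are constructed for the example.

```python
"""Post-run check for an agentic workflow: did the agent actually invoke the
expected MCP tool, and did the safe-outputs JSONL file receive any record?

Added example, not gh-aw code. Assumes one JSON-RPC 2.0 message per log line.
"""
import json
from typing import Iterable

EXPECTED_TOOL = "update_release"

# Constructed MCP log reproducing the failing run: a tools/list request and
# its response, but never a tools/call.
FAILED_RUN_LOG = """\
{"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}
{"jsonrpc":"2.0","id":1,"result":{"tools":[{"name":"update_release"}]}}
"""

# Constructed MCP log for a healthy run: the agent calls the tool directly.
HEALTHY_RUN_LOG = """\
{"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}
{"jsonrpc":"2.0","id":1,"result":{"tools":[{"name":"update_release"}]}}
{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"update_release","arguments":{"tag":"v0.38.1","operation":"prepend","body":"..."}}}
{"jsonrpc":"2.0","id":2,"result":{"content":[{"type":"text","text":"ok"}]}}
"""

# Constructed safe-outputs record; the real file's schema is not shown on the
# page, and nothing below depends on the field names.
HEALTHY_OUTPUTS = '{"type": "update_release", "tag": "v0.38.1"}\n'


def tool_calls(log_lines: Iterable[str]) -> list[str]:
    """Return the tool names invoked via tools/call, in order.

    Non-JSON lines (banners, stray stderr) are skipped rather than fatal.
    """
    names: list[str] = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            msg = json.loads(line)
        except json.JSONDecodeError:
            continue
        if msg.get("method") == "tools/call":
            name = (msg.get("params") or {}).get("name")
            if name:
                names.append(name)
    return names


def count_jsonl_records(text: str) -> int:
    """Count non-blank JSON lines; raises json.JSONDecodeError on a malformed one."""
    count = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        json.loads(line)  # a partial or hand-written line is itself a finding
        count += 1
    return count


def diagnose(mcp_log: str, safe_outputs: str,
             expected_tool: str = EXPECTED_TOOL) -> list[str]:
    """Return the problems found; an empty list means the run behaved as intended."""
    problems: list[str] = []
    calls = tool_calls(mcp_log.splitlines())
    if expected_tool not in calls:
        problems.append(
            f"MCP tool {expected_tool!r} was never invoked via tools/call "
            f"(calls seen: {calls or 'none'})"
        )
    try:
        if count_jsonl_records(safe_outputs) == 0:
            problems.append("safe-outputs JSONL is empty: nothing was handed to the workflow")
    except json.JSONDecodeError as exc:
        problems.append(f"safe-outputs JSONL has a malformed line: {exc.msg}")
    return problems


if __name__ == "__main__":
    for label, log, outputs in (("failed run", FAILED_RUN_LOG, ""),
                                ("healthy run", HEALTHY_RUN_LOG, HEALTHY_OUTPUTS)):
        issues = diagnose(log, outputs)
        print(f"{label}: {'OK' if not issues else '; '.join(issues)}")
```

Wiring a check like this into the workflow after the agent step turns a silent empty outputs.jsonl into a failed job, independent of how the prompt is worded.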
Copilot AI and others added 2 commits January 29, 2026 21:10
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
The agent was not calling the update_release MCP tool because the example
syntax was ambiguous. Changed from `update_release({...})` to the explicit
`safeoutputs/update_release(...)` format used in other workflows.

This should help the agent understand it needs to make a direct MCP tool
call rather than writing scripts or files manually.

Also added stronger warnings against creating workaround scripts.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Investigate why MCP safe outputs update release tool was not called Fix release workflow: clarify MCP tool call syntax to prevent agent bypass Jan 29, 2026
Copilot AI requested a review from pelikhan January 29, 2026 21:20
@pelikhan pelikhan marked this pull request as ready for review January 29, 2026 23:03
@pelikhan pelikhan merged commit 2484edd into main Jan 29, 2026
50 checks passed
@pelikhan pelikhan deleted the copilot/investigate-mcp-safe-outputs branch January 29, 2026 23:10