Skip to content

[integrity-audit] Integrity Filtering Audit — github/gh-aw (2026-04-08) #3401

Open
Open
[integrity-audit] Integrity Filtering Audit — github/gh-aw (2026-04-08)#3401
Labels
automationintegrity-audit
@github-actions

Description

@github-actions
github-actions
bot
opened on Apr 8, 2026

Integrity Filtering Audit — github/gh-aw

Audit period: Last 24 hours (2026-04-07T22:34Z – 2026-04-08T22:34Z)
Runs analyzed: 30 completed runs in github/gh-aw
Runs with artifacts: 0
Agent invocations with MCP Gateway activity: 0

Findings Summary

Severity Count Description
🔴 Critical 0 None
🟡 Warning 0 None
🟢 Info 2 No agent jobs ran; no DIFC events to analyze
Critical Findings

None.

Warnings

None.

Informational

I-1: No MCP Gateway agent invocations occurred in the audit window. Of the 30 workflow runs examined:

  • 14 were skipped — workflow trigger conditions not met (e.g., Security Review Agent, Archie, Documentation Unbloat, /cloclo, Mergefest, Resource Summarizer Agent, Plan Command, ACE Editor Session, PR Nitpick Reviewer, Scout, Q, Grumpy Code Reviewer — 12 unique runs plus 2 Mergefest duplicates)
  • 14 were action_required — runs requiring manual deployment protection approval; no jobs executed
  • 2 ran successfully but neither invoked an agent:
    • Content Moderation (run 24162181377) — ran a blocklist check via actions/github-script; user lpcox was not in the blocklist; no DIFC pipeline involved
    • AI Moderator (run 24162181349) — pre_activation job ran bot-skip check (passed), but the agent job was skipped; unlock cleanup job ran; no DIFC pipeline involved

No artifacts (mcp-logs/rpc-messages.jsonl, mcp-gateway.log, etc.) were uploaded by any run.

Runs Analyzed

Run Workflow Branch Agent Invoked DIFC Events Artifacts Status
24162181377 Content Moderation main ❌ no agent 0 None ✅ success
24162181349 AI Moderator main ❌ agent skipped 0 None ✅ success
24162181368 Security Review Agent 🔒 main None ⏭️ skipped
24162025239 PR Nitpick Reviewer 🔍 main None ⏸️ action_required
24162025186 Grumpy Code Reviewer 🔥 main None ⏸️ action_required
24162025202 AI Moderator main None ⏸️ action_required
24162021613 Doc Build - Deploy copilot/add-guidance-slash-commands None ⏸️ action_required
24161962219 PR Nitpick Reviewer 🔍 copilot/add-guidance-slash-commands None ⏸️ action_required
(21 additional skipped/action_required runs omitted for brevity) None ⏭️/⏸️

Recommendations

  1. No immediate action required — The audit period contains no MCP Gateway agent invocations, so there is nothing to remediate from an integrity filtering perspective.

  2. Future audit coverage: The action_required protection gates (14 runs) mean agents haven't been approved to run yet. Once deployment approvals are granted and agent jobs start running, ensure all agent workflows:

    • Use tools.github for GitHub API access (integrity proxy built-in since v0.67.0)
    • Upload mcp-logs as artifacts so future audits can inspect rpc-messages.jsonl and mcp-gateway.log
    • Reference shared/mcp-api-routing.md for reusable agent prompt language that restricts API access exclusively through the MCP Gateway

  3. Re-run this audit after any successful agent job completes to verify DIFC filtering is active and no guard errors or direct API bypass attempts occur.

Generated by Integrity Filtering Audit · ● 708.5K ·

  • expires on Apr 15, 2026, 10:39 PM UTC

Metadata

Metadata

Assignees

No one assigned

    Labels

    automationintegrity-audit

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions