[refactoring] Extract GitHub MCP lockdown configurations into shared components #15950

@github-actions

Description

Skill Overview

Extract common GitHub MCP lockdown + toolset configurations into reusable shared components. Currently, 13 workflows use `lockdown: true`, and 42+ workflows use `toolsets: [default]` with similar patterns. This creates security configuration duplication and makes it harder to standardize GitHub access patterns.

Current Usage

This configuration pattern appears across multiple workflow categories:

Category 1: Default Toolsets (42 workflows)

  • daily-issues-report.md - toolsets: [default, discussions]
  • daily-performance-summary.md - toolsets: [default, discussions]
  • ci-coach.md - toolsets: [default]
  • issue-classifier.md - Likely uses default
  • auto-triage-issues.md - Likely uses default
  • + 37 more workflows using toolsets: [default]

Category 2: PR/Issue Triage (4+ workflows)

  • pr-triage-agent.md - lockdown: true, toolsets: [pull_requests, repos, issues, labels]
  • issue-triage-agent.md - Similar pattern
  • copilot-pr-merged-report.md - PR-focused toolsets
  • breaking-change-checker.md - PR analysis

Category 3: Actions-focused (4+ workflows)

  • daily-cli-performance.md - toolsets: [default, actions]
  • audit-workflows.md - Actions + default
  • ci-doctor.md - Actions toolset
  • agent-performance-analyzer.md - Actions analysis

Common Configuration Patterns

Pattern 1: Default with Lockdown

```yaml
tools:
  github:
    lockdown: true
    toolsets: [default]
```

Pattern 2: Default + Discussions

```yaml
tools:
  github:
    lockdown: true
    toolsets: [default, discussions]
```

Pattern 3: PR Triage Specialized

```yaml
tools:
  github:
    lockdown: true
    toolsets: [pull_requests, repos, issues, labels]
```

Pattern 4: Actions Analysis

```yaml
tools:
  github:
    toolsets: [default, actions]
```

Proposed Shared Components

Create 3 shared components for the most common patterns:

Component 1: shared/github-lockdown-default.md (42 workflows)

```markdown
---
# GitHub MCP - Lockdown with Default Toolsets
# Provides secure GitHub access with standard toolsets

tools:
  github:
    lockdown: true
    toolsets: [default]
---

# GitHub MCP with Lockdown - Default Toolsets

Provides secure GitHub API access with lockdown mode enabled and default toolsets.

**Toolsets included**: repos, issues, pull_requests, search, users, commits

Use this for workflows that need standard GitHub operations with security lockdown.
```

Component 2: shared/github-lockdown-discussions.md (9 workflows)

```markdown
---
# GitHub MCP - Lockdown with Discussions

tools:
  github:
    lockdown: true
    toolsets: [default, discussions]
---

# GitHub MCP with Lockdown - Default + Discussions

Adds discussion management capabilities to the default GitHub toolsets.

Use for daily reports and workflows that create/manage GitHub Discussions.
```

Component 3: shared/github-pr-triage-toolsets.md (4+ workflows)

```markdown
---
# GitHub MCP - PR Triage Specialized Toolsets

tools:
  github:
    lockdown: true
    toolsets: [pull_requests, repos, issues, labels]
---

# GitHub MCP - PR Triage Toolsets

Specialized configuration for PR triage and analysis workflows.

**Focus**: PR management, issue linking, label operations, repository access
```

Usage Examples

**Before**:

```yaml
---
description: Daily issues report
tools:
  github:
    lockdown: true
    toolsets: [default, discussions]
imports:
  - shared/mood.md
---
```

**After** (saves 4-5 lines):

```yaml
---
description: Daily issues report
imports:
  - shared/github-lockdown-discussions.md
  - shared/mood.md
---
```
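Once the GitHub MCP configuration can arrive either inline or through an `imports:` entry, the question "which workflows are actually running with lockdown on?" is no longer answerable by grepping for `lockdown: true`. The script below is an added example, not code from this issue or from the gh-aw project. It parses the frontmatter of a few constructed workflow files, merges the `tools.github` block of each imported shared component into the workflow, and reports which of the three proposed shared components a workflow effectively matches, whether lockdown is on, and whether the workflow still carries an inline `tools:` block that the refactoring should have removed. The merge order (shared components first, the workflow's own `tools:` last) is an assumption about how gh-aw resolves imports, and the file names and contents are constructed to mirror the snippets above. The tiny YAML parser handles only the subset these files use (nested mappings, `[a, b]` inline lists, indented `- item` lists), so it runs with the standard library alone.

```python
"""Audit gh-aw style workflow frontmatter for GitHub MCP lockdown patterns (added
example for this issue, not gh-aw project code).  Assumed: each workflow .md starts
with a '---' frontmatter block; the frontmatter of files under `imports:` is merged in,
shared components first and the workflow's own `tools:` last; only that YAML subset is parsed."""
from __future__ import annotations

# Constructed sample files (not real repository content) mirroring the issue.
SHARED = {
    "shared/github-lockdown-default.md":
        "---\ntools:\n  github:\n    lockdown: true\n    toolsets: [default]\n---\n",
    "shared/github-lockdown-discussions.md":
        "---\ntools:\n  github:\n    lockdown: true\n    toolsets: [default, discussions]\n---\n",
    "shared/github-pr-triage-toolsets.md":
        "---\ntools:\n  github:\n    lockdown: true\n    toolsets: [pull_requests, repos, issues, labels]\n---\n",
    "shared/mood.md": "---\n---\n",
}
WORKFLOWS = {
    "daily-issues-report.md":  # refactored: GitHub config comes only from the import
        "---\ndescription: Daily issues report\nimports:\n"
        "  - shared/github-lockdown-discussions.md\n  - shared/mood.md\n---\n# body\n",
    "pr-triage-agent.md":  # not yet refactored: still carries the inline tools block
        "---\ntools:\n  github:\n    lockdown: true\n    toolsets: [pull_requests, repos, issues, labels]\n---\n",
    "daily-cli-performance.md":  # Pattern 4 in the issue: GitHub MCP without lockdown
        "---\ntools:\n  github:\n    toolsets: [default, actions]\n---\n",
    "no-github.md": "---\ndescription: no MCP here\n---\n",
}
PATTERNS = {  # the three proposed shared components as (lockdown, toolsets) signatures
    "github-lockdown-default": (True, ["default"]),
    "github-lockdown-discussions": (True, ["default", "discussions"]),
    "github-pr-triage-toolsets": (True, ["pull_requests", "repos", "issues", "labels"]),
}

def frontmatter(text: str) -> str:
    """Return the text between the leading '---' line and the next one."""
    lines = text.splitlines()
    if not lines or lines[0] != "---":
        return ""
    return "\n".join(lines[1:lines.index("---", 1)])  # ValueError if unterminated

def _scalar(raw: str):
    """Booleans and inline '[a, b]' lists; anything else stays a string."""
    raw = raw.strip()
    if raw in ("true", "false"):
        return raw == "true"
    if raw.startswith("[") and raw.endswith("]"):
        return [s.strip() for s in raw[1:-1].split(",") if s.strip()]
    return raw

def parse_yaml_subset(src: str) -> dict:
    """Nested mappings by indentation, inline lists, and indented '- item' lists."""
    lines = [ln for ln in src.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]
    root: dict = {}
    stack = [(-1, root)]  # (indent, open container); the root is never popped
    for i, line in enumerate(lines):
        indent, body = len(line) - len(line.lstrip()), line.strip()
        while indent <= stack[-1][0]:  # a dedent closes nested containers
            stack.pop()
        container = stack[-1][1]
        if body.startswith("- "):
            container.append(_scalar(body[2:]))  # AttributeError if not inside a list
            continue
        key, _, value = body.partition(":")
        if value.strip():
            container[key.strip()] = _scalar(value)
        else:  # a nested block follows; peek at the next line to pick list or mapping
            nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
            child = [] if nxt.startswith("- ") else {}
            container[key.strip()] = child
            stack.append((indent, child))
    return root

def effective_github(workflow: str, shared: dict[str, str]) -> dict | None:
    """tools.github after merging imports; None when the workflow has no GitHub MCP."""
    cfg = parse_yaml_subset(frontmatter(workflow))
    merged: dict = {}
    for path in cfg.get("imports", []):
        if path not in shared:
            raise FileNotFoundError(f"import not found: {path}")
        merged.update(parse_yaml_subset(frontmatter(shared[path])).get("tools", {}).get("github", {}))
    merged.update(cfg.get("tools", {}).get("github", {}))  # the workflow's own block wins
    return merged or None

def classify(github: dict | None) -> str:
    """Name of the matching shared component, else 'custom' or 'no-github-mcp'."""
    if github is None:
        return "no-github-mcp"
    signature = (bool(github.get("lockdown", False)), list(github.get("toolsets", [])))
    return next((name for name, sig in PATTERNS.items() if sig == signature), "custom")

def audit(workflows: dict[str, str], shared: dict[str, str]) -> dict[str, dict]:
    """Per workflow: matched pattern, effective lockdown state, leftover inline tools."""
    report = {}
    for name, text in workflows.items():
        github = effective_github(text, shared)
        report[name] = {"pattern": classify(github),
                        "lockdown": bool(github and github.get("lockdown")),
                        "inline_tools": "tools" in parse_yaml_subset(frontmatter(text))}
    return report
```

Calling `audit(WORKFLOWS, SHARED)` on the constructed files reports `daily-issues-report.md` as `github-lockdown-discussions` with lockdown on and no inline block, `pr-triage-agent.md` as matching the PR triage component but still inline (a candidate for step 6 of the plan), and `daily-cli-performance.md` as `custom` with lockdown off, which is exactly the Pattern 4 shape that has no shared component yet and is the row worth reviewing. Pointing the same functions at the real `workflows/` and `shared/` directories would turn steps 5 and 6 of the implementation plan into a repeatable check rather than a one-off grep.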

Impact

  • Workflows affected: 55+ workflows (42 default + 9 discussions + 4 PR triage)
  • Lines saved: ~10 lines per workflow × 55 = ~550 lines
  • Security benefit: Standardizes lockdown mode configuration
  • Maintenance benefit: Update GitHub access patterns in 3 files instead of 55
  • Discoverability: Makes GitHub security patterns more obvious

Implementation Plan

  1. Create shared/github-lockdown-default.md (most common, 42 workflows)
  2. Create shared/github-lockdown-discussions.md (9 workflows)
  3. Create shared/github-pr-triage-toolsets.md (4+ workflows)
  4. Test with 2 workflows per component (6 total tests)
  5. Validate GitHub API access works correctly with each component
  6. Update remaining 49 workflows to use appropriate shared component
  7. Document in AGENTS.md security section
  8. Consider creating additional components for other toolset combinations if demand grows

Related Analysis

This recommendation comes from the Workflow Skill Extractor analysis run on 2026-02-15.

Analysis findings:

  • 154 total workflows analyzed
  • 120 workflows use GitHub MCP (78%)
  • 13 workflows use lockdown mode explicitly
  • 55+ workflows use these 3 specific patterns
  • Potential to save ~550 lines of configuration
  • Improves security posture visibility across all workflows

> Generated by [Workflow Skill Extractor](https://github.com/github/gh-aw/actions/runs/22038871711)
> - [x] expires on Feb 17, 2026, 4:20 PM UTC
