Fix release workflow: clarify MCP tool call syntax to prevent agent bypass #12613

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged

pelikhan merged 4 commits into main from copilot/investigate-mcp-safe-outputs

Jan 29, 2026

.github/workflows/release.lock.yml

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

.github/workflows/release.md

            
                      Original file line number
                      Diff line number
                      Diff line change
                  
    @@ -474,30 +474,32 @@ Dependency updates and internal improvements to keep things running smoothly.
  
    **HOW TO CALL THE TOOL:**

    The `update_release` tool is an **MCP (Model Context Protocol) tool**, not a bash command or file operation. To call it:

    The `update_release` tool is an **MCP (Model Context Protocol) tool**, not a bash command or file operation.

    1. **Use the MCP tool call syntax** - The tool is registered as `update_release` (or `safeoutputs___update_release`)

    2. **DO NOT write JSON files manually** - Writing files like `/tmp/gh-aw/safeoutputs/update_release_001.json` will NOT work

    3. **DO NOT use bash to simulate tool calls** - The tool must be called through the MCP protocol

    **✅ CORRECT - Call the MCP tool directly:**

    **Example Tool Call:**

    ```javascript

    update_release({

      tag: "v0.37.26",

      operation: "prepend",

      body: "## 🌟 Release Highlights\n\n[Your complete markdown highlights here]"

    })

    ```

    safeoutputs/update_release(

      tag="v0.38.1",

      operation="prepend",

      body="## 🌟 Release Highlights\n\n[Your complete markdown highlights here]"

    )

    ```

    **❌ INCORRECT - DO NOT:**

    - Write JSON files manually (e.g., `/tmp/gh-aw/safeoutputs/update_release_001.json`)

    - Use bash to simulate tool calls

    - Create scripts that write to outputs.jsonl

    - Use any file operations - the MCP tool handles everything

    **Required Parameters:**

    - `tag` - Release tag from `${RELEASE_TAG}` environment variable (e.g., "v0.30.2")

    - `tag` - Release tag from `${RELEASE_TAG}` environment variable (e.g., "v0.38.1")

    - `operation` - Must be `"prepend"` to add before existing notes

    - `body` - Complete markdown content (include all formatting, emojis, links)

    **IMPORTANT**: This is a real tool call through MCP, NOT a bash command or file write operation. The tool will automatically write to the correct output file (`/opt/gh-aw/safeoutputs/outputs.jsonl`).

    **IMPORTANT**: The tool is accessed via the MCP gateway as `safeoutputs/update_release`. When you call this tool, the MCP server automatically writes to `/opt/gh-aw/safeoutputs/outputs.jsonl`.

    **WARNING**: If you don't call the `update_release` tool properly through MCP, the release notes will NOT be updated!

    **WARNING**: If you don't call the MCP tool properly, the release notes will NOT be updated!

    **Documentation Base URLs:**

    - User docs: `https://githubnext.github.io/gh-aw/`

pkg/cli/templates/github-agentic-workflows.md

-Original file line number
+Diff line change
@@ Expand Up / @@ -482,6 +482,17 @@ The YAML frontmatter supports these fields: @@
             target-repo: "owner/repo"           # Optional: cross-repository
         ```
         When using `safe-outputs.close-pull-request`, the main job does **not** need `pull-requests: write` permission since PR closing is handled by a separate job with appropriate permissions.
+      - `mark-pull-request-as-ready-for-review:` - Mark draft PRs as ready for review
+        ```yaml
+        safe-outputs:
+          mark-pull-request-as-ready-for-review:
+            max: 1                              # Optional: max operations (default: 1)
+            target: "*"                         # Optional: "triggering" (default), "*", or number
+            required-labels: [automated]        # Optional: only mark PRs with these labels
+            required-title-prefix: "[bot]"      # Optional: only mark PRs with this prefix
+            target-repo: "owner/repo"           # Optional: cross-repository
+        ```
+        When using `safe-outputs.mark-pull-request-as-ready-for-review`, the main job does **not** need `pull-requests: write` permission since marking as ready is handled by a separate job with appropriate permissions.
       - `add-labels:` - Safe label addition to issues or PRs
         ```yaml
         safe-outputs:
@@ Expand Down Expand Up / @@ -532,6 +543,26 @@ The YAML frontmatter supports these fields: @@
             target-repo: "owner/repo"          # Optional: cross-repository
         ```
         Links issues as sub-issues using GitHub's parent-child relationships. Agent output includes `parent_issue_number` and `sub_issue_number`. Use with `create-issue` temporary IDs or existing issue numbers.
+      - `create-project:` - Create GitHub Projects V2
+        ```yaml
+        safe-outputs:
+          create-project:
+            max: 1                          # Optional: max projects (default: 1)
+            github-token: ${{ secrets.PROJECTS_PAT }}  # Optional: token with projects:write
+            target-owner: "org-or-user"     # Optional: owner for created projects
+            title-prefix: "[ai] "           # Optional: prefix for project titles
+        ```
+        Not supported for cross-repository operations.
+      - `copy-project:` - Copy GitHub Projects V2
+        ```yaml
+        safe-outputs:
+          copy-project:
+            max: 1                          # Optional: max copies (default: 1)
+            github-token: ${{ secrets.PROJECTS_PAT }}  # Optional: token with projects:write
+            source-project: "https://github.com/orgs/myorg/projects/42"  # Optional: source project URL
+            target-owner: "org-or-user"     # Optional: owner for copied project
+        ```
+        Not supported for cross-repository operations.
       - `update-project:` - Manage GitHub Projects boards
         ```yaml
         safe-outputs:
@@ Expand All / @@ -551,6 +582,14 @@ The YAML frontmatter supports these fields: @@
         {"type": "update_project", "project": "https://github.com/orgs/myorg/projects/42", "content_type": "draft_issue", "draft_title": "Task title", "draft_body": "Task description", "fields": {"Status": "Todo"}}
         ```
+        Not supported for cross-repository operations.
+      - `create-project-status-update:` - Create GitHub project status updates
+        ```yaml
+        safe-outputs:
+          create-project-status-update:
+            max: 10                         # Optional: max status updates (default: 10)
+            github-token: ${{ secrets.PROJECTS_PAT }}  # Optional: token with projects:write
+        ```
         Not supported for cross-repository operations.
       - `push-to-pull-request-branch:` - Push changes to PR branch
         ```yaml
@@ Expand Down Expand Up / @@ -610,6 +649,13 @@ The YAML frontmatter supports these fields: @@
             max: 50                         # Optional: max findings (default: unlimited)
         ```
         Severity levels: error, warning, info, note.
+      - `autofix-code-scanning-alert:` - Add autofixes to code scanning alerts
+        ```yaml
+        safe-outputs:
+          autofix-code-scanning-alert:
+            max: 10                         # Optional: max autofixes (default: 10)
+        ```
+        Provides automated fixes for code scanning alerts.
       - `create-agent-session:` - Create GitHub Copilot agent sessions
         ```yaml
         safe-outputs:
@@ Expand Down Expand Up / @@ -663,6 +709,15 @@ The YAML frontmatter supports these fields: @@
           missing-tool:
         ```
         The missing-tool safe-output allows agents to report when they need tools or functionality not currently available. This is automatically enabled by default and helps track feature requests from agents.
+      - `missing-data:` - Report missing data required to complete tasks (auto-enabled)
+        ```yaml
+        safe-outputs:
+          missing-data:
+            create-issue: true              # Optional: create issues for missing data (default: true)
+            title-prefix: "[missing data]"  # Optional: prefix for issue titles
+            labels: [data-request]          # Optional: labels for created issues
+        ```
+        The missing-data safe-output allows agents to report when required data or information is unavailable. This is automatically enabled by default. When `create-issue` is true, missing data reports create or update GitHub issues for tracking.
       **Global Safe Output Configuration:**
       - `github-token:` - Custom GitHub token for all safe output jobs
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix release workflow: clarify MCP tool call syntax to prevent agent bypass #12613

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!

Uh oh!