Rename detect-repo-visibility to determine-automatic-lockdown with custom token requirement

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Author: Copilot

…ions/setup/js/detect_repo_visibility.cjs …etup/js/determine_automatic_lockdown.cjsactions/setup/js/detect_repo_visibility.cjs renamed to actions/setup/js/determine_automatic_lockdown.cjs actions/setup/js/detect_repo_visibility.cjs renamed to actions/setup/js/determine_automatic_lockdown.cjs

@@ -2,7 +2,10 @@
 /// <reference types="@actions/github-script" />
 
 /**
- * Detects repository visibility and sets lockdown mode for GitHub MCP server.
+ * Determines automatic lockdown mode for GitHub MCP server based on repository visibility.
+ *
+ * This function only applies when a custom GitHub MCP server token is defined
+ * (GH_AW_GITHUB_MCP_SERVER_TOKEN) and for public repositories.
  *
  * For public repositories, lockdown mode should be enabled (true) to prevent
  * the GitHub token from accessing private repositories, which could leak
@@ -16,12 +19,12 @@
  * @param {any} core - GitHub Actions core library
  * @returns {Promise<void>}
  */
-async function detectRepoVisibility(github, context, core) {
+async function determineAutomaticLockdown(github, context, core) {
   try {
-    core.info("Detecting repository visibility for GitHub MCP lockdown configuration");
+    core.info("Determining automatic lockdown mode for GitHub MCP server");
 
     const { owner, repo } = context.repo;
-    core.info(`Checking visibility for repository: ${owner}/${repo}`);
+    core.info(`Checking repository: ${owner}/${repo}`);
 
     // Fetch repository information
     const { data: repository } = await github.rest.repos.get({
@@ -39,21 +42,24 @@ async function detectRepoVisibility(github, context, core) {
     // Public repos should have lockdown enabled to prevent token from accessing private repos
     const shouldLockdown = !isPrivate;
 
-    core.info(`Setting GitHub MCP lockdown: ${shouldLockdown}`);
+    core.info(`Automatic lockdown mode determined: ${shouldLockdown}`);
     core.setOutput("lockdown", shouldLockdown.toString());
     core.setOutput("visibility", visibility);
 
     if (shouldLockdown) {
+      core.info("Automatic lockdown mode enabled for public repository");
       core.warning("GitHub MCP lockdown mode enabled for public repository. " + "This prevents the GitHub token from accessing private repositories.");
+    } else {
+      core.info("Automatic lockdown mode disabled for private/internal repository");
     }
   } catch (error) {
     const errorMessage = error instanceof Error ? error.message : String(error);
-    core.error(`Failed to detect repository visibility: ${errorMessage}`);
+    core.error(`Failed to determine automatic lockdown mode: ${errorMessage}`);
     // Default to lockdown mode for safety
     core.setOutput("lockdown", "true");
     core.setOutput("visibility", "unknown");
-    core.warning("Failed to detect repository visibility. Defaulting to lockdown mode for security.");
+    core.warning("Failed to determine repository visibility. Defaulting to lockdown mode for security.");
   }
 }
 
-module.exports = detectRepoVisibility;
+module.exports = determineAutomaticLockdown;

…setup/js/detect_repo_visibility.test.cjs …js/determine_automatic_lockdown.test.cjsactions/setup/js/detect_repo_visibility.test.cjs renamed to actions/setup/js/determine_automatic_lockdown.test.cjs actions/setup/js/detect_repo_visibility.test.cjs renamed to actions/setup/js/determine_automatic_lockdown.test.cjs

@@ -1,10 +1,10 @@
 import { describe, it, expect, beforeEach, vi } from "vitest";
 
-describe("detect_repo_visibility", () => {
+describe("determine_automatic_lockdown", () => {
   let mockContext;
   let mockGithub;
   let mockCore;
-  let detectRepoVisibility;
+  let determineAutomaticLockdown;
 
   beforeEach(async () => {
     vi.resetModules();
@@ -35,7 +35,7 @@ describe("detect_repo_visibility", () => {
     };
 
     // Import the module
-    detectRepoVisibility = (await import("./detect_repo_visibility.cjs")).default;
+    determineAutomaticLockdown = (await import("./determine_automatic_lockdown.cjs")).default;
   });
 
   it("should set lockdown to true for public repository", async () => {
@@ -46,7 +46,7 @@ describe("detect_repo_visibility", () => {
       },
     });
 
-    await detectRepoVisibility(mockGithub, mockContext, mockCore);
+    await determineAutomaticLockdown(mockGithub, mockContext, mockCore);
 
     expect(mockGithub.rest.repos.get).toHaveBeenCalledWith({
       owner: "test-owner",
@@ -65,7 +65,7 @@ describe("detect_repo_visibility", () => {
       },
     });
 
-    await detectRepoVisibility(mockGithub, mockContext, mockCore);
+    await determineAutomaticLockdown(mockGithub, mockContext, mockCore);
 
     expect(mockGithub.rest.repos.get).toHaveBeenCalledWith({
       owner: "test-owner",
@@ -84,7 +84,7 @@ describe("detect_repo_visibility", () => {
       },
     });
 
-    await detectRepoVisibility(mockGithub, mockContext, mockCore);
+    await determineAutomaticLockdown(mockGithub, mockContext, mockCore);
 
     expect(mockCore.setOutput).toHaveBeenCalledWith("lockdown", "false");
     expect(mockCore.setOutput).toHaveBeenCalledWith("visibility", "internal");
@@ -94,12 +94,12 @@ describe("detect_repo_visibility", () => {
     const error = new Error("API request failed");
     mockGithub.rest.repos.get.mockRejectedValue(error);
 
-    await detectRepoVisibility(mockGithub, mockContext, mockCore);
+    await determineAutomaticLockdown(mockGithub, mockContext, mockCore);
 
-    expect(mockCore.error).toHaveBeenCalledWith("Failed to detect repository visibility: API request failed");
+    expect(mockCore.error).toHaveBeenCalledWith("Failed to determine automatic lockdown mode: API request failed");
     expect(mockCore.setOutput).toHaveBeenCalledWith("lockdown", "true");
     expect(mockCore.setOutput).toHaveBeenCalledWith("visibility", "unknown");
-    expect(mockCore.warning).toHaveBeenCalledWith(expect.stringContaining("Failed to detect repository visibility"));
+    expect(mockCore.warning).toHaveBeenCalledWith(expect.stringContaining("Failed to determine repository visibility"));
   });
 
   it("should infer visibility from private field when visibility field is missing", async () => {
@@ -110,7 +110,7 @@ describe("detect_repo_visibility", () => {
       },
     });
 
-    await detectRepoVisibility(mockGithub, mockContext, mockCore);
+    await determineAutomaticLockdown(mockGithub, mockContext, mockCore);
 
     expect(mockCore.setOutput).toHaveBeenCalledWith("lockdown", "true");
     expect(mockCore.setOutput).toHaveBeenCalledWith("visibility", "public");
@@ -124,12 +124,13 @@ describe("detect_repo_visibility", () => {
       },
     });
 
-    await detectRepoVisibility(mockGithub, mockContext, mockCore);
+    await determineAutomaticLockdown(mockGithub, mockContext, mockCore);
 
-    expect(mockCore.info).toHaveBeenCalledWith("Detecting repository visibility for GitHub MCP lockdown configuration");
-    expect(mockCore.info).toHaveBeenCalledWith("Checking visibility for repository: test-owner/test-repo");
+    expect(mockCore.info).toHaveBeenCalledWith("Determining automatic lockdown mode for GitHub MCP server");
+    expect(mockCore.info).toHaveBeenCalledWith("Checking repository: test-owner/test-repo");
     expect(mockCore.info).toHaveBeenCalledWith("Repository visibility: public");
     expect(mockCore.info).toHaveBeenCalledWith("Repository is private: false");
-    expect(mockCore.info).toHaveBeenCalledWith("Setting GitHub MCP lockdown: true");
+    expect(mockCore.info).toHaveBeenCalledWith("Automatic lockdown mode determined: true");
+    expect(mockCore.info).toHaveBeenCalledWith("Automatic lockdown mode enabled for public repository");
   });
 });

pkg/workflow/github_lockdown_autodetect_test.go

@@ -16,33 +16,54 @@ func TestGitHubLockdownAutodetection(t *testing.T) {
 		description        string
 	}{
 		{
-			name: "Auto-detection enabled when lockdown not specified",
+			name: "Auto-determination enabled when lockdown not specified and custom token defined",
 			workflow: `---
 on: issues
 engine: copilot
 tools:
   github:
     mode: local
+    github-token: ${{ secrets.CUSTOM_TOKEN }}
     toolsets: [default]
 ---
 
 # Test Workflow
 
-Test automatic lockdown detection.
+Test automatic lockdown determination with custom token.
 `,
 			expectedDetectStep: true,
 			expectedLockdown:   "auto",
-			description:        "When lockdown is not specified, detection step should be added and lockdown should use step output",
+			description:        "When lockdown is not specified and custom token is defined, determination step should be added",
 		},
 		{
-			name: "No auto-detection when lockdown explicitly set to true",
+			name: "No auto-determination when no custom token",
+			workflow: `---
+on: issues
+engine: copilot
+tools:
+  github:
+    mode: local
+    toolsets: [default]
+---
+
+# Test Workflow
+
+Test without custom token - should not add determination step.
+`,
+			expectedDetectStep: false,
+			expectedLockdown:   "false",
+			description:        "When no custom token is defined, no determination step should be added",
+		},
+		{
+			name: "No auto-determination when lockdown explicitly set to true",
 			workflow: `---
 on: issues
 engine: copilot
 tools:
   github:
     mode: local
     lockdown: true
+    github-token: ${{ secrets.CUSTOM_TOKEN }}
     toolsets: [default]
 ---
 
@@ -52,17 +73,18 @@ Test with explicit lockdown enabled.
 `,
 			expectedDetectStep: false,
 			expectedLockdown:   "true",
-			description:        "When lockdown is explicitly true, no detection step and lockdown should be hardcoded",
+			description:        "When lockdown is explicitly true, no determination step and lockdown should be hardcoded",
 		},
 		{
-			name: "No auto-detection when lockdown explicitly set to false",
+			name: "No auto-determination when lockdown explicitly set to false",
 			workflow: `---
 on: issues
 engine: copilot
 tools:
   github:
     mode: local
     lockdown: false
+    github-token: ${{ secrets.CUSTOM_TOKEN }}
     toolsets: [default]
 ---
 
@@ -72,26 +94,27 @@ Test with explicit lockdown disabled.
 `,
 			expectedDetectStep: false,
 			expectedLockdown:   "false",
-			description:        "When lockdown is explicitly false, no detection step and no lockdown setting",
+			description:        "When lockdown is explicitly false, no determination step and no lockdown setting",
 		},
 		{
-			name: "Auto-detection with remote mode",
+			name: "Auto-determination with remote mode and custom token",
 			workflow: `---
 on: issues
 engine: copilot
 tools:
   github:
     mode: remote
+    github-token: ${{ secrets.CUSTOM_TOKEN }}
     toolsets: [default]
 ---
 
 # Test Workflow
 
-Test auto-detection with remote GitHub MCP.
+Test auto-determination with remote GitHub MCP and custom token.
 `,
 			expectedDetectStep: true,
 			expectedLockdown:   "auto",
-			description:        "Auto-detection should work with remote mode too",
+			description:        "Auto-determination should work with remote mode when custom token is defined",
 		},
 	}
 
@@ -125,9 +148,9 @@ Test auto-detection with remote GitHub MCP.
 			yaml := string(lockContent)
 
 			// Check if detection step is present
-			detectStepPresent := strings.Contains(yaml, "Detect repository visibility for GitHub MCP lockdown") &&
-				strings.Contains(yaml, "detect-repo-visibility") &&
-				strings.Contains(yaml, "detect_repo_visibility.cjs")
+			detectStepPresent := strings.Contains(yaml, "Determine automatic lockdown mode for GitHub MCP server") &&
+				strings.Contains(yaml, "determine-automatic-lockdown") &&
+				strings.Contains(yaml, "determine_automatic_lockdown.cjs")
 
 			if detectStepPresent != tt.expectedDetectStep {
 				t.Errorf("%s: Detection step presence = %v, want %v", tt.description, detectStepPresent, tt.expectedDetectStep)
@@ -137,7 +160,7 @@ Test auto-detection with remote GitHub MCP.
 			switch tt.expectedLockdown {
 			case "auto":
 				// Should use step output expression
-				if !strings.Contains(yaml, "steps.detect-repo-visibility.outputs.lockdown") {
+				if !strings.Contains(yaml, "steps.determine-automatic-lockdown.outputs.lockdown") {
 					t.Errorf("%s: Expected lockdown to use step output expression", tt.description)
 				}
 			case "true":
@@ -164,12 +187,13 @@ engine: claude
 tools:
   github:
     mode: local
+    github-token: ${{ secrets.CUSTOM_TOKEN }}
     toolsets: [default]
 ---
 
 # Test Workflow
 
-Test automatic lockdown detection with Claude.
+Test automatic lockdown determination with Claude and custom token.
 `
 
 	// Create temporary directory for test
@@ -200,15 +224,15 @@ Test automatic lockdown detection with Claude.
 	yaml := string(lockContent)
 
 	// Check if detection step is present
-	detectStepPresent := strings.Contains(yaml, "Detect repository visibility for GitHub MCP lockdown") &&
-		strings.Contains(yaml, "detect-repo-visibility")
+	detectStepPresent := strings.Contains(yaml, "Determine automatic lockdown mode for GitHub MCP server") &&
+		strings.Contains(yaml, "determine-automatic-lockdown")
 
 	if !detectStepPresent {
-		t.Error("Detection step should be present for Claude engine")
+		t.Error("Determination step should be present for Claude engine with custom token")
 	}
 
 	// Check if lockdown uses step output expression
-	if !strings.Contains(yaml, "steps.detect-repo-visibility.outputs.lockdown") {
+	if !strings.Contains(yaml, "steps.determine-automatic-lockdown.outputs.lockdown") {
 		t.Error("Expected lockdown to use step output expression for Claude engine")
 	}
 }

pkg/workflow/mcp_renderer.go

@@ -45,16 +45,24 @@ func (r *MCPConfigRendererUnified) RenderGitHubMCP(yaml *strings.Builder, github
 
 	// Get lockdown value - use detected value if lockdown wasn't explicitly set
 	lockdown := getGitHubLockdown(githubTool)
-	if !hasGitHubLockdownExplicitlySet(githubTool) {
+	
+	// Check if automatic lockdown determination step will be generated
+	// This requires: lockdown not explicitly set AND custom token configured
+	customGitHubToken := getGitHubToken(githubTool)
+	toplevelToken := workflowData.GitHubToken
+	hasCustomToken := customGitHubToken != "" || toplevelToken != ""
+	shouldUseStepOutput := !hasGitHubLockdownExplicitlySet(githubTool) && hasCustomToken
+	
+	if shouldUseStepOutput {
 		// Use the detected lockdown value from the step output
 		// This will be evaluated at runtime based on repository visibility
 		lockdown = true // This is a placeholder - actual value comes from step output
 	}
 
 	toolsets := getGitHubToolsets(githubTool)
 
-	mcpRendererLog.Printf("Rendering GitHub MCP: type=%s, read_only=%t, lockdown=%t (explicit=%t), toolsets=%v, format=%s",
-		githubType, readOnly, lockdown, hasGitHubLockdownExplicitlySet(githubTool), toolsets, r.options.Format)
+	mcpRendererLog.Printf("Rendering GitHub MCP: type=%s, read_only=%t, lockdown=%t (explicit=%t, custom_token=%t, use_step=%t), toolsets=%v, format=%s",
+		githubType, readOnly, lockdown, hasGitHubLockdownExplicitlySet(githubTool), hasCustomToken, shouldUseStepOutput, toolsets, r.options.Format)
 
 	if r.options.Format == "toml" {
 		r.renderGitHubTOML(yaml, githubTool, workflowData)
@@ -76,7 +84,7 @@ func (r *MCPConfigRendererUnified) RenderGitHubMCP(yaml *strings.Builder, github
 		RenderGitHubMCPRemoteConfig(yaml, GitHubMCPRemoteOptions{
 			ReadOnly:           readOnly,
 			Lockdown:           lockdown,
-			LockdownFromStep:   !hasGitHubLockdownExplicitlySet(githubTool),
+			LockdownFromStep:   shouldUseStepOutput,
 			Toolsets:           toolsets,
 			AuthorizationValue: authValue,
 			IncludeToolsField:  r.options.IncludeCopilotFields,
@@ -91,7 +99,7 @@ func (r *MCPConfigRendererUnified) RenderGitHubMCP(yaml *strings.Builder, github
 		RenderGitHubMCPDockerConfig(yaml, GitHubMCPDockerOptions{
 			ReadOnly:           readOnly,
 			Lockdown:           lockdown,
-			LockdownFromStep:   !hasGitHubLockdownExplicitlySet(githubTool),
+			LockdownFromStep:   shouldUseStepOutput,
 			Toolsets:           toolsets,
 			DockerImageVersion: githubDockerImageVersion,
 			CustomArgs:         customArgs,
@@ -481,9 +489,9 @@ func RenderGitHubMCPDockerConfig(yaml *strings.Builder, options GitHubMCPDockerO
 	}
 
 	if options.LockdownFromStep {
-		// Use lockdown value from step output (detected based on repository visibility)
+		// Use lockdown value from step output (determined based on repository visibility)
 		yaml.WriteString("                  \"-e\",\n")
-		yaml.WriteString("                  \"GITHUB_LOCKDOWN_MODE=${{ steps.detect-repo-visibility.outputs.lockdown == 'true' && '1' || '0' }}\",\n")
+		yaml.WriteString("                  \"GITHUB_LOCKDOWN_MODE=${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}\",\n")
 	} else if options.Lockdown {
 		// Use explicit lockdown value from configuration
 		yaml.WriteString("                  \"-e\",\n")
@@ -579,8 +587,8 @@ func RenderGitHubMCPRemoteConfig(yaml *strings.Builder, options GitHubMCPRemoteO
 
 	// Add X-MCP-Lockdown header if lockdown mode is enabled
 	if options.LockdownFromStep {
-		// Use lockdown value from step output (detected based on repository visibility)
-		headers["X-MCP-Lockdown"] = "${{ steps.detect-repo-visibility.outputs.lockdown }}"
+		// Use lockdown value from step output (determined based on repository visibility)
+		headers["X-MCP-Lockdown"] = "${{ steps.determine-automatic-lockdown.outputs.lockdown }}"
 	} else if options.Lockdown {
 		// Use explicit lockdown value from configuration
 		headers["X-MCP-Lockdown"] = "true"