You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In the last 7 days, 144 DIFC integrity-filtered events were detected across 27 workflow runs spanning 12 distinct workflow types. The most frequently filtered tool was list_issues (83 events, 58%), followed by search_issues (31 events) and pull_request_read (27 events). The dominant filter reason in all cases was integrity — resources with integrity_tags: ["none:all"] (unapproved content authored by external contributors) being blocked from reaching agents that require a minimum integrity level of "approved".
The activity is sharply concentrated on 2026-04-14 (113 of 144 events, 78%), driven by a surge of issue-listing workflows (Dev, Workflow Health Manager, Issue Triage Agent, Sub-Issue Closer) running against a large backlog of externally-opened issues. This is expected behaviour: these workflows are correctly refusing to process untrusted issues until they are approved by a maintainer. Scheduling workflows (Dev, Workflow Health Manager) account for the bulk of filtering, with Dev (28) and The Daily Repository Chronicle (26) as the two top sources.
The week was bimodal: a cluster of 28 events on Apr 10 (triggered by Test Quality Sentinel and Design Decision Gate processing PR #25658 and the Daily Repository Chronicle scanning issues), then a quiet Apr 11–12, followed by a sharp peak of 113 events on Apr 14. The Apr 14 spike is correlated with the Dev and Workflow Health Manager scheduled runs processing a large batch of external issues, plus a heavy wave of Design Decision Gate PR-review runs. No anomalous upward trend is present — the pattern reflects weekend quiescence followed by weekday automation activity.
🔧 Top Filtered Tools
list_issues and search_issues dominate (83 + 31 = 114 events, 79%) — these are bulk retrieval tools used by schedule-based triage and reporting workflows. When a results page includes issues authored by external (NONE association) contributors, every such issue triggers a filter event. pull_request_read accounts for 27 events, all from the Design Decision Gate and smoke-test workflows inspecting copilot-authored PRs where the PR description carries none:all integrity.
🏷️ Filter Reasons and Tags
All 144 events share the same root cause: the agent's minimum integrity requirement (approved) is higher than the resource's integrity label (none:all). Two additional events also carry the unapproved:all tag (indicating the resource was explicitly flagged). There are no secrecy-related filter events, meaning no workflow is attempting to pass secrets or private data to tools that shouldn't receive them. The filtering is entirely driven by the integrity dimension.
📋 Per-Workflow Breakdown
Workflow
Filtered Events
Dev
28
The Daily Repository Chronicle
26
Workflow Health Manager - Meta-Orchestrator
25
Design Decision Gate 🏗️
18
Issue Triage Agent
16
Sub-Issue Closer
16
Daily Team Evolution Insights
4
Daily Copilot PR Merged Report
3
Smoke Copilot
3
Step Name Alignment
2
Smoke Claude
2
Test Quality Sentinel
1
📋 Per-Server Breakdown
MCP Server
Filtered Events
github
144
👤 Per-User Breakdown
Author Login
Filtered Events
yskopets
11
bbonafed
8
JanKrivanek
7
arthurfvives
6
jsquire
6
jtracey93
5
Ray961123
5
pgaskin
5
kthompson
5
tadelesh
4
Yoyokrazy
4
shea-parkes
3
doughgle
3
pelikhan
3
abillingsley
3
sfc-gh-kgaputis
3
johnwilliams-12
2
Copilot
1
🔍 Per-User Analysis
The top contributors to filtered events are all human external contributors (NONE/outside-collaborator association): yskopets (11), bbonafed (8), JanKrivanek (7), arthurfvives (6), jsquire (6). These are GitHub users who opened issues or PRs that were then encountered by scheduled triage/analysis workflows before a maintainer approved them. This is entirely expected: the integrity system correctly prevents agents from acting on unapproved external input.
No single automated bot account (e.g. github-actions[bot], Copilot) is responsible for a disproportionate share. Copilot itself appears with only 1 filtered event, confirming that Copilot-authored PRs are typically approved quickly. The distribution is broad and reflects the repository's normal external contribution velocity.
💡 Tuning Recommendations
list_issues / search_issues bulk filtering is expected — consider pagination hygiene. When triage workflows page through issues and encounter many unapproved ones, each generates a filter event. Consider pre-filtering with state=open&label=approved or using GitHub search qualifiers to narrow queries before passing results to the agent, reducing noise from unapproved issues.
Review Dev and Workflow Health Manager scheduling. These two workflows contributed 53 events (37%) on a single day. If they run daily and scan the full open-issue backlog, filter volume will grow with repository issue count. Adding a date window (e.g. created:>2026-04-07) or label filter can cap the per-run volume.
pull_request_read on copilot/bot PRs. The Design Decision Gate filters on copilot-authored PRs because they haven't yet received an approval label at the time of the run. Consider triggering that workflow only after a maintainer applies an implementation label (already partially implemented), which would ensure the PR has passed integrity review before the agent sees it.
unapproved:all tag monitoring. Five events carried the unapproved:all tag in addition to none:all. Monitor whether this count grows — it may indicate issues that were explicitly flagged as untrusted rather than simply lacking approval.
No secrecy violations — stable. Zero secrecy-filter events confirm that no workflow is passing secrets or high-secrecy outputs to tools that shouldn't receive them. No action needed on the secrecy dimension.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
-
Executive Summary
In the last 7 days, 144 DIFC integrity-filtered events were detected across 27 workflow runs spanning 12 distinct workflow types. The most frequently filtered tool was
list_issues(83 events, 58%), followed bysearch_issues(31 events) andpull_request_read(27 events). The dominant filter reason in all cases was integrity — resources withintegrity_tags: ["none:all"](unapproved content authored by external contributors) being blocked from reaching agents that require a minimum integrity level of "approved".The activity is sharply concentrated on 2026-04-14 (113 of 144 events, 78%), driven by a surge of issue-listing workflows (
Dev,Workflow Health Manager,Issue Triage Agent,Sub-Issue Closer) running against a large backlog of externally-opened issues. This is expected behaviour: these workflows are correctly refusing to process untrusted issues until they are approved by a maintainer. Scheduling workflows (Dev,Workflow Health Manager) account for the bulk of filtering, withDev(28) andThe Daily Repository Chronicle(26) as the two top sources.Key Metrics
list_issues,search_issues,pull_request_read,issue_read)none:all(144 events)📈 Events Over Time
The week was bimodal: a cluster of 28 events on Apr 10 (triggered by
Test Quality SentinelandDesign Decision Gateprocessing PR #25658 and theDaily Repository Chroniclescanning issues), then a quiet Apr 11–12, followed by a sharp peak of 113 events on Apr 14. The Apr 14 spike is correlated with theDevandWorkflow Health Managerscheduled runs processing a large batch of external issues, plus a heavy wave ofDesign Decision GatePR-review runs. No anomalous upward trend is present — the pattern reflects weekend quiescence followed by weekday automation activity.🔧 Top Filtered Tools
list_issuesandsearch_issuesdominate (83 + 31 = 114 events, 79%) — these are bulk retrieval tools used by schedule-based triage and reporting workflows. When a results page includes issues authored by external (NONE association) contributors, every such issue triggers a filter event.pull_request_readaccounts for 27 events, all from theDesign Decision Gateand smoke-test workflows inspecting copilot-authored PRs where the PR description carriesnone:allintegrity.🏷️ Filter Reasons and Tags
All 144 events share the same root cause: the agent's minimum integrity requirement (
approved) is higher than the resource's integrity label (none:all). Two additional events also carry theunapproved:alltag (indicating the resource was explicitly flagged). There are no secrecy-related filter events, meaning no workflow is attempting to pass secrets or private data to tools that shouldn't receive them. The filtering is entirely driven by the integrity dimension.📋 Per-Workflow Breakdown
📋 Per-Server Breakdown
👤 Per-User Breakdown
🔍 Per-User Analysis
The top contributors to filtered events are all human external contributors (NONE/outside-collaborator association):
yskopets(11),bbonafed(8),JanKrivanek(7),arthurfvives(6),jsquire(6). These are GitHub users who opened issues or PRs that were then encountered by scheduled triage/analysis workflows before a maintainer approved them. This is entirely expected: the integrity system correctly prevents agents from acting on unapproved external input.No single automated bot account (e.g.
github-actions[bot], Copilot) is responsible for a disproportionate share.Copilotitself appears with only 1 filtered event, confirming that Copilot-authored PRs are typically approved quickly. The distribution is broad and reflects the repository's normal external contribution velocity.💡 Tuning Recommendations
list_issues/search_issuesbulk filtering is expected — consider pagination hygiene. When triage workflows page through issues and encounter many unapproved ones, each generates a filter event. Consider pre-filtering withstate=open&label=approvedor using GitHub search qualifiers to narrow queries before passing results to the agent, reducing noise from unapproved issues.Review
DevandWorkflow Health Managerscheduling. These two workflows contributed 53 events (37%) on a single day. If they run daily and scan the full open-issue backlog, filter volume will grow with repository issue count. Adding a date window (e.g.created:>2026-04-07) or label filter can cap the per-run volume.pull_request_readon copilot/bot PRs. TheDesign Decision Gatefilters on copilot-authored PRs because they haven't yet received an approval label at the time of the run. Consider triggering that workflow only after a maintainer applies animplementationlabel (already partially implemented), which would ensure the PR has passed integrity review before the agent sees it.unapproved:alltag monitoring. Five events carried theunapproved:alltag in addition tonone:all. Monitor whether this count grows — it may indicate issues that were explicitly flagged as untrusted rather than simply lacking approval.No secrecy violations — stable. Zero secrecy-filter events confirm that no workflow is passing secrets or high-secrecy outputs to tools that shouldn't receive them. No action needed on the secrecy dimension.
Generated by the Daily Integrity Analysis workflow
Analysis window: Last 7 days | Repository: github/gh-aw
Run: https://github.com/github/gh-aw/actions/runs/24420723142
Beta Was this translation helpful? Give feedback.
All reactions