githubnext · pelikhan · Dec 30, 2025 · Dec 30, 2025 · Dec 30, 2025 · Dec 30, 2025
diff --git a/.github/aw/schemas/agentic-workflow.json b/.github/aw/schemas/agentic-workflow.json
@@ -3441,8 +3441,8 @@
                     },
                     {
                       "type": "string",
-                      "pattern": "^[0-9]+[dDwWmMyY]$",
-                      "description": "Relative time (e.g., '7d', '2w', '1m', '1y')"
+                      "pattern": "^[0-9]+[hHdDwWmMyY]$",
+                      "description": "Relative time (e.g., '2h', '7d', '2w', '1m', '1y')"
                     }
                   ],
                   "description": "Time until the issue expires and should be automatically closed. Supports integer (days) or relative time format. When set, a maintenance workflow will be generated."
@@ -3599,11 +3599,11 @@
                     },
                     {
                       "type": "string",
-                      "pattern": "^[0-9]+[dDwWmMyY]$",
-                      "description": "Relative time (e.g., '7d', '2w', '1m', '1y')"
+                      "pattern": "^[0-9]+[hHdDwWmMyY]$",
+                      "description": "Relative time (e.g., '2h', '7d', '2w', '1m', '1y')"
                     }
                   ],
-                  "description": "Time until the discussion expires and should be automatically closed. Supports integer (days) or relative time format like '7d' (7 days), '2w' (2 weeks), '1m' (1 month), '1y' (1 year). When set, a maintenance workflow will be generated."
+                  "description": "Time until the discussion expires and should be automatically closed. Supports integer (days) or relative time format like '2h' (2 hours), '7d' (7 days), '2w' (2 weeks), '1m' (1 month), '1y' (1 year). When set, a maintenance workflow will be generated."
                 }
               },
               "additionalProperties": false,
@@ -3969,8 +3969,8 @@
                     },
                     {
                       "type": "string",
-                      "pattern": "^[0-9]+[dDwWmMyY]$",
-                      "description": "Relative time (e.g., '7d', '2w', '1m', '1y')"
+                      "pattern": "^[0-9]+[hHdDwWmMyY]$",
+                      "description": "Relative time (e.g., '2h', '7d', '2w', '1m', '1y')"
                     }
                   ],
                   "description": "Time until the pull request expires and should be automatically closed (only for same-repo PRs without target-repo). Supports integer (days) or relative time format."

diff --git a/.github/workflows/agentics-maintenance.yml b/.github/workflows/agentics-maintenance.yml
@@ -27,12 +27,13 @@
 # 
 # The workflow is generated when any workflow uses the 'expires' field
 # in create-discussions or create-issues safe-outputs configuration.
+# Schedule frequency is automatically determined by the shortest expiration time.
 #
 name: Agentics Maintenance
 
 on:
   schedule:
-    - cron: "0 0 * * *"  # Daily at midnight UTC
+    - cron: "37 */2 * * *"  # Every 2 hours (based on minimum expires: 1 days)
   workflow_dispatch:
 
 permissions: {}

diff --git a/.github/workflows/smoke-claude.md b/.github/workflows/smoke-claude.md
@@ -39,7 +39,7 @@ safe-outputs:
     add-comment:
       hide-older-comments: true
     create-issue:
-      expires: 1d
+      expires: 2h
     add-labels:
       allowed: [smoke-claude]
     messages:

diff --git a/.github/workflows/smoke-codex-firewall.md b/.github/workflows/smoke-codex-firewall.md
@@ -22,7 +22,7 @@ safe-outputs:
     add-comment:
       hide-older-comments: true
     create-issue:
-      expires: 1d
+      expires: 2h
     add-labels:
       allowed: [smoke-codex-firewall]
     hide-comment:

diff --git a/.github/workflows/smoke-codex.md b/.github/workflows/smoke-codex.md
@@ -33,7 +33,7 @@ safe-outputs:
     add-comment:
       hide-older-comments: true
     create-issue:
-      expires: 1d
+      expires: 2h
     add-labels:
       allowed: [smoke-codex]
     hide-comment:

diff --git a/.github/workflows/smoke-copilot-playwright.md b/.github/workflows/smoke-copilot-playwright.md
@@ -47,7 +47,7 @@ safe-outputs:
     add-comment:
       hide-older-comments: true
     create-issue:
-      expires: 1d
+      expires: 2h
     add-labels:
       allowed: [smoke-copilot]
     messages:

diff --git a/.github/workflows/smoke-copilot.md b/.github/workflows/smoke-copilot.md
@@ -30,7 +30,7 @@ safe-outputs:
     add-comment:
       hide-older-comments: true
     create-issue:
-      expires: 1d
+      expires: 2h
     add-labels:
       allowed: [smoke-copilot]
     messages:

diff --git a/.github/workflows/smoke-detector.md b/.github/workflows/smoke-detector.md
@@ -39,7 +39,7 @@ safe-outputs:
     target: "*"
     hide-older-comments: true
   create-issue:
-    expires: 1d
+    expires: 2h
     title-prefix: "[smoke-detector] "
     labels: [smoke-test, investigation]
   messages:

diff --git a/actions/setup/js/add_comment.cjs b/actions/setup/js/add_comment.cjs
@@ -559,7 +559,6 @@ async function main(config = {}) {
     // Add metadata for tracking (includes comment ID, item number, and repo info)
     // This is used by the handler manager to track comments with unresolved temp IDs
     try {
-      // @ts-ignore - Add tracking metadata to comment object (works with both REST and GraphQL responses)
       comment._tracking = {
         commentId: comment.id,
         itemNumber: itemNumber,

diff --git a/actions/setup/js/add_labels.cjs b/actions/setup/js/add_labels.cjs
@@ -5,7 +5,7 @@ const { processSafeOutput } = require("./safe_output_processor.cjs");
 const { validateLabels } = require("./safe_output_validator.cjs");
 const { getErrorMessage } = require("./error_helpers.cjs");
 
-async function main(handlerConfig = {}) {
+async function main(config = {}) {
   // Use shared processor for common steps
   const result = await processSafeOutput(
     {
@@ -17,9 +17,9 @@ async function main(handlerConfig = {}) {
       supportsIssue: true,
       envVars: {
         // Config values now passed via config object, not env vars
-        allowed: undefined,
-        maxCount: undefined,
-        target: undefined,
+        allowed: null,
+        maxCount: null,
+        target: null,
       },
     },
     {
@@ -38,7 +38,7 @@ async function main(handlerConfig = {}) {
         return content;
       },
     },
-    handlerConfig // Pass handler config as third parameter
+    config // Pass handler config as third parameter
   );
 
   if (!result.success) {

diff --git a/actions/setup/js/safe_output_handler_manager.cjs b/actions/setup/js/safe_output_handler_manager.cjs
@@ -99,7 +99,7 @@ async function loadHandlers(config) {
  *
  * @param {Map<string, Function>} messageHandlers - Map of message handler functions
  * @param {Array<Object>} messages - Array of safe output messages
- * @returns {Promise<{success: boolean, results: Array<any>, temporaryIdMap: Object, outputsWithUnresolvedIds: Array<any>}>}
+ * @returns {Promise<{success: boolean, results: Array<any>, temporaryIdMap: Map, pendingUpdates: Array<any>}>}
  */
 async function processMessages(messageHandlers, messages) {
   const results = [];
@@ -387,7 +387,6 @@ async function processSyntheticUpdates(github, context, trackedOutputs, temporar
       const contentToCheck = getContentToCheck(tracked.type, tracked.message);
 
       // Check if the content still has unresolved IDs (some may now be resolved)
-      // @ts-ignore - hasUnresolvedTemporaryIds handles null values
       const stillHasUnresolved = hasUnresolvedTemporaryIds(contentToCheck, temporaryIdMap);
       const resolvedCount = temporaryIdMap.size - tracked.originalTempIdMapSize;
 
@@ -398,7 +397,6 @@ async function processSyntheticUpdates(github, context, trackedOutputs, temporar
 
         try {
           // Replace temporary ID references with resolved values
-          // @ts-ignore - replaceTemporaryIdReferences handles null values
           const updatedContent = replaceTemporaryIdReferences(contentToCheck, temporaryIdMap, tracked.result.repo);
 
           // Update based on the original type

diff --git a/actions/setup/js/update_runner.cjs b/actions/setup/js/update_runner.cjs
@@ -30,9 +30,8 @@ const { getErrorMessage } = require("./error_helpers.cjs");
  * @property {boolean} supportsStatus - Whether this type supports status updates
  * @property {boolean} supportsOperation - Whether this type supports operation (append/prepend/replace)
  * @property {(item: any, index: number) => string} renderStagedItem - Function to render item for staged preview
- * @property {(github: any, context: any, targetNumber: number, updateData: any, handlerConfig?: any) => Promise<any>} executeUpdate - Function to execute the update API call
+ * @property {(github: any, context: any, targetNumber: number, updateData: any) => Promise<any>} executeUpdate - Function to execute the update API call
  * @property {(result: any) => string} getSummaryLine - Function to generate summary line for an updated item
- * @property {any} [handlerConfig] - Optional handler configuration object passed from handler manager
  */
 
 /**

diff --git a/docs/src/content/docs/guides/security.md b/docs/src/content/docs/guides/security.md
@@ -248,6 +248,52 @@ mcp-servers:
 
 The compiler generates per-tool Squid proxies; MCP egress is forced through iptables. Only listed domains are reachable. Applies to `mcp.container` stdio servers only.
 
+#### Automatic GitHub Lockdown on Public Repositories
+
+When using the GitHub MCP tool in public repositories, lockdown mode is **automatically enabled by default** to prevent accidental data leakage. This security feature restricts the GitHub token from accessing private repositories, ensuring that workflows running in public repositories cannot inadvertently expose sensitive information.
+
+**How Automatic Detection Works:**
+
+The system automatically detects repository visibility at workflow runtime:
+
+- **Public repositories**: Lockdown mode is automatically enabled. The GitHub MCP server limits surfaced content to items authored by users with push access to the repository.
+- **Private/internal repositories**: Lockdown mode is automatically disabled since there's no risk of exposing private repository access.
+- **Detection failure**: If repository visibility cannot be determined, the system defaults to lockdown mode for maximum security.
+
+**No Configuration Required:**
+
+```yaml wrap
+tools:
+  github:
+    # Lockdown is automatically enabled for public repos
+    # No explicit configuration needed
+```
+
+**Manual Override (Optional):**
+
+You can explicitly set lockdown mode if needed:
+
+```yaml wrap
+tools:
+  github:
+    lockdown: true   # Force enable lockdown
+    # or
+    lockdown: false  # Explicitly disable (use with caution in public repos)
+```
+
+:::caution[Disabling Lockdown in Public Repositories]
+Explicitly setting `lockdown: false` in a public repository disables this security protection. Only do this if you fully understand the implications and have other controls in place to prevent data leakage.
+:::
+
+**Security Benefits:**
+
+- **Prevents token scope leakage**: Even if a GitHub token has access to private repositories, lockdown mode prevents that access from being used in public repository workflows
+- **Defense in depth**: Adds an additional layer of protection beyond token scoping
+- **Automatic and transparent**: Works without any configuration changes
+- **Safe by default**: Failures default to the most secure setting
+
+See also: [GitHub MCP Tool Configuration](/gh-aw/reference/tools/#github-tools-github) for complete tool configuration options.
+
 ### Agent Security and Prompt Injection Defense
 
 #### Sanitized Context Text Usage

diff --git a/docs/src/content/docs/reference/frontmatter-full.md b/docs/src/content/docs/reference/frontmatter-full.md
@@ -1147,7 +1147,9 @@ tools:
     read-only: true
 
     # Enable lockdown mode to limit content surfaced from public repositories (only
-    # items authored by users with push access). Default: false
+    # items authored by users with push access)
+    # Default: Automatically enabled for public repositories, disabled for private/internal repositories
+    # Set explicitly to override automatic detection
     # (optional)
     lockdown: true
 
@@ -1604,7 +1606,7 @@ safe-outputs:
     # Option 1: Number of days until expires
     expires: 1
 
-    # Option 2: Relative time (e.g., '7d', '2w', '1m', '1y')
+    # Option 2: Relative time (e.g., '2h', '7d', '2w', '1m', '1y'; hours <24 = 1 day)
     expires: "example-value"
 
   # Option 2: Enable issue creation with default configuration
@@ -1737,7 +1739,7 @@ safe-outputs:
     # Option 1: Number of days until expires
     expires: 1
 
-    # Option 2: Relative time (e.g., '7d', '2w', '1m', '1y')
+    # Option 2: Relative time (e.g., '2h', '7d', '2w', '1m', '1y'; hours <24 = 1 day)
     expires: "example-value"
 
   # Option 2: Enable discussion creation with default configuration
@@ -2027,7 +2029,7 @@ safe-outputs:
     # Option 1: Number of days until expires
     expires: 1
 
-    # Option 2: Relative time (e.g., '7d', '2w', '1m', '1y')
+    # Option 2: Relative time (e.g., '2h', '7d', '2w', '1m', '1y'; hours <24 = 1 day)
     expires: "example-value"
 
   # Option 2: Enable pull request creation with default configuration