Description
Problem
Four high-frequency agentic workflows continue to fail due to lockdown mode requiring GH_AW_GITHUB_TOKEN which is not configured as a repository secret. This is an ongoing issue (Day 16+).
Previous tracking issue #20315 was auto-closed on 2026-03-11 (expiry). This is a fresh tracking issue.
Affected Workflows
| Workflow | Frequency | Last Failure | Run # | Impact |
|---|---|---|---|---|
| Issue Monster | Every 30 min | 2026-03-12T07:25Z | #2733 | Issue tracking down — ~50+ failures/day |
| PR Triage Agent | Every 6h | 2026-03-12T06:24Z | #196 | PR triage not running |
| Daily Issues Report | Daily | 2026-03-12T01:59Z | #130 | Daily metrics missing |
| Org Health Report | Weekly | 2026-03-09T08:26Z | #28 | Weekly org health missing |
Error Message
Lockdown mode is enabled (lockdown: true) but no custom GitHub token is configured.
Please configure one of the following as a repository secret:
- GH_AW_GITHUB_TOKEN (recommended)
- GH_AW_GITHUB_MCP_SERVER_TOKEN (alternative)
- Custom github-token in your workflow frontmatter
See: https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/auth.mdx
Root Cause
These workflows use lockdown: true in their MCP configuration (which requires GitHub API access via a fine-grained PAT), but GH_AW_GITHUB_TOKEN is not set as a repository secret.
Fix Options
Option 1 (Recommended): Configure GH_AW_GITHUB_TOKEN secret
gh aw secrets set GH_AW_GITHUB_TOKEN --value "YOUR_FINE_GRAINED_PAT"
The PAT needs: issues: read/write, pull_requests: read/write, contents: read.
Option 2: Remove lockdown: true from affected workflow frontmatter (reduces security posture).
Option 3: Add github-token: ${{ secrets.GITHUB_TOKEN }} to the affected workflows' MCP config.
History
- Previous tracking issues [P1] Lockdown token failures: Issue Monster, PR Triage Agent, Daily Issues Report #20315 (Mar 10), [aw] Issue Monster failed #18919, [aw] PR Triage Agent failed #18952 — all expired/closed
- NO CURRENT FIX PATH — manual admin intervention required to provision the token
- Ongoing since ~Feb 25, 2026 (Day 16+)
References
- §22991093860 — Issue Monster run #2733 (today)
- §22989408565 — PR Triage Agent run #196 (today)
- Docs: https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/auth.mdx
Related to Workflow Health Manager - Meta-Orchestrator - Issue Group #19352
Generated by Workflow Health Manager - Meta-Orchestrator
- expires on Mar 13, 2026, 7:45 AM UTC
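A pre-flight check for the condition in the error message above, as an added example (not gh-aw's own code and not part of the original issue). It assumes plain text matching of `lockdown: true` and `github-token:` inside the workflow's frontmatter; the function names, status strings and sample frontmatter layout are constructed for illustration, and the secret names are expected from a listing such as `gh secret list`.

```shell
#!/bin/sh
# Added example: flag workflows that enable lockdown without any token source.
# Assumption: frontmatter is the text between the first two '---' lines.

# Print only the frontmatter of a workflow markdown file.
frontmatter() {
  awk '/^---[ \t]*$/ { n++; next } n == 1 { print } n >= 2 { exit }' "$1"
}

# lockdown_status WORKFLOW_FILE SECRET_NAMES
#   SECRET_NAMES: whitespace-separated names of configured repository secrets.
# Prints not-locked | ok-custom-token | ok-secret:<NAME> | missing-token
# and returns 1 only for missing-token.
lockdown_status() {
  fm=$(frontmatter "$1")
  # No lockdown in the frontmatter: the token requirement does not apply.
  if ! printf '%s\n' "$fm" |
      grep -Eq '^[[:space:]]*lockdown:[[:space:]]*true[[:space:]]*(#.*)?$'; then
    echo "not-locked"; return 0
  fi
  # A non-empty github-token key in the frontmatter satisfies the requirement.
  if printf '%s\n' "$fm" |
      grep -Eq '^[[:space:]]*github-token:[[:space:]]*[^[:space:]#]'; then
    echo "ok-custom-token"; return 0
  fi
  # Otherwise one of the two secrets named in the error message must exist.
  for name in GH_AW_GITHUB_TOKEN GH_AW_GITHUB_MCP_SERVER_TOKEN; do
    if printf '%s\n' "$2" | tr -s '[:space:]' '\n' | grep -Fxq "$name"; then
      echo "ok-secret:$name"; return 0
    fi
  done
  echo "missing-token"; return 1
}

# Constructed sample: a locked-down workflow checked against a repository
# whose only secret is an unrelated one.
demo_constructed() {
  tmp=$(mktemp)
  printf '%s\n' '---' 'tools:' '  github:' '    lockdown: true' '---' \
    '# Sample workflow body' > "$tmp"
  lockdown_status "$tmp" "SOME_OTHER_SECRET"
  rc=$?
  rm -f "$tmp"
  return "$rc"
}

demo_constructed || echo "a token must be provisioned before this workflow can run"
```

Run it over each workflow file in CI so that a missing token is reported when the workflow is changed, not at every scheduled run.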