From 6d25af807f8bdcd0cf3a0636b70dd3f58bff8e47 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Sat, 28 Feb 2026 19:12:29 +0000 Subject: [PATCH 1/2] docs: document guard policies for GitHub tools (repos + min-integrity) Add Guard Policies section to github-tools.md documenting the `repos` and `min-integrity` frontmatter fields under `tools.github:`, merged in commit 60f482a8 (#18589) on 2026-02-27 with no public docs. Co-Authored-By: Claude Sonnet 4.6 --- .../content/docs/reference/github-tools.md | 75 +++++++++++++++++++ 1 file changed, 75 insertions(+) diff --git a/docs/src/content/docs/reference/github-tools.md b/docs/src/content/docs/reference/github-tools.md index f95ac5ac504..2006a8b93f6 100644 --- a/docs/src/content/docs/reference/github-tools.md +++ b/docs/src/content/docs/reference/github-tools.md 
@@ -55,6 +55,81 @@ tools: mode: local ``` +## Guard Policies + +Restrict which repositories and integrity levels the GitHub MCP server can access during agent execution. Guard policies apply fine-grained access control at the MCP gateway level. + +```yaml wrap +tools: + github: + mode: remote + toolsets: [default] + repos: "all" + min-integrity: reader +``` + +Both `repos` and `min-integrity` are required when either is specified. + +### `repos` + +Specifies which repositories the agent can access through GitHub tools: + +- `"all"` — All repositories accessible by the configured token +- `"public"` — Public repositories only +- Array of patterns — Specific repositories and wildcards: + - `"owner/repo"` — Exact repository match + - `"owner/*"` — All repositories under an owner + - `"owner/prefix*"` — Repositories with a name prefix under an owner + +Patterns must be lowercase. Wildcards are only permitted at the end of the repository name component. + +```yaml wrap +tools: + github: + mode: remote + toolsets: [default] + repos: + - "myorg/*" + - "partner/shared-repo" + - "myorg/api-*" + min-integrity: writer +``` + +### `min-integrity` + +Sets the minimum integrity level required for repository access: + +| Level | Description | +|-------|-------------| +| `none` | No integrity requirements | +| `reader` | Read-level integrity | +| `writer` | Write-level integrity | +| `merged` | Merged-level integrity | + +### Examples + +**Restrict to public repositories only:** + +```yaml wrap +tools: + github: + repos: "public" + min-integrity: none +``` + +**Restrict to repositories in multiple organizations:** + +```yaml wrap +tools: + github: + mode: remote + toolsets: [repos, issues] + repos: + - "frontend-org/*" + - "backend-org/*" + min-integrity: writer +``` + ## Lockdown Mode for Public Repositories Lockdown Mode is a security feature that filters public repository content to only show issues, PRs, and comments from users with push access. 
Automatically enabled for public repositories when using custom tokens. See [Lockdown Mode](/gh-aw/reference/lockdown-mode/) for complete documentation. From 5676d56e27fd716d44d901983368b071cfd28ebc Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Sat, 28 Feb 2026 19:14:24 +0000 Subject: [PATCH 2/2] ci: trigger CI checks
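Review bot: the `min-integrity` table in this hunk is circular and should say what the levels mean before the feature ships as public docs: `reader` is described as "Read-level integrity" and `writer` as "Write-level integrity", which tells the reader nothing about what property is being checked or which requests the gateway rejects when the level is not met; `merged` in particular needs a sentence explaining what "merged-level" refers to, since none of the surrounding text uses the term. Two smaller points in the same hunk: the intro says guard policies are enforced "at the MCP gateway level" and every example with a `mode` uses `mode: remote`, but the "Restrict to public repositories only" example omits `mode` entirely, so the section should state whether the policy is only applied in remote mode or also in `mode: local` (the block immediately above the hunk is a `mode: local` example). And "Patterns must be lowercase" should say whether a non-lowercase pattern is rejected at compile time or silently lowercased, because a rejected pattern and a normalized one give very different results for a user who writes `"MyOrg/*"` expecting it to match.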