[integrity] DIFC Integrity-Filtered Events Report — 2026-04-26

[github-actions[bot]]

Executive Summary

In the last 7 days, 115 DIFC integrity-filtered events were detected across 22 workflow runs. The most frequently filtered tool was list_issues (67 events), followed by search_issues (33) and pull_request_read (15). Every single filtered event was caused by an integrity violation — specifically, agents attempting to process GitHub resources (issues and PRs) with integrity tags of none:all or unapproved:all, which fall below the workflow's required trust threshold.

The filtering is concentrated in two high-volume workflows: Sub-Issue Closer (57 events across 2 runs) and Dev (33 events across 2 runs). These workflows consistently encounter user-submitted content that hasn't been approved, which is expected behavior — the DIFC system is operating correctly by blocking agents from acting on unreviewed/untrusted input. The distribution across Apr 25 (53 events) and Apr 26 (62 events) shows a stable, consistent filtering rate with no anomalous spikes.

Key Metrics

Metric	Value
Total filtered events	115
Unique tools filtered	3
Unique workflows affected	9
Most common filter reason	integrity
Busiest day	2026-04-26 (62 events)
Dominant integrity tag	none:all (115 events), unapproved:all (100 events)

📈 Events Over Time

Events are concentrated on two days (Apr 25–26), the full extent of the 7-day window that contained activity. Volume increased slightly from 53 to 62 events (+17%) between the two days — this is driven primarily by Sub-Issue Closer and Dev workflow executions rather than a systematic escalation.

🔧 Top Filtered Tools

All three filtered tools (list_issues, search_issues, pull_request_read) are GitHub MCP server tools. This is expected: workflows that process incoming issues and PRs will naturally encounter content tagged none:all (unreviewed by the integrity system) or unapproved:all (not yet approved). The filtering prevents agents from reading or acting on content from untrusted contributors without approval.

🏷️ Filter Reasons and Tags

100% of filtered events are integrity-related (zero secrecy violations). The dominant tags are none:all (all 115 events) and unapproved:all (100 events). These tags indicate that the triggering resources (GitHub issues and PRs) were created by contributors who have not yet been vetted — the integrity gate is functioning as designed.

📋 Per-Workflow Breakdown

Workflow	Filtered Events
Sub-Issue Closer	57
Dev	33
Design Decision Gate	10
Daily Community Attribution Updater	6
Smoke Claude	4
Daily Cache Strategy Analyzer	2
Workflow Health Manager - Meta-Orchestrator	1
Daily Team Evolution Insights	1
Code Simplifier	1

📋 Per-Server Breakdown

MCP Server	Filtered Events
github	115

👤 Per-User Breakdown

Author Login	Filtered Events
unknown	15
yskopets	11
danielmeppiel	5
shea-parkes	5
chrizbo	4
jsquire	4
MH0386	4
stefankrzyz	3
johnpreed	3
mlinksva	3
veverkap	3
corymhall	3
askpaisa	3
verkyyi	2
chepa92	2
duncankmckinnon	2
JanKrivanek	2
jfomhover	2
ruokun-niu	2
bindsi	2
benissimo	2
samuelkahessay	2
TiggySravan	2
arezero	2
johnwilliams-12	2
microsasa	2
mvdbos	2
jaroslawgajewski	2
edgeq	2
Corb3nik	2
(28 others)	1 each

🔍 Per-User Analysis

The per-user distribution is broad (45+ unique contributors) with no single user dominating. The leading individual contributor is yskopets (11 events), followed by danielmeppiel and shea-parkes (5 each). These are all human contributors whose issues or PRs triggered the Sub-Issue Closer or Design Decision Gate workflows before being approved. The 15 events listed as "unknown" correspond to pull_request_read calls where the triggering author login was not surfaced in the filtered event metadata. No automated bot accounts (e.g., github-actions[bot]) appear in the filtered events, confirming that filtering is driven by human contributors submitting new content — expected behavior.

💡 Tuning Recommendations

1. Sub-Issue Closer (57 events / 50% of total): This workflow calls list_issues in bulk on open issues across the repository. Consider adding an integrity pre-filter step to skip issues below the approved threshold before calling the GitHub MCP tool, reducing noise and improving efficiency.

2. Dev workflow (33 events): Review the workflow prompt to determine if it can narrow its search_issues scope to approved or member-authored issues only. Adding author_association: MEMBER,OWNER,COLLABORATOR filtering at the MCP query level would significantly reduce filtered events.

3. unknown author logins (15 events / 13%): These appear in pull_request_read events without author attribution. Confirm that the MCP server is returning author_login for PR resources; if not, this may be a gap in the gateway's event metadata collection.

4. unapproved:all tag prevalence (100/115 events): This high rate is expected for a public repository with external contributors. If the approval queue grows, consider automating trust elevation for contributors with a track record (e.g., multiple merged PRs).

5. No secrecy violations: The absence of secrecy-tagged filtering is positive — no workflow is inadvertently passing confidential data to tools that shouldn't see it. This baseline should be monitored daily; any appearance of secrecy violations would warrant immediate investigation.

6. Stable rate, no spike: With only 2 active days in the window and a modest day-over-day increase, there is no urgent action required. Continue monitoring daily to detect if any single workflow begins accumulating filtered events at an accelerating rate.

---

Generated by the Daily Integrity Analysis workflow
Analysis window: Last 7 days | Repository: github/gh-aw
Run: https://github.com/github/gh-aw/actions/runs/24965818195

Generated by Daily DIFC Integrity-Filtered Events Analyzer · ● 3M · ◷

• expires on Apr 29, 2026, 8:55 PM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-04-29T20:55:19.460Z.

Closed by Workflow