[integrity] DIFC Integrity-Filtered Events Report — 2026-03-21

[github-actions[bot]]

Executive Summary

In the last 7 days, 1,537 DIFC integrity-filtered events were detected across 95 workflow runs. The most frequently filtered tool was list_issues (1,134 events, 73.8% of all events), and the dominant filter reason was integrity (1,527 events, 99.3%). The AI Moderator and Auto-Triage Issues workflows together account for over 70% of all filtering activity.

The filter rate shows a sharp peak on 2026-03-20 (984 events) driven primarily by high-volume AI Moderator and Auto-Triage runs that batch-enumerate issue lists. The underlying pattern is consistent: scheduled and event-triggered workflows attempt to read issue/PR lists or individual items authored by external contributors, all of which carry integrity_tags: ["none:all"]. Only 10 events (0.65%) were secrecy-filtered, indicating the system is overwhelmingly blocking on integrity rather than confidentiality.

Key Metrics

Metric	Value
Total filtered events	1,537
Unique tools filtered	11
Unique workflows affected	19
Most common filter reason	integrity (99.3%)
Dominant integrity tag	none:all
Busiest day	2026-03-20 (984 events)
Secrecy-filtered events	10 (0.65%)

📈 Events Over Time

The 7-day window shows a highly non-uniform distribution: the vast majority of events (984, 64%) occurred on 2026-03-20, with two lighter activity clusters on 2026-03-18/19 and 2026-03-25/26/27. The 2026-03-20 spike correlates with multiple concurrent high-volume runs of AI Moderator and Auto-Triage Issues, each enumerating 20+ issues per run. The relative quiet on 2026-03-21–24 suggests a scheduling gap or maintenance window.

🔧 Top Filtered Tools

list_issues dominates at 1,134 events — nearly 3× more than search_issues (213). This reflects that AI Moderator and Auto-Triage workflows fetch full issue lists and each item with a contributor's none:all integrity tag generates a separate filtered event. issue_read (143 events) comes from Issue Monster's targeted reads of specific known-low-integrity issues. pull_request_read (24) and search_pull_requests (7) are minority cases from AI Moderator and PR Triage Agent.

🏷️ Filter Reasons and Workflows

99.3% of filtering is integrity-based (tag none:all), meaning content from external contributors that has not yet been approved. Only 10 events (0.65%) involve secrecy filtering (private tag) on search_issues and search_pull_requests, occurring in Workflow Health Manager, Contribution Check, Architecture Diagram Generator, and Auto-Triage Issues.

📋 Per-Workflow Breakdown

Workflow	Filtered Events
AI Moderator	640
Auto-Triage Issues	436
Issue Triage Agent	111
Issue Monster	102
Sub-Issue Closer	100
Dev	50
Architecture Diagram Generator	30
Daily Team Evolution Insights	21
Daily Documentation Healer	9
Daily Documentation Updater	8
Code Simplifier	5
Daily Regulatory Report Generator	5
Daily Secrets Analysis Agent	2
Ubuntu Actions Image Analyzer	3
PR Triage Agent	9
Workflow Health Manager	2
Contribution Check	1
Duplicate Code Detector	1
Semantic Function Refactoring	1

📋 Per-Server Breakdown

MCP Server	Filtered Events
github	1,537

All filtered events originate from the github MCP server — no other server contributed any integrity-filtered events during this period.

💡 Tuning Recommendations

1. AI Moderator — reduce list_issues blast radius: AI Moderator generates 640 filtered events (42% of total) by calling list_issues which returns 20+ items per page, each triggering a separate filter event. Consider adding a pre-filter step that checks contributor association before calling list_issues, or configuring the workflow to only list issues from approved actors. This single change could eliminate ~40% of all filtering noise.

2. Auto-Triage Issues — same pattern: Auto-Triage Issues contributes 436 events (28%) with identical behavior. Both AI Moderator and Auto-Triage should be reviewed together. Adding an integrity promotion step (e.g., a human-approved label or a triage gate) for new issues before they enter the batch list would substantially reduce filtering.

3. Issue Monster — persistent low-integrity issues: Issue Monster runs every 20 minutes and repeatedly encounters the same low-integrity issues (e.g., #21935, #22058, #22092). These issues appear to never be approved. Consider either (a) raising their integrity level after initial human review, or (b) configuring Issue Monster to skip resources with none:all integrity rather than retrying them every cycle.

4. secrecy-filtered search_issues / search_pull_requests (10 events): Four workflows attempt queries that return private-tagged results. Review whether these workflows genuinely need access to private-tagged search results or can operate with public-only data. If private access is required, configure the relevant workflows to explicitly request it via DIFC policy rather than triggering ad-hoc filtering.

5. Investigate the 2026-03-20 spike: The 984-event day warrants closer examination. Multiple high-volume runs coincided. If there was a change to issue volume, contributor activity, or workflow trigger frequency on that date, it should be documented as a known spike rather than ongoing baseline.

6. Issue Triage Agent and Sub-Issue Closer (211 combined events): These two workflows (from large temp files) generated significant filtering volume with deeply nested list operations. Review whether their list enumeration depth can be bounded or short-circuited when encountering none:all tagged resources.

---

Generated by the Daily Integrity Analysis workflow
Analysis window: Last 7 days (2026-03-18 to 2026-03-27) | Repository: github/gh-aw
Run: §23375775703

AI generated by Daily DIFC Integrity-Filtered Events Analyzer · history

• expires on Mar 24, 2026, 9:00 AM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Daily DIFC Integrity-Filtered Events Analyzer.

A newer discussion is available at Discussion #22253.