Feature: allow restricting Copilot CLI built-in tools via frontmatter #23198
Description
Summary
The compiled awf command always includes --allow-all-tools and --allow-all-paths, giving the agent unrestricted access to all Copilot CLI built-in tools (file read, file write, file edit, terminal/bash, etc.). There's no frontmatter option to restrict which built-in tools are available.
Why this matters
For review-only agents (e.g., documentation reviewers), the agent only needs to read files and post review comments. It doesn't need file-write or file-edit capabilities. Granting --allow-all-tools unnecessarily expands the attack surface for prompt injection — a manipulated agent could write files to disk even when the workflow author only intended it to read.
Relevant lock file context
```yaml
# archie.lock.yml ~line 639
sudo -E awf --env-all --container-workdir "\${GITHUB_WORKSPACE}" \\
  --allow-all-tools \\
  --allow-all-paths \\
  --enable-host-access \\
  -- /bin/bash -c '/usr/local/bin/copilot ...'
```
Proposed solution
Add a frontmatter key to control which Copilot CLI built-in tools are enabled:
```yaml
tools:
  copilot:
    allow: [read, bash] # only file-read and bash, no file-write/edit
```
Or alternatively, a deny-list:
```yaml
tools:
  copilot:
    deny: [write, edit] # disable file modification tools
```
This would compile to `--allow-tools read,bash` (or equivalent) instead of `--allow-all-tools`.
Impact
All gh-aw workflows currently get --allow-all-tools regardless of their actual needs. This is especially relevant for pull_request_target workflows operating on untrusted PR content.
Environment
- gh-aw v0.64.1
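The compile step the issue proposes, written out as an added example. This is illustrative code, not gh-aw's compiler. The flag spelling `--allow-tools a,b` follows the issue's own proposal and is an assumption, as are the four tool names (taken from the issue text), treating `allow` and `deny` as mutually exclusive, and rejecting a configuration that leaves no tool enabled instead of compiling it silently.

```python
"""Added example (not gh-aw's compiler): turn a proposed `tools.copilot`
frontmatter block into the tool flags for the compiled awf command.

Assumptions, labelled as such: the flag spelling `--allow-tools a,b` follows
the issue's proposal; the tool names are the four the issue mentions; `allow`
and `deny` are treated as mutually exclusive; a config that leaves no tool
enabled is rejected rather than silently compiled.
"""
import shlex
from typing import Dict, List, Optional

# Assumed built-in tool names, in a fixed canonical order so output is stable.
BUILTIN_TOOLS = ("read", "write", "edit", "bash")


def compile_tool_flags(copilot_cfg: Optional[Dict[str, List[str]]]) -> List[str]:
    """Return the awf tool flags for a `tools.copilot` mapping.

    No mapping at all keeps today's behaviour (`--allow-all-tools`), so
    existing workflows compile unchanged; an `allow` or `deny` list narrows
    the set and compiles to an explicit `--allow-tools` list instead.
    """
    if not copilot_cfg:
        return ["--allow-all-tools"]

    allow = copilot_cfg.get("allow")
    deny = copilot_cfg.get("deny")
    if allow is not None and deny is not None:
        raise ValueError("tools.copilot: use either 'allow' or 'deny', not both")
    requested = allow if allow is not None else deny
    if requested is None:
        raise ValueError("tools.copilot: expected an 'allow' or 'deny' list")

    unknown = sorted(set(requested) - set(BUILTIN_TOOLS))
    if unknown:
        # Fail at compile time: a typo such as 'wrte' in a deny list would
        # otherwise silently leave the real tool enabled.
        raise ValueError(f"tools.copilot: unknown tool name(s): {', '.join(unknown)}")

    if allow is not None:
        enabled = [t for t in BUILTIN_TOOLS if t in allow]
    else:
        enabled = [t for t in BUILTIN_TOOLS if t not in deny]

    if not enabled:
        raise ValueError("tools.copilot: configuration enables no tools")
    return ["--allow-tools", ",".join(enabled)]


def build_awf_command(copilot_cfg, workspace: str, inner_cmd: str) -> List[str]:
    """Assemble an argv mirroring the lock-file excerpt, with the tool flags
    substituted. Path and host-access flags are left exactly as in the excerpt."""
    return [
        "sudo", "-E", "awf", "--env-all",
        "--container-workdir", workspace,
        *compile_tool_flags(copilot_cfg),
        "--allow-all-paths",
        "--enable-host-access",
        "--", "/bin/bash", "-c", inner_cmd,
    ]


if __name__ == "__main__":
    # Constructed sample configs: a review-only agent (allow-list), the
    # equivalent deny-list, and the default (no tools.copilot block at all).
    for cfg in ({"allow": ["read", "bash"]}, {"deny": ["write", "edit"]}, None):
        argv = build_awf_command(cfg, "${GITHUB_WORKSPACE}", "/usr/local/bin/copilot ...")
        print(shlex.join(argv))
```

Both the allow-list and the deny-list sample compile to `--allow-tools read,bash`, while omitting the block keeps `--allow-all-tools`, so adopting the key would not change any existing workflow until its author opts in.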