Built safe-outputs prompt says to use safeoutputs for all GitHub operations, but GitHub MCP read tools are mounted separately #21304

@samuelkahessay

Description

Context

Observed on 2026-03-16 while debugging repo-assist workflow_dispatch runs in production. Two targeted runs completed with overall success but produced only missing_data, claiming GH_TOKEN / COPILOT_GITHUB_TOKEN were missing even though the GitHub MCP server was mounted and authenticated.

Still reproducible on local gh-aw main at 610ca8664e9f106b271388ae2b9b75be762ee9ae (v0.57.2-58-g610ca8664).

Our workflow prompt also contained raw gh ... examples, which made the outcome worse. But the upstream issue here is narrower and independent: the built-in gh-aw prompt is internally inconsistent about where GitHub reads are supposed to happen.

Problem

The built safe-outputs prompt tells the model:

gh CLI is NOT authenticated. Use safeoutputs MCP server tools for all GitHub operations - tool calls required.

But gh-aw's own model is:

  • GitHub MCP server = GitHub reads
  • safe-outputs = GitHub writes / completion signaling

The generated prompt reinforces only the safe-outputs side:

  • actions/setup/md/safe_outputs_prompt.md says to use safeoutputs for all GitHub operations
  • buildSafeOutputsSections() emits a <safe-output-tools> block listing only safe-output tools
  • <github-context> includes event metadata only; it does not tell the model to use GitHub MCP read tools for issues, PRs, Actions, search, or repository reads

So when shell gh is intentionally unauthenticated, the model is told not to use gh, but it is not told where GitHub reads should go. In field runs, that led the agent to conclude auth was missing and call missing_data instead of using the mounted GitHub MCP read tools.

Location

  • actions/setup/md/safe_outputs_prompt.md:3
  • pkg/workflow/unified_prompt_step.go:606 - buildSafeOutputsSections() function definition
  • pkg/workflow/unified_prompt_step.go:738-769 - <safe-output-tools> XML block assembly and closing
  • pkg/workflow/prompts/github_context_prompt.md:1-27

Reproduction

  1. Create a workflow that enables both GitHub MCP and safe-outputs:

       tools:
         github:
           toolsets: [issues, pull_requests, actions]

       safe-outputs:
         missing-data: {}

  2. Compile the workflow and inspect the generated prompt.
  3. Observe that the prompt says to use safeoutputs for all GitHub operations.
  4. Observe that the <safe-output-tools> section lists only safe-output tools.
  5. Observe that the <github-context> section contains only event metadata, not tool-use guidance.
  6. Compare that prompt with the actual mounted runtime tools: GitHub MCP read tools such as list_issues, list_pull_requests, search_issues, pull_request_read, and actions_list are available.

The contradiction is visible from prompt generation alone; no model variance is required to see it.

Expected behavior

When both GitHub MCP and safe-outputs are enabled, the built prompt should clearly separate the two paths:

  • GitHub MCP tools for GitHub reads: issues, pull requests, Actions runs, repository contents, search, labels, etc.
  • safe-outputs tools for GitHub writes and workflow outputs

The prompt should never say safeoutputs handles "all GitHub operations" because that is false whenever GitHub MCP is enabled.

Evidence

The upstream docs already describe the split correctly:

  • docs/src/content/docs/reference/github-tools.md:8-18 documents GitHub MCP as the GitHub API path
  • docs/src/content/docs/guides/getting-started-mcp.md:56-57 says the agent can read issues, search repositories, and access pull request information
  • docs/src/content/docs/guides/getting-started-mcp.md:106 says GitHub MCP is read-only and write operations go through safe outputs

In two production runs on 2026-03-16, the runtime launched the GitHub MCP server successfully and exposed read tools, but the agent only called safeoutputs.missing_data after checking shell auth. The failure mode was not "GitHub tools missing"; it was "prompt steered the model away from the available read tools."

Proposed fix

  1. Change the built safe-outputs intro to describe the real split, for example:

    gh CLI is not authenticated. Use GitHub MCP tools for GitHub reads and safeoutputs tools for GitHub writes.

  2. Add a built-in GitHub tool-use section when tools.github is enabled. It should explicitly say:

    • GitHub MCP server is read-only
    • use it for listing, searching, and reading issues / PRs / workflows / repository contents
    • safe-outputs is only for writes and completion signaling
  3. Add a regression test for prompt generation so a workflow with both tools.github and safe-outputs cannot emit guidance that assigns all GitHub operations to safeoutputs.
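As an added illustration of proposed fix steps 1 and 3 (not gh-aw's own code; PromptConfig, BuildGitHubGuidance and CheckPromptConsistency are hypothetical names), this Go snippet renders the read/write split intro and a regression check that rejects the current "all GitHub operations" wording whenever GitHub MCP is enabled:

```go
package main

import (
	"fmt"
	"strings"
)

// PromptConfig mirrors the workflow's tools.github and safe-outputs sections (hypothetical, not gh-aw's types).
type PromptConfig struct {
	GitHubMCPEnabled   bool
	SafeOutputsEnabled bool
}

// BuildGitHubGuidance renders the intro with the read/write split from proposed fix step 1
// (illustration only, not gh-aw's buildSafeOutputsSections()).
func BuildGitHubGuidance(cfg PromptConfig) string {
	var b strings.Builder
	b.WriteString("gh CLI is not authenticated. ")
	if cfg.GitHubMCPEnabled {
		b.WriteString("Use GitHub MCP tools for GitHub reads (issues, pull requests, Actions runs, repository contents, search). ")
	}
	if cfg.SafeOutputsEnabled {
		if cfg.GitHubMCPEnabled {
			b.WriteString("Use safeoutputs tools only for GitHub writes and completion signaling.")
		} else {
			// Only without a mounted GitHub MCP server is "all operations" via safeoutputs accurate.
			b.WriteString("Use safeoutputs MCP server tools for all GitHub operations - tool calls required.")
		}
	}
	return b.String()
}

// CheckPromptConsistency is the regression check from proposed fix step 3: with GitHub MCP
// mounted, the prompt must not route all GitHub operations to safeoutputs and must name GitHub MCP for reads.
func CheckPromptConsistency(prompt string, cfg PromptConfig) error {
	if !cfg.GitHubMCPEnabled {
		return nil // without GitHub MCP there is no read path to contradict
	}
	lower := strings.ToLower(prompt)
	if strings.Contains(lower, "for all github operations") {
		return fmt.Errorf("prompt assigns all GitHub operations to safeoutputs while GitHub MCP is enabled")
	}
	if !strings.Contains(lower, "github mcp") {
		return fmt.Errorf("prompt never directs GitHub reads to the GitHub MCP tools")
	}
	return nil
}
```

Run against the wording quoted in the Problem section, the check fails; run against the rendered split guidance, it passes.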

Environment

  • Observed in production: repo-assist targeted dispatch runs on 2026-03-16
  • Still present on: local main at 610ca8664e9f106b271388ae2b9b75be762ee9ae (v0.57.2-58-g610ca8664)
  • Repo: samuelkahessay/prd-to-prod
