[integrity] DIFC Integrity-Filtered Events Report — 2026-03-29

[github-actions[bot]]

Executive Summary

In the last 7 days, 221 DIFC integrity-filtered events were detected across 22 workflow runs spanning 10 distinct workflows. The most frequently filtered tool was search_issues (111 events), closely followed by list_issues (100 events). The dominant filter reason was integrity (152 events, 68.8%), indicating that the most common cause is content from users with no existing trust relationship (none:all tag) rather than explicitly unapproved content.

The event distribution shows an increasing trend over the 3-day window — from 51 on Mar 27 to 92 on Mar 28, then moderating to 78 on Mar 29. The Auto-Triage Issues workflow accounts for 60% (132 events) of all filtered events, reflecting its broad intake of community-submitted issues. A long tail of persistent unresolved issues from ~26 unique external contributors keeps re-surfacing across multiple workflow runs, amplifying the total count.

Key Metrics

Metric	Value
Total filtered events	221
Unique tools filtered	4
Unique workflows affected	10
Unique users blocked	26
Most common filter reason	integrity (68.8%)
Busiest day	2026-03-28 (92 events)
Most active workflow	Auto-Triage Issues (132 events, 60%)
Top blocked user	szabta89 (38 events)

📈 Events Over Time

The 3-day period shows a spike on 2026-03-28 (92 events) driven by the Sub-Issue Closer and Auto-Triage workflows, which process batch queues of open issues. The dip on 2026-03-27 (51 events) likely reflects fewer workflow triggers over the weekend. Events on 2026-03-29 remain elevated at 78, suggesting a stable backlog of unresolved low-integrity issues continuing to be encountered by multiple workflows.

🔧 Top Filtered Tools

search_issues (111) and list_issues (100) dominate, comprising 95% of all events. Both tools are used by the issue-processing workflows to enumerate open issues in the repository — the filter fires when results include issues authored by users with insufficient trust level. issue_read (7) and pull_request_read (3) represent direct lookups of specific resources that also happen to have low integrity. All filtered events originate from a single MCP server: github.

🏷️ Filter Reasons and Tags

All 221 events carry the none:all integrity tag, indicating issues from users with no established trust association. 69 events (31.2%) additionally carry unapproved:all, flagging content that was explicitly reviewed and not approved. There are no secrecy-tagged events — this is a pure integrity signal (untrusted contributor content), not a confidentiality concern. No false-positive pattern (e.g., internal team members being filtered) is visible in the data.

📋 Per-Workflow Breakdown

Workflow	Filtered Events
Auto-Triage Issues	132
Sub-Issue Closer	36
AI Moderator	22
Dev	13
Workflow Health Manager - Meta-Orchestrator	9
Daily Team Evolution Insights	3
Smoke Copilot	2
Release	2
Smoke Claude	1
Daily Documentation Updater	1

📋 Per-Server Breakdown

MCP Server	Filtered Events
github	221

All DIFC filtering originates exclusively from the github MCP server — no other servers are involved.

👤 Per-User Breakdown (Top 26)

Author Login	Filtered Events
szabta89	38
danielmeppiel	32
deyaaeldeen	27
mnkiefer	22
johnpreed	15
TiggySravan	9
veverkap	9
Henry-Shan	9
eaftan	8
grahame-white	7
samuelkahessay	6
srgibbs99	5
Esomoire-consultancy-Company	5
lpcox	4
bryanchen-d	4
bindsi	3
dbudym-cs	3
camposbrunocampos	3
mlinksva	3
benvillalobos	1
arezero	1
strawgate	1
benissimo	1
Corb3nik	1
j-srodka	1
unknown	3

🔍 Per-User Analysis

The top 4 users (szabta89, danielmeppiel, deyaaeldeen, mnkiefer) account for 54% of all filtered events (119/221). These are repeat offenders whose open issues appear across multiple workflow runs and multiple tool calls within each run. No bot accounts or automated actors are among the blocked users — all are human contributors whose issues either lack the approved integrity label or are authored by users with NONE or CONTRIBUTOR GitHub association. The Esomoire-consultancy-Company account (5 events) is notable as a NONE-association account that persistently appears in search results for Dev and Daily Documentation Updater workflows.

💡 Tuning Recommendations

1. Approve or close long-standing community issues: Issues from szabta89, danielmeppiel, deyaaeldeen, and mnkiefer are blocked across 22+ runs. Review these open issues and either apply the approved integrity label (if valid) or close stale ones — this would eliminate ~54% of filtered events immediately.

2. Add none:all pass-through for read-only triage workflows: The Auto-Triage Issues and Sub-Issue Closer workflows need to read community issues to label them — by design. Consider configuring these workflows with a lower minimum-integrity threshold (e.g., minimum_integrity: none) so they can process issues from external contributors without being blocked. This is safe since both workflows write labels, not code.

3. Investigate Dev workflow: The Dev workflow (13 events, 2 runs, both failure) does not need to triage community issues. Review its prompt to ensure it is not inadvertently fetching untrusted issue content when reporting on repository state.

4. Whitelist or fast-track CONTRIBUTOR association users: 69 events (31%) carry unapproved:all and belong to CONTRIBUTOR-associated accounts (szabta89, mnkiefer, eaftan). These contributors have merged code before — their issues should likely be reviewed promptly for approved labeling.

5. Monitor Smoke workflows: Smoke Copilot and Smoke Claude each had filtered events (2 and 1 respectively), which is unexpected for smoke/validation workflows. Review whether the smoke workflow prompts include issue reads that could be tightened.

6. Filter stability check for Mar 28 spike: The 92-event spike on 2026-03-28 coincides with the Sub-Issue Closer (19 events) and Auto-Triage Issues (multiple runs). No new issue volume is evident — the spike appears driven by the same backlog of low-integrity issues being iterated on multiple workflow schedules. No further investigation needed unless the spike persists beyond this week.

---

Generated by the Daily Integrity Analysis workflow
Analysis window: 2026-03-27 to 2026-03-29 | Repository: github/gh-aw
Run: https://github.com/github/gh-aw/actions/runs/23717775390

AI generated by Daily DIFC Integrity-Filtered Events Analyzer · history

• expires on Apr 1, 2026, 8:20 PM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Daily DIFC Integrity-Filtered Events Analyzer.

A newer discussion is available at Discussion #23580.