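# recommended.yaml
# Tool-call policy for the GitHub MCP tools. One tool is denied outright,
# write and execution tools are rate limited, and every other tool is allowed.
# Nesting is restored here: each tool is a key under `tools`, and each rule is
# a list item under that tool's `rules`.
version: "1"
description: "GitHub MCP — recommended policy. Rate limits on writes, blocks destructive ops, reads allowed freely."

# Fail-open default: a tool with no entry under `tools` is allowed and is only
# subject to the "*" rule at the bottom. That includes tools the server adds
# or renames later, and any key below that does not exactly match a tool name.
# NOTE(review): where the set of needed tools is known, an allowlist posture
# (deny by default, allow per tool) is the tighter choice; confirm that the
# policy engine accepts a deny default before switching.
default: allow

tools:
  # Destructive — blocked entirely.
  # This is the only tool denied in this file. Every other write below is
  # throttled, not blocked: a rate limit caps how often a tool can be called,
  # it does not check what a single call changes.
  delete_file:
    # NOTE(review): presumably removes the tool from the list the client sees;
    # the deny rule still rejects a direct call. Confirm against the engine.
    hide: true
    rules:
      - action: deny
        on_deny: "File deletion blocked by policy"

  # High-risk writes — tight limits.
  # Two rules per tool: a per-minute burst limit and an hourly cap.
  # A single merge or push to a protected branch is still allowed here; branch
  # protection and required reviews on the repository remain the real control.
  merge_pull_request:
    rules:
      - name: "burst-limit"
        rate_limit: "2/minute"
        on_deny: "Slow down — max 2 merges per minute"
      - name: "hourly-cap"
        rate_limit: "10/hour"
        on_deny: "Hourly merge limit (10) reached"

  push_files:
    rules:
      - name: "burst-limit"
        rate_limit: "3/minute"
        on_deny: "Slow down — max 3 pushes per minute"
      - name: "hourly-cap"
        rate_limit: "20/hour"
        on_deny: "Hourly push limit (20) reached"

  create_or_update_file:
    rules:
      - name: "rate-limit"
        rate_limit: "30/hour"
        on_deny: "Max 30 file writes per hour"

  # Execution — rate limited.
  # Triggering a workflow runs code with whatever secrets and permissions that
  # workflow has, so the limit bounds volume only. Deployments that do not
  # need agent-triggered workflows can give this tool a deny rule like the one
  # on delete_file.
  actions_run_trigger:
    rules:
      - name: "rate-limit"
        rate_limit: "5/hour"
        on_deny: "Max 5 workflow triggers per hour"

  # Repository management — moderate limits.
  create_repository:
    rules:
      - name: "rate-limit"
        rate_limit: "5/hour"
        on_deny: "Max 5 repository creations per hour"

  fork_repository:
    rules:
      - name: "rate-limit"
        rate_limit: "5/hour"
        on_deny: "Max 5 forks per hour"

  # PR and issue writes — reasonable throughput.
  create_pull_request:
    rules:
      - name: "rate-limit"
        rate_limit: "20/hour"
        on_deny: "Max 20 PR creations per hour"

  update_pull_request:
    rules:
      - name: "rate-limit"
        rate_limit: "30/hour"
        on_deny: "Max 30 PR updates per hour"

  update_pull_request_branch:
    rules:
      - name: "rate-limit"
        rate_limit: "20/hour"
        on_deny: "Max 20 branch updates per hour"

  issue_write:
    rules:
      - name: "rate-limit"
        rate_limit: "30/hour"
        on_deny: "Max 30 issue writes per hour"

  add_issue_comment:
    rules:
      - name: "rate-limit"
        rate_limit: "30/hour"
        on_deny: "Max 30 issue comments per hour"

  # Branch creation.
  create_branch:
    rules:
      - name: "rate-limit"
        rate_limit: "20/hour"
        on_deny: "Max 20 branch creations per hour"

  # Copilot tools — limited.
  assign_copilot_to_issue:
    rules:
      - name: "rate-limit"
        rate_limit: "10/hour"
        on_deny: "Max 10 Copilot assignments per hour"

  request_copilot_review:
    rules:
      - name: "rate-limit"
        rate_limit: "10/hour"
        on_deny: "Max 10 Copilot review requests per hour"

  create_pull_request_with_copilot:
    rules:
      - name: "rate-limit"
        rate_limit: "10/hour"
        on_deny: "Max 10 Copilot PR creations per hour"

  # Gist writes.
  # Gists, like new repositories and forks above, place content outside the
  # repository being worked on. The limit does not inspect that content, so
  # review whether the deployment needs these tools at all.
  create_gist:
    rules:
      - name: "rate-limit"
        rate_limit: "20/hour"
        on_deny: "Max 20 gist creations per hour"

  # Global safety net.
  # The key is quoted because a bare * would be read as a YAML alias.
  # NOTE(review): this is the only rule that covers unlisted tools. Whether it
  # also counts calls to the tools listed above is not visible here; confirm.
  "*":
    rules:
      - name: "global-rate-limit"
        rate_limit: "120/minute"
        on_deny: "Global rate limit — max 120 tool calls per minute"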