Lockdown mode doesn't work from GitHub Actions GITHUB_TOKEN or other S2S tokens without `administration: read`

[dsyme]

Describe the bug

When the MCP server runs in lockdown mode (triggered via the X-MCP-Lockdown HTTP header) and the authenticating token is a GitHub Actions GITHUB_TOKEN or a GitHub App server-to-server installation token (ghs_ prefix), lockdown mode incorrectly blocks all content on public repositories rather than filtering based on contributor trust.

The lockdown implementation determines whether content is safe by querying the GitHub GraphQL API for the content author's repository collaborator permission (WRITE, ADMIN, or MAINTAIN). This query requires the viewer to have admin or write access to the repository to enumerate collaborators. A GITHUB_TOKEN with read-all permissions — or any App installation token without administration: read — returns an empty collaborator list for every user queried, causing all content to be treated as unsafe and blocked.

At some level this shouldn't fail - it seems GITHUB_TOKEN has the ability to work out an arbitrary user's permission level (example in github public repo, example in githubnext public repo). These use

GET /repos/OWNER/REPO/collaborators/USER/permission

And this appears to give the necessary information, enough information for the GitHub MCP to correctly implement its "lockdown mode". It may be the GraphQL approach used is more efficient, but in practice we should fall back to an approach that works for bots as well.

Additionally:

• github-actions[bot] and other GitHub App bot identities are not included in the hardcoded trustedBotLogins list (only copilot is trusted).
• Bot accounts (e.g. dependabot[bot], renovate[bot]) never appear in the repository.collaborators GraphQL field regardless of App installation permissions, so any content authored by bots on public repos is always blocked.

Affected version

v0.32.0

Steps to reproduce the behavior

1. Set up the remote MCP server using a GitHub App installation token (ghs_...) or a GITHUB_TOKEN with read-all permissions targeting a public repository.
2. Send an MCP request with the X-MCP-Lockdown: true header to call get_issue or get_issue_comments on an issue in that public repository authored by an external contributor.
3. Observe the response: "access to issue details is restricted by lockdown mode".
4. Repeat for an issue authored by a user with push access to the repo — same error.

Expected vs actual behavior

Expected: Lockdown mode filters out content authored by untrusted external contributors (those without push access to the repository), while allowing content authored by collaborators with write/admin/maintain permissions. GitHub Actions workflows and GitHub App tokens should be able to use lockdown mode as intended.

Actual: On public repositories, lockdown mode blocks all content regardless of the author's actual permission level. The repository.collaborators GraphQL query returns an empty result when the authenticating token lacks admin/write repository access, so every author appears to have no push access and is denied. This makes lockdown mode completely unusable for the common CI/CD case of a GitHub Actions workflow token or a read-scoped App installation token.

[dsyme]

The GitHub Actions workflow file https://github.com/githubnext/gh-aw-test/blob/main/.github/workflows/mcp-lockdown-mode-proof.yml confirms this bug

Bug confirmation:

Some snippets of log of a run is below

2026-03-06T16:33:16.9134313Z Current runner version: '2.332.0'
....
2026-03-06T16:33:48.2820858Z ##[group]Run ./github-mcp-server http \
2026-03-06T16:33:48.2821228Z �[36;1m./github-mcp-server http \�[0m
2026-03-06T16:33:48.2821484Z �[36;1m  --port 8082 \�[0m
2026-03-06T16:33:48.2821707Z �[36;1m  --lockdown-mode \�[0m
2026-03-06T16:33:48.2821943Z �[36;1m  --log-file server.log &�[0m
2026-03-06T16:33:48.2822178Z �[36;1mSERVER_PID=$!�[0m
2026-03-06T16:33:48.2822434Z �[36;1mecho "SERVER_PID=$SERVER_PID" >> "$GITHUB_ENV"�[0m
2026-03-06T16:33:48.2822731Z �[36;1m�[0m
2026-03-06T16:33:48.2822911Z �[36;1m# Wait for the server to be ready�[0m
2026-03-06T16:33:48.2823184Z �[36;1mecho "Waiting for server to start..."�[0m
2026-03-06T16:33:48.2823443Z �[36;1mfor i in $(seq 1 30); do�[0m
2026-03-06T16:33:48.2823883Z �[36;1m  if curl -s -o /dev/null -w "%{http_code}" http://localhost:8082/ | grep -qE '2[0-9]{2}|405'; then�[0m
2026-03-06T16:33:48.2824350Z �[36;1m    echo "Server is ready after ${i}s"�[0m
2026-03-06T16:33:48.2824607Z �[36;1m    break�[0m
2026-03-06T16:33:48.2824820Z �[36;1m  fi�[0m
2026-03-06T16:33:48.2824984Z �[36;1m  sleep 1�[0m
2026-03-06T16:33:48.2825159Z �[36;1mdone�[0m
2026-03-06T16:33:48.2868619Z shell: /usr/bin/bash -e {0}
2026-03-06T16:33:48.2868840Z env:
2026-03-06T16:33:48.2869305Z   GITHUB_PERSONAL_ACCESS_TOKEN: ***
2026-03-06T16:33:48.2869556Z ##[endgroup]
2026-03-06T16:33:48.2936367Z Waiting for server to start...
2026-03-06T16:34:23.5446652Z ##[group]Run echo "=== Sending MCP initialize request ==="
2026-03-06T16:34:23.5447086Z �[36;1mecho "=== Sending MCP initialize request ==="�[0m
2026-03-06T16:34:23.5447650Z �[36;1mINIT_RESPONSE=$(curl -s -X POST http://localhost:8082/ \�[0m
...
2026-03-06T16:34:23.5934962Z === Calling issue_read (method: get) on a public repo issue created by an admin ===
2026-03-06T16:34:23.5935687Z This targets github/github-mcp-server#1 (a public repo).
2026-03-06T16:34:23.5936381Z With GITHUB_TOKEN read-all, the collaborators GraphQL query returns
2026-03-06T16:34:24.3201034Z empty results, so lockdown will treat ALL authors as unsafe.
2026-03-06T16:34:24.3201510Z 
2026-03-06T16:34:24.3201668Z issue_read response:
2026-03-06T16:34:24.3215456Z event: message
2026-03-06T16:34:24.3216451Z data: {"jsonrpc":"2.0","id":2,"result":{"content":[{"type":"text","text":"access to issue details is restricted by lockdown mode"}],"isError":true}}
2026-03-06T16:34:24.3217347Z 
2026-03-06T16:34:24.3236195Z 
2026-03-06T16:34:24.3236626Z ********************************************
2026-03-06T16:34:24.3237205Z * BUG CONFIRMED: Lockdown mode blocked     *
2026-03-06T16:34:24.3237779Z * access even though the issue author may   *
2026-03-06T16:34:24.3238392Z * be a legitimate collaborator. The         *
2026-03-06T16:34:24.3239026Z * GITHUB_TOKEN cannot enumerate             *
2026-03-06T16:34:24.3239869Z * collaborators via the GraphQL API.        *
2026-03-06T16:34:24.3240416Z ********************************************
...
2026-03-06T16:34:24.5932177Z === Calling issue_read WITHOUT lockdown header (control test) ===
2026-03-06T16:34:24.5932950Z This confirms the token itself works fine for reading issues.
2026-03-06T16:34:24.5933375Z 
2026-03-06T16:34:24.9103882Z issue_read (no lockdown) response:
2026-03-06T16:34:24.9118072Z event: message
2026-03-06T16:34:24.9122541Z data: {"jsonrpc":"2.0","id":4,"result":{"content":[{"type":"text","text":"{\"number\":44,\"title\":\"Test PR for Claude Review Comments\",\"body\":\"This PR is for testing test-claude-create-pull-request-review-comment. Please add review comments.\",\"state\":\"closed\",\"html_url\":\"https://github.com/githubnext/gh-aw-test/pull/44\",\"user\":{\"login\":\"dsyme\",\"id\":7204669,\"profile_url\":\"https://github.com/dsyme\",\"avatar_url\":\"https://avatars.githubusercontent.com/u/7204669?v=4\"},\"author_association\":\"CONTRIBUTOR\",\"comments\":2,\"reactions\":{\"total_count\":0,\"+1\":0,\"-1\":0,\"laugh\":0,\"confused\":0,\"heart\":0,\"hooray\":0,\"rocket\":0,\"eyes\":0},\"created_at\":\"2025-09-11T18:53:46Z\",\"updated_at\":\"2025-09-11T19:08:12Z\",\"closed_at\":\"2025-09-11T19:07:16Z\",\"closed_by\":\"dsyme\"}"}]}}
2026-03-06T16:34:24.9126658Z 
2026-03-06T16:34:24.9155340Z SUCCESS: Issue retrieved without lockdown — token works fine.
...