fix(repos): default create_repository to private when visibility omitted #2694

Merged
JoannaaKL merged 1 commit into main from sammorrowdrums/create-repository-private-default
Jun 15, 2026

@SamMorrowDrums

Collaborator

Summary

create_repository previously created a public repository whenever the private parameter was omitted. Because the parameter is optional, agent-driven or automated workflows could unintentionally create public repos, exposing source code, configuration, workflow files, and commit history.

This change makes the secure choice the default: omitting private now creates a private repository. A public repository is only created when private is explicitly set to false.

Changes

  • create_repository now defaults private to true when the parameter is omitted (via OptionalBoolParamWithDefault).
  • Updated the private field description and schema default so the behavior is explicit to callers.
  • Updated the tool snapshot and regenerated docs (README).
  • Tests:
    • Minimal-parameters case now asserts the repo is created private.
    • Added a case asserting private: false still creates a public repo.

Behavior

| private value | Result |
| --- | --- |
| omitted | private (new default) |
| true | private |
| false | public |

Verification

  • script/lint — 0 issues
  • go test -race ./... — all passing
  • script/generate-docs — README updated

Previously, omitting the `private` parameter on create_repository
defaulted the new repository to public, an insecure default that could
unintentionally expose code, configuration, and history. Omission now
defaults to a private repository; public repositories are only created
when `private` is explicitly set to false.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings June 15, 2026 13:56
@SamMorrowDrums SamMorrowDrums requested a review from a team as a code owner June 15, 2026 13:56
@SamMorrowDrums

Collaborator Author

This addresses the insecure default where create_repository produced a public repo when private was omitted.

Decision summary:

  • Omitting private now defaults to a private repository (secure default / fail-closed).
  • A public repo is only created when private is explicitly false.
  • The private field description and JSON schema default now make the default explicit to callers.

| private | Result |
| --- | --- |
| omitted | private (new default) |
| true | private |
| false | public |

Verified with script/lint (0 issues), go test -race ./... (passing), and script/generate-docs. Tool snapshot and README updated.

Copilot AI left a comment

Contributor

Pull request overview

This PR updates the create_repository MCP tool to default to creating private repositories when the optional private parameter is omitted, reducing the risk of unintentionally creating public repos in agent-driven workflows.

Changes:

  • Default private to true at runtime via OptionalBoolParamWithDefault(args, "private", true).
  • Make the default explicit in the tool schema (default: true) and parameter description.
  • Update tests, toolsnapshot, and README documentation to reflect the new default behavior.

| File | Description |
| --- | --- |
| README.md | Updates create_repository.private docs to state it defaults to private when omitted. |
| pkg/github/repositories.go | Sets schema default for private and changes runtime parsing to default omitted private to true. |
| pkg/github/repositories_test.go | Updates minimal-args test to expect private repo by default and adds an explicit private: false public repo test. |
| pkg/github/toolsnaps/create_repository.snap | Updates snapshot to include default: true and the updated description for private. |

Copilot's findings

  • Files reviewed: 4/4 changed files
  • Comments generated: 0
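
The fail-closed default discussed in this thread, as an added example that is not code from this pull request or the project: `legacyPrivate`, `boolParamOrDefault` and `resolvePrivate` are hypothetical names, the JSON arguments are constructed samples, and treating `null` as omitted and rejecting non-boolean values are assumptions of this sketch.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// legacyPrivate shows one way the old outcome arises: a missing key
// yields Go's zero value for bool, false, so the repository is public.
func legacyPrivate(args map[string]any) bool {
	v, _ := args["private"].(bool)
	return v
}

// boolParamOrDefault is a hypothetical helper (not the project's
// OptionalBoolParamWithDefault). Absent or null keys take def; a value
// of the wrong type is an error, never a silent fallback to public.
func boolParamOrDefault(args map[string]any, key string, def bool) (bool, error) {
	raw, ok := args[key]
	if !ok || raw == nil {
		return def, nil
	}
	b, ok := raw.(bool)
	if !ok {
		return def, fmt.Errorf("parameter %q must be a boolean, got %T", key, raw)
	}
	return b, nil
}

// resolvePrivate decodes a tool-call argument object and returns the
// visibility that would be requested, staying private on any failure.
func resolvePrivate(argsJSON string) (bool, error) {
	var args map[string]any
	if err := json.Unmarshal([]byte(argsJSON), &args); err != nil {
		return true, err
	}
	return boolParamOrDefault(args, "private", true)
}

func main() {
	for _, in := range []string{ // constructed sample arguments
		`{"name":"demo"}`,
		`{"name":"demo","private":false}`,
		`{"name":"demo","private":"false"}`,
	} {
		p, err := resolvePrivate(in)
		fmt.Printf("%-36s private=%v err=%v\n", in, p, err)
	}
}
```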
3 participants