Add MCP tool naming guidance to security-fix-pr workflow

[Copilot]

The security-fix-pr workflow referenced GitHub MCP tools without the required github___ prefix, causing "required tools not available" errors at runtime.

Changes

• Added tool naming guidelines explaining the github___ prefix requirement for GitHub MCP tools
• Updated tool references to use correct naming:
  • list_code_scanning_alerts → github___list_code_scanning_alerts
  • get_code_scanning_alert → github___get_code_scanning_alert
  • get_file_contents → github___get_file_contents

Example

**Tool Usage**: When using GitHub MCP tools:
- Tool names use triple underscores: `github___` (e.g., `github___list_code_scanning_alerts`)

## Workflow Steps

- Call `github___list_code_scanning_alerts` with parameters...
- Get details using `github___get_code_scanning_alert`...

This matches the pattern established in code-scanning-fixer.md (PR #12020) and ensures consistent MCP tool naming across security workflows using the code_security toolset.

Original prompt

Fix MCP tools not being avaialble:
required tools github___list_code_scanning_alerts and github___get_code_scanning_alert are not available in this workflow's toolset.
https://github.com/githubnext/gh-aw/actions/runs/21396225920/job/61595142791

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[mnkiefer]

@copilot They workflows probably need to add these extra into toolset: github: [code_security]. Otherwise they wouldn't be acccessible?

[github-actions]

Smoke Test Results

Overall: PARTIAL PASS (6/7 tests)

Test	Status
File Writing	✅
Bash Tool	✅
Safe Inputs GH CLI	✅
GitHub MCP	✅
Discussion Query	✅
Serena MCP	✅
Playwright	❌

PRs: #12022, #12017
Merged: #12020, #12005

§21396771525

AI generated by Smoke Copilot

[Copilot]

@copilot They workflows probably need to add these extra into toolset: github: [code_security]. Otherwise they wouldn't be acccessible?

The code_security toolset is already configured in the workflow frontmatter (line 19):

tools:
  github:
    toolsets: [context, repos, code_security, pull_requests]

The issue wasn't missing toolsets - it was that the workflow instructions referenced tools without the github___ prefix. The toolset mapping is correct and includes both list_code_scanning_alerts and get_code_scanning_alert tools. The fix was to update the instructions to use github___list_code_scanning_alerts instead of just list_code_scanning_alerts so the Copilot agent calls the tools with the correct names.

[mnkiefer]

@copilot But other workflows don't need to mention their MCP tools so specifically? i.e. projects, etc. Why this one?

[Copilot]

@copilot But other workflows don't need to mention their MCP tools so specifically? i.e. projects, etc. Why this one?

Good question! The difference is in how the workflow instructions are written:

Workflows like auto-triage-issues.md use generic language:

• "Fetch unlabeled issues using GitHub tools"
• "Apply labels using the add_labels tool"

The agent figures out which MCP tools to use on its own.

Security workflows like security-fix-pr.md and code-scanning-fixer.md explicitly tell the agent which tool to call:

• "Call github___list_code_scanning_alerts with the following parameters..."
• "Get details using github___get_code_scanning_alert..."

When instructions explicitly mention a tool name, they need the github___ prefix so the agent knows the exact tool to use. This is especially important for less common tools like code scanning APIs where the agent might not automatically know which tool to call.

The guidance was added to prevent "required tools not available" errors when the instructions say list_code_scanning_alerts but the actual tool is github___list_code_scanning_alerts.