Pull request overview
Adds a GitHub agentic workflow to automatically triage newly opened/reopened issues using the gh-aw compiled workflow plus a Markdown prompt source.
Changes:
- Added an agentic issue-triage prompt definition (`.md`) and its compiled workflow lockfile (`.lock.yml`).
- Marked generated lock workflows as linguist-generated (and configured a merge driver) via `.gitattributes`.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| .github/workflows/issue-triage.md | Defines the issue triage agent instructions and frontmatter configuration. |
| .github/workflows/issue-triage.lock.yml | Adds the compiled GitHub Actions workflow that runs the agent, safe-outputs handler, and threat detection. |
| .gitattributes | Marks *.lock.yml as generated and configures merge behavior. |
| - Use the `update_issue` tool to apply the labels to the issue | ||
| - DO NOT communicate directly with users | ||
| - If no labels are clearly applicable, do not apply any labels |
Step 7 instructs using the update_issue tool to apply labels, but this workflow’s allowed write tools are the safe-outputs tools (notably add_labels). With the GitHub MCP server running in read-only mode, an update_issue call will fail and labels won’t get applied. Update the instructions to use add_labels (and ensure the label application step aligns with the safe-outputs tool names).
| - Use the `update_issue` tool to apply the labels to the issue | |
| - DO NOT communicate directly with users | |
| - If no labels are clearly applicable, do not apply any labels | |
| - Use the `add-labels` safe output to specify which labels should be applied to the issue; do not call write-capable GitHub tools such as `update_issue` in this workflow | |
| - DO NOT communicate directly with users | |
| - If no labels are clearly applicable, leave the `add-labels` safe output empty so that no labels are applied |
| discussions: write | ||
| issues: write | ||
| pull-requests: write | ||
| outputs: | ||
| activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }} | ||
| matched_command: '' | ||
| steps: |
This workflow requests discussions: write and pull-requests: write in pre_activation, even though it only triggers on issues and the steps shown here only need to add a reaction / check membership. To follow least-privilege (and match other workflows in this repo), drop unnecessary permissions and keep only what’s required (likely issues: write for the reaction + whatever minimal read is needed for membership checks).
| discussions: write | |
| issues: write | |
| pull-requests: write | |
| outputs: | |
| activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }} | |
| matched_command: '' | |
| steps: | |
| issues: write | |
| members: read | |
| outputs: | |
| activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }} | |
| matched_command: '' | |
| steps: | |
| steps: |
| discussions: write | ||
| issues: write | ||
| pull-requests: write |
safe_outputs requests discussions: write and pull-requests: write, but the safe output tools configured for this workflow are add_comment and add_labels on issues. Consider configuring safe-outputs to disable discussions support (the generated tools metadata indicates safe-outputs.add-comment.discussions: false is supported) and reduce job permissions to only what’s required (typically issues: write).
| discussions: write | |
| issues: write | |
| pull-requests: write | |
| issues: write |
| # Set svg to binary type, as SVG is unlikely to be editted by hand. Can be treated as checked in blob | ||
| *.svg binary | ||
|
|
||
| .github/workflows/*.lock.yml linguist-generated=true merge=ours No newline at end of file |
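Review bot: The added `.github/workflows/*.lock.yml` line is the last line of `.gitattributes` and has no trailing newline ("No newline at end of file"); add one so later additions to the file produce clean diffs. Separately, `merge=ours` on that line names a custom merge driver, which only takes effect where a `merge.ours.driver` entry exists in git config. Nothing visible in this hunk defines that driver, so either document the required `git config merge.ours.driver true` step for contributors or drop the attribute. The context comment above also has a typo ("editted").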
Setting merge=ours for .github/workflows/*.lock.yml will cause future PR updates to compiled workflow lock files to be discarded when merging into the default branch (the target branch becomes "ours"). For generated workflow lock files this can leave the repo running an out-of-date workflow. Consider removing merge=ours and keeping only linguist-generated=true (or adopt a regeneration step on main if you want to avoid merge conflicts).
| .github/workflows/*.lock.yml linguist-generated=true merge=ours | |
| .github/workflows/*.lock.yml linguist-generated=true |
| # If in a public repo, setting `lockdown: false` allows | ||
| # reading issues, pull requests and comments from 3rd-parties | ||
| # If in a private repo this has no particular effect. | ||
| lockdown: false |
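Review bot: `lockdown: false` on the last line of this hunk needs a recorded justification. Per the comment directly above it, in a public repo this setting lets the agent read issues, pull requests and comments from third parties, which is untrusted text reaching the model. If triage only needs the triggering issue, consider not setting it to `false`; otherwise extend the comment to say why third-party content is required and which controls limit what the agent can do with it.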
Trailing whitespace after lockdown: false can create noisy diffs and fails some linters. Please remove the extra spaces.
| lockdown: false | |
| lockdown: false |
| sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.20.2 --skip-pull --enable-api-proxy \ | ||
| -- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log |
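Review bot: The `--allow-domains` list on the `awf` line is much wider than issue triage appears to need. It includes package and content hosts such as `registry.npmjs.org`, `raw.githubusercontent.com`, `packagecloud.io` and `ppa.launchpad.net`, and `--enable-host-access` is set with `host.docker.internal` on the list. Every allowed destination is an egress path for an agent that processes untrusted issue text, so trim the list to the endpoints a triage run actually calls and drop `--enable-host-access` unless a step depends on it. Since this file is the compiled output, make the change in the `issue-triage.md` source and recompile. The `copilot` command also runs with `--log-level all`; confirm the logs under `/tmp/gh-aw/sandbox/agent/logs/` are not published anywhere readable by outsiders.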
The agent execution is configured with awf --env-all and the Copilot CLI flags --allow-all-tools --allow-all-paths. Since this workflow can post a public issue comment via safe outputs, prompt injection could potentially lead to data exfiltration if the agent can read environment variables (including tokens) or arbitrary files/paths. Consider tightening the configuration to an explicit allowlist of tools/paths and avoid passing all env vars into the sandbox unless required (principle of least privilege).
| sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.20.2 --skip-pull --enable-api-proxy \ | |
| -- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log | |
| sudo -E awf --container-workdir "${GITHUB_WORKSPACE}" --allow-domains "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.20.2 --skip-pull --enable-api-proxy \ | |
| -- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log |
Add agentic workflow issue-triage
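A small lint for the two least-privilege findings raised in this review: write scopes beyond `issues: write`, and `--env-all` / `--allow-all-tools` / `--allow-all-paths` on the agent command. This is an added example, not part of the pull request or of gh-aw; the function name `audit_workflow`, the `ALLOWED_WRITE` policy and the sample workflow text are assumptions constructed for illustration, and the scanner assumes two-space YAML indentation.

```python
import re

# Flags the review singles out as too broad for an agent that reads untrusted issue text.
RISKY_FLAGS = {"--env-all", "--allow-all-tools", "--allow-all-paths"}
# Assumed policy: an issues-only triage workflow needs no other write scope.
ALLOWED_WRITE = {"issues"}

def audit_workflow(text):
    """Return sorted findings (extra write scopes, risky agent flags) per job."""
    findings, section, job, perms_indent = set(), None, None, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        section = stripped.rstrip(":") if indent == 0 else section
        if indent == 0 or section != "jobs":
            continue                      # only lines inside `jobs:` are audited
        if indent == 2 and stripped.endswith(":"):
            job, perms_indent = stripped[:-1], None   # new job id
            continue
        if stripped == "permissions:":
            perms_indent = indent
            continue
        if perms_indent is not None and indent > perms_indent:
            scope, _, level = stripped.partition(":")
            if level.strip() == "write" and scope not in ALLOWED_WRITE:
                findings.add(f"{job}: {scope}: write")
            continue
        perms_indent = None               # left the permissions block
        flags = set(re.findall(r"(?<![\w-])--[a-z][a-z-]*", stripped))
        findings.update(f"{job}: {flag}" for flag in flags & RISKY_FLAGS)
    return sorted(findings)

# Constructed sample (two-space indentation assumed), not the PR's lock file.
SAMPLE = """\
on:
  issues:
jobs:
  pre_activation:
    permissions:
      discussions: write
      issues: write
      pull-requests: write
  agent:
    steps:
      - run: sudo -E awf --env-all -- /bin/bash -c 'copilot --allow-all-tools --allow-all-paths --prompt x'
"""

if __name__ == "__main__":
    print("\n".join(audit_workflow(SAMPLE)))
```

Run as a pre-merge check over each `.lock.yml`, a non-empty result means the compiled workflow still carries a scope or flag the review asked to remove.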