
chore: set min-integrity on issue-triage agentic workflow #66207

Merged: DeagleGross merged 1 commit into dotnet:main from DeagleGross:dmkorolev/issuetriage-minintegrity, Apr 8, 2026

@DeagleGross
Member

Today, depending on the rights of the user creating the issue, the workflow may decide not to post the results, since the user does not have a collaborator role on the repo. Example:

Collected 0 missing tool(s), 0 missing data item(s), 0 noop message(s), and 1 incomplete signal(s)
Processing 1 message(s) in order of appearance...
Processing message 1/1: report_incomplete
Warning: ⚠️ report_incomplete: Issue #66192 content was filtered by integrity policy — user-submitted issue body/title has lower integrity than the agent requires (integrity below "approved"). Unable to read any issue details to perform area classification, type classification, duplicate detection, or post a triage summary.
   Details: All three attempts to read the issue data returned: "Resource 'issue:dotnet/aspnetcore#66192' has lower integrity than agent requires. The agent cannot read data with integrity below 'approved'." This applies to both get and get_comments methods, as well as search_issues. The triage workflow cannot proceed without access to the issue content.
✓ Message 1 (report_incomplete) completed successfully
Stored 0 missing tool(s), 0 missing data item(s), 0 noop message(s), and 1 incomplete signal(s) for footer generation
📝 Safe output summaries written to step summary

It is safe to set min-integrity for issue-triage, since this is a read-only workflow and allows only placing labels and a single comment on the issue.

Closes #66191

@DeagleGross DeagleGross self-assigned this Apr 8, 2026
@DeagleGross DeagleGross requested a review from wtgodbe as a code owner April 8, 2026 09:39
@DeagleGross DeagleGross added the area-infrastructure Includes: MSBuild projects/targets, build scripts, CI, Installers and shared framework label Apr 8, 2026
@DeagleGross DeagleGross requested a review from a team as a code owner April 8, 2026 09:39
Copilot AI review requested due to automatic review settings April 8, 2026 09:39
@DeagleGross DeagleGross enabled auto-merge (squash) April 8, 2026 09:39
Contributor

Copilot AI left a comment

Pull request overview

Updates the Issue Triage Agent agentic workflow configuration so it can read and triage newly opened issues even when the issue author/content is below the default integrity threshold.

Changes:

  • Configure the workflow’s GitHub tool with min-integrity: none to allow reading user-submitted issue content.
  • Regenerate the compiled lock workflow to reflect the updated integrity/guard configuration.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| .github/workflows/issue-triage-agent.md | Sets github.min-integrity: none in the workflow frontmatter so the agent can read issue details regardless of author integrity. |
| .github/workflows/issue-triage-agent.lock.yml | Regenerated workflow lock output; updates MCP guard policy configuration to align with the new integrity setting. |

Comment on lines +619 to +623
"approval-labels": ${{ steps.parse-guard-vars.outputs.approval_labels }},
"blocked-users": ${{ steps.parse-guard-vars.outputs.blocked_users }},
"min-integrity": "none",
"repos": "all",
"trusted-users": ${{ steps.parse-guard-vars.outputs.trusted_users }}
Copilot AI Apr 8, 2026

The GitHub MCP server guard policy is now hard-coded to allow "repos": "all". This broadens what the agent can read to any repository accessible by the configured token, which is likely more than this issue-triage workflow needs (it should only need dotnet/aspnetcore). Consider constraining the allowed repos (e.g., to the current repository) while keeping min-integrity: none so untrusted issues can still be read.

@DeagleGross DeagleGross merged commit df9f19a into dotnet:main Apr 8, 2026
16 checks passed
@dotnet-policy-service dotnet-policy-service Bot added this to the 11.0-preview4 milestone Apr 8, 2026
@DeagleGross DeagleGross deleted the dmkorolev/issuetriage-minintegrity branch April 8, 2026 15:16
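
The read-scope concern from the review comment above, as a check that could run over the guard policy in CI. This is an added example, not code from the PR or from the workflow tooling; the function names, finding codes and the list form of "repos" are assumptions, and the sample is the five reviewed lines wrapped in braces.

```python
import json
import re

# GitHub Actions expressions (${{ ... }}) are substituted at run time, so the
# policy template is not valid JSON until they are replaced.
EXPR = re.compile(r"\$\{\{.*?\}\}")

# Constructed sample: the five reviewed lines from this page, wrapped in braces.
MERGED = """{
"approval-labels": ${{ steps.parse-guard-vars.outputs.approval_labels }},
"blocked-users": ${{ steps.parse-guard-vars.outputs.blocked_users }},
"min-integrity": "none",
"repos": "all",
"trusted-users": ${{ steps.parse-guard-vars.outputs.trusted_users }}
}"""

# Assumption: a list of owner/name strings is an accepted way to narrow "repos".
CONSTRAINED = MERGED.replace('"repos": "all"', '"repos": ["dotnet/aspnetcore"]')


def load_policy(template):
    """Parse a policy template, treating every run-time expression as null."""
    return json.loads(EXPR.sub("null", template))


def audit_read_scope(policy, current_repo):
    """Return (code, message) findings about what the agent is allowed to read."""
    findings = []
    untrusted = policy.get("min-integrity") == "none"
    repos = policy.get("repos")
    if repos == "all" and untrusted:
        findings.append(("UNTRUSTED_INPUT_WIDE_SCOPE",
                         "reads unvetted issue text and every repo the token can access"))
    elif repos == "all":
        findings.append(("WIDE_SCOPE", "reads every repo the token can access"))
    elif isinstance(repos, list):
        extra = sorted(r for r in repos if r != current_repo)
        if extra:
            findings.append(("EXTRA_REPOS", "also reads: " + ", ".join(extra)))
    return findings


if __name__ == "__main__":
    for name, text in (("merged", MERGED), ("constrained", CONSTRAINED)):
        print(name, audit_read_scope(load_policy(text), "dotnet/aspnetcore"))
```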

Development

Successfully merging this pull request may close these issues.

[aw] Issue Triage Agent for dotnet/aspnetcore failed
