chore(skills): Improve triage-issue skill (fix false-positives, check changelog, model)

[s1gr1d]

Some fixes because this issue was detected as "prompt injection": #21256

Fixes false-positives in the prompt injection lookup.

The System credentials path pattern matched /root/ anywhere it appeared in a string, which caused false positives on Bun's virtual filesystem paths (e.g. /$bunfs/root/main in stack traces) and any embedded path segment like some/root/folder.
Adds a negative lookbehind (?<!\w) so the pattern only triggers when /root/ appears at the start of a path.

Add changelog check

Adds the changelog investigation explicitly to the skill as this contains valuable information.

Model Change

Previously, the default model Claude Opus 4.7 was used. This is now changed to Opus 4.8.

[chargome]

we could use 4-8 right away?

[s1gr1d]

Doesn't this need even more tokens? 😅

[chargome]

should be way more efficient on token usage than 4.7

[sentry]

Bug: The triage-issue workflow is missing Bash(grep *) and Bash(head *) in its allowedTools list, but the SKILL.md instructs the agent to use these commands for changelog investigation.
_{Severity: HIGH}

Suggested Fix

Add Bash(grep *) and Bash(head *) to the allowedTools list in .github/workflows/triage-issue.yml to permit the agent to execute the commands required for the changelog check.

Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.

Location: .github/workflows/triage-issue.yml#L78

Potential issue: The new changelog investigation step, defined in
`.agents/skills/triage-issue/SKILL.md`, instructs the agent to execute a command using
`grep` and `head`. However, the corresponding workflow file,
`.github/workflows/triage-issue.yml`, does not include `Bash(grep *)` or `Bash(head *)`
in its `allowedTools` configuration. When the agent attempts to run the specified
command, the action will block it because the tools are not whitelisted. This will cause
the changelog investigation feature to fail every time it is triggered, rendering this
new functionality inoperative.

Also affects:

• .agents/skills/triage-issue/SKILL.md:87~89

_{Did we get this right? 👍 / 👎 to inform future reviews.}

[sentry]

Bug: The triage-issue.yml workflow is missing Grep and Read in its allowedTools list, which are required by the new changelog investigation feature and will cause it to fail.
_{Severity: CRITICAL}

Suggested Fix

Add Grep(./**) and Read(./**) to the allowedTools list in .github/workflows/triage-issue.yml to permit the agent to use the tools required for the new changelog investigation feature.

Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.

Location: .github/workflows/triage-issue.yml#L78

Potential issue: The pull request introduces a new "Changelog investigation" feature in
`SKILL.md` that requires the agent to use the `Grep` and `Read` tools. However, the
`allowedTools` list in the `triage-issue.yml` workflow was not updated to include
`Grep(./**)` and `Read(./**)`. The instructions explicitly forbid using `Bash grep/head`
as an alternative. When an issue mentioning a version number is processed, the agent
will attempt to use these un-whitelisted tools, causing the triage workflow to fail.

Also affects:

• .agents/skills/triage-issue/SKILL.md:88~90

[s1gr1d]

The skill can use the Read tool and does not need grep but this was now also updated in the skills markdown to explicitly state this.