Skip to content

chore(skills): Improve triage-issue skill (fix false-positives, check changelog, model) #21257

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
s1gr1d merged 4 commits into from
Jun 1, 2026
Merged

chore(skills): Improve triage-issue skill (fix false-positives, check changelog, model) #21257

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
043d143
chore(skills): Improve triage-issue skill
s1gr1d Jun 1, 2026
2604f30
format
s1gr1d Jun 1, 2026
601eda1
use opus 4.8
s1gr1d Jun 1, 2026
ce6e991
update tool use
s1gr1d Jun 1, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions .agents/skills/triage-issue/SKILL.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -82,6 +82,12 @@ Cross-repo searches (only when clearly relevant):

**Shell safety:** Strip shell metacharacters from issue-derived search terms before use in commands.

#### Changelog investigation (when a version is mentioned)

If the issue states a version where the problem started (e.g. "works in 7.x, broken since 8.2.0"), **check `CHANGELOG.md`** for that version range.
Use the **Grep** tool (pattern `^## ` on `CHANGELOG.md`) to list version headings, then use the **Read** tool to read the relevant entries. Do NOT use Bash `grep`/`head` — the native Grep/Read tools are read-only and require no extra Bash permissions in CI.
Surface any relevant changelog delta in the triage report under **Root cause** or **Information gaps**. If nothing relevant is found, note that explicitly.

### Step 4: Related Issues & PRs

- Search for duplicate or related issues: `gh api search/issues -X GET -f "q=<terms>+repo:getsentry/sentry-javascript+type:issue"` and use the **Write** tool to save the command output to `search.json` in the workspace root
Expand Down
2 changes: 1 addition & 1 deletion .agents/skills/triage-issue/scripts/detect_prompt_injection.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -121,7 +121,7 @@ def is_non_latin(c: str) -> bool:
(r"\b(admin|developer|system)[\s_-]mode", 8, "Mode manipulation"),

# Sensitive file paths (10 points) - legitimate issues rarely reference these
(r"(~/\.aws/|~/\.ssh/|/root/|/etc/passwd|/etc/shadow)", 10, "System credentials path"),
(r"(~/\.aws/|~/\.ssh/|(?<!\w)/root/|/etc/passwd|/etc/shadow)", 10, "System credentials path"),
(r"(\.aws/credentials|id_rsa|\.ssh/id_)", 10, "Credentials file reference"),

# Environment variable exfiltration (8 points)
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/triage-issue.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,7 @@ jobs:
Do NOT use `python3 -c` or other inline Python in Bash, only the provided scripts are allowed.
Do NOT attempt to delete (`rm`) temporary files you create.
claude_args: |
--model claude-opus-4-8
--max-turns 50 --allowedTools "Write,Bash(gh api *),Bash(gh pr list *),Bash(npm info *),Bash(npm ls *),Bash(python3 .claude/skills/triage-issue/scripts/post_linear_comment.py *),Bash(python3 .claude/skills/triage-issue/scripts/parse_gh_issues.py *),Bash(python3 .claude/skills/triage-issue/scripts/detect_prompt_injection.py *),Bash(python3 .claude/skills/triage-issue/scripts/write_job_summary.py *)"
Copy link
Copy Markdown
Contributor

@sentry sentry Bot Jun 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: The triage-issue workflow is missing Bash(grep *) and Bash(head *) in its allowedTools list, but the SKILL.md instructs the agent to use these commands for changelog investigation.
Severity: HIGH

Suggested Fix

Add Bash(grep *) and Bash(head *) to the allowedTools list in .github/workflows/triage-issue.yml to permit the agent to execute the commands required for the changelog check.

Prompt for AI Agent 
Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.

Location: .github/workflows/triage-issue.yml#L78

Potential issue: The new changelog investigation step, defined in
`.agents/skills/triage-issue/SKILL.md`, instructs the agent to execute a command using
`grep` and `head`. However, the corresponding workflow file,
`.github/workflows/triage-issue.yml`, does not include `Bash(grep *)` or `Bash(head *)`
in its `allowedTools` configuration. When the agent attempts to run the specified
command, the action will block it because the tools are not whitelisted. This will cause
the changelog investigation feature to fail every time it is triggered, rendering this
new functionality inoperative.

Also affects:

  • .agents/skills/triage-issue/SKILL.md:87~89

Did we get this right? 👍 / 👎 to inform future reviews.

Copy link
Copy Markdown
Contributor

@sentry sentry Bot Jun 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: The triage-issue.yml workflow is missing Grep and Read in its allowedTools list, which are required by the new changelog investigation feature and will cause it to fail.
Severity: CRITICAL

Suggested Fix

Add Grep(./**) and Read(./**) to the allowedTools list in .github/workflows/triage-issue.yml to permit the agent to use the tools required for the new changelog investigation feature.

Prompt for AI Agent 
Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.

Location: .github/workflows/triage-issue.yml#L78

Potential issue: The pull request introduces a new "Changelog investigation" feature in
`SKILL.md` that requires the agent to use the `Grep` and `Read` tools. However, the
`allowedTools` list in the `triage-issue.yml` workflow was not updated to include
`Grep(./**)` and `Read(./**)`. The instructions explicitly forbid using `Bash grep/head`
as an alternative. When an issue mentioning a version number is processed, the agent
will attempt to use these un-whitelisted tools, causing the triage workflow to fail.

Also affects:

  • .agents/skills/triage-issue/SKILL.md:88~90

Copy link
Copy Markdown
Member Author

@s1gr1d s1gr1d Jun 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The skill can use the Read tool and does not need grep but this was now also updated in the skills markdown to explicitly state this.


- name: Post triage job summary
Expand Down
Loading