
fix(auto-triage): add community and cookie approval-labels and centralize guard policy #24143

Merged
pelikhan merged 6 commits into main from copilot/deep-report-label-unlabeled-issues
Apr 2, 2026

Conversation

Contributor

Copilot AI commented Apr 2, 2026

The auto-triage-issues workflow couldn't label issues from community contributors (author_association: NONE) because it had no explicit min-integrity or approval-labels configured — causing determine_automatic_lockdown.cjs to default to approved for this public repo. Since community issues carry none integrity (below approved), DIFC blocked the agent from processing them.

Changes

  • shared/github-guard-policy.md (new): Shared agentic workflow that centralizes the standard approval labels for the repository — approval-labels: [cookie, community]. All workflows import this instead of declaring approval labels inline.
  • auto-triage-issues.md: Keep min-integrity: approved and import shared/github-guard-policy.md so issues carrying the community label bypass the integrity check.
  • auto-triage-issues.md: Add compiler and threat-detection to the component label classification rules — both labels already exist in the repo and are directly relevant to the backlogged issues.
  • 19 workflows refactored: Removed hardcoded approval-labels: [cookie] (or [community]) from every workflow and replaced with an import of shared/github-guard-policy.md. Affected workflows include daily-issues-report, issue-monster, issue-triage-agent, grumpy-reviewer, org-health-report, pr-triage-agent, refiner, smoke-agent-public-approved, smoke-agent-scoped-approved, smoke-copilot, stale-repo-identifier, weekly-blog-post-writer, weekly-issue-summary, weekly-safe-outputs-spec-review, workflow-generator, and others.
  • All lock files recompiled: Every affected workflow now has GH_AW_APPROVAL_LABELS_EXTRA: cookie,community in the parse-guard-vars step.

# shared/github-guard-policy.md
tools:
  github:
    approval-labels: [cookie, community]

…rity: none

The auto-triage-issues workflow had no min-integrity configured, causing
determine_automatic_lockdown.cjs to default to 'approved' for this public
repo. Community issues (author_association=NONE) have 'none' integrity —
below the 'approved' threshold — so DIFC blocked the agent from labeling
5 unlabeled community issues (#24128, #23963, #23935, #23178, #23148).

Changes:
- Add min-integrity: none to tools.github in auto-triage-issues.md
- Add compiler and threat-detection to component label classification rules
- Recompile lock file (removes determine-automatic-lockdown step, replaces
  with parse-guard-vars since min-integrity is now explicitly configured)

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/1461eb67-1f96-44c0-a97e-025f66ce2460

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Label five unlabeled community issues blocked by DIFC auto-triage" to "fix(auto-triage): set min-integrity: none to unblock labeling of community-filed issues" on Apr 2, 2026
Copilot AI requested a review from pelikhan April 2, 2026 16:41
@pelikhan
Collaborator

pelikhan commented Apr 2, 2026

@copilot set community as approval label and keep approved min integrity

…ead of none

Instead of lowering min-integrity to none (permissive for all content),
keep min-integrity: approved and add approval-labels: [community] so that
issues already carrying the community label bypass the integrity check.

This is consistent with the pattern used by other workflows (issue-monster,
issue-triage-agent, etc.) and avoids unnecessarily widening the trust scope.
The safe-outputs write-sink (accept: *) lets the agent write labels without
DIFC blocking the add_labels call.

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/810029cf-38d6-496c-999d-6437902841fe

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
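The guard decision described in the PR description and in this commit message, as an added illustration (not gh-aw's own code): a small JavaScript model of the integrity gate with the three configurations the thread discusses side by side. Taken from the PR text: a public repository with no explicit min-integrity defaults to approved, author_association NONE yields none integrity, and the lock files carry the approval labels as the comma-separated GH_AW_APPROVAL_LABELS_EXTRA. Assumptions: the numeric ordering of the two levels, which author associations map to approved, the non-public default, and every function and sample name below.

```javascript
// Added illustration, not gh-aw's code: a minimal model of the DIFC guard
// decision this PR talks about. Integrity ordering, the author_association
// mapping and the non-public default are assumptions drawn from the PR text.

const INTEGRITY_RANK = { none: 0, approved: 1 }; // assumed: none < approved

// Assumption: only owners, members and collaborators yield "approved";
// everyone else (author_association NONE, first-timers, ...) yields "none".
function integrityOf(authorAssociation) {
  return ["OWNER", "MEMBER", "COLLABORATOR"].includes(authorAssociation)
    ? "approved"
    : "none";
}

// The default the PR attributes to determine_automatic_lockdown.cjs: with no
// explicit min-integrity, a public repository requires "approved".
// (Defaulting a non-public repository to "none" is an assumption.)
function effectiveMinIntegrity(config, repo) {
  if (config.minIntegrity) return config.minIntegrity;
  return repo.visibility === "public" ? "approved" : "none";
}

// Parse the comma-separated value the lock files carry in
// GH_AW_APPROVAL_LABELS_EXTRA, e.g. "cookie,community".
function parseApprovalLabels(extra) {
  return new Set(
    (extra || "").split(",").map((s) => s.trim()).filter(Boolean),
  );
}

// The gate: content passes if it already carries an approval label, or if
// its integrity level meets the effective threshold.
function guardDecision(issue, config, repo) {
  const required = effectiveMinIntegrity(config, repo);
  const have = integrityOf(issue.author_association);
  const issueLabels = new Set(issue.labels.map((l) => l.name));
  const approvalLabels = parseApprovalLabels(config.approvalLabelsExtra);
  const bypass = [...approvalLabels].find((l) => issueLabels.has(l));
  if (bypass !== undefined) {
    return { allowed: true, reason: `approval label "${bypass}"`, required, have };
  }
  if (INTEGRITY_RANK[have] >= INTEGRITY_RANK[required]) {
    return { allowed: true, reason: "integrity meets threshold", required, have };
  }
  return { allowed: false, reason: `integrity ${have} < ${required}`, required, have };
}

// The three configurations discussed in the PR, in order of appearance.
const CONFIGS = {
  "unset (defaults to approved)": {},
  "min-integrity: none": { minIntegrity: "none" },
  "approved + approval-labels": {
    minIntegrity: "approved",
    approvalLabelsExtra: "cookie,community",
  },
};

// Constructed sample issues; not real issues from the repository.
const SAMPLES = {
  "community, unlabeled": { author_association: "NONE", labels: [] },
  "community, labeled": {
    author_association: "NONE",
    labels: [{ name: "community" }],
  },
  "member, unlabeled": { author_association: "MEMBER", labels: [] },
};

// Returns { configName: { sampleName: allowed } } for the given repository.
function decisionMatrix(repo = { visibility: "public" }) {
  const matrix = {};
  for (const [cfgName, cfg] of Object.entries(CONFIGS)) {
    matrix[cfgName] = {};
    for (const [name, issue] of Object.entries(SAMPLES)) {
      matrix[cfgName][name] = guardDecision(issue, cfg, repo).allowed;
    }
  }
  return matrix;
}

console.table(decisionMatrix());
```

Running it prints a decision matrix. The row that matters is the unlabeled community issue: min-integrity none admits it together with every other unlabeled untrusted input, while approved plus approval labels admits only content that someone with permission to apply community or cookie has marked. That also states the caveat a reviewer should keep in mind: the bypass is exactly as strong as the set of accounts and automations allowed to apply those labels, so a workflow that applied them to untriaged content would reopen the gap.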
Contributor Author

Copilot AI commented Apr 2, 2026

@copilot set community as approval label and keep approved min integrity

Done in b12c1eb. Reverted min-integrity: none back to approved and added approval-labels: [community] to the tools.github guard config. Issues carrying the community label will bypass the integrity check, while the safe-outputs write-sink: {accept: ["*"]} allows add_labels calls without DIFC blocking the write.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title from "fix(auto-triage): set min-integrity: none to unblock labeling of community-filed issues" to "fix(auto-triage): add community approval-label to unblock labeling of community-filed issues" on Apr 2, 2026
@pelikhan
Collaborator

pelikhan commented Apr 2, 2026

@copilot cookie and community are the approved labels. Create a share agentic workflow and refactor all AWs that use approval-labels

…e it

- Add shared/github-guard-policy.md with approval-labels: [cookie, community]
- Remove hardcoded approval-labels: [cookie] from 18 workflows
- Remove approval-labels: [community] from auto-triage-issues.md
- Add import for shared/github-guard-policy.md to all 19 affected workflows
- Recompile all lock files — GH_AW_APPROVAL_LABELS_EXTRA now set to cookie,community in every workflow

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/67559ffd-0ee3-4c57-9599-a5a583f414f8

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented Apr 2, 2026

@copilot cookie and community are the approved labels. Create a share agentic workflow and refactor all AWs that use approval-labels

Done in 3f5f978. Created shared/github-guard-policy.md with approval-labels: [cookie, community] and refactored all 19 workflows that previously had approval-labels to import the shared policy instead. All lock files now compile with GH_AW_APPROVAL_LABELS_EXTRA: cookie,community.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

@pelikhan
Collaborator

pelikhan commented Apr 2, 2026

@copilot merge main, recompile

Copilot AI changed the title from "fix(auto-triage): add community approval-label to unblock labeling of community-filed issues" to "fix(auto-triage): add community and cookie approval-labels and centralize guard policy" on Apr 2, 2026
Copilot AI and others added 2 commits April 2, 2026 17:15
…abel-unlabeled-issues

# Conflicts:
#	.github/workflows/issue-triage-agent.lock.yml
#	.github/workflows/pr-triage-agent.lock.yml
#	.github/workflows/stale-repo-identifier.lock.yml
#	.github/workflows/weekly-issue-summary.lock.yml

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/c587e82a-9f15-4d34-aa57-9677fc5acc7b

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented Apr 2, 2026

@copilot merge main, recompile

Done in 83d490d. Merged origin/main (resolved conflicts in 4 lock files), rebuilt the binary, and recompiled all 179 workflows — 0 errors.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0 --jq .object.sha (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

@pelikhan pelikhan marked this pull request as ready for review April 2, 2026 17:17
Copilot AI review requested due to automatic review settings April 2, 2026 17:17
@pelikhan pelikhan merged commit 5380a02 into main Apr 2, 2026
@pelikhan pelikhan deleted the copilot/deep-report-label-unlabeled-issues branch April 2, 2026 17:17
@github-actions
Contributor

github-actions bot commented Apr 2, 2026

Hey @Copilot 👋 — great work centralizing the guard policy and fixing the community issue DIFC integrity mismatch! The scope is well-defined and the description clearly documents all 19+ affected workflows. All the mechanical lock file regeneration looks correct.

A couple of things to address before this leaves draft:

  • Add tests for shared/github-guard-policy.md — This new shared file is now imported by every major workflow. Add a TestGuardPolicySharedImport test case following the pattern in pkg/cli/compile_guard_policy_test.go to create a regression guard against future regressions.

  • Update github_lockdown_autodetect_test.go — These integration tests still assert on the old determine-automatic-lockdown step name. While they won't break (they test the compiler, not deployed workflow files), adding a test case that documents the new explicit guard-policy path would improve long-term maintainability.

Once out of draft and tests are added, this looks ready for maintainer review. 🚀

Generated by Contribution Check

Contributor

Copilot AI left a comment

Pull request overview

This PR fixes auto-triage labeling for community-authored issues by centralizing GitHub MCP guard approval-label policy and applying it across workflows so community/cookie-labeled items can pass the integrity gate.

Changes:

  • Added a shared guard policy (shared/github-guard-policy.md) defining standard approval-labels: [cookie, community].
  • Updated auto-triage-issues to import the shared policy, explicitly set min-integrity: approved, and expanded component classification (compiler, threat-detection).
  • Refactored multiple workflows to remove inline approval-labels and recompiled lockfiles so GH_AW_APPROVAL_LABELS_EXTRA includes cookie,community.

Reviewed changes

Copilot reviewed 39 out of 39 changed files in this pull request and generated no comments.

Summary per file (path, then description):
.github/workflows/shared/github-guard-policy.md New shared import that standardizes GitHub guard approval-labels across workflows.
.github/workflows/auto-triage-issues.md Imports shared guard policy, sets min-integrity: approved, and adds new component label heuristics.
.github/workflows/auto-triage-issues.lock.yml Recompiled; switches to parsed guard vars and embeds standardized approval labels/trust lists into MCP guard config.
.github/workflows/workflow-generator.md Removes inline approval-labels and imports shared guard policy.
.github/workflows/workflow-generator.lock.yml Recompiled to include runtime-import of shared guard policy and cookie,community in parsed approval labels.
.github/workflows/weekly-safe-outputs-spec-review.md Removes inline approval-labels and imports shared guard policy.
.github/workflows/weekly-safe-outputs-spec-review.lock.yml Recompiled to include shared guard policy import and cookie,community approval labels extra.
.github/workflows/weekly-issue-summary.md Removes inline approval-labels and imports shared guard policy alongside existing shared imports.
.github/workflows/weekly-issue-summary.lock.yml Recompiled to include shared guard policy import and cookie,community approval labels extra.
.github/workflows/weekly-blog-post-writer.md Removes inline approval-labels and imports shared guard policy.
.github/workflows/weekly-blog-post-writer.lock.yml Recompiled to include shared guard policy import and cookie,community approval labels extra.
.github/workflows/stale-repo-identifier.md Removes inline approval-labels and imports shared guard policy.
.github/workflows/stale-repo-identifier.lock.yml Recompiled to include shared guard policy import and cookie,community approval labels extra.
.github/workflows/smoke-copilot.md Removes inline approval-labels and imports shared guard policy.
.github/workflows/smoke-copilot.lock.yml Recompiled to include shared guard policy import and cookie,community approval labels extra.
.github/workflows/smoke-agent-scoped-approved.md Removes inline approval-labels and imports shared guard policy.
.github/workflows/smoke-agent-scoped-approved.lock.yml Recompiled to include shared guard policy import and cookie,community approval labels extra.
.github/workflows/smoke-agent-public-approved.md Removes inline approval-labels and imports shared guard policy.
.github/workflows/smoke-agent-public-approved.lock.yml Recompiled to include shared guard policy import and cookie,community approval labels extra.
.github/workflows/refiner.md Removes inline approval-labels and imports shared guard policy.
.github/workflows/refiner.lock.yml Recompiled to include shared guard policy import and cookie,community approval labels extra.
.github/workflows/pr-triage-agent.md Removes inline approval-labels and imports shared guard policy.
.github/workflows/pr-triage-agent.lock.yml Recompiled to include shared guard policy import and cookie,community approval labels extra.
.github/workflows/org-health-report.md Removes inline approval-labels and imports shared guard policy.
.github/workflows/org-health-report.lock.yml Recompiled to include shared guard policy import and cookie,community approval labels extra.
.github/workflows/issue-triage-agent.md Removes inline approval-labels and imports shared guard policy.
.github/workflows/issue-triage-agent.lock.yml Recompiled to include shared guard policy import and cookie,community approval labels extra.
.github/workflows/issue-monster.md Removes inline approval-labels and imports shared guard policy.
.github/workflows/issue-monster.lock.yml Recompiled to include shared guard policy import and cookie,community approval labels extra.
.github/workflows/issue-arborist.md Removes inline approval-labels and imports shared guard policy.
.github/workflows/issue-arborist.lock.yml Recompiled to include shared guard policy import and cookie,community approval labels extra.
.github/workflows/grumpy-reviewer.md Removes inline approval-labels and imports shared guard policy.
.github/workflows/grumpy-reviewer.lock.yml Recompiled to include shared guard policy import and cookie,community approval labels extra.
.github/workflows/discussion-task-miner.md Removes inline approval-labels and imports shared guard policy.
.github/workflows/discussion-task-miner.lock.yml Recompiled to include shared guard policy import and cookie,community approval labels extra.
.github/workflows/daily-issues-report.md Removes inline approval-labels and imports shared guard policy.
.github/workflows/daily-issues-report.lock.yml Recompiled to include shared guard policy import and cookie,community approval labels extra.
.github/workflows/daily-doc-updater.md Removes inline approval-labels and imports shared guard policy.
.github/workflows/daily-doc-updater.lock.yml Recompiled to include shared guard policy import and cookie,community approval labels extra.

Development

Successfully merging this pull request may close these issues.

[deep-report] Label 5 unlabeled community issues blocked by DIFC auto-triage

3 participants