feat: add daily-otel-instrumentation-advisor workflow #24655
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/2b0febeb-53b8-4f19-83d4-471aed9ce7d9 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/2b0febeb-53b8-4f19-83d4-471aed9ce7d9 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/f4105523-ca3b-4a69-b16a-0b68e1089963 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Pull request overview
Adds a new daily agentic workflow that reviews repository JavaScript OpenTelemetry instrumentation and files a single actionable GitHub issue (or no-ops), with the workflow compiled into the generated lockfile.
Changes:
- Introduces `daily-otel-instrumentation-advisor` workflow manifest with prompt/instructions and Safe Outputs issue-creation configuration.
- Adds Sentry MCP server configuration to the workflow manifest.
- Adds the compiled workflow output (`*.lock.yml`) reflecting the new workflow.
| File | Description |
|---|---|
| .github/workflows/daily-otel-instrumentation-advisor.md | New workflow manifest/prompt for daily OTel instrumentation review, including Sentry MCP config and issue-creation Safe Outputs. |
| .github/workflows/daily-otel-instrumentation-advisor.lock.yml | Generated compiled GitHub Actions workflow corresponding to the new manifest. |
Copilot's findings
- Files reviewed: 2/2 changed files
- Comments generated: 2
| sentry: | ||
| url: "https://mcp.sentry.dev/mcp/gh-aw-test.sentry.io/gh-aw/" | ||
| headers: | ||
| Authorization: "Bearer ${{ secrets.SENTRY_API_KEY }}" |
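Review bot: The `Authorization` line sends `secrets.SENTRY_API_KEY` as a bearer token to `mcp.sentry.dev`, but nothing next to it records which Sentry scopes the token needs. Add a short comment above `headers:` stating the minimum scope (read-only if the workflow only reads data), so that whoever rotates the key does not provision a broader one.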
mcp-servers.sentry doesn’t declare an allowed tool list. In this repo, MCP servers are typically constrained via allowed (e.g. .github/workflows/shared/mcp/tavily.md:8, .github/workflows/shared/mcp/datadog.md:9-13). With no allowlist, the compiled lock config ends up permissive (write-sink accepts *), which increases blast radius if the server exposes more tools than intended. Add an explicit allowed: list (preferably the minimal set of Sentry tools this workflow needs).
| Authorization: "Bearer ${{ secrets.SENTRY_API_KEY }}" | |
| Authorization: "Bearer ${{ secrets.SENTRY_API_KEY }}" | |
| allowed: [] |
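Review bot: The added `allowed: []` line is an empty list, which does not match the request in the accompanying comment for the minimal set of Sentry tools this workflow needs. Replace it with the named tools before merging, or mark it as a placeholder, because as written a reader cannot tell whether an empty list denies every tool or is treated like a missing key when the lock file is compiled.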
| tracker-id: daily-otel-instrumentation-advisor | ||
| engine: claude | ||
| mcp-servers: | ||
| sentry: | ||
| url: "https://mcp.sentry.dev/mcp/gh-aw-test.sentry.io/gh-aw/" | ||
| headers: | ||
| Authorization: "Bearer ${{ secrets.SENTRY_API_KEY }}" |
The Sentry MCP auth header is set using a GitHub expression (Authorization: "Bearer ${{ secrets.SENTRY_API_KEY }}"). Because this gets embedded into the compiled workflow script/config, it’s easier to accidentally persist or print the secret (e.g., if the generated MCP config is ever echoed for debugging). Prefer passing SENTRY_API_KEY via environment and referencing it from the MCP config (similar to how the workflow handles GH_AW_SAFE_OUTPUTS_API_KEY), then recompile the lock file.
| tracker-id: daily-otel-instrumentation-advisor | |
| engine: claude | |
| mcp-servers: | |
| sentry: | |
| url: "https://mcp.sentry.dev/mcp/gh-aw-test.sentry.io/gh-aw/" | |
| headers: | |
| Authorization: "Bearer ${{ secrets.SENTRY_API_KEY }}" | |
| env: | |
| SENTRY_API_KEY: ${{ secrets.SENTRY_API_KEY }} | |
| tracker-id: daily-otel-instrumentation-advisor | |
| engine: claude | |
| mcp-servers: | |
| sentry: | |
| url: "https://mcp.sentry.dev/mcp/gh-aw-test.sentry.io/gh-aw/" | |
| headers: | |
| Authorization: "Bearer ${SENTRY_API_KEY}" |
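Review bot: In the suggested version, `env:` is placed ahead of `tracker-id`, outside `mcp-servers.sentry`, so `SENTRY_API_KEY` is defined more widely than the one server that uses it. Scope it as narrowly as the manifest format allows, and after recompiling confirm that `${SENTRY_API_KEY}` in the `Authorization` header is expanded at runtime and that the MCP config in the lock file no longer contains the `${{ secrets.SENTRY_API_KEY }}` expression.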
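A check for the two findings raised in the review comments above (an MCP server with no `allowed:` list, and a `${{ secrets.* }}` expression inside the MCP server block), as an added example that is not part of the pull request or the gh-aw project. It assumes the frontmatter layout shown in the quoted snippet; `lint_mcp_servers`, the sample text and the `example-search` server are constructed for illustration.

```python
import re

# Constructed sample modelled on the quoted frontmatter; "example-search" is hypothetical.
SAMPLE = """\
tracker-id: daily-otel-instrumentation-advisor
engine: claude
mcp-servers:
  sentry:
    url: "https://mcp.sentry.dev/mcp/gh-aw-test.sentry.io/gh-aw/"
    headers:
      Authorization: "Bearer ${{ secrets.SENTRY_API_KEY }}"
  example-search:
    url: "https://mcp.example.invalid/"
    allowed: [search]
"""

SECRET_EXPR = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")

def lint_mcp_servers(frontmatter: str) -> list[tuple[str, str]]:
    """Return (server, finding) pairs for servers under mcp-servers:."""
    servers = {}  # name -> {"allowed": bool, "secrets": [secret names]}
    in_block, server_indent, current = False, None, None
    for raw in frontmatter.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if not in_block:
            in_block = indent == 0 and line == "mcp-servers:"
            continue
        if indent == 0:  # next top-level key: the block has ended
            break
        if server_indent is None:
            server_indent = indent
        if indent == server_indent and line.endswith(":"):
            current = line[:-1]
            servers[current] = {"allowed": False, "secrets": []}
            continue
        if current is None:
            continue
        if line.startswith("allowed:"):
            servers[current]["allowed"] = True
        servers[current]["secrets"] += SECRET_EXPR.findall(line)
    findings = []
    for name, info in servers.items():
        if not info["allowed"]:
            findings.append((name, "no allowed: tool list"))
        findings += [(name, f"inline secrets.{s}") for s in info["secrets"]]
    return findings
```

The check only looks inside the `mcp-servers:` block, so a secret mapped through a top-level `env:` key, as in the second suggestion, is not reported.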