Automated issue triage workflow#5419
Conversation
There was a problem hiding this comment.
Pull request overview
Adds a new GitHub Actions workflow to automatically triage newly opened issues (and allow manual invocation) by checking reporter team membership and then running DevFlow-based classification/repro steps.
Changes:
- Introduces
.github/workflows/issue-triage.ymlto run onissues: openedandworkflow_dispatch. - Adds a team-membership gate to skip auto-triage for internal reporters.
- Runs DevFlow scripts to classify spam/relevance and optionally trigger reproduction.
moonbox3
left a comment
moonbox3
left a comment
There was a problem hiding this comment.
Automated Code Review
Reviewers: 4 | Confidence: 83%
✓ Correctness
The workflow is structurally sound for normal operation. The three issues from the prior review thread (secret exposure on any opened issue, concurrency group missing workflow_dispatch input, and catch-all error handling in team membership) remain unresolved in the current diff and are the most significant concerns. One new minor finding: the issue-author lookup via the REST API on line 75 does not guard against a null
userfield (which GitHub returns for deleted accounts), unlike line 68 which uses optional chaining.
✓ Security Reliability
The three main security concerns (unrestricted trigger on
issues: opened, concurrency group missinginputs.issue_number, and fail-open on team membership API errors) were already identified in the existing unresolved review thread. Beyond those, the workflow follows good practices: issue number input is regex-validated (line 51), secrets are passed through environment variables rather than expression interpolation (avoiding script injection), and checkouts usepersist-credentials: false. No new high-confidence security or reliability issues were found.
✓ Test Coverage
This PR adds a new GitHub Actions workflow for issue triage. From a test coverage perspective, the workflow embeds non-trivial team-membership-check logic as inline JavaScript (lines 67–96) rather than extracting it into a testable script under
.github/scripts/, which is the established pattern in this repo (seestale_issue_pr_ping.pywith its correspondingtest_stale_issue_pr_ping.py). The inline JS includes fallback author resolution, API error handling, and membership state checking — all paths that would benefit from unit tests but currently cannot be tested. The core triage scripts (classify_issue_spam.py,trigger_issue_repro.py) live in an external private repo and are outside the scope of this PR. No blocking test-coverage issues, but the untested inline logic is a notable gap given existing repo conventions.
✓ Design Approach
The workflow is structurally sound: minimal permissions, input validation, credential hygiene (
persist-credentials: false), and a two-job gate that skips triage for team members. The three issues raised in the prior review thread (trigger scope allowing any external issue to burn secrets, concurrency group not coveringworkflow_dispatchinputs, and fail-open error handling in team membership) remain unresolved in this diff and are the most significant design concerns. Beyond those, no new blocking design-approach issues were identified.
Suggestions
- Line 75:
issue.user.loginwill throw aTypeErrorfor issues opened by deleted GitHub accounts (userisnull). Use optional chaining (issue.user?.login) or a null guard, consistent with line 68'scontext.payload.issue?.user?.login. - Extract the inline JavaScript team-membership-check logic (lines 67–96) into a dedicated script under
.github/scripts/(e.g.,check_team_membership.js) with unit tests under.github/tests/, following the establishedstale_issue_pr_ping.py/test_stale_issue_pr_ping.pypattern. This would allow testing the fallback author-resolution, active-membership distinction, and error-handling branches. - The 'Stop after spam gate' step (line 155) is a misleading no-op—it logs but doesn't halt execution. The real gating relies on per-step
ifconditions, so any future step added without its own guard will silently bypass the spam gate. Consider failing the job when spam is detected (labeling is already applied) or restructuring into a separate job so the decision is enforced at the job-dependency level.
Automated review by moonbox3's agents
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
Automated Code Review
Reviewers: 4 | Confidence: 87%
✓ Correctness
This workflow closely mirrors the existing devflow-pr-review.yml and follows established repo patterns. The prior review comments (concurrency group missing inputs.issue_number, null-safety on issue.user.login, overly permissive error catch in team check, and the no-op spam gate step) remain the significant correctness concerns. No additional blocking issues were found beyond what has already been flagged.
✓ Security Reliability
The workflow is well-structured and follows existing repository patterns (closely mirrors devflow-pr-review.yml). The most significant security and reliability concerns—fail-open error handling in team membership checks, null-safety on issue.user, concurrency group gaps for workflow_dispatch, and the non-blocking spam gate—have already been identified in the existing review thread. Input validation is solid (regex check on issue_number, all shell variables properly quoted, persist-credentials: false on checkouts). After thorough review, no new high-severity security or reliability issues were found beyond those already flaged.
✓ Test Coverage
This workflow adds non-trivial logic in two untested inline blocks: a bash script that resolves issue metadata with input validation (lines 38–59) and a JavaScript block that resolves the issue author and checks team membership (lines 67–96). The JS block's test gap is already identified in the existing review thread (moonbox3, line 96). However, the bash block's input-validation regex and event-type branching are also testable and currently uncovered. The repo's established convention (
.github/scripts/+.github/tests/, as demonstrated bystale_issue_pr_ping.py) provides a clear pattern for extracting and testing this logic. No new tests are included in this PR.
✓ Design Approach
I did a bounded context pass across the new workflow plus the adjacent automation it builds on (
.github/workflows/devflow-pr-review.yml,.github/workflows/label-issues.yml,.github/workflows/stale-issue-pr-ping.yml, and the existing stale-issue script/tests). I did not find any additional design-approach problems beyond the concerns already captured in the unresolved review threads; the remaining issues I considered were either already raised there or would have required guessing about behavior in the private DevFlow scripts.
Suggestions
- The bash input-validation and event-routing logic in the 'Resolve issue metadata' step (lines 44–57) contains branching and a regex guard that would benefit from test coverage — consider extracting it into a testable script following the .github/scripts/ + .github/tests/ pattern already established by stale_issue_pr_ping.py.
Automated review by moonbox3's agents
Address six review comments on the issue-triage workflow: 1. Change trigger from issues:opened to issues:labeled so the secret-backed triage flow is only triggered by a maintainer- controlled signal. 2. Include inputs.issue_number in the concurrency group so workflow_dispatch runs for the same issue are properly de-duplicated. 3. Improve team membership error handling to fail closed: verify the team exists before checking membership, and only treat a 404 as 'not a member' (all other errors fail the job). 4. Use optional chaining (issue.user?.login) for the API-fetched issue to handle deleted GitHub accounts without crashing. 5. Extract the inline github-script into a testable module at .github/scripts/check_team_membership.js with 10 tests in .github/tests/test_check_team_membership.js covering all code paths (payload/API author resolution, deleted accounts, team lookup failure, 404 vs non-404 membership errors). 6. Make the spam gate actually stop the job by exiting non-zero instead of just logging, so future steps cannot accidentally run for spam issues. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Remove the 'issues' event trigger, keeping only 'workflow_dispatch' so the workflow can be tested manually before enabling automatic triggers. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Motivation and Context
GitHub workflow to automate initial bug reports from issues.
Description
Contribution Checklist