--- # ───────────────────────────────────────────────────────────────────────────── # .github/workflows/auto-triage-issues.md · GitHub Agentic Workflow (gh-aw) # QRefAI AI Coding Field Guide, Part 3 (Q3.6) # # GitHub Agentic Workflows are the event-driven, OUTER-LOOP automation substrate # for Copilot (vs. Claude hooks, which are inner-loop, per-tool, in the dev's # interactive session). You write the workflow in natural-language Markdown and # the gh-aw compiler turns it into a hardened, locked Actions workflow (.lock.yml). # # ★ READ-ONLY BY DEFAULT ★ The agent gets a read-only token. Any write goes # through "safe outputs" — sanitized, declarative ops with hard limits. Never # give the agent direct write access. # # ★ COMPILE WITH: gh aw compile --strict ★ # Strict mode enforces the security layers: read-only token, secrets isolated into # post-agent jobs, network firewall (Squid allowlist), containerized per-server MCP # gateway, and a trusted compiler that pins actions to SHAs and runs linters # (actionlint, zizmor, shellcheck, poutine). # ───────────────────────────────────────────────────────────────────────────── on: issues: types: [opened, reopened] permissions: contents: read # read-only token to the agent issues: read safe-outputs: add-comment: # sanitized, declarative write — not raw API access max: 1 add-labels: max: 3 allowed: [bug, enhancement, question, security, needs-info, duplicate] --- # Auto-triage new issues When an issue is opened or reopened: 1. Read the issue title and body. 2. Classify it: bug / enhancement / question / security / duplicate. 3. Apply the most fitting labels (from the allowed set above), at most three. 4. If the issue is missing information needed to act on it (repro steps, version, expected vs actual), post ONE comment listing exactly what's needed and apply `needs-info`. Do not close, assign, or edit the issue — only label and, at most, comment once. Be concise and specific; never post a generic acknowledgment.