Replaces every floating tag in our workflow and composite action files
with an immutable 40-character commit SHA, keeping the original `# vX`
comment so Dependabot can still propose version bumps. 186 occurrences
across 25 workflows and 2 composite actions.

Also widens the github-actions Dependabot entry to use the plural
`directories` key with `/.github/actions/*` so composite actions under
`.github/actions/<name>/action.yml` are kept up to date. Previously
Dependabot only scanned `.github/workflows` and the repo-root
`action.yml`, leaving our `python-setup` and `sample-validation-setup`
composite actions unmaintained.

Scopes the triage job to the integration GitHub Environment, adds
the azure/login OIDC step, and exposes the same OpenAI / Azure
OpenAI / Foundry / Anthropic env vars the integration test
workflow uses. This lets the triage agent write repro code that
constructs model clients from the environment without any secrets
entering the agent prompt or generated-code literals.

Azure OpenAI and Foundry continue to authenticate via AAD
(DefaultAzureCredential), so there is no API key to leak for
those providers.
* Automated issue triage workflow

* Bump dependencies

* Fix issue-triage workflow: security, reliability, and testability

  Address six review comments on the issue-triage workflow:

  1. Change trigger from issues:opened to issues:labeled so the
     secret-backed triage flow is only triggered by a
     maintainer-controlled signal.
  2. Include inputs.issue_number in the concurrency group so
     workflow_dispatch runs for the same issue are properly
     de-duplicated.
  3. Improve team membership error handling to fail closed: verify
     the team exists before checking membership, and only treat a
     404 as 'not a member' (all other errors fail the job).
  4. Use optional chaining (issue.user?.login) for the API-fetched
     issue to handle deleted GitHub accounts without crashing.
  5. Extract the inline github-script into a testable module at
     .github/scripts/check_team_membership.js with 10 tests in
     .github/tests/test_check_team_membership.js covering all
     code paths (payload/API author resolution, deleted accounts,
     team lookup failure, 404 vs non-404 membership errors).
  6. Make the spam gate actually stop the job by exiting non-zero
     instead of just logging, so future steps cannot accidentally
     run for spam issues.

  Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Make issue-triage workflow manually triggered only for initial testing

  Remove the 'issues' event trigger, keeping only 'workflow_dispatch' so the
  workflow can be tested manually before enabling automatic triggers.

  Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <copilot@github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
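The SHA-pinning change in the first paragraph is the kind of thing that drifts back over time, so a check that fails CI when a `uses:` reference is not a full 40-hex commit SHA is a useful companion. The script below is an added example, not part of this commit or the project's tooling. It scans workflow YAML text line by line with a regular expression (no YAML parser needed for `uses:` lines), treats only a 40-hex ref as pinned, and reports local (`./`) and `docker://` references separately since they are not tag-pinned in the same way. The sample workflow and its all-zero SHA are constructed for the example.

```javascript
// Added example (not from the commit or the project): audit `uses:` references
// in GitHub Actions YAML for mutable refs. A reference counts as pinned only
// when it points at a full 40-hex commit SHA; the trailing `# vX` comment that
// Dependabot uses for version bumps is preserved in each finding.

const FULL_SHA = /^[0-9a-f]{40}$/;
// Matches `uses: ref`, `- uses: ref`, quoted refs, and an optional trailing comment.
const USES_LINE = /^\s*-?\s*uses:\s*['"]?([^'"#\s]+)['"]?\s*(#.*)?$/;

function classifyUses(ref) {
  if (ref.startsWith('./')) return 'local';          // composite action in this repo
  if (ref.startsWith('docker://')) return 'docker';  // image ref, pin by digest separately
  const at = ref.lastIndexOf('@');
  if (at === -1) return 'unversioned';               // no ref at all
  const version = ref.slice(at + 1);
  return FULL_SHA.test(version) ? 'pinned' : 'floating';
}

// Returns one finding per `uses:` line: { line, ref, status, comment }.
function auditWorkflow(yamlText) {
  const findings = [];
  yamlText.split('\n').forEach((line, idx) => {
    const m = USES_LINE.exec(line);
    if (!m) return;
    const ref = m[1];
    findings.push({
      line: idx + 1,
      ref,
      status: classifyUses(ref),
      comment: (m[2] || '').trim(),
    });
  });
  return findings;
}

// Only floating tags/branches and unversioned refs are reported as unpinned.
function unpinnedRefs(yamlText) {
  return auditWorkflow(yamlText)
    .filter((f) => f.status === 'floating' || f.status === 'unversioned')
    .map((f) => `${f.line}: ${f.ref}`);
}

// Constructed sample workflow; the SHA is a placeholder, not a real commit.
const SAMPLE_WORKFLOW = `
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
      - uses: actions/setup-python@v5
      - uses: ./.github/actions/python-setup
      - uses: "some-org/some-action@main"
      - uses: docker://alpine:3.19
      - run: echo hi
`;

// Stand-alone usage: in CI you would read each file under .github/workflows
// and .github/actions and fail the job when the list is non-empty.
const unpinned = unpinnedRefs(SAMPLE_WORKFLOW);
console.log(unpinned.length ? `unpinned refs:\n  ${unpinned.join('\n  ')}` : 'all refs pinned');
```

In a real CI job the same function would be run over every file under `.github/workflows` and `.github/actions`, with a non-zero exit when the returned list is non-empty; the Dependabot `directories` widening in the commit keeps the `# vX` comments (and therefore the pinned SHAs) current after that gate is in place.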
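Review item 3 (fail closed: verify the team exists, treat only a 404 as "not a member", fail the job on anything else) and item 4 (optional chaining for deleted accounts) describe a gate whose correctness depends on how each error class is handled. The code below is an added example of that logic, not the project's `.github/scripts/check_team_membership.js`. It assumes an Octokit-style client with `github.rest.teams.getByName` and `github.rest.teams.getMembershipForUserInOrg` (both real Octokit methods); the `mockGithub` client, the org/team names and the logins are constructed so the example runs offline.

```javascript
// Added example (not the project's check_team_membership.js): a fail-closed
// team membership check in the style of a github-script step. `github` is
// assumed to be an Octokit-like client; the mock below stands in for it.

class RequestError extends Error {
  constructor(status, message) { super(message); this.status = status; }
}

async function isTeamMember(github, { org, teamSlug, login }) {
  // Deleted account: the payload/API carries no user, so there is nobody to authorize.
  if (!login) return false;

  // Step 1: confirm the team exists. Any error here (404 included) aborts the
  // job instead of silently turning every author into a non-member or member.
  try {
    await github.rest.teams.getByName({ org, team_slug: teamSlug });
  } catch (err) {
    throw new Error(`team lookup failed for ${org}/${teamSlug}: ${err.status} ${err.message}`);
  }

  // Step 2: check membership. Only a 404 means "not a member"; 401/403/5xx or
  // a network failure is an unknown state and must fail closed.
  try {
    const { data } = await github.rest.teams.getMembershipForUserInOrg({
      org, team_slug: teamSlug, username: login,
    });
    return data.state === 'active';
  } catch (err) {
    if (err.status === 404) return false;
    throw new Error(`membership check failed for ${login}: ${err.status} ${err.message}`);
  }
}

// Resolve the issue author: prefer the event payload, fall back to the fetched
// issue, and tolerate a missing user object (deleted account) via optional chaining.
function resolveAuthor(payloadIssue, fetchedIssue) {
  return payloadIssue?.user?.login ?? fetchedIssue?.user?.login ?? null;
}

// Constructed mock client. `members` are active members; logins in
// `brokenLogins` simulate a transient API failure on the membership call.
function mockGithub({ teams, members, brokenLogins = [] }) {
  return {
    rest: {
      teams: {
        async getByName({ team_slug }) {
          if (!teams.includes(team_slug)) throw new RequestError(404, 'Not Found');
          return { data: { slug: team_slug } };
        },
        async getMembershipForUserInOrg({ username }) {
          if (brokenLogins.includes(username)) throw new RequestError(502, 'Bad Gateway');
          if (!members.includes(username)) throw new RequestError(404, 'Not Found');
          return { data: { state: 'active' } };
        },
      },
    },
  };
}

// Exercise every branch the commit's review item 3 names.
async function demo() {
  const gh = mockGithub({ teams: ['maintainers'], members: ['alice'], brokenLogins: ['carol'] });
  const check = (login, teamSlug = 'maintainers') =>
    isTeamMember(gh, { org: 'example-org', teamSlug, login });
  const failedClosed = (p) => p.then(() => 'unexpected success', (e) => `failed closed: ${e.message}`);
  return {
    member: await check('alice'),                                       // true
    nonMember: await check('bob'),                                      // false (404)
    deletedAccount: await check(resolveAuthor({ user: null }, null)),   // false
    apiError: await failedClosed(check('carol')),                       // job fails
    missingTeam: await failedClosed(check('alice', 'no-such-team')),    // job fails
  };
}

demo().then((results) => console.log(results));
```

The important asymmetry is that a missing team and a non-404 membership error both reject the promise, which in a github-script step fails the job, while only the documented "not a member" response returns `false`; a check that returned `false` on every error would let an API outage or a revoked token downgrade a maintainer-only gate to "nobody is a member", and one that returned `true` would open it to everyone.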