Commit Graph

7 Commits

  • ci: pin third-party GitHub Actions to commit SHAs (#5972)
    Replaces every floating tag in our workflow and composite action files
    with an immutable 40-character commit SHA, keeping the original `# vX`
    comment so Dependabot can still propose version bumps. 186 occurrences
    across 25 workflows and 2 composite actions.
    
    Also widens the github-actions Dependabot entry to use the plural
    `directories` key with `/.github/actions/*` so composite actions under
    `.github/actions/<name>/action.yml` are kept up to date. Previously
    Dependabot only scanned `.github/workflows` and the repo-root
    `action.yml`, leaving our `python-setup` and `sample-validation-setup`
    composite actions unmaintained.
  • Trigger issue triage on bug-labeled issues (#5763)
    * Trigger issue triage on bug-labeled issues instead of manual dispatch
    
    * Address PR feedback: scope concurrency cancellation to bug-label events
  • Propagate integration-test model credentials to issue-triage repro (#5443)
    Scopes the triage job to the integration GitHub Environment, adds
    the azure/login OIDC step, and exposes the same OpenAI / Azure
    OpenAI / Foundry / Anthropic env vars the integration test
    workflow uses. This lets the triage agent write repro code that
    constructs model clients from the environment without any secrets
    entering the agent prompt or generated-code literals.
    
    Azure OpenAI and Foundry continue to authenticate via AAD
    (DefaultAzureCredential), so there is no API key to leak for
    those providers.
  • Automated issue triage workflow (#5419)
    * Automated issue triage workflow
    
    * Bump dependencies
    
    * Fix issue-triage workflow: security, reliability, and testability
    
    Address six review comments on the issue-triage workflow:
    
    1. Change trigger from issues:opened to issues:labeled so the
       secret-backed triage flow is only triggered by a maintainer-
       controlled signal.
    
    2. Include inputs.issue_number in the concurrency group so
       workflow_dispatch runs for the same issue are properly
       de-duplicated.
    
    3. Improve team membership error handling to fail closed: verify
       the team exists before checking membership, and only treat a
       404 as 'not a member' (all other errors fail the job).
    
    4. Use optional chaining (issue.user?.login) for the API-fetched
       issue to handle deleted GitHub accounts without crashing.
    
    5. Extract the inline github-script into a testable module at
       .github/scripts/check_team_membership.js with 10 tests in
       .github/tests/test_check_team_membership.js covering all
       code paths (payload/API author resolution, deleted accounts,
       team lookup failure, 404 vs non-404 membership errors).
    
    6. Make the spam gate actually stop the job by exiting non-zero
       instead of just logging, so future steps cannot accidentally
       run for spam issues.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Make issue-triage workflow manually triggered only for initial testing
    
    Remove the 'issues' event trigger, keeping only 'workflow_dispatch' so the
    workflow can be tested manually before enabling automatic triggers.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    ---------
    
    Co-authored-by: Copilot <copilot@github.com>
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>