30 changes: 30 additions & 0 deletions .github/workflows/comment-on-unready-assigned-issue.yml
@@ -0,0 +1,30 @@
name: Comment on Unready Assigned Issue
on:
workflow_call:
secrets:
OZ_MGMT_GHA_APP_ID:
required: true
OZ_MGMT_GHA_PRIVATE_KEY:
required: true
jobs:
comment_when_unready:
runs-on: ubuntu-slim
permissions:
issues: write
steps:
- name: Create GitHub App token
id: app_token
uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3
with:
app-id: ${{ secrets.OZ_MGMT_GHA_APP_ID }}
owner: ${{ github.repository_owner }}
private-key: ${{ secrets.OZ_MGMT_GHA_PRIVATE_KEY }}
- name: Checkout repo
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
- name: Run unready-assignment workflow
uses: warpdotdev/oz-for-oss/.github/actions/run-oz-python-script@main # main
⚠️ [IMPORTANT] This call still points at warpdotdev/oz-for-oss/.github/actions/run-oz-python-script@main, but .github/actions/run-oz-python-script/action.yml and the .github/scripts entrypoints are absent from main. Restore those dependencies too or rewrite this workflow to call the new control-plane path; otherwise callers will still fail with action.yml not found.

with:
script-path: comment_on_unready_assigned_issue.py
env:
GH_TOKEN: ${{ steps.app_token.outputs.token }}
GH_APP_SLUG: ${{ steps.app_token.outputs.app-slug }}
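Review bot: the step at `uses: warpdotdev/oz-for-oss/.github/actions/run-oz-python-script@main # main` tracks a mutable branch, while the `actions/create-github-app-token` and `actions/checkout` steps in the same job are pinned to full commit SHAs; anyone who can push to `main` in `warpdotdev/oz-for-oss` can change the code this job runs with an App token that carries `issues: write`. Pin the composite action to a commit SHA with the ref as a trailing comment, the convention this file already uses for the other two actions, and let a dependency bot bump it.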
101 changes: 101 additions & 0 deletions .github/workflows/respond-to-triaged-issue-comment.yml
@@ -0,0 +1,101 @@
name: Respond to Triaged Issue Comment
on:
workflow_call:
secrets:
OZ_MGMT_GHA_APP_ID:
required: true
OZ_MGMT_GHA_PRIVATE_KEY:
required: true
OSS_WARP_API_KEY:
required: true
jobs:
# ``author_association`` is scoped to the repository, so an actual org
# member may still report as ``CONTRIBUTOR`` (private membership,
# contribution-history ordering, etc.). Gate the inline-response run
# on either the static allowlist OR a positive
# ``GET /orgs/{org}/members/{login}`` probe so legitimate maintainer
# comments are not dropped.
#
# Downstream adapters only need the ``on:`` trigger plus a
# pass-through ``uses:`` call; mention, bot, event-type, and trust
# gates all live in this file.
check_trust:
name: Check commenter trust
if: >-
github.event_name == 'issue_comment' &&
!github.event.issue.pull_request &&
contains(github.event.comment.body, '@oz-agent') &&
contains(github.event.issue.labels.*.name, 'triaged') &&
!contains(github.event.issue.labels.*.name, 'ready-to-spec') &&
!contains(github.event.issue.labels.*.name, 'ready-to-implement') &&
github.event.comment.user.type != 'Bot' &&
!endsWith(github.event.comment.user.login, '[bot]')
runs-on: ubuntu-slim
outputs:
trusted: ${{ steps.evaluate.outputs.trusted }}
steps:
- name: Create GitHub App token
id: app_token
uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3
with:
app-id: ${{ secrets.OZ_MGMT_GHA_APP_ID }}
owner: ${{ github.repository_owner }}
private-key: ${{ secrets.OZ_MGMT_GHA_PRIVATE_KEY }}
- name: Evaluate commenter trust
id: evaluate
env:
GH_TOKEN: ${{ steps.app_token.outputs.token }}
ASSOCIATION: ${{ github.event.comment.author_association }}
ACTOR: ${{ github.event.comment.user.login }}
ORG: ${{ github.repository_owner }}
run: |
set -euo pipefail
case "${ASSOCIATION:-}" in
OWNER|MEMBER|COLLABORATOR)
echo "Treating @${ACTOR} as trusted via author_association=${ASSOCIATION}."
echo "trusted=true" >> "$GITHUB_OUTPUT"
exit 0
;;
esac
if gh api --silent "/orgs/${ORG}/members/${ACTOR}" 2>/dev/null; then
echo "Treating @${ACTOR} as trusted via /orgs/${ORG}/members (association=${ASSOCIATION})."
echo "trusted=true" >> "$GITHUB_OUTPUT"
else
echo "::notice::Ignoring @oz-agent mention from @${ACTOR}; not an org member (association=${ASSOCIATION})."
echo "trusted=false" >> "$GITHUB_OUTPUT"
fi
respond_inline:
needs: check_trust
if: needs.check_trust.outputs.trusted == 'true'
runs-on: ubuntu-latest
permissions:
contents: read
issues: write
env:
TRIAGE_IMAGE: oz-for-oss-triage
steps:
- name: Create GitHub App token
id: app_token
uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3
with:
app-id: ${{ secrets.OZ_MGMT_GHA_APP_ID }}
owner: ${{ github.repository_owner }}
private-key: ${{ secrets.OZ_MGMT_GHA_PRIVATE_KEY }}
- name: Checkout repo
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
with:
fetch-depth: 0
- name: Build triage agent container
uses: warpdotdev/oz-for-oss/.github/actions/build-triage-image@main # main
⚠️ [IMPORTANT] warpdotdev/oz-for-oss/.github/actions/build-triage-image@main is also missing from main, so this restored job will fail before it reaches the inline response script. Restore the composite action and Docker assets or replace the step with the current implementation.

with:
image-name: ${{ env.TRIAGE_IMAGE }}
- name: Run inline issue response workflow
uses: warpdotdev/oz-for-oss/.github/actions/run-oz-python-script@main # main
with:
script-path: respond_to_triaged_issue_comment.py
env:
GH_TOKEN: ${{ steps.app_token.outputs.token }}
GH_APP_SLUG: ${{ steps.app_token.outputs.app-slug }}
WARP_API_KEY: ${{ secrets.OSS_WARP_API_KEY }}
⚠️ [IMPORTANT] [SECURITY] This forwards OSS_WARP_API_KEY into the same agent environment that receives untrusted issue bodies/comments, so prompt-injection content can ask the agent to read and echo the secret and the workflow posts analysis_comment without redaction. Keep the API key out of the agent/tool environment or use a narrowly scoped ephemeral token plus output secret scanning before enabling this path.

WARP_AGENT_MODEL: ${{ vars.WARP_AGENT_MODEL || '' }}
WARP_API_BASE_URL: https://app.warp.dev/api/v1
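Review bot: in the `Evaluate commenter trust` step, `gh api --silent "/orgs/${ORG}/members/${ACTOR}" 2>/dev/null` collapses every failure into `trusted=false`: a 403 because the App installation lacks organization members read permission is indistinguishable from the 404 for a non-member, so a misconfigured App silently drops every maintainer comment the `author_association` case did not already accept, and the `::notice::` line reports them as non-members. Capture the HTTP status (for example `gh api --include`) and fail the job on anything other than 204 or 404, so the gate fails with a visible error instead of degrading quietly. Also, `COLLABORATOR` in the `case` allowlist covers outside collaborators with repository access, not only org members, which the job comment's "org member" wording does not reflect; confirm that is intended.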
43 changes: 43 additions & 0 deletions .github/workflows/update-dedupe.yml
@@ -0,0 +1,43 @@
name: Update Dedupe Skill
on:
workflow_call:
inputs:
lookback_days:
description: Number of days to look back for closed-as-duplicate signals
required: false
default: '7'
type: string
secrets:
OZ_MGMT_GHA_APP_ID:
required: true
OZ_MGMT_GHA_PRIVATE_KEY:
required: true
OSS_WARP_API_KEY:
required: true
jobs:
update_dedupe:
runs-on: ubuntu-slim
permissions:
contents: write
pull-requests: write
steps:
- name: Create GitHub App token
id: app_token
uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3
with:
app-id: ${{ secrets.OZ_MGMT_GHA_APP_ID }}
owner: ${{ github.repository_owner }}
private-key: ${{ secrets.OZ_MGMT_GHA_PRIVATE_KEY }}
- name: Checkout repo
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
- name: Run update dedupe workflow
uses: warpdotdev/oz-for-oss/.github/actions/run-oz-python-script@main # main
with:
script-path: update_dedupe.py
env:
GH_TOKEN: ${{ steps.app_token.outputs.token }}
LOOKBACK_DAYS: ${{ inputs.lookback_days || '7' }}
WARP_API_KEY: ${{ secrets.OSS_WARP_API_KEY }}
WARP_AGENT_MODEL: ${{ vars.WARP_AGENT_MODEL || '' }}
WARP_ENVIRONMENT_ID: ${{ vars.WARP_ENVIRONMENT_ID || '' }}
WARP_API_BASE_URL: https://app.warp.dev/api/v1
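Review bot: `LOOKBACK_DAYS: ${{ inputs.lookback_days || '7' }}` only catches an empty value; because the input is `type: string`, nothing checks that it is a positive integer before `update_dedupe.py` consumes it, so a caller passing something like `'7 days'` reaches the script unvalidated. Add a short validation step before the run step (`[[ "$LOOKBACK_DAYS" =~ ^[0-9]+$ ]] || exit 1`) or have the script reject non-numeric input explicitly.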
43 changes: 43 additions & 0 deletions .github/workflows/update-pr-review.yml
@@ -0,0 +1,43 @@
name: Update PR Review Skill
on:
workflow_call:
inputs:
lookback_days:
description: Number of days to look back for PR feedback
required: false
default: '7'
type: string
secrets:
OZ_MGMT_GHA_APP_ID:
required: true
OZ_MGMT_GHA_PRIVATE_KEY:
required: true
OSS_WARP_API_KEY:
required: true
jobs:
update_pr_review:
runs-on: ubuntu-slim
permissions:
contents: write
pull-requests: write
steps:
- name: Create GitHub App token
id: app_token
uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3
with:
app-id: ${{ secrets.OZ_MGMT_GHA_APP_ID }}
owner: ${{ github.repository_owner }}
private-key: ${{ secrets.OZ_MGMT_GHA_PRIVATE_KEY }}
- name: Checkout repo
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
- name: Run update PR review workflow
uses: warpdotdev/oz-for-oss/.github/actions/run-oz-python-script@main # main
with:
script-path: update_pr_review.py
env:
GH_TOKEN: ${{ steps.app_token.outputs.token }}
LOOKBACK_DAYS: ${{ inputs.lookback_days || '7' }}
WARP_API_KEY: ${{ secrets.OSS_WARP_API_KEY }}
WARP_AGENT_MODEL: ${{ vars.WARP_AGENT_MODEL || '' }}
WARP_ENVIRONMENT_ID: ${{ vars.WARP_ENVIRONMENT_ID || '' }}
WARP_API_BASE_URL: https://app.warp.dev/api/v1
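Review bot: `permissions: contents: write` and `pull-requests: write` widen the job's `GITHUB_TOKEN`, yet the only credential the steps hand to the script is the App token in `GH_TOKEN: ${{ steps.app_token.outputs.token }}`; unless `update_pr_review.py` falls back to `GITHUB_TOKEN`, those write grants are unused surface. Reduce them to `contents: read` (sufficient for the checkout) and keep write scope on the App installation, which is where any push or pull-request creation would be authenticated.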
43 changes: 43 additions & 0 deletions .github/workflows/update-triage.yml
@@ -0,0 +1,43 @@
name: Update Triage Skill
on:
workflow_call:
inputs:
lookback_days:
description: Number of days to look back for triage feedback
required: false
default: '7'
type: string
secrets:
OZ_MGMT_GHA_APP_ID:
required: true
OZ_MGMT_GHA_PRIVATE_KEY:
required: true
OSS_WARP_API_KEY:
required: true
jobs:
update_triage:
runs-on: ubuntu-slim
permissions:
contents: write
pull-requests: write
steps:
- name: Create GitHub App token
id: app_token
uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3
with:
app-id: ${{ secrets.OZ_MGMT_GHA_APP_ID }}
owner: ${{ github.repository_owner }}
private-key: ${{ secrets.OZ_MGMT_GHA_PRIVATE_KEY }}
- name: Checkout repo
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
- name: Run update triage workflow
uses: warpdotdev/oz-for-oss/.github/actions/run-oz-python-script@main # main
with:
script-path: update_triage.py
env:
GH_TOKEN: ${{ steps.app_token.outputs.token }}
LOOKBACK_DAYS: ${{ inputs.lookback_days || '7' }}
WARP_API_KEY: ${{ secrets.OSS_WARP_API_KEY }}
WARP_AGENT_MODEL: ${{ vars.WARP_AGENT_MODEL || '' }}
WARP_ENVIRONMENT_ID: ${{ vars.WARP_ENVIRONMENT_ID || '' }}
WARP_API_BASE_URL: https://app.warp.dev/api/v1
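Review bot: this file is identical to `update-dedupe.yml` and `update-pr-review.yml` apart from `name`, the job id, the input description and `script-path`, so the action SHAs, secrets list and env block now have to be kept in sync in three places. Consider one reusable workflow that takes `script-path` as an input. Separately, `WARP_ENVIRONMENT_ID: ${{ vars.WARP_ENVIRONMENT_ID || '' }}` is a no-op (an unset repository variable already evaluates to an empty string) and lets a missing configuration reach `update_triage.py` as an empty value; if the environment id is required for the run, fail fast with an explicit check in the workflow.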