feat(flue): Add shared issue triage workflow #180
Merged
Move issue triage automation into the org .github repository so target repositories can call one shared Flue workflow. Add the Sentry Intern persona, central repository allowlist, manual issue dispatch path, and focused validation coverage. Co-Authored-By: GPT-5 Codex <noreply@openai.com>
Validate the repository input before exporting a canonical owner/name value and pass that sanitized value through environment variables in shell steps. This avoids evaluating caller-controlled repository text while preserving the reusable workflow contract. Co-Authored-By: GPT-5 Codex <noreply@openai.com>
Subscribe the shared issue triage workflow to opened issue events directly from .github instead of exposing it as a reusable workflow. Resolve the target repository and issue number from either the issue event or manual dispatch before the feature allowlist and agent steps run. Co-Authored-By: GPT-5 Codex <noreply@openai.com>
Keep duplicate triage from crashing when GitHub mutations fail. Duplicate closure now records comment, label, and close failures in the result so the workflow can surface human-review context instead of throwing through the whole run. Co-Authored-By: GPT-5 Codex <noreply@openai.com>
Keep issue triage as a reusable workflow because GitHub Actions event triggers run in the repository where the event occurs. Document the required local caller workflow and require workflow_call invocations to target the caller repository before the feature allowlist and token creation steps run. Co-Authored-By: GPT-5 Codex <noreply@openai.com>
Check whether the installed gh CLI supports --duplicate-of before linking duplicate closures. Fall back to --reason duplicate on older runners so duplicate triage can still close the issue instead of degrading to human review. Co-Authored-By: GPT-5 Codex <noreply@openai.com>
Validate the reusable workflow against GitHub Actions and action input contracts. Keep the workflow scoped to getsentry, validate required secrets before token creation, and configure pnpm setup to read automation/package.json. Also reject cross-repository duplicate candidates before automatic closure so only same-repo duplicates can be closed without human review. Co-Authored-By: GPT-5 Codex <noreply@openai.com>
Member
Author
if this ends up too painful I'm going to just set it up as a service, and bind a workflow here that calls a custom action
Return an unavailable repository context when the prepared checkout path is missing or not a git checkout. This keeps the diagnosis stage from trusting a checkout path that cannot be inspected. Co-Authored-By: GPT-5 Codex <noreply@openai.com>
Install Prettier, lint-staged, simple-git-hooks, and a repo-local actionlint wrapper so workflow linting can run through pnpm. Format existing supported files once so the new lint gate starts green. Co-Authored-By: GPT-5 Codex <noreply@openai.com>
Derive the current repository from the issue URL when the payload omits it, and fall back to human review if either side of the duplicate comparison cannot be validated. This preserves the same-repository auto-close invariant for direct CLI invocations too. Co-Authored-By: GPT-5 Codex <noreply@openai.com>
Remove repo-local lint hook scaffolding and keep the workflow allowlist inline. Use the prepared target checkout directly and keep local tests on Node's built-in test runner to reduce dependency churn. Co-Authored-By: GPT-5 Codex <noreply@openai.com>
Make target repository checkout use the workflow token explicitly and close linked duplicates with gh --duplicate-of when available. Keep a duplicate reason fallback for older gh versions. Co-Authored-By: GPT-5 Codex <noreply@openai.com>
Pass the workflow GITHUB_TOKEN explicitly to both target repository checkout steps so reusable workflow callers use their repository-scoped token for source inspection. Co-Authored-By: GPT-5 Codex <noreply@openai.com>
Prevent read-only gh commands from inheriting write-scoped GitHub tokens when the read token is missing. Apply the duplicate label only after a duplicate close succeeds so failed closes do not leave open issues marked as duplicates. Co-Authored-By: OpenAI Codex <codex@openai.com>
Treat the prepared target repository as unavailable unless the checkout directory contains a Git checkout. This prevents a failed checkout that leaves an empty directory from being passed to the triage model as usable context. Co-Authored-By: OpenAI Codex <codex@openai.com>
Grant the issue triage read token contents access and use it for target repository checkout. This lets manual dispatch inspect private target repositories instead of silently losing code context under the .github repository token. Co-Authored-By: OpenAI Codex <codex@openai.com>
Catch remaining unhandled triage failures and return a human-review result instead of crashing the workflow. This covers issue context fetch failures outside the narrower duplicate and update handling paths. Co-Authored-By: OpenAI Codex <codex@openai.com>
Use the read-only gh command as the default for JSON reads so future read helpers do not silently inherit write-token access. Co-Authored-By: OpenAI Codex <codex@openai.com>
Remove bespoke provider and network error classification from issue triage. Keep the fail-closed path and preserve the actionable gh close capability error, but otherwise use one generic safe failure summary. Co-Authored-By: OpenAI Codex <codex@openai.com>
Remove the first-sentence parser that tried to infer whether model comments already identified the bot persona. Make the handler own the fixed Sentry Intern intro and update the triage skill so model comments only provide the substantive note. Co-Authored-By: OpenAI Codex <codex@openai.com>
Remove the manual workflow default repository so dispatch runs must choose the target explicitly. Clarify the Flue README with the required organization secrets and variable for issue triage. Co-Authored-By: OpenAI Codex <codex@openai.com>
Allow model JSON to return null for an absent duplicate candidate without rejecting the entire duplicate search result. Keep the existing runtime guard for duplicate status without a candidate and add focused schema coverage. Co-Authored-By: OpenAI Codex <codex@openai.com>
Treat GitHub repository names as case-insensitive when validating same-repository duplicate candidates. This avoids rejecting a valid duplicate only because the candidate URL used different casing. Co-Authored-By: OpenAI Codex <codex@openai.com>
Create gh command definitions at use time so workflow-provided tokens are not captured before runtime. Normalize target repository casing during workflow validation so allowlist and caller checks behave consistently for GitHub repository names. Co-Authored-By: OpenAI Codex <codex@openai.com>
mchen-sentry approved these changes May 12, 2026
Add a job-level gate for the issue triage allowlist so disabled repositories skip before runner work continues. Keep the existing validation step for enabled repositories. Co-Authored-By: OpenAI Codex <codex@openai.com>
Use explicit repository comparisons for the job-level issue triage allowlist. This keeps the cheap skip path while preserving mixed-case repository input behavior. Co-Authored-By: OpenAI Codex <codex@openai.com>
Make the job-level repository gate the single allowlist for issue triage. Keep the validation step focused on enabled repository inputs. Co-Authored-By: OpenAI Codex <codex@openai.com>
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 1e44262.
Remove a redundant human-review condition after the earlier human-review return path. Keep the update result driven by actual update failures. Co-Authored-By: OpenAI Codex <codex@openai.com>
dcramer added a commit that referenced this pull request May 13, 2026

Adds a reusable Flue issue triage workflow in getsentry/.github so target repositories can call one shared Sentry Intern triage implementation instead of carrying local Flue code. The workflow also keeps a manual workflow_dispatch path that points at a specific issue for a real smoke test.
Sentry Intern Triage
The Flue agent enforces a first-sentence Sentry Intern identity in comments, keeps the casually professional triage voice in the skill, and inherits not-planned closure when the canonical duplicate was closed that way. Automatic duplicate closure is limited to same-repository candidates; cross-repository matches now fall back to human review.
Repository Gate
A central feature registry enables issue triage for getsentry/cli, getsentry/dotagents, getsentry/junior, getsentry/sentry-mcp, getsentry/vitest-evals, and getsentry/warden. Reusable workflow calls must target their own getsentry repository, and the workflow checks the feature registry before creating the GitHub App token or checking out the target repository.
Workflow Contracts
The workflow validates required Flue secrets and variables before creating the Sentry Intern token, scopes the app token to issues write on the target repository, and uses the caller GITHUB_TOKEN for source checkout. pnpm setup reads automation/package.json so the pinned action can resolve the packageManager field from the checked-out automation repo, and the Flue agent now treats missing or invalid prepared checkouts as unavailable instead of trusted.
Local Tooling
Adds repo-local Prettier, actionlint, lint-staged, and simple-git-hooks wiring so workflow and formatting checks can run with pnpm before commit. The actionlint wrapper handles both full-repo runs and lint-staged file lists.
Validation
Validated with pnpm run lint, lint-staged against the PR diff, focused Vitest coverage, Flue node build, YAML parsing, allowlist accept and reject checks, pinned action tag checks, git diff whitespace checks, and the PR check suite.
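
The repository gate and the same-repository duplicate rule described above, as an added JavaScript example that is not code from this pull request. The function names and the slug pattern are assumptions; the allowlist entries are the repositories named in the description.

```javascript
// Added example; function names are hypothetical, not the PR's code.
// Allowlist entries are the repositories named in the PR description.
const TRIAGE_ENABLED = new Set([
  "getsentry/cli", "getsentry/dotagents", "getsentry/junior",
  "getsentry/sentry-mcp", "getsentry/vitest-evals", "getsentry/warden",
]);

// Assumed slug grammar: characters GitHub accepts in owner and repo names.
const REPO_RE = /^([A-Za-z0-9-]+)\/([A-Za-z0-9._-]+)$/;

// Return a canonical lower-case "owner/name", or null when the input is not
// a plain repository slug. Only this value should reach shell steps (via env).
function canonicalRepository(input) {
  if (typeof input !== "string") return null;
  const m = REPO_RE.exec(input);
  if (!m || m[2] === "." || m[2] === "..") return null;
  return `${m[1]}/${m[2]}`.toLowerCase();
}

// Gate evaluated before any token is created or any checkout happens.
function isTriageEnabled(input) {
  const repo = canonicalRepository(input);
  return repo !== null && TRIAGE_ENABLED.has(repo);
}

// Derive the canonical repository from a github.com issue URL.
function repositoryFromIssueUrl(url) {
  let parsed;
  try { parsed = new URL(url); } catch { return null; }
  if (parsed.protocol !== "https:" || parsed.hostname !== "github.com") return null;
  const m = /^\/([^/]+)\/([^/]+)\/issues\/\d+$/.exec(parsed.pathname);
  return m ? canonicalRepository(`${m[1]}/${m[2]}`) : null;
}

// Same-repository invariant: auto-close only when both sides validate and
// match case-insensitively; everything else falls back to human review.
function duplicateDecision(issueUrl, candidateUrl) {
  const current = repositoryFromIssueUrl(issueUrl);
  const candidate = repositoryFromIssueUrl(candidateUrl);
  if (current === null || candidate === null) return "human-review";
  return current === candidate ? "auto-close" : "human-review";
}
```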