
Add agentic issue-triage workflow for Win32-OpenSSH #2443

Open
tgauth wants to merge 8 commits into PowerShell:L1-Prod from tgauth:tgauth-add-issue-triage-workflow

@tgauth tgauth commented Jun 26, 2026

Collaborator

Summary

Adds a GitHub Agentic Workflow (gh-aw) for automated issue triage, modeled on PowerShell/vscode-powershell and adapted to the realities of Win32-OpenSSH. On each opened/reopened issue, an AI agent gathers context (read-only) and takes exactly one action through sanitized, least-privilege safe-outputs.

This is the first of the planned triage workflows; comment-handler and stale-closer will follow separately.

Files

  • .github/workflows/issue-triage.md — human-editable source (the workflow logic)
  • .github/workflows/issue-triage.lock.yml — compiled workflow Actions runs (generated by gh aw compile; do not hand-edit)
  • .github/aw/actions-lock.json — pinned action SHAs
  • .gitattributes — marks *.lock.yml as generated

Triage behavior — one of five outcomes

  • A. Spam / not a real issue -> close as "not planned" with one calm, polite sentence
  • B. Duplicate of an open issue -> Resolution - Duplicate + close
  • C. Genuine but incomplete -> Waiting on Author + More info needed + a comment naming the specific missing details (OpenSSH-for-Windows version, server/client OS, expected vs actual — matching the issue template)
  • D. Genuine, actionable Windows-port issue (Windows-specific bug, or an enhancement/parity feature) -> Investigate + type/area labels + a maintainer hand-off comment
  • E. Genuine cross-platform OpenSSH bug (reproduces on Linux/macOS) -> no labels, just a comment recommending the author file upstream; left open for maintainers to close once tracked upstream

Handling the repo's caveats

  • Encodes that issues are tracked here but the Windows code lives in PowerShell/openssh-portable (a downstream fork of upstream openssh/openssh-portable).
  • Distinguishes Windows-specific vs general cross-platform problems so upstream bugs don't pollute the Investigate queue.
  • Issue-Upstream Parity is reserved for enhancement requests where the Windows port lacks an upstream feature — never for bugs.
  • Upstream recommendation points to OpenSSH Bugzilla (bugzilla.mindrot.org); security bugs go to openssh@openssh.com. The agent only recommends — it never files upstream or touches other repos.

Safety

  • Agent is read-only; all mutations flow through gh-aw safe-outputs with an allow-list locked to the existing Win32-OpenSSH label taxonomy (add-labels max 5, add-comment max 1, close-issue -> not_planned max 1).
  • Acknowledges each triggering issue with a thumbs-up reaction while processing.

Notes for reviewers / enabling

  • Running this requires gh-aw to be enabled on the repo (the Copilot engine + workflow secrets such as GH_AW_GITHUB_TOKEN). That's repo configuration, not part of this code change.
  • To edit behavior: change issue-triage.md, then run gh aw compile to regenerate the .lock.yml.

Co-authored-by: Copilot 223556219+Copilot@users.noreply.github.com
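
The enforcement pattern described under Safety, sketched as an added example that is not part of this pull request and not gh-aw's implementation: the agent only proposes actions, and a separate step applies the allow-list and caps before anything is written. The limits and label names are the ones quoted above; the `POLICY` layout, the `enforce` function, the `Resolution - *` glob spelling and the sample actions are assumptions.

```python
from fnmatch import fnmatchcase

# Limits and label names come from the PR text; the dict layout and the
# "Resolution - *" glob spelling are assumptions made for this sketch.
POLICY = {
    "add-labels": {"max": 5, "allowed": (
        "Investigate", "Waiting on Author", "More info needed",
        "Issue-Upstream Parity", "Resolution - *")},
    "add-comment": {"max": 1},
    "close-issue": {"max": 1, "state_reason": "not_planned"},
}

def enforce(proposed):
    """Split agent-proposed actions into (accepted, rejected); fails closed."""
    accepted, rejected, used = [], [], {}
    for action in proposed:
        kind = action.get("type")
        rule = POLICY.get(kind)
        reason, cost = None, 1  # add-labels is budgeted per label, others per action
        if rule is None:
            reason = "action type not in safe-outputs"
        elif kind == "add-labels":
            labels = action.get("labels") or []
            cost = len(labels)
            # The untrusted label is only ever the subject, never the pattern.
            bad = [name for name in labels
                   if not any(fnmatchcase(name, pat) for pat in rule["allowed"])]
            if bad or not labels:
                reason = f"labels outside allow-list: {bad}"
        elif kind == "close-issue" and action.get("state_reason") != rule["state_reason"]:
            reason = "close reason must be not_planned"
        if reason is None and used.get(kind, 0) + cost > rule["max"]:
            reason = f"{kind} exceeds max {rule['max']}"
        if reason:
            rejected.append((action, reason))
            continue
        used[kind] = used.get(kind, 0) + cost
        accepted.append(action)
    return accepted, rejected

# Constructed sample: what an agent steered by a hostile issue body might emit.
SAMPLE = [
    {"type": "add-labels", "labels": ["Investigate", "Resolution - Duplicate"]},
    {"type": "add-labels", "labels": ["security-approved"]},
    {"type": "add-comment", "body": "Thanks, routing to maintainers."},
    {"type": "add-comment", "body": "Second comment"},
    {"type": "close-issue", "state_reason": "completed"},
    {"type": "push-commit", "ref": "main"},
]
ACCEPTED, REJECTED = enforce(SAMPLE)
```

Because the policy lives outside the agent's context, text in an issue body can change what the agent proposes but not what is allowed to run.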

tgauth and others added 7 commits April 13, 2023 09:31
Adds a gh-aw issue-triage workflow modeled on PowerShell/vscode-powershell, adapted to Win32-OpenSSH. On opened/reopened issues the agent takes exactly one action: close spam, mark/close duplicates, request author feedback, or label genuine issues with 'Investigate' plus area/type labels and a maintainer hand-off comment.

Accounts for the repo's caveats: issues are tracked here but Windows code lives in PowerShell/openssh-portable (a downstream fork of upstream openssh/openssh-portable). Cross-platform OpenSSH bugs are flagged 'Issue-Upstream Parity' with a comment recommending the author file upstream (Bugzilla / openssh@openssh.com for security), without auto-filing.

Uses the existing Win32-OpenSSH label taxonomy. Includes the compiled .lock.yml, action pin cache, and .gitattributes.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Corrects the meaning of 'Issue-Upstream Parity': it now applies only to enhancement requests where the Windows port lacks a feature that exists upstream, never to bugs.

Adds a distinct outcome E for genuine cross-platform OpenSSH bugs (reproduce on Linux/macOS): the agent applies no labels at all and posts only an upstream-filing recommendation (Bugzilla / openssh@openssh.com for security), leaving the issue open for maintainers to close once tracked upstream. These no longer enter the 'Investigate' queue.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Expands the add-labels allow-list to cover the full Resolution-* set via glob, so every resolution label is available. Triage behavior stays conservative: the agent still actively applies only 'Resolution - Duplicate' on fresh issues; the others are reserved for unmistakable edge cases / maintainers.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Copilot AI left a comment

Pull request overview

Adds a GitHub Agentic Workflow (“gh-aw”) to automatically triage newly opened/reopened issues in Win32-OpenSSH, using a human-editable source file that compiles into a locked GitHub Actions workflow.

Changes:

  • Introduces the issue-triage agent workflow definition (issue-triage.md) describing outcomes A–E and the associated labeling/commenting/closing behavior.
  • Checks in the compiled, pinned workflow (issue-triage.lock.yml) plus an actions SHA lock entry.
  • Marks *.lock.yml workflow outputs as generated to reduce noise and prefer “ours” on merges.

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| .github/workflows/issue-triage.md | Human-editable agent workflow source defining triage behavior and safe-output constraints. |
| .github/workflows/issue-triage.lock.yml | Generated/pinned GitHub Actions workflow produced by gh aw compile. |
| .github/aw/actions-lock.json | Pins the gh-aw setup action SHA used by the workflow toolchain. |
| .gitattributes | Marks lock workflow outputs as generated and sets merge strategy for them. |

Comment thread .github/workflows/issue-triage.md Outdated
Comment thread .github/workflows/issue-triage.md Outdated
Addresses PR review: the safe-outputs note implied ALL writes go through safe-outputs, but the workflow also adds a +1 acknowledgement reaction directly (outside safe-outputs). Clarify that safe-outputs governs labels/comments/closures while the reaction is a separate workflow-side write.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>