Add github-issue-autosolve reusable workflow#15
Open
fantapop wants to merge 22 commits into
Open
Conversation
fantapop
force-pushed
the
pr/autosolve-go
branch
from
0655ce2 to
6f1121d
Compare
fantapop
force-pushed
the
pr/autosolve-workflow
branch
from
1ad618a to
31b2395
Compare
fantapop
force-pushed
the
pr/autosolve-go
branch
from
6f1121d to
5c7a16f
Compare
fantapop
force-pushed
the
pr/autosolve-workflow
branch
from
31b2395 to
7f63d0e
Compare
This was referenced Mar 25, 2026
fantapop
force-pushed
the
pr/autosolve-go
branch
from
5c7a16f to
a9a9010
Compare
fantapop
force-pushed
the
pr/autosolve-workflow
branch
from
7f63d0e to
f97d11e
Compare
fantapop
force-pushed
the
pr/autosolve-go
branch
from
a9a9010 to
1abbbb0
Compare
fantapop
force-pushed
the
pr/autosolve-workflow
branch
from
f97d11e to
6feb8db
Compare
fantapop
force-pushed
the
pr/autosolve-go
branch
from
1abbbb0 to
6fd24ba
Compare
fantapop
force-pushed
the
pr/autosolve-workflow
branch
from
6feb8db to
dc09887
Compare
There was a problem hiding this comment.
Pull request overview
Adds a reusable GitHub Actions workflow intended to automate resolving GitHub Issues by composing the existing autosolve/assess and autosolve/implement actions, plus status commenting, label management, and concurrency controls for per-issue runs.
Changes:
- Added a new reusable workflow
.github/workflows/github-issue-autosolve.ymlthat orchestrates assess → implement and posts issue comments for common outcomes. - Added changelog entry documenting the new reusable workflow.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 11 comments.
| File | Description |
|---|---|
| CHANGELOG.md | Documents the new github-issue-autosolve reusable workflow under Unreleased additions. |
| .github/workflows/github-issue-autosolve.yml | Introduces the reusable workflow with issue/label handling, concurrency per issue, and assess/implement orchestration with issue comments and summaries. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
fantapop
force-pushed
the
pr/autosolve-workflow
branch
from
dc09887 to
55ac777
Compare
fantapop
force-pushed
the
pr/autosolve-workflow
branch
3 times, most recently
from
124bdb4 to
7c6c9ae
Compare
fantapop
force-pushed
the
pr/autosolve-workflow
branch
from
7c6c9ae to
d96e9ab
Compare
fantapop
force-pushed
the
pr/autosolve-go
branch
2 times, most recently
from
922542b to
a6b2953
Compare
fantapop
force-pushed
the
pr/autosolve-workflow
branch
from
c8ce1c3 to
39b77ec
Compare
fantapop
force-pushed
the
pr/autosolve-go
branch
from
a6b2953 to
314a6b9
Compare
fantapop
force-pushed
the
pr/autosolve-workflow
branch
3 times, most recently
from
a7f878c to
64e408e
Compare
fantapop
force-pushed
the
pr/autosolve-go
branch
from
314a6b9 to
f818651
Compare
Give the security reviewer tools (Bash, Read, Grep, Glob) so it can inspect staged diffs itself instead of having them injected into the prompt. This prevents attacker-controlled code from escaping prompt boundaries. Also adds a Prompt field to RunOptions so callers can pass prompt text directly without writing a temp file, and validates that Prompt and PromptFile are not both set. Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com>
The additional_instructions input was redundant — callers can put everything in the prompt input, and skill files already cover repo-specific instructions. Removing it simplifies the prompt assembly and eliminates a potential prompt injection surface. Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com>
Rename prompt to system_prompt to signal it should contain only trusted instructions. Add context_vars input for safely passing untrusted user content (e.g., issue titles/bodies) via environment variables — Claude is automatically told which vars are available and instructed not to follow instructions found within them. Build an explicit env allowlist for the Claude CLI subprocess so it only sees baseline system/auth vars plus caller-specified context vars, preventing secrets from leaking. Remove ANTHROPIC_API_KEY support in favor of Vertex AI only. Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com>
Ensure .github/ is always included in blocked paths regardless of caller configuration. This prevents Claude from modifying workflow files, actions, or other GitHub configuration that could run arbitrary code. Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com>
- Fix YAML parse error in assess action.yml (remove quotes around $RUNNER_TEMP/autosolve in the run directive). - Tell Claude it is in READ-ONLY mode during assessment so it does not complain about lacking write permissions. - Skip Go setup and binary build in implement action when the autosolve binary already exists from a prior step, avoiding duplicate cache restore tar errors. Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com>
- Instruct Claude to never include secret values in responses — describe findings by file and line number instead. - Skip logging security review output since it may reference secrets found in the diff. - Log Claude output in collapsible ::group:: blocks in the step log, gated by a verbose_logging input (default false). Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com>
JSON output in ::group:: log sections is now indented for readability in the GitHub Actions log viewer. Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com>
The assess step only permits Read,Grep,Glob — no Bash — so Claude could not read context_vars from the environment. Add a scoped Bash(printenv VAR) permission for each declared context var and update the prompt to tell Claude to use `printenv`. fixup bdb5ba4 Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com>
fantapop
force-pushed
the
pr/autosolve-go
branch
from
20e41e0 to
9b1b16c
Compare
fantapop
force-pushed
the
pr/autosolve-workflow
branch
from
7a75118 to
b0444a9
Compare
git symbolic-ref refs/remotes/origin/HEAD prints a fatal error when origin/HEAD is not configured (common with actions/checkout persist-credentials: false). Rather than suppress the error, default pr_base_branch to "main" in the action input and remove the auto-detection code entirely. Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com>
The workspace root is the actions repo checkout, not the target repo, so setup-go can't find go.mod for cache hashing. Caching isn't needed since the autosolve binary is a one-off build. Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com>
Previously the implement binary exited 0 even on failure (all retries exhausted, security check failed, PR creation failed), making the step appear green. Now it writes outputs first so subsequent workflow steps can still read them, then returns an error so the step is correctly marked as failed. Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com>
Turnkey GitHub Issues integration composing assess + implement with issue comments, label management, and concurrency control. Checks for existing PRs by head branch, authenticates via Vertex AI workload identity federation, and supports verbose Claude logging. Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com>
fantapop
force-pushed
the
pr/autosolve-go
branch
from
9b1b16c to
555a3c5
Compare
fantapop
force-pushed
the
pr/autosolve-workflow
branch
from
b0444a9 to
66b1956
Compare
fantapop
force-pushed
the
pr/autosolve-go
branch
13 times, most recently
from
6e2dc18 to
909d84e
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Turnkey reusable workflow for GitHub Issues integration that composes the
autosolve/assessandautosolve/implementactions with:Testing
Tested end-to-end against cockroachlabs/ccloud-private-automation-testing via issue label trigger.
Test plan