Adopt gh-aw Issue Assistant and align prompt with legacy behavior + code-aware triage#776
Conversation
Co-authored-by: supervoidcoder <88671013+supervoidcoder@users.noreply.github.com>
…guidance Co-authored-by: supervoidcoder <88671013+supervoidcoder@users.noreply.github.com>
@coderabbitai review

✅ Actions performed: Review triggered.
🤖 Auto-Component Test Results

🎉 No new UI components detected! This PR doesn't add any new buttons, menus, or clickable components.

Triggered by Copilot

🎉 MEGA PR Test & Analysis Complete!

Hi @Copilot! Your PR has been fully tested and analyzed! 🚀✨

🌍 Test Deployment
Live Preview: https://OmniBlocks.github.io/scratch-gui/Copilot/776/

🧪 Test Results
ESLint: ⏭️ Skipped (no JS/JSX files changed)
Unit Tests: ✅
Integration Tests: ❌
📄 Full test outputs available in artifacts

🔦 Performance Audit (Lighthouse)
✅ Audit completed successfully!
📊 Lighthouse Scores and ⚡ Core Web Vitals: (values not reproduced here)
Legend: 🟢 90-100 (Good) | 🟠 50-89 (Needs Improvement) | 🔴 0-49 (Poor)
📄 Full report in artifacts

📦 Bundle Size Analysis
Total Build Size: 172M
📦 Top 5 Largest JavaScript Files and 🎨 Top 5 Largest CSS Files: (lists not reproduced here)

♿ Accessibility Testing
✅ Accessibility scan completed!

📊 Build Details: (not reproduced here)

💡 Pro Tip: Only one build was needed for all these checks - saving CI/CD minutes! 🎯
Caution: Review failed. The pull request is closed.

Summary by CodeRabbit

Walkthrough

This patch introduces a multi-stage GitHub Actions workflow for automated issue assistance powered by an AI agent. It adds configuration to mark workflow lock files as generated, includes a comprehensive 1061-line workflow pipeline with Copilot integration and threat detection, and provides behavioral documentation for the automation.

Changes
Sequence Diagram

```mermaid
sequenceDiagram
    participant GitHub as GitHub Events
    participant Pre as Pre-activation Check
    participant Activation as Activation Job
    participant Agent as Agent Execution
    participant Copilot as Copilot CLI
    participant MCP as MCP Gateway
    participant SafeOut as Safe Outputs Server
    participant Detection as Threat Detection
    participant PR as PR/Workflow Status
    GitHub->>Pre: Trigger workflow (issue/comment)
    Pre->>Pre: Verify team membership & control
    Pre-->>Activation: Pass/Fail status
    Activation->>Activation: Initialize environment
    Activation->>Activation: Validate workflow timestamps
    Activation-->>Agent: Gate execution
    Agent->>Agent: Checkout code, configure Git
    Agent->>Copilot: Validate & install Copilot CLI
    Agent->>SafeOut: Prepare MCP server components
    Agent->>MCP: Start MCP gateway with config
    Agent->>Agent: Generate workflow overview & prompt
    Agent->>Copilot: Execute Copilot session with tools
    Copilot-->>Agent: Return agent output
    Agent->>Agent: Redact secrets, capture results
    Agent-->>Detection: Pass artifacts
    Detection->>Copilot: Execute threat detection
    Copilot-->>Detection: Threat analysis results
    Detection->>Detection: Parse & upload threat logs
    Agent->>PR: Update PR with agent results
    Detection->>PR: Update PR with threat status
    Agent->>Agent: Cleanup (stop MCP, handle failures)
    Detection->>PR: Final conclusion status
```
Estimated code review effort: 🎯 4 (Complex) | ⏱️ ~45 minutes
🎬 ULTRA Visual Regression Test Results

Hi @Copilot! Tested across 9 combinations (3 platforms × 3 browsers). 8/9 completed.

📊 Test Matrix Summary

Only views that reported a pixel difference are listed; the Base/PR/Diff screenshots are not reproduced here. Every other view in the completed combinations reported "No pixel difference detected."

| Platform + browser | View | Diff |
|---|---|---|
| (combination header missing from this page) | (view name missing) | 0.36% (3346 pixels) |
| Ubuntu + WebKit | Songs Tab | 1.77% (65335 pixels) |
| Ubuntu + WebKit | Extension Library | 34.33% (1265690 pixels) |
| Windows + Chrome | Songs Tab | 41.40% (381533 pixels) |
| Windows + Firefox | Songs Tab | 0.05% (488 pixels) |
| Windows + Firefox | Player View | 0.00% (13 pixels) |
| Windows + WebKit | Songs Tab | 0.40% (14908 pixels) |
| Apple + Chrome | Songs Tab | 24.78% (228347 pixels) |
| Apple + Firefox | Blocks Workspace | 0.21% (1094 pixels) |
| Apple + Firefox | Code Tab | 0.12% (1094 pixels) |
| Apple + Firefox | Songs Tab | 0.03% (244 pixels) |
| Apple + Firefox | Advanced Settings | 0.12% (1094 pixels) |
| Apple + WebKit | Songs Tab | 0.29% (10658 pixels) |
| Apple + WebKit | Player View | 2.94% (194492 pixels) |

Views checked per combination: Editor Initial, Blocks Workspace, Stage Sprites, Code Tab, Costumes Tab, Sounds Tab, Songs Tab, Player View, Extension Library, Advanced Settings.
Pull request overview
This PR introduces a new GitHub Agentic Workflow-based issue assistant (gh-aw) intended to replace the prior multi-call assistant pattern, while aligning the assistant prompt with legacy behavior and encouraging code-aware triage in this repo.
Changes:
- Added a gh-aw source workflow prompt file for issue triage behavior and labeling guidance.
- Added the compiled gh-aw lockfile workflow that runs the Copilot agent with safe-outputs tooling.
- Updated `.gitattributes` to treat workflow lockfiles as generated and prefer `merge=ours` for them.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| .github/workflows/issue-assistant-agentic.md | Defines triggers, safe-outputs intent, and the assistant prompt/triage rules. |
| .github/workflows/issue-assistant-agentic.lock.yml | Compiled workflow that executes the agent, safe-outputs server, and threat detection pipeline. |
| .gitattributes | Marks *.lock.yml workflow artifacts as generated and resolves merges by keeping the current branch's version. |
| safe-outputs: | ||
| add-comment: | ||
| max: 1 | ||
| add-labels: |
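Review bot: `add-labels:` carries no `max:`, so the "up to 3" labels the prompt promises is a bound the safe-outputs layer never enforces, while `add-comment:` directly above shows the intended shape with `max: 1`. Set `max: 3` here, in the source frontmatter, so the compiled lockfile inherits the cap; this is the file to fix, since the same PR marks `*.lock.yml` as generated in `.gitattributes`.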
safe-outputs.add-labels is missing a max value, but later instructions say to add “up to 3” labels. Add an explicit max: 3 here so the source workflow frontmatter matches the intended bounded behavior and the compiled lockfile config.
| add-labels: | |
| add-labels: | |
| max: 3 |
| Avoid inline backticks and fenced code blocks unless absolutely necessary, | ||
| because markdown inside them may be stripped in this workflow's comment output path. | ||
|
|
||
| If this run was triggered by `issue_comment`, only respond when the newest comment includes `@OmniBlocks/ai`. | ||
| When replying to mentions, respond to that mention/follow-up request, not only the original issue body. |
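Review bot: the `@OmniBlocks/ai` mention gate lives only in the prompt, so on every `issue_comment` event an agent session starts and reads the untrusted comment before deciding whether to stay silent; move the check into a workflow-level `if:` condition on the comment body so non-matching comments never reach the model at all. The instruction is also silent about who must write the mention: as worded, any issue author can trigger a reply by adding the string, so state whether the mention has to come from a trusted role or leave that decision to the activation job.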
This prompt says to avoid inline backticks because formatting may be stripped, but then uses inline backticks for issue_comment and @OmniBlocks/ai. Consider replacing these with plain text or bold to keep the guidance consistent with its own markdown constraints.
| pre_activation: | ||
| runs-on: ubuntu-slim | ||
| outputs: | ||
| activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }} | ||
| steps: | ||
| - name: Setup Scripts | ||
| uses: github/gh-aw/actions/setup@v0.43.22 | ||
| with: | ||
| destination: /opt/gh-aw/actions | ||
| - name: Check team membership for workflow | ||
| id: check_membership | ||
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 | ||
| env: | ||
| GH_AW_REQUIRED_ROLES: admin,maintainer,write | ||
| with: |
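Review bot: `activated` is derived solely from `is_team_member`, and `GH_AW_REQUIRED_ROLES: admin,maintainer,write` is therefore the one control keeping issues from arbitrary authors out of an agent run; if this gate is relaxed for public triage, as the PR description implies it should be, relax it together with the agent's tool and path allowances rather than on its own. Separately, `github/gh-aw/actions/setup@v0.43.22` is pinned to a mutable tag while `actions/github-script` on the next step is pinned to a commit SHA with a `# v8` comment; pin both the same way.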
The workflow is gated on pre_activation requiring the actor to have admin,maintainer,write roles, which means the assistant will be skipped for issues opened/edited by regular contributors. If the intent is to assist triage on public issues (per PR description), remove or relax this membership gate (or scope it to only the privileged actions).
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 | ||
| env: | ||
| GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} | ||
| GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":1},\"add_labels\":{},\"missing_data\":{},\"missing_tool\":{}}" |
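Review bot: `"add_labels":{}` leaves the label handler uncapped at runtime even though `add_comment` beside it is capped at 1, and the review notes that `config.json` elsewhere in this lockfile already says 3, so two configs in one generated file disagree about the limit. Regenerate the lockfile from a corrected source frontmatter instead of patching this string, then confirm by searching the regenerated file for `\"add_labels\":{\"max\":3}`; a hand edit is overwritten on the next compile, and the new `merge=ours` rule for `*.lock.yml` means a merge will not surface the discrepancy either.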
GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG leaves add_labels unconstrained ({}), which may fall back to a higher default than the intended “max 3 labels” limit (and conflicts with the earlier config.json that sets add_labels.max to 3). Set an explicit max for add_labels here to ensure label additions are actually capped.
| GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":1},\"add_labels\":{},\"missing_data\":{},\"missing_tool\":{}}" | |
| GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":1},\"add_labels\":{\"max\":3},\"missing_data\":{},\"missing_tool\":{}}" |
| sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.16.4 --skip-pull \ | ||
| -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ |
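Review bot: beyond `--allow-all-tools --allow-all-paths`, `--env-all` forwards the runner's whole environment into the sandbox and `--enable-host-access` (with `host.docker.internal` on the allow-list) gives the agent a route back to the runner host, so the firewall is policing egress domains, not the agent's reach. Pass only the variables the agent needs, and confirm whether the MCP gateway or safe-outputs server actually requires host access before keeping it. Note too that `api.github.com` and `github.com` on the allow-list are write-capable for whatever token ends up in that environment, so an injected prompt has an exfiltration path that the domain list does not close.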
The Copilot invocation uses --allow-all-tools and --allow-all-paths (and the sandbox enables host access). For an issue assistant triggered from user-generated content, this is a large blast radius even with safe-outputs. Prefer restricting the agent to only the minimal tools/paths needed for repo search and file reads to reduce the impact of prompt injection or accidental destructive commands.
| sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.16.4 --skip-pull \ | |
| -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ | |
| sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.16.4 --skip-pull \ | |
| -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ |
|
|
||
| permissions: {} | ||
|
|
||
| concurrency: | ||
| group: "gh-aw-${{ github.workflow }}-${{ github.event.issue.number }}" |
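Review bot: `github.event.issue.number` is empty on `workflow_dispatch`, so every manual run lands in the same concurrency group `gh-aw-<workflow>-` and serializes against every other manual run instead of per issue. If an `issue_number` input is added to fix this, validate it as a positive integer before it is interpolated into the group name and the prompt; treat it as input, not as an identifier. `permissions: {}` at workflow level is correct; keep it and grant scopes per job.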
workflow_dispatch is enabled but has no inputs for an issue/PR/discussion number; the safe output tools also default to “current context”, which won’t exist for manual runs. Add workflow_dispatch inputs (e.g., issue_number) and plumb them into the prompt/context so manual runs can target a specific item reliably.
| permissions: {} | |
| concurrency: | |
| group: "gh-aw-${{ github.workflow }}-${{ github.event.issue.number }}" | |
| inputs: | |
| issue_number: | |
| description: "Issue number to run the assistant against when manually triggered" | |
| required: true | |
| type: string | |
| permissions: {} | |
| concurrency: | |
| group: "gh-aw-${{ github.workflow }}-${{ github.event_name == 'workflow_dispatch' && github.event.inputs.issue_number || github.event.issue.number }}" |
Replaces the existing multi-call issue assistant pattern with a GitHub Agentic Workflow and ports the prompt semantics to match the prior assistant behavior. The new prompt also instructs the agent to inspect related repository code before suggesting fixes/actions.

Agentic workflow introduction
- `.github/workflows/issue-assistant-agentic.md` as the source workflow.
- `.github/workflows/issue-assistant-agentic.lock.yml`.
- `.gitattributes` to treat `*.lock.yml` workflow artifacts as generated with `merge=ours`.

Triggering + safe action model
- `issues` (opened, edited), `issue_comment` (created), and `workflow_dispatch`.
- Safe outputs (`add-comment`, `add-labels`) with bounded behavior (single comment, capped labels).

Prompt parity with legacy issue assistant
Agentic code-awareness improvements
Warning

Firewall rules blocked me from connecting to one or more addresses.

I tried to connect to the following addresses, but was blocked by firewall rules:

- github.github.com (dns block), from /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js
- https://api.github.com/repos/OmniBlocks/scratch-gui/actions/workflows (http block), from gh workflow list --all --json id,name,path,state
- https://api.github.com/repos/actions/github-script/git/ref/tags/v8 (http block), from gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha
- https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.43.22 (http block), from gh api /repos/github/gh-aw/git/ref/tags/v0.43.22 --jq .object.sha
- https://api.github.com/user (http block), from gh api user --jq .login

If you need me to access, download, or install something from one of these locations, you can either:
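The "bounded behavior (single comment, capped labels)" the description claims, and the three things the review above flags in the compiled lockfile (an uncapped `add_labels` handler, a setup action pinned to a tag, and `--allow-all-tools`/`--allow-all-paths`/`--enable-host-access` on the agent run), can all be checked mechanically before a lockfile is merged. The following lint is an added example, not code from this PR or from gh-aw; it assumes only the lockfile shapes quoted on this page (a `GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG` env var holding escaped JSON, `uses:` lines, and the flags of the awf/copilot run step). Treating `missing_data` and `missing_tool` as report-only handlers that need no cap, and adding `--env-all` to the flag list, are this example's own assumptions, and the sample lockfile excerpt is constructed from the lines quoted in the review, not copied from the real file.

```python
"""Lint a compiled gh-aw lockfile for the findings raised in this review.

Added example, not part of this PR or of gh-aw. It assumes only the lockfile
shapes quoted on this page: a GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG env var holding
escaped JSON, `uses:` lines for actions, and the flags of the awf/copilot run
step. Which handlers count as write handlers is this example's own assumption.
"""
import json
import re

# Handlers that write to the issue must carry a positive integer `max`.
# Assumption: missing_data / missing_tool only report, so they need no cap.
WRITE_HANDLERS = {"add_comment", "add_labels"}

# Flags that widen the agent's blast radius: the three named in the review,
# plus --env-all, which forwards the runner environment into the sandbox
# (including --env-all is this example's choice, not the review's).
OVERBROAD_FLAGS = {"--allow-all-tools", "--allow-all-paths",
                   "--enable-host-access", "--env-all"}

_HANDLER_RE = re.compile(r'GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG:\s*"((?:\\.|[^"\\])*)"')
_USES_RE = re.compile(r"uses:\s*([\w.-]+/[\w./-]+)@(\S+)")
_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def handler_config(lockfile_text: str) -> dict:
    """Decode the escaped JSON handler config; {} if the env var is absent."""
    m = _HANDLER_RE.search(lockfile_text)
    if not m:
        return {}
    # The YAML scalar escapes inner quotes as \" ; decoding it once as a JSON
    # string literal removes those escapes, the second decode yields the dict.
    return json.loads(json.loads('"' + m.group(1) + '"'))


def unbounded_handlers(config: dict) -> list[str]:
    """Write handlers whose `max` is missing or not a positive integer."""
    bad = []
    for name in sorted(WRITE_HANDLERS):
        mx = config.get(name, {}).get("max")
        if not isinstance(mx, int) or mx < 1:
            bad.append(name)
    return bad


def unpinned_actions(lockfile_text: str) -> list[str]:
    """`uses:` references pinned to a tag or branch instead of a 40-hex SHA."""
    return [f"{repo}@{ref}" for repo, ref in _USES_RE.findall(lockfile_text)
            if not _SHA_RE.match(ref)]


def overbroad_flags(lockfile_text: str) -> list[str]:
    """Blast-radius flags present anywhere in the lockfile's run steps."""
    return sorted(flag for flag in OVERBROAD_FLAGS if flag in lockfile_text)


def lint(lockfile_text: str) -> list[str]:
    """One finding per problem; an empty list means the lockfile passes."""
    findings = []
    cfg = handler_config(lockfile_text)
    if not cfg:
        findings.append("no GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG found")
    else:
        findings += [f"safe-output handler {h} has no max bound"
                     for h in unbounded_handlers(cfg)]
    findings += [f"action not pinned to a commit SHA: {ref}"
                 for ref in unpinned_actions(lockfile_text)]
    findings += [f"agent sandbox run step uses {flag}"
                 for flag in overbroad_flags(lockfile_text)]
    return findings


# Constructed excerpt assembled from the lockfile lines quoted in this review
# (not a copy of the real file); it reproduces the pre-fix state.
SAMPLE_BEFORE = r'''
      - name: Setup Scripts
        uses: github/gh-aw/actions/setup@v0.43.22
      - name: Check team membership for workflow
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
        env:
          GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":1},\"add_labels\":{},\"missing_data\":{},\"missing_tool\":{}}"
      - run: |
          sudo -E awf --env-all --enable-host-access -- '/usr/local/bin/copilot --allow-all-tools --allow-all-paths'
'''

# The same excerpt with every finding addressed; the SHA is a placeholder.
SAMPLE_AFTER = (SAMPLE_BEFORE
                .replace(r'\"add_labels\":{}', r'\"add_labels\":{\"max\":3}')
                .replace("@v0.43.22", "@" + "0" * 40)
                .replace(" --env-all", "")
                .replace(" --enable-host-access", "")
                .replace(" --allow-all-tools --allow-all-paths", ""))

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, lint(text) or "clean")
```

Run it against a real `*.lock.yml` by reading the file into `lint()`; a non-empty result is a reason to fix the source frontmatter and recompile rather than to edit the lockfile, for the reason the review gives.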