fix(ci): prefetch issue context for GH-AW fixers under MCP integrity gating #959
Draft
fr4nc1sc0-r4m0n wants to merge 2 commits into
…gating Public repos get automatic min-integrity: approved, which hides triage comments from github-actions (CONTRIBUTOR). Prefetch the issue thread with GITHUB_TOKEN and inject it into fixer prompts before the agent runs. Co-authored-by: Cursor <cursoragent@cursor.com>
Pull request overview
Adds issue-context prefetching so GH-AW issue fixers can receive issue bodies and comments before agent execution, especially when MCP integrity gating hides triage comments.
Changes:
- Adds a reusable prefetch workflow and shell script for collecting issue metadata and comments.
- Wires prefetched context into generic, security, and resource-not-accessible fixer prompts.
- Extends issue-comment allow-list loading and adds `github-actions` as an allowed issue author.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 7 comments.
Show a summary per file
| File | Description |
|---|---|
| scripts/obs/prefetchIssueContext.sh | Fetches issue details/comments and emits markdown context. |
| config/obs/allowed_issue_authors.json | Adds github-actions to issue author allow list. |
| .github/workflows/prefetch-issue-context.yml | New reusable workflow to run the prefetch script. |
| .github/workflows/oblt-aw-ingress.yml | Loads allowed authors for issue_comment and passes them to the generic fixer. |
| .github/workflows/gh-aw-security-fixer.yml | Adds prefetched context to security fixer instructions. |
| .github/workflows/gh-aw-resource-not-accessible-by-integration-fixer.yml | Adds prefetched context to resource-access fixer instructions. |
| .github/workflows/gh-aw-issue-fixer.yml | Adds allowed-bot input and prefetched context to generic issue fixer. |
| jobs: | ||
| prefetch: | ||
| runs-on: ubuntu-latest | ||
| permissions: |
Comment on lines +20 to +21
| - name: Checkout repository | ||
| uses: actions/checkout@v6 |
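Review bot: `uses: actions/checkout@v6` pins the checkout action to a movable tag, so the code this job executes can change without any change in this repository. Pin the step to the full commit SHA of the release and keep the version in a trailing comment; if the job only needs to read the script, also set `persist-credentials: false` on the step so the token is not left in the checkout's git config.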
| if [ "$comment_count" -eq 0 ]; then | ||
| echo "<no comments>" | ||
| else | ||
| jq -r '.[] | "### Comment by \(.user.login) (\(.created_at))\n\n\(.body)\n"' <<<"$comments_json" |
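Review bot: the jq template on the last line writes `.user.login` and `.body` for every element of `comments_json` straight into the markdown, with no author filter and nothing that marks where a body ends. A body that itself contains a line starting with `### Comment by` cannot be told apart from a real header once this text is in the fixer prompt. Select only comments whose author is on the allow list before formatting, and quote or delimit each body so the prompt can treat it as data rather than as structure.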
Comment on lines +55 to +58
| { | ||
| echo 'context<<EOF' | ||
| cat "${RUNNER_TEMP}/prefetched-issue-context.md" | ||
| echo 'EOF' |
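Review bot: the fixed `EOF` delimiter in `echo 'context<<EOF'` wraps a `cat` of prefetched-issue-context.md, which holds issue and comment bodies. If any body contains a line that is exactly `EOF`, the multi-line value ends there, and when this block is redirected to the step's output or env file the remaining lines are parsed as further `name=value` entries. Generate a random delimiter per run (for example from `openssl rand -hex 16`), and fail the step if the file already contains that string.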
Comment on lines +51 to +53
| jq -r '.[] | "### Comment by \(.user.login) (\(.created_at))\n\n\(.body)\n"' <<<"$comments_json" | ||
| fi | ||
| } >"${RUNNER_TEMP}/prefetched-issue-context.md" |
| issue_url=$(jq -r '.url' <<<"$issue_json") | ||
| issue_labels=$(jq -r '[.labels[].name] | join(", ")' <<<"$issue_json") | ||
|
|
||
| comments_json=$(gh api "repos/${repository}/issues/${issue_number}/comments" --paginate) |
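Review bot: `gh api ... --paginate` on the last line prints each page as its own JSON document, so on an issue with more than one page of comments `comments_json` holds several arrays back to back rather than one array. The `jq -r '.[]'` formatter tolerates that, but a count taken with `jq length` returns one number per page, and `[ "$comment_count" -eq 0 ]` then fails on a multi-line value. Merge the pages into a single array before counting (for example `--paginate --slurp` followed by `jq 'add'`), and check that `issue_number` is numeric before it is interpolated into the API path.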
| actions: read | ||
|
|
||
| jobs: | ||
| prefetch-issue-context: |
Drop prefetching full issue threads into agent prompts. Pass allowed_issue_authors_csv (including github-actions) to generic issue fixer and triage wrappers for upstream MCP trusted-users mapping. Co-authored-by: Cursor <cursoragent@cursor.com>
Summary
- `github-actions` to config/obs/allowed_issue_authors.json and pass `allowed_issue_authors_csv` from ingress to generic issue-fixer and issue-triage wrappers (same pattern as security/resource fixers).
- `allowed-bot-users` → MCP `trusted-users` with `min-integrity: approved`, so triage comments from `github-actions` (CONTRIBUTOR) count as approved integrity instead of being filtered.

Merge order: land ai-github-actions #1128 first (or pin lock ref temporarily), then this PR.
Test plan
- `/ai implement` on elastic/oblt-aw#958.

Related issue: https://github.com/elastic/observability-robots/issues/3614