Skip to content

Comments

Fix issues with issue management workflow#8946

Open
craxal wants to merge 11 commits intomainfrom
dev/cralvord/issue-manager
Open

Fix issues with issue management workflow#8946
craxal wants to merge 11 commits intomainfrom
dev/cralvord/issue-manager

Conversation

@craxal
Copy link
Contributor

@craxal craxal commented Feb 20, 2026

  • Agency is an internal tool that a GitHub Action cannot access, so we switch to using GitHub Copilot CLI directly.
  • For various reasons, the workflow requires two different tokens, one to authorize org and repo access, another to authorize Copilot.

@craxal craxal force-pushed the dev/cralvord/issue-manager branch from 00c4611 to 5181b6c Compare February 20, 2026 22:53
@craxal craxal marked this pull request as ready for review February 21, 2026 01:51
Copilot AI review requested due to automatic review settings February 21, 2026 01:51
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the scheduled “Stale Issue Cleanup” GitHub Actions workflow to run the Copilot CLI-based issue management agent and documents the intended authentication model for Copilot inference vs. GitHub API operations.

Changes:

  • Replaces the “Install Agency” + agency copilot invocation with “Install Copilot CLI” + copilot --agent issue-manager.
  • Reworks the workflow’s authentication documentation and switches environment variables to separate Copilot model auth from GitHub API auth.
  • Tightens job permissions (removes issues: write) while keeping contents: read.
Comments suppressed due to low confidence (1)

.github/workflows/stale-issue-cleanup.yml:54

  • Job-level permissions is restricted to contents: read, but the workflow uploads an artifact via actions/upload-artifact@v4. That action uses GITHUB_TOKEN and typically requires actions: write; otherwise the upload can fail with "Resource not accessible by integration". Add actions: write (or remove the explicit permissions: override if least-privilege isn’t required here).
permissions:
  contents: read


💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

env:
GH_TOKEN: ${{ secrets.STALE_ISSUES_TOKEN }}
COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_TOKEN }}
STALE_ISSUES_TOKEN: ${{ secrets.STALE_ISSUES_TOKEN }}
Copy link

Copilot AI Feb 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

STALE_ISSUES_TOKEN is exported, but the issue-manager agent instructions use gh api ... (GitHub CLI), which authenticates via GH_TOKEN (or a persisted gh auth login). As written, gh calls from the agent will run unauthenticated and fail. Set GH_TOKEN: ${{ secrets.STALE_ISSUES_TOKEN }} (and keep COPILOT_GITHUB_TOKEN for model auth), or add an explicit gh auth login --with-token step.

Suggested change
STALE_ISSUES_TOKEN: ${{ secrets.STALE_ISSUES_TOKEN }}
STALE_ISSUES_TOKEN: ${{ secrets.STALE_ISSUES_TOKEN }}
GH_TOKEN: ${{ secrets.STALE_ISSUES_TOKEN }}

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants