65 changes: 48 additions & 17 deletions .github/workflows/stale-issue-cleanup.yml
@@ -1,25 +1,55 @@
name: Stale Issue Cleanup

# Authentication:
# This workflow requires a token with the following scopes:
# - issues:write (to comment on and close issues)
# - read:org (to read team membership)
# - read:project and project (to update the Resolution project field)
# For experimentation, use a PAT stored as STALE_ISSUES_TOKEN repo secret.
# For production, replace with a GitHub App token to avoid manual renewal:
# - Register one "Storage Explorer Automation" GitHub App in the microsoft org
# - Grant it issues:write, members:read, and projects:write permissions
# - Install it on this repo (and any other repos your agents need)
# - Use actions/create-github-app-token to generate tokens at runtime
# - One app can serve all agent workflows
# # Authentication
#
# This workflow uses two secrets:
#
# 1. `COPILOT_TOKEN` — a Fine-Grained Personal Access Token for Copilot model inference
#
# The Copilot CLI (v0.0.413+) accepts only OAuth tokens or Fine-Grained PATs
# (prefix: github_pat_). Classic PATs (prefix: ghp_) are rejected with
# "No authentication information found" regardless of which env var they are placed in
# or whether they have the `copilot` scope.
#
# To create this token:
#
# - Go to github.com/settings/personal-access-tokens/new
# - Resource owner: your personal account
# - Repository access: None (no repository permissions needed)
# - Expiration: set as appropriate
# - Account permissions: Copilot Requests -> Read-only
# - Store as `COPILOT_TOKEN` repo secret
#
# 2. `STALE_ISSUES_TOKEN` — a Classic PAT for GitHub CLI API calls
#
# Fine-Grained PATs in the microsoft org require org owner approval, so a Classic PAT
# is used for org-level operations. Required scopes:
#
# - `read:org` — list members of the microsoft/azure-storage-explorer team
# - `project` — update the Resolution field on the org-level project
# - `repo` — comment on and close issues
#
# PATs are a temporary onboarding mechanism. For production, consider replacing with a
# GitHub App token to avoid manual renewal:
#
# - Register a "Storage Explorer Automation" GitHub App in the microsoft org
# - Grant it `members:read` and `projects:write` permissions
# - Install it on this repo
# - Use `actions/create-github-app-token` to generate tokens at runtime
# Note: a GitHub App cannot hold a Copilot seat, so COPILOT_TOKEN will always require
# a personal Fine-Grained PAT.
#
# # Install Step Note
#
# The "Install Copilot CLI" step downloads from gh.io/copilot-install, which is a public
# GitHub URL that completes in ~3 seconds on GitHub-hosted runners.

on:
schedule:
- cron: "0 9 1,15 * *" # Twice monthly
workflow_dispatch: # Allow manual triggers

permissions:
issues: write
contents: read

jobs:
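Review bot: The `repo` scope documented for `STALE_ISSUES_TOKEN` in the new header comment is much broader than its stated purpose ("comment on and close issues"). On a Classic PAT, `repo` grants read and write access to every repository the token owner can reach, not just this one. The removed comment asked only for `issues:write`, and the workflow still declares `permissions: issues: write`, so consider letting the built-in `GITHUB_TOKEN` handle commenting and closing, and keep the PAT to `read:org` and `project`. Also, the GitHub App bullet now lists only `members:read` and `projects:write`, while the earlier text included `issues:write`; if the app token is meant to replace this PAT for closing issues, that permission should stay in the list.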
Expand All @@ -29,16 +59,17 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4

- name: Install Agency
- name: Install Copilot CLI
run: |
curl -sSfL https://aka.ms/InstallTool.sh | sh -s agency
curl -fsSL https://gh.io/copilot-install | bash
echo "$HOME/.local/bin" >> "$GITHUB_PATH"

- name: Run stale issue cleanup agent
env:
GH_TOKEN: ${{ secrets.STALE_ISSUES_TOKEN }}
COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_TOKEN }}
STALE_ISSUES_TOKEN: ${{ secrets.STALE_ISSUES_TOKEN }}

Copilot AI Feb 21, 2026

STALE_ISSUES_TOKEN is exported, but the issue-manager agent instructions use gh api ... (GitHub CLI), which authenticates via GH_TOKEN (or a persisted gh auth login). As written, gh calls from the agent will run unauthenticated and fail. Set GH_TOKEN: ${{ secrets.STALE_ISSUES_TOKEN }} (and keep COPILOT_GITHUB_TOKEN for model auth), or add an explicit gh auth login --with-token step.

Suggested change
STALE_ISSUES_TOKEN: ${{ secrets.STALE_ISSUES_TOKEN }}
STALE_ISSUES_TOKEN: ${{ secrets.STALE_ISSUES_TOKEN }}
GH_TOKEN: ${{ secrets.STALE_ISSUES_TOKEN }}

run: |
agency copilot \
copilot \
--agent issue-manager \
--prompt "Find and close stale bug issues." \
--allow-all-tools \
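Review bot: The install step pipes an unpinned remote script straight into a shell (`curl -fsSL https://gh.io/copilot-install | bash`) and then adds `$HOME/.local/bin` to `GITHUB_PATH`, so whatever that URL serves at run time ends up on the PATH of the next step, which holds both `COPILOT_TOKEN` and the Classic PAT and runs the agent with `--allow-all-tools`. Pin the installer to a specific release and verify a checksum recorded in the repo before executing it, rather than fetching the current script on every scheduled run. The header comment's note that the download is public and fast does not address integrity. Separately, because the agent reads issue content with all tools allowed, the narrower the token in this `env:` block, the smaller the impact of a misbehaving run.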