mirror of
https://github.com/github/spec-kit.git
synced 2026-07-04 04:45:43 +08:00
* feat(bug-fix): add label-driven bug-fix agentic workflow

Add a `bug-fix` gh-aw workflow as stage 2 of the assess -> fix -> test bug pipeline, mirroring the existing `bug-assess` stage. It triggers when a maintainer applies the `bug-fix` label, recovers the slug and remediation contract from the prior bug-assess assessment comment, applies the fix, and opens a draft pull request plus a summary comment for human review.

The workflow is intentionally decoupled from Spec Kit specifics: it consumes the assessment from the issue comment rather than any `.specify/` files, so it is portable to other repositories running the matching bug-assess stage.

- .github/workflows/bug-fix.md authored and compiled to bug-fix.lock.yml
- Label-gated trigger (github.event.label.name == 'bug-fix')
- Draft PR via create-pull-request safe-output; scoped permissions
- Untrusted-input / URL-safety guardrails consistent with bug-assess
- Maintainer remains the gatekeeper; no unattended automation

Refs #3238

Assisted-by: GitHub Copilot (model: Claude Opus 4.8, autonomous)
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* fix(bug-fix): tighten bash allowlist and block protected files

Address Copilot review feedback on PR #3258:

- Trim tools.bash to the inspect set plus a small test-runner set (pytest, npm, go, cargo, dotnet), dropping package-manager/build tools (pip, npx, pnpm, yarn, mvn, gradle, make, bundle, rake, ruby, node) to reduce blast radius under prompt injection.
- Set create-pull-request.protected-files.policy: blocked so edits to sensitive files (dependency manifests, README/CHANGELOG/SECURITY, etc.) block PR creation, matching the stronger contract used by the other PR-creating workflows in this repo.

Refs #3238

Assisted-by: GitHub Copilot (model: Claude Opus 4.8, autonomous)
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* fix(bug-fix): resync lock body_hash after review edits

The Copilot autofix commits edited bug-fix.md (verdict phrasing, Assisted-by trailer) but did not recompile the lock, leaving body_hash stale. Since the workflow runs with strict integrity, the runtime-imported bug-fix.md must match the lock's recorded body_hash.

Recompiled with gh-aw v0.79.8 (checkout pin kept at v7.0.0 to match sibling locks); the only change is the body_hash.

Assisted-by: GitHub Copilot (model: Claude Opus 4.8, autonomous)
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* fix(bug-fix): align add-labels max to 1 and soften next-stage label reference

Address two Copilot review findings:

- add-labels.max: the authored frontmatter said max:1 but the committed lock enforced max:2 (stale from an earlier frontmatter), and Step 8 said 'max 2 labels total'. The workflow only ever applies ONE status label per run (fix-proposed | needs-reproduction | fix-blocked | needs-assessment), so 1 is the correct, tightest contract. Recompiled so the lock now enforces max:1, and reworded Step 8 to 'exactly one status label per run'.
- bug-test label: Step 7 hard-coded applying a 'bug-test' label that does not exist in this repo. Since the workflow is portable, reworded to present the stage-3 bug-test workflow as the planned next stage 'if the repository has it configured' rather than assuming it exists.

Recompiled with gh-aw v0.79.8; checkout pins kept at v7.0.0 to match sibling locks. No compile drift.

Assisted-by: GitHub Copilot (model: Claude Opus 4.8, autonomous)
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* fix(bug-fix): set add-labels max to 1 consistently across source and lock

A prior autofix flipped the authored frontmatter add-labels.max back to 2, re-introducing the mismatch: source said 2, the compiled lock enforced 1, and Step 8 prose says 'exactly one status label per run'. The workflow only ever applies a single status label per run (needs-assessment | needs-reproduction | fix-proposed | fix-blocked), so 1 is the correct, tightest contract and matches the compiled lock.

Set the frontmatter to max:1 so source, lock, and prose all agree (also avoids the lock staleness guard failing on a frontmatter mismatch).

Assisted-by: GitHub Copilot (model: Claude Opus 4.8, autonomous)
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* fix(bug-fix): relax protected files and number bug-fix branches

Address the two new Copilot review findings:

- was still covering README.md and CHANGELOG.md, which can legitimately need updates as part of a prior bug remediation. Add them to the exclude list so the workflow can still open a PR when the assessment calls for documentation changes, matching the pattern used by add-community-extension.
- The generated branch name used , but the repo convention for bug fixes requires so branches are traceable and aligned with AGENTS.md. Update the branch naming guidance to use .

Recompiled with gh-aw v0.79.8; lock reflects the protected-files exclusion and keeps the v7.0.0 checkout pin fixups.

Assisted-by: GitHub Copilot (model: Claude Opus 4.8, autonomous)
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* fix(bug-fix): accept workflow-authored assessment comments from bot/service accounts

Address the open Copilot finding on assessment-author matching.

The workflow previously required the prior assessment comment to be authored by `github-actions[bot]`. That is too strict for portable repos where bug-assess may post through a different bot/service account token.

Updated Step 1 to select the most recent assessment comment that appears workflow-authored by combining:
- bot/service-account authorship, and
- expected bug-assess structure (assessment header plus remediation/files/tests sections).

This keeps the spoof-resistance intent while removing dependence on one fixed login.

Recompiled with gh-aw v0.79.8 and kept checkout v7.0.0 pin fixups.

Assisted-by: GitHub Copilot (model: Claude Opus 4.8, autonomous)
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* fix(bug-fix): clarify local-check guardrails for dependency fetching

Address Copilot feedback on Step 5 consistency around network-dependent checks.

The workflow previously listed `go test ./...` and `cargo test` as examples while also forbidding network-dependent commands, which could be ambiguous on clean runners.

Updated Step 5 to:
- keep those commands as examples only when dependencies are already present
- explicitly disallow dependency-fetch/install commands during verification (go mod download/go get/cargo fetch/npm|pnpm|yarn install)

Recompiled with gh-aw v0.79.8 and kept checkout v7.0.0 pin fixups.

Assisted-by: GitHub Copilot (model: Claude Opus 4.8, autonomous)
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* fix(bug-fix): make status label application conditional on label existence

Address Copilot feedback about missing status labels causing runtime failures.

The workflow previously instructed unconditional application of `needs-assessment`, `fix-blocked`, and `fix-proposed`. In repositories where those labels are not pre-created, `add_labels` fails and can break the run.

Updated Steps 1/3/4/8 to require existence checks before adding those labels:
- add the label only if it exists
- otherwise skip labeling and explicitly note that in the comment

This preserves the status-label UX when labels exist while keeping execution robust in repos that have not created every optional status label yet.

Recompiled with gh-aw v0.79.8 and kept checkout v7.0.0 pin fixups.

Assisted-by: GitHub Copilot (model: Claude Opus 4.8, autonomous)
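The "accept workflow-authored assessment comments" commit above describes a two-factor selection rule for the prior bug-assess comment: the author must be a bot/service account (any login, not just `github-actions[bot]`) AND the body must carry the expected assessment structure. The following is an added example of that rule in Python; it is not spec-kit's or gh-aw's own code. The comment fields mirror what the GitHub API returns for issue comments, but the section headings (`## Bug Assessment: <slug>`, `### Remediation`, `### Files`, `### Tests`) and the sample comments are constructed assumptions, since the page does not show the real bug-assess comment format.

```python
"""Select the most recent workflow-authored bug-assess comment.

Added example, not spec-kit's or gh-aw's code. Section headings and the
slug format are assumed; the real bug-assess comment layout is not on the page.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed bug-assess layout: a header carrying the slug plus three sections.
SLUG_LINE = re.compile(r"^## Bug Assessment:\s*([a-z0-9][a-z0-9-]*)\s*$", re.MULTILINE)
REQUIRED_SECTIONS = (
    re.compile(r"^### Remediation\b", re.MULTILINE),
    re.compile(r"^### Files\b", re.MULTILINE),
    re.compile(r"^### Tests\b", re.MULTILINE),
)


@dataclass(frozen=True)
class Comment:
    id: int
    author_login: str
    author_type: str  # "User" or "Bot", as reported by the GitHub API's user.type
    created_at: datetime
    body: str


def is_service_account(c: Comment) -> bool:
    """Authorship factor: any bot/service account, not one fixed login.
    The API-reported type is the primary signal; the [bot] suffix is a
    fallback, since GitHub usernames cannot contain brackets."""
    return c.author_type == "Bot" or c.author_login.endswith("[bot]")


def extract_slug(body: str) -> str | None:
    """Recover the slug from the (assumed) assessment header, or None."""
    m = SLUG_LINE.search(body)
    return m.group(1) if m else None


def has_assessment_structure(body: str) -> bool:
    """Structure factor: header with slug plus every required section."""
    return extract_slug(body) is not None and all(s.search(body) for s in REQUIRED_SECTIONS)


def select_assessment(comments: list[Comment]) -> Comment | None:
    """Newest comment passing BOTH factors; None if nothing qualifies.
    A human-posted comment with the right shape is rejected, and so is a
    bot comment (e.g. a CI status) without the assessment sections."""
    candidates = [c for c in comments if is_service_account(c) and has_assessment_structure(c.body)]
    return max(candidates, key=lambda c: c.created_at) if candidates else None


def _utc(*parts: int) -> datetime:
    return datetime(*parts, tzinfo=timezone.utc)


# Constructed sample data (not a real issue thread).
VALID_BODY = """## Bug Assessment: login-500

### Remediation
Return 401 instead of raising on a missing session cookie.

### Files
- src/auth/session.py

### Tests
- tests/test_session.py::test_missing_cookie
"""

SAMPLE_COMMENTS = [
    Comment(1, "github-actions[bot]", "Bot", _utc(2026, 6, 30, 9, 0), VALID_BODY),
    Comment(2, "drive-by-user", "User", _utc(2026, 7, 2, 12, 0), VALID_BODY),  # spoof attempt
    Comment(3, "spec-kit-automation[bot]", "Bot", _utc(2026, 7, 1, 8, 0), VALID_BODY),
    Comment(4, "ci-status[bot]", "Bot", _utc(2026, 7, 3, 7, 0), "Build passed."),
]

if __name__ == "__main__":
    chosen = select_assessment(SAMPLE_COMMENTS)
    print(chosen.id if chosen else None, extract_slug(chosen.body) if chosen else None)
```

Comment 2 is the case the commit is defending against: a human posting a perfectly shaped assessment is not workflow-authored, so it is skipped even though it is newer than the genuine one. Comment 4 shows why authorship alone is not enough either.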
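Two of the commits above narrow what the agent may run in bash: the allowlist is trimmed to an inspect set plus `pytest`, `npm`, `go`, `cargo` and `dotnet`, and Step 5 then forbids dependency-fetch/install subcommands (`go mod download`, `go get`, `cargo fetch`, `npm|pnpm|yarn install`) even for allowed tools. The following is an added example, not gh-aw's enforcement code, showing how such a policy checks a proposed command line: deny by default, split compound lines at shell operators so `cargo test && cargo fetch` cannot smuggle a fetch past the first word, and match fetch subcommands per tool. The inspect-tool set is an assumption (the page does not enumerate it); the runner set and fetch subcommands are the ones the commit messages name.

```python
"""Classify a proposed verification command against the Step 5 contract.

Added example, not gh-aw's or spec-kit's own code. INSPECT_TOOLS is assumed;
TEST_RUNNERS and FETCH_SUBCOMMANDS come from the commit messages.
"""
import shlex

INSPECT_TOOLS = {"cat", "ls", "head", "tail", "grep", "rg", "find", "wc", "diff"}  # assumed
TEST_RUNNERS = {"pytest", "npm", "go", "cargo", "dotnet"}
ALLOWED_TOOLS = INSPECT_TOOLS | TEST_RUNNERS

# Subcommand prefixes that fetch or install dependencies. Blocked even though
# the tool itself is allowed; pnpm/yarn are listed so the policy is explicit
# if a repo adds them to the allowlist.
FETCH_SUBCOMMANDS = {
    "go": [("mod", "download"), ("get",)],
    "cargo": [("fetch",)],
    "npm": [("install",), ("i",), ("ci",)],
    "pnpm": [("install",)],
    "yarn": [("install",)],
}
_SHELL_PUNCT = set("();<>|&")


def split_simple_commands(line):
    """Split a shell line into simple commands at ;, &&, ||, | and redirects.
    punctuation_chars makes shlex emit operators as their own tokens, so a
    fetch hidden after && or ; still gets its own check. Redirect targets end
    up as a new 'command' and are denied, which errs on the safe side."""
    lex = shlex.shlex(line, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lex:  # raises ValueError on an unbalanced quote
        if set(tok) <= _SHELL_PUNCT:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def check_command(line):
    """Return (allowed, reason). Deny by default: unknown tools, wrappers
    such as sudo/env/bash -c, and dependency fetches are all refused."""
    try:
        commands = split_simple_commands(line)
    except ValueError as exc:
        return False, f"unparseable: {exc}"
    if not commands:
        return False, "empty command"
    for argv in commands:
        tool = argv[0]
        if tool not in ALLOWED_TOOLS:
            return False, f"tool not in allowlist: {tool}"
        for prefix in FETCH_SUBCOMMANDS.get(tool, []):
            if tuple(argv[1:1 + len(prefix)]) == prefix:
                return False, f"dependency fetch blocked: {' '.join(argv)}"
    return True, "ok"


# Constructed sample lines an agent might propose during verification.
SAMPLE_LINES = [
    "pytest -q tests/",
    "go test ./...",
    "cat go.mod | grep require",
    "cargo test && cargo fetch",
    "npm install; npm test",
    "go mod download",
    "pip install requests",
    "bash -c 'go get example.com/x'",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{check_command(line)[0]!s:5} {check_command(line)[1]:40} {line}")
```

The two layers are deliberately independent: the allowlist stops `pip`, `bash -c` and every other tool the commit dropped, while the subcommand table handles the narrower case of an allowed runner being used to reach the network.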