Add GitHub Actions workflow for auto-answering issues#5836
Pull request overview
Adds a new GitHub Actions workflow intended to automatically generate and post responses to newly opened/labeled GitHub issues by running a Node.js script (with OpenAI + Octokit dependencies).
Changes:
- Introduces `.github/workflows/main.yml` to trigger on `issues` events (`opened`, `labeled`).
- Sets up Node.js 20, installs `@octokit/rest` and `openai`, then executes a repo script to generate/post a response.
@copilot rename the file to auto-answer-issues.yml
| permissions: | ||
| issues: write | ||
| contents: read |
The job requests contents: read, but this workflow doesn’t appear to need repository contents (it only installs npm packages and calls GitHub/Azure OpenAI). For least-privilege, consider removing contents: read unless a later step truly requires it.
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
|
|
The actions/checkout step is not used by subsequent steps (the script is inline and dependencies are installed from the registry). Removing checkout reduces runtime and avoids granting/using repository content access unnecessarily.
| - name: Checkout repository | |
| uses: actions/checkout@v4 |
| }); | ||
| const botAlreadyCommented = comments.some( | ||
| (comment) => comment.user?.login === "github-actions[bot]" |
This prompt hard-codes “An issue has been opened…”, but the workflow also runs on the labeled event. Consider adjusting the prompt text based on github.event.action so the model has accurate context (e.g., “opened” vs “labeled for auto-answer”).
| - Uses markdown formatting suitable for a GitHub issue comment. | ||
| `; | ||
|
|
||
| const completion = await openai.chat.completions.create({ | ||
| model: AZURE_OPENAI_DEPLOYMENT, | ||
| messages: [ |
This workflow always posts a new comment for every eligible opened/labeled event. There’s currently no guard for a specific label name and no check for whether the bot has already commented, so repeated labeling (or reopening) can spam issues and burn Azure OpenAI tokens. Consider (a) gating on a dedicated label (e.g. only when action == 'labeled' && label.name == 'auto-answer'), and/or (b) listing existing issue comments via Octokit and exiting early if a prior auto-answer marker/comment from the bot is already present.
gladjohn left a comment:
do we plan to turn off the issue sentinel workflow that gets triggered now?
This action will attempt to answer questions customers have when posted on the repo.
…hor_association (#5841)
* Initial plan
* Guard workflow against untrusted triggering using author_association
Co-authored-by: trwalke <30090357+trwalke@users.noreply.github.com>
* Add COLLABORATOR and CONTRIBUTOR to author_association guard
Co-authored-by: trwalke <30090357+trwalke@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: trwalke <30090357+trwalke@users.noreply.github.com>

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

…issues.yml (#5842)
* Initial plan
* Rename main.yml to auto-answer-issues.yml
Co-authored-by: trwalke <30090357+trwalke@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: trwalke <30090357+trwalke@users.noreply.github.com>

…5843)
* Initial plan
* Switch auto-answer-issues workflow from OpenAI.com to Azure OpenAI
Co-authored-by: trwalke <30090357+trwalke@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: trwalke <30090357+trwalke@users.noreply.github.com>

…workflow (#5846)
* Initial plan
* Fix ESM/CJS issue: use dynamic import() for openai and @octokit/rest in workflow
Co-authored-by: trwalke <30090357+trwalke@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: trwalke <30090357+trwalke@users.noreply.github.com>

…s workflow (#5845)
* Initial plan
* Remove CONTRIBUTOR from author_association check in auto-answer-issues workflow
Co-authored-by: trwalke <30090357+trwalke@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: trwalke <30090357+trwalke@users.noreply.github.com>

* Initial plan
* Add duplicate comment detection to auto-answer-issues workflow
Co-authored-by: trwalke <30090357+trwalke@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: trwalke <30090357+trwalke@users.noreply.github.com>
7e8dbfc to 52a3945
| # Only run for issues created by org members or owners (i.e., Microsoft Open Source enterprise members). | ||
| # github.event.issue.author_association is set by GitHub based on the issue author's relationship | ||
| # to this repository. MEMBER = org member, OWNER = repo/org owner. This prevents untrusted | ||
| # external contributors from triggering the Azure OpenAI-backed responder and consuming secrets/tokens. |
The comment claims this only runs for org members/owners and equates that to “Microsoft Open Source enterprise members”, but github.event.issue.author_association reflects repo/org relationship (not GitHub Enterprise membership). Please adjust this comment to accurately describe what’s enforced so readers don’t assume a stronger guarantee than exists.
| # Only run for issues created by org members or owners (i.e., Microsoft Open Source enterprise members). | |
| # github.event.issue.author_association is set by GitHub based on the issue author's relationship | |
| # to this repository. MEMBER = org member, OWNER = repo/org owner. This prevents untrusted | |
| # external contributors from triggering the Azure OpenAI-backed responder and consuming secrets/tokens. | |
| # Only run for issues created by users who have a trusted relationship to this repo/org in GitHub | |
| # (based on github.event.issue.author_association), such as MEMBER, OWNER, or COLLABORATOR. | |
| # author_association reflects the issue author's relationship to this repository/organization only; | |
| # it does NOT indicate GitHub Enterprise or "Microsoft Open Source enterprise" membership. |
| if: | | ||
| github.event.issue.author_association == 'MEMBER' || | ||
| github.event.issue.author_association == 'OWNER' || | ||
| github.event.issue.author_association == 'COLLABORATOR' | ||
| steps: |
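Review bot: the `if:` guard keys on `github.event.issue.author_association`, which describes the issue author, not the actor of the event, so on the `labeled` trigger it never looks at who applied the label: an issue opened by a MEMBER runs the job whoever labels it, while an external user's issue stays ineligible even when a maintainer labels it deliberately. If maintainer labeling is meant to be the trigger path, gate the `labeled` case on a specific `github.event.label.name` as well, since applying labels already requires triage permission on the repository.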
The explanatory comment says “Only run for issues created by org members or owners”, but the if: condition also allows COLLABORATOR. Either update the comment to include collaborators, or tighten the condition to match the stated restriction.
| if: | | ||
| github.event.issue.author_association == 'MEMBER' || | ||
| github.event.issue.author_association == 'OWNER' || | ||
| github.event.issue.author_association == 'COLLABORATOR' | ||
| steps: |
PR description says the automation is restricted to “members, owners, collaborators, and contributors”, but the workflow guard currently does not include CONTRIBUTOR. Either update the PR description to match the implementation, or add CONTRIBUTOR back if it’s intended to be allowed.
| // Check if the bot has already commented on this issue to avoid duplicate responses. | ||
| const comments = await octokit.paginate(octokit.issues.listComments, { | ||
| owner: REPO_OWNER, | ||
| repo: REPO_NAME, | ||
| issue_number: issueNumber, | ||
| per_page: 100 | ||
| }); | ||
| const botAlreadyCommented = comments.some( | ||
| (comment) => comment.user?.login === "github-actions[bot]" | ||
| ); | ||
| if (botAlreadyCommented) { | ||
| console.log("Bot has already commented on this issue. Skipping."); | ||
| return; | ||
| } |
The duplicate-response check treats any existing comment by github-actions[bot] as “already answered”. That’s overly broad (other workflows/actions can comment as github-actions[bot]) and can prevent this workflow from ever posting. Consider adding a unique marker to this workflow’s comment (e.g., an HTML comment tag) and checking for that marker instead.
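As an added example (not code from PR #5836 or the repository's workflow), a JavaScript sketch of the two guards the review comments above ask for: gating on a trusted `author_association` plus a dedicated trigger label, and a marker-based duplicate check instead of treating any `github-actions[bot]` comment as an answer. The marker string, the label name and the function names are assumptions; the event and comment objects mirror the `github.event` and `listComments` shapes used in the workflow.

```javascript
// Added example, not the PR's own script. Marker and label name are assumed.
const AUTO_ANSWER_MARKER = "<!-- auto-answer-issues:bot-reply -->";
const TRIGGER_LABEL = "auto-answer";
// Matches the associations the workflow's `if:` condition accepts.
const TRUSTED_ASSOCIATIONS = new Set(["MEMBER", "OWNER", "COLLABORATOR"]);

// Decide whether an `issues` event should produce a reply. `event` mirrors
// github.event: { action, label?, issue: { author_association } }.
function shouldAutoAnswer(event) {
  const association = event.issue?.author_association;
  if (!TRUSTED_ASSOCIATIONS.has(association)) {
    return { run: false, reason: `untrusted author_association: ${association}` };
  }
  if (event.action === "opened") {
    return { run: true, reason: "issue opened by trusted author" };
  }
  if (event.action === "labeled" && event.label?.name === TRIGGER_LABEL) {
    return { run: true, reason: `labeled with ${TRIGGER_LABEL}` };
  }
  return { run: false, reason: `action ${event.action} is not eligible` };
}

// Prefix the model's answer with a marker so this workflow can recognise
// its own comments later without matching every github-actions[bot] post.
function buildComment(answerMarkdown) {
  return `${AUTO_ANSWER_MARKER}\n${answerMarkdown}`;
}

// Only a bot comment carrying our marker counts as "already answered".
function alreadyAnswered(comments) {
  return comments.some(
    (c) => c.user?.login === "github-actions[bot]" &&
           (c.body ?? "").includes(AUTO_ANSWER_MARKER)
  );
}

// Constructed sample data standing in for the listComments response.
const sampleComments = [
  { user: { login: "github-actions[bot]" }, body: "Build failed (posted by another workflow)" },
  { user: { login: "octocat" }, body: "Any update on this?" },
];

const sampleEvent = {
  action: "labeled",
  label: { name: TRIGGER_LABEL },
  issue: { author_association: "MEMBER" },
};
console.log(shouldAutoAnswer(sampleEvent), alreadyAnswered(sampleComments));
```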
This pull request introduces a new GitHub Actions workflow to automatically respond to issues opened or labeled by trusted contributors. The workflow leverages Azure OpenAI to generate a friendly, informative reply and posts it as a comment on the issue. The automation is restricted to members, owners, collaborators, and contributors to prevent misuse.
Automated issue triage and response:
- `.github/workflows/auto-answer-issues.yml`: enables automatic responses to issues using Azure OpenAI, triggered when issues are opened or labeled by trusted contributors.
- `@octokit/rest` and `openai` Node.js packages: used to interact with the GitHub and Azure OpenAI APIs for generating and posting replies.

Security and access control: