ci: pass TRIAGE_WEBHOOK_URL to octo-issue-notify#81
Merged
Conversation
The issue notification caller only forwarded OCTO_BOT_TOKEN, so the triage webhook mode of octo-issue-notify@v1 never received its URL and was silently skipped β the issue triage agent was never invoked. Forward TRIAGE_WEBHOOK_URL (org-level secret) so the triage agent runs on new issues.
Jerry-Xin
approved these changes
Jun 8, 2026
Jerry-Xin
left a comment
Jerry-Xin
left a comment
There was a problem hiding this comment.
The PR is relevant to octo-admin and correctly forwards the optional triage webhook secret to the issue notification reusable workflow.
π¬ Non-blocking
- π΅ Suggestion:
.github/workflows/octo-issue-feed.yml:11usesMininglamp-OSS/.github/.github/workflows/octo-issue-notify.yml@v1, a mutable tag, while.github/workflows/octo-issue-feed.yml:19-21forwards secrets. This matches the existing project pattern, so it is not blocking, but pinning secret-bearing reusable workflows to immutable SHAs would reduce supply-chain risk.
β Highlights
.github/workflows/octo-issue-feed.yml:20-21now passes bothOCTO_BOT_TOKENandTRIAGE_WEBHOOK_URL, aligning the caller with the reusable workflowβs optional triage webhook mode.- The change is narrowly scoped and does not introduce new permissions or expose the secret in logs.
yujiawei
approved these changes
Jun 8, 2026
yujiawei
left a comment
yujiawei
left a comment
There was a problem hiding this comment.
Code Review β PR #81 (octo-admin)
Summary
This one-line change forwards the TRIAGE_WEBHOOK_URL secret from octo-issue-feed.yml into the reusable octo-issue-notify.yml@v1 workflow, so that the triage webhook mode is actually enabled. Previously only OCTO_BOT_TOKEN was forwarded, so the reusable workflow's optional TRIAGE_WEBHOOK_URL secret was always empty and the triage agent was never invoked. The fix is correct and minimal.
1. Verification
- β
Secret name matches the reusable workflow contract. The reusable workflow
Mininglamp-OSS/.github/.github/workflows/octo-issue-notify.yml@v1declaressecrets.TRIAGE_WEBHOOK_URL(required: false). The caller passesTRIAGE_WEBHOOK_URL: ${{ secrets.TRIAGE_WEBHOOK_URL }}β exact name match, no typo. (octo-issue-feed.yml:21) - β
Downstream actually consumes the secret. The reusable workflow forwards it to the
octo-notify@v1composite action aswebhook-url: ${{ secrets.TRIAGE_WEBHOOK_URL }}, which enables "webhook mode" and POSTs the caller-built JSON payload. Cross-repo dependency chain verified end-to-end (caller β reusable workflow β composite action). - β
Graceful no-op when the secret is absent.
TRIAGE_WEBHOOK_URLis declaredrequired: false. If the secret is unset,secrets.TRIAGE_WEBHOOK_URLresolves to an empty string; the composite action's webhook branch is gated onif webhook_url:(after.strip()), so an empty value simply skips webhook mode without failing the job. No build/run break introduced. - β
Consistent with existing convention. This mirrors the pre-existing
OCTO_BOT_TOKENline directly above it; same@v1ref, samesecrets:block style.
2. Security review (PR classified security-sensitive)
- β
No secret leakage to untrusted users. The workflow triggers on
issues: [opened, reopened]. The webhook URL is a capability secret consumed only viaenv:inside the composite action and sent throughurllibβ it is never echoed to logs (only the static labelwebhookis printed), and GitHub masks registered secret values. The issue author/title never receive the secret. - β
No injection surface. The webhook payload is constructed with
json.dumpsoverenv:-provided values, and inputs are sanitized (control characters stripped, length-capped) in the reusable workflow before serialization. No${{ }}interpolation into shell or JSON strings. - β Minimal egress by design. The forwarded payload contains only repo/number/title/url/author/action β the issue body is deliberately not egressed (the triage agent fetches details itself via the GitHub API). This is appropriate for a public repo.
- β
Least privilege preserved.
permissions: {}is retained; no new permissions are granted by this change.
3. Items worth a human verifying (no code change required)
These are operational/config checks that cannot be confirmed from the diff alone:
- Does the
TRIAGE_WEBHOOK_URLsecret actually exist at the org or repo level with the correct value? If it is unset or wrong, this change is a safe no-op but the stated goal (triage runs on new issues) will silently not happen. Recommend confirming the secret is configured and pointing at the intended triage endpoint, then opening a test issue to confirm the triage agent fires. - Capability-secret correctness (the URL path itself being the auth token) cannot be validated from code β confirm the endpoint is the intended triage receiver.
4. Non-blocking notes
- (nit, pre-existing) Both reusable-workflow refs use the mutable tag
@v1rather than a pinned commit SHA. For supply-chain hardening, pinning org reusable workflows to a SHA is best practice. This is consistent with the existingOCTO_BOT_TOKENline and not introduced by this PR, so it is out of scope here β just flagging for a future hardening pass. - (observation) The reusable workflow now centrally forwards only
opened(notreopened), while this caller still subscribes to[opened, reopened]. Reopened events will trigger the job and then be skipped early inside the reusable workflow. This is intended per the reusable workflow's documented event policy; harmless, minor wasted run on reopen.
Verdict
The change is correct, minimal, and safe. The cross-repo secret contract is satisfied and the security posture is sound. No P0/P1 issues. The only follow-ups are operational config verifications (secret existence/value), not code defects β so they do not block merge.
APPROVED.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The issue notification caller only forwarded OCTO_BOT_TOKEN, so the triage webhook mode was silently skipped and the triage agent was never invoked. Forward the org-level TRIAGE_WEBHOOK_URL secret so triage runs on new issues.