removed test things. cleanup. restricted only for by command

Author: chernser

.github/workflows/claude-issue-triage.yml

@@ -1,8 +1,9 @@
 name: Triage issue with Claude
 
-# Triages a single GitHub issue with Claude. It runs when a new issue is opened,
-# when a maintainer comments `/triage` on an issue, or when dispatched manually
-# with an explicit issue number.
+# Triages a single GitHub issue with Claude. It runs when a maintainer comments
+# `/triage` on an issue, or when dispatched manually with an explicit issue
+# number. Triage is never run automatically on issue open, so untrusted users
+# cannot trigger model runs by opening issues.
 #
 # The triage method lives in a Claude "skill" committed to this repo at
 # `.cursor/skills/triage-issues/` (SKILL.md + references.md). The workflow checks
@@ -23,8 +24,6 @@ name: Triage issue with Claude
 # cannot post a tampered comment on its own.
 
 on:
-  issues:
-    types: [opened]
   issue_comment:
     types: [created]
   workflow_dispatch:
@@ -33,13 +32,6 @@ on:
         description: "Issue number to triage"
         required: true
         type: string
-  # TEST ONLY: run the split workflow on PRs so it can be exercised from a
-  # branch (a pull_request run uses the workflow file as it exists on the PR
-  # branch, and claude-code-action natively supports pull_request — unlike
-  # push). No issue context, so it falls back to issue 2827 (see prep step).
-  # Remove this trigger before merging.
-  pull_request:
-    types: [opened, synchronize, reopened]
 
 # Least privilege by default; each job narrows or widens this as needed.
 permissions:
@@ -48,12 +40,10 @@ permissions:
 jobs:
   triage:
     name: Triage issue
-    # Triage on: a newly opened issue, a `/triage` command from a maintainer
-    # (not on pull requests), or a manual dispatch.
+    # Triage only on an explicit `/triage` command from a maintainer (not on
+    # pull requests) or a manual dispatch. Opening an issue does not trigger it.
     if: >-
       github.event_name == 'workflow_dispatch' ||
-      github.event_name == 'issues' ||
-      github.event_name == 'pull_request' ||
       (github.event_name == 'issue_comment' &&
        github.event.issue.pull_request == null &&
        startsWith(github.event.comment.body, '/triage') &&
@@ -67,9 +57,6 @@ jobs:
     permissions:
       contents: read
       issues: read
-      # TEST ONLY: claude-code-action reads PR context on pull_request events.
-      # Read-only; remove with the pull_request trigger before merging.
-      pull-requests: read
     concurrency:
       group: claude-issue-triage-${{ github.repository }}-${{ github.event.inputs.issue_number || github.event.issue.number }}
       cancel-in-progress: true
@@ -97,10 +84,6 @@ jobs:
           # issue that triggered the event (opened issue or commented issue).
           ISSUE="${INPUT_ISSUE:-}"
           [ -z "$ISSUE" ] && ISSUE="${EVENT_ISSUE:-}"
-          # TEST ONLY: the pull_request trigger has no issue context, so fall
-          # back to a known issue to exercise the split workflow. Remove with the
-          # pull_request trigger before merging.
-          [ -z "$ISSUE" ] && ISSUE="2827"
           if [ -z "$ISSUE" ]; then
             echo "::error::no issue number — pass issue_number or trigger on issues/issue_comment"
             exit 1
@@ -196,7 +179,7 @@ jobs:
       # Hand the report to the privileged job via an artifact. Nothing with a
       # writable token has run up to this point.
       - name: Upload triage report
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: triage-report
           path: triage/triage-report.md
@@ -215,7 +198,7 @@ jobs:
       issues: write
     steps:
       - name: Download triage report
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           name: triage-report
           path: triage