fix(flue): Harden issue triage workflow contracts

Validate the reusable workflow against GitHub Actions and action input contracts. Keep the workflow scoped to getsentry, validate required secrets before token creation, and configure pnpm setup to read automation/package.json.

Also reject cross-repository duplicate candidates before automatic closure so only same-repo duplicates can be closed without human review.

Co-Authored-By: GPT-5 Codex <noreply@openai.com>

Author: dcramer

.agents/skills/issue-triage/SKILL.md

@@ -51,6 +51,7 @@ Goal: determine whether the new issue is a confirmed duplicate.
    - Search open and closed issues in the same repository with `gh search issues --repo <repository>`.
    - Add `--limit 10` to every `gh search issues` command.
    - Exclude the current issue number from candidates.
+   - Only mark same-repository issues as duplicates. A cross-repository issue can be related context, but it must not be returned as `duplicate`.
 3. Keep search terms specific.
    - Do not search generic language, stack, or repo terms by themselves, such as `typescript`, `javascript`, `python`, `rust`, `language`, `rewrite`, `error`, or `timeout`.
    - For low-signal rewrite requests like "rewrite in Rust" with body "because Rust is good", search only the exact title and exact distinctive body phrase. Do not fan out to generic terms.

.agents/skills/issue-triage/SOURCES.md

@@ -6,6 +6,10 @@
 | --- | --- |
 | User request in this session | Defines required behavior: duplicate search and closure, repository checkout, diagnosis, validation, concise issue rewrites, issue-triage-bot identity in the first comment sentence, casually professional comment voice, and inheriting `not planned` closure from canonical duplicate issues. |
 | Flue README issue triage example | Confirms GitHub Actions + CLI-only Flue agent pattern, `sandbox: "local"`, staged skill calls, command grants, and structured Valibot results. |
+| GitHub Actions reusable workflow documentation | Confirms `workflow_call`, caller job `uses`, inherited secrets, caller-owned `github` context, and `GITHUB_TOKEN` permission downgrading behavior. |
+| GitHub Actions events and workflow template documentation | Confirms issue events run from workflows in the event repository and org `.github` templates are for creating local workflow files, not global event subscription. |
+| `actions/create-github-app-token`, `actions/checkout`, `actions/setup-node`, and `pnpm/action-setup` documentation | Confirms GitHub App token inputs, scoped repository tokens, checkout inputs, pnpm cache setup, and non-root `package_json_file` behavior. |
+| OpenAI API authentication documentation | Confirms the model provider key should stay secret and be loaded from server-side environment variables. |
 | `gh issue --help`, `gh issue view --help`, `gh issue edit --help`, `gh issue close --help`, `gh search issues --help`, `gh label list --help` | Confirms available GitHub CLI commands and flags for reading issues, searching duplicates, editing bodies, closing issues, and listing labels. |
 | Repository `AGENTS.md` | Supplies project workflow constraints, security expectations, and quality gate expectations. |
 
@@ -26,5 +30,5 @@
 
 ## Open Gaps
 
-- The first implementation does not run an end-to-end dry run against a real issue to confirm GitHub token permissions.
+- The first implementation does not run an end-to-end smoke test against a real issue to confirm GitHub token permissions.
 - Duplicate detection is agent-assisted and conservative; it may require follow-up tuning after observing real triage outcomes.

.flue/agents/issue-triage.ts

@@ -298,6 +298,24 @@ function normalizeStateReason(value: unknown) {
   return value.toLowerCase().replace(/[\s-]+/g, "_");
 }
 
+export function issueRepositoryFromUrl(url: string) {
+  try {
+    const parsed = new URL(url);
+    if (parsed.hostname !== "github.com") {
+      return null;
+    }
+
+    const [owner, name, type] = parsed.pathname.split("/").filter(Boolean);
+    if (!owner || !name || type !== "issues") {
+      return null;
+    }
+
+    return `${owner}/${name}`;
+  } catch {
+    return null;
+  }
+}
+
 export function wasClosedAsNotPlanned(issue: unknown) {
   if (!isRecord(issue)) {
     return false;
@@ -887,6 +905,31 @@ export default async function ({ init, payload }: FlueContext) {
       );
     }
 
+    const duplicateRepository = issueRepositoryFromUrl(
+      duplicateSearch.duplicate.url,
+    );
+    if (repository && duplicateRepository !== repository) {
+      return {
+        outcome: "needs_human_review",
+        steps: [
+          { name: "search-duplicates", result: duplicateSearch.status },
+          {
+            name: "validate-duplicate",
+            result: duplicateRepository
+              ? `cross-repo candidate from ${duplicateRepository}`
+              : "candidate URL did not identify a same-repo GitHub issue",
+          },
+        ],
+        duplicate: duplicateSearch.duplicate,
+        labels_applied: [],
+        comment_posted: false,
+        needs_human_review: true,
+        summary: duplicateRepository
+          ? `Found duplicate candidate #${duplicateSearch.duplicate.number} in ${duplicateRepository}, but automatic closure only supports same-repo duplicates.`
+          : `Found duplicate candidate #${duplicateSearch.duplicate.number}, but its URL could not be validated as a same-repo issue.`,
+      };
+    }
+
     const closureContext = await readIssueContext(
       session,
       issueNumber,

.flue/tests/issue-triage.test.ts

@@ -4,6 +4,7 @@ import {
   buildDuplicateClosureComment,
   hasDuplicateOfFlag,
   hasIssueTriageBotIntro,
+  issueRepositoryFromUrl,
   wasClosedAsNotPlanned,
   withIssueTriageBotIntro,
 } from "../agents/issue-triage";
@@ -82,4 +83,13 @@ describe("duplicate closure", () => {
     );
     expect(hasDuplicateOfFlag("      --reason string      Reason")).toBe(false);
   });
+
+  it("extracts the repository from GitHub issue URLs", () => {
+    expect(
+      issueRepositoryFromUrl(
+        "https://github.com/getsentry/sentry-mcp/issues/950",
+      ),
+    ).toBe("getsentry/sentry-mcp");
+    expect(issueRepositoryFromUrl("https://example.com/issues/950")).toBeNull();
+  });
 });

.github/flue/README.md

@@ -42,9 +42,10 @@ jobs:
 Repositories are still centrally gated by `features.json`. If a caller workflow
 is added to a repository that is not listed there, the reusable workflow exits
 before creating a Sentry Intern app token or checking out the target repository.
-For `workflow_call` runs, the requested repository must also match the caller
-repository. Manual dispatch from `.github` is the only path that can point the
-workflow at a different allowlisted repository for smoke testing.
+For `workflow_call` runs, the requested repository must also belong to
+`getsentry` and match the caller repository. Manual dispatch from `.github` is
+the only path that can point the workflow at a different allowlisted repository
+for smoke testing.
 
 ## Configuration
 
@@ -55,8 +56,11 @@ Required organization configuration:
 - `FLUE_OPENAI_API_KEY` secret for the model provider.
 
 Sentry Intern only needs the GitHub App `Issues: read and write` repository
-permission for triage comments, labels, issue edits, and issue closure. Source
-checkout uses the caller workflow's `GITHUB_TOKEN` with `contents: read`.
+permission for triage comments, labels, issue edits, and issue closure. GitHub
+Apps also receive read-only metadata access. Source checkout uses the caller
+workflow's `GITHUB_TOKEN` with `contents: read`; the current enabled
+repositories are public, so manual smoke-test checkouts from `.github` work
+without granting the app contents access.
 
 ## Testing
 

.github/workflows/issue-triage.yml

@@ -60,7 +60,7 @@ jobs:
           TARGET_ISSUE_NUMBER: ${{ inputs['issue-number'] }}
           TARGET_REF: ${{ inputs['target-ref'] }}
           AUTOMATION_REF: ${{ inputs['automation-ref'] }}
-          EXPECTED_OWNER: ${{ github.repository_owner }}
+          EXPECTED_OWNER: getsentry
           CALLER_REPOSITORY: ${{ github.repository }}
           EVENT_NAME: ${{ github.event_name }}
           WORKFLOW_REF_NAME: ${{ github.ref_name }}
@@ -109,7 +109,7 @@ jobs:
       - name: Checkout org automation
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          repository: ${{ github.repository_owner }}/.github
+          repository: getsentry/.github
           ref: ${{ steps.target.outputs['automation-ref'] }}
           path: automation
           persist-credentials: false
@@ -126,19 +126,29 @@ jobs:
       - name: Validate Flue configuration
         env:
           FLUE_CLIENT_ID: ${{ vars.FLUE_CLIENT_ID }}
+          FLUE_PRIVATE_KEY: ${{ secrets.FLUE_PRIVATE_KEY }}
+          FLUE_OPENAI_API_KEY: ${{ secrets.FLUE_OPENAI_API_KEY }}
         run: |
           if [ -z "$FLUE_CLIENT_ID" ]; then
             echo "Missing required FLUE_CLIENT_ID organization variable" >&2
             exit 2
           fi
+          if [ -z "$FLUE_PRIVATE_KEY" ]; then
+            echo "Missing required FLUE_PRIVATE_KEY organization secret" >&2
+            exit 2
+          fi
+          if [ -z "$FLUE_OPENAI_API_KEY" ]; then
+            echo "Missing required FLUE_OPENAI_API_KEY organization secret" >&2
+            exit 2
+          fi
 
       - name: Create issue triage bot token
         id: issue-triage-app-token
         uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
         with:
           client-id: ${{ vars.FLUE_CLIENT_ID }}
           private-key: ${{ secrets.FLUE_PRIVATE_KEY }}
-          owner: ${{ github.repository_owner }}
+          owner: getsentry
           repositories: ${{ steps.target.outputs.name }}
           permission-issues: write
 
@@ -164,6 +174,7 @@ jobs:
       - name: Install pnpm
         uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4.3.0
         with:
+          package_json_file: automation/package.json
           run_install: false
 
       - name: Setup Node.js