
Issues: unify bug form and subtype auto-labeling#30733

Merged
Takhoffman merged 1 commit into main from task/issue-label-taxonomy
Mar 1, 2026

Conversation

@Takhoffman
Contributor

Summary

Describe the problem and fix in 2–5 bullets:

  • Problem: Regression reports and other bug types were split across templates, and issue subtype labels were inconsistent when users picked the wrong path.
  • Why it matters: Triage filters and queues lose precision when bugs are mislabeled or unlabeled by subtype.
  • What changed: Consolidated bug intake into one bug form with required Bug type selection and added issue automation that maps that selection to exactly one subtype label (regression, bug:crash, bug:behavior).
  • What did NOT change (scope boundary): No PR labeling logic, no triage lifecycle label changes (triage:*), and no runtime/product behavior changes.

Change Type (select all)

  • Bug fix
  • Feature
  • Refactor
  • Docs
  • Security hardening
  • Chore/infra

Scope (select all touched areas)

  • Gateway / orchestration
  • Skills / tool execution
  • Auth / tokens
  • Memory / storage
  • Integrations
  • API / contracts
  • UI / DX
  • CI/CD / infra

Linked Issue/PR

  • Closes #
  • Related #

User-visible / Behavior Changes

  • Issue reporters now use a single bug template and must pick a bug type.
  • New bug issues with bug label are auto-normalized to exactly one subtype label: regression, bug:crash, or bug:behavior.

Security Impact (required)

  • New permissions/capabilities? (Yes/No) No
  • Secrets/tokens handling changed? (Yes/No) No
  • New/changed network calls? (Yes/No) No
  • Command/tool execution surface changed? (Yes/No) No
  • Data access scope changed? (Yes/No) No
  • If any Yes, explain risk + mitigation: N/A

Repro + Verification

Environment

  • OS: macOS
  • Runtime/container: Node 22 + pnpm workspace
  • Model/provider: N/A
  • Integration/channel (if any): GitHub issue forms + issue workflows
  • Relevant config (redacted): N/A

Steps

  1. Open new issue and pick Bug report.
  2. Submit with each Bug type option.
  3. Confirm subtype label is applied and other subtype labels are removed.

Expected

  • Subtype label matches the selected bug type and remains mutually exclusive.

Actual

  • Matches expected in local workflow logic and validation checks.

Evidence

Attach at least one:

  • Failing test/log before + passing after
  • Trace/log snippets
  • Screenshot/recording
  • Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

  • Verified scenarios: reviewed issue-form markdown parsing path and label sync behavior; verified formatting/lint/policy checks pass (pnpm check).
  • Edge cases checked: unknown/missing Bug type value no-ops; non-bug issues are ignored; conflicting subtype labels are normalized to one.
  • What you did not verify: live GitHub issue creation against production repo web UI.

Compatibility / Migration

  • Backward compatible? (Yes/No) Yes
  • Config/env changes? (Yes/No) No
  • Migration needed? (Yes/No) No
  • If yes, exact upgrade steps: N/A

Failure Recovery (if this breaks)

  • How to disable/revert this change quickly: revert this PR.
  • Files/config to restore: .github/ISSUE_TEMPLATE/bug_report.yml, .github/ISSUE_TEMPLATE/regression_bug_report.yml, .github/workflows/auto-response.yml, CHANGELOG.md.
  • Known bad symptoms reviewers should watch for: missing subtype labels on new bug issues, or wrong subtype label assignment.

Risks and Mitigations

List only real risks for this PR. Add/remove entries as needed. If none, write None.

  • Risk: Issue-form heading/value drift could break subtype extraction from markdown.
    • Mitigation: strict whitelist mapping + safe no-op when unmatched.
  • Risk: Existing issues may have stale mixed subtype labels.
    • Mitigation: workflow normalizes labels on issue edits/open events.

@aisle-research-bot

aisle-research-bot bot commented Mar 1, 2026

🔒 Aisle Security Analysis

We found 1 potential security issue(s) in this PR:

# | Severity | Title
1 | 🔵 Low | Untrusted issue events can trigger GitHub App token to create repository labels (label sync)

1. 🔵 Untrusted issue events can trigger GitHub App token to create repository labels (label sync)

Severity: Low
CWE: CWE-285
Location: .github/workflows/auto-response.yml:3-10

Description

The Auto response workflow runs on untrusted, user-controlled events (issues opened/edited and issue_comment created) while minting a GitHub App installation token from repository secrets and using it to perform repo-wide write operations.

With the newly added label-sync logic, any user who can open/edit an issue can cause the workflow to attempt repository label creation (not just labeling that issue):

  • Triggers include issues (opened, edited) and issue_comment (created), which can be initiated by arbitrary GitHub users in public repos.
  • The workflow creates a GitHub App token using secrets.GH_APP_PRIVATE_KEY* and passes it to actions/github-script.
  • New helper ensureLabelExists() calls github.rest.issues.createLabel(...) when a label is missing.

While the label names/descriptions are currently hard-coded (limiting impact), this still expands the attack surface for privileged automation on untrusted events and enables label/metadata pollution if labels are absent, without any actor trust/authorization check.

Vulnerable code (repo label creation on untrusted events):

on:
  issues:
    types: [opened, edited, labeled]
  issue_comment:
    types: [created]
await github.rest.issues.createLabel({
  owner: context.repo.owner,
  repo: context.repo.repo,
  name,
  color,
  description,
});

Recommendation

Mitigate by removing repo-global mutation from untrusted triggers, or gate it behind trusted actors.

Options (choose one or combine):

  1. Do not auto-create labels on issue events. Pre-create labels manually and remove createLabel fallback:
// Instead of createLabel, just return if missing.
try {
  await github.rest.issues.getLabel({ owner, repo, name });
} catch (e) {
  if (e?.status === 404) return; // don't create from untrusted event
  throw e;
}
  2. Gate label creation/sync to trusted users only, e.g. only if the issue author is a collaborator/member/owner:
const assoc = context.payload.issue?.author_association;
const trusted = ["OWNER","MEMBER","COLLABORATOR"].includes(assoc);
if (!trusted) return;
  3. Split workflows: keep issue_comment auto-responses in a workflow that does not mint an App token and has minimal permissions; run label-sync in a separate workflow triggered only by maintainers (e.g., workflow_dispatch or issues.labeled with a maintainer-only label).

Also consider reducing job permissions to the minimum needed (e.g., drop pull-requests: write if not required in this job) and avoid using long-lived App private keys on events that any user can trigger.


Analyzed PR: #30733 at commit fbcf724

@openclaw-barnacle openclaw-barnacle bot added size: M maintainer Maintainer-authored PR labels Mar 1, 2026

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

if (action === "opened" || action === "edited") {

P2: Run subtype normalization on labeled issue events

syncBugSubtypeLabel is only called inside the opened/edited branch, so issues.labeled events never re-normalize bug subtype labels. In practice, if a triager adds bug or an extra subtype label later, the issue can keep zero or multiple subtype labels indefinitely, which breaks the stated “exactly one subtype” routing/filtering behavior for bug triage.

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

@greptile-apps
Contributor

greptile-apps bot commented Mar 1, 2026

Greptile Summary

This PR consolidates bug reporting into a single issue template with a required Bug type dropdown (Regression/Crash/Behavior bug) and adds GitHub Actions automation to normalize bug subtype labels. The changes eliminate the separate regression template, reducing template fragmentation and ensuring consistent labeling for triage workflows.

Key changes:

  • Merged regression template into the main bug template with a required bug-type dropdown
  • Added syncBugSubtypeLabel automation that extracts the dropdown value, maps it to the correct label (regression, bug:crash, or bug:behavior), and ensures mutual exclusivity by removing conflicting subtype labels
  • Workflow creates missing labels with proper colors/descriptions and handles edge cases safely (no-op for invalid/missing values)

Implementation notes:

  • Label sync runs on issue opened and edited events, not on labeled events—manual label changes won't auto-correct until the next edit, which appears intentional to avoid fighting manual corrections
  • Error handling is defensive with proper 404 checks for missing labels
  • The form value extraction uses robust regex with proper escaping and returns the first non-empty line from the markdown section

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk—it's infrastructure-only automation for issue templates and labeling
  • Score reflects well-structured defensive code with proper error handling, limited scope (GitHub issue forms and workflows only), no runtime/product changes, safe no-op behavior for invalid input, and thorough PR documentation. The automation is backward compatible and the logic correctly maps dropdown values to labels with mutual exclusivity enforcement.
  • No files require special attention

Last reviewed commit: 869243d

@Takhoffman Takhoffman force-pushed the task/issue-label-taxonomy branch from 869243d to fbcf724 Compare March 1, 2026 15:20
@Takhoffman Takhoffman merged commit ff563ee into main Mar 1, 2026
9 checks passed
@Takhoffman Takhoffman deleted the task/issue-label-taxonomy branch March 1, 2026 15:20
@Takhoffman
Contributor Author

PR #30733 - Issues: unify bug form and subtype auto-labeling (#30733)

Merged via squash.

  • Merge commit: ff563ee
  • Verified: pnpm build, pnpm check, pnpm test:macmini
  • Changes made:
    M .github/ISSUE_TEMPLATE/bug_report.yml
    D .github/ISSUE_TEMPLATE/regression_bug_report.yml
    M .github/workflows/auto-response.yml
    M CHANGELOG.md
  • Why these changes were made:
    Consolidate bug intake into a single form with explicit bug type selection and deterministic subtype labels to improve issue triage/filter accuracy and reduce regression misrouting.
  • Changelog: CHANGELOG.md updated=true required=true opt_out=false

Thanks @Takhoffman!


@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fbcf724300


});
}

await syncBugSubtypeLabel(issue, labelSet);


P2: Normalize subtype labels on issue label changes

Call syncBugSubtypeLabel for issues:labeled events as well, because right now it only runs for opened/edited issues. If someone adds a conflicting subtype label (for example, adding regression onto a crash report), this workflow run is triggered by labeled but never reconciles the bug subtype set, so the issue can keep multiple subtype labels and break queue filtering that expects a single subtype.

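The two review points above (the Aisle recommendation to gate repo-global label creation behind trusted authors, and the Codex note that normalization should also run on labeled events) can be illustrated together. The following is an added example, not code from this PR or the repository's workflow: a pure, event-agnostic planner that decides which subtype labels to add and remove, plus the trusted-actor gate. The dropdown strings, the "### Bug type" heading and the function names are assumptions; the actual GitHub API calls are left to the caller.

```javascript
// Added example (not the PR's own workflow code): a pure planner for the
// bug-subtype normalization this PR adds, with the trusted-actor gate the
// security review recommends. Dropdown strings and the "### Bug type"
// heading are assumptions; GitHub API calls are left to the caller.
const SUBTYPE_LABELS = ["regression", "bug:crash", "bug:behavior"];
// A Map (not a plain object) so prototype keys like "constructor" never match.
const BUG_TYPE_TO_LABEL = new Map([   // assumed dropdown value -> label
  ["Regression", "regression"],
  ["Crash", "bug:crash"],
  ["Behavior bug", "bug:behavior"],
]);
const TRUSTED = new Set(["OWNER", "MEMBER", "COLLABORATOR"]);

// First non-empty line under "### <heading>" in an issue-form body, or null
// when the section is absent or empty. An unset dropdown renders as
// "_No response_", which simply fails the whitelist lookup below.
function extractFormValue(body, heading) {
  const lines = (body || "").split(/\r?\n/);
  const start = lines.findIndex((l) => l.trim() === `### ${heading}`);
  if (start < 0) return null;
  for (const line of lines.slice(start + 1)) {
    const t = line.trim();
    if (t.startsWith("### ")) return null; // reached the next section
    if (t) return t;
  }
  return null;
}

// Event-agnostic plan: safe to run on opened, edited AND labeled events, so a
// later manual label change is reconciled too. Returns null for a no-op
// (no "bug" label, or an unknown/missing Bug type); otherwise {add, remove}
// that leaves the issue with exactly one subtype label.
function planSubtypeLabels(issue) {
  const names = new Set(
    (issue.labels || []).map((l) => (typeof l === "string" ? l : l.name)),
  );
  if (!names.has("bug")) return null;
  const target = BUG_TYPE_TO_LABEL.get(extractFormValue(issue.body, "Bug type"));
  if (!target) return null;
  const remove = SUBTYPE_LABELS.filter((l) => l !== target && names.has(l));
  const add = names.has(target) ? [] : [target];
  return { add, remove };
}

// Repo-global mutation (createLabel) only for trusted authors; applying labels
// that already exist to the issue itself needs no such gate.
function mayCreateLabels(issue) {
  return TRUSTED.has(issue.author_association);
}
```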

zooqueen added a commit to hanzoai/bot that referenced this pull request Mar 1, 2026
ansh pushed a commit to vibecode/openclaw that referenced this pull request Mar 2, 2026
…nks @Takhoffman

Verified:
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: Takhoffman <781889+Takhoffman@users.noreply.github.com>
steipete pushed a commit to Sid-Qin/openclaw that referenced this pull request Mar 2, 2026
safzanpirani pushed a commit to safzanpirani/clawdbot that referenced this pull request Mar 2, 2026
steipete pushed a commit to Sid-Qin/openclaw that referenced this pull request Mar 2, 2026
robertchang-ga pushed a commit to robertchang-ga/openclaw that referenced this pull request Mar 2, 2026
hanqizheng pushed a commit to hanqizheng/openclaw that referenced this pull request Mar 2, 2026
execute008 pushed a commit to execute008/openclaw that referenced this pull request Mar 2, 2026
hughdidit pushed a commit to hughdidit/DAISy-Agency that referenced this pull request Mar 3, 2026
…nks @Takhoffman

Verified:
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: Takhoffman <781889+Takhoffman@users.noreply.github.com>
(cherry picked from commit ff563ee)

# Conflicts:
#	.github/ISSUE_TEMPLATE/bug_report.yml
#	CHANGELOG.md
dorgonman pushed a commit to kanohorizonia/openclaw that referenced this pull request Mar 3, 2026
sachinkundu pushed a commit to sachinkundu/openclaw that referenced this pull request Mar 6, 2026
zooqueen pushed a commit to hanzoai/bot that referenced this pull request Mar 6, 2026
zooqueen added a commit to hanzoai/bot that referenced this pull request Mar 6, 2026
Mateljan1 pushed a commit to Mateljan1/openclaw that referenced this pull request Mar 7, 2026