mirror of
https://github.com/QwenLM/qwen-code.git
synced 2026-07-09 17:19:02 +00:00
* fix(ci): require maintainer-applied `autofix/approved` label for tier-1 fast-path The scheduled scan and `issues:labeled` event paths in `qwen-autofix.yml` previously trusted the `status/ready-for-agent` label alone, which is applied by an LLM reading untrusted issue text. An attacker could craft issue content to trick the triage LLM into labeling it ready, bypassing human review. Introduce an `autofix/approved` label that only maintainers (write+ permission) can apply. Both the cron scan and event-triggered paths now require this label alongside `status/ready-for-agent` before entering the autonomous fix pipeline (dual-factor: LLM signal + human confirmation). Also: - `release.yml` automatically adds `autofix/approved` on workflow-created release-failure issues (trusted source, preserves existing automation) - Forced-issue path (non-dispatch) also checks for the new label - Claim step strips `autofix/approved` to keep processed issues clean Closes #5634 * fix(ci): address autofix approval review * fix(ci): address autofix approval follow-ups * test(ci): cover autofix approval gate * fix(ci): harden autofix approval revalidation * fix(ci): avoid autofix approval retry loop * fix(ci): harden autofix claim handling * fix(ci): clarify autofix reapproval label * fix(ci): make autofix claim label update non-destructive |
||
|---|---|---|
| .. | ||
| actions/post-coverage-comment | ||
| ISSUE_TEMPLATE | ||
| scripts | ||
| workflows | ||
| actionlint.yaml | ||
| dependabot.yml | ||
| pull_request_template.md | ||
| release.yml | ||