@sentry/junior-github 0.7.0 → 0.9.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sentry/junior-github",
-  "version": "0.7.0",
+  "version": "0.9.0",
   "private": false,
   "publishConfig": {
     "access": "public"

package/plugin.yaml

@@ -6,6 +6,10 @@ capabilities:
   - issues.write
   - issues.comment
   - labels.write
+  - contents.read
+  - contents.write
+  - pull-requests.read
+  - pull-requests.write
 
 config-keys:
   - repo

package/skills/github/SKILL.md

@@ -1,37 +1,59 @@
 ---
 name: github
-description: Manage GitHub issue workflows and repository checkout via GitHub CLI with concise, evidence-backed content. Use when users ask to open, edit, label, comment on, close/reopen, or inspect GitHub issues via /github, or when they need `gh repo clone` guidance, especially shallow-clone defaults and exact CLI commands.
-requires-capabilities: github.issues.read github.issues.write github.issues.comment github.labels.write
+description: Manage GitHub issue workflows, pull request operations, and repository checkout via GitHub CLI with concise, evidence-backed content. Use when users ask to open, edit, label, comment on, close/reopen, or inspect GitHub issues, view or create pull requests, or when they need `gh repo clone` guidance, especially shallow-clone defaults and exact CLI commands.
+requires-capabilities: github.issues.read github.issues.write github.issues.comment github.labels.write github.contents.read github.contents.write github.pull-requests.read github.pull-requests.write
 uses-config: github.repo
 allowed-tools: bash
 ---
 
 # GitHub Operations
 
-Use this skill for `/github` workflows in the harness. Issues are the primary surface. Repository checkout is limited to `gh repo clone` guidance and execution when local code context is needed.
+Issue workflows and repository checkout via `gh` CLI.
+
+## Reference loading
+
+Load references conditionally based on the operation:
+
+| Operation          | Load                                                                                                                                                                                        |
+| ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Any operation      | [references/api-surface.md](references/api-surface.md)                                                                                                                                      |
+| `clone`            | [references/common-use-cases.md](references/common-use-cases.md)                                                                                                                            |
+| `create`, `update` | [references/issue-examples.md](references/issue-examples.md), the matching type-specific template and type-specific rules, and [references/research-rules.md](references/research-rules.md) |
+| On failure         | [references/troubleshooting-workarounds.md](references/troubleshooting-workarounds.md)                                                                                                      |
 
 ## Workflow
 
-1. Confirm operation and target:
-- Determine `clone`, `create`, `update`, `comment`, `labels`, `state`, or read-only inspection.
-- Resolve repository (`owner/repo`) and issue number for non-create issue operations.
-- If repository is not explicit in args, query channel config:
-  - `jr-rpc config get github.repo`
-- If config exists and is valid `owner/repo`, use it as default.
+### 1. Resolve operation and target
+
+- Determine whether the task is `clone` or an issue operation (`create`, `update`, `comment`, `labels`, `state`, or read-only inspection).
+- Resolve repository (`owner/repo`). If it is not explicit, query channel config with `jr-rpc config get github.repo`.
+- If config exists and is valid `owner/repo`, use it as the default.
 - If repository is still missing, ask the user for `owner/repo`.
+- Resolve the issue number for non-create issue operations.
+
+### 2. Execute by operation type
+
+**Clone** → Follow the clone path below.
+**Issue operation** → Follow the issue path below.
+
+---
+
+### Clone path
+
+- Issue a `contents.read` credential scoped to the target repository before cloning:
+  - `jr-rpc issue-credential github.contents.read --repo owner/repo`
+- Default to a shallow clone.
+- Use exact command forms from [references/api-surface.md](references/api-surface.md) or [references/common-use-cases.md](references/common-use-cases.md).
+- Deepen incrementally only when the task needs repository history.
+- After cloning, check for `AGENTS.md` in the repo root (and `.github/AGENTS.md`) before making edits. Treat discovered instructions as hard constraints.
+- Report the local directory and whether the clone is shallow or full.
+
+---
+
+### Issue path
+
+#### 3. Classify issue type
 
-2. Handle repository checkout first when operation is `clone`:
-- Default to a shallow clone for local inspection or one-off edits:
-  - `gh repo clone owner/repo [directory] -- --depth=1`
-- Pass extra `git clone` flags only after `--`.
-- Use a full-history clone only when the task explicitly needs history-heavy operations such as `git blame`, `git bisect`, tag/release archaeology, or broad commit-log analysis.
-- If the initial shallow clone is insufficient, deepen incrementally instead of recloning:
-  - `git -C <directory> fetch --depth=<n> origin`
-  - `git -C <directory> fetch --unshallow`
-- When cloning a fork, keep the default upstream remote behavior unless the user asks for a different remote name.
-- After checkout, report the local directory and whether the clone is shallow or full. Stop here for clone-only requests.
-
-3. Classify issue type before drafting:
 - Use explicit user type when provided (`bug`, `feature`, `task`).
 - Otherwise infer from intent:
   - `bug`: broken behavior, regression, error, failure.
@@ -39,48 +61,51 @@ Use this skill for `/github` workflows in the harness. Issues are the primary su
   - `task`: maintenance, cleanup, docs, refactor, operational chore.
 - Default to `task` when uncertain.
 
-4. Draft issue content:
-- Load the type-specific template:
-  - `bug`: [references/issue-template-bug.md](references/issue-template-bug.md)
-  - `feature`: [references/issue-template-feature.md](references/issue-template-feature.md)
-  - `task`: [references/issue-template-task.md](references/issue-template-task.md)
-- Follow [references/research-rules.md](references/research-rules.md) and the type-specific research rules:
-  - `bug`: [references/issue-type-bug.md](references/issue-type-bug.md)
-  - `feature`: [references/issue-type-feature.md](references/issue-type-feature.md)
-  - `task`: [references/issue-type-task.md](references/issue-type-task.md)
+#### 4. Draft issue content
+
+Load the type-specific template and rules:
+
+| Type      | Template                                                                     | Research rules                                                       |
+| --------- | ---------------------------------------------------------------------------- | -------------------------------------------------------------------- |
+| `bug`     | [references/issue-template-bug.md](references/issue-template-bug.md)         | [references/issue-type-bug.md](references/issue-type-bug.md)         |
+| `feature` | [references/issue-template-feature.md](references/issue-template-feature.md) | [references/issue-type-feature.md](references/issue-type-feature.md) |
+| `task`    | [references/issue-template-task.md](references/issue-template-task.md)       | [references/issue-type-task.md](references/issue-type-task.md)       |
+
+Follow [references/research-rules.md](references/research-rules.md) for cross-type research standards.
+
 - Generalize conversation context: replace user names, slash-command invocations, channel references, and session-specific fragments with the underlying technical problem.
-- Include code snippets when they clarify the problem pattern or proposed change.
-- Cross-reference related issues and PRs when they provide context.
-- For quality gates, use [references/issue-quality-checklist.md](references/issue-quality-checklist.md).
-- For structure examples, use [references/issue-examples.md](references/issue-examples.md).
-- When creating a new issue on behalf of a user, append a final attribution line at the end of the body in the form `Action taken on behalf of <name>.`
-- Use the clearest available user identifier from conversation context. Prefer a human name, then stable handle, and do not omit attribution for delegated mutations.
-
-5. Execute operation:
-- Issue credential for the required capability before API calls:
-  - Read-only (`gh issue view`, comment reads via `gh api`): `jr-rpc issue-credential github.issues.read`
-  - Create/update/state changes: `jr-rpc issue-credential github.issues.write`
-  - Comments: `jr-rpc issue-credential github.issues.comment`
-  - Labels: `jr-rpc issue-credential github.labels.write`
-- Repository checkout does not need an issue credential step. Use `gh repo clone` directly.
-- Resolve command and flags from [references/api-surface.md](references/api-surface.md).
-- Execute using `gh` CLI directly. Use [references/github-issue-api.md](references/github-issue-api.md) for exact command shapes.
-- Use [references/common-use-cases.md](references/common-use-cases.md) for ready-to-run operation patterns.
-- If an operation fails, follow [references/troubleshooting-workarounds.md](references/troubleshooting-workarounds.md) before retrying.
-- Read [references/sandbox-runtime.md](references/sandbox-runtime.md) for credential delivery details.
-
-6. Report result:
-- Return canonical issue URL, issue number, issue type, applied changes, and confidence for issue workflows.
-- For clone operations, return the repository, local directory, clone mode (`shallow` or `full`), and any follow-up deepen/unshallow action taken.
+- Use [references/issue-examples.md](references/issue-examples.md) to calibrate structure and depth.
+- Include code snippets, related issues, and related PRs only when they materially improve the issue.
+
+#### 5. Execute operation
+
+- Issue the narrowest matching capability credential before executing.
+- Use fully specified, non-interactive `gh` commands from [references/api-surface.md](references/api-surface.md).
+- Use [references/common-use-cases.md](references/common-use-cases.md) only when you need a concrete command pattern.
+- Check duplicates silently before creating a new issue. Only mention duplicates when relevant matches are actually found.
+
+#### 6. Report result
+
+- Return canonical issue URL, issue number, issue type, applied changes, and confidence.
 - Include references used for verified claims.
+- Keep routine issue-creation steps silent. Do not post progress chatter about duplicate checks, drafting, credential issuance, or command execution before the final result.
 
 ## Guardrails
 
+### Execution
+
 - Execute operations as soon as required fields are available. Do not pause for confirmation unless the user explicitly asks for preview/dry-run.
 - Require explicit confirmation only for close/reopen or destructive broad rewrites.
-- Default to shallow clones for efficiency. Do not use a full clone unless the task requires repository history or the user asks for it.
+- Do not overwrite issue fields unless explicitly requested. Prefer partial updates over full body replacement.
+
+### Quality
+
 - Never claim verification without citing sources.
 - For `bug` issues, do not present a fix as definitive unless root-cause evidence is explicit.
-- Do not overwrite issue fields unless explicitly requested. Prefer partial updates over full body replacement.
+- If no relevant duplicates are found, continue directly to draft and create the issue, then report the created issue.
+
+### Scope
+
+- Issue workflows, pull request operations, and repository checkout. Do not execute repository admin mutations.
+- Default to shallow clones. Do not use a full clone unless the task requires repository history or the user asks for it.
 - If repository or installation access is missing, stop and return a concrete remediation message.
-- Scope is issue workflows plus repository checkout. Do not execute pull-request or repository admin mutations in this skill.

package/skills/github/references/api-surface.md

@@ -1,37 +1,42 @@
 # GitHub CLI API Surface
 
-This skill supports issue workflows plus repository checkout via `gh repo clone`.
+All operations use `gh` CLI. Commands must be deterministic and non-interactive.
 
-All operations use `gh` CLI.
+## Authentication
+
+Issue credentials with `jr-rpc issue-credential <capability>` before executing commands. The runtime handles token injection transparently.
 
 ## Capability to command mapping
 
-| Capability | Commands |
-| --- | --- |
-| none required | `gh repo clone` |
-| `github.issues.read` | `gh issue view`, `gh api /repos/.../comments` |
-| `github.issues.write` | `gh issue create`, `gh issue edit`, `gh issue close`, `gh issue reopen` |
-| `github.issues.comment` | `gh issue comment` |
-| `github.labels.write` | `gh issue edit --add-label/--remove-label` |
+| Capability                   | Commands                                                                |
+| ---------------------------- | ----------------------------------------------------------------------- |
+| `github.contents.read`       | `gh repo clone`, `git fetch`                                            |
+| `github.contents.write`      | `git push`, `gh api` (create/update file contents)                      |
+| `github.issues.read`         | `gh issue view`, `gh api /repos/.../comments`                           |
+| `github.issues.write`        | `gh issue create`, `gh issue edit`, `gh issue close`, `gh issue reopen` |
+| `github.issues.comment`      | `gh issue comment`                                                      |
+| `github.labels.write`        | `gh issue edit --add-label/--remove-label`                              |
+| `github.pull-requests.read`  | `gh pr view`, `gh pr list`, `gh pr diff`, `gh pr checks`                |
+| `github.pull-requests.write` | `gh pr create`, `gh pr edit`, `gh pr merge`, `gh pr close`              |
 
 ## Command matrix
 
-| Operation | Command |
-| --- | --- |
-| Clone repository (default shallow) | `gh repo clone owner/repo [DIRECTORY] -- --depth=1` |
-| Deepen shallow clone | `git -C DIRECTORY fetch --depth=N origin` |
-| Convert shallow clone to full | `git -C DIRECTORY fetch --unshallow` |
-| Create issue | `gh issue create --repo owner/repo --title "..." [--body-file PATH]` |
-| Update issue fields | `gh issue edit NUMBER --repo owner/repo [--title "..."] [--body-file PATH]` |
-| Close issue | `gh issue close NUMBER --repo owner/repo [--comment "..."]` |
-| Reopen issue | `gh issue reopen NUMBER --repo owner/repo` |
-| Add labels | `gh issue edit NUMBER --repo owner/repo --add-label LABEL [--add-label LABEL2]` |
-| Remove labels | `gh issue edit NUMBER --repo owner/repo --remove-label LABEL [--remove-label LABEL2]` |
-| Add comment | `gh issue comment NUMBER --repo owner/repo --body-file PATH` |
-| Read issue | `gh issue view NUMBER --repo owner/repo --json number,title,state,labels,assignees,author,url,body` |
-| Read comments | `gh api /repos/owner/repo/issues/NUMBER/comments --method GET --header "Accept: application/vnd.github+json"` |
-
-## Credential + config helper commands
+| Operation                          | Command                                                                                                       |
+| ---------------------------------- | ------------------------------------------------------------------------------------------------------------- |
+| Clone repository (default shallow) | `gh repo clone owner/repo [DIRECTORY] -- --depth=1`                                                           |
+| Deepen shallow clone               | `git -C DIRECTORY fetch --depth=N origin`                                                                     |
+| Convert shallow clone to full      | `git -C DIRECTORY fetch --unshallow`                                                                          |
+| Create issue                       | `gh issue create --repo owner/repo --title "..." --body-file PATH`                                            |
+| Update issue fields                | `gh issue edit NUMBER --repo owner/repo [--title "..."] [--body-file PATH]`                                   |
+| Close issue                        | `gh issue close NUMBER --repo owner/repo [--comment "..."]`                                                   |
+| Reopen issue                       | `gh issue reopen NUMBER --repo owner/repo`                                                                    |
+| Add labels                         | `gh issue edit NUMBER --repo owner/repo --add-label LABEL [--add-label LABEL2]`                               |
+| Remove labels                      | `gh issue edit NUMBER --repo owner/repo --remove-label LABEL [--remove-label LABEL2]`                         |
+| Add comment                        | `gh issue comment NUMBER --repo owner/repo --body-file PATH`                                                  |
+| Read issue                         | `gh issue view NUMBER --repo owner/repo --json number,title,state,labels,assignees,author,url,body`           |
+| Read comments                      | `gh api /repos/owner/repo/issues/NUMBER/comments --method GET --header "Accept: application/vnd.github+json"` |
+
+## Credential and config helpers
 
 Resolve repo default:
 
@@ -45,17 +50,23 @@ Set repo default:
 jr-rpc config set github.repo owner/repo
 ```
 
-Pass extra `git clone` flags after `--`:
-
-```bash
-gh repo clone owner/repo -- --depth=1 --filter=blob:none
-```
-
 Issue scoped credentials:
 
 ```bash
+jr-rpc issue-credential github.contents.read --repo owner/repo
+jr-rpc issue-credential github.contents.write --repo owner/repo
 jr-rpc issue-credential github.issues.read
 jr-rpc issue-credential github.issues.write
 jr-rpc issue-credential github.issues.comment
 jr-rpc issue-credential github.labels.write
+jr-rpc issue-credential github.pull-requests.read
+jr-rpc issue-credential github.pull-requests.write
 ```
+
+## Behavior notes
+
+- Prefer `--json` output for machine-readable parsing where available.
+- Use `gh api` for endpoints not fully covered by `gh issue` subcommands.
+- Pass extra `git clone` flags after `--` (e.g. `gh repo clone owner/repo -- --depth=1`).
+- For automation, always fully specify `gh issue create` with `--title` and `--body` or `--body-file`; never rely on interactive prompts.
+- Return actionable errors for auth, permission, not-found, and validation failures.

package/skills/github/references/common-use-cases.md

@@ -4,15 +4,17 @@ Use these patterns as direct execution playbooks.
 
 ## 1) Clone a repository for local work
 
-Default to a shallow clone unless the task requires full history:
+Issue credentials first, then default to a shallow clone:
 
 ```bash
+jr-rpc issue-credential github.contents.read --repo owner/repo
 gh repo clone owner/repo -- --depth=1
 ```
 
 Clone into a specific directory:
 
 ```bash
+jr-rpc issue-credential github.contents.read --repo owner/repo
 gh repo clone owner/repo worktree/repo -- --depth=1
 ```
 

package/skills/github/references/sandbox-runtime.md

@@ -2,12 +2,6 @@
 
 This skill runs in the harness sandbox (`node22`) and commands execute via the `bash` tool.
 
-## Runtime environment
-
-- Sandbox OS is Amazon Linux 2023.
-- System packages are installed with `dnf`.
-- Any package install command must run with root privileges (`sudo: true` in sandbox command execution).
-
 ## What is currently available
 
 - Node runtime in sandbox (`node22` image).
@@ -15,24 +9,8 @@ This skill runs in the harness sandbox (`node22`) and commands execute via the `
 - Outbound network access (default allow-all unless harness sets a network policy).
 - Skill files are synchronized into `/vercel/sandbox/skills/<skill-name>`.
 
-## Important constraint
-
-Credentials should only be injected per command execution scope. Do not rely on global/session-wide environment for privileged tokens.
-
 ## Credential strategy
 
-1. Enable credentials with the narrowest capability needed:
-   - `github.issues.read` for `view` and comment reads
-   - `github.issues.write` for create/update/close/reopen
-   - `github.issues.comment` for comments
-   - `github.labels.write` for label mutations
-2. Runtime injects `Authorization` header transforms for `api.github.com`.
-3. Execute `gh` CLI commands directly.
-4. Do not persist tokens in files.
-
-## Operational checks
-
-- Verify CLI availability:
-  - `gh --version`
-- Use non-interactive command flags in automation contexts.
-- If 401/403 appears after credential issuance, reissue once, then stop with remediation guidance if still failing.
+1. Issue credentials with `jr-rpc issue-credential <capability>` before executing commands. See [api-surface.md](api-surface.md) for the capability-to-command mapping.
+2. Credentials are scoped per command execution. Do not persist tokens in files.
+3. If 401/403 appears after credential issuance, reissue once, then stop with remediation guidance.

package/skills/github/references/github-issue-api.md

@@ -1,54 +0,0 @@
-# GitHub CLI Command Reference
-
-All issue operations should go through `gh` CLI commands.
-
-## Authentication
-
-- Preferred: sandbox network policy injects Authorization headers for `api.github.com`.
-- Optional local fallback: `GITHUB_TOKEN` (short-lived GitHub App installation token).
-- If `GITHUB_TOKEN` is a host placeholder value, rely on header transforms and do not override it.
-
-## Command shapes
-
-### Create issue
-
-`gh issue create --repo owner/repo --title "..." [--body-file /tmp/issue.md]`
-
-### Update title/body
-
-`gh issue edit 123 --repo owner/repo [--title "..."] [--body-file /tmp/issue.md]`
-
-### Close issue
-
-`gh issue close 123 --repo owner/repo [--comment "..."]`
-
-### Reopen issue
-
-`gh issue reopen 123 --repo owner/repo`
-
-### Add labels
-
-`gh issue edit 123 --repo owner/repo --add-label bug --add-label regression`
-
-### Remove labels
-
-`gh issue edit 123 --repo owner/repo --remove-label triage`
-
-### Add comment
-
-`gh issue comment 123 --repo owner/repo --body-file /tmp/comment.md`
-
-### Get issue JSON
-
-`gh issue view 123 --repo owner/repo --json number,title,state,labels,assignees,author,url,body`
-
-### List comments JSON (read-only)
-
-`gh api /repos/owner/repo/issues/123/comments --method GET --header "Accept: application/vnd.github+json"`
-
-## Behavior notes
-
-- Prefer `--json` output for machine-readable parsing where available.
-- Use `gh api` for endpoints not fully covered by `gh issue` subcommands.
-- Commands should be deterministic and non-interactive in harness usage.
-- Return actionable errors for auth, permission, not-found, and validation failures.