
fix: ensure labels exist before creating regression issues #1763

Merged
Mossaka merged 1 commit into main from fix/1759-missing-label
Apr 7, 2026

Conversation

@Mossaka (Collaborator) commented Apr 7, 2026

Summary

  • Add an "Ensure labels exist" step before issue creation that creates needs-investigation and performance labels if they don't already exist, preventing API 422 errors
  • Add try/catch error handling around the issue creation step so failures are surfaced via core.setFailed() instead of silently failing

Test plan

  • Verify YAML is valid (validated locally with Python yaml parser)
  • Trigger workflow manually to confirm label creation and issue creation work end-to-end

Fixes #1759

🤖 Generated with Claude Code

The `needs-investigation` label doesn't exist in this repo, causing the
GitHub API to return 422 when the performance monitor tries to create
regression issues. Add a step to ensure both labels exist before issue
creation, and add error handling around the issue creation step itself.

Fixes #1759

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Copilot AI review requested due to automatic review settings April 7, 2026 22:10

@github-actions bot (Contributor) commented Apr 7, 2026

✅ Coverage Check Passed

Overall Coverage

| Metric | Base | PR | Delta |
|---|---|---|---|
| Lines | 86.14% | 86.23% | 📈 +0.09% |
| Statements | 86.02% | 86.11% | 📈 +0.09% |
| Functions | 87.45% | 87.45% | ➡️ +0.00% |
| Branches | 78.81% | 78.86% | 📈 +0.05% |

📁 Per-file Coverage Changes (1 file)

| File | Lines (Before → After) | Statements (Before → After) |
|---|---|---|
| src/docker-manager.ts | 86.3% → 86.7% (+0.37%) | 85.9% → 86.2% (+0.36%) |

Coverage comparison generated by scripts/ci/compare-coverage.ts

Copilot AI (Contributor) left a comment

Pull request overview

Updates the performance monitoring workflow to prevent regression issue creation from failing when required GitHub labels are missing, addressing issue #1759.

Changes:

  • Adds a pre-step that ensures needs-investigation and performance labels exist (creating them when absent) before attempting issue creation.
  • Wraps regression issue creation in try/catch and surfaces failures via core.setFailed() with a logged success URL on creation.

Summary per file

| File | Description |
|---|---|
| .github/workflows/performance-monitor.yml | Ensures required labels exist to avoid GitHub API 422s and improves failure reporting for regression issue creation. |

Copilot's findings

  • Files reviewed: 1/1 changed files
  • Comments generated: 0

@github-actions bot (Contributor) commented Apr 7, 2026

Smoke Test Results

Overall: PASS

💥 [THE END] — Illustrated by Smoke Claude

@github-actions bot (Contributor) commented Apr 7, 2026

Smoke Test Results

| Test | Status |
|---|---|
| GitHub MCP connectivity | |
| File write/read (smoke-test-copilot-24106892898.txt) | |
| GitHub.com connectivity | |

Overall: PASS

PR: fix: ensure labels exist before creating regression issues (@Mossaka)

📰 BREAKING: Report filed by Smoke Copilot

@github-actions bot (Contributor) commented Apr 7, 2026

Smoke test results:

  • Last 2 merged PR titles: ✅ fix: chown gh-aw config dirs to agent user before privilege drop in entrypoint (#1463); test: add CLI proxy sidecar integration tests
  • safeinputs-gh pr list --repo github/gh-aw-firewall --limit 2 --json number,title,author: ❌ (safeinputs-gh: command not found)
  • Playwright title check on https://github.com: ❌ (EACCES writing Playwright MCP log)
  • Tavily search GitHub Agentic Workflows Firewall: ❌ (Tavily tool/CLI unavailable)
  • File write + cat verification: ✅
  • npm ci && npm run build: ✅

Overall status: FAIL

🔮 The oracle has spoken through Smoke Codex

@github-actions bot (Contributor) commented Apr 7, 2026

Smoke Test: GitHub Actions Services Connectivity ✅

| Check | Result |
|---|---|
| Redis PING (host.docker.internal:6379) | PONG |
| PostgreSQL pg_isready (host.docker.internal:5432) | ✅ Accepting connections |
| PostgreSQL SELECT 1 (smoketest db, user postgres) | ✅ Returned 1 |

All service connectivity checks passed.

🔌 Service connectivity validated by Smoke Services

@Mossaka (Collaborator, Author) left a comment

Security Review — PR #1763

Scope

Reviewed the diff adding an "Ensure labels exist" step and error handling to the performance-monitor.yml workflow.


[Info] Workflow Permissions — Correctly Scoped

The workflow declares top-level permissions:

permissions:
  contents: read
  issues: write

issues: write is the minimum required for both issues.createLabel and issues.create. No other write permissions are granted. This follows the principle of least privilege. No concerns here.


[Info] Token Scope — Appropriate

The GITHUB_TOKEN used by actions/github-script@v7 is the default workflow token, automatically scoped to the repository. It cannot access other repositories or elevated organization permissions. Combined with the explicit permissions block above, the token's effective scope is minimal. No concerns.


[Info] Label Injection — Not a Risk

The label names are hardcoded string literals ('needs-investigation', 'performance'). They are not derived from any external input such as PR titles, commit messages, branch names, or benchmark output. An attacker cannot influence what labels are created or applied. No concerns.


[Info] GitHub API Usage — Safe

The actions/github-script@v7 steps use only context.repo.owner and context.repo.repo, which are repository-scoped values controlled by GitHub, not user-supplied strings. The issue title uses new Date().toISOString() (deterministic, no injection vector). The issue body reads from benchmark-results.json which is generated by the workflow's own benchmark script from git rev-parse HEAD and internal metrics — not from attacker-controlled input. There is no template literal injection risk from context variables.


[Low] Error Suppression — Catching HTTP 422

The new label-creation code catches errors with status === 422 and treats them as "label already exists." This is correct behavior — the GitHub API returns 422 when creating a duplicate label. However, 422 can also indicate other validation failures (e.g., invalid color hex, label name exceeding length limits).

Assessment: In practice, since the label names, colors, and descriptions are all hardcoded constants, the only realistic 422 scenario is "already exists." Non-422 errors are correctly re-thrown. The risk of masking a real error is negligible. No action required.


[Info] Issue Creation Error Handling — Improvement

The original code had no error handling around issues.create. The new code wraps it in try/catch and calls core.setFailed() on failure, which is a clear improvement — failures will now surface as workflow failures rather than silently passing. Good change.


Summary

| Finding | Severity | Verdict |
|---|---|---|
| Workflow permissions scoped correctly | Info | Pass |
| Token scope minimal | Info | Pass |
| No label injection vector | Info | Pass |
| GitHub API usage safe (no context injection) | Info | Pass |
| 422 error catch scope | Low | Acceptable — hardcoded inputs eliminate ambiguity |
| Issue creation error handling | Info | Improvement over prior code |

Overall: No security concerns. The changes are well-scoped and follow security best practices for GitHub Actions workflows. The hardcoded label definitions, minimal permissions, and proper error handling make this a clean change.

— Security Review Agent
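The pattern the review above describes, written out as an added example in the style of an actions/github-script step; this is not the PR's workflow code and not part of the gh-aw-firewall project. It shows the "ensure labels exist" step that swallows only the duplicate-label 422 and re-throws everything else, followed by issue creation that routes failures through core.setFailed() instead of exiting green. It also goes one step further on the [Low] finding: rather than trusting the 422 status alone, it checks the response body for the already_exists error code, so an invalid-colour or over-long-name validation failure is not mistaken for "already exists". The function names (ensureLabels, createRegressionIssue, isAlreadyExists), the label colours and descriptions, and the fake github and core objects are assumptions made for the example; the error body shape (errors[].code === 'already_exists') is the one the GitHub REST API returns for a duplicate label, as far as I know.

```javascript
// Added example (not the PR's workflow code). `github` and `core` are
// passed in as parameters so the same logic runs both inside a
// github-script step and offline against the constructed fakes below.

// Label definitions are hardcoded constants, never derived from external
// input (PR titles, branch names, benchmark output), so nothing an outside
// party controls reaches the API call.
const REQUIRED_LABELS = [
  { name: 'needs-investigation', color: 'd93f0b', description: 'Needs a human to look into it' },
  { name: 'performance', color: '0e8a16', description: 'Performance regression' },
];

// True only for the specific "label already exists" validation failure.
// Assumption: the duplicate-label 422 carries errors[].code === 'already_exists'.
function isAlreadyExists(err) {
  if (err.status !== 422) return false;
  const errors = (err.response && err.response.data && err.response.data.errors) || [];
  return errors.some((e) => e.code === 'already_exists');
}

// Create each required label unless it already exists. Any other failure
// (a different 422, 403, 5xx) propagates so the workflow fails loudly rather
// than masking a real problem. Returns the names that had to be created.
async function ensureLabels(github, owner, repo, labels = REQUIRED_LABELS) {
  const created = [];
  for (const label of labels) {
    try {
      await github.rest.issues.createLabel({ owner, repo, ...label });
      created.push(label.name);
    } catch (err) {
      if (!isAlreadyExists(err)) throw err;
    }
  }
  return created;
}

// Create the regression issue; surface any failure via core.setFailed so the
// step cannot silently pass. Returns the issue URL, or null on failure.
async function createRegressionIssue(github, core, owner, repo, body) {
  try {
    const { data } = await github.rest.issues.create({
      owner,
      repo,
      title: `Performance regression detected ${new Date().toISOString()}`,
      body,
      labels: REQUIRED_LABELS.map((l) => l.name),
    });
    core.info(`Created regression issue: ${data.html_url}`);
    return data.html_url;
  } catch (err) {
    core.setFailed(`Failed to create regression issue: ${err.message}`);
    return null;
  }
}

// Constructed fake of the github-script `github` client. `existing` lists
// labels already present in the repo; `issueFails` makes issues.create 500.
function makeFakeGithub({ existing = [], issueFails = false } = {}) {
  const labels = new Set(existing);
  const apiError = (status, code) =>
    Object.assign(new Error(status === 422 ? 'Validation Failed' : 'Server Error'), {
      status,
      response: { data: { errors: code ? [{ resource: 'Label', code, field: 'name' }] : [] } },
    });
  return {
    rest: {
      issues: {
        async createLabel({ name }) {
          if (labels.has(name)) throw apiError(422, 'already_exists');
          labels.add(name);
          return { data: { name } };
        },
        async create({ title }) {
          if (issueFails) throw apiError(500);
          return { data: { html_url: 'https://example.invalid/issues/1', title } };
        },
      },
    },
    labels, // exposed so callers can inspect state
  };
}

// Constructed fake of `core` that records what the step would have reported.
function makeFakeCore() {
  const calls = { info: [], failed: [] };
  return { calls, info: (m) => calls.info.push(m), setFailed: (m) => calls.failed.push(m) };
}

// Offline demo against the fakes (constructed input, not a workflow run).
(async () => {
  const github = makeFakeGithub({ existing: ['performance'] });
  const core = makeFakeCore();
  console.log('created labels:', await ensureLabels(github, 'octo', 'repo'));
  console.log('issue url:', await createRegressionIssue(github, core, 'octo', 'repo', 'constructed body'));
})();
```

Inside a real github-script step the calls would be `await ensureLabels(github, context.repo.owner, context.repo.repo)` followed by `await createRegressionIssue(github, core, context.repo.owner, context.repo.repo, body)`, with the step's permissions block still limited to `issues: write`.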

@Mossaka Mossaka merged commit a025d9f into main Apr 7, 2026
61 of 63 checks passed
@Mossaka Mossaka deleted the fix/1759-missing-label branch April 7, 2026 23:14

Development

Successfully merging this pull request may close these issues.

[plan] Fix regression issue creation — missing needs-investigation label causes API 422 error

2 participants