github · pelikhan · Feb 21, 2026 · Feb 21, 2026 · Feb 21, 2026 · Copilot
diff --git a/pkg/workflow/compiler_orchestrator_workflow.go b/pkg/workflow/compiler_orchestrator_workflow.go
@@ -532,6 +532,10 @@ func (c *Compiler) extractAdditionalConfigurations(
 	}
 	workflowData.SafeOutputs = mergedSafeOutputs
 
+	// Auto-inject create-issues if safe-outputs is configured but has no non-builtin outputs.
+	// This ensures every workflow with safe-outputs has at least one meaningful action handler.
+	applyDefaultCreateIssue(workflowData)
+
 	return nil
 }
 

diff --git a/pkg/workflow/compiler_types.go b/pkg/workflow/compiler_types.go
@@ -524,6 +524,7 @@ type SafeOutputsConfig struct {
 	Mentions                        *MentionsConfig                        `yaml:"mentions,omitempty"`                  // Configuration for @mention filtering in safe outputs
 	Footer                          *bool                                  `yaml:"footer,omitempty"`                    // Global footer control - when false, omits visible footer from all safe outputs (XML markers still included)
 	GroupReports                    bool                                   `yaml:"group-reports,omitempty"`             // If true, create parent "Failed runs" issue for agent failures (default: false)
+	AutoInjectedCreateIssue         bool                                   `yaml:"-"`                                   // Internal: true when create-issues was automatically injected by the compiler (not user-configured)
 }
 
 // SafeOutputMessagesConfig holds custom message templates for safe-output footer and notification messages

diff --git a/pkg/workflow/safe_outputs_config_helpers.go b/pkg/workflow/safe_outputs_config_helpers.go
@@ -121,6 +121,51 @@ func (c *Compiler) formatSafeOutputsRunsOn(safeOutputs *SafeOutputsConfig) strin
 	return fmt.Sprintf("runs-on: %s", safeOutputs.RunsOn)
 }
 
+// builtinSafeOutputFields contains the struct field names for the built-in safe output types
+// that are excluded from the "non-builtin" check. These are: noop, missing-data, missing-tool.
+var builtinSafeOutputFields = map[string]bool{
+	"NoOp":        true,
+	"MissingData": true,
+	"MissingTool": true,
+}
+
+// nonBuiltinSafeOutputFieldNames is a pre-computed list of field names from safeOutputFieldMapping
+// that are not builtins, used by hasNonBuiltinSafeOutputsEnabled to avoid repeated map iterations.
+var nonBuiltinSafeOutputFieldNames = func() []string {
+	var fields []string
+	for fieldName := range safeOutputFieldMapping {
+		if !builtinSafeOutputFields[fieldName] {
+			fields = append(fields, fieldName)
+		}
+	}
+	return fields
+}()
+
+// hasNonBuiltinSafeOutputsEnabled checks if any non-builtin safe outputs are configured.
+// The builtin types (noop, missing-data, missing-tool) are excluded from this check
+// because they are always auto-enabled and do not represent a meaningful output action.
+func hasNonBuiltinSafeOutputsEnabled(safeOutputs *SafeOutputsConfig) bool {
+	if safeOutputs == nil {
+		return false
+	}
+
+	// Custom safe-jobs are always non-builtin
+	if len(safeOutputs.Jobs) > 0 {
+		return true
+	}
+
+	// Check non-builtin pointer fields using the pre-computed list
+	val := reflect.ValueOf(safeOutputs).Elem()
+	for _, fieldName := range nonBuiltinSafeOutputFieldNames {
+		field := val.FieldByName(fieldName)
+		if field.IsValid() && !field.IsNil() {
+			return true
+		}
+	}
+
+	return false
+}
+
 // HasSafeOutputsEnabled checks if any safe-outputs are enabled
 func HasSafeOutputsEnabled(safeOutputs *SafeOutputsConfig) bool {
 	enabled := hasAnySafeOutputEnabled(safeOutputs)
@@ -132,6 +177,28 @@ func HasSafeOutputsEnabled(safeOutputs *SafeOutputsConfig) bool {
 	return enabled
 }
 
+// applyDefaultCreateIssue injects a default create-issues safe output when safe-outputs is configured
+// but has no non-builtin output types. The injected config uses the workflow ID as the label
+// and [workflowID] as the title prefix. The AutoInjectedCreateIssue flag is set so the prompt
+// generator can add a specific instruction for the agent.
+func applyDefaultCreateIssue(workflowData *WorkflowData) {
+	if workflowData.SafeOutputs == nil {
+		return
+	}
+	if hasNonBuiltinSafeOutputsEnabled(workflowData.SafeOutputs) {
+		return
+	}
+
+	workflowID := workflowData.WorkflowID
+	safeOutputsConfigLog.Printf("Auto-injecting create-issues for workflow %q (no non-builtin safe outputs configured)", workflowID)
+	workflowData.SafeOutputs.CreateIssues = &CreateIssuesConfig{
+		BaseSafeOutputConfig: BaseSafeOutputConfig{Max: 1},
+		Labels:               []string{workflowID},
+		TitlePrefix:          fmt.Sprintf("[%s]", workflowID),
+	}
+	workflowData.SafeOutputs.AutoInjectedCreateIssue = true
+}
+
 // GetEnabledSafeOutputToolNames returns a list of enabled safe output tool names.
 // NOTE: Tool names should NOT be included in agent prompts. The agent should query
 // the MCP server to discover available tools. This function is used for generating