
Add gardener workflows #7352

Merged
byrichardpowell merged 2 commits into main from add-gardener-workflows
Apr 20, 2026

Conversation

@byrichardpowell (Contributor)

Summary

Adds the gardener tooling from shopify-app-js to this monorepo:

  1. gardener-notify-event.yml + gardener-notify-slack.yml — auto-label new issues/PRs with devtools-gardener and post a summary to Slack. Split into two workflows so Dependabot-opened PRs (which lose GITHUB_TOKEN write access and Actions secrets) still get labeled and notified via the workflow_run follow-up.
  2. gardener-investigate-issue.yml — runs anthropics/claude-code-action on issues labeled devtools-investigate-for-gardener. Posts a starter Slack message, runs the investigation against a structured JSON schema, writes the report to the job summary, and threads the Summary section back to Slack.
  3. .agents/skills/investigating-github-issues/ — skill invoked by the workflow, tailored for this monorepo:
    • Respects the existing convention of skills living under .agents/skills/ (with .claude/skills symlinked to it).
    • Scope is constrained to packages/<pkg>/src/ with a matching .changeset/ entry (Path A fix requires a changeset written directly via the Write tool, not npx changeset).
    • Excludes pnpm/npm/npx/nx/tsc from allowed-tools to block arbitrary execution from prompt injection.
    • Documents the monorepo layout (cli, cli-kit, app, theme, create-app, the plugin-* family, store, organizations, ui-extensions-*) so the investigation starts in the right package.
    • Points at the oclif commands/services/ layering and shared cli-kit primitives when tracing bug reports.

Setup required (post-merge)

  • Create labels: devtools-gardener, devtools-investigate-for-gardener
  • Add secrets: ANTHROPIC_API_KEY, SLACK_GARDENER_BOT_TOKEN (+ optional ANTHROPIC_BASE_URL)
  • Add variable: GARDENER_SLACK_CHANNEL_ID

Test plan

  • Create the devtools-gardener and devtools-investigate-for-gardener labels
  • Set secrets and variables
  • Open a throwaway test issue — confirm devtools-gardener is applied and Slack gets a post
  • Manually apply devtools-investigate-for-gardener to a real issue — confirm the investigation runs and reports back

🤖 Generated with Claude Code

Adds two workflows that react to new issues and PRs:

- `gardener-notify-event.yml` captures the triggering payload as an
  artifact on issue/PR open and on `devtools-gardener` label events.
  Uses `pull_request_target` so Dependabot- and fork-opened PRs still
  produce an artifact.
- `gardener-notify-slack.yml` runs on `workflow_run` completion,
  downloads the artifact, applies the `devtools-gardener` label on
  first open, and posts a summary to Slack.

Split into two workflows because Dependabot-triggered workflows lose
write permissions and secret access; the `workflow_run` follow-up runs
in the default-branch context with full permissions regardless of the
upstream actor.

Requires a `SLACK_GARDENER_BOT_TOKEN` secret and
`GARDENER_SLACK_CHANNEL_ID` variable, plus a `devtools-gardener` label.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings April 20, 2026 16:43
@byrichardpowell byrichardpowell requested a review from a team as a code owner April 20, 2026 16:43

Copilot AI left a comment


Pull request overview

Adds “gardener” automation to the repo to label/notify on new issues & PRs and to run an LLM-assisted investigation workflow for labeled issues, plus the associated agent skill documentation.

Changes:

  • Introduces a two-step event capture + workflow_run Slack notifier to support Dependabot/fork scenarios.
  • Adds an issue investigation workflow using anthropics/claude-code-action, posting start/completion updates to Slack and writing results to the job summary.
  • Adds an investigating-github-issues agent skill and reference templates/policies under .agents/skills/.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 4 comments.

Summary per file:

  • .github/workflows/gardener-notify-slack.yml: Downloads captured event payload, applies devtools-gardener, and posts an Issue/PR summary to Slack.
  • .github/workflows/gardener-notify-event.yml: Captures issue/PR webhook payload and uploads it as an artifact for the follow-up notifier.
  • .github/workflows/gardener-investigate-issue.yml: Runs Claude-based investigations when a label is applied (or via manual dispatch) and posts results to Slack + job summary.
  • .agents/skills/shared/references/version-maintenance-policy.md: Adds a version-maintenance policy reference used by the investigation skill.
  • .agents/skills/investigating-github-issues/references/investigation-report-template.md: Adds a structured investigation report template.
  • .agents/skills/investigating-github-issues/SKILL.md: Adds the investigation skill definition, repository context, and constraints/guardrails.


Comment on lines +112 to +116
blocks: [{ type: "section", text: { type: "mrkdwn", text: $msg } }] }
' event.json | curl -sf -X POST \
-H "Authorization: Bearer $SLACK_BOT_TOKEN" \
-H 'Content-type: application/json; charset=utf-8' \
-d @- https://slack.com/api/chat.postMessage

Copilot AI Apr 20, 2026


curl -f only fails on non-2xx responses; Slack's chat.postMessage often returns HTTP 200 with { "ok": false, ... } for errors (invalid_auth, channel_not_found, etc.). As written, this step can silently succeed even when Slack rejected the message. Consider capturing the response and failing/logging when .ok is false (or use slackapi/slack-github-action, which handles this).

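One way to act on the review comment above, as an added example that is not code from this PR or from the repository's workflows: a github-script-style helper that treats a chat.postMessage reply as failed unless it is a 2xx response whose JSON body carries `ok: true`, which is exactly the case `curl -f` cannot see. `checkSlackResponse`, `postSlackMessage` and `SlackApiError` are assumed names; `postSlackMessage` assumes a Node 18+ runtime with global `fetch`, and the token and channel are whatever the workflow supplies from its secret and variable.

```javascript
// Added example, not code from the PR: treat a Slack Web API reply as failed
// unless it is a 2xx response whose JSON body carries ok: true.
class SlackApiError extends Error {
  constructor(message, details) {
    super(message);
    this.name = "SlackApiError";
    this.details = details; // parsed body or raw text, useful in the job log
  }
}

// Interpret a chat.postMessage response. Returns the parsed body on success and
// throws SlackApiError for transport errors, unparsable bodies and ok:false.
function checkSlackResponse(status, bodyText) {
  if (status < 200 || status >= 300) {
    throw new SlackApiError(`Slack HTTP ${status}`, bodyText);
  }
  let body;
  try {
    body = JSON.parse(bodyText);
  } catch (err) {
    throw new SlackApiError("Slack returned a non-JSON body", bodyText);
  }
  if (!body || typeof body !== "object") {
    throw new SlackApiError("Slack returned an unexpected JSON value", body);
  }
  if (body.ok !== true) {
    // The case curl -f misses: HTTP 200 with {"ok":false,"error":"invalid_auth"}
    throw new SlackApiError(`Slack API error: ${body.error || "unknown_error"}`, body);
  }
  if (body.warning) {
    console.warn(`Slack accepted the message with a warning: ${body.warning}`);
  }
  return body;
}

// Post a message and apply the check. Assumes Node 18+ (global fetch); token and
// channel come from the workflow's secret and variable named in the PR description.
async function postSlackMessage(token, channel, blocks, threadTs) {
  const payload = { channel, blocks };
  if (threadTs) payload.thread_ts = threadTs; // reply in a thread when asked to
  const res = await fetch("https://slack.com/api/chat.postMessage", {
    method: "POST",
    headers: {
      Authorization: `Bearer ${token}`,
      "Content-type": "application/json; charset=utf-8",
    },
    body: JSON.stringify(payload),
  });
  return checkSlackResponse(res.status, await res.text());
}
```

Throwing from the github-script step fails the job, so a rejected message shows up as a red check instead of a silently missing Slack post; the returned body's `ts` is also what the investigation workflow needs in order to thread its follow-up.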
NUMBER="${{ github.event.issue.number }}"
fi
echo "number=$NUMBER" >> "$GITHUB_OUTPUT"
echo "url=https://github.com/${{ github.repository }}/issues/$NUMBER" >> "$GITHUB_OUTPUT"
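Review bot: `NUMBER="${{ github.event.issue.number }}"` inlines a workflow expression into the `run` script. For a numeric field like `issue.number` that is harmless, but the same pattern with a free-text event field (title, body, branch name) turns into shell injection, so it is safer to pass values through `env:` (for example `NUMBER: ${{ github.event.issue.number }}`) and read `$NUMBER` in the script; the two `echo ... >> "$GITHUB_OUTPUT"` lines then stay as they are.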

Copilot AI Apr 20, 2026


Resolve issue number hardcodes the issue URL to https://github.com/.... This will produce incorrect links on GitHub Enterprise Server and is inconsistent with later use of github.server_url. Consider building the issue URL from github.server_url (and github.repository) instead of hardcoding github.com.

Suggested change
echo "url=https://github.com/${{ github.repository }}/issues/$NUMBER" >> "$GITHUB_OUTPUT"
echo "url=${{ github.server_url }}/${{ github.repository }}/issues/$NUMBER" >> "$GITHUB_OUTPUT"

Comment on lines +100 to +104
# or no structured_output). Running in github-script so we can parse
# the starter response to thread onto it, and use JSON.stringify to
# dodge shell-escaping hazards. The report is Claude's trusted
# structured output, so no HTML-escape pass.
- name: Prepare Slack payload

Copilot AI Apr 20, 2026


The Slack payload builder treats Claude's report as "trusted" and skips escaping/sanitization, but the report content is derived from untrusted issue text and can include Slack mrkdwn sequences (e.g., <!channel>, <@U...>, crafted links) that will be interpreted in Slack. Please sanitize/escape the report before placing it in a mrkdwn block (or otherwise neutralize mentions/links) to avoid notification injection/spam.

s/</&lt;/g;
s/>/&gt;/g;
s/\x06/> /g;
s{\x01(\d+)\x02(.*?)\x03}{"<$u[$1]|$2>"}ge;

Copilot AI Apr 20, 2026


The Markdown→Slack link conversion re-inserts the captured URL into Slack's <url|text> syntax without sanitizing characters like > or |. A crafted Markdown link URL containing these characters can break the Slack markup and potentially inject additional mrkdwn (mentions/links). Consider validating/encoding URLs before interpolation (or avoid converting links and leave them as plain text).

Suggested change
s{\x01(\d+)\x02(.*?)\x03}{"<$u[$1]|$2>"}ge;
s{\x01(\d+)\x02(.*?)\x03}{
my $url = $u[$1];
if ($url !~ /[>|\r\n]/) {
"<$url|$2>";
} else {
$url =~ s/&/&amp;/g;
$url =~ s/</&lt;/g;
$url =~ s/>/&gt;/g;
"$2 ($url)";
}
}ge;

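The two review comments above (escape the report before it enters a mrkdwn block; validate link URLs before interpolating them into `<url|text>`) can be handled in one place. The following is an added example and not the PR's own Perl or github-script code: a JavaScript version of the conversion step that escapes `&`, `<` and `>` everywhere, which neutralises `<!channel>`, `<@U...>` and any pre-built `<url|text>` copied from issue text, and only emits Slack link syntax for absolute http(s) URLs that contain none of the characters that terminate or split that syntax. `escapeMrkdwn`, `isSafeLinkUrl` and `markdownToMrkdwn` are assumed names, and the only link grammar handled is the plain `[label](url)` form, which is an assumption about what the report contains.

```javascript
// Added example, not code from the PR: escape report text for Slack mrkdwn and
// convert Markdown links only when the URL cannot break the <url|text> syntax.
const MRKDWN_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;" };

// Escape the three characters Slack gives meaning to in mrkdwn. This also
// neutralises <!channel>, <!here>, <@U...> and <url|text> sequences that may
// have been carried from untrusted issue text into the report.
function escapeMrkdwn(text) {
  return String(text).replace(/[&<>]/g, (ch) => MRKDWN_ESCAPES[ch]);
}

// Accept only absolute http(s) URLs that contain none of the characters which
// terminate or split Slack's <url|text> construct.
function isSafeLinkUrl(url) {
  if (!/^https?:\/\//i.test(url)) return false;
  if (/[<>|\s]/.test(url)) return false;
  try {
    new URL(url); // must also be a parseable URL
  } catch {
    return false;
  }
  return true;
}

// Convert Markdown [label](url) links to Slack <url|label> and escape everything
// else. Links whose URL fails isSafeLinkUrl are rendered as escaped plain text.
function markdownToMrkdwn(markdown) {
  // Strip C0 control characters first so untrusted input cannot forge the
  // private placeholders (\u0001 index \u0002) used below.
  const cleaned = String(markdown).replace(/[\u0000-\u0008\u000b\u000c\u000e-\u001f]/g, "");
  const links = [];
  const withPlaceholders = cleaned.replace(
    /\[([^\]]*)\]\(([^)\s]*)\)/g,
    (_match, label, url) => {
      links.push({ label, url });
      return `\u0001${links.length - 1}\u0002`;
    },
  );
  // Placeholders contain only control characters and digits, so escaping the
  // surrounding text does not disturb them.
  const escaped = escapeMrkdwn(withPlaceholders);
  return escaped.replace(/\u0001(\d+)\u0002/g, (_match, index) => {
    const { label, url } = links[Number(index)];
    const safeLabel = escapeMrkdwn(label);
    return isSafeLinkUrl(url)
      ? `<${url}|${safeLabel}>`
      : `${safeLabel} (${escapeMrkdwn(url)})`;
  });
}
```

The design choice is the same as the suggested Perl change, only stricter: rather than escaping a URL that contains `>` or `|`, the link is downgraded to plain text whenever the URL is not an absolute, parseable http(s) URL, so `javascript:` and similar schemes never reach Slack as clickable links either. Because the escape pass runs over the whole report, the "trusted structured output" comment in the workflow no longer needs to be true for the Slack post to be safe.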
Adds a workflow that runs `anthropics/claude-code-action` to investigate
GitHub issues in this monorepo, plus the skill it invokes.

- `.github/workflows/gardener-investigate-issue.yml` triggers on the
  `devtools-investigate-for-gardener` label or `workflow_dispatch`.
  Posts a starter message to Slack, runs the investigation in a
  structured-output JSON schema, writes the report to the job summary,
  and posts a threaded follow-up with the Summary section to Slack.
- `.agents/skills/investigating-github-issues/` contains the skill and
  a report template tailored for this monorepo (TypeScript / Node /
  pnpm / oclif / changesets; scopes edits to `packages/<pkg>/src/`
  with a matching `.changeset/` entry; points at cli-kit primitives,
  oclif command/service layout, and the many subpackages merchants
  might reference).
- `.agents/skills/shared/references/version-maintenance-policy.md` is
  the shared policy referenced by the skill.

Skills live under `.agents/skills/` with `.claude/skills -> ../.agents/skills`
as the existing convention in this repo.

Requires `ANTHROPIC_API_KEY` and `SLACK_GARDENER_BOT_TOKEN` secrets,
`GARDENER_SLACK_CHANNEL_ID` variable, and a
`devtools-investigate-for-gardener` label.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@byrichardpowell byrichardpowell force-pushed the add-gardener-workflows branch from 93a2a98 to 72ef4cf Compare April 20, 2026 20:08
@byrichardpowell byrichardpowell added this pull request to the merge queue Apr 20, 2026
Merged via the queue into main with commit 9c36b1b Apr 20, 2026
25 of 26 checks passed
@byrichardpowell byrichardpowell deleted the add-gardener-workflows branch April 20, 2026 20:22