From ad1d5a92394532f844d6fee18881ac0c0bf6bf8a Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Sat, 21 Feb 2026 00:17:58 +0000 Subject: [PATCH 1/2] add updates-needed workflow draft Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- DEVELOPING.md | 2 +- gh-agent-workflows/DEVELOPING.md | 2 +- .../gh-aw-downstream-updates-needed.md | 145 ++++++++++++++++ github/workflows/gh-aw-downstream-users.md | 159 ++++++++++++++++++ .../trigger-downstream-updates-needed.yml | 16 ++ 5 files changed, 322 insertions(+), 2 deletions(-) create mode 100644 github/workflows/gh-aw-downstream-updates-needed.md create mode 100644 github/workflows/gh-aw-downstream-users.md create mode 100644 github/workflows/trigger-downstream-updates-needed.yml diff --git a/DEVELOPING.md b/DEVELOPING.md index 12b09f38..e076148a 100644 --- a/DEVELOPING.md +++ b/DEVELOPING.md @@ -8,7 +8,7 @@ | `gh-agent-workflows/` | Per-workflow READMEs and `example.yml` triggers (examples + dogfood), consumer docs | [DEVELOPING.md](gh-agent-workflows/DEVELOPING.md) | | `claude-workflows/` | Composite actions wrapping Claude Code | [DEVELOPING.md](claude-workflows/DEVELOPING.md) | -Internal-only workflows (e.g., `gh-aw-upgrade-check.md`, `ci.yml`, `release.yml`) also live in `.github/workflows/`. See [gh-agent-workflows/DEVELOPING.md](gh-agent-workflows/DEVELOPING.md) for the full architecture. +Internal-only workflows (e.g., `gh-aw-upgrade-check.md`, `gh-aw-downstream-updates-needed.md`, `ci.yml`, `release.yml`) also live in `.github/workflows/`. See [gh-agent-workflows/DEVELOPING.md](gh-agent-workflows/DEVELOPING.md) for the full architecture. ## Quick Start diff --git a/gh-agent-workflows/DEVELOPING.md b/gh-agent-workflows/DEVELOPING.md index a54d1bf0..a75885f1 100644 --- a/gh-agent-workflows/DEVELOPING.md +++ b/gh-agent-workflows/DEVELOPING.md 
@@ -62,7 +62,7 @@ workflow (gh-aw-docs-drift.md) └── ... ``` -`gh-aw-upgrade-check` is an **internal-only** workflow — its shim lives directly in `.github/workflows/` (not in `gh-agent-workflows/`) so it is not installable via `gh aw add`. It runs on weekdays to check for new `gh-aw` releases and files issues tagged `[gh-aw-upgrade]`. +`gh-aw-upgrade-check` and `gh-aw-downstream-updates-needed` are **internal-only** workflows — their shims live directly in `.github/workflows/` (not in `gh-agent-workflows/`) so they are not installable via `gh aw add`. ### Shared fragments diff --git a/github/workflows/gh-aw-downstream-updates-needed.md b/github/workflows/gh-aw-downstream-updates-needed.md new file mode 100644 index 00000000..d44c64f7 --- /dev/null +++ b/github/workflows/gh-aw-downstream-updates-needed.md 
@@ -0,0 +1,145 @@ +--- +description: "Check downstream users for required workflow ref updates and report by repository" +imports: + - gh-aw-fragments/elastic-tools.md + - gh-aw-fragments/runtime-setup.md + - gh-aw-fragments/formatting.md + - gh-aw-fragments/rigor.md + - gh-aw-fragments/mcp-pagination.md + - gh-aw-fragments/messages-footer.md + - gh-aw-fragments/safe-output-create-issue.md + - gh-aw-fragments/scheduled-report.md +engine: + id: copilot + model: gpt-5.3-codex +on: + workflow_call: + inputs: + additional-instructions: + description: "Repo-specific instructions appended to the agent prompt" + type: string + required: false + default: "" + setup-commands: + description: "Shell commands to run before the agent starts (dependency install, build, etc.)" + type: string + required: false + default: "" + allowed-bot-users: + description: "Allowlisted bot actor usernames (comma-separated)" + type: string + required: false + default: "github-actions[bot]" + messages-footer: + description: "Footer appended to all agent comments and reviews" + type: string + required: false + default: "" + secrets: + COPILOT_GITHUB_TOKEN: + required: true + roles: [admin, maintainer, write] + bots: + - "${{ inputs.allowed-bot-users }}" +concurrency: + group: downstream-updates-needed + cancel-in-progress: true +permissions: + contents: read + issues: read + pull-requests: read +tools: + github: + toolsets: [repos, issues, pull_requests, search] + bash: true + web-fetch: +network: + allowed: + - defaults + - github + - go + - node + - python + - ruby +strict: false +safe-outputs: + noop: + create-issue: + max: 1 + title-prefix: "[downstream-updates] " + close-older-issues: true + expires: 7d +timeout-minutes: 30 +steps: + - name: Repo-specific setup + if: ${{ inputs.setup-commands != '' }} + env: + SETUP_COMMANDS: ${{ inputs.setup-commands }} + run: eval "$SETUP_COMMANDS" +--- + +Workflow for checking downstream users of these actions (in the `elastic` and `strawgate` orgs) and 
seeing if their workflows need updates. Post an issue with the repo-by-repo updates required. + +## Context + +- **Repository**: ${{ github.repository }} +- **Data file**: `data/downstream-users.json` + +## Step 1: Gather inputs + +1. Read `data/downstream-users.json`. +2. Keep only entries where `repo` starts with `elastic/` or `strawgate/`. +3. Fetch latest release for `elastic/ai-github-actions` and capture: + - `latest_version` (for example `v0.2.5`) + - `recommended_floating_major` (for example `v0`) +4. If no matching downstream repos exist, call `noop` with a clear message. + +## Step 2: Validate data model + +The expected schema for each workflow entry is: + +```json +{ + "workflow_file": ".github/workflows/example.yml", + "uses_target": "workflows/pr-review/rwx", + "ref": "v0" +} +``` + +If any downstream repo still has legacy string entries instead of objects, file an issue that explicitly says the downstream inventory must be regenerated with ref metadata before reliable update detection can run. + +## Step 3: Determine update status + +For each workflow entry, classify by `ref`: + +1. **Floating major** (`v`, e.g. `v0`) + - If equal to `recommended_floating_major`, mark as up to date. + - If different major, mark update needed to `recommended_floating_major`. + +2. **Pinned semver tag** (`vX.Y.Z`) + - Compare with `latest_version`. + - If older, mark update needed to `latest_version`. + +3. **Branch refs** (e.g. `main`, `master`, `release/*`) + - Mark as policy warning and recommend `recommended_floating_major` or `latest_version`. + +4. **SHA refs** (hex commit IDs) + - Mark as informational, no forced update, include recommendation to review manually. + +5. **Other refs** + - Mark as review needed and include the raw ref. + +## Step 4: Report + +Create one issue grouped by repo. 
For each repo with findings, include a table: + +- workflow file +- uses target +- current ref +- recommended ref +- reason + +If every entry is up to date and has no warnings, call `noop` with: +`Downstream updates check complete — no updates needed.` + +${{ inputs.additional-instructions }} diff --git a/github/workflows/gh-aw-downstream-users.md b/github/workflows/gh-aw-downstream-users.md new file mode 100644 index 00000000..f1c3bd0e --- /dev/null +++ b/github/workflows/gh-aw-downstream-users.md 
@@ -0,0 +1,159 @@ +--- +description: "Track downstream public repo usage of elastic/ai-github-actions and preserve refs" +imports: + - gh-aw-fragments/elastic-tools.md + - gh-aw-fragments/runtime-setup.md + - gh-aw-fragments/formatting.md + - gh-aw-fragments/rigor.md + - gh-aw-fragments/mcp-pagination.md + - gh-aw-fragments/workflow-edit-guardrails.md + - gh-aw-fragments/messages-footer.md + - gh-aw-fragments/safe-output-create-pr.md +engine: + id: copilot + model: gpt-5.3-codex +on: + workflow_call: + inputs: + additional-instructions: + description: "Repo-specific instructions appended to the agent prompt" + type: string + required: false + default: "" + setup-commands: + description: "Shell commands to run before the agent starts (dependency install, build, etc.)" + type: string + required: false + default: "" + allowed-bot-users: + description: "Allowlisted bot actor usernames (comma-separated)" + type: string + required: false + default: "github-actions[bot]" + messages-footer: + description: "Footer appended to all agent comments and reviews" + type: string + required: false + default: "" + secrets: + COPILOT_GITHUB_TOKEN: + required: true + roles: [admin, maintainer, write] + bots: + - "${{ inputs.allowed-bot-users }}" +concurrency: + group: downstream-users + cancel-in-progress: true +permissions: + contents: read + issues: read + pull-requests: read +tools: + github: + toolsets: [repos, issues, pull_requests, search] + bash: true + web-fetch: +network: + allowed: + - defaults + - github + - go + - node + - python + - ruby +strict: false +safe-outputs: + noop: +timeout-minutes: 30 +steps: + - name: Repo-specific setup + if: ${{ inputs.setup-commands != '' }} + env: + SETUP_COMMANDS: ${{ inputs.setup-commands }} + run: eval "$SETUP_COMMANDS" +--- + +# Downstream Users Tracking + +Maintain a canonical list of public downstream repositories using elastic/ai-github-actions, including workflow file paths and refs so downstream update checks are deterministic. 
+ +## Context + +- **Repository**: ${{ github.repository }} +- **Output file**: `data/downstream-users.json` + +## Constraints + +- **CAN**: Read files, search GitHub, modify files locally, run commands, create a pull request. +- **CANNOT**: Directly push to the repository — use `create_pull_request`. +- **Only one PR per run.** +- Do not modify files under `.github/workflows/`. +- Keep the JSON output stable and sorted to minimize diff noise. + +## Step 1: Gather Context + +1. Call `generate_agents_md` to get repository conventions (if it fails, continue). +2. Read the current `data/downstream-users.json` file (if it exists). + +## Step 2: Discover Downstream Usage + +1. Use the `public-code-search` MCP server to find public repositories that reference this repo in workflow files. + - Search for `uses: elastic/ai-github-actions` in `*.yml` and `*.yaml` files. + - Example query input for `search_code`: + - `patterns`: `uses:\\s*elastic/ai-github-actions/` + - `include_globs`: `**/*.yml`, `**/*.yaml` + - Exclude `elastic/ai-github-actions` itself. + +2. For each unique repo + path pair returned: + - Fetch the workflow file using `github-get_file_contents`. + - Extract every `uses: elastic/ai-github-actions/...@...` line. + - For each match, keep: + - `workflow_file`: relative path of the workflow file where the `uses:` entry was found. + - `uses_target`: text between `elastic/ai-github-actions/` and `@`. + - `ref`: text after `@` (tag, branch, or SHA). + +## Step 3: Build the Data File + +Write `data/downstream-users.json` with this structure: + +````markdown +```json +{ + "generated_at": "", + "source": { + "query": "", + "notes": "" + }, + "repos": [ + { + "repo": "owner/repo", + "workflows": [ + { + "workflow_file": ".github/workflows/example.yml", + "uses_target": "workflows/pr-review/rwx", + "ref": "v0" + } + ] + } + ] +} +``` +```` + +Guidelines: +- Sort `repos` by `repo`. +- Sort each `workflows` list by `workflow_file`, then `uses_target`, then `ref`. 
+- Deduplicate exact duplicate workflow objects per repo. +- Use UTC timestamps with a `Z` suffix. + +## Step 4: Create the PR + +1. If the file is unchanged, call `noop` with: `Downstream users list already up to date.` +2. Otherwise, commit the updated JSON and call `create_pull_request`. + - Title: `"[downstream] Update downstream users list"` + - Body: + - Summary of repo count and workflow count + - The search query used + - Any exclusions (self repo, archived/forks if excluded) + +${{ inputs.additional-instructions }} diff --git a/github/workflows/trigger-downstream-updates-needed.yml b/github/workflows/trigger-downstream-updates-needed.yml new file mode 100644 index 00000000..a557b726 --- /dev/null +++ b/github/workflows/trigger-downstream-updates-needed.yml @@ -0,0 +1,16 @@ +name: Downstream Updates Needed +on: + schedule: + - cron: "0 11 * * 1-5" + workflow_dispatch: + +permissions: + contents: read + issues: write + pull-requests: read + +jobs: + run: + uses: ./.github/workflows/gh-aw-downstream-updates-needed.lock.yml + secrets: + COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} From 49fcf614bf587ccee6a2ce7412f275bebdf90354 Mon Sep 17 00:00:00 2001 From: William Easton Date: Fri, 20 Feb 2026 18:24:14 -0600 Subject: [PATCH 2/2] Move agent output from github/ to .github/ --- .../gh-aw-downstream-updates-needed.md | 0 .github/workflows/gh-aw-downstream-users.md | 22 ++- .../trigger-downstream-updates-needed.yml | 0 github/workflows/gh-aw-downstream-users.md | 159 ------------------ 4 files changed, 16 insertions(+), 165 deletions(-) rename {github => .github}/workflows/gh-aw-downstream-updates-needed.md (100%) rename {github => .github}/workflows/trigger-downstream-updates-needed.yml (100%) delete mode 100644 github/workflows/gh-aw-downstream-users.md 
diff --git a/github/workflows/gh-aw-downstream-updates-needed.md b/.github/workflows/gh-aw-downstream-updates-needed.md similarity index 100% rename from github/workflows/gh-aw-downstream-updates-needed.md rename to .github/workflows/gh-aw-downstream-updates-needed.md diff --git a/.github/workflows/gh-aw-downstream-users.md b/.github/workflows/gh-aw-downstream-users.md index dc262548..f1c3bd0e 100644 --- a/.github/workflows/gh-aw-downstream-users.md +++ b/.github/workflows/gh-aw-downstream-users.md @@ -1,5 +1,5 @@ --- -description: "Track downstream public repo usage of elastic/ai-github-actions and update data" +description: "Track downstream public repo usage of elastic/ai-github-actions and preserve refs" imports: - gh-aw-fragments/elastic-tools.md - gh-aw-fragments/runtime-setup.md @@ -75,7 +75,7 @@ steps: # Downstream Users Tracking -Maintain a canonical list of public downstream repositories using elastic/ai-github-actions, including which workflows they consume. +Maintain a canonical list of public downstream repositories using elastic/ai-github-actions, including workflow file paths and refs so downstream update checks are deterministic. ## Context @@ -106,8 +106,11 @@ Maintain a canonical list of public downstream repositories using elastic/ai-git 2. For each unique repo + path pair returned: - Fetch the workflow file using `github-get_file_contents`. - - Extract every `uses: elastic/ai-github-actions/...` line. - - Normalize each entry by removing the leading `elastic/ai-github-actions/` and any `@version` suffix. + - Extract every `uses: elastic/ai-github-actions/...@...` line. + - For each match, keep: + - `workflow_file`: relative path of the workflow file where the `uses:` entry was found. + - `uses_target`: text between `elastic/ai-github-actions/` and `@`. + - `ref`: text after `@` (tag, branch, or SHA). ## Step 3: Build the Data File 
@@ -124,7 +127,13 @@ Write `data/downstream-users.json` with this structure: "repos": [ { "repo": "owner/repo", - "workflows": ["workflows/mention-in-issue/rwxp", "..."] + "workflows": [ + { + "workflow_file": ".github/workflows/example.yml", + "uses_target": "workflows/pr-review/rwx", + "ref": "v0" + } + ] } ] } @@ -133,7 +142,8 @@ Write `data/downstream-users.json` with this structure: Guidelines: - Sort `repos` by `repo`. -- Sort each `workflows` list alphabetically. +- Sort each `workflows` list by `workflow_file`, then `uses_target`, then `ref`. +- Deduplicate exact duplicate workflow objects per repo. - Use UTC timestamps with a `Z` suffix. ## Step 4: Create the PR diff --git a/github/workflows/trigger-downstream-updates-needed.yml b/.github/workflows/trigger-downstream-updates-needed.yml similarity index 100% rename from github/workflows/trigger-downstream-updates-needed.yml rename to .github/workflows/trigger-downstream-updates-needed.yml diff --git a/github/workflows/gh-aw-downstream-users.md b/github/workflows/gh-aw-downstream-users.md deleted file mode 100644 index f1c3bd0e..00000000 --- a/github/workflows/gh-aw-downstream-users.md +++ /dev/null 
@@ -1,159 +0,0 @@ ---- -description: "Track downstream public repo usage of elastic/ai-github-actions and preserve refs" -imports: - - gh-aw-fragments/elastic-tools.md - - gh-aw-fragments/runtime-setup.md - - gh-aw-fragments/formatting.md - - gh-aw-fragments/rigor.md - - gh-aw-fragments/mcp-pagination.md - - gh-aw-fragments/workflow-edit-guardrails.md - - gh-aw-fragments/messages-footer.md - - gh-aw-fragments/safe-output-create-pr.md -engine: - id: copilot - model: gpt-5.3-codex -on: - workflow_call: - inputs: - additional-instructions: - description: "Repo-specific instructions appended to the agent prompt" - type: string - required: false - default: "" - setup-commands: - description: "Shell commands to run before the agent starts (dependency install, build, etc.)" - type: string - required: false - default: "" - allowed-bot-users: - description: "Allowlisted bot actor usernames (comma-separated)" - type: string - required: false - default: "github-actions[bot]" - messages-footer: - description: "Footer appended to all agent comments and reviews" - type: string - required: false - default: "" - secrets: - COPILOT_GITHUB_TOKEN: - required: true - roles: [admin, maintainer, write] - bots: - - "${{ inputs.allowed-bot-users }}" -concurrency: - group: downstream-users - cancel-in-progress: true -permissions: - contents: read - issues: read - pull-requests: read -tools: - github: - toolsets: [repos, issues, pull_requests, search] - bash: true - web-fetch: -network: - allowed: - - defaults - - github - - go - - node - - python - - ruby -strict: false -safe-outputs: - noop: -timeout-minutes: 30 -steps: - - name: Repo-specific setup - if: ${{ inputs.setup-commands != '' }} - env: - SETUP_COMMANDS: ${{ inputs.setup-commands }} - run: eval "$SETUP_COMMANDS" ---- - -# Downstream Users Tracking - -Maintain a canonical list of public downstream repositories using elastic/ai-github-actions, including workflow file paths and refs so downstream update checks are deterministic. 
- -## Context - -- **Repository**: ${{ github.repository }} -- **Output file**: `data/downstream-users.json` - -## Constraints - -- **CAN**: Read files, search GitHub, modify files locally, run commands, create a pull request. -- **CANNOT**: Directly push to the repository — use `create_pull_request`. -- **Only one PR per run.** -- Do not modify files under `.github/workflows/`. -- Keep the JSON output stable and sorted to minimize diff noise. - -## Step 1: Gather Context - -1. Call `generate_agents_md` to get repository conventions (if it fails, continue). -2. Read the current `data/downstream-users.json` file (if it exists). - -## Step 2: Discover Downstream Usage - -1. Use the `public-code-search` MCP server to find public repositories that reference this repo in workflow files. - - Search for `uses: elastic/ai-github-actions` in `*.yml` and `*.yaml` files. - - Example query input for `search_code`: - - `patterns`: `uses:\\s*elastic/ai-github-actions/` - - `include_globs`: `**/*.yml`, `**/*.yaml` - - Exclude `elastic/ai-github-actions` itself. - -2. For each unique repo + path pair returned: - - Fetch the workflow file using `github-get_file_contents`. - - Extract every `uses: elastic/ai-github-actions/...@...` line. - - For each match, keep: - - `workflow_file`: relative path of the workflow file where the `uses:` entry was found. - - `uses_target`: text between `elastic/ai-github-actions/` and `@`. - - `ref`: text after `@` (tag, branch, or SHA). - -## Step 3: Build the Data File - -Write `data/downstream-users.json` with this structure: - -````markdown -```json -{ - "generated_at": "", - "source": { - "query": "", - "notes": "" - }, - "repos": [ - { - "repo": "owner/repo", - "workflows": [ - { - "workflow_file": ".github/workflows/example.yml", - "uses_target": "workflows/pr-review/rwx", - "ref": "v0" - } - ] - } - ] -} -``` -```` - -Guidelines: -- Sort `repos` by `repo`. -- Sort each `workflows` list by `workflow_file`, then `uses_target`, then `ref`. 
-- Deduplicate exact duplicate workflow objects per repo. -- Use UTC timestamps with a `Z` suffix. - -## Step 4: Create the PR - -1. If the file is unchanged, call `noop` with: `Downstream users list already up to date.` -2. Otherwise, commit the updated JSON and call `create_pull_request`. - - Title: `"[downstream] Update downstream users list"` - - Body: - - Summary of repo count and workflow count - - The search query used - - Any exclusions (self repo, archived/forks if excluded) - -${{ inputs.additional-instructions }}
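Review bot: the `gh-agent-workflows/DEVELOPING.md` hunk drops the only description of what the internal workflow does (the old line said `gh-aw-upgrade-check` "runs on weekdays ... and files issues tagged `[gh-aw-upgrade]`") and the replacement sentence says nothing about either workflow. Keep a one-liner per workflow, e.g. that `gh-aw-downstream-updates-needed` runs weekdays via `trigger-downstream-updates-needed.yml` and files issues with the `[downstream-updates] ` prefix, so the page still tells a maintainer where each internal issue stream comes from.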
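Review bot: in the frontmatter of `gh-aw-downstream-updates-needed.md` (and the identical block in `gh-aw-downstream-users.md`) the `allowed-bot-users` input is described as "comma-separated", but it is passed as a single list element under `bots:` (`- "${{ inputs.allowed-bot-users }}"`), so a value like `a[bot],b[bot]` would be one literal entry unless the compiler splits it. Either confirm that splitting happens and note it in the description, or change the description to a single username.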
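Review bot: in Step 3 of `gh-aw-downstream-updates-needed.md` the classification order is ambiguous: item 1 describes a floating major as "(`v`, e.g. `v0`)" with no pattern between the backticks, and a plain `v` prefix also matches `vX.Y.Z`, so a pinned tag could be classified as a floating major and compared against `recommended_floating_major`. Define the floating form as `v` followed by digits only (`vN`), test for `vX.Y.Z` first, and state explicitly that a pinned tag equal to `latest_version` is "up to date", since item 2 only says what to do when it is older.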
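Review bot: item 4 of Step 3 treats SHA refs as "informational, no forced update" while items 1 and 3 push consumers toward the mutable `v0` tag, so the report effectively penalises the one ref form that cannot be retargeted. Resolve the SHA against the release tags (the commit behind `latest_version`, or an older one) and report it as up to date or behind, recommending the SHA of `latest_version` for repos that already pin. Step 1 also hardcodes `elastic/ai-github-actions` for the release lookup while the Context block uses `${{ github.repository }}`; use one or the other consistently.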
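Review bot: in Step 2 of the new `gh-aw-downstream-users.md` the example `patterns` value `uses:\\s*elastic/ai-github-actions/` carries a doubled backslash inside inline code, so copied verbatim into a regex it matches a literal backslash followed by `s*` rather than whitespace; write `uses:\s*elastic/ai-github-actions/`. The file is also created under `github/workflows/` (no leading dot) in this commit and only moved to `.github/workflows/` in the second commit, so squash before merge to avoid a bisect-unfriendly intermediate state. Finally, Step 2 excludes only the repo itself while the Step 4 PR body mentions "archived/forks if excluded"; say in Step 2 whether forks and archived repos are filtered so the two steps agree.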
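Review bot: `trigger-downstream-updates-needed.yml` calls `./.github/workflows/gh-aw-downstream-updates-needed.lock.yml`, but no `.lock.yml` is in this patch's file list, so the scheduled job fails until the compiled output is committed (or CI compiles it). In the first commit the trigger itself also sits in `github/workflows/` without the dot and would never be scheduled; the second commit fixes the path, which is another reason to squash. The caller's `issues: write` is what `safe-outputs.create-issue` relies on, so keep that grant when adjusting permissions.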
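Review bot: in the `@@ -106,8 +106,11 @@` hunk, defining `ref` as "text after `@`" will capture trailing content such as a closing quote or a `# pinned for ...` comment on the same `uses:` line, and the line match would also pick up commented-out `# uses:` entries. Trim the ref at the first whitespace, quote or `#`, and skip lines whose first non-blank character is `#`, otherwise the updates-needed classifier sees refs like `v0"` or `v0 #` and files them under "Other refs".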
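Review bot: the `@@ -124,7 +127,13 @@` and `@@ -133,7 +142,8 @@` hunks change `workflows` from a string array to an object array, but `data/downstream-users.json` itself is not regenerated in this patch. Step 2 of `gh-aw-downstream-updates-needed.md` says legacy string entries trigger an issue demanding regeneration, so the first weekday run will file that issue instead of a findings report. Either regenerate the data file in this PR or make sure `gh-aw-downstream-users` runs (and its PR merges) before the `0 11 * * 1-5` schedule fires.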