Add quick setup script for gh-aw workflows#173

Merged: strawgate merged 19 commits into main from issue-140-quick-setup-script-28dc95ff6ee078e5 on Feb 21, 2026

@github-actions github-actions bot commented Feb 19, 2026

Summary

  • add scripts/quick-setup.sh to bootstrap GitHub Agent Workflows in a target repo
  • script installs recommended trigger-*.yml files plus agentics-maintenance.yml, sets COPILOT_GITHUB_TOKEN, creates a branch, pushes, and opens a PR
  • document the quick setup flow in README.md and gh-agent-workflows/README.md

Testing

  • make lint

Refs #140

AI generated by Issue Assistant

Summary by CodeRabbit

  • New Features

    • Added an automated quick-setup tool to provision GitHub Actions workflows, create a setup branch, push changes, and open a pull request; includes workflow selection, optional continuous-improvement set, secret handling, dry-run mode, and robust validations/error checks.
  • Documentation

    • Added Quick Setup docs with usage examples, CLI options, list of default workflows, and guidance for enabling continuous-improvement workflows.

github-actions bot and others added 2 commits February 19, 2026 21:32
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@elastic elastic deleted a comment from github-actions bot Feb 19, 2026
@strawgate

@copilot looks good, don't include pr-ci-fixer and also let's add a --continuous-improvement flag which also adds a bunch of the best of the continuous improver ones

@strawgate strawgate marked this pull request as ready for review February 19, 2026 22:14

Copilot AI commented Feb 19, 2026

@strawgate I've opened a new pull request, #180, to work on those changes. Once the pull request is ready, I'll request review from you.

@github-actions github-actions bot left a comment

Verdict: approve. I found no security, logic, data integrity, performance, or error-handling issues that require changes before merge.



Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: strawgate <6384545+strawgate@users.noreply.github.com>
@github-actions

The failing check is Verify compiled workflows (job 64218180384), and the failure is from the lock-file cleanliness gate after make compile (Working tree dirty after make compile.).

Root cause: this is not introduced by this PR’s file changes (README.md, gh-agent-workflows/README.md, scripts/quick-setup.sh only). Reproducing locally on main with make compile produces the same dirty set in .github/workflows/ (many *.lock.yml updates plus new trigger-*.yml files), so the branch is inheriting a baseline compile drift.

What I ran:

  • git diff --name-status origin/main...origin/issue-140-quick-setup-script-28dc95ff6ee078e5 (shows only the 3 PR files above)
  • make compile on main (reproduces dirty .github/workflows/* outputs)

Recommended remediation:

  1. Regenerate and commit the compiled workflow outputs in a dedicated maintenance PR (or equivalent lock refresh) so make compile is clean.
  2. Re-run this PR's checks after that baseline update.

I did not push a fix commit from this run because the required correction is regeneration of files under .github/workflows/ (baseline repository maintenance, not PR-local logic).


@github-actions github-actions bot left a comment

Verdict: request changes.

There is a blocking reliability issue that should be fixed before merge.


@github-actions

CI failed in job Verify compiled workflows (run 22202529552), step Ensure lock files are up to date.

Root cause: after make compile, the repo was still dirty and CI exited with:

  • Working tree dirty after make compile.
  • modified: agentics-maintenance.yml and many gh-aw-*.lock.yml files under .github/workflows/
  • untracked: .github/workflows/trigger-issue-triage-pr.yml

Recommended fix:

  1. Regenerate and sync workflow outputs locally (make compile).
  2. Commit the generated workflow/lockfile updates plus the missing new trigger workflow file.
  3. Re-run CI.

Validation I ran here:

  • Attempted local make compile in this environment, but it could not fetch github.com/github/gh-aw from proxy.golang.org (Forbidden), so I could not fully reproduce generation locally in this runner.

@github-actions

CI failure is from Verify compiled workflows at the Ensure lock files are up to date step, where make compile leaves a dirty working tree.

Root cause observed in run 22202529552 job 64218802880:

  • git status --porcelain after compile shows many modified .github/workflows/gh-aw-*.lock.yml files
  • one untracked file: .github/workflows/trigger-issue-triage-pr.yml
  • step exits 1 with Working tree dirty after make compile.

Recommended fix:

  1. On the PR branch, run make compile.
  2. Commit regenerated workflow outputs (the new trigger file plus updated lock files).
  3. Push and re-run CI.

Validation performed:

  • Inspected run/job metadata and failed-job logs for run 22202529552.
  • Confirmed this is not unique to this PR: recent main CI runs are also failing with the same compile-dirty-tree pattern, so the generated workflow artifacts in-repo likely need regeneration/commit in general.

@strawgate

@copilot is this still relevant? any updates we need to make?


Copilot AI commented Feb 20, 2026

@strawgate I've opened a new pull request, #223, to work on those changes. Once the pull request is ready, I'll request review from you.

@github-actions

The failing check is Verify compiled workflows (job 64323123197), and it fails because make compile leaves the repo dirty, so the lock-file consistency guard exits 1.

  • Failing step: Ensure lock files are up to date
  • Log evidence: after compile, CI runs if [ -n "$(git status --porcelain)" ]; then ... exit 1 and reports Working tree dirty after make compile.
  • Files shown as modified include .github/workflows/agentics-maintenance.yml plus many .github/workflows/gh-aw-*.lock.yml files.

Recommended fix (minimal):

  1. On the PR branch, run make compile with the repo’s pinned toolchain (gh-aw v0.45.1 in CI).
  2. Commit the regenerated .github/workflows/agentics-maintenance.yml and .github/workflows/*.lock.yml outputs.
  3. Re-run CI.

If those generated changes are not expected for this PR, rebase/merge latest main first, then run make compile and commit only the deterministic output.

Validation I ran here:

  • Inspected workflow run 22234656647 + job logs directly.
  • Attempted local make compile, but it could not complete in this runner due to a blocked Go module fetch (proxy.golang.org returned Forbidden), so root-cause confirmation is based on CI logs.

@github-actions

Failed check is Verify compiled workflows at step Ensure lock files are up to date in run 22234656647 (job 64323123197). Root cause: make compile leaves the tree dirty, showing many updated lock files under .github/workflows/*.lock.yml and two new files: .github/workflows/trigger-docs-drift-external.yml and .github/workflows/trigger-docs-new-contributor-review-external.yml; this is exactly what the CI log reports before exit code 1.

I reproduced locally on this PR branch with make compile && git status --short and got the same dirty-worktree result, so the failure is deterministic and not transient.

Recommended remediation: regenerate and commit the compiled workflow outputs so make compile is clean (including the two missing trigger workflow files), then rerun CI. I did not push changes from this run because the required fix is entirely in .github/workflows/ generated artifacts.



Copilot AI and others added 2 commits February 20, 2026 13:19
)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: strawgate <6384545+strawgate@users.noreply.github.com>
@strawgate

@coderabbitai what do you think

@coderabbitai
coderabbitai bot commented Feb 20, 2026

🧩 Analysis chain

@strawgate, I'd be happy to provide my thoughts! Let me first examine the current state of the quick-setup script to see if the changes discussed with @copilot have been implemented.


🏁 Script executed:

#!/bin/bash

# First, let's find and read the quick-setup.sh script
fd -t f "quick-setup.sh" --exec cat {}

echo "---"

# Check for pr-ci-fixer references in the script
echo "Checking for pr-ci-fixer references:"
rg -n "pr-ci-fixer" scripts/quick-setup.sh || echo "No pr-ci-fixer found"

echo "---"

# Check for continuous-improvement flag
echo "Checking for --continuous-improvement flag:"
rg -n "continuous-improvement" scripts/quick-setup.sh || echo "No --continuous-improvement flag found"

echo "---"

# List all yml files being referenced in the script
echo "Workflow files referenced in the script:"
rg -n "\.yml" scripts/quick-setup.sh || echo "No .yml references found"

Length of output: 6485


@strawgate, great work on the implementation! Here are my thoughts:

✅ What's been implemented well:

  1. pr-ci-fixer excluded - Confirmed it's not in the default or continuous improvement workflows

  2. --continuous-improvement flag added - Cleanly implemented and adds 11 additional workflows:

    • bug-hunter, bug-exterminator, code-simplifier
    • docs-drift, docs-new-contributor-review
    • small-problem-fixer, stale-issues, test-improvement
    • breaking-change-detect, semantic-function-clustering, update-pr-body
  3. Smart design choices:

    • append_workflow_if_missing() prevents duplicates if users specify --workflows and --continuous-improvement together
    • Clean separation between default (5 workflows) and continuous improvement (11 workflows)
    • Good UX with --dry-run support for testing before applying

📊 Current setup:

Default workflows (5):

  • pr-review, issue-triage, mention-in-issue, mention-in-pr, pr-ci-detective

With --continuous-improvement (16 total):

  • All default + 11 continuous improvement workflows

💭 Considerations:

The continuous improvement set is quite comprehensive - 16 workflows total when the flag is enabled. This could be a lot of automation for teams new to GitHub Agent Workflows. However, users can always:

  • Use --workflows to pick specific ones
  • Try default first, then add --continuous-improvement later

Overall, this looks production-ready and addresses the feedback from @copilot perfectly! 🎯

@github-actions

CI failed because the workflow compilation check found generated workflow files out of date in this PR branch.

What failed

  • Workflow run: 22239846601
  • Failed job: Verify compiled workflows (64340551598)
  • Failed step: Ensure lock files are up to date

Key log evidence:

Working tree dirty after make compile.
 M .github/workflows/agentics-maintenance.yml
 M .github/workflows/gh-aw-*.lock.yml   (many files)
 ?? .github/workflows/trigger-docs-drift-external.yml
 ?? .github/workflows/trigger-docs-new-contributor-review-external.yml
##[error]Process completed with exit code 1.

Root cause

make compile produces changes that are not committed on this branch, so CI correctly fails the clean-tree assertion.

Recommended fix (minimal)

On the PR branch (issue-140-quick-setup-script-28dc95ff6ee078e5), run:

make compile
git add .github/workflows/
git commit -m "Regenerate compiled workflow lock files"
git push

This should satisfy the Ensure lock files are up to date check.

Tests/verification run

  • Reviewed run metadata and job list for 22239846601
  • Inspected failed job logs (Verify compiled workflows)
  • Confirmed only this single job failed; other CI jobs passed

@github-actions

The failure is in Verify compiled workflows at step Ensure lock files are up to date (https://github.com/elastic/ai-github-actions/actions/runs/22239846601/job/64340551598). make compile leaves the tree dirty, so CI exits 1.

Reproduced locally on branch issue-140-quick-setup-script-28dc95ff6ee078e5:

  • make compile
  • Result: modified .github/workflows/agentics-maintenance.yml + many .github/workflows/*.lock.yml
  • Result: untracked .github/workflows/trigger-docs-drift-external.yml and .github/workflows/trigger-docs-new-contributor-review-external.yml

Recommended remediation on this PR branch:

  1. Run make compile from a clean tree.
  2. Commit all generated .github/workflows updates (including new trigger files if intended, or explicitly exclude those workflows in scripts/dogfood.sh before compiling).
  3. Re-run CI.

I did not push a fix here because the required update is primarily generated workflow artifacts under .github/workflows/.


@coderabbitai

coderabbitai bot commented Feb 20, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

Adds a new executable quick-setup Bash script and corresponding README sections that automate provisioning recommended GitHub Actions workflows, optionally create/set a COPILOT_GITHUB_TOKEN secret, create a branch, commit/push workflow files, and open a pull request via the GitHub CLI. Script supports workflow selection, continuous-improvement, dry-run, and secret skipping.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Docs: quick setup (README.md, gh-agent-workflows/README.md) | Added "Quick setup script" sections with a curl-based invocation example, lists default workflows, and documents CLI options (--repo, --branch, --workflows, --continuous-improvement, --skip-secret, --dry-run, -h/--help) and described default actions performed by the script. |
| Script: provisioning (scripts/quick-setup.sh) | New executable Bash script implementing the quick-setup flow: option parsing, environment validation (gh, git, curl), repo/branch resolution, workflow list construction (defaults ± continuous-improvement), fetching and writing workflow templates into .github/workflows/, adding maintenance workflow, optional COPILOT_GITHUB_TOKEN secret handling, branch creation, commit/push, PR creation, dry-run support, and error handling. |

Sequence Diagram(s)

sequenceDiagram
    actor User
    participant Script as quick-setup.sh
    participant Git as git
    participant GHCLI as gh
    participant FS as FileSystem
    participant GitHub as GitHub API

    User->>Script: run quick-setup (opts)
    Script->>Git: ensure repo exists & clean
    Script->>GHCLI: verify authentication
    GHCLI->>GitHub: validate token
    GitHub-->>GHCLI: auth OK
    Script->>Script: resolve target repo/branch & workflows
    Script->>FS: curl workflow templates
    FS-->>Script: return files
    Script->>FS: write .github/workflows/*.yml
    Script->>GHCLI: create/check COPILOT_GITHUB_TOKEN secret (unless --skip-secret)
    GHCLI->>GitHub: set repository secret
    Script->>Git: create/checkout branch
    Script->>Git: stage & commit changes
    Script->>Git: push branch
    Git->>GitHub: upload branch
    Script->>GHCLI: create pull request
    GHCLI->>GitHub: open PR
    GitHub-->>User: PR created

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 I hopped through bash with curl and cheer,
I fetched workflows, made a branch appear,
A secret tucked, a commit pushed along,
A PR opened — my little script's song.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
✅ Passed checks (4 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately and concisely describes the main change: adding a quick setup script for GitHub Agent Workflows. |
| Linked Issues check | ✅ Passed | The PR fully implements the requirements from issue #140: script creates/guides GitHub PAT creation, sets repository secret, creates branch, adds recommended workflows, pushes changes, and opens PR. |
| Out of Scope Changes check | ✅ Passed | All changes are directly in scope: the setup script, documentation updates, and supporting infrastructure are all aligned with issue #140 objectives. |


@github-actions github-actions bot left a comment

Verdict: approve.

One low-severity documentation inconsistency was noted inline; no blocking issues found.


@github-actions github-actions bot left a comment

Verdict: request changes.

Please address the inline medium-severity credential-handling issue before merge.



Replace classic token URL with the fine-grained PAT creation page,
pre-filling the name, description, and copilot_requests=write
account permission.

Co-authored-by: Cursor <cursoragent@cursor.com>
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@scripts/quick-setup.sh`:
- Line 237: The current call gh secret set COPILOT_GITHUB_TOKEN --repo "$repo"
--body "$token" exposes the token in process listings; change it to feed the
token via stdin instead (e.g., use printf '%s' "$token" | gh secret set
COPILOT_GITHUB_TOKEN --repo "$repo" --body-file - or another gh option that
reads from stdin) and keep proper quoting/printf to avoid adding a newline;
update the invocation in quick-setup.sh where that command appears (replace the
--body "$token" usage with the piped-stdin approach).

@strawgate

/ai please address pr feedback

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions

Implemented the outstanding credential-handling feedback in scripts/quick-setup.sh by avoiding PAT exposure in process arguments:

  • Replaced gh secret set ... --body "$token" with printf '%s' "$token" | gh secret set ...
  • Updated the corresponding --dry-run output to match the new safe invocation

Validation: make lint passed locally.

I pushed commit 50c9abd to this PR branch and resolved the two open token-exposure review threads.
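
The reason for the argv-to-stdin change discussed in the review comment and the fix above, shown as an added example (not code from scripts/quick-setup.sh or this PR). `consumer` is a hypothetical stand-in for the program that receives the secret, and `TOKEN` is a constructed placeholder value.

```shell
#!/bin/sh
# Added illustration: a secret passed as a command-line argument is visible in
# the process listing; the same secret fed over stdin is not.

# Constructed placeholder, not a real credential.
TOKEN='example-token-not-a-real-credential'

# Hypothetical consumer: drains stdin, then prints its own command line exactly
# as other local processes could read it (/proc/<pid>/cmdline, or ps as fallback).
# The trailing ':' keeps the shell from exec-replacing itself with the last command.
CONSUMER='
cat >/dev/null
if [ -r "/proc/$$/cmdline" ]; then
  tr "\000" " " <"/proc/$$/cmdline"
else
  ps -o args= -p "$$"
fi
:'

# Pattern flagged in review: the secret travels in argv (like --body "$token").
visible_cmdline_argv() {
  sh -c "$CONSUMER" consumer --body "$1" </dev/null
}

# Pattern adopted in the fix: the secret travels on stdin. printf is a shell
# builtin in bash and dash, so no separate process carries the token in argv.
visible_cmdline_stdin() {
  printf '%s' "$1" | sh -c "$CONSUMER" consumer
}

# True when string $1 contains substring $2.
contains() {
  case "$1" in
    *"$2"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Bytes delivered on stdin: printf '%s' sends the value exactly, echo appends
# a newline that would become part of the stored secret.
stdin_bytes_printf() { printf '%s' "$1" | wc -c | tr -d ' '; }
stdin_bytes_echo() { echo "$1" | wc -c | tr -d ' '; }

for mode in argv stdin; do
  if contains "$("visible_cmdline_$mode" "$TOKEN")" "$TOKEN"; then
    echo "$mode: token visible in process listing"
  else
    echo "$mode: token not in process listing"
  fi
done
echo "token length: ${#TOKEN}"
echo "bytes via printf '%s': $(stdin_bytes_printf "$TOKEN")"
echo "bytes via echo: $(stdin_bytes_echo "$TOKEN")"
```
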


@github-actions github-actions bot left a comment

Verdict: request changes.


@strawgate

/ai please address feedback

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions

Implemented and pushed a fix for the remaining setup-branch feedback in scripts/quick-setup.sh: new setup branches are now created from the repository default branch (origin/(default)), with a default-branch lookup/fetch before branch creation. This prevents unrelated commits from the caller’s current branch from being included in the generated setup PR. I also ran make lint before and after the change (both passed) and resolved the addressed review threads.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@scripts/quick-setup.sh`:
- Around line 231-232: The token input currently echoes since the script uses
"read -r token"; change the read call to disable terminal echo (use the -s flag)
so secrets aren't shown as typed and add a newline after input to keep prompt
formatting; update the prompt/behavior around the "printf 'Paste the token here:
'" and the read invocation (the read command referenced as "read -r token") to
use "read -r -s token" and print a newline after to restore normal output.

@strawgate

/ai please address feedback

@strawgate

/ai please address feedback

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions

Implemented the remaining feedback and pushed a follow-up commit to this PR.

  • Updated scripts/quick-setup.sh to hide token input while typing (read -r -s token) and print a newline after input.
  • Ran make lint successfully.
  • Resolved the addressed review thread.
