
Add branch-actions-detective for failed main CI runs#372

Merged
strawgate merged 2 commits into main from copilot/add-branch-actions-detective
Feb 22, 2026

Conversation

Contributor

Copilot AI commented Feb 22, 2026

Failed CI runs on the default branch without an associated PR were not auto-triaged. Existing pr-actions-detective requires a PR context and noops otherwise.

What this PR adds

  • Reusable detective workflow: .github/workflows/gh-aw-branch-actions-detective.lock.yml
  • Prompt source for that workflow: .github/workflows/gh-aw-branch-actions-detective.md
  • Trigger workflow in this repo: .github/workflows/trigger-branch-actions-detective.yml
  • Consumer example and docs:
    • gh-agent-workflows/branch-actions-detective/example.yml
    • gh-agent-workflows/branch-actions-detective/README.md

Trigger conditions

The detector runs on workflow_run (completed) for "Internal: CI", "CI", "Build", and "Test", and only when all conditions are true:

  • github.event.workflow_run.conclusion == 'failure'
  • github.event.workflow_run.head_branch == github.event.repository.default_branch
  • toJSON(github.event.workflow_run.pull_requests) == '[]'

Detection + dedup behavior

  • Analyzes failing jobs/logs and files one tracking issue via create-issue safe output.
  • Uses [branch-actions-detective] title prefix for dedup.
  • Calls noop instead of filing a duplicate when an open issue already tracks the same root cause.
  • Uses close-older-issues: true and expires: 7d to keep stale issues under control.

Consumer install

name: Branch Actions Detective
on:
  workflow_run:
    workflows: ["Internal: CI", "CI", "Build", "Test"]
    types: [completed]

jobs:
  run:
    if: >-
      github.event.workflow_run.conclusion == 'failure' &&
      github.event.workflow_run.head_branch == github.event.repository.default_branch &&
      toJSON(github.event.workflow_run.pull_requests) == '[]'
    uses: elastic/ai-github-actions/.github/workflows/gh-aw-branch-actions-detective.lock.yml@v0
    secrets:
      COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}

Fixes #370

Generated by Update PR Body

Co-authored-by: strawgate <6384545+strawgate@users.noreply.github.com>
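The gate in the consumer workflow above and the title-prefix dedup rule are small enough to model and test offline. The block below is an added example, not code from this PR or from elastic/ai-github-actions: it re-implements the three `if:` conditions over a handful of constructed workflow_run payloads, adds a same-repository check as a hardening option, and shows a create-issue/noop decision keyed on the `[branch-actions-detective]` prefix. Field names follow the documented github.event.workflow_run payload; the sample payloads, the `gate_hardened` and `dedup_action` functions, and the root-cause matching rule are assumptions made for illustration. GitHub leaves `workflow_run.pull_requests` empty for pull requests opened from forks, so the same-repository check is what keeps a fork branch that happens to be named `main` from satisfying the three conditions; whether that matters for a given repository depends on whether the watched workflows run for fork pull requests at all, and the detective's own pre_activation membership check (see the walkthrough below) is a separate layer.

```python
"""Added example (not part of elastic/ai-github-actions): model the workflow_run
gate from the PR description plus a same-repo hardening check, and the
[branch-actions-detective] title-prefix dedup rule, over constructed sample events."""
import json

DEFAULT_BRANCH = "main"
TITLE_PREFIX = "[branch-actions-detective]"
WATCHED_WORKFLOWS = {"Internal: CI", "CI", "Build", "Test"}  # from the `workflows:` filter


def gate_from_pr(event: dict) -> bool:
    """The three conditions quoted in the consumer workflow's `if:` expression."""
    run = event["workflow_run"]
    return (
        run["conclusion"] == "failure"
        and run["head_branch"] == event["repository"]["default_branch"]
        # toJSON(...) == '[]' in Actions expression syntax
        and json.dumps(run["pull_requests"]) == "[]"
    )


def gate_hardened(event: dict) -> bool:
    """Same gate plus a same-repository check (assumption: not in the PR).
    workflow_run.pull_requests is empty for fork PRs, so head_branch == 'main'
    alone does not prove the run came from this repository's default branch.
    The workflow-name check mirrors the YAML `workflows:` filter so the sample
    events are self-describing."""
    run = event["workflow_run"]
    return (
        gate_from_pr(event)
        and run["name"] in WATCHED_WORKFLOWS
        and run["head_repository"]["full_name"] == event["repository"]["full_name"]
    )


def dedup_action(open_issues: list, root_cause: str) -> dict:
    """Decide between the create-issue and noop safe outputs. Only open issues
    carrying the title prefix are considered; the root cause is compared after
    collapsing whitespace and case (assumed matching rule, not the agent's)."""
    key = " ".join(root_cause.split()).lower()
    for issue in open_issues:
        title = issue["title"]
        if issue["state"] == "open" and title.startswith(TITLE_PREFIX):
            existing = " ".join(title[len(TITLE_PREFIX):].split()).lower()
            if existing == key:
                return {"action": "noop", "issue": issue["number"]}
    return {"action": "create-issue", "title": f"{TITLE_PREFIX} {root_cause}"}


def make_event(conclusion, head_branch, head_repo, pulls, name="CI"):
    """Constructed github.event payload with only the fields the gate reads."""
    return {
        "repository": {"full_name": "elastic/ai-github-actions",
                       "default_branch": DEFAULT_BRANCH},
        "workflow_run": {
            "name": name,
            "conclusion": conclusion,
            "head_branch": head_branch,
            "head_repository": {"full_name": head_repo},
            "pull_requests": pulls,
        },
    }


# Constructed sample events (not real runs).
SAMPLE_EVENTS = {
    "main-failure": make_event("failure", "main", "elastic/ai-github-actions", []),
    "main-success": make_event("success", "main", "elastic/ai-github-actions", []),
    "pr-failure": make_event("failure", "feature/x", "elastic/ai-github-actions",
                             [{"number": 371}]),
    # Fork PR whose branch is also called "main": pull_requests arrives empty.
    "fork-main-failure": make_event("failure", "main", "someone/ai-github-actions", []),
}


def evaluate_all() -> dict:
    """Map each sample to (gate_from_pr, gate_hardened) so the two can be compared."""
    return {k: (gate_from_pr(e), gate_hardened(e)) for k, e in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, (pr_gate, hardened) in evaluate_all().items():
        print(f"{name:20s} pr-gate={pr_gate!s:5s} hardened={hardened}")
    issues = [{"number": 5, "state": "open",
               "title": f"{TITLE_PREFIX} Build: missing GOFLAGS env in Internal: CI"}]
    print(dedup_action(issues, "build: missing goflags env in internal: ci"))
    print(dedup_action(issues, "Test: flaky timeout in unit suite"))
```

Only the `fork-main-failure` sample separates the two gates: it passes the three conditions from the PR and fails the hardened one. In the real workflow the equivalent extra condition would be `github.event.workflow_run.head_repository.full_name == github.repository` added to the `if:` expression.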
Copilot AI changed the title from "[WIP] Add branch-actions-detective for failed main CI runs" to "Add branch-actions-detective for failed main CI runs" Feb 22, 2026
Copilot AI requested a review from strawgate February 22, 2026 19:50
strawgate marked this pull request as ready for review February 22, 2026 19:56

coderabbitai bot commented Feb 22, 2026

📝 Walkthrough

Walkthrough

This pull request introduces a comprehensive GitHub Actions workflow system called "Branch Actions Detective" that automatically detects and triages failed CI runs on protected branches without associated pull requests, analyzing root causes and creating or updating tracking issues with remediation suggestions.

Changes

Cohort / File(s) Summary
Branch Actions Detective Workflow
.github/workflows/gh-aw-branch-actions-detective.lock.yml
Multi-stage automation pipeline (1425 lines) orchestrating pre-activation checks, Copilot-based analysis, threat detection, safe-output MCP integration, and result aggregation with extensive error handling, secret masking, and conditional fail-safe pathways.
Trigger and Invocation
.github/workflows/trigger-branch-actions-detective.yml, gh-agent-workflows/branch-actions-detective/example.yml
Trigger workflows that listen for failed Internal: CI workflow_run events on default branch without PRs and invoke the detective workflow with required credentials.
Configuration and Documentation
.github/workflows/gh-aw-branch-actions-detective.md, gh-agent-workflows/branch-actions-detective/README.md
Workflow manifest defining inputs, secrets, permissions, and toolsets, plus user-facing documentation covering purpose, installation, trigger conditions, and safe-output support.

Sequence Diagram(s)

sequenceDiagram
    participant GitHub as GitHub Actions
    participant Pre as pre_activation Job
    participant Act as activation Job
    participant Agent as agent Job<br/>(Copilot)
    participant Det as detection Job
    participant Safe as safe_outputs Job<br/>(MCP)
    participant Conc as conclusion Job
    participant Issue as Issue Tracker

    GitHub->>Pre: Trigger on failed CI workflow_run
    Pre->>Pre: Check membership & permissions
    Pre->>Act: Pass membership validation
    Act->>Act: Activate workflow context
    Act->>Agent: Proceed if authorized
    Agent->>Agent: Setup Copilot<br/>Generate dynamic prompt<br/>Analyze failing CI logs
    Agent->>Agent: Create aw_info metadata
    Agent->>Det: Pass analysis results
    Det->>Det: Analyze agent outputs<br/>Cross-reference threat data
    Det->>Safe: Send detection findings
    Safe->>Safe: Configure MCP servers<br/>Apply safe-output tooling<br/>Validate outputs
    Safe->>Conc: Output safe results
    Conc->>Conc: Aggregate all results<br/>Deduplicate by root cause
    Conc->>Issue: Create/Update tracking issue<br/>with root cause & remediation
    Conc->>GitHub: Report conclusion

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Suggested reviewers

  • github-actions

Poem

🐰 A detective hops into CI's darkest night,
With Copilot's lens to spotlight the blight,
Root causes unmasked, issues tracked clean—
No spam, just one thread for what might have been!
Branch failures? Detected. Issues? Deduped.
One more puzzle solved! 🔍✨

🚥 Pre-merge checks: 5 passed

  • Title check: Passed. The title accurately summarizes the main change: adding a branch-actions-detective workflow for failed main CI runs, which aligns with the PR's core objective.
  • Linked Issues check: Passed. The PR fully addresses all coding requirements from issue #370: detects failed CI runs on main without PRs, analyzes root causes, creates/updates tracking issues, and implements deduplication via safe outputs.
  • Out of Scope Changes check: Passed. All changes are scoped to the branch-actions-detective workflow implementation; no unrelated modifications or out-of-scope alterations are present.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Description Check: Passed. Check skipped because CodeRabbit's high-level summary is enabled.

