
Add daily detector agentic workflow for "Resource not accessible by integration" across long-term branches#425

Merged

strawgate merged 11 commits into main from copilot/add-daily-fixer-workflow on Feb 27, 2026

Conversation

Contributor

Copilot AI commented Feb 26, 2026

Summary

Adds a daily detector workflow for Resource not accessible by integration failures in Elastic repositories. It scans failed GitHub Actions runs on the default branch plus optional long-term branches, then opens one combined tracking issue when matches are found.

What changed

  • Added a new Elastic-specific detector workflow source and compiled lock file:
    • .github/workflows/gh-aw-estc-actions-resource-not-accessible-detector.md
    • .github/workflows/gh-aw-estc-actions-resource-not-accessible-detector.lock.yml
  • Added consumer documentation and a starter trigger workflow:
    • gh-agent-workflows/estc-actions-resource-not-accessible-detector/README.md
    • gh-agent-workflows/estc-actions-resource-not-accessible-detector/example.yml
  • Registered this workflow in Elastic-specific docs/navigation:
    • gh-agent-workflows/README.md
    • docs/workflows/gh-agent-workflows.md
    • mkdocs.yml
  • Added the workflow to scripts/dogfood.sh exclusions (not auto-dogfooded in this repository).

Workflow behavior

  • Runs daily (06:00 UTC in the example trigger) and supports manual dispatch.
  • Supports look-back-days (default 1) to define the failed-run scan window.
  • Prescan queries failed runs for the default branch plus long-term-branches, downloads logs, and matches Resource not accessible by integration.
  • If no findings are present, emits noop and does not open an issue.
  • Uses issue-title-prefix (default [resource-not-accessible-by-integration]) to deduplicate against equivalent open tracking issues.
  • Creates one combined issue with scan summary, affected workflows/runs, evidence, root-cause assessment, and minimum-permission remediation guidance.
  • Detection-only workflow: it does not open PRs.
  • Caller workflow permissions should include actions: read, contents: read, and issues: write.

Similar behavior with base Scheduled Audit

The consumer README documents how to achieve similar behavior with the generic Scheduled Audit workflow via additional-instructions.

Generated by Update PR Body for issue #425

… errors

Co-authored-by: fr4nc1sc0-r4m0n <215478872+fr4nc1sc0-r4m0n@users.noreply.github.com>
Copilot AI changed the title [WIP] Add daily fixer agentic workflow for error detection Add daily fixer agentic workflow for "Resource not accessible by integration" across long-term branches Feb 26, 2026
@strawgate
Collaborator

/ai don't we already have a CI detective workflow we could just provide custom instructions to? I couldn't find it in the documentation but maybe you can

@github-actions
Contributor

Short answer: we have something close, but not equivalent.

pr-actions-detective is intentionally read-only and PR-event scoped (it comments on failed PR runs, but does not open fix PRs): see gh-agent-workflows/pr-actions-detective/README.md (L7, L23) and .github/workflows/gh-aw-pr-actions-detective.md (L78-L90, L120-L126).

This new workflow is specialized for the daily remediation use case: scheduled run, scans default + configurable long-term branches, matches the exact Resource not accessible by integration error, and opens one remediation PR per affected workflow with required reviewer assignment (gh-agent-workflows/resource-not-accessible-by-integration-fixer/README.md, added in this PR).

So yes, we could force this into generic/custom instructions, but the dedicated fixer gives deterministic behavior + documentation/discoverability for this recurring incident class.


From workflow: Mention in PR

@strawgate
Collaborator

/ai let's adjust the workflow here to be similar to our issue ones where we don't want to repost the same issue and so we run a script ahead of time and just have the output of that ready for the agent.

In the script let's enumerate the workflows look for any logs etc so that we can tag the workflows that have this problem and write them to disk and only have the agent investigate workflows with the problem.

That should make this into a fairly simple workflow for the agent to follow. Let's have it open one issue with the combined analysis of the results. Let's have an input which is the number of look-back days.

And let's document how you could get somewhat similar behavior just using the scheduled audit

@strawgate strawgate marked this pull request as ready for review February 26, 2026 21:20
@coderabbitai

coderabbitai bot commented Feb 26, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Adds a new auto-generated GitHub Actions detector/fixer workflow that scans for "Resource not accessible by integration" failures, plus trigger/reuse workflows, docs, example usage, mkdocs entry, and registration in quick-setup.

Changes

  • Workflow Lock & Orchestration: .github/workflows/gh-aw-resource-not-accessible-by-integration-fixer.lock.yml
    Adds a comprehensive auto-generated detector/fixer workflow with many inputs/secrets, multi-stage lifecycle (prescan, prompt rendering & redaction, MCP gateway & safe-outputs, agent/threat-detection runs, artifact handling, and conclusion reporting).
  • Trigger / Invocation: .github/workflows/trigger-resource-not-accessible-by-integration-fixer.yml, gh-agent-workflows/resource-not-accessible-by-integration-fixer/example.yml
    Adds scheduled (daily) and manual triggers that reuse the lock workflow; forwards COPILOT_GITHUB_TOKEN and the look-back-days input.
  • Documentation & READMEs: .github/workflows/gh-aw-resource-not-accessible-by-integration-fixer.md, gh-agent-workflows/resource-not-accessible-by-integration-fixer/README.md, gh-agent-workflows/README.md
    New documentation and READMEs describing detector behaviour, inputs, prescan/gather-analysis flow, deduplication, remediation guidance, and quick-setup instructions.
  • Site Navigation & Quick Setup: docs/workflows/gh-agent-workflows.md, mkdocs.yml, scripts/quick-setup.sh
    Registers the workflow in docs navigation and adds it to the quick-setup continuous_improvement_workflows list for optional installation.

Sequence Diagram(s)

sequenceDiagram
    participant Scheduler
    participant ReuseWorkflow as Reuse Workflow (lock.yml)
    participant Prescan
    participant MCP as MCP Gateway / Safe-Outputs
    participant CopilotCLI as Copilot CLI / Agent
    participant ThreatDetect as Threat Detector
    participant GitHub as GitHub Issues / Artifacts

    Scheduler->>ReuseWorkflow: trigger (cron or workflow_dispatch)
    ReuseWorkflow->>Prescan: run prescan (look-back-days, branches)
    Prescan->>MCP: upload prescan artifacts / start safe-outputs
    ReuseWorkflow->>CopilotCLI: render prompts, start agent via Copilot CLI
    CopilotCLI->>MCP: request safe outputs, fetch artifacts
    CopilotCLI->>ThreatDetect: run threat-detection passes
    ThreatDetect->>GitHub: create combined analysis issue / upload artifacts
    ReuseWorkflow->>MCP: stop safe-outputs / teardown
    ReuseWorkflow->>Scheduler: conclude (noop or create-issue)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes


Suggested reviewers

  • strawgate

Poem

🐰 sniffing the logs
I hop through runs at break of day,
Hunting errors that block the way,
I gather clues, then gently fix,
A patch, a note, a carrot mix — hooray! 🥕

Pre-merge checks (3 passed)

  • Title check: Passed. The title clearly and concisely summarizes the main change: adding a daily detector workflow for a specific CI error across branches.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.


Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/gh-aw-resource-not-accessible-by-integration-fixer.md:
- Around line 186-203: The PR template uses a triple-backtick fenced block that
contains another triple-backtick block under the "## Failure Evidence" section,
creating nested fences; change the outer fence to a four-backtick fence and
replace the inner triple-backtick with a ```text fenced block (and the matching
closing fences) so the example log snippet is rendered correctly; update the
block that contains "## Affected Workflow" / "## Failure Evidence" accordingly
so the outer fence opens with ````markdown and closes with ```` and the inner
log snippet uses ```text and ``` to close.
- Around line 220-223: Replace the misspelled reviewer team slug
"elastic/observablt-ci" with the correct "elastic/observability-ci" wherever it
appears in the workflow text so reviewer assignment works as intended; confirm
the change by searching for the exact string "elastic/observablt-ci" and
updating it to "elastic/observability-ci" (the README already references
"elastic/observability-cicd" so only the reviewer slug in the workflow needs
correction).

ℹ️ Review info

Configuration used: Repository UI (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b056f17 and c0bbd02.

📒 Files selected for processing (9)
  • .github/workflows/gh-aw-resource-not-accessible-by-integration-fixer.lock.yml
  • .github/workflows/gh-aw-resource-not-accessible-by-integration-fixer.md
  • .github/workflows/trigger-resource-not-accessible-by-integration-fixer.yml
  • docs/workflows/gh-agent-workflows.md
  • gh-agent-workflows/README.md
  • gh-agent-workflows/resource-not-accessible-by-integration-fixer/README.md
  • gh-agent-workflows/resource-not-accessible-by-integration-fixer/example.yml
  • mkdocs.yml
  • scripts/quick-setup.sh

github-actions[bot]

This comment was marked as resolved.

coderabbitai[bot]

This comment was marked as resolved.

@strawgate
Collaborator

@copilot let's change this to a detection workflow (not fix) and use a step to do the failed workflow scan and ideally check the logs for the "Resource not accessible by integration" message so we create a simple file for the Agent to review which has the workflows it needs to identify remediations for

…ok-back-days input

Co-authored-by: strawgate <6384545+strawgate@users.noreply.github.com>
Contributor Author

Copilot AI commented Feb 26, 2026

/ai don't we already have a CI detective workflow we could just provide custom instructions to? I couldn't find it in the documentation but maybe you can

Yes — branch-actions-detective and pr-actions-detective both diagnose CI failures and post findings, but they're event-driven (triggered on workflow_run completion for a specific run) and only read logs for that one run. They don't do a scheduled scan across all failed runs from the past N days, and they don't produce a single consolidated issue grouping multiple workflows. Using additional-instructions on those to add this behavior would be technically possible but awkward since the whole log-scan/dedup loop would end up in the agent prompt with no pre-processing step. A dedicated scheduled detector with a bash pre-scan fits the pattern used by other daily workflows (e.g. downstream-health, bug-hunter) and keeps the agent prompt simple.

@copilot let's change this to a detection workflow (not fix) and use a step to do the failed workflow scan and ideally check the logs for the "Resource not accessible by integration" message so we cre...

Done in bdfd89f. The workflow is now a detection-only workflow:

  • A bash pre-scan step runs before the agent: it queries failed workflow runs across the configured branches, downloads logs, greps for Resource not accessible by integration, and writes matches to /tmp/gh-aw/agent/resource-not-accessible-findings.tsv. The agent only sees workflows that already matched.
  • One combined issue per run (not per-workflow PRs). If the findings file is empty the agent calls noop.
  • look-back-days input (default: 1) controls the scan window.
  • Dropped create-pull-request / workflow-edit-guardrails in favour of create-issue / previous-findings to avoid duplicate posting.
  • The README documents how you can get similar behaviour with the base Scheduled Audit workflow.

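The prescan described in the PR body (Workflow behavior) and in the reply above, as an added example in Python rather than the PR's bash step; this is not code from the PR. It takes failed-run records and a log fetcher (both constructed here, standing in for `gh run list` output and downloaded run logs), keeps only runs on the default and long-term branches inside the look-back window, matches the error string, and produces the TSV the agent would read plus the noop / create-issue decision. The record fields, sample runs and log lines are assumptions.

```python
"""Pre-scan for GitHub Actions runs that failed with
"Resource not accessible by integration" (added example, not the PR's script)."""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Iterable

ERROR_MARKER = "Resource not accessible by integration"


@dataclass(frozen=True)
class FailedRun:
    run_id: int
    workflow: str      # workflow file path as reported by the API (assumed field)
    branch: str        # head branch the run was triggered on
    created_at: datetime


@dataclass(frozen=True)
class Finding:
    workflow: str
    branch: str
    run_id: int
    evidence: str      # the single log line that matched, not the whole log


# Constructed sample data standing in for `gh run list --status failure`
# output and the downloaded run logs (hypothetical runs, not real ones).
NOW = datetime(2026, 2, 26, 6, 0, tzinfo=timezone.utc)
SAMPLE_RUNS = [
    FailedRun(101, ".github/workflows/release.yml", "main", NOW - timedelta(hours=3)),
    FailedRun(102, ".github/workflows/ci.yml", "main", NOW - timedelta(hours=5)),
    FailedRun(103, ".github/workflows/release.yml", "8.x", NOW - timedelta(hours=10)),
    FailedRun(104, ".github/workflows/release.yml", "main", NOW - timedelta(days=3)),       # outside window
    FailedRun(105, ".github/workflows/release.yml", "feature/x", NOW - timedelta(hours=1)),  # branch not tracked
]
SAMPLE_LOGS = {
    101: "2026-02-26T03:00:01Z ##[group]Run gh issue create\n"
         "2026-02-26T03:00:02Z ##[error]GraphQL: Resource not accessible by integration (createIssue)\n",
    102: "2026-02-26T01:00:02Z ##[error]Process completed with exit code 1.\n",
    103: "2026-02-25T20:00:02Z HTTP 403: Resource not accessible by integration\n",
    104: "2026-02-23T06:00:02Z ##[error]Resource not accessible by integration\n",
    105: "2026-02-26T05:00:02Z ##[error]Resource not accessible by integration\n",
}


def in_scope(run: FailedRun, default_branch: str, long_term_branches: Iterable[str],
             look_back_days: int, now: datetime) -> bool:
    """Keep runs on the tracked branches that started inside the look-back window."""
    tracked = {default_branch, *long_term_branches}
    cutoff = now - timedelta(days=look_back_days)
    return run.branch in tracked and run.created_at >= cutoff


def match_log(log_text: str) -> str | None:
    """Return the first log line carrying the marker, or None."""
    for line in log_text.splitlines():
        if ERROR_MARKER in line:
            return line.strip()
    return None


def prescan(runs: Iterable[FailedRun], fetch_log: Callable[[int], str],
            default_branch: str = "main", long_term_branches: Iterable[str] = (),
            look_back_days: int = 1, now: datetime = NOW) -> list[Finding]:
    """Filter first, then download and grep: logs are the expensive part."""
    findings: list[Finding] = []
    for run in runs:
        if not in_scope(run, default_branch, long_term_branches, look_back_days, now):
            continue
        evidence = match_log(fetch_log(run.run_id))
        if evidence is not None:
            findings.append(Finding(run.workflow, run.branch, run.run_id, evidence))
    return findings


def findings_tsv(findings: Iterable[Finding]) -> str:
    """Serialise findings as TSV (header + one row per matching run). Only the
    matching line is passed on, so the agent never receives raw log bodies."""
    buf = io.StringIO()
    writer = csv.writer(buf, delimiter="\t", lineterminator="\n")
    writer.writerow(["workflow", "branch", "run_id", "evidence"])
    for f in findings:
        writer.writerow([f.workflow, f.branch, f.run_id, f.evidence])
    return buf.getvalue()


def decide(findings: list[Finding]) -> str:
    """Map the findings to the safe-output the agent should emit."""
    return "create-issue" if findings else "noop"


if __name__ == "__main__":
    found = prescan(SAMPLE_RUNS, SAMPLE_LOGS.__getitem__, long_term_branches=("8.x",))
    print(findings_tsv(found), end="")
    print(decide(found))
```

In the PR's workflow the equivalent output is written to /tmp/gh-aw/agent/resource-not-accessible-findings.tsv for the agent to read; in this example it is returned as a string so it can be checked. Passing only the matching line rather than whole logs keeps the prompt small and limits how much untrusted log text reaches the agent.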
Copilot AI changed the title Add daily fixer agentic workflow for "Resource not accessible by integration" across long-term branches Add daily detector agentic workflow for "Resource not accessible by integration" across long-term branches Feb 26, 2026
Copilot AI requested a review from strawgate February 26, 2026 23:51
coderabbitai[bot]

This comment was marked as resolved.

- Resolve merge conflict in gh-agent-workflows/README.md (keep new workflow + Elastic-specific section)
- Fix issues permission: read → write so create-issue can operate
- Fix inputs.title-prefix → inputs.issue-title-prefix in lock.yml for dedup search

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (2)
.github/workflows/gh-aw-resource-not-accessible-by-integration-fixer.md (2)

196-198: Consider adding language specifier to fenced code block.

The markdownlint tool flags this block for missing a language specifier (MD040). Adding text would silence the warning.

Proposed fix
-   ````
+   ````text
    https://raw.githubusercontent.com/elastic/observability-cicd/main/github-actions/actionable/alerts/app/prompts/accessible-by-integration.txt
    ````
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-resource-not-accessible-by-integration-fixer.md
around lines 196 - 198, The fenced code block containing the URL (the
four-backtick fence "````" enclosing
https://raw.githubusercontent.com/elastic/observability-cicd/main/github-actions/actionable/alerts/app/prompts/accessible-by-integration.txt)
should include a language specifier to satisfy markdownlint MD040; update the
opening fence to "````text" so the block becomes a text code block.

215-246: Consider adding language specifier to the issue body template block.

The markdownlint tool flags this block for missing a language specifier (MD040). Adding markdown would silence the warning and clarify the content type.

Proposed fix
-  ````
+  ````markdown
   ## Scan Summary
   ...
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-resource-not-accessible-by-integration-fixer.md
around lines 215 - 246, The code block in the template (the opening fence that
starts with ```` followed by "## Scan Summary") is missing a language specifier which triggers MD040; update the opening fence to include the language specifier by changing the code fence to ````markdown so the block reads ````markdown followed by the "## Scan Summary" content and the closing ````, ensuring the
language is explicit and markdownlint no longer flags it.


</details>

</blockquote></details>

</blockquote></details>

<details>
<summary>🤖 Prompt for all review comments with AI agents</summary>

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/gh-aw-resource-not-accessible-by-integration-fixer.md:

  • Around line 196-198: The fenced code block containing the URL (the
    four-backtick fence "" enclosing https://raw.githubusercontent.com/elastic/observability-cicd/main/github-actions/actionable/alerts/app/prompts/accessible-by-integration.txt) should include a language specifier to satisfy markdownlint MD040; update the opening fence to "text" so the block becomes a text code block.
  • Around line 215-246: The code block in the template (the opening fence that
    starts with followed by "## Scan Summary") is missing a language specifier which triggers MD040; update the opening fence to include the language specifier by changing the code fence tomarkdown so the block reads markdown followed by the "## Scan Summary" content and the closing , ensuring the
    language is explicit and markdownlint no longer flags it.

</details>

ℹ️ Review info

Configuration used: Repository UI (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 922bc15b32b0f61e1acec45df183e30f27ff2b74 and 76f1842164f1612aeacf96b2610ff7daab3dbd97.

📒 Files selected for processing (5)
  • .github/workflows/gh-aw-resource-not-accessible-by-integration-fixer.lock.yml
  • .github/workflows/gh-aw-resource-not-accessible-by-integration-fixer.md
  • docs/workflows/gh-agent-workflows.md
  • gh-agent-workflows/README.md
  • mkdocs.yml

🚧 Files skipped from review as they are similar to previous changes (3)
  • mkdocs.yml
  • gh-agent-workflows/README.md
  • docs/workflows/gh-agent-workflows.md

@strawgate
Collaborator

/ai fix pr open issues

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@fr4nc1sc0-r4m0n
Contributor

/ai if now it's a detector, I think the name of the workflow and all its references shouldn't be fixer anymore but detector

@strawgate strawgate merged commit 2021a3e into main Feb 27, 2026
13 checks passed
@strawgate strawgate deleted the copilot/add-daily-fixer-workflow branch February 27, 2026 20:44
Contributor

@github-actions github-actions bot left a comment


REQUEST_CHANGES: Deduplication is currently broken in .github/workflows/gh-aw-estc-actions-resource-not-accessible-detector.lock.yml (line 577), where TITLE_PREFIX is sourced from ${{ inputs.title-prefix }} even though the workflow defines issue-title-prefix; this makes the previous-findings search use an empty prefix and can miss existing tracking issues.


From workflow: PR Review
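The previous-findings deduplication this review flags, as an added example that is not the lock.yml logic: a local version of the check over a constructed issue list, showing why the prefix must be read from the input the workflow actually defines and why an empty prefix has to be rejected rather than silently used. The issue titles, the search query string and the "duplicate:#N" action label are assumptions.

```python
"""Previous-findings check: is there already an open tracking issue whose title
starts with the configured prefix? Added example, not the PR's workflow logic."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

DEFAULT_PREFIX = "[resource-not-accessible-by-integration]"


@dataclass(frozen=True)
class Issue:
    number: int
    title: str
    state: str   # "open" or "closed"


# Constructed sample of what an issue search might return (hypothetical issues).
# The unrelated open issue is listed first on purpose.
SAMPLE_ISSUES = [
    Issue(30, "Flaky integration tests on main", "open"),
    Issue(9, "[resource-not-accessible-by-integration] release.yml on 8.x", "closed"),
    Issue(12, "[resource-not-accessible-by-integration] 2 workflows failing on main", "open"),
]


def resolve_prefix(inputs: dict, key: str = "issue-title-prefix") -> str:
    """Read the prefix from the workflow inputs. Reading a key the workflow never
    defines (the review's `title-prefix` vs `issue-title-prefix`) yields "", so
    an unset or empty value falls back to the default instead of propagating."""
    value = (inputs.get(key) or "").strip()
    return value or DEFAULT_PREFIX


def search_query(prefix: str) -> str:
    """Build an issue search scoped to our own tracking issues (query shape assumed);
    refuse an empty prefix, which would no longer scope the search at all."""
    if not prefix.strip():
        raise ValueError("issue-title-prefix is empty; refusing a prefix-less dedup search")
    return f'"{prefix}" in:title is:issue is:open'


def unguarded_match(issues: Iterable[Issue], prefix: str) -> Issue | None:
    """The failure mode: str.startswith("") is True for every title, so with an
    empty prefix the first open issue of any kind is taken as the tracking issue."""
    for issue in issues:
        if issue.state == "open" and issue.title.startswith(prefix):
            return issue
    return None


def existing_tracking_issue(issues: Iterable[Issue], prefix: str) -> Issue | None:
    """Guarded version: validate the prefix, then match open issues only."""
    if not prefix.strip():
        raise ValueError("issue-title-prefix is empty; cannot deduplicate")
    return unguarded_match(issues, prefix)


def plan_output(issues: Iterable[Issue], prefix: str, findings_count: int) -> str:
    """noop when the prescan found nothing; otherwise skip when an equivalent
    open tracking issue exists, else create one (action labels assumed)."""
    if findings_count == 0:
        return "noop"
    existing = existing_tracking_issue(issues, prefix)
    return f"duplicate:#{existing.number}" if existing else "create-issue"


if __name__ == "__main__":
    prefix = resolve_prefix({"issue-title-prefix": DEFAULT_PREFIX})
    print(search_query(prefix))
    print(plan_output(SAMPLE_ISSUES, prefix, findings_count=2))
    print(unguarded_match(SAMPLE_ISSUES, ""))   # the wrong issue, with no error
```

With the misnamed input the prefix becomes "" and the unguarded loop happily returns an unrelated open issue; the real search in the lock file behaves differently with an empty prefix, but in either direction the check stops identifying the detector's own issues. Failing closed on an empty prefix turns a silent mis-dedup into a visible workflow error.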

@coderabbitai coderabbitai bot mentioned this pull request Mar 1, 2026
3 participants