Co-authored-by: strawgate <6384545+strawgate@users.noreply.github.com>
/ai please resolve merge conflicts
Note: Reviews paused
It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
📝 Walkthrough
Adds a scheduled-audit safe-outputs fragment and wires a new boolean input
Changes
Sequence Diagram(s)
sequenceDiagram
participant Caller as Workflow Caller
participant Activation as Activation Job
participant Compute as compute_text Action
participant SafeOutputs as SafeOutputs Handler
participant GitHub as GitHub Issues API
Caller->>Activation: call gh-aw-scheduled-audit (inputs incl. close-older-issues)
Activation->>Compute: compute sanitized title/text/body
Compute-->>Activation: outputs: title, text, body
Activation->>SafeOutputs: invoke create-issue (includes close-older-issues, title-prefix, body)
SafeOutputs->>GitHub: query existing issues / close older issues (if configured)
SafeOutputs->>GitHub: create or skip issue
GitHub-->>SafeOutputs: result
SafeOutputs-->>Activation: propagate result
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~25 minutes
🚥 Pre-merge checks | ✅ 3 | ❌ 2
❌ Failed checks (1 warning, 1 inconclusive)
✅ Passed checks (3 passed)
I checked PR I can’t resolve and push that conflict from this workflow run because this runtime disallows submitting changes under A maintainer can resolve by merging
From workflow: Mention in PR
Resolve merge conflicts in gh-aw-scheduled-audit.lock.yml:
- Keep secret_verification_result output from main
- Keep text/title outputs from PR branch
- Keep GH_AW_ALLOWED_DOMAINS and server/API URL env vars from main
- Keep dynamic close_older_issues from PR branch
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
| timeout-minutes: 90 | ||
| steps: | ||
| - name: List previous findings | ||
| if: ${{ inputs.close-older-issues != 'true' }} |
[HIGH] Boolean input is compared as a string, so condition is always true
close-older-issues is declared as a boolean input, but this condition compares it to the string 'true'. In GitHub Actions expressions, mixed-type equality uses numeric coercion, so both true != 'true' and false != 'true' evaluate to true; this step will always run and the new toggle won't disable previous-findings lookup.
| if: ${{ inputs.close-older-issues != 'true' }} | |
| if: $\{\{ !inputs.close-older-issues }} |
Good catch — fixed. Changed inputs.close-older-issues != 'true' to !inputs.close-older-issues since the input is declared as type: boolean.
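The coercion discussed in this thread, as an added example that is not part of the PR or of GitHub's code: a small JavaScript model of the documented loose-equality and truthiness rules for workflow expressions, applied to both forms of the step condition. The function names are this example's own, and the string-valued inputs go beyond the thread's boolean case to show what each form does if the value arrives as a string.

```javascript
// Added example: a model of GitHub Actions expression semantics, not GitHub's code.
// All function names here are this example's own.

// Mixed-type comparisons coerce both sides to numbers.
function toNumber(v) {
  if (v === null) return 0;
  if (typeof v === 'boolean') return v ? 1 : 0;
  if (typeof v === 'number') return v;
  if (typeof v === 'string') {
    if (v === '') return 0; // empty string coerces to 0
    const jsonNumber = /^-?(0|[1-9]\d*)(\.\d+)?([eE][+-]?\d+)?$/;
    return jsonNumber.test(v) ? Number(v) : NaN; // 'true' is not a number
  }
  return NaN; // arrays and objects
}

function typeName(v) {
  return v === null ? 'null' : typeof v;
}

// `==` in an expression: same type compares directly (strings ignore case),
// different types compare as numbers, and NaN equals nothing.
function looseEquals(a, b) {
  if (typeName(a) === typeName(b)) {
    if (typeof a === 'string') return a.toLowerCase() === b.toLowerCase();
    return a === b;
  }
  return toNumber(a) === toNumber(b);
}

// `!x` in an expression: false, 0, '' and null are falsy; anything else is truthy.
function truthy(v) {
  return !(v === false || v === 0 || v === '' || v === null);
}

// The two forms of the step condition from the review thread.
const conditions = {
  "inputs.close-older-issues != 'true'": (input) => !looseEquals(input, 'true'),
  '!inputs.close-older-issues': (input) => !truthy(input),
};

// For each condition, report whether the "List previous findings" step would run.
function stepRuns(input) {
  const out = {};
  for (const [expr, fn] of Object.entries(conditions)) out[expr] = fn(input);
  return out;
}

// Constructed inputs: the two real booleans from the thread, then the same
// values as strings.
for (const input of [true, false, 'true', 'false']) {
  console.log(JSON.stringify(input).padEnd(8), stepRuns(input));
}
```

With a real boolean, only the negated form follows the toggle. If the value arrives as the string 'false', the negated form skips the step, so the declared `type: boolean` matters.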
Actionable comments posted: 14
🧹 Nitpick comments (1)
.github/workflows/gh-aw-fragments/pr-context.md (1)
42-46: Make linked-issue extraction more robust.
Current parsing is narrow and can miss valid references (for example owner/repo#123). Parse pr.json body first, then match broader closure patterns.
Suggested fix
- grep -oiP '(?:fixes|closes|resolves)\s+#\K\d+' /tmp/pr-context/pr.json 2>/dev/null \ + jq -r '.body // ""' /tmp/pr-context/pr.json \ + | grep -oiP '(?:fix(?:es|ed|ing)?|close(?:s|d)?|resolve(?:s|d)?)\s+(?:[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+)?#\K\d+' 2>/dev/null \ | sort -u \ | while read -r issue; do gh api "repos/$GITHUB_REPOSITORY/issues/$issue" > "/tmp/pr-context/issue-${issue}.json" || true done || true🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/gh-aw-fragments/pr-context.md around lines 42 - 46, Update the linked-issue extraction so it reads the PR body from /tmp/pr-context/pr.json and uses a broader regex to capture closure patterns including optional owner/repo prefixes (e.g., owner/repo#123) and different verbs (fixes|closes|resolves) rather than the narrow grep used now; modify the pipeline around the grep -oiP '(?:fixes|closes|resolves)\s+#\K\d+' invocation to first extract the "body" field from pr.json and then apply a regex that also accepts (?:[\w.-]+\/[\w.-]+#\d+|#\d+) or equivalent, de-duplicate with sort -u, and continue using the existing loop that calls gh api "repos/$GITHUB_REPOSITORY/issues/$issue" to fetch each issue JSON.
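Review bot: In the suggested grep, the optional `(?:[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+)?` prefix is matched and then discarded by `\K`, so a reference such as owner/repo#123 yields only 123 and the loop fetches `repos/$GITHUB_REPOSITORY/issues/123`, which is the current repository's issue 123 rather than the one referenced. Either capture the owner/repo part and use it in the `gh api` path, or skip prefixed references that do not match `$GITHUB_REPOSITORY`.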
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/gh-aw-breaking-change-detector.lock.yml:
- Line 303: The new sub-agent spawning guidance was mistakenly edited directly
in gh-aw-breaking-change-detector.lock.yml; move that paragraph into the
corresponding source .md (add the exact text about calling runSubagent with
agentType/model defaults and the fully self-contained prompt requirement), then
run the generator command gh aw compile to regenerate the .lock.yml so the
change is preserved; do not keep edits in the .lock.yml itself.
In @.github/workflows/gh-aw-bug-hunter.lock.yml:
- Line 304: The lockfile was manually edited: replace the placeholder model
value "model: \"__GH_AW_INPUTS_MODEL__\"" by regenerating the auto-generated
lockfile from the source fragment that uses model: "${{ inputs.model }}"; run
the canonical compile command (gh aw compile) against the source fragments (e.g.
.github/workflows/gh-aw-fragments/pick-three-keep-one.md) to recreate
.github/workflows/gh-aw-bug-hunter.lock.yml so the lock matches the source
rather than making an inline edit to the lockfile.
In @.github/workflows/gh-aw-code-simplifier.lock.yml:
- Line 283: Update the source fragment pick-three-keep-one.md to replace the
default model placeholder `${{ inputs.model }}` with `__GH_AW_INPUTS_MODEL__` to
match the change introduced in the lock file, then regenerate the lock by
running the compilation step (e.g., `gh aw compile`) so the lock file and source
fragment stay in sync.
In @.github/workflows/gh-aw-docs-drift.lock.yml:
- Line 314: The paragraph titled "How to spawn sub-agents" present in the
deprecated workflow file should not be edited there; instead, open the current
patrol workflow and its source doc that replace it (the patrol files referenced
in the header) and update the same "How to spawn sub-agents" paragraph in those
files so the guidance remains accurate; remove or leave the deprecated file
unchanged per the deprecation notice and ensure the updated text in the patrol
files preserves the default agentType/model examples and the requirement for
fully self-contained prompts.
In @.github/workflows/gh-aw-fragments/pr-context.md:
- Line 16: The pipeline step that runs `gh pr diff "$PR_NUMBER" >
/tmp/pr-context/pr.diff || true` silently swallows failures; remove the `||
true`, check the command exit status instead, and on failure emit a warning
(e.g., echo to stderr or use workflow logging) and create a known fallback
artifact at `/tmp/pr-context/pr.diff` containing a short message like "PR diff
unavailable" so downstream steps have deterministic input; update the step that
invokes `gh pr diff` and the artifact handling logic to implement this behavior.
In @.github/workflows/gh-aw-fragments/review-process.md:
- Around line 45-80: The document contains contradictory guidance about
re-flagging outdated review threads: the paragraph that says "do not flag issues
that are already under discussion (resolved, unresolved, or outdated)" conflicts
with the later "Existing review threads" bullets that allow re-flagging outdated
issues "only re-flag if the issue still applies to the current diff." Unify
these by keeping the first rule but clarifying it to: "Do not flag issues
already under discussion (resolved or unresolved); for outdated threads, only
re-flag if the concern still applies to the current diff." Update the phrases
"do not flag issues that are already under discussion (resolved, unresolved, or
outdated)" and the "Outdated" bullet under "Existing review threads" so both use
the same wording and intent.
In @.github/workflows/gh-aw-mention-in-pr-by-id.md:
- Line 129: Update the wording in the "**PR context on disk**" paragraph that
currently reads "`/tmp/pr-context/` — PR metadata, diff, files, reviews,
comments, and linked issues are pre-fetched. Read from these files instead of
calling the API." to instead state that `/tmp/pr-context` should be used as the
primary source and that API calls should be used only when required data is
unavailable (e.g., "use `/tmp/pr-context` as the primary source; call API tools
only when required data is unavailable"); make the same replacement for the
other near-duplicate paragraph with the same "**PR context on disk**" heading
later in the file.
In @.github/workflows/gh-aw-mention-in-pr-no-sandbox.md:
- Around line 148-150: The current reviewer steps assume
/tmp/pr-context/diffs/<filename>.diff is always present and complete; add a
fallback when that file is empty or truncated by checking its size/content and,
if missing/invalid, reading the full file from the workspace (the checked-out PR
branch) and/or generating a git diff for the filename (e.g., run git diff
origin/main -- <filename>) to reconstruct the changes; update the "Read the diff
from /tmp/pr-context/diffs/<filename>.diff" step to validate the artifact and
fall back to workspace file or live git diff so large/binary changes are not
silently skipped.
In @.github/workflows/gh-aw-mention-in-pr.lock.yml:
- Line 705: The pr diff fetch is being masked by the tolerant suffix in the
command 'gh pr diff "$PR_NUMBER" > /tmp/pr-context/pr.diff || true' which can
leave /tmp/pr-context/pr.diff empty; change the behavior in the generator so the
command fails on error (remove the "|| true") and/or capture and check the exit
status of 'gh pr diff' and abort with a clear error if it fails (e.g., ensure
the workflow exits non-zero and logs the gh error) — update the generator
template that emits the line containing 'gh pr diff "$PR_NUMBER" >
/tmp/pr-context/pr.diff || true' so generated .lock.yml no longer swallows
errors.
In @.github/workflows/gh-aw-pr-review.lock.yml:
- Around line 456-457: The workflow reads /tmp/pr-context/review_comments.json
and uses pulls/$PR_NUMBER/comments but then expects thread-state fields
(isResolved/isOutdated) which the REST pulls comments endpoint doesn't provide;
update the logic to either (A) retrieve thread state via the GraphQL
reviewThreads connection (use a GraphQL query against pullRequest(number:
$PR_NUMBER) { reviewThreads(first: 100) { nodes { id isResolved isOutdated
comments { nodes { id body } } } } } and populate
/tmp/pr-context/review_comments.json with those fields) or (B) remove/disable
the resolved/outdated checks and any references to isResolved/isOutdated in the
code that processes review_comments.json; ensure any place referencing
pulls/$PR_NUMBER/comments, review_comments.json, reviewThreads, isResolved or
isOutdated is updated accordingly so thread-resolution checks are verifiable.
- Line 677: Update the gh API calls that write /tmp/pr-context/files.json,
/tmp/pr-context/reviews.json, /tmp/pr-context/review_comments.json, and
/tmp/pr-context/comments.json to use the --slurp option so paginated responses
are combined into a single valid JSON array (i.e., change the gh api invocations
that target "repos/$GITHUB_REPOSITORY/pulls/$PR_NUMBER/files",
"repos/$GITHUB_REPOSITORY/pulls/$PR_NUMBER/reviews",
"repos/$GITHUB_REPOSITORY/pulls/$PR_NUMBER/comments", and
"repos/$GITHUB_REPOSITORY/issues/$PR_NUMBER/comments" to include --paginate
--slurp).
In @.github/workflows/gh-aw-product-manager-impersonator.lock.yml:
- Line 312: This change belongs in the source fragment, not the generated lock
file: open the source fragment named pick-three-keep-one.md and replace the
literal string `${{ inputs.model }}` with `__GH_AW_INPUTS_MODEL__`, then
recompile the workflow bundle by running `gh aw compile` so the `.lock.yml` is
regenerated; do not edit the `.lock.yml` directly.
In @.github/workflows/gh-aw-ux-design-patrol.lock.yml:
- Line 309: The change should be made in the source workflow markdown that
generates .github/workflows/gh-aw-ux-design-patrol.lock.yml rather than editing
the generated .lock.yml; locate the corresponding source `.md` (the workflow
documentation that contains the spawn sub-agents text), update the
prompt/instruction there, then run the generator command `gh aw compile` to
regenerate `gh-aw-ux-design-patrol.lock.yml`; do not modify the generated file
directly.
In @.github/workflows/workflow-patrol.lock.yml:
- Line 328: The rendered workflow may interpolate an empty model when
inputs.model is undefined; update the source fragment (the .md/fragment used to
generate .lock.yml) so the runSubagent invocation defaults to a concrete model
string (e.g., "gpt-5.3-codex") instead of an empty value; implement this by
changing the template interpolation for model to use a fallback (e.g., `${{
inputs.model || 'gpt-5.3-codex' }}` or the template engine's equivalent) where
runSubagent, agentType, and model are composed, then recompile the .md/fragment
to regenerate the .lock.yml output.
---
Nitpick comments:
In @.github/workflows/gh-aw-fragments/pr-context.md:
- Around line 42-46: Update the linked-issue extraction so it reads the PR body
from /tmp/pr-context/pr.json and uses a broader regex to capture closure
patterns including optional owner/repo prefixes (e.g., owner/repo#123) and
different verbs (fixes|closes|resolves) rather than the narrow grep used now;
modify the pipeline around the grep -oiP '(?:fixes|closes|resolves)\s+#\K\d+'
invocation to first extract the "body" field from pr.json and then apply a regex
that also accepts (?:[\w.-]+\/[\w.-]+#\d+|#\d+) or equivalent, de-duplicate with
sort -u, and continue using the existing loop that calls gh api
"repos/$GITHUB_REPOSITORY/issues/$issue" to fetch each issue JSON.
ℹ️ Review info
Configuration used: Repository UI (base), Organization UI (inherited)
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (32)
- .github/workflows/gh-aw-agent-suggestions.lock.yml
- .github/workflows/gh-aw-autonomy-atomicity-analyzer.lock.yml
- .github/workflows/gh-aw-breaking-change-detect.lock.yml
- .github/workflows/gh-aw-breaking-change-detector.lock.yml
- .github/workflows/gh-aw-bug-hunter.lock.yml
- .github/workflows/gh-aw-code-duplication-detector.lock.yml
- .github/workflows/gh-aw-code-simplifier.lock.yml
- .github/workflows/gh-aw-docs-drift.lock.yml
- .github/workflows/gh-aw-docs-patrol.lock.yml
- .github/workflows/gh-aw-fragments/pick-three-keep-many.md
- .github/workflows/gh-aw-fragments/pick-three-keep-one.md
- .github/workflows/gh-aw-fragments/pr-context.md
- .github/workflows/gh-aw-fragments/review-process.md
- .github/workflows/gh-aw-framework-best-practices.lock.yml
- .github/workflows/gh-aw-information-architecture.lock.yml
- .github/workflows/gh-aw-issue-triage.lock.yml
- .github/workflows/gh-aw-mention-in-pr-by-id.lock.yml
- .github/workflows/gh-aw-mention-in-pr-by-id.md
- .github/workflows/gh-aw-mention-in-pr-no-sandbox.lock.yml
- .github/workflows/gh-aw-mention-in-pr-no-sandbox.md
- .github/workflows/gh-aw-mention-in-pr.lock.yml
- .github/workflows/gh-aw-mention-in-pr.md
- .github/workflows/gh-aw-performance-profiler.lock.yml
- .github/workflows/gh-aw-pr-review.lock.yml
- .github/workflows/gh-aw-pr-review.md
- .github/workflows/gh-aw-product-manager-impersonator.lock.yml
- .github/workflows/gh-aw-refactor-opportunist.lock.yml
- .github/workflows/gh-aw-scheduled-audit.lock.yml
- .github/workflows/gh-aw-text-auditor.lock.yml
- .github/workflows/gh-aw-ux-design-patrol.lock.yml
- .github/workflows/upgrade-check.lock.yml
- .github/workflows/workflow-patrol.lock.yml
✅ Files skipped from review due to trivial changes (3)
- .github/workflows/gh-aw-code-duplication-detector.lock.yml
- .github/workflows/gh-aw-scheduled-audit.lock.yml
- .github/workflows/gh-aw-mention-in-pr-no-sandbox.lock.yml
| Parallelize your work using sub-agents. Spawn 3 sub-agents, each approaching the task from a different angle — e.g., different focus areas, different heuristics, or different parts of the codebase. Each sub-agent works independently and should return its own list of findings. | ||
|
|
||
| **How to spawn sub-agents:** Call `runSubagent` with `agentType: "general-purpose"` and `model: "__GH_AW_INPUTS_MODEL__"` (unless the workflow specifies a different agent type or model). Sub-agents cannot see your conversation history, the other sub-agents' results, or any context you have gathered so far. Each prompt must be **fully self-contained** — include everything the sub-agent needs: | ||
| **How to spawn sub-agents:** Call `runSubagent` with the `agentType` and `model` specified by the workflow instructions below (defaulting to `agentType: "general-purpose"` and `model: "__GH_AW_INPUTS_MODEL__"` if none are specified). Sub-agents cannot see your conversation history, the other sub-agents' results, or any context you have gathered so far. Each prompt must be **fully self-contained** — include everything the sub-agent needs: |
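Review bot: The new wording in the "How to spawn sub-agents" line points to "the workflow instructions below", which is only right when every workflow that includes this text places its own instructions after it. Consider wording that does not depend on position, such as "specified elsewhere in this prompt", so an override placed earlier is not passed over in favor of the defaults.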
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Find the source manifest for this workflow
echo "=== Looking for source .md file ==="
fd 'gh-aw-breaking-change-detector\.md$' || echo "No .md file found"
echo -e "\n=== Checking git status for both source and lock files ==="
git diff --name-only | grep -E 'gh-aw-breaking-change-detector' || echo "No changes found in git diff"
echo -e "\n=== Checking if source .md exists and contains the updated text ==="
if fd 'gh-aw-breaking-change-detector\.md$' | head -1 | xargs cat > /tmp/md_content.txt 2>/dev/null; then
echo "Source .md file found. Checking for sub-agent guidance text..."
grep -n 'How to spawn sub-agents\|agentType.*model' /tmp/md_content.txt | head -20 || echo "Text not found in .md"
else
echo "Could not read source .md file"
fi
echo -e "\n=== Checking the locked .yml file ==="
if [ -f ".github/workflows/gh-aw-breaking-change-detector.lock.yml" ]; then
sed -n '300,310p' ".github/workflows/gh-aw-breaking-change-detector.lock.yml"
fi
Repository: elastic/ai-github-actions
Length of output: 1614
Move this change to the source .md file — do not edit .lock.yml directly.
The updated sub-agent spawning guidance appears in the .lock.yml file but not in the corresponding source .md. Since .lock.yml files are auto-generated via gh aw compile, this direct edit will be overwritten. Add this text to the source .md file and recompile.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/gh-aw-breaking-change-detector.lock.yml at line 303, The
new sub-agent spawning guidance was mistakenly edited directly in
gh-aw-breaking-change-detector.lock.yml; move that paragraph into the
corresponding source .md (add the exact text about calling runSubagent with
agentType/model defaults and the fully self-contained prompt requirement), then
run the generator command gh aw compile to regenerate the .lock.yml so the
change is preserved; do not keep edits in the .lock.yml itself.
This is a false positive. .lock.yml files are auto-generated by gh aw compile from source .md files. The __GH_AW_INPUTS_MODEL__ placeholder is the compiled form of ${{ inputs.model }} — this is expected and correct. The source .md files are the source of truth, and the lockfiles are regenerated from them on every compile.
@strawgate, you're absolutely right — I apologize for the false positive. I see now that the changes were properly made in the source .md files and the .lock.yml was correctly regenerated via gh aw compile. The __GH_AW_INPUTS_MODEL__ placeholder is indeed the expected compiled form of ${{ inputs.model }}.
Thank you for the clarification about the compilation process!
🧠 Learnings used
Learnt from: CR
Repo: elastic/ai-github-actions PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-02-21T07:31:50.826Z
Learning: Review and reference GitHub Agent Workflows from ./gh-agent-workflows directory
Learnt from: CR
Repo: elastic/ai-github-actions PR: 0
File: gh-agent-workflows/AGENTS.md:0-0
Timestamp: 2026-02-20T21:53:19.599Z
Learning: Applies to gh-agent-workflows/**/DEVELOPING.md : GitHub Agent Workflows documentation should be maintained in DEVELOPING.md
Learnt from: CR
Repo: elastic/ai-github-actions PR: 0
File: gh-agent-workflows/AGENTS.md:0-0
Timestamp: 2026-02-20T21:53:19.599Z
Learning: Applies to gh-agent-workflows/**/README.md : GitHub Agent Workflows documentation should be maintained in README.md
Learnt from: strawgate
Repo: elastic/ai-github-actions PR: 312
File: .github/workflows/gh-aw-small-problem-fixer.lock.yml:677-680
Timestamp: 2026-02-21T06:36:33.737Z
Learning: In the elastic/ai-github-actions repository, files under .github/workflows with the .lock.yml extension are auto-generated by running gh aw compile from corresponding .md source files. Do not edit .lock.yml files directly, as they will be overwritten. Make changes to the source .md files instead.
Learnt from: CR
Repo: elastic/ai-github-actions PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-02-21T07:31:50.826Z
Learning: Applies to {README.md,DEVELOPING.md,docs/upgrading.md} : Document AI GitHub Actions implementation and configuration in README.md, DEVELOPING.md, and docs/upgrading.md
| Parallelize your initial investigation using sub-agents. Spawn 3 sub-agents, each with a distinct angle — e.g., different starting points, different areas of the codebase, or different heuristics. Each sub-agent works independently and should return its single best candidate finding (with file paths, line numbers, and evidence) or a recommendation to `noop`. The goal is competition: 3 sub-agents each produce their best shot, and you pick the winner. | ||
|
|
||
| **How to spawn sub-agents:** Call `runSubagent` with `agentType: "general-purpose"` and `model: "__GH_AW_INPUTS_MODEL__"` (unless the workflow specifies a different agent type or model). Sub-agents cannot see your conversation history, the other sub-agents' results, or any context you have gathered so far. Each prompt must be **fully self-contained** — include everything the sub-agent needs to do its job: | ||
| **How to spawn sub-agents:** Call `runSubagent` with the `agentType` and `model` specified by the workflow instructions below (defaulting to `agentType: "general-purpose"` and `model: "__GH_AW_INPUTS_MODEL__"` if none are specified). Sub-agents cannot see your conversation history, the other sub-agents' results, or any context you have gathered so far. Each prompt must be **fully self-contained** — include everything the sub-agent needs to do its job: |
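Review bot: The fallback in the rewritten "How to spawn sub-agents" line is itself a substituted value, `model: "__GH_AW_INPUTS_MODEL__"`, and the line does not say what the agent should pass if that placeholder renders empty. Consider stating the expected behavior for that case in the same sentence.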
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Step 1: Locate bug-hunter source and compiled files ==="
find . -name '*bug-hunter*' -type f | head -20
echo
echo "=== Step 2: Search for the sub-agent guidance text in both .md and .lock.yml ==="
rg -n "How to spawn sub-agents" --type md --type yaml 2>/dev/null || echo "Text not found via rg"
echo
echo "=== Step 3: Check if .md source exists and list workflow-related .md files ==="
fd 'bug-hunter.*\.md$|\.md$' .github/workflows gh-agent-workflows 2>/dev/null | head -20
Repository: elastic/ai-github-actions
Length of output: 1380
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== File sizes ==="
wc -l .github/workflows/gh-aw-bug-hunter.md .github/workflows/gh-aw-bug-hunter.lock.yml
echo
echo "=== Content around line 304 in .lock.yml ==="
sed -n '300,310p' .github/workflows/gh-aw-bug-hunter.lock.yml
echo
echo "=== Search for 'spawn' or 'runSubagent' in both files ==="
echo "--- In .md file ---"
grep -n 'spawn\|runSubagent' .github/workflows/gh-aw-bug-hunter.md || echo "Not found"
echo
echo "--- In .lock.yml file ---"
grep -n 'spawn\|runSubagent' .github/workflows/gh-aw-bug-hunter.lock.yml || echo "Not found"
echo
echo "=== Check first 50 lines of .md source ==="
head -50 .github/workflows/gh-aw-bug-hunter.md
Repository: elastic/ai-github-actions
Length of output: 4844
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Check if pick-three-keep-one.md fragment exists ==="
ls -la .github/workflows/gh-aw-fragments/pick-three-keep-one.md
echo
echo "=== Read full fragment file ==="
cat .github/workflows/gh-aw-fragments/pick-three-keep-one.md
Repository: elastic/ai-github-actions
Length of output: 2356
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Count occurrences of __GH_AW_INPUTS_MODEL__ in .lock.yml ==="
grep -c '__GH_AW_INPUTS_MODEL__' .github/workflows/gh-aw-bug-hunter.lock.yml
echo
echo "=== Sample lines with __GH_AW_INPUTS_MODEL__ ==="
grep -n '__GH_AW_INPUTS_MODEL__' .github/workflows/gh-aw-bug-hunter.lock.yml | head -5
echo
echo "=== Check if ${{ inputs.model }} appears in .lock.yml (should not) ==="
grep -c '\${{ inputs.model }}' .github/workflows/gh-aw-bug-hunter.lock.yml || echo "Not found (expected)"
echo
echo "=== Compare: Check another workflow's .lock.yml for same pattern ==="
grep -c '__GH_AW_INPUTS_MODEL__' .github/workflows/gh-aw-code-simplifier.lock.yml 2>/dev/null || echo "File not found"
Repository: elastic/ai-github-actions
Length of output: 782
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Check for model references in .lock.yml ==="
grep -n 'model' .github/workflows/gh-aw-bug-hunter.lock.yml | head -10
echo
echo "=== Check full git context for line 304 if available ==="
git log -p --all -S '__GH_AW_INPUTS_MODEL__' -- '.github/workflows/gh-aw-bug-hunter.lock.yml' 2>/dev/null | head -100 || echo "Git history not available"
echo
echo "=== Verify: does source fragment match what appears in lockfile? ==="
echo "Fragment text:"
grep -A 1 'How to spawn sub-agents' .github/workflows/gh-aw-fragments/pick-three-keep-one.md
echo
echo "Lockfile text:"
grep -A 1 'How to spawn sub-agents' .github/workflows/gh-aw-bug-hunter.lock.yml
Repository: elastic/ai-github-actions
Length of output: 2127
Recompile this lockfile from source—do not manually edit auto-generated files.
Line 304 contains model: "__GH_AW_INPUTS_MODEL__", but the source fragment at .github/workflows/gh-aw-fragments/pick-three-keep-one.md specifies model: "${{ inputs.model }}". This mismatch indicates a direct manual edit to the .lock.yml file. Auto-generated lockfiles must be regenerated by running gh aw compile from the source .md files, not edited directly. Regenerate .github/workflows/gh-aw-bug-hunter.lock.yml from its source .md to ensure consistency.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/gh-aw-bug-hunter.lock.yml at line 304, The lockfile was
manually edited: replace the placeholder model value "model:
\"__GH_AW_INPUTS_MODEL__\"" by regenerating the auto-generated lockfile from the
source fragment that uses model: "${{ inputs.model }}"; run the canonical
compile command (gh aw compile) against the source fragments (e.g.
.github/workflows/gh-aw-fragments/pick-three-keep-one.md) to recreate
.github/workflows/gh-aw-bug-hunter.lock.yml so the lock matches the source
rather than making an inline edit to the lockfile.
This is a false positive. .lock.yml files are auto-generated by gh aw compile from source .md files. The __GH_AW_INPUTS_MODEL__ placeholder is the compiled form of ${{ inputs.model }} — this is expected and correct. The source .md files are the source of truth, and the lockfiles are regenerated from them on every compile.
@strawgate, you're absolutely right—this is a false positive. Thank you for the clarification! I misunderstood the compilation process. The __GH_AW_INPUTS_MODEL__ placeholder in the .lock.yml file is the correct compiled form of ${{ inputs.model }} from the source .md files. This transformation is expected behavior when running gh aw compile, not a manual edit.
I apologize for the incorrect review comment. I've noted this for future reviews.
✏️ Learnings added
Learnt from: strawgate
Repo: elastic/ai-github-actions PR: 445
File: .github/workflows/gh-aw-bug-hunter.lock.yml:304-304
Timestamp: 2026-02-27T19:33:32.194Z
Learning: In the elastic/ai-github-actions repository, when `gh aw compile` generates `.lock.yml` files from source `.md` files, it transforms `${{ inputs.model }}` into the placeholder `__GH_AW_INPUTS_MODEL__`. This is expected compilation behavior, not a manual edit.
| Parallelize your work using sub-agents. Spawn 3 sub-agents, each approaching the task from a different angle — e.g., different focus areas, different heuristics, or different parts of the codebase. Each sub-agent works independently and should return its own list of findings. | ||
|
|
||
| **How to spawn sub-agents:** Call `runSubagent` with `agentType: "general-purpose"` and `model: "__GH_AW_INPUTS_MODEL__"` (unless the workflow specifies a different agent type or model). Sub-agents cannot see your conversation history, the other sub-agents' results, or any context you have gathered so far. Each prompt must be **fully self-contained** — include everything the sub-agent needs: | ||
| **How to spawn sub-agents:** Call `runSubagent` with the `agentType` and `model` specified by the workflow instructions below (defaulting to `agentType: "general-purpose"` and `model: "__GH_AW_INPUTS_MODEL__"` if none are specified). Sub-agents cannot see your conversation history, the other sub-agents' results, or any context you have gathered so far. Each prompt must be **fully self-contained** — include everything the sub-agent needs: |
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Find candidate source workflow markdown files ==="
fd -HI 'gh-aw-docs-(drift|patrol)\.md$' || echo "No direct matches found"
echo
echo "=== Search for related markdown files in gh-agent-workflows ==="
fd -HI '\.md$' gh-agent-workflows/ 2>/dev/null | head -20 || echo "Directory may not exist or no matches"
echo
echo "=== Search for the updated sub-agent wording in all markdown files ==="
rg -l 'How to spawn sub-agents' . 2>/dev/null || echo "Pattern not found in any markdown"
echo
echo "=== Inspect lock file for the specific wording ==="
rg -n -C 2 'How to spawn sub-agents' .github/workflows/gh-aw-docs-drift.lock.yml 2>/dev/null || echo "Pattern not found in lock file"
echo
echo "=== List all .md files in .github/workflows ==="
fd -HI '\.md$' .github/workflows/ 2>/dev/null | head -20 || echo "No markdown files found"
echo
echo "=== Check structure of gh-agent-workflows ==="
ls -la gh-agent-workflows/ 2>/dev/null | head -20 || echo "Directory does not exist"
Repository: elastic/ai-github-actions
Length of output: 4534
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Check docs-patrol.md for sub-agent wording ==="
rg -n -C 3 'How to spawn sub-agents|runSubagent' .github/workflows/gh-aw-docs-patrol.md || echo "Not found in docs-patrol"
echo
echo "=== Check lock file metadata/header for source reference ==="
head -20 .github/workflows/gh-aw-docs-drift.lock.yml
echo
echo "=== List all .lock.yml files and their sources ==="
fd -HI '\.lock\.yml$' .github/workflows/ | while read -r lock; do
  src="${lock%.lock.yml}.md"
  if [ -f "$src" ]; then
    echo "✓ $lock (source exists: $src)"
  else
    echo "✗ $lock (NO SOURCE: $src not found)"
  fi
done
Repository: elastic/ai-github-actions
Length of output: 7790
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Check if docs-patrol.lock.yml contains the same sub-agent wording ==="
rg -n -C 2 'How to spawn sub-agents' .github/workflows/gh-aw-docs-patrol.lock.yml || echo "Pattern not in docs-patrol"
echo
echo "=== Confirm drift.lock.yml is marked deprecated ==="
head -10 .github/workflows/gh-aw-docs-drift.lock.yml | grep -i deprecat
Repository: elastic/ai-github-actions
Length of output: 1109
This is a deprecated file; update the current version instead.
The file .github/workflows/gh-aw-docs-drift.lock.yml is marked for deprecation and removal. Per its header notice, use gh-aw-docs-patrol.lock.yml (and its source gh-aw-docs-patrol.md) going forward. The same "How to spawn sub-agents" text already exists in the current patrol file and should be updated there instead.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/gh-aw-docs-drift.lock.yml at line 314, The paragraph
titled "How to spawn sub-agents" present in the deprecated workflow file should
not be edited there; instead, open the current patrol workflow and its source
doc that replace it (the patrol files referenced in the header) and update the
same "How to spawn sub-agents" paragraph in those files so the guidance remains
accurate; remove or leave the deprecated file unchanged per the deprecation
notice and ensure the updated text in the patrol files preserves the default
agentType/model examples and the requirement for fully self-contained prompts.
This is a false positive. .lock.yml files are auto-generated by gh aw compile from source .md files. The __GH_AW_INPUTS_MODEL__ placeholder is the compiled form of ${{ inputs.model }} — this is expected and correct. The source .md files are the source of truth, and the lockfiles are regenerated from them on every compile.
@strawgate, you're absolutely right—my apologies for the false positive. I failed to apply the existing learning that .lock.yml files are auto-generated from source .md files via gh aw compile. The change is correct and expected: the __GH_AW_INPUTS_MODEL__ placeholder is the compiled form of ${{ inputs.model }}, and lockfile changes naturally reflect updates to the source .md files. Thank you for the clarification!
/)/)
(•.•)
/>📝 _noted!_
🧠 Learnings used
Learnt from: CR
Repo: elastic/ai-github-actions PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-02-21T07:31:50.826Z
Learning: Review and reference GitHub Agent Workflows from ./gh-agent-workflows directory
Learnt from: CR
Repo: elastic/ai-github-actions PR: 0
File: gh-agent-workflows/AGENTS.md:0-0
Timestamp: 2026-02-20T21:53:19.599Z
Learning: Applies to gh-agent-workflows/**/DEVELOPING.md : GitHub Agent Workflows documentation should be maintained in DEVELOPING.md
Learnt from: CR
Repo: elastic/ai-github-actions PR: 0
File: gh-agent-workflows/AGENTS.md:0-0
Timestamp: 2026-02-20T21:53:19.599Z
Learning: Applies to gh-agent-workflows/**/README.md : GitHub Agent Workflows documentation should be maintained in README.md
Learnt from: strawgate
Repo: elastic/ai-github-actions PR: 312
File: .github/workflows/gh-aw-small-problem-fixer.lock.yml:677-680
Timestamp: 2026-02-21T06:36:33.737Z
Learning: In the elastic/ai-github-actions repository, files under .github/workflows with the .lock.yml extension are auto-generated by running gh aw compile from corresponding .md source files. Do not edit .lock.yml files directly, as they will be overwritten. Make changes to the source .md files instead.
Learnt from: CR
Repo: elastic/ai-github-actions PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-02-21T07:31:50.826Z
Learning: Applies to {README.md,DEVELOPING.md,docs/upgrading.md} : Document AI GitHub Actions implementation and configuration in README.md, DEVELOPING.md, and docs/upgrading.md
Actionable comments posted: 5
🧹 Nitpick comments (2)
.github/workflows/gh-aw-fragments/review-process.md (1)
28-33: Align uncertainty guidance with the later intensity policy.
Line 32 currently says to include findings when unsure, but later sections for balanced/conservative guidance lean toward not flagging ambiguous issues. Consider making this consistent to reduce noisy findings.
Suggested wording tweak
- - If the issue is clearly handled, skip it. If you're unsure, include it — the parent will verify. + - If the issue is clearly handled, skip it. If it remains ambiguous after the quick-check, do not include it unless the configured intensity explicitly favors broader reporting.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/gh-aw-fragments/review-process.md around lines 28 - 33, Replace the sentence "If you're unsure, include it — the parent will verify." with guidance that mirrors the later intensity policy (balanced/conservative): instruct reviewers to only add findings when they can describe a concrete trigger or reasonable suspicion, otherwise skip to avoid noise; reference the existing phrases "If you're unsure, include it — the parent will verify." and the later "balanced/conservative" guidance so editors can make the wording consistent across the document.
.github/workflows/gh-aw-mention-in-pr-no-sandbox.lock.yml (1)
176-178: Declare missing inputs in the source .md file.
The generated .lock.yml references three inputs that are not declared in on.workflow_call.inputs:
- inputs.minimum_severity (from review-process.md fragment)
- inputs.intensity (from review-process.md fragment)
- inputs.target-pr-number (from pr-context.md fragment)
Add declarations for these to .github/workflows/gh-aw-mention-in-pr-no-sandbox.md in the workflow_call.inputs section, then recompile via gh aw compile.
Affects lines: 176-178, 551-553, 570-573, 596-598, 711
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/gh-aw-mention-in-pr-no-sandbox.lock.yml around lines 176 - 178, The lock references three missing workflow_call inputs—minimum_severity, intensity, and target-pr-number—so add declarations for these in the workflow_call.inputs section of the gh-aw-mention-in-pr-no-sandbox.md source (use names exactly: minimum_severity, intensity, target-pr-number); set sensible defaults/types to match usage (e.g., minimum_severity default "low", intensity default "balanced", and target-pr-number as an integer/optional or required based on where it's used), save the .md, then recompile the workflow with `gh aw compile`.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/downstream-users.lock.yml:
- Around line 253-257: The prompt text in the generated workflow
(.github/workflows/*.lock.yml) advertises a 10,240 KB patch limit but the
handler config still sets max_patch_size: 1024, causing a mismatch; update the
source .md that generates this lock file so the handler config and prompt text
agree (either change the prompt text to reflect 1024 or bump the handler's
max_patch_size to 10240), then re-run the generator (gh aw compile) to
regenerate the .lock.yml; look for the handler key max_patch_size: 1024 and the
prompt block that lists "Patch size" to ensure both values match.
In @.github/workflows/gh-aw-fragments/pr-context.md:
- Around line 76-79: The find loop fails when /tmp/pr-context/threads doesn't
exist under set -euo pipefail; guard the block by checking directory existence
before running find (e.g., wrap the find/jq/rm loop in if [ -d
"/tmp/pr-context/threads" ]; then ... fi) so the step is skipped when no threads
directory exists, preserving the existing conversion logic that uses jq and rm
on '*.jsonl' files.
In @.github/workflows/gh-aw-mention-in-issue-no-sandbox.lock.yml:
- Around line 1591-1592: The GH_AW_CI_TRIGGER_TOKEN environment entry currently
only uses secrets.EXTRA_COMMIT_GITHUB_TOKEN which may be empty; update the
source workflow .md so GH_AW_CI_TRIGGER_TOKEN falls back to the repo token
(e.g., use secrets.EXTRA_COMMIT_GITHUB_TOKEN || secrets.GITHUB_TOKEN /
github.token) to avoid empty-token PR flows, then recompile the .md into the
.lock.yml using gh aw compile; target the GH_AW_CI_TRIGGER_TOKEN assignment in
the workflow source so the generated .lock.yml gets the fallback.
In @.github/workflows/gh-aw-mention-in-pr.lock.yml:
- Around line 173-175: Add the missing workflow inputs "intensity" and
"minimum_severity" to the source workflow's workflow_call.inputs in the .md file
so callers can pass those values (they are currently referenced in the compiled
lock file via inputs.intensity and inputs.minimum_severity). Update the
workflow_call.inputs block to declare intensity (type string, default
"balanced", optional) and minimum_severity (type string, default "low",
optional) with the provided descriptions, then re-run the compilation step (gh
aw compile) to regenerate the .lock.yml so the GH_AW_EXPR_* entries reference
declared inputs.
In @.github/workflows/gh-aw-pr-review.lock.yml:
- Line 685: The find that converts per-file JSONL to JSON arrays can fail under
set -euo pipefail if /tmp/pr-context/threads doesn't exist; create the directory
beforehand to avoid a non-zero exit. Add a precondition mkdir -p
/tmp/pr-context/threads immediately before the block that runs find
/tmp/pr-context/threads -name '*.jsonl' | while ... (the JSONL-to-JSON
conversion loop), ensuring the threads directory always exists even when there
are no review threads.
---
Nitpick comments:
In @.github/workflows/gh-aw-fragments/review-process.md:
- Around line 28-33: Replace the sentence "If you're unsure, include it — the
parent will verify." with guidance that mirrors the later intensity policy
(balanced/conservative): instruct reviewers to only add findings when they can
describe a concrete trigger or reasonable suspicion, otherwise skip to avoid
noise; reference the existing phrases "If you're unsure, include it — the parent
will verify." and the later "balanced/conservative" guidance so editors can make
the wording consistent across the document.
In @.github/workflows/gh-aw-mention-in-pr-no-sandbox.lock.yml:
- Around line 176-178: The lock references three missing workflow_call
inputs—minimum_severity, intensity, and target-pr-number—so add declarations for
these in the workflow_call.inputs section of the
gh-aw-mention-in-pr-no-sandbox.md source (use names exactly: minimum_severity,
intensity, target-pr-number); set sensible defaults/types to match usage (e.g.,
minimum_severity default "low", intensity default "balanced", and
target-pr-number as an integer/optional or required based on where it's used),
save the .md, then recompile the workflow with `gh aw compile`.
ℹ️ Review info
Configuration used: Repository UI (base), Organization UI (inherited)
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (75)
- .github/workflows/agent-deep-dive.lock.yml
- .github/workflows/agent-efficiency.lock.yml
- .github/workflows/downstream-users.lock.yml
- .github/workflows/gh-aw-agent-suggestions.lock.yml
- .github/workflows/gh-aw-autonomy-atomicity-analyzer.lock.yml
- .github/workflows/gh-aw-branch-actions-detective.lock.yml
- .github/workflows/gh-aw-breaking-change-detect.lock.yml
- .github/workflows/gh-aw-breaking-change-detector.lock.yml
- .github/workflows/gh-aw-bug-exterminator.lock.yml
- .github/workflows/gh-aw-bug-exterminator.md
- .github/workflows/gh-aw-bug-hunter.lock.yml
- .github/workflows/gh-aw-code-duplication-detector.lock.yml
- .github/workflows/gh-aw-code-duplication-fixer.lock.yml
- .github/workflows/gh-aw-code-duplication-fixer.md
- .github/workflows/gh-aw-code-simplifier.lock.yml
- .github/workflows/gh-aw-code-simplifier.md
- .github/workflows/gh-aw-docs-drift.lock.yml
- .github/workflows/gh-aw-docs-patrol.lock.yml
- .github/workflows/gh-aw-estc-docs-patrol-external.lock.yml
- .github/workflows/gh-aw-estc-downstream-health.lock.yml
- .github/workflows/gh-aw-estc-newbie-contributor-patrol-external.lock.yml
- .github/workflows/gh-aw-flaky-test-investigator.lock.yml
- .github/workflows/gh-aw-fragments/pr-context.md
- .github/workflows/gh-aw-fragments/review-examples.md
- .github/workflows/gh-aw-fragments/review-process.md
- .github/workflows/gh-aw-fragments/safe-output-create-issue.md
- .github/workflows/gh-aw-fragments/safe-output-create-pr.md
- .github/workflows/gh-aw-fragments/safe-output-push-to-pr.md
- .github/workflows/gh-aw-fragments/safe-output-scheduled-audit-issue.md
- .github/workflows/gh-aw-fragments/safe-output-update-pr.md
- .github/workflows/gh-aw-framework-best-practices.lock.yml
- .github/workflows/gh-aw-information-architecture.lock.yml
- .github/workflows/gh-aw-issue-fixer.lock.yml
- .github/workflows/gh-aw-issue-fixer.md
- .github/workflows/gh-aw-mention-in-issue-no-sandbox.lock.yml
- .github/workflows/gh-aw-mention-in-issue-no-sandbox.md
- .github/workflows/gh-aw-mention-in-issue.lock.yml
- .github/workflows/gh-aw-mention-in-issue.md
- .github/workflows/gh-aw-mention-in-pr-by-id.lock.yml
- .github/workflows/gh-aw-mention-in-pr-by-id.md
- .github/workflows/gh-aw-mention-in-pr-no-sandbox.lock.yml
- .github/workflows/gh-aw-mention-in-pr-no-sandbox.md
- .github/workflows/gh-aw-mention-in-pr.lock.yml
- .github/workflows/gh-aw-mention-in-pr.md
- .github/workflows/gh-aw-newbie-contributor-fixer.lock.yml
- .github/workflows/gh-aw-newbie-contributor-fixer.md
- .github/workflows/gh-aw-newbie-contributor-patrol.lock.yml
- .github/workflows/gh-aw-performance-profiler.lock.yml
- .github/workflows/gh-aw-plan.lock.yml
- .github/workflows/gh-aw-pr-actions-fixer.lock.yml
- .github/workflows/gh-aw-pr-actions-fixer.md
- .github/workflows/gh-aw-pr-review-addresser.lock.yml
- .github/workflows/gh-aw-pr-review.lock.yml
- .github/workflows/gh-aw-product-manager-impersonator.lock.yml
- .github/workflows/gh-aw-project-summary.lock.yml
- .github/workflows/gh-aw-refactor-opportunist.lock.yml
- .github/workflows/gh-aw-release-update.lock.yml
- .github/workflows/gh-aw-release-update.md
- .github/workflows/gh-aw-scheduled-audit.lock.yml
- .github/workflows/gh-aw-scheduled-audit.md
- .github/workflows/gh-aw-scheduled-fix.lock.yml
- .github/workflows/gh-aw-scheduled-fix.md
- .github/workflows/gh-aw-small-problem-fixer.lock.yml
- .github/workflows/gh-aw-small-problem-fixer.md
- .github/workflows/gh-aw-stale-issues.lock.yml
- .github/workflows/gh-aw-test-improvement.lock.yml
- .github/workflows/gh-aw-test-improver.lock.yml
- .github/workflows/gh-aw-test-improver.md
- .github/workflows/gh-aw-text-auditor.lock.yml
- .github/workflows/gh-aw-text-beautifier.lock.yml
- .github/workflows/gh-aw-text-beautifier.md
- .github/workflows/gh-aw-update-pr-body.lock.yml
- .github/workflows/gh-aw-ux-design-patrol.lock.yml
- .github/workflows/upgrade-check.lock.yml
- .github/workflows/workflow-patrol.lock.yml
💤 Files with no reviewable changes (1)
- .github/workflows/gh-aw-fragments/review-examples.md
✅ Files skipped from review due to trivial changes (16)
- .github/workflows/gh-aw-code-duplication-fixer.md
- .github/workflows/gh-aw-estc-docs-patrol-external.lock.yml
- .github/workflows/gh-aw-pr-actions-fixer.md
- .github/workflows/gh-aw-project-summary.lock.yml
- .github/workflows/gh-aw-release-update.md
- .github/workflows/gh-aw-estc-downstream-health.lock.yml
- .github/workflows/gh-aw-stale-issues.lock.yml
- .github/workflows/gh-aw-plan.lock.yml
- .github/workflows/gh-aw-text-beautifier.md
- .github/workflows/gh-aw-flaky-test-investigator.lock.yml
- .github/workflows/gh-aw-newbie-contributor-fixer.md
- .github/workflows/agent-deep-dive.lock.yml
- .github/workflows/gh-aw-branch-actions-detective.lock.yml
- .github/workflows/gh-aw-fragments/safe-output-update-pr.md
- .github/workflows/gh-aw-update-pr-body.lock.yml
- .github/workflows/gh-aw-estc-newbie-contributor-patrol-external.lock.yml
🚧 Files skipped from review as they are similar to previous changes (16)
- .github/workflows/gh-aw-information-architecture.lock.yml
- .github/workflows/gh-aw-refactor-opportunist.lock.yml
- .github/workflows/gh-aw-bug-hunter.lock.yml
- .github/workflows/gh-aw-framework-best-practices.lock.yml
- .github/workflows/gh-aw-product-manager-impersonator.lock.yml
- .github/workflows/gh-aw-docs-patrol.lock.yml
- .github/workflows/gh-aw-code-simplifier.lock.yml
- .github/workflows/gh-aw-autonomy-atomicity-analyzer.lock.yml
- .github/workflows/gh-aw-agent-suggestions.lock.yml
- .github/workflows/gh-aw-ux-design-patrol.lock.yml
- .github/workflows/gh-aw-pr-review-addresser.lock.yml
- .github/workflows/gh-aw-breaking-change-detect.lock.yml
- .github/workflows/gh-aw-pr-actions-fixer.lock.yml
- .github/workflows/gh-aw-fragments/safe-output-push-to-pr.md
- .github/workflows/gh-aw-performance-profiler.lock.yml
- .github/workflows/gh-aw-fragments/safe-output-scheduled-audit-issue.md
| - **Patch size**: Max ~10 MB (10,240 KB). Keep changes focused. | ||
| - **Title**: Max 128 characters. Sanitized. | ||
| - **Body**: No explicit mention/link limits, but bot triggers (`fixes #123`, `closes #456`) are neutralized. | ||
| - **Committed changes required**: You must have locally committed changes before creating a PR (unless `allow_empty` is configured). | ||
| - **Base branch**: Must be configured in the safe-output config. The PR targets this branch. | ||
| - **Committed changes required**: You must have locally committed changes before creating a PR. | ||
| - **Base branch**: The PR targets the repository's default branch. |
Prompt limit and enforced limit are inconsistent.
Lines 253–257 advertise a 10,240 KB patch limit, but the actual handler config at Line 1492 still enforces max_patch_size: 1024. This will reject patches that the prompt says are allowed.
Please update the corresponding source .md workflow so the generated handler config and prompt text match, then re-run compilation.
Based on learnings: files under .github/workflows/*.lock.yml are auto-generated by gh aw compile; changes should be made in the source .md file.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/downstream-users.lock.yml around lines 253 - 257, The
prompt text in the generated workflow (.github/workflows/*.lock.yml) advertises
a 10,240 KB patch limit but the handler config still sets max_patch_size: 1024,
causing a mismatch; update the source .md that generates this lock file so the
handler config and prompt text agree (either change the prompt text to reflect
1024 or bump the handler's max_patch_size to 10240), then re-run the generator
(gh aw compile) to regenerate the .lock.yml; look for the handler key
max_patch_size: 1024 and the prompt block that lists "Patch size" to ensure both
values match.
| find /tmp/pr-context/threads -name '*.jsonl' 2>/dev/null | while IFS= read -r jsonl; do | ||
| jq -s '.' "$jsonl" > "${jsonl%.jsonl}.json" | ||
| rm "$jsonl" | ||
| done |
🧩 Analysis chain
🏁 Script executed:
find . -name "pr-context.md" -type f
Repository: elastic/ai-github-actions
Length of output: 118
🏁 Script executed:
wc -l .github/workflows/gh-aw-fragments/pr-context.md
Repository: elastic/ai-github-actions
Length of output: 120
🏁 Script executed:
sed -n '60,85p' .github/workflows/gh-aw-fragments/pr-context.md
Repository: elastic/ai-github-actions
Length of output: 1173
🏁 Script executed:
sed -n '69,79p' .github/workflows/gh-aw-fragments/pr-context.md
Repository: elastic/ai-github-actions
Length of output: 631
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Clean up test directory
rm -rf /tmp/test-pr-context-verify
echo "Test 1: find on missing directory with 2>/dev/null redirection under pipefail"
if find /tmp/test-pr-context-verify/threads -name '*.jsonl' 2>/dev/null | while IFS= read -r f; do :; done; then
echo "Result: find succeeded (pipe exit code 0)"
else
echo "Result: find failed (pipe exit code non-zero)"
fi
echo ""
echo "Test 2: checking actual exit code of find without piping"
find /tmp/test-pr-context-verify/threads -name '*.jsonl' 2>/dev/null; echo "Exit code: $?"
Repository: elastic/ai-github-actions
Length of output: 250
🏁 Script executed:
sed -n '1,85p' .github/workflows/gh-aw-fragments/pr-context.md | grep -n "mkdir\|threads"
Repository: elastic/ai-github-actions
Length of output: 563
🏁 Script executed:
# Check if there's an initial mkdir for /tmp/pr-context/threads earlier in the file
grep -n "mkdir.*threads" .github/workflows/gh-aw-fragments/pr-context.md
Repository: elastic/ai-github-actions
Length of output: 137
🏁 Script executed:
#!/bin/bash
# Test under pipefail exactly as the script would run
set -euo pipefail
rm -rf /tmp/verify-test
echo "Testing: find on missing directory with 2>/dev/null under pipefail"
( find /tmp/verify-test/threads -name '*.jsonl' 2>/dev/null | while IFS= read -r f; do :; done ) && result="success" || result="failed"
echo "Result: $result"
echo ""
echo "Testing: alternative - checking if directory exists first"
if [ -d /tmp/verify-test/threads ]; then
  find /tmp/verify-test/threads -name '*.jsonl' | while IFS= read -r f; do :; done
  echo "Found files and processed them"
else
  echo "Directory doesn't exist, skipped safely"
fi
Repository: elastic/ai-github-actions
Length of output: 249
🏁 Script executed:
sed -n '1,20p' .github/workflows/gh-aw-fragments/pr-context.md
Repository: elastic/ai-github-actions
Length of output: 720
🏁 Script executed:
# Search for set -e, set -u, set -o pipefail in the file
grep -n "set -e\|set -u\|set -o pipefail" .github/workflows/gh-aw-fragments/pr-context.md
Repository: elastic/ai-github-actions
Length of output: 94
🏁 Script executed:
sed -n '1,50p' .github/workflows/gh-aw-fragments/pr-context.md
Repository: elastic/ai-github-actions
Length of output: 2064
Guard find when /tmp/pr-context/threads does not exist.
With set -euo pipefail, Line 76 fails the entire step on PRs without review threads, because the /tmp/pr-context/threads directory is only created conditionally (line 72, inside a loop that processes threads). When no threads exist, find exits non-zero, and pipefail propagates that failure.
✅ Suggested fix
- # Convert per-file JSONL to proper JSON arrays
- find /tmp/pr-context/threads -name '*.jsonl' 2>/dev/null | while IFS= read -r jsonl; do
- jq -s '.' "$jsonl" > "${jsonl%.jsonl}.json"
- rm "$jsonl"
- done
+ # Convert per-file JSONL to proper JSON arrays
+ if [ -d /tmp/pr-context/threads ]; then
+ find /tmp/pr-context/threads -name '*.jsonl' | while IFS= read -r jsonl; do
+ jq -s '.' "$jsonl" > "${jsonl%.jsonl}.json"
+ rm "$jsonl"
+ done
+ fi
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| find /tmp/pr-context/threads -name '*.jsonl' 2>/dev/null | while IFS= read -r jsonl; do | |
| jq -s '.' "$jsonl" > "${jsonl%.jsonl}.json" | |
| rm "$jsonl" | |
| done | |
| # Convert per-file JSONL to proper JSON arrays | |
| if [ -d /tmp/pr-context/threads ]; then | |
| find /tmp/pr-context/threads -name '*.jsonl' | while IFS= read -r jsonl; do | |
| jq -s '.' "$jsonl" > "${jsonl%.jsonl}.json" | |
| rm "$jsonl" | |
| done | |
| fi |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/gh-aw-fragments/pr-context.md around lines 76 - 79, The
find loop fails when /tmp/pr-context/threads doesn't exist under set -euo
pipefail; guard the block by checking directory existence before running find
(e.g., wrap the find/jq/rm loop in if [ -d "/tmp/pr-context/threads" ]; then ...
fi) so the step is skipped when no threads directory exists, preserving the
existing conversion logic that uses jq and rm on '*.jsonl' files.
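The failure described in this comment and both fixes proposed on the page (the directory guard here, `mkdir -p` in the gh-aw-pr-review.lock.yml comment), as an added example that is not code from the repository. The temp directory and the `run_variant` helper are assumptions of the example, and awk stands in for `jq -s '.'` so it runs without jq.

```shell
#!/usr/bin/env bash
# Added example. The temp directory stands in for /tmp/pr-context, and awk
# stands in for `jq -s '.'` so the script runs where jq is not installed.

# run_variant VARIANT THREADS_DIR
# Runs one form of the conversion step in a fresh bash with the same strict
# options as the workflow step, and returns that shell's exit status.
run_variant() {
  bash -euo pipefail -s "$1" "$2" <<'EOF'
variant="$1"
threads="$2"

# Loop body from the fragment: each *.jsonl file becomes a JSON array file.
to_json_arrays() {
  while IFS= read -r jsonl; do
    awk 'BEGIN { printf "[" } NR > 1 { printf "," } { printf "%s", $0 } END { print "]" }' \
      "$jsonl" > "${jsonl%.jsonl}.json"
    rm "$jsonl"
  done
}

case "$variant" in
  unguarded)
    # find exits non-zero on a missing directory; 2>/dev/null hides the
    # message but not the status, and pipefail makes the whole pipeline fail.
    find "$threads" -name '*.jsonl' 2>/dev/null | to_json_arrays
    ;;
  guarded)
    # Skip the step entirely when no thread was written.
    if [ -d "$threads" ]; then
      find "$threads" -name '*.jsonl' | to_json_arrays
    fi
    ;;
  mkdir-first)
    # Make the directory unconditionally so find always has a start point.
    mkdir -p "$threads"
    find "$threads" -name '*.jsonl' | to_json_arrays
    ;;
esac
EOF
}

# Print each variant's exit status on a missing directory, then show one
# constructed JSONL file being converted.
demo() {
  work=$(mktemp -d)
  for v in unguarded guarded mkdir-first; do
    rm -rf "$work/threads"
    run_variant "$v" "$work/threads" && rc=0 || rc=$?
    printf '%-12s missing dir -> exit %s\n' "$v" "$rc"
  done
  mkdir -p "$work/threads/src"
  printf '%s\n' '{"id":"t1"}' '{"id":"t2"}' > "$work/threads/src/app.py.jsonl"
  run_variant guarded "$work/threads" && cat "$work/threads/src/app.py.json"
  rm -rf "$work"
}

demo
```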
| GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":1},\"create_issue\":{\"max\":1},\"create_pull_request\":{\"draft\":\"${{ inputs.draft-prs }}\",\"max\":1,\"max_patch_size\":10240},\"missing_data\":{},\"missing_tool\":{}}" | ||
| GH_AW_CI_TRIGGER_TOKEN: ${{ secrets.EXTRA_COMMIT_GITHUB_TOKEN }} |
Add fallback for GH_AW_CI_TRIGGER_TOKEN to avoid empty-token PR flows.
At Line 1592, GH_AW_CI_TRIGGER_TOKEN uses only EXTRA_COMMIT_GITHUB_TOKEN (optional). When unset, safe-output PR follow-up actions can fail due to missing auth.
Suggested fix (apply in the source .md workflow and recompile)
- GH_AW_CI_TRIGGER_TOKEN: ${{ secrets.EXTRA_COMMIT_GITHUB_TOKEN }}
+ GH_AW_CI_TRIGGER_TOKEN: ${{ secrets.EXTRA_COMMIT_GITHUB_TOKEN || secrets.GH_AW_GITHUB_TOKEN }}
Based on learnings: In this repository, .lock.yml files are generated via gh aw compile; updates should be made in the corresponding source .md file.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/gh-aw-mention-in-issue-no-sandbox.lock.yml around lines
1591 - 1592, The GH_AW_CI_TRIGGER_TOKEN environment entry currently only uses
secrets.EXTRA_COMMIT_GITHUB_TOKEN which may be empty; update the source workflow
.md so GH_AW_CI_TRIGGER_TOKEN falls back to the repo token (e.g., use
secrets.EXTRA_COMMIT_GITHUB_TOKEN || secrets.GITHUB_TOKEN / github.token) to
avoid empty-token PR flows, then recompile the .md into the .lock.yml using gh
aw compile; target the GH_AW_CI_TRIGGER_TOKEN assignment in the workflow source
so the generated .lock.yml gets the fallback.
| GH_AW_EXPR_7B543459: ${{ inputs.minimum_severity || 'low' }} | ||
| GH_AW_EXPR_7F2A702A: ${{ inputs.resolve-pull-request-review-thread-max }} | ||
| GH_AW_EXPR_8D9F5797: ${{ inputs.intensity || 'balanced' }} |
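Review bot: The middle entry, GH_AW_EXPR_7F2A702A, passes inputs.resolve-pull-request-review-thread-max with no fallback, while the entries on either side default to 'low' and 'balanced'. If a caller can omit that input, the variable expands to an empty string; either give it a default in the same `|| ...` form or confirm that whatever reads it treats an empty value as unset.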
🧩 Analysis chain
🏁 Script executed:
# Find the workflow files mentioned in the review
find .github/workflows -name "*gh-aw-mention-in-pr*" -type f
Repository: elastic/ai-github-actions
Length of output: 366
🏁 Script executed:
# Check if the .md source file exists
ls -la .github/workflows/gh-aw-mention-in-pr.md 2>/dev/null || echo "File not found"
Repository: elastic/ai-github-actions
Length of output: 158
🏁 Script executed:
# Examine the .lock.yml file at the specified lines
if [ -f ".github/workflows/gh-aw-mention-in-pr.lock.yml" ]; then
  echo "=== Lines 173-175 in .lock.yml ==="
  sed -n '173,175p' ".github/workflows/gh-aw-mention-in-pr.lock.yml"
  echo
  echo "=== Searching for all references to minimum_severity and intensity in .lock.yml ==="
  rg -n "minimum_severity|intensity" ".github/workflows/gh-aw-mention-in-pr.lock.yml" | head -20
fi
Repository: elastic/ai-github-actions
Length of output: 10695
🏁 Script executed:
# Check the workflow_call.inputs section in .lock.yml
if [ -f ".github/workflows/gh-aw-mention-in-pr.lock.yml" ]; then
  echo "=== workflow_call section ==="
  awk '/^on:$/,/^[a-z]+:/' ".github/workflows/gh-aw-mention-in-pr.lock.yml" | head -100
fi
Repository: elastic/ai-github-actions
Length of output: 98
🏁 Script executed:
cat -n ".github/workflows/gh-aw-mention-in-pr.md" | head -120
Repository: elastic/ai-github-actions
Length of output: 4828
🏁 Script executed:
# Search for input declarations in the .md file
rg -n "minimum_severity|intensity" ".github/workflows/gh-aw-mention-in-pr.md" -B 2 -A 2
Repository: elastic/ai-github-actions
Length of output: 51
🏁 Script executed:
# Check the on.workflow_call.inputs section in the .md file
awk '/^on:$/,/^[a-z]+:/ {print NR": "$0}' ".github/workflows/gh-aw-mention-in-pr.md" | head -80
Repository: elastic/ai-github-actions
Length of output: 76
🏁 Script executed:
# Check the full .md file for any mention of minimum_severity or intensity
wc -l ".github/workflows/gh-aw-mention-in-pr.md"
Repository: elastic/ai-github-actions
Length of output: 113
🏁 Script executed:
# Search the entire .md file for these inputs
rg -i "minimum.severity|intensity" ".github/workflows/gh-aw-mention-in-pr.md"
Repository: elastic/ai-github-actions
Length of output: 51
🏁 Script executed:
# Check the imported fragments to see if they define these inputs
for fragment in gh-aw-fragments/*.md; do
  if [ -f "$fragment" ]; then
    if rg -l "minimum.severity|intensity" "$fragment" 2>/dev/null; then
      echo "Found in: $fragment"
    fi
  fi
done
Repository: elastic/ai-github-actions
Length of output: 51
🏁 Script executed:
# Let's also see the entire inputs section of the .md file
sed -n '26,80p' ".github/workflows/gh-aw-mention-in-pr.md"
Repository: elastic/ai-github-actions
Length of output: 1855
🏁 Script executed:
# Check the full .md file to see where these expressions come from
cat -n ".github/workflows/gh-aw-mention-in-pr.md"
Repository: elastic/ai-github-actions
Length of output: 10635
Declare minimum_severity and intensity inputs in the source workflow file.
The compiled .lock.yml references ${{ inputs.minimum_severity }} and ${{ inputs.intensity }} at multiple locations (lines 173, 175, 548, 549, 568, 570), but these inputs are not declared in the workflow_call.inputs schema. This prevents callers from configuring these values. Add both inputs to the source .md file's workflow_call.inputs section and recompile with gh aw compile:
Input declarations to add
intensity:
  default: balanced
  description: "Review intensity: conservative, balanced, or aggressive"
  required: false
  type: string
minimum_severity:
  default: low
  description: "Minimum severity for inline comments: critical, high, medium, low, or nitpick"
  required: false
  type: string
Also applies to: 548–549, 568–570, 595–597
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/gh-aw-mention-in-pr.lock.yml around lines 173 - 175, Add
the missing workflow inputs "intensity" and "minimum_severity" to the source
workflow's workflow_call.inputs in the .md file so callers can pass those values
(they are currently referenced in the compiled lock file via inputs.intensity
and inputs.minimum_severity). Update the workflow_call.inputs block to declare
intensity (type string, default "balanced", optional) and minimum_severity (type
string, default "low", optional) with the provided descriptions, then re-run the
compilation step (gh aw compile) to regenerate the .lock.yml so the GH_AW_EXPR_*
entries reference declared inputs.
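Both comments about undeclared inputs (the nitpick for gh-aw-mention-in-pr-no-sandbox.lock.yml and the one above for gh-aw-mention-in-pr.lock.yml) describe the same check: every `inputs.<name>` used in an expression should appear under `on.workflow_call.inputs`. One way to automate it, as an added example that is not part of the repository or of `gh aw`; the function names and the sample workflow are constructed, and the parser assumes block-style YAML indented with spaces.

```shell
#!/bin/sh
# Added example. The workflow written by write_sample is constructed, not a
# file from the repository; all function names are this example's own.
export LC_ALL=C   # keep sort and comm in agreement on ordering

# Print the names declared under on.workflow_call.inputs, one per line.
declared_inputs() {
  awk '
    /^ *(#.*)?$/ { next }                       # skip blank lines and comments
    { ind = match($0, /[^ ]/) - 1               # indentation of this line
      key = $0; sub(/^ */, "", key); sub(/:.*$/, "", key) }
    in_inputs {
      if (ind <= inputs_ind) { in_inputs = 0; in_call = 0 } else {
        if (key_ind < 0) key_ind = ind          # first child sets the key level
        if (ind == key_ind) print key
        next
      }
    }
    in_call && ind <= call_ind { in_call = 0 }  # left the workflow_call block
    /^ *workflow_call: *$/ { in_call = 1; call_ind = ind; next }
    in_call && /^ *inputs: *$/ { in_inputs = 1; inputs_ind = ind; key_ind = -1 }
  ' "$1" | sort -u
}

# Print every inputs.<name> that appears on a line containing an expression.
referenced_inputs() {
  grep -F '${{' "$1" | grep -oE 'inputs\.[A-Za-z_][A-Za-z0-9_-]*' \
    | sed 's/^inputs\.//' | sort -u
}

# Print names that are referenced but never declared.
undeclared_inputs() {
  ref=$(mktemp) && dec=$(mktemp) || return 2
  referenced_inputs "$1" > "$ref"
  declared_inputs "$1" > "$dec"
  comm -23 "$ref" "$dec"
  rm -f "$ref" "$dec"
}

# Constructed sample: two inputs declared, four referenced.
write_sample() {
  cat > "$1" <<'EOF'
on:
  workflow_call:
    inputs:
      model:
        type: string
        default: example-model
      target-pr-number:
        type: string
        required: false
    secrets:
      EXTRA_COMMIT_GITHUB_TOKEN:
        required: false
jobs:
  agent:
    runs-on: ubuntu-latest
    env:
      GH_AW_EXPR_7B543459: ${{ inputs.minimum_severity || 'low' }}
      GH_AW_EXPR_8D9F5797: ${{ inputs.intensity || 'balanced' }}
      GH_AW_MODEL: ${{ inputs.model }}
      PR_NUMBER: ${{ github.event.pull_request.number || inputs.target-pr-number || github.event.issue.number }}
    steps:
      - run: echo "constructed sample"
EOF
}

sample=$(mktemp)
write_sample "$sample"
echo "Referenced but not declared:"
undeclared_inputs "$sample"
rm -f "$sample"
```

Run against a compiled .lock.yml, a non-empty result points at the source .md to fix before recompiling.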
| GH_TOKEN: ${{ github.token }} | ||
| PR_NUMBER: ${{ github.event.pull_request.number || inputs.target-pr-number || github.event.issue.number }} | ||
| name: Fetch PR context to disk | ||
| run: "set -euo pipefail\nmkdir -p /tmp/pr-context\n\n# PR metadata\ngh pr view \"$PR_NUMBER\" --json title,body,author,baseRefName,headRefName,url \\\n > /tmp/pr-context/pr.json\n\n# Full diff\nif ! gh pr diff \"$PR_NUMBER\" > /tmp/pr-context/pr.diff; then\n echo \"::warning::Failed to fetch full PR diff; per-file diffs from files.json are still available.\"\n : > /tmp/pr-context/pr.diff\nfi\n\n# Changed files list (--paginate may output concatenated arrays; jq -s 'add' merges them)\ngh api \"repos/$GITHUB_REPOSITORY/pulls/$PR_NUMBER/files\" --paginate \\\n | jq -s 'add // []' > /tmp/pr-context/files.json\n\n# Per-file diffs\njq -c '.[]' /tmp/pr-context/files.json | while IFS= read -r entry; do\n filename=$(echo \"$entry\" | jq -r '.filename')\n mkdir -p \"/tmp/pr-context/diffs/$(dirname \"$filename\")\"\n echo \"$entry\" | jq -r '.patch // empty' > \"/tmp/pr-context/diffs/${filename}.diff\"\ndone\n\n# Existing reviews\ngh api \"repos/$GITHUB_REPOSITORY/pulls/$PR_NUMBER/reviews\" --paginate \\\n | jq -s 'add // []' > /tmp/pr-context/reviews.json\n\n# Review threads with resolution status (GraphQL — REST lacks isResolved/isOutdated)\ngh api graphql --paginate -f query='\n query($owner: String!, $repo: String!, $number: Int!, $endCursor: String) {\n repository(owner: $owner, name: $repo) {\n pullRequest(number: $number) {\n reviewThreads(first: 100, after: $endCursor) {\n pageInfo { hasNextPage endCursor }\n nodes {\n id\n isResolved\n isOutdated\n isCollapsed\n path\n line\n startLine\n comments(first: 100) {\n nodes {\n id\n body\n author { login }\n createdAt\n }\n }\n }\n }\n }\n }\n }\n' -F owner=\"${GITHUB_REPOSITORY%/*}\" -F repo=\"${GITHUB_REPOSITORY#*/}\" -F \"number=$PR_NUMBER\" \\\n --jq '.data.repository.pullRequest.reviewThreads.nodes' \\\n | jq -s 'add // []' > /tmp/pr-context/review_comments.json\n\n# Per-file review threads (mirrors diffs/ structure)\njq -c '.[]' /tmp/pr-context/review_comments.json | while IFS= read -r thread; do\n filepath=$(echo 
\"$thread\" | jq -r '.path // empty')\n [ -z \"$filepath\" ] && continue\n mkdir -p \"/tmp/pr-context/threads/$(dirname \"$filepath\")\"\n echo \"$thread\" >> \"/tmp/pr-context/threads/${filepath}.jsonl\"\ndone\n# Convert per-file JSONL to proper JSON arrays\nfind /tmp/pr-context/threads -name '*.jsonl' 2>/dev/null | while IFS= read -r jsonl; do\n jq -s '.' \"$jsonl\" > \"${jsonl%.jsonl}.json\"\n rm \"$jsonl\"\ndone\n\n# PR discussion comments\ngh api \"repos/$GITHUB_REPOSITORY/issues/$PR_NUMBER/comments\" --paginate \\\n | jq -s 'add // []' > /tmp/pr-context/comments.json\n\n# Linked issues\ngrep -oiE '(fixes|closes|resolves)\\s+#[0-9]+' /tmp/pr-context/pr.json 2>/dev/null \\\n | grep -oE '[0-9]+$' \\\n | sort -u \\\n | while read -r issue; do\n gh api \"repos/$GITHUB_REPOSITORY/issues/$issue\" > \"/tmp/pr-context/issue-${issue}.json\" || true\n done || true\n\n# Write manifest\ncat > /tmp/pr-context/README.md << 'MANIFEST'\n# PR Context\n\nPre-fetched PR data. All files are in `/tmp/pr-context/`.\n\n| File | Description |\n| --- | --- |\n| `pr.json` | PR metadata — title, body, author, base/head branches, URL |\n| `pr.diff` | Full unified diff of all changes |\n| `files.json` | Changed files array — each entry has `filename`, `status`, `additions`, `deletions`, `patch` |\n| `diffs/<path>.diff` | Per-file diffs — one file per changed file, mirroring the repo path under `diffs/` |\n| `reviews.json` | Prior review submissions — author, state (APPROVED/CHANGES_REQUESTED/COMMENTED), body |\n| `review_comments.json` | All review threads (GraphQL) — each thread has `id`, `isResolved`, `isOutdated`, `path`, `line`, and nested `comments` with body/author |\n| `threads/<path>.json` | Per-file review threads — one file per changed file with existing threads, mirroring the repo path under `threads/` |\n| `comments.json` | PR discussion comments (not inline) |\n| `issue-{N}.json` | Linked issue details (one file per linked issue, if any) |\n| `agents.md` | Repository 
conventions from `generate_agents_md` (if written by agent) |\n| `review-instructions.md` | Review instructions, criteria, and calibration examples (if written by review-process fragment) |\nMANIFEST\n\necho \"PR context written to /tmp/pr-context/\"\nls -la /tmp/pr-context/" |
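Review bot: In the reviewThreads query, the nested comments(first: 100) selection has no pageInfo or cursor of its own, so gh api graphql --paginate only advances the outer reviewThreads connection through $endCursor, and a thread with more than 100 comments is written to review_comments.json and threads/<path>.json truncated without any signal. Suggest requesting pageInfo { hasNextPage } on comments and either fetching the remainder per thread or emitting a ::warning:: when it is true, and stating the cap in the README manifest row for review_comments.json so a consumer checking for duplicate threads does not treat the files as complete.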
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Test 1: Verify find behavior on missing directory with pipefail
set -euo pipefail
tmp_test=$(mktemp -d)
trap "rm -rf $tmp_test" EXIT
echo "=== Test: find on missing directory with set -euo pipefail ==="
set +e
(
set -euo pipefail
find "$tmp_test/nonexistent" -name '*.jsonl' 2>/dev/null | while IFS= read -r f; do :; done
)
status=$?
set -e
echo "Exit status: $status (should be non-zero if directory missing causes failure)"
echo ""
echo "=== Test: find on existing directory ==="
mkdir -p "$tmp_test/threads"
(
set -euo pipefail
find "$tmp_test/threads" -name '*.jsonl' 2>/dev/null | while IFS= read -r f; do :; done
)
echo "Exit status: $? (should be 0)"
echo ""
echo "=== Locate source .md files for gh-aw-pr-review ==="
find . -name "*pr-review*.md" -o -name "*pr-review*.lock.yml" | head -20
Repository: elastic/ai-github-actions
Length of output: 619
🏁 Script executed:
#!/bin/bash
# Search for the source .md file
echo "=== Looking for pr-review source files ==="
find . -path "./.github/workflows/*pr-review*" -type f | sort
Repository: elastic/ai-github-actions
Length of output: 602
🏁 Script executed:
#!/bin/bash
# Look for .md files in .github/workflows that might compile to the lockfile
echo "=== All files in .github/workflows ==="
ls -la .github/workflows/ | grep -E "\.(md|lock\.yml)$" || echo "No .md or .lock.yml found"
echo ""
echo "=== Check if there's a workflows directory with .md sources ==="
find .github -name "*.md" | head -20
Repository: elastic/ai-github-actions
Length of output: 10225
🏁 Script executed:
#!/bin/bash
# Read the source .md file to verify the problematic pattern
wc -l .github/workflows/gh-aw-pr-review.md
Repository: elastic/ai-github-actions
Length of output: 109
🏁 Script executed:
#!/bin/bash
# Search for the "Per-file review threads" section in the source .md file
grep -n "Per-file review threads" .github/workflows/gh-aw-pr-review.md
Repository: elastic/ai-github-actions
Length of output: 51
🏁 Script executed:
#!/bin/bash
# Extract the relevant section from the .md source file (showing context)
grep -A 20 "Per-file review threads" .github/workflows/gh-aw-pr-review.md
Repository: elastic/ai-github-actions
Length of output: 51
🏁 Script executed:
#!/bin/bash
# Search for review_comments or threads patterns in the source .md
grep -n "review_comments\|review_threads\|/tmp/pr-context/threads" .github/workflows/gh-aw-pr-review.md
Repository: elastic/ai-github-actions
Length of output: 247
🏁 Script executed:
#!/bin/bash
# Get the full content of the source .md to understand its structure
cat -n .github/workflows/gh-aw-pr-review.md
Repository: elastic/ai-github-actions
Length of output: 9973
🏁 Script executed:
#!/bin/bash
# Search for pr-context.md fragment
find . -name "pr-context.md" -o -name "*pr-context*"
Repository: elastic/ai-github-actions
Length of output: 118
🏁 Script executed:
#!/bin/bash
# Look for gh-aw-fragments directory
find . -path "*/gh-aw-fragments*" -type d
Repository: elastic/ai-github-actions
Length of output: 104
🏁 Script executed:
#!/bin/bash
# Read the pr-context.md fragment file
cat -n .github/workflows/gh-aw-fragments/pr-context.md
Repository: elastic/ai-github-actions
Length of output: 6352
Fix missing directory initialization before find in PR-context generation.
The script at line 76 runs find /tmp/pr-context/threads ... under set -euo pipefail. If there are no prior review threads, the directory is never created (the loop at lines 69-74 only creates subdirectories for files with threads), causing find to exit non-zero and fail the entire step on clean PRs.
Fix
Add mkdir -p /tmp/pr-context/threads before the find command:
# Per-file review threads (mirrors diffs/ structure)
+ mkdir -p /tmp/pr-context/threads
jq -c '.[]' /tmp/pr-context/review_comments.json | while IFS= read -r thread; do
Edit .github/workflows/gh-aw-fragments/pr-context.md and recompile with gh aw compile.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/gh-aw-pr-review.lock.yml at line 685, The find that
converts per-file JSONL to JSON arrays can fail under set -euo pipefail if
/tmp/pr-context/threads doesn't exist; create the directory beforehand to avoid
a non-zero exit. Add a precondition mkdir -p /tmp/pr-context/threads immediately
before the block that runs find /tmp/pr-context/threads -name '*.jsonl' | while
... (the JSONL-to-JSON conversion loop), ensuring the threads directory always
exists even when there are no review threads.
This PR updates multiple GitHub Agent workflows to improve scheduled-audit behavior, PR review context handling, and review guidance.
Why
gh-aw-scheduled-audit previously hardcoded close-older-issues: false, so users could not choose between deduplicating against prior findings vs replacing older reports.
Changes
1) Scheduled audit: configurable close-older-issues
- close-older-issues input to gh-aw-scheduled-audit (default: false).
- .github/workflows/gh-aw-fragments/safe-output-scheduled-audit-issue.md so create-issue uses close-older-issues: ${{ inputs.close-older-issues }}.
- false: previous findings are fetched and used for duplicate suppression.
- true: previous-findings dedup is skipped and older reports are replaced by safe outputs.
- gh-agent-workflows/scheduled-audit/README.md
- gh-agent-workflows/DEVELOPING.md
2) PR review + mention workflows: pre-fetched PR context on disk
- .github/workflows/gh-aw-fragments/pr-context.md.
- gh-aw-pr-review and mention-in-PR workflows now pre-fetch PR metadata, diff, files, reviews, review threads, comments, and linked issues into /tmp/pr-context/.
- /tmp/pr-context/README.md and local context files first, with API fallback only when required data is unavailable.
3) Review process overhaul for sub-agent quality and deduplication
- .github/workflows/gh-aw-fragments/review-process.md with stronger verification protocol, duplicate-thread checks, severity calibration, and inline-comment threshold handling.
- review-process.md and removed the separate review-examples.md fragment.
- gh-aw-pr-review to use the pre-fetched context flow and explicit sub-agent ordering/verification steps before inline comments.
4) Mention-in-PR workflow execution/safe-output updates
- max-patch-size: 10240).
- ${{ secrets.EXTRA_COMMIT_GITHUB_TOKEN || secrets.GH_AW_GITHUB_TOKEN }}
5) Safe-output create-PR limitations refresh
- .github/workflows/gh-aw-fragments/safe-output-create-pr.md guidance to reflect:
6) Prompt audit automation
- scripts/extract-lockfile-prompts.sh to extract prompt text from compiled lockfiles into /tmp/prompt-audit/.
- .github/workflows/trigger-prompt-audit.yml for weekly scheduled + manual prompt audits via scheduled-audit.
7) Lockfile regeneration and sub-agent guidance alignment
- .lock.yml files to reflect source workflow/fragment changes.
- agentType/model, with defaults when unspecified.
Usage (gh-aw-scheduled-audit)
- close-older-issues: false (default): checks previous findings and avoids duplicates.
- close-older-issues: true: replaces the older report when filing a new one.
Fixes #444.