
ready-to-code-review: write review files to disk, offload playwright + criteria #520

Merged
strawgate merged 3 commits into main from ready-to-code-review-and-disk-offload
Mar 2, 2026

@strawgate strawgate commented Mar 2, 2026

Summary

Consolidates how review instructions and large reference content are delivered to agents by moving reusable guidance out of large inlined prompts and onto disk.

New: ready_to_code_review safe-input tool (safe-output-code-review.md)

Called before PR review flows. Based on PR size it writes:

  • /tmp/pr-context/agent-review.md — small/medium/large routing (review directly or spawn N sub-agents)
  • /tmp/pr-context/subagent-{az,za,largest}.md — per-agent instruction files
  • /tmp/pr-context/parent-review.md — comment format + inline severity threshold (from GH_AW_INPUTS_MINIMUM_SEVERITY)

Returns key paths and PR-size metadata in JSON so the agent knows where to start.

Review criteria moved to disk

  • /tmp/pr-context/review-instructions.md — written by review-process.md at startup (criteria, false positives, severity, intensity, calibration examples for sub-agents)
  • /tmp/pr-context/parent-review.md — written by the tool (comment format + threshold for the parent agent)
  • Prompt text in review-process.md trimmed from a long inline section to a short pointer

Playwright instructions moved to disk

playwright-mcp-explorer.md now writes /tmp/playwright-instructions.md, and prompt text is reduced to a pointer to that file.

Self-review can use full criteria when available

safe-output-create-pr.md now conditionally includes /tmp/pr-context/review-instructions.md in the self-review README when that file exists.

Repository conventions pre-fetched to /tmp/agents.md

runtime-setup.md now fetches repository conventions into /tmp/agents.md (copy from AGENTS.md, or generator fallback), and prompts are updated to read this file directly.

Review workflow ordering fixes

  • pr-review: context gathering (pr.json, reviews.json, thread data) is in Step 1 before calling ready_to_code_review in Step 2
  • mention-in-pr: reviews.json gathering moved into Step 1 and review flow wording simplified
  • Both workflows explicitly instruct reading parent-review.md after calling the tool

Remove generate_agents_md MCP tool

Removed from elastic-tools.md; corresponding prompt references were replaced with /tmp/agents.md guidance. The runtime fallback fetch remains in runtime-setup.md, and the network allowlist entry remains.

Generated by Update PR Body for issue #520

strawgate and others added 2 commits March 2, 2026 01:24
…+ criteria

- Add safe-output-code-review.md: new ready_to_code_review safe-input tool
  that writes agent-review.md, parent-review.md, and subagent-*.md to
  /tmp/pr-context/ based on PR size. Returns file paths in JSON output.

- Move review criteria out of prompts: review-instructions.md written by
  bash step (review-process.md), parent-review.md written by the tool using
  GH_AW_INPUTS_MINIMUM_SEVERITY env var. Prompt text trimmed to a 2-line pointer.

- Playwright instructions to disk: playwright-mcp-explorer.md now writes
  /tmp/playwright-instructions.md via bash step; prompt reduced to one line.

- self-review uses review-instructions.md: safe-output-create-pr.md
  conditionally adds review-instructions.md to the self-review sub-agent
  README when available. Both mention-in-issue variants import review-process.md.

- Review workflow ordering fixes: pr-review gathers full context before
  calling ready_to_code_review; mention-in-pr reads reviews.json in Step 1.

- All 4 PR workflows use ready_to_code_review + Pick Three Keep Many pattern:
  pr-review, mention-in-pr, mention-in-pr-by-id, mention-in-pr-no-sandbox.

- Remove generate_agents_md MCP tool: elastic-tools.md no longer registers
  the agents-md-generator MCP server; curl call in runtime-setup.md remains.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@strawgate strawgate force-pushed the ready-to-code-review-and-disk-offload branch from f70d27f to e8ab213 Compare March 2, 2026 07:25

coderabbitai bot commented Mar 2, 2026

Warning

Rate limit exceeded

@strawgate has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 0 minutes and 35 seconds before requesting another review.

📥 Commits

Reviewing files that changed from the base of the PR and between e8ab213 and 0d423a0.

📒 Files selected for processing (7)
  • .github/workflows/gh-aw-mention-in-issue-no-sandbox.lock.yml
  • .github/workflows/gh-aw-mention-in-issue-no-sandbox.md
  • .github/workflows/gh-aw-mention-in-issue.lock.yml
  • .github/workflows/gh-aw-mention-in-issue.md
  • .github/workflows/gh-aw-test-improvement.lock.yml
  • .github/workflows/gh-aw-test-improver.lock.yml
  • .github/workflows/gh-aw-test-improver.md
📝 Walkthrough

This PR upgrades the gh-aw setup action from v0.51.3 to v0.51.5 by adding the new version to the actions lock and updating all workflow references. It replaces the generate_agents_md mechanism with a pre-fetch workflow that stores repository conventions to /tmp/agents.md, eliminating the agents-md-generator MCP tool and removing its domain from allowlists. Workflows are updated to fetch conventions via a new step, adjust prompts to reference the local file, and remove the external generator from MCP configs. The safe-outputs tooling gains a new public repo field for PR creation schemas across multiple workflows.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 16

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (4)
.github/workflows/gh-aw-pr-actions-fixer.md (1)

101-119: ⚠️ Potential issue | 🟡 Minor

Fix Step 1 numbering and make run_id substitution explicit.

Line 101 starts at step 1, but the next items jump to 3/4/5, and the snippets use {run_id} without showing where it is set. This can lead to execution mistakes.

Suggested edit
-1. Fetch workflow run details using `inputs.workflow-run-id`:
+1. Set the workflow run ID from `inputs.workflow-run-id`:
+   ````bash
+   RUN_ID="${{ inputs.workflow-run-id }}"
+   ````
+2. Fetch workflow run details:
    ````bash
-   gh api repos/${{ github.repository }}/actions/runs/{run_id} \
+   gh api repos/${{ github.repository }}/actions/runs/${RUN_ID} \
      --jq '{id: .id, html_url: .html_url, pull_requests: .pull_requests}'
    ````
 3. Identify the PRs associated with the workflow run from the response. If there are none, call `noop` with message "No pull request associated with workflow run; nothing to do" and stop.
 4. For each PR, call `pull_request_read` with method `get` to capture the author, branches, and fork status.
 5. Fetch workflow run details and logs with `bash` + `gh api`:
    - List jobs and their conclusions:
      ````bash
-     gh api repos/${{ github.repository }}/actions/runs/{run_id}/jobs \
+     gh api repos/${{ github.repository }}/actions/runs/${RUN_ID}/jobs \
        --jq '.jobs[] | {id: .id, name: .name, conclusion: .conclusion, html_url: .html_url}'
      ````
    - Download logs to `/tmp/gh-aw/agent/` and inspect the failing step output:
      ````bash
-     gh api repos/${{ github.repository }}/actions/runs/{run_id}/logs \
+     gh api repos/${{ github.repository }}/actions/runs/${RUN_ID}/logs \
        -H "Accept: application/vnd.github+json" \
-       > /tmp/gh-aw/agent/workflow-logs-{run_id}.zip
-     unzip -o /tmp/gh-aw/agent/workflow-logs-{run_id}.zip -d /tmp/gh-aw/agent/workflow-logs-{run_id}/
+       > /tmp/gh-aw/agent/workflow-logs-${RUN_ID}.zip
+     unzip -o /tmp/gh-aw/agent/workflow-logs-${RUN_ID}.zip -d /tmp/gh-aw/agent/workflow-logs-${RUN_ID}/
      ````
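Review bot: In the added step 1, `RUN_ID="${{ inputs.workflow-run-id }}"` puts the input's text into the command before the shell parses it, so a value containing a quote or `$(...)` would alter the command instead of only supplying an ID. Check that the value is digits only right after the assignment (for example `case "$RUN_ID" in ''|*[!0-9]*) exit 1;; esac`) and quote the later expansions, including the `workflow-logs-${RUN_ID}` paths passed to `unzip -o ... -d`.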
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-pr-actions-fixer.md around lines 101 - 119, The step
numbering and run_id substitution are incorrect; set RUN_ID from
inputs.workflow-run-id (e.g., RUN_ID="${{ inputs.workflow-run-id }}") then
renumber step 1 → 2 and replace all occurrences of placeholder {run_id} with the
variable ${RUN_ID} in the gh api calls (e.g., gh api repos/${{ github.repository
}}/actions/runs/${RUN_ID}, repos/.../jobs and repos/.../logs) and update
generated filenames to use workflow-logs-${RUN_ID}.zip and
workflow-logs-${RUN_ID}/ so the scripts reference the explicit RUN_ID variable
consistently.
.github/workflows/gh-aw-test-improver.md (1)

135-143: ⚠️ Potential issue | 🟡 Minor

Fix list numbering: duplicate item 1 and missing item 2.

The list has two items numbered "1" followed by "3". Renumber line 138 to "2".

📝 Proposed fix
 1. Run each new or modified test **at least 5 times** in sequence and confirm every run passes.
    - Use the test framework's built-in repeat/count flag when available (e.g., `go test -count=5`, `pytest -x --count 5` with `pytest-repeat`, `--repeat 5` in Jest/Vitest).
    - If no built-in mechanism exists, use a simple shell loop: `for i in $(seq 1 5); do <test-command> || exit 1; done`
-1. If any run fails intermittently, investigate the root cause before proceeding. Common sources of flakiness:
+2. If any run fails intermittently, investigate the root cause before proceeding. Common sources of flakiness:
    - Reliance on timing, sleep, or wall-clock assertions
    - Shared mutable state between test cases
    - Non-deterministic iteration order (e.g., map/set ordering)
    - Dependence on external services or network
 3. If the test cannot be made reliably stable, do not include it in the PR. Call `noop` if no stable tests remain.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-test-improver.md around lines 135 - 143, The
markdown numbered list has duplicate "1." and a missing "2." — update the second
list item that starts "If any run fails intermittently, investigate..." to be
numbered "2." (so the three entries read 1, 2, 3) by editing the list block
containing "Run each new or modified test...", "If any run fails intermittently,
investigate the root cause..." and "If the test cannot be made reliably
stable..." to correct the numbering.
.github/workflows/gh-aw-ux-design-patrol.lock.yml (1)

233-355: ⚠️ Potential issue | 🟡 Minor

Remove remaining legacy generate_agents_md wording from the prompt.

Line 233 and Line 355 switch to /tmp/agents.md, but Line 328 still references context gathered from generate_agents_md. This leaves conflicting instructions in the same prompt and can misdirect sub-agents.

Based on learnings, apply this fix in the source .md workflow file and re-run gh aw compile rather than editing the .lock.yml directly.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-ux-design-patrol.lock.yml around lines 233 - 355,
Summary: Remove legacy "generate_agents_md" wording from the workflow prompt and
make the prompt consistently reference /tmp/agents.md. Locate and remove or
replace any occurrences of the token or phrase "generate_agents_md" in the
source prompt template (look for the exact string "generate_agents_md" in the
prompt generation .md file) and update any lines that say "context gathered from
generate_agents_md" to instead instruct reading /tmp/agents.md (or to reference
the standardized pre-fetched file). Do not edit the generated .lock.yml; instead
modify the original source workflow .md/template that produces these prompt
sections and then re-run the compilation step (gh aw compile) to regenerate the
lock file. Ensure there are no remaining mixed instructions by searching for
both "generate_agents_md" and any references that imply the older flow, and
confirm the compiled output only mentions /tmp/agents.md.
.github/workflows/gh-aw-test-improver.lock.yml (1)

329-333: ⚠️ Potential issue | 🟡 Minor

Fix ordered-list numbering in the Test Improver prompt.

Line [331] jumps from 1 to 3, and Line [363] restarts at 1 before Line [368] uses 3. Please renumber sequentially in the source workflow markdown to keep execution order unambiguous.

Based on learnings: files under .github/workflows/*.lock.yml are auto-generated by gh aw compile; apply this in the corresponding .md source and recompile.

Also applies to: 360-369

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-test-improver.lock.yml around lines 329 - 333, The
numbered list in the Test Improver prompt inside gh-aw-test-improver.lock.yml is
misnumbered (jumps from 1 to 3 and restarts later); open the original markdown
source for the Test Improver prompt, renumber the ordered-list items
sequentially so steps read 1,2,3,... (fix the sections that currently
jump/restart), then re-run the gh aw compile process to regenerate the .lock.yml
so the compiled workflow reflects the corrected numbering.
🧹 Nitpick comments (7)
.github/workflows/gh-aw-framework-best-practices.lock.yml (1)

640-643: Reorder repository-conventions fetch after PR branch checkout for ref consistency.
At Line 642, conventions are fetched before the optional PR branch checkout at Line 668. Reordering (in the source .md) would guarantee /tmp/agents.md reflects the final checked-out ref for PR-triggered runs.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-framework-best-practices.lock.yml around lines 640 -
643, Move the "Fetch repository conventions" step so it runs after the PR branch
checkout step (the actions/checkout step that checks out the PR ref) to ensure
/tmp/agents.md reflects the checked-out ref; locate the step with name "Fetch
repository conventions" and relocate its entire env/run block to immediately
follow the checkout step (or any step that checks out the PR branch/ref) so the
OWNER/REPO and generated summary reflect the final checked-out commit.
.github/workflows/gh-aw-test-improvement.lock.yml (1)

644-647: Harden the new repo input field validation.

repo is newly exposed in the tool schema, but this segment does not enforce normalization/strict format constraints. Add validation hardening (sanitize and an owner/repo pattern check) in the source workflow markdown, then recompile lockfiles.

Based on learnings: files under .github/workflows/*.lock.yml are generated by gh aw compile; changes should be made in the corresponding .md source and then compiled.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-test-improvement.lock.yml around lines 644 - 647,
The new tool schema exposes the repo input but lacks normalization and format
validation; update the corresponding workflow source markdown (the .md that
generates .github/workflows/*.lock.yml) to add a sanitize step for the repo
input and a strict pattern check enforcing the owner/repo format (e.g., a regex
like ^[^/]+/[^/]+$) for the repo field, then re-run gh aw compile to regenerate
the .lock.yml files; look for the repo input definition in the source markdown
(the same logical field named "repo") and add the sanitize and pattern
validation there before compiling.
.github/workflows/gh-aw-refactor-opportunist.lock.yml (1)

651-655: Prefer a local gh-agent-workflows/AGENTS.md fallback before the external fetch.

If root AGENTS.md is absent, checking gh-agent-workflows/AGENTS.md first would keep conventions local and reduce dependency on the remote summary service. Please apply this in the source workflow .md (or imported fragment), then recompile.

Based on learnings: Review and reference GitHub Agent Workflows from ./gh-agent-workflows directory.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-refactor-opportunist.lock.yml around lines 651 -
655, Update the "Fetch repository conventions" step's shell block to check for a
local fallback before calling the external service: first test if "AGENTS.md"
exists (current test), then add an elif that checks
"gh-agent-workflows/AGENTS.md" and copies it to /tmp/agents.md with the same
echo message, otherwise proceed with the existing OWNER/REPO curl-based fetch
and warnings; modify the conditional branch in the run script that references
AGENTS.md, /tmp/agents.md, and the summary generation logic accordingly and
recompile the workflow.
.github/workflows/gh-aw-dependency-review.md (1)

136-170: Fix duplicated numbered-list indices for instruction clarity

Line 136, Line 150, and Line 170 restart numbering at 1. inside existing sequences. The content is fine, but the order becomes ambiguous for the agent. Renumber these follow-up items to preserve deterministic step flow.

.github/workflows/gh-aw-test-coverage-detector.lock.yml (1)

346-347: Align remaining sub-agent wording with /tmp/agents.md

Lines 346-347 move conventions loading to /tmp/agents.md, but Line 319 still references generate_agents_md as the conventions source example. This mixed guidance can cause prompt drift for sub-agents.

Proposed source-fragment fix
- - All repository context, conventions, and constraints you've gathered (e.g., from `generate_agents_md`)
+ - All repository context, conventions, and constraints you've gathered (e.g., from `/tmp/agents.md`)

Based on learnings: .github/workflows/*.lock.yml files are generated by gh aw compile, so apply this in the corresponding source .md/fragment and recompile.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-test-coverage-detector.lock.yml around lines 346 -
347, Update the remaining example/convention reference from generate_agents_md
to use /tmp/agents.md so all sub-agent wording is consistent; locate the
fragment or markdown that produces the .github/workflows/*.lock.yml (the source
that still references generate_agents_md), change the example/mention to point
to /tmp/agents.md, then re-run the generator (gh aw compile) to regenerate the
lock YAML so the compiled
.github/workflows/gh-aw-test-coverage-detector.lock.yml no longer references
generate_agents_md.
.github/workflows/workflow-patrol.lock.yml (1)

195-195: Align the remaining conventions reference with /tmp/agents.md.

The updated guidance now points to /tmp/agents.md, but the Pick Three section still references generate_agents_md, which creates mixed instructions for sub-agents. Please update the source workflow Markdown and recompile.

Suggested source change (`.github/workflows/workflow-patrol.md`)
- - All repository context, conventions, and constraints you've gathered (e.g., from `generate_agents_md`)
+ - All repository context, conventions, and constraints you've gathered (e.g., from `/tmp/agents.md`)

Also applies to: 278-278

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/workflow-patrol.lock.yml at line 195, Update the Pick
Three section in the source Markdown (workflow-patrol.md) to replace any
references to generate_agents_md with the new /tmp/agents.md convention so all
guidance consistently tells agents to read/include /tmp/agents.md; then re-run
the workflow Markdown compilation step to regenerate the lock file
(.github/workflows/workflow-patrol.lock.yml) so lines that previously mentioned
generate_agents_md (e.g., the Pick Three paragraph) now reference
/tmp/agents.md.
.github/workflows/gh-aw-pr-actions-detective.md (1)

97-109: Make run-id substitution explicit in command examples.

Using a concrete RUN_ID variable reduces copy/paste mistakes with literal {run_id}.

Suggested prompt tweak
-3. Fetch workflow run details and logs with `bash` + `gh api`:
+3. Fetch workflow run details and logs with `bash` + `gh api`:
+   - Set the run ID first:
+     ````bash
+     RUN_ID="${{ github.event.workflow_run.id }}"
+     ````
    - List jobs and their conclusions:
      ````bash
-     gh api repos/${{ github.repository }}/actions/runs/{run_id}/jobs \
+     gh api repos/${{ github.repository }}/actions/runs/${RUN_ID}/jobs \
        --jq '.jobs[] | {id: .id, name: .name, conclusion: .conclusion, html_url: .html_url}'
      ````
    - Download logs to `/tmp/gh-aw/agent/` and inspect the failing step output:
      ````bash
-     gh api repos/${{ github.repository }}/actions/runs/{run_id}/logs \
+     gh api repos/${{ github.repository }}/actions/runs/${RUN_ID}/logs \
        -H "Accept: application/vnd.github+json" \
-       > /tmp/gh-aw/agent/workflow-logs-{run_id}.zip
-     unzip -o /tmp/gh-aw/agent/workflow-logs-{run_id}.zip -d /tmp/gh-aw/agent/workflow-logs-{run_id}/
+       > /tmp/gh-aw/agent/workflow-logs-${RUN_ID}.zip
+     unzip -o /tmp/gh-aw/agent/workflow-logs-${RUN_ID}.zip -d /tmp/gh-aw/agent/workflow-logs-${RUN_ID}/
      ````
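Review bot: The `-3.`/`+3.` pair at the top of this suggestion reads identically on both sides, so it should be an unchanged context line; as written it shows a change where there is none. Separately, `RUN_ID` is assigned in its own bash fence and then used in the two later fences, which only works if all three run in the same shell session; repeating the assignment in each snippet, or merging them into one, removes that dependency.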
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-pr-actions-detective.md around lines 97 - 109,
Replace literal `{run_id}` placeholders with a concrete shell variable to avoid
copy/paste errors: add a RUN_ID variable assignment (e.g., RUN_ID="${{
github.event.workflow_run.id }}") and update the example commands that use
repos/${{ github.repository }}/actions/runs/{run_id}/jobs and /logs and any
output paths so they reference ${RUN_ID} (also update the output filenames and
unzip target from workflow-logs-{run_id}.zip to workflow-logs-${RUN_ID}.zip and
workflow-logs-{RUN_ID}/). Ensure all occurrences in the snippet (the gh api jobs
call, the gh api logs call, and the >/unzip paths) are changed to use ${RUN_ID}.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/gh-aw-code-duplication-fixer.lock.yml:
- Around line 633-636: Update the schema for the "repo" property so its
description matches actual validation: either remove the unverified phrase "Must
be in the allowed-repos list" from the "repo" description, or implement
allowlist enforcement in the validation layer (e.g., add an allowlist check in
the validation.json or the workflow input validation code) and reference that
enforcement in the description; ensure the change targets the "repo" property
text and/or the validation rules that currently only specify type: string and
maxLength: 256 so the description and validation remain consistent.

In @.github/workflows/gh-aw-code-simplifier.md:
- Line 117: Update Step 1 of the "Pick Three, Keep One" pattern to explicitly
instruct each sub-agent to read the repository conventions before being spawned:
add a sentence like "Read /tmp/agents.md for repository conventions (skip if
missing)" immediately before the instruction to spawn the three general-purpose
sub-agents so that each sub-agent prompt includes the repo conventions, full
'Bar for merit' criteria, and 'Constraints'; ensure this change is applied where
Step 1 is defined and referenced for spawning sub-agents so prompts are
consistent with other workflows.

In @.github/workflows/gh-aw-estc-pr-buildkite-detective.lock.yml:
- Around line 357-359: Update Step 1.2 to require exhausting pagination of
list_pull_requests before deciding to noop: call list_pull_requests repeatedly
(or use its pagination mechanism) to fetch all open PR pages, accumulate
candidates, then for each candidate call pull_request_read/get and only call
noop with "No pull request associated with failed commit status; nothing to do"
if no candidates across all pages match head.sha; ensure the doc references
list_pull_requests pagination and that pull_request_read/get is only run after
full pagination.

In @.github/workflows/gh-aw-fragments/runtime-setup.md:
- Around line 66-90: The workflow currently posts repository metadata
(OWNER/REPO) to agents-md-generator.fastmcp.app whenever AGENTS.md is absent;
gate that external fetch by checking repository visibility or an opt-in
variable: wrap the existing curl/fetch block in a condition that first checks
github.repository_visibility != 'private' (or a repo secret/variable like
ENABLE_EXTERNAL_CONVENTIONS == 'true'), and if the repo is private and not
opted-in, skip the curl and emit a warning; ensure the condition applies before
using OWNER/REPO and the sed/jq pipeline so no external request is made for
private repos.

In @.github/workflows/gh-aw-fragments/safe-output-code-review.md:
- Around line 14-19: The PR size parsing silently falls back to diff_lines = 0
when the regex only matches plain digits; update the parsing around pr_size and
diff_lines (the re.search call) to accept formatted numbers (e.g., thousands
separators) by matching a broader numeric token (e.g., allow commas/underscores)
and then normalize the matched string by removing separators before converting
to int; ensure the exception path still handles failures but avoid defaulting to
0 if possible (or explicitly treat "unknown" differently) so large PRs aren't
misrouted to the small-PR path.

In @.github/workflows/gh-aw-mention-in-pr-by-id.lock.yml:
- Line 651: The workflow empties /tmp/pr-context/pr.diff on gh pr diff failure
but still computes DIFF_LINES with wc -l, causing large PRs to be misclassified;
update the failure branch (the gh pr diff ... if ! ... then ... fi block) to
compute DIFF_LINES from files.json instead of relying on pr.diff—e.g., when the
branch writes an empty pr.diff (the line using ": > /tmp/pr-context/pr.diff"),
also calculate DIFF_LINES by summing (.additions + .deletions) across
/tmp/pr-context/files.json via jq and write that value into DIFF_LINES (used
later when creating pr-size.txt and echoing PR size); make the change in the
source .md that generates this .lock.yml and recompile with gh aw compile.

In @.github/workflows/gh-aw-mention-in-pr-by-id.md:
- Around line 149-152: The workflow currently calls ready_to_code_review and
then reads agent-review.md but omits reading parent-review.md, so update the
sequence so that after ready_to_code_review the runner also reads
/tmp/pr-context/parent-review.md (or parent-review.md in the same review path)
and merges its instructions into the review context used by agent-review.md and
sub-agents; ensure any inline-comment formatting rules and severity-threshold
directives from parent-review.md are applied before spawning code-review
sub-agents or emitting final comments.

In @.github/workflows/gh-aw-mention-in-pr-no-sandbox.md:
- Around line 149-157: The flow calls ready_to_code_review but never explicitly
loads the parent review controls; update the procedure that runs after
ready_to_code_review (the orchestration that reads /tmp/pr-context/reviews.json
and /tmp/pr-context/review_comments.json) to also read and apply
/tmp/pr-context/parent-review.md before spawning sub-agents or deciding review
severity; ensure the code path that references review approach files (the block
handling agent-review.md and subagent-*.md) loads and parses parent-review.md
and merges its severity/format controls into the decision logic so downstream
steps (sub-agent spawn, dedupe/verify) honor the parent-review settings.

In @.github/workflows/gh-aw-mention-in-pr.lock.yml:
- Line 734: DIFF_LINES is computed from /tmp/pr-context/pr.diff even when gh pr
diff failed and pr.diff was intentionally emptied; change the DIFF_LINES
assignment (the DIFF_LINES variable computation) to detect an empty/zero-length
/tmp/pr-context/pr.diff and fall back to summing (.additions + .deletions) from
/tmp/pr-context/files.json (or use FILE_COUNT-based heuristic) so large PRs
aren't misclassified; update the workflow fragment that defines DIFF_LINES and
ensure pr-size.txt is written from the fallback value, then apply the change in
the source workflow fragment (not the generated .lock.yml) and run gh aw compile
to regenerate the lockfile.

In @.github/workflows/gh-aw-pr-ci-detective.lock.yml:
- Around line 324-327: The workflow iterates "for each PR" using
github.event.workflow_run.pull_requests but the add_comment step is limited to
max: 1, making multi-PR runs nondeterministic; update the compiled workflow
logic to either (A) scope processing to a single PR (e.g., take the first item
from github.event.workflow_run.pull_requests and feed that to
pull_request_read/get and the rest of the flow) or (B) increase add_comment
capacity and explicitly loop and call add_comment once per PR, and then
regenerate the lock file by applying the change in the original source .md
workflow used by gh aw compile and recompile so the .lock.yml reflects the fix.

In @.github/workflows/gh-aw-pr-review.lock.yml:
- Around line 1094-1095: The workflow currently reads
GH_AW_INPUTS_MINIMUM_SEVERITY into threshold but never passes it into the
ready_to_code_review / safe-input server, so overrides are ignored; update the
ready_to_code_review service/job invocation to propagate minimum_severity (e.g.,
export or add to env for the ready_to_code_review container/process) using the
same GH_AW_INPUTS_MINIMUM_SEVERITY variable name (or pass threshold into the
ready_to_code_review env), and then apply this change in the source .md used to
generate the .github/workflows/*.lock.yml and recompile with `gh aw compile` so
the generated lock file includes the exported variable for ready_to_code_review.

In @.github/workflows/gh-aw-product-manager-impersonator.lock.yml:
- Around line 239-240: The prompt text in the generated lock file references a
stale symbol `generate_agents_md` while other sections switch to
`/tmp/agents.md`; update the source `.md` workflow that produces this lock so
all occurrences of `generate_agents_md` are replaced with `/tmp/agents.md` (or
otherwise unify the wording), then re-run the generation step (`gh aw compile`)
so the `.github/workflows/gh-aw-product-manager-impersonator.lock.yml`
consistently instructs sub-agents to read `/tmp/agents.md`; look for the prompt
delimiter `GH_AW_PROMPT_EOF` and any mentions of `generate_agents_md` in the
source .md to make the change.

In @.github/workflows/gh-aw-scheduled-fix.lock.yml:
- Around line 565-569: Update the "Fetch repository conventions" run script so
local lookup checks multiple candidate paths before calling the remote
generator: test for root AGENTS.md, then .github/AGENTS.md, then
.agents/AGENTS.md (and use the first one found), copying it to /tmp/agents.md
and printing the same success message; only if none exist proceed to compute
OWNER/REPO and call the remote generator (preserving the existing summary/jq
logic and warning behavior). Reference the existing run block and the OWNER/REPO
variables to locate where to implement the ordered existence checks and copy
behavior.

In @.github/workflows/gh-aw-test-improvement.lock.yml:
- Around line 334-337: The ordered list in the workflow prompt has misnumbered
steps (it jumps from "1. Determine required repo commands (lint/build/test) and
how to run tests:" to "3. Identify coverage tooling (nyc, jest --coverage,
pytest --cov, go test -cover, etc.).") — update both occurrences (the block
containing the "Determine required repo commands..." item and the later block
around the "Identify coverage tooling..." item) so the numbering is sequential
(1, 2, 3, ...) and consistent; ensure any subsequent numbered items following
these two fragments are renumbered accordingly to fix the jump.

In @.github/workflows/gh-aw-test-improver.md:
- Around line 104-106: The numbered list in gh-aw-test-improver.md jumps from
"1." to "3." — fix the sequence by either renumbering the third bullet to "2."
or inserting the intended missing item as "2."; update the line that currently
starts with "3. Identify coverage tooling (nyc, jest --coverage, pytest --cov,
go test -cover, etc.)." so the list is contiguous and consistent.

In @.github/workflows/gh-aw-ux-design-patrol.lock.yml:
- Around line 650-654: The "Fetch repository conventions" step reads AGENTS.md
before the PR branch is checked out, risking stale guidance; move this step to
run after the workflow checks out the PR branch (i.e., after the
actions/checkout step) or modify the step to explicitly checkout the PR ref
first (use actions/checkout@v3 with ref: ${{ github.head_ref }}), then
read/write AGENTS.md to /tmp/agents.md so the fetched conventions reflect the PR
branch.

---

Outside diff comments:
In @.github/workflows/gh-aw-pr-actions-fixer.md:
- Around line 101-119: The step numbering and run_id substitution are incorrect;
set RUN_ID from inputs.workflow-run-id (e.g., RUN_ID="${{ inputs.workflow-run-id
}}") then renumber step 1 → 2 and replace all occurrences of placeholder
{run_id} with the variable ${RUN_ID} in the gh api calls (e.g., gh api repos/${{
github.repository }}/actions/runs/${RUN_ID}, repos/.../jobs and repos/.../logs)
and update generated filenames to use workflow-logs-${RUN_ID}.zip and
workflow-logs-${RUN_ID}/ so the scripts reference the explicit RUN_ID variable
consistently.

In @.github/workflows/gh-aw-test-improver.lock.yml:
- Around line 329-333: The numbered list in the Test Improver prompt inside
gh-aw-test-improver.lock.yml is misnumbered (jumps from 1 to 3 and restarts
later); open the original markdown source for the Test Improver prompt, renumber
the ordered-list items sequentially so steps read 1,2,3,... (fix the sections
that currently jump/restart), then re-run the gh aw compile process to
regenerate the .lock.yml so the compiled workflow reflects the corrected
numbering.

In @.github/workflows/gh-aw-test-improver.md:
- Around line 135-143: The markdown numbered list has duplicate "1." and a
missing "2." — update the second list item that starts "If any run fails
intermittently, investigate..." to be numbered "2." (so the three entries read
1, 2, 3) by editing the list block containing "Run each new or modified
test...", "If any run fails intermittently, investigate the root cause..." and
"If the test cannot be made reliably stable..." to correct the numbering.

In @.github/workflows/gh-aw-ux-design-patrol.lock.yml:
- Around line 233-355: Summary: Remove legacy "generate_agents_md" wording from
the workflow prompt and make the prompt consistently reference /tmp/agents.md.
Locate and remove or replace any occurrences of the token or phrase
"generate_agents_md" in the source prompt template (look for the exact string
"generate_agents_md" in the prompt generation .md file) and update any lines
that say "context gathered from generate_agents_md" to instead instruct reading
/tmp/agents.md (or to reference the standardized pre-fetched file). Do not edit
the generated .lock.yml; instead modify the original source workflow
.md/template that produces these prompt sections and then re-run the compilation
step (gh aw compile) to regenerate the lock file. Ensure there are no remaining
mixed instructions by searching for both "generate_agents_md" and any references
that imply the older flow, and confirm the compiled output only mentions
/tmp/agents.md.

---

Nitpick comments:
In @.github/workflows/gh-aw-framework-best-practices.lock.yml:
- Around line 640-643: Move the "Fetch repository conventions" step so it runs
after the PR branch checkout step (the actions/checkout step that checks out the
PR ref) to ensure /tmp/agents.md reflects the checked-out ref; locate the step
with name "Fetch repository conventions" and relocate its entire env/run block
to immediately follow the checkout step (or any step that checks out the PR
branch/ref) so the OWNER/REPO and generated summary reflect the final
checked-out commit.

In @.github/workflows/gh-aw-pr-actions-detective.md:
- Around line 97-109: Replace literal `{run_id}` placeholders with a concrete
shell variable to avoid copy/paste errors: add a RUN_ID variable assignment
(e.g., RUN_ID="${{ github.event.workflow_run.id }}") and update the example
commands that use repos/${{ github.repository }}/actions/runs/{run_id}/jobs and
/logs and any output paths so they reference ${RUN_ID} (also update the output
filenames and unzip target from workflow-logs-{run_id}.zip to
workflow-logs-${RUN_ID}.zip and workflow-logs-{RUN_ID}/). Ensure all occurrences
in the snippet (the gh api jobs call, the gh api logs call, and the >/unzip
paths) are changed to use ${RUN_ID}.

In @.github/workflows/gh-aw-refactor-opportunist.lock.yml:
- Around line 651-655: Update the "Fetch repository conventions" step's shell
block to check for a local fallback before calling the external service: first
test if "AGENTS.md" exists (current test), then add an elif that checks
"gh-agent-workflows/AGENTS.md" and copies it to /tmp/agents.md with the same
echo message, otherwise proceed with the existing OWNER/REPO curl-based fetch
and warnings; modify the conditional branch in the run script that references
AGENTS.md, /tmp/agents.md, and the summary generation logic accordingly and
recompile the workflow.

In @.github/workflows/gh-aw-test-coverage-detector.lock.yml:
- Around line 346-347: Update the remaining example/convention reference from
generate_agents_md to use /tmp/agents.md so all sub-agent wording is consistent;
locate the fragment or markdown that produces the .github/workflows/*.lock.yml
(the source that still references generate_agents_md), change the
example/mention to point to /tmp/agents.md, then re-run the generator (gh aw
compile) to regenerate the lock YAML so the compiled
.github/workflows/gh-aw-test-coverage-detector.lock.yml no longer references
generate_agents_md.

In @.github/workflows/gh-aw-test-improvement.lock.yml:
- Around line 644-647: The new tool schema exposes the repo input but lacks
normalization and format validation; update the corresponding workflow source
markdown (the .md that generates .github/workflows/*.lock.yml) to add a sanitize
step for the repo input and a strict pattern check enforcing the owner/repo
format (e.g., a regex like ^[^/]+/[^/]+$) for the repo field, then re-run gh aw
compile to regenerate the .lock.yml files; look for the repo input definition in
the source markdown (the same logical field named "repo") and add the sanitize
and pattern validation there before compiling.

In @.github/workflows/workflow-patrol.lock.yml:
- Line 195: Update the Pick Three section in the source Markdown
(workflow-patrol.md) to replace any references to generate_agents_md with the
new /tmp/agents.md convention so all guidance consistently tells agents to
read/include /tmp/agents.md; then re-run the workflow Markdown compilation step
to regenerate the lock file (.github/workflows/workflow-patrol.lock.yml) so
lines that previously mentioned generate_agents_md (e.g., the Pick Three
paragraph) now reference /tmp/agents.md.

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between da672ed and e8ab213.

📒 Files selected for processing (103)
  • .github/aw/actions-lock.json
  • .github/workflows/agent-deep-dive.lock.yml
  • .github/workflows/agent-efficiency.lock.yml
  • .github/workflows/agentics-maintenance.yml
  • .github/workflows/downstream-users.lock.yml
  • .github/workflows/downstream-users.md
  • .github/workflows/gh-aw-agent-suggestions.lock.yml
  • .github/workflows/gh-aw-autonomy-atomicity-analyzer.lock.yml
  • .github/workflows/gh-aw-branch-actions-detective.lock.yml
  • .github/workflows/gh-aw-branch-actions-detective.md
  • .github/workflows/gh-aw-breaking-change-detect.lock.yml
  • .github/workflows/gh-aw-breaking-change-detector.lock.yml
  • .github/workflows/gh-aw-bug-exterminator.lock.yml
  • .github/workflows/gh-aw-bug-hunter.lock.yml
  • .github/workflows/gh-aw-code-duplication-detector.lock.yml
  • .github/workflows/gh-aw-code-duplication-fixer.lock.yml
  • .github/workflows/gh-aw-code-simplifier.lock.yml
  • .github/workflows/gh-aw-code-simplifier.md
  • .github/workflows/gh-aw-deep-research.lock.yml
  • .github/workflows/gh-aw-dependency-review.lock.yml
  • .github/workflows/gh-aw-dependency-review.md
  • .github/workflows/gh-aw-docs-drift.lock.yml
  • .github/workflows/gh-aw-docs-patrol.lock.yml
  • .github/workflows/gh-aw-duplicate-issue-detector.lock.yml
  • .github/workflows/gh-aw-estc-actions-resource-not-accessible-detector.lock.yml
  • .github/workflows/gh-aw-estc-actions-resource-not-accessible-detector.md
  • .github/workflows/gh-aw-estc-docs-patrol-external.lock.yml
  • .github/workflows/gh-aw-estc-docs-pr-review.lock.yml
  • .github/workflows/gh-aw-estc-docs-pr-review.md
  • .github/workflows/gh-aw-estc-downstream-health.lock.yml
  • .github/workflows/gh-aw-estc-newbie-contributor-patrol-external.lock.yml
  • .github/workflows/gh-aw-estc-pr-buildkite-detective.lock.yml
  • .github/workflows/gh-aw-estc-pr-buildkite-detective.md
  • .github/workflows/gh-aw-flaky-test-investigator.lock.yml
  • .github/workflows/gh-aw-fragments/elastic-tools.md
  • .github/workflows/gh-aw-fragments/network-ecosystems.md
  • .github/workflows/gh-aw-fragments/pick-three-keep-many.md
  • .github/workflows/gh-aw-fragments/playwright-mcp-explorer.md
  • .github/workflows/gh-aw-fragments/pr-context.md
  • .github/workflows/gh-aw-fragments/review-process.md
  • .github/workflows/gh-aw-fragments/runtime-setup.md
  • .github/workflows/gh-aw-fragments/safe-output-code-review.md
  • .github/workflows/gh-aw-fragments/safe-output-create-pr.md
  • .github/workflows/gh-aw-fragments/scheduled-audit.md
  • .github/workflows/gh-aw-fragments/scheduled-fix.md
  • .github/workflows/gh-aw-framework-best-practices.lock.yml
  • .github/workflows/gh-aw-information-architecture.lock.yml
  • .github/workflows/gh-aw-internal-gemini-cli-web-search.lock.yml
  • .github/workflows/gh-aw-internal-gemini-cli-web-search.md
  • .github/workflows/gh-aw-internal-gemini-cli.lock.yml
  • .github/workflows/gh-aw-internal-gemini-cli.md
  • .github/workflows/gh-aw-issue-fixer.lock.yml
  • .github/workflows/gh-aw-issue-fixer.md
  • .github/workflows/gh-aw-issue-triage.lock.yml
  • .github/workflows/gh-aw-issue-triage.md
  • .github/workflows/gh-aw-mention-in-issue-no-sandbox.lock.yml
  • .github/workflows/gh-aw-mention-in-issue-no-sandbox.md
  • .github/workflows/gh-aw-mention-in-issue.lock.yml
  • .github/workflows/gh-aw-mention-in-issue.md
  • .github/workflows/gh-aw-mention-in-pr-by-id.lock.yml
  • .github/workflows/gh-aw-mention-in-pr-by-id.md
  • .github/workflows/gh-aw-mention-in-pr-no-sandbox.lock.yml
  • .github/workflows/gh-aw-mention-in-pr-no-sandbox.md
  • .github/workflows/gh-aw-mention-in-pr.lock.yml
  • .github/workflows/gh-aw-mention-in-pr.md
  • .github/workflows/gh-aw-newbie-contributor-fixer.lock.yml
  • .github/workflows/gh-aw-newbie-contributor-patrol.lock.yml
  • .github/workflows/gh-aw-performance-profiler.lock.yml
  • .github/workflows/gh-aw-plan.lock.yml
  • .github/workflows/gh-aw-plan.md
  • .github/workflows/gh-aw-pr-actions-detective.lock.yml
  • .github/workflows/gh-aw-pr-actions-detective.md
  • .github/workflows/gh-aw-pr-actions-fixer.lock.yml
  • .github/workflows/gh-aw-pr-actions-fixer.md
  • .github/workflows/gh-aw-pr-ci-detective.lock.yml
  • .github/workflows/gh-aw-pr-review-addresser.lock.yml
  • .github/workflows/gh-aw-pr-review-addresser.md
  • .github/workflows/gh-aw-pr-review.lock.yml
  • .github/workflows/gh-aw-pr-review.md
  • .github/workflows/gh-aw-product-manager-impersonator.lock.yml
  • .github/workflows/gh-aw-project-summary.lock.yml
  • .github/workflows/gh-aw-refactor-opportunist.lock.yml
  • .github/workflows/gh-aw-release-update.lock.yml
  • .github/workflows/gh-aw-release-update.md
  • .github/workflows/gh-aw-scheduled-audit.lock.yml
  • .github/workflows/gh-aw-scheduled-fix.lock.yml
  • .github/workflows/gh-aw-small-problem-fixer.lock.yml
  • .github/workflows/gh-aw-small-problem-fixer.md
  • .github/workflows/gh-aw-stale-issues-investigator.lock.yml
  • .github/workflows/gh-aw-stale-issues-remediator.lock.yml
  • .github/workflows/gh-aw-stale-issues.lock.yml
  • .github/workflows/gh-aw-test-coverage-detector.lock.yml
  • .github/workflows/gh-aw-test-improvement.lock.yml
  • .github/workflows/gh-aw-test-improver.lock.yml
  • .github/workflows/gh-aw-test-improver.md
  • .github/workflows/gh-aw-text-auditor.lock.yml
  • .github/workflows/gh-aw-text-beautifier.lock.yml
  • .github/workflows/gh-aw-update-pr-body.lock.yml
  • .github/workflows/gh-aw-update-pr-body.md
  • .github/workflows/gh-aw-ux-design-patrol.lock.yml
  • .github/workflows/upgrade-check.lock.yml
  • .github/workflows/workflow-patrol.lock.yml
  • Makefile
💤 Files with no reviewable changes (1)
  • .github/workflows/gh-aw-fragments/elastic-tools.md

Comment on lines +633 to +636
"repo": {
"description": "Target repository in 'owner/repo' format. Required when changes are in a subdirectory checkout (e.g., 'repos/repo-a/'). Must be in the allowed-repos list. If omitted, uses the repository at the workspace root.",
"type": "string"
},

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# First, check the structure of the workflow file
echo "=== Examining workflow file structure ==="
wc -l .github/workflows/gh-aw-code-duplication-fixer.lock.yml

echo
echo "=== Lines around 633-636 (the repo parameter definition) ==="
sed -n '630,640p' .github/workflows/gh-aw-code-duplication-fixer.lock.yml

echo
echo "=== Searching for 'allowed-repos' or 'allowlist' in the workflow file ==="
rg -n 'allowed.?repos|allowlist' .github/workflows/gh-aw-code-duplication-fixer.lock.yml

echo
echo "=== Searching for create_pull_request and repo validation ==="
rg -n -B2 -A2 'create_pull_request' .github/workflows/gh-aw-code-duplication-fixer.lock.yml | head -100

echo
echo "=== Searching for handler config or validation logic ==="
rg -n 'handler|validate|check.*repo' .github/workflows/gh-aw-code-duplication-fixer.lock.yml | head -50

Repository: elastic/ai-github-actions

Length of output: 6171


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Looking at validation.json content (around line 721+) ==="
sed -n '721,800p' .github/workflows/gh-aw-code-duplication-fixer.lock.yml | head -60

echo
echo "=== Searching for 'repo' parameter validation in validation.json ==="
sed -n '721,1000p' .github/workflows/gh-aw-code-duplication-fixer.lock.yml | grep -A20 -B5 '"repo"' | head -80

echo
echo "=== Checking if allowed-repos appears anywhere in the entire workflow ==="
rg -i 'allowed' .github/workflows/gh-aw-code-duplication-fixer.lock.yml

echo
echo "=== Looking for safe outputs handler references ==="
find .github -name '*handler*' -o -name '*safe*output*' 2>/dev/null | head -20

echo
echo "=== Searching for documentation or references about repo parameter ==="
rg -n 'repo.*allowed\|allowed.*repo' .github/

Repository: elastic/ai-github-actions

Length of output: 16305


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Checking safe-output-create-pr.md for repo allowlist mentions ==="
cat .github/workflows/gh-aw-fragments/safe-output-create-pr.md | grep -A10 -B5 'repo\|allowed' | head -60

echo
echo "=== Full repo validation in validation.json ==="
sed -n '721,1000p' .github/workflows/gh-aw-code-duplication-fixer.lock.yml | sed -n '/"repo":/,/},/p'

Repository: elastic/ai-github-actions

Length of output: 2018


Schema description does not match validation implementation.

The repo parameter description claims "Must be in the allowed-repos list," but the validation.json schema only enforces type: string and maxLength: 256. No allowlist validation exists in the visible validation layer. Clarify where repository allowlist enforcement actually occurs, or remove the unsubstantiated claim from the schema description to prevent security confusion.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-code-duplication-fixer.lock.yml around lines 633 -
636, Update the schema for the "repo" property so its description matches actual
validation: either remove the unverified phrase "Must be in the allowed-repos
list" from the "repo" description, or implement allowlist enforcement in the
validation layer (e.g., add an allowlist check in the validation.json or the
workflow input validation code) and reference that enforcement in the
description; ensure the change targets the "repo" property text and/or the
validation rules that currently only specify type: string and maxLength: 256 so
the description and validation remain consistent.

1. Call `generate_agents_md` to get repository conventions (if it fails, continue).
2. Use the **Pick Three, Keep One** pattern for the candidate search: spawn 3 `general-purpose` sub-agents, each searching for simplification opportunities from a different angle (e.g., different complexity metrics such as cyclomatic complexity vs. nesting depth vs. function length, different modules or directories, different simplification types such as dead code removal vs. helper reuse vs. control flow flattening). Include the repo conventions, the full "Bar for merit" criteria, and the "Constraints" in each sub-agent prompt. Each sub-agent should return its best candidate simplification with file paths and evidence or recommend `noop`.
3. Use search and file reading to identify overcomplicated code:
1. Use the **Pick Three, Keep One** pattern for the candidate search: spawn 3 `general-purpose` sub-agents, each searching for simplification opportunities from a different angle (e.g., different complexity metrics such as cyclomatic complexity vs. nesting depth vs. function length, different modules or directories, different simplification types such as dead code removal vs. helper reuse vs. control flow flattening). Include the repo conventions, the full "Bar for merit" criteria, and the "Constraints" in each sub-agent prompt. Each sub-agent should return its best candidate simplification with file paths and evidence or recommend `noop`.

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash

# First, list available files to understand structure
echo "=== Repository structure ==="
git ls-files .github/workflows/ gh-aw-fragments/ 2>/dev/null | head -20

echo -e "\n=== Checking runtime-setup.md for agents.md references ==="
if [ -f gh-aw-fragments/runtime-setup.md ]; then
  rg -C3 'agents\.md' gh-aw-fragments/runtime-setup.md || echo "No agents.md references found"
else
  echo "File not found"
fi

echo -e "\n=== Checking pick-three-keep-one.md for conventions instructions ==="
if [ -f gh-aw-fragments/pick-three-keep-one.md ]; then
  rg -C3 'conventions|agents\.md' gh-aw-fragments/pick-three-keep-one.md || echo "No matches found"
else
  echo "File not found"
fi

echo -e "\n=== Checking gh-aw-code-simplifier.md lines around 117 ==="
if [ -f .github/workflows/gh-aw-code-simplifier.md ]; then
  sed -n '110,125p' .github/workflows/gh-aw-code-simplifier.md
else
  echo "File not found"
fi

echo -e "\n=== Checking how other PR workflow files reference conventions ==="
for file in .github/workflows/gh-aw-*.md; do
  if [ -f "$file" ] && [ "$(basename $file)" != "gh-aw-code-simplifier.md" ]; then
    echo "--- $(basename $file) ---"
    rg -C2 'tmp/agents\.md|repo conventions' "$file" | head -10
  fi
done

Repository: elastic/ai-github-actions

Length of output: 9786


Add explicit instruction to read repository conventions.

Line 117 instructs to "Include the repo conventions" in sub-agent prompts but doesn't specify where to obtain them. Other workflows in this codebase (e.g., gh-aw-pr-review.md) explicitly start Step 1 with: "Read /tmp/agents.md for repository conventions (skip if missing)." Add this instruction to Step 1 before spawning sub-agents to match the established pattern and ensure conventions are available.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-code-simplifier.md at line 117, Update Step 1 of the
"Pick Three, Keep One" pattern to explicitly instruct each sub-agent to read the
repository conventions before being spawned: add a sentence like "Read
/tmp/agents.md for repository conventions (skip if missing)" immediately before
the instruction to spawn the three general-purpose sub-agents so that each
sub-agent prompt includes the repo conventions, full 'Bar for merit' criteria,
and 'Constraints'; ensure this change is applied where Step 1 is defined and
referenced for spawning sub-agents so prompts are consistent with other
workflows.

Comment on lines +357 to +359
1. Use the commit SHA provided in the Context section above. If it is empty, discover it from the PR's commit statuses or check runs.
2. Call `list_pull_requests` for the repository (open PRs), then call `pull_request_read` with method `get` on candidates and keep PRs where `head.sha` matches the failed commit SHA. If none match, call `noop` with message "No pull request associated with failed commit status; nothing to do" and stop.
3. For each matching PR, keep author, branches, and fork status for downstream analysis.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Check if corresponding .md source file exists
fd -e md "gh-aw-estc-pr-buildkite-detective" .github/workflows/

Repository: elastic/ai-github-actions

Length of output: 123


🏁 Script executed:

# List all files in the workflows directory to understand structure
ls -la .github/workflows/ | head -30

Repository: elastic/ai-github-actions

Length of output: 2341


🏁 Script executed:

# Check the .md source file for pagination context
fd -e md "gh-aw-estc-pr-buildkite-detective" .github/workflows/ -x cat -n {}

Repository: elastic/ai-github-actions

Length of output: 12048


🏁 Script executed:

cat -n .github/workflows/gh-aw-fragments/mcp-pagination.md

Repository: elastic/ai-github-actions

Length of output: 1658


🌐 Web query:

GitHub MCP server list_pull_requests pagination default behavior page size

💡 Result:

For the official GitHub MCP Server tool list_pull_requests:

  • It uses page-based pagination via page (min 1) and perPage (min 1, max 100). The tool schema documents these parameters but does not explicitly state defaults. (github.com)
  • If you omit perPage (and/or page), behavior follows GitHub REST API defaults: 30 items per page by default, and omitting page returns the first page (page=1). (octokit.github.io)


Explicitly require pagination exhaustion before concluding no PR exists.
Step 1.2 allows noop after calling list_pull_requests without requiring all pages to be fetched. Since list_pull_requests defaults to 30 items per page, this misses valid PRs in repos with many open PRs. Exhausting pagination before the noop call is essential.

Update Step 1.2 in the source .md file:

Suggested prompt fix
-2. Call `list_pull_requests` for the repository (open PRs), then call `pull_request_read` with method `get` on candidates and keep PRs where `head.sha` matches the failed commit SHA. If none match, call `noop` with message "No pull request associated with failed commit status; nothing to do" and stop.
+2. Call `list_pull_requests` for the repository (open PRs) with pagination, iterating through all pages until the final page. Then call `pull_request_read` with method `get` on candidates and keep PRs where `head.sha` matches the failed commit SHA. Only call `noop` with message "No pull request associated with failed commit status; nothing to do" after all pages are exhausted with no match.
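Review bot: The replacement step 2 says to iterate "through all pages until the final page" but gives the agent no page size and no stop condition, and it postpones `pull_request_read` until every page has been fetched. Suggest naming `perPage` 100 (the documented maximum), stating that the last page is the one returning fewer items than requested, and checking `head.sha` page by page so the search can end at the first match while `noop` still waits for the final page.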
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
1. Use the commit SHA provided in the Context section above. If it is empty, discover it from the PR's commit statuses or check runs.
2. Call `list_pull_requests` for the repository (open PRs), then call `pull_request_read` with method `get` on candidates and keep PRs where `head.sha` matches the failed commit SHA. If none match, call `noop` with message "No pull request associated with failed commit status; nothing to do" and stop.
3. For each matching PR, keep author, branches, and fork status for downstream analysis.
1. Use the commit SHA provided in the Context section above. If it is empty, discover it from the PR's commit statuses or check runs.
2. Call `list_pull_requests` for the repository (open PRs) with pagination, iterating through all pages until the final page. Then call `pull_request_read` with method `get` on candidates and keep PRs where `head.sha` matches the failed commit SHA. Only call `noop` with message "No pull request associated with failed commit status; nothing to do" after all pages are exhausted with no match.
3. For each matching PR, keep author, branches, and fork status for downstream analysis.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-estc-pr-buildkite-detective.lock.yml around lines
357 - 359, Update Step 1.2 to require exhausting pagination of
list_pull_requests before deciding to noop: call list_pull_requests repeatedly
(or use its pagination mechanism) to fetch all open PR pages, accumulate
candidates, then for each candidate call pull_request_read/get and only call
noop with "No pull request associated with failed commit status; nothing to do"
if no candidates across all pages match head.sha; ensure the doc references
list_pull_requests pagination and that pull_request_read/get is only run after
full pagination.

Comment on lines +66 to +90
- name: Fetch repository conventions
shell: bash
env:
GITHUB_REPOSITORY: ${{ github.repository }}
run: |
set -euo pipefail
if [ -f "AGENTS.md" ]; then
cp AGENTS.md /tmp/agents.md
echo "Repository conventions copied from AGENTS.md to /tmp/agents.md"
else
OWNER="${GITHUB_REPOSITORY%/*}"
REPO="${GITHUB_REPOSITORY#*/}"
summary=$(curl -sf --max-time 15 -X POST https://agents-md-generator.fastmcp.app/mcp \
-H "Content-Type: application/json" \
-H "Accept: application/json, text/event-stream" \
-d "{\"jsonrpc\":\"2.0\",\"id\":1,\"method\":\"tools/call\",\"params\":{\"name\":\"generate_agents_md\",\"arguments\":{\"owner\":\"${OWNER}\",\"repo\":\"${REPO}\"}}}" \
| sed 's/^data: //' \
| jq -r '.result.structuredContent.summary // empty' 2>/dev/null) || true
if [ -n "$summary" ]; then
echo "$summary" > /tmp/agents.md
echo "Repository conventions written to /tmp/agents.md"
else
echo "::warning::Could not fetch repository conventions; continuing without them"
fi
fi
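Review bot: The `echo "$summary" > /tmp/agents.md` branch writes whatever the external generator returned straight into the file that agents are told to read as repository conventions, so a third-party response becomes agent instructions with no size cap and no marker of where it came from. Suggest bounding the length, prefixing the file with a line that says the content was generated rather than copied from AGENTS.md, and building the `-d` body with `jq -n --arg` instead of interpolating `${OWNER}` and `${REPO}` into the JSON string. The `2>/dev/null` plus `|| true` also hides why a fetch failed; keeping the curl exit code in the warning would help triage.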

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# First, understand the directory structure
echo "=== Repository structure (top level) ==="
git ls-files | head -30

echo -e "\n=== gh-agent-workflows directory ==="
git ls-files | grep -E "gh-agent-workflows|\.github/workflows" | head -20

Repository: elastic/ai-github-actions

Length of output: 2393


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Run the verification script from the review comment
rg -n --type=md -C2 'agents-md-generator\.fastmcp\.app|ALLOW_EXTERNAL_CONVENTIONS_FETCH|github\.event\.repository\.private|Fetch repository conventions'

Repository: elastic/ai-github-actions

Length of output: 51


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Check the specific file and context around lines 66-90
echo "=== Checking runtime-setup.md ==="
fd runtime-setup.md -x cat -n {}

echo -e "\n=== Checking for github.event.repository.private in workflows ==="
rg 'github\.event\.repository' --type=md --type=yaml -C2

Repository: elastic/ai-github-actions

Length of output: 2568


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Looking for runtime-setup files ==="
find . -name "*runtime*" -type f 2>/dev/null | head -20

echo -e "\n=== Looking for gh-aw-fragments directory ==="
find . -name "gh-aw-fragments" -type d 2>/dev/null

echo -e "\n=== Searching for the API endpoint in any file ==="
rg 'fastmcp\.app' --type=md --type=yaml --type=json 2>/dev/null || echo "No results found"

echo -e "\n=== Searching for AGENTS.md references ==="
rg 'AGENTS\.md' --type=md --type=yaml --type=json 2>/dev/null | head -20 || echo "No results found"

Repository: elastic/ai-github-actions

Length of output: 4244


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Checking for ALLOW_EXTERNAL in any file ==="
rg 'ALLOW_EXTERNAL|EXTERNAL_CONVENTIONS' 2>/dev/null | head -20 || echo "No results"

echo -e "\n=== Looking at github.event context usage in YAML workflows ==="
rg 'github\.event' --type=yaml -C1 | head -40

Repository: elastic/ai-github-actions

Length of output: 3458


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Looking for any fetch/curl to external APIs in workflow files ==="
rg 'curl.*https?://' --type=md --type=yaml -C2 | head -60

echo -e "\n=== Check if file exists in git (including staged/uncommitted) ==="
git status --short | grep -i runtime || echo "No runtime files in git status"

Repository: elastic/ai-github-actions

Length of output: 5995


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Full runtime-setup.md file ==="
cat -n ./.github/workflows/gh-aw-fragments/runtime-setup.md

echo -e "\n=== Checking for downstream usage of /tmp/agents.md ==="
rg '/tmp/agents\.md|agents\.md' --type=md --type=yaml -B2 -A2

Repository: elastic/ai-github-actions

Length of output: 4108


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Verify available GitHub context in this workflow context ==="
echo "Checking if 'repository' object is used (common alternative to github.event.repository):"
rg 'github\.repository[^_]' --type=yaml --type=md -C2 | head -40

echo -e "\n=== Looking for private repo checks or visibility checks ==="
rg 'private|visibility|GITHUB_REPOSITORY' --type=md -B2 -A2 | grep -E '\.md.*private|\.md.*visibility|GITHUB_REPOSITORY' | head -20

Repository: elastic/ai-github-actions

Length of output: 5494


Gate external conventions fetch for private repos (data disclosure risk).

This step posts repository metadata (owner/repo) to agents-md-generator.fastmcp.app whenever AGENTS.md is absent, with no guards for private repositories. This can leak repository names to a third-party service.

Add a conditional guard to skip the external fetch for private repos or when not explicitly enabled. Use github.repository_visibility == 'private' or a repository secret/variable opt-in to control this behavior.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-fragments/runtime-setup.md around lines 66 - 90, The
workflow currently posts repository metadata (OWNER/REPO) to
agents-md-generator.fastmcp.app whenever AGENTS.md is absent; gate that external
fetch by checking repository visibility or an opt-in variable: wrap the existing
curl/fetch block in a condition that first checks github.repository_visibility
!= 'private' (or a repo secret/variable like ENABLE_EXTERNAL_CONVENTIONS ==
'true'), and if the repo is private and not opted-in, skip the curl and emit a
warning; ensure the condition applies before using OWNER/REPO and the sed/jq
pipeline so no external request is made for private repos.
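The gate this comment asks for, sketched as an added example; it is not code from the PR or from the review bot. The function names, argument order and the `public`/`private`/`internal` visibility values are assumptions, and the fetch command is passed in as a parameter so the sketch contains no endpoint details.

```shell
#!/usr/bin/env bash
# Added example. Argument order and function names are assumptions.

# Decide where repository conventions may come from.
#   $1 visibility : github.repository_visibility, passed in by the workflow
#   $2 opt_in     : an opt-in variable such as ENABLE_EXTERNAL_CONVENTIONS
#   $3 agents     : path to the repository's own AGENTS.md
# Prints one of: local | external | skip
conventions_source() {
  local visibility="${1:-}" opt_in="${2:-}" agents="${3:-AGENTS.md}"

  # A non-empty local file always wins: nothing leaves the runner.
  if [ -s "$agents" ]; then echo local; return 0; fi

  # An explicit opt-in is the only way a non-public repo reaches the service.
  if [ "$opt_in" = "true" ]; then echo external; return 0; fi

  case "$visibility" in
    public) echo external ;;
    # private, internal, empty or unrecognised: fail closed.
    *)      echo skip ;;
  esac
}

# write_conventions OUT VISIBILITY OPT_IN AGENTS FETCH_CMD [ARGS...]
# FETCH_CMD stands in for the existing curl and sed/jq pipeline; it is only
# executed on the "external" branch, so OWNER/REPO are never sent otherwise.
write_conventions() {
  local out="$1" visibility="$2" opt_in="$3" agents="$4"
  shift 4
  case "$(conventions_source "$visibility" "$opt_in" "$agents")" in
    local)
      cp "$agents" "$out" ;;
    external)
      # Write via a temp file so a failed fetch leaves no partial output.
      if "$@" > "$out.tmp"; then mv "$out.tmp" "$out"; else rm -f "$out.tmp"; return 1; fi ;;
    skip)
      echo "::warning::External conventions fetch skipped (visibility=${visibility:-unknown}, no opt-in)" ;;
  esac
}
```

An empty or unrecognised visibility value is treated like `private`, so a missing context variable cannot turn the gate into an allow.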

Comment on lines +14 to +19
m = re.search(r', (\d+) diff', pr_size)
diff_lines = int(m.group(1)) if m else 0
except Exception:
pr_size = 'unknown size'
diff_lines = 0


⚠️ Potential issue | 🟠 Major

PR size parsing can silently misroute large PRs into the small-PR path

At Line 14, the regex only matches plain digits. If the size string contains thousands separators or format drift, parsing fails and Line 15/Line 18 set diff_lines to 0, which routes Line 47 to the small-PR strategy.

Proposed fix
-          m = re.search(r', (\d+) diff', pr_size)
-          diff_lines = int(m.group(1)) if m else 0
+          m = re.search(r',\s*([\d,]+)\s+diff', pr_size)
+          diff_lines = int(m.group(1).replace(',', '')) if m else 800
       except Exception:
           pr_size = 'unknown size'
-          diff_lines = 0
+          diff_lines = 800
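Review bot: In the `+` regex, `[\d,]+` also matches a token made only of commas, so `int(m.group(1).replace(',', ''))` can raise `ValueError`; the visible `except Exception` then catches it and overwrites `pr_size` with 'unknown size' even though the string was read successfully. Requiring a leading digit (`\d[\d,]*`) avoids that path. The fallback `800` is also a bare literal repeated in both the no-match and the exception branch; a single named constant with a comment stating which routing tier it is meant to select would keep the two in step and make the fail-safe intent checkable in review.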
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
m = re.search(r', (\d+) diff', pr_size)
diff_lines = int(m.group(1)) if m else 0
except Exception:
pr_size = 'unknown size'
diff_lines = 0
m = re.search(r',\s*([\d,]+)\s+diff', pr_size)
diff_lines = int(m.group(1).replace(',', '')) if m else 800
except Exception:
pr_size = 'unknown size'
diff_lines = 800
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-fragments/safe-output-code-review.md around lines 14
- 19, The PR size parsing silently falls back to diff_lines = 0 when the regex
only matches plain digits; update the parsing around pr_size and diff_lines (the
re.search call) to accept formatted numbers (e.g., thousands separators) by
matching a broader numeric token (e.g., allow commas/underscores) and then
normalize the matched string by removing separators before converting to int;
ensure the exception path still handles failures but avoid defaulting to 0 if
possible (or explicitly treat "unknown" differently) so large PRs aren't
misrouted to the small-PR path.

Comment on lines +239 to 240
Repository conventions are pre-fetched to `/tmp/agents.md`. Read this file early in your task to understand the codebase's conventions, guidelines, and patterns. If the file doesn't exist, continue without it. When spawning sub-agents, include the contents of `/tmp/agents.md` in each sub-agent's prompt (or tell the sub-agent to read the file directly).
GH_AW_PROMPT_EOF

⚠️ Potential issue | 🟡 Minor

Unify conventions wording to remove the stale generate_agents_md reference.

Line 239 and Line 358 switch the flow to /tmp/agents.md, but the prompt still references generate_agents_md later (Line 331). This mixed guidance can misdirect sub-agents.

Suggested source-level fix (edit the `.md` source, then recompile)
- - All repository context, conventions, and constraints you've gathered (e.g., from generate_agents_md)
+ - All repository context, conventions, and constraints you've gathered (e.g., from `/tmp/agents.md`)

Based on learnings, this .lock.yml is generated; apply changes in the corresponding .md workflow source and run gh aw compile.

Also applies to: 358-358

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-product-manager-impersonator.lock.yml around lines
239 - 240, The prompt text in the generated lock file references a stale symbol
`generate_agents_md` while other sections switch to `/tmp/agents.md`; update the
source `.md` workflow that produces this lock so all occurrences of
`generate_agents_md` are replaced with `/tmp/agents.md` (or otherwise unify the
wording), then re-run the generation step (`gh aw compile`) so the
`.github/workflows/gh-aw-product-manager-impersonator.lock.yml` consistently
instructs sub-agents to read `/tmp/agents.md`; look for the prompt delimiter
`GH_AW_PROMPT_EOF` and any mentions of `generate_agents_md` in the source .md to
make the change.

Contributor

@github-actions github-actions bot left a comment


The issue-assistant workflows now import gh-aw-fragments/review-process.md (.github/workflows/gh-aw-mention-in-issue.md and .github/workflows/gh-aw-mention-in-issue-no-sandbox.md, import list line 12), but they still do not include the PR-review safe-output tooling that review-process.md now requires (for ready_to_code_review / PR review actions). A concrete failure path is an issue comment asking for a PR review: the prompt now instructs unavailable tools, so the run cannot complete that requested action. Please either add the required review safe-output fragments to these workflows or avoid importing review-process.md in issue workflows.


From workflow: PR Review

… from issue workflows

- gh-aw-test-improver.md: fix two numbered list bugs (1→3 jump, duplicate 1)
- mention-in-issue.md, mention-in-issue-no-sandbox.md: remove review-process.md
  import since it references ready_to_code_review tool not available in issue workflows

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@strawgate strawgate merged commit b4dc41a into main Mar 2, 2026
18 checks passed
@strawgate strawgate deleted the ready-to-code-review-and-disk-offload branch March 2, 2026 08:07