diff --git a/.github/instructions/github-agentic-workflows.instructions.md b/.github/instructions/github-agentic-workflows.instructions.md
index e67998560f5..2fd2f0cfd06 100644
--- a/.github/instructions/github-agentic-workflows.instructions.md
+++ b/.github/instructions/github-agentic-workflows.instructions.md
@@ -36,11 +36,11 @@ The YAML frontmatter supports these fields:
 ### Core GitHub Actions Fields
 - **`on:`** - Workflow triggers (required)
- - String: `"push"`, `"issues"`, `"workflow_dispatch"`, etc.
+ - String: `"push"`, `"issues"`, etc.
 - Object: Complex trigger configuration
 - Special: `command:` for /mention triggers
 - **`stop-after:`** - Can be included in the `on:` object to set a deadline for workflow execution. Supports absolute timestamps ("YYYY-MM-DD HH:MM:SS") or relative time deltas (+25h, +3d, +1d12h30m). Uses precise date calculations that account for varying month lengths.
-
+
 - **`permissions:`** - GitHub token permissions
 - Object with permission levels: `read`, `write`, `none`
 - Available permissions: `contents`, `issues`, `pull-requests`, `discussions`, `actions`, `checks`, `statuses`, `models`, `deployments`, `security-events`
@@ -51,12 +51,7 @@ The YAML frontmatter supports these fields:
 - **`env:`** - Environment variables (object or string)
 - **`if:`** - Conditional execution expression (string)
 - **`run-name:`** - Custom workflow run name (string)
-- **`name:`** - Workflow name displayed in GitHub Actions interface (string). Defaults to filename without extension if not specified.
- - Examples: `"Copilot Agent PR Analysis"`, `"Dev Hawk"`, `"Smoke Claude"`
-- **`description:`** - Optional workflow description rendered as a comment in generated `.lock.yml` file (string)
- - Example: `"Quickstart for using the GitHub Actions library"`
-- **`source:`** - Optional source reference indicating where workflow was added from (string). Format: `owner/repo/path@ref`. Rendered as a comment in generated lock file.
- - Examples: `"githubnext/agentics/workflows/ci-doctor.md"`, `"githubnext/agentics/workflows/daily-perf-improver.md@1f181b37d3fe5862ab590648f25a292e345b5de6"`
+- **`name:`** - Workflow name (string)
 - **`steps:`** - Custom workflow steps (object)
 - **`post-steps:`** - Custom workflow steps to run after AI execution (object)
@@ -613,29 +608,16 @@ Import shared components using the `imports:` field in frontmatter:
 on: issues
 engine: copilot
 imports:
- - shared/jqschema.md
- - shared/reporting.md
- - shared/mcp/gh-aw.md
+ - shared/security-notice.md
+ - shared/tool-setup.md
+ - shared/mcp/tavily.md
 ---
 ```
-**Additional Examples:**
-```yaml
-# Import relative to current workflow location
-imports:
- - ../instructions/documentation.instructions.md
-
-# Import multiple shared configurations
-imports:
- - shared/mcp/gh-aw.md
- - shared/jqschema.md
- - shared/reporting.md
-```
-
 ### Import File Structure
 Import files are in `.github/workflows/shared/` and can contain:
 - Tool configurations (frontmatter only)
- Text content
+- Text content
 - Mixed frontmatter + content
 Example import file with tools:
diff --git a/.github/workflows/daily-news.md b/.github/workflows/daily-news.md
index 77454d6f8d1..2536c4518d6 100644
--- a/.github/workflows/daily-news.md
+++ b/.github/workflows/daily-news.md
@@ -5,6 +5,8 @@ on:
 - cron: "0 9 * * 1-5"
 workflow_dispatch:
+permissions: read-all
+
 engine: copilot
 network:
diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml
index 68626d59882..e3928af150b 100644
--- a/.github/workflows/notion-issue-summary.lock.yml
+++ b/.github/workflows/notion-issue-summary.lock.yml
@@ -26,7 +26,10 @@ name: "Issue Summary to Notion"
 required: true
 type: string
-permissions: read-all
+permissions:
+ actions: read
+ contents: read
+ issues: read
 concurrency:
 group: "gh-aw-${{ github.workflow }}"
@@ -56,7 +59,10 @@ jobs:
 agent:
 needs: activation
 runs-on: ubuntu-latest
- permissions: read-all
+ permissions:
+ actions: read
+ contents: read
+ issues: read
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 env:
diff --git a/.github/workflows/notion-issue-summary.md b/.github/workflows/notion-issue-summary.md
index d5dcd378e7b..7dc6475928f 100644
--- a/.github/workflows/notion-issue-summary.md
+++ b/.github/workflows/notion-issue-summary.md
@@ -6,6 +6,10 @@ on:
 description: "Issue number to analyze"
 required: true
 type: string
+permissions:
+ contents: read
+ issues: read
+ actions: read
 tools:
 github:
 imports:
diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml
index 118415bda6e..0bf83a4421f 100644
--- a/.github/workflows/smoke-claude.lock.yml
+++ b/.github/workflows/smoke-claude.lock.yml
@@ -25,7 +25,10 @@ name: "Smoke Claude"
 - cron: 0 0,6,12,18 * * *
 workflow_dispatch: null
-permissions: read-all
+permissions:
+ actions: read
+ contents: read
+ pull-requests: read
 concurrency:
 group: "gh-aw-${{ github.workflow }}"
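Review bot: The added `permissions: read-all` in daily-news.md grants the job token read access on every scope, which cuts against the rest of this commit, where the same `read-all` line is replaced by explicit per-scope grants in the notion-issue-summary and smoke-* sources. Unless daily-news genuinely needs every read scope, list only the ones its prompt and tools use, following the pattern the other hunks establish, e.g. `permissions:` followed by `  contents: read` plus whatever else the workflow actually reads. Which scopes the `copilot` engine or the `network:` block requires is not visible in this hunk, so the exact list has to be checked against the workflow body outside it. If `read-all` is intentional here, a comment on the line saying why would stop the next least-privilege sweep from tightening it blindly.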
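Review bot: The new `permissions:` block in notion-issue-summary.md lists `contents`, `issues` and `actions` read scopes without recording which step needs each, so a later reader cannot tell whether `actions: read` is still required or was carried over from a template; the same gap exists in the identical-looking blocks added to smoke-claude.md, smoke-codex.md, smoke-copilot.firewall.md, smoke-copilot.md and smoke-opencode.md. A one-line comment on each non-obvious scope, e.g. `actions: read  # needed by <placeholder: name the step that reads Actions data>`, keeps the least-privilege list auditable when scopes are added or removed later. `actions: read` presumably serves the `activation` job that the .lock.yml hunks show the `agent` job depending on — verify, and drop the scope if nothing reads run metadata. The key order in the sources (`contents, issues, actions`) differs from the generated lock files (`actions, contents, issues`), which suggests the compiler sorts keys; harmless, but matching the lock order in the sources would keep source-to-lock diffs minimal.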
@@ -55,7 +58,10 @@ jobs:
 agent:
 needs: activation
 runs-on: ubuntu-latest
- permissions: read-all
+ permissions:
+ actions: read
+ contents: read
+ pull-requests: read
 concurrency:
 group: "gh-aw-claude-${{ github.workflow }}"
 env:
diff --git a/.github/workflows/smoke-claude.md b/.github/workflows/smoke-claude.md
index c04ffff50f0..5026fa4df91 100644
--- a/.github/workflows/smoke-claude.md
+++ b/.github/workflows/smoke-claude.md
@@ -3,6 +3,10 @@ on:
 schedule:
 - cron: "0 0,6,12,18 * * *" # Every 6 hours
 workflow_dispatch:
+permissions:
+ contents: read
+ actions: read
+ pull-requests: read
 name: Smoke Claude
 engine: claude
 tools:
diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml
index 717b9179170..a49e7ca637d 100644
--- a/.github/workflows/smoke-codex.lock.yml
+++ b/.github/workflows/smoke-codex.lock.yml
@@ -25,7 +25,10 @@ name: "Smoke Codex"
 - cron: 0 0,6,12,18 * * *
 workflow_dispatch: null
-permissions: read-all
+permissions:
+ actions: read
+ contents: read
+ pull-requests: read
 concurrency:
 group: "gh-aw-${{ github.workflow }}"
@@ -55,7 +58,10 @@ jobs:
 agent:
 needs: activation
 runs-on: ubuntu-latest
- permissions: read-all
+ permissions:
+ actions: read
+ contents: read
+ pull-requests: read
 concurrency:
 group: "gh-aw-codex-${{ github.workflow }}"
 env:
diff --git a/.github/workflows/smoke-codex.md b/.github/workflows/smoke-codex.md
index dd6a9337e25..2022f41284f 100644
--- a/.github/workflows/smoke-codex.md
+++ b/.github/workflows/smoke-codex.md
@@ -3,6 +3,10 @@ on:
 schedule:
 - cron: "0 0,6,12,18 * * *" # Every 6 hours
 workflow_dispatch:
+permissions:
+ contents: read
+ actions: read
+ pull-requests: read
 name: Smoke Codex
 engine: codex
 tools:
diff --git a/.github/workflows/smoke-copilot.firewall.lock.yml b/.github/workflows/smoke-copilot.firewall.lock.yml
index 0672c67acce..da37bbf076d 100644
--- a/.github/workflows/smoke-copilot.firewall.lock.yml
+++ b/.github/workflows/smoke-copilot.firewall.lock.yml
@@ -25,7 +25,10 @@ name: "Smoke Copilot Firewall"
 - cron: 0 0,6,12,18 * * *
 workflow_dispatch: null
-permissions: read-all
+permissions:
+ actions: read
+ contents: read
+ pull-requests: read
 concurrency:
 group: "gh-aw-${{ github.workflow }}"
@@ -55,7 +58,10 @@ jobs:
 agent:
 needs: activation
 runs-on: ubuntu-latest
- permissions: read-all
+ permissions:
+ actions: read
+ contents: read
+ pull-requests: read
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 env:
diff --git a/.github/workflows/smoke-copilot.firewall.md b/.github/workflows/smoke-copilot.firewall.md
index 504c852a539..2a2fe380a18 100644
--- a/.github/workflows/smoke-copilot.firewall.md
+++ b/.github/workflows/smoke-copilot.firewall.md
@@ -3,6 +3,10 @@ on:
 schedule:
 - cron: "0 0,6,12,18 * * *" # Every 6 hours
 workflow_dispatch:
+permissions:
+ contents: read
+ actions: read
+ pull-requests: read
 name: Smoke Copilot Firewall
 engine: copilot
 network:
diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml
index e6841a700d8..9a79c6d83e9 100644
--- a/.github/workflows/smoke-copilot.lock.yml
+++ b/.github/workflows/smoke-copilot.lock.yml
@@ -25,7 +25,10 @@ name: "Smoke Copilot"
 - cron: 0 0,6,12,18 * * *
 workflow_dispatch: null
-permissions: read-all
+permissions:
+ actions: read
+ contents: read
+ pull-requests: read
 concurrency:
 group: "gh-aw-${{ github.workflow }}"
@@ -55,7 +58,10 @@ jobs:
 agent:
 needs: activation
 runs-on: ubuntu-latest
- permissions: read-all
+ permissions:
+ actions: read
+ contents: read
+ pull-requests: read
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 env:
diff --git a/.github/workflows/smoke-copilot.md b/.github/workflows/smoke-copilot.md
index 7fbae14503a..267121dac6f 100644
--- a/.github/workflows/smoke-copilot.md
+++ b/.github/workflows/smoke-copilot.md
@@ -3,6 +3,10 @@ on:
 schedule:
 - cron: "0 0,6,12,18 * * *" # Every 6 hours
 workflow_dispatch:
+permissions:
+ contents: read
+ actions: read
+ pull-requests: read
 name: Smoke Copilot
 engine: copilot
 network:
diff --git a/.github/workflows/smoke-opencode.lock.yml b/.github/workflows/smoke-opencode.lock.yml
index 8cc90292069..3fd913a6429 100644
--- a/.github/workflows/smoke-opencode.lock.yml
+++ b/.github/workflows/smoke-opencode.lock.yml
@@ -29,7 +29,10 @@ name: "Smoke OpenCode"
 - cron: 0 0,6,12,18 * * *
 workflow_dispatch: null
-permissions: read-all
+permissions:
+ actions: read
+ contents: read
+ pull-requests: read
 concurrency:
 group: "gh-aw-${{ github.workflow }}"
@@ -59,7 +62,10 @@ jobs:
 agent:
 needs: activation
 runs-on: ubuntu-latest
- permissions: read-all
+ permissions:
+ actions: read
+ contents: read
+ pull-requests: read
 concurrency:
 group: "gh-aw-custom-${{ github.workflow }}"
 env:
diff --git a/.github/workflows/smoke-opencode.md b/.github/workflows/smoke-opencode.md
index fba5d428fa3..334c36e930a 100644
--- a/.github/workflows/smoke-opencode.md
+++ b/.github/workflows/smoke-opencode.md
@@ -3,6 +3,10 @@ on:
 schedule:
 - cron: "0 0,6,12,18 * * *" # Every 6 hours
 workflow_dispatch:
+permissions:
+ contents: read
+ actions: read
+ pull-requests: read
 name: Smoke OpenCode
 imports:
 - shared/opencode.md