Merged
2 changes: 2 additions & 0 deletions docs/src/content/docs/guides/ephemerals.md
Expand Up @@ -111,6 +111,7 @@ Available operations:
| `create_labels` | Create any repository labels referenced in safe-outputs that do not yet exist |
| `clean_cache_memories` | Clean up outdated cache-memory entries (same as the automated scheduled cleanup) |
| `validate` | Run full workflow validation with all linters and file an issue if findings are detected |
| `activity_report` | Generate a repository activity report for the last 24 hours, week, and month, and create an issue with the results |

**Operation details:**

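Review bot: The new `activity_report` table row gives the ranges as "last 24 hours, week, and month", while the operation details for the same entry say "24 hours, 7 days, and 30 days". Use the same wording in both places; the explicit day counts are the less ambiguous choice, since "month" can be read as a calendar month.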
Expand All @@ -119,6 +120,7 @@ Available operations:
- **`create_labels`**: Runs `gh aw compile --json --no-emit`, collects all unique label names across workflows, and creates missing ones with deterministic pastel colors. Requires `issues: write` permission.
- **`validate`**: Runs `gh aw compile --validate --no-emit --zizmor --actionlint --poutine --verbose`. If errors or warnings are found, creates or updates a GitHub issue titled `[aw] workflow validation findings` with the full output.
- **`clean_cache_memories`**: Lists all caches with the `memory-` prefix, groups them by workflow, keeps the latest per group, and deletes older entries.
- **`activity_report`**: Runs `gh aw logs --format markdown` for the last 24 hours, 7 days, and 30 days (up to 1000 runs each), then creates an issue titled `[aw] agentic status report` with all three time-range sections as collapsible `<details>` blocks. Downloaded logs are cached under `./.cache/gh-aw/activity-report-logs`. The job has a 2-hour timeout and skips the 30-day query when the GitHub API is rate-limited.

### Maintenance Configuration

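Review bot: The `activity_report` entry says it creates an issue but, unlike the `create_labels` entry above it, does not state the permission it needs. Add that in the same "Requires ... permission" form, and say whether a repeat run opens a new `[aw] agentic status report` issue or updates the existing one, as the `validate` entry does with "creates or updates". It would also help to state whether the logs cached under `./.cache/gh-aw/activity-report-logs` are removed after the job, given that each range can hold up to 1000 runs.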
2 changes: 1 addition & 1 deletion docs/src/content/docs/guides/self-hosted-runners.md
Expand Up @@ -131,7 +131,7 @@ The generated `agentics-maintenance.yml` workflow defaults to `ubuntu-slim` for
}
```

This setting applies to every job in `agentics-maintenance.yml` (close-expired-entities, cleanup-cache-memory, run_operation, apply_safe_outputs, create_labels, and validate_workflows). Re-run `gh aw compile` after changing `aw.json` to regenerate the workflow.
This setting applies to every job in `agentics-maintenance.yml` (close-expired-entities, cleanup-cache-memory, run_operation, apply_safe_outputs, create_labels, validate_workflows, and activity_report). Re-run `gh aw compile` after changing `aw.json` to regenerate the workflow.

> [!NOTE]
> `aw.json` is separate from individual workflow frontmatter. It provides repository-level settings for generated infrastructure workflows.
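Review bot: The parenthetical job list on the changed line has to be edited every time a job is added, and it mixes hyphenated names (close-expired-entities, cleanup-cache-memory) with underscored ones. Consider wrapping the names in backticks and checking them against the job ids in the generated workflow, or dropping the enumeration and keeping only "every job in `agentics-maintenance.yml`". Since `activity_report` caches downloaded logs under `./.cache/gh-aw/activity-report-logs` and has a 2-hour timeout, this guide is also the natural place to say what that means on a self-hosted runner whose workspace persists between jobs.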
Original file line number Diff line number Diff line change
Expand Up @@ -121,6 +121,7 @@ safe-outputs:
update-pull-request:
title: true # enable title updates (default: true)
body: true # enable body updates (default: true)
update-branch: false # update PR branch with latest base before other updates (default: false)
footer: false # omit AI-generated footer from body updates (default: true)
max: 1 # max updates (default: 1)
target: "*" # "triggering" (default), "*", or number
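Review bot: The inline comment on `update-branch` gives the default but not the permission change: per the paragraph added further down, turning it on raises the requirement from `contents: read` to `contents: write`. Put that in the comment, for example "(default: false; requires contents: write)", because this sample also sets `target: "*"` and a reader who copies it and flips the flag is enabling branch updates on any PR.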
Expand All @@ -130,6 +131,8 @@ safe-outputs:

**Target**: `"triggering"` (requires PR event), `"*"` (any PR), or number (specific PR).

When `update-branch: true` is set, the handler calls the GitHub REST `pulls.updateBranch` API to merge the latest base branch changes into the PR branch before applying title or body updates. This requires `contents: write` permission; without it only `contents: read` is needed. The field can also be used alone (with `title: false` and `body: false`) to update the branch without changing the PR description.

When using `target: "*"`, the agent must provide `pull_request_number` in the output to identify which pull request to update.

**Operation Types**: Same as `update-issue` (`append`, `prepend`, `replace`). Title updates always replace the existing title. Disable fields by setting to `false`.
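Review bot: In the added `update-branch` paragraph, "without it only `contents: read` is needed" is ambiguous, since "it" can be read as the permission rather than the option; "when `update-branch` is not set" would remove the doubt. The paragraph also does not say what happens to the title and body updates when the `pulls.updateBranch` call fails (for example on a merge conflict): state whether the handler aborts or continues with the remaining updates.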
Expand Down Expand Up @@ -234,7 +237,8 @@ safe-outputs:
- "**/*.lock"
github-token: ${{ secrets.SOME_CUSTOM_TOKEN }} # optional custom token for permissions
github-token-for-extra-empty-commit: ${{ secrets.CI_TOKEN }} # optional token to push empty commit triggering CI
fallback-as-pull-request: true # default: on non-fast-forward push failure, create fallback PR to original PR branch
fallback-as-pull-request: true # on non-fast-forward failure, create fallback PR to original PR branch (default: true)
ignore-missing-branch-failure: false # treat deleted/missing branch errors as skipped instead of failed (default: false)
protected-files: fallback-to-issue # create review issue if protected files modified
```

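Review bot: The reworded `fallback-as-pull-request` comment dropped the word "push" ("on non-fast-forward failure"), while the prose below still says "non-fast-forward push failures"; keep "push" so the two match. With `ignore-missing-branch-failure` added directly under it, the sample now shows two failure-handling options side by side, so a short note on how they relate would help, since one covers non-fast-forward pushes and the other a deleted or missing branch.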
Expand Down Expand Up @@ -286,6 +290,8 @@ If `push-to-pull-request-branch` (or `create-pull-request`) fails, the safe-outp

When `fallback-as-pull-request` is enabled (default), non-fast-forward push failures trigger a fallback pull request that targets the original PR branch. Set `fallback-as-pull-request: false` to disable this fallback behavior.

When `ignore-missing-branch-failure: true` is set, push failures caused by a deleted or missing PR branch return `skipped: true` instead of a hard failure. This is useful when the PR branch may have been deleted before the safe-output job runs (for example, on auto-merged PRs). Without this flag, a missing branch is a terminal error.

## Protected Files

Both `create-pull-request` and `push-to-pull-request-branch` enforce protected file protection by default. Patches that modify package manifests, agent instruction files, or repository security configuration are refused unless you explicitly configure a policy.
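Review bot: The added `ignore-missing-branch-failure` paragraph says the push returns `skipped: true`, but not what happens to the changes the agent produced or where the skip is reported. Document whether the patch is discarded, whether the skip is visible in the job output, and whether a fallback pull request is still attempted in this case, so a skipped push is not mistaken for a successful one.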