Add manual-approval field to on section for environment-gated workflows

.github/workflows/test-manual-approval.md

@@ -0,0 +1,14 @@
+---
+on:
+  workflow_dispatch:
+  manual-approval: production
+permissions:
+  contents: read
+  issues: read
+  pull-requests: read
+engine: copilot
+---
+
+# Test Manual Approval Workflow
+
+This workflow tests the manual-approval field in the on section.

docs/src/content/docs/reference/frontmatter-full.md

@@ -533,6 +533,11 @@ on:
   # (optional)
   stop-after: "example-value"
 
+  # Environment name that requires manual approval before the workflow can run. Must
+  # match a valid environment configured in the repository settings.
+  # (optional)
+  manual-approval: "example-value"
+
   # AI reaction to add/remove on triggering item (one of: +1, -1, laugh, confused,
   # heart, hooray, rocket, eyes, none). Use 'none' to disable reactions. Defaults to
   # 'eyes' if not specified.
@@ -1239,7 +1244,6 @@ safe-outputs:
     # (optional)
     max: 1
 
-
     # Target repository in format 'owner/repo' for cross-repository issue creation.
     # Takes precedence over trial target repo settings.
     # (optional)
@@ -1269,10 +1273,6 @@ safe-outputs:
     # (optional)
     max: 1
 
-    # Minimum number of agent tasks to create (default: 0 - no requirement)
-    # (optional)
-    min: 1
-
     # Target repository in format 'owner/repo' for cross-repository agent task
     # creation. Takes precedence over trial target repo settings.
     # (optional)
@@ -1313,10 +1313,6 @@ safe-outputs:
     # (optional)
     max: 1
 
-    # Minimum number of discussions to create (default: 0 - no requirement)
-    # (optional)
-    min: 1
-
     # Target repository in format 'owner/repo' for cross-repository discussion
     # creation. Takes precedence over trial target repo settings.
     # (optional)
@@ -1340,10 +1336,6 @@ safe-outputs:
     # (optional)
     max: 1
 
-    # Minimum number of comments to create (default: 0 - no requirement)
-    # (optional)
-    min: 1
-
     # Target for comments: 'triggering' (default), '*' (any issue), or explicit issue
     # number
     # (optional)
@@ -1431,10 +1423,6 @@ safe-outputs:
     # (optional)
     max: 1
 
-    # Minimum number of review comments to create (default: 0 - no requirement)
-    # (optional)
-    min: 1
-
     # Side of the diff for comments: 'LEFT' or 'RIGHT' (default: 'RIGHT')
     # (optional)
     side: "LEFT"
@@ -1467,10 +1455,6 @@ safe-outputs:
     # (optional)
     max: 1
 
-    # Minimum number of security findings to include (default: 0 - no requirement)
-    # (optional)
-    min: 1
-
     # Driver name for SARIF tool.driver.name field (default: 'GitHub Agentic Workflows
     # Security Scanner')
     # (optional)
@@ -1504,10 +1488,6 @@ safe-outputs:
     # (optional)
     max: 1
 
-    # Minimum number of labels to add (default: 0 - no requirement)
-    # (optional)
-    min: 1
-
     # Target for labels: 'triggering' (default), '*' (any issue/PR), or explicit
     # issue/PR number
     # (optional)
@@ -1550,10 +1530,6 @@ safe-outputs:
     # (optional)
     max: 1
 
-    # Minimum number of issues to update (default: 0 - no requirement)
-    # (optional)
-    min: 1
-
     # Target repository in format 'owner/repo' for cross-repository issue updates.
     # Takes precedence over trial target repo settings.
     # (optional)
@@ -1621,10 +1597,6 @@ safe-outputs:
     # (optional)
     max: 1
 
-    # Minimum number of missing tool reports (default: 0 - no requirement)
-    # (optional)
-    min: 1
-
     # GitHub token to use for this specific output type. Overrides global github-token
     # if specified.
     # (optional)
@@ -1659,7 +1631,6 @@ safe-outputs:
     # (optional)
     max: 1
 
-
     # GitHub token to use for this specific output type. Overrides global github-token
     # if specified.
     # (optional)

docs/src/content/docs/status.mdx

@@ -16,13 +16,14 @@ Browse the [workflow source files](https://github.com/githubnext/gh-aw/tree/main
 | [Basic Research Agent](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/research.md) | copilot | [![Basic Research Agent](https://github.com/githubnext/gh-aw/actions/workflows/research.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/research.lock.yml) | - | - |
 | [Blog Auditor](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/blog-auditor.md) | claude | [![Blog Auditor](https://github.com/githubnext/gh-aw/actions/workflows/blog-auditor.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/blog-auditor.lock.yml) | `0 12 * * 3` | - |
 | [Brave Web Search Agent](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/brave.md) | copilot | [![Brave Web Search Agent](https://github.com/githubnext/gh-aw/actions/workflows/brave.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/brave.lock.yml) | - | `/brave` |
-| [Changeset Generator](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/changeset-generator.firewall.md) | copilot | [![Changeset Generator](https://github.com/githubnext/gh-aw/actions/workflows/changeset-generator.firewall.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/changeset-generator.firewall.lock.yml) | - | - |
+| [Changeset Generator](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/changeset.md) | copilot | [![Changeset Generator](https://github.com/githubnext/gh-aw/actions/workflows/changeset.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/changeset.lock.yml) | - | - |
 | [CI Failure Doctor](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/ci-doctor.md) | copilot | [![CI Failure Doctor](https://github.com/githubnext/gh-aw/actions/workflows/ci-doctor.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/ci-doctor.lock.yml) | - | - |
 | [CLI Version Checker](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/cli-version-checker.md) | copilot | [![CLI Version Checker](https://github.com/githubnext/gh-aw/actions/workflows/cli-version-checker.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/cli-version-checker.lock.yml) | `0 15 * * *` | - |
 | [Commit Changes Analyzer](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/commit-changes-analyzer.md) | claude | [![Commit Changes Analyzer](https://github.com/githubnext/gh-aw/actions/workflows/commit-changes-analyzer.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/commit-changes-analyzer.lock.yml) | - | - |
 | [Copilot Agent PR Analysis](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/copilot-agent-analysis.md) | claude | [![Copilot Agent PR Analysis](https://github.com/githubnext/gh-aw/actions/workflows/copilot-agent-analysis.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/copilot-agent-analysis.lock.yml) | `0 18 * * *` | - |
 | [Copilot Agent Prompt Clustering Analysis](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/prompt-clustering-analysis.md) | claude | [![Copilot Agent Prompt Clustering Analysis](https://github.com/githubnext/gh-aw/actions/workflows/prompt-clustering-analysis.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/prompt-clustering-analysis.lock.yml) | `0 19 * * *` | - |
 | [Copilot PR Prompt Pattern Analysis](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/copilot-pr-prompt-analysis.md) | copilot | [![Copilot PR Prompt Pattern Analysis](https://github.com/githubnext/gh-aw/actions/workflows/copilot-pr-prompt-analysis.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/copilot-pr-prompt-analysis.lock.yml) | `0 9 * * *` | - |
+| [Copilot Session Insights](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/copilot-session-insights.md) | claude | [![Copilot Session Insights](https://github.com/githubnext/gh-aw/actions/workflows/copilot-session-insights.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/copilot-session-insights.lock.yml) | `0 16 * * *` | - |
 | [Daily Documentation Updater](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/daily-doc-updater.md) | claude | [![Daily Documentation Updater](https://github.com/githubnext/gh-aw/actions/workflows/daily-doc-updater.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/daily-doc-updater.lock.yml) | `0 6 * * *` | - |
 | [Daily Firewall Logs Collector and Reporter](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/daily-firewall-report.md) | copilot | [![Daily Firewall Logs Collector and Reporter](https://github.com/githubnext/gh-aw/actions/workflows/daily-firewall-report.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/daily-firewall-report.lock.yml) | `0 10 * * *` | - |
 | [Daily News](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/daily-news.md) | copilot | [![Daily News](https://github.com/githubnext/gh-aw/actions/workflows/daily-news.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/daily-news.lock.yml) | `0 9 * * 1-5` | - |
@@ -47,6 +48,7 @@ Browse the [workflow source files](https://github.com/githubnext/gh-aw/tree/main
 | [Mergefest](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/mergefest.md) | copilot | [![Mergefest](https://github.com/githubnext/gh-aw/actions/workflows/mergefest.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/mergefest.lock.yml) | - | `/mergefest` |
 | [Plan Command](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/plan.md) | copilot | [![Plan Command](https://github.com/githubnext/gh-aw/actions/workflows/plan.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/plan.lock.yml) | - | `/plan` |
 | [Poem Bot - A Creative Agentic Workflow](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/poem-bot.md) | copilot | [![Poem Bot - A Creative Agentic Workflow](https://github.com/githubnext/gh-aw/actions/workflows/poem-bot.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/poem-bot.lock.yml) | - | `/poem` |
+| [Python Data Visualization Generator](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/python-data-charts.md) | copilot | [![Python Data Visualization Generator](https://github.com/githubnext/gh-aw/actions/workflows/python-data-charts.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/python-data-charts.lock.yml) | - | - |
 | [Q](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/q.md) | copilot | [![Q](https://github.com/githubnext/gh-aw/actions/workflows/q.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/q.lock.yml) | - | `/q` |
 | [Repository Tree Map Generator](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/repo-tree-map.md) | copilot | [![Repository Tree Map Generator](https://github.com/githubnext/gh-aw/actions/workflows/repo-tree-map.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/repo-tree-map.lock.yml) | - | - |
 | [Resource Summarizer Agent](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/pdf-summary.md) | copilot | [![Resource Summarizer Agent](https://github.com/githubnext/gh-aw/actions/workflows/pdf-summary.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/pdf-summary.lock.yml) | - | `/summarize` |
@@ -63,10 +65,12 @@ Browse the [workflow source files](https://github.com/githubnext/gh-aw/tree/main
 | [Smoke OpenCode](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/smoke-opencode.md) | copilot | [![Smoke OpenCode](https://github.com/githubnext/gh-aw/actions/workflows/smoke-opencode.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/smoke-opencode.lock.yml) | `0 0,6,12,18 * * *` | - |
 | [Technical Doc Writer](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/technical-doc-writer.md) | copilot | [![Technical Doc Writer](https://github.com/githubnext/gh-aw/actions/workflows/technical-doc-writer.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/technical-doc-writer.lock.yml) | - | - |
 | [Test jqschema](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/test-jqschema.md) | copilot | [![Test jqschema](https://github.com/githubnext/gh-aw/actions/workflows/test-jqschema.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/test-jqschema.lock.yml) | - | - |
+| [Test Manual Approval Workflow](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/test-manual-approval.md) | copilot | [![Test Manual Approval Workflow](https://github.com/githubnext/gh-aw/actions/workflows/test-manual-approval.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/test-manual-approval.lock.yml) | - | - |
 | [Test Ollama Threat Scanning](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/test-ollama-threat-detection.md) | copilot | [![Test Ollama Threat Scanning](https://github.com/githubnext/gh-aw/actions/workflows/test-ollama-threat-detection.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/test-ollama-threat-detection.lock.yml) | - | - |
 | [Test Post-Steps Workflow](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/test-post-steps.md) | copilot | [![Test Post-Steps Workflow](https://github.com/githubnext/gh-aw/actions/workflows/test-post-steps.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/test-post-steps.lock.yml) | - | - |
 | [Test Secret Masking Workflow](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/test-secret-masking.md) | copilot | [![Test Secret Masking Workflow](https://github.com/githubnext/gh-aw/actions/workflows/test-secret-masking.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/test-secret-masking.lock.yml) | - | - |
 | [Test Svelte MCP](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/test-svelte.md) | copilot | [![Test Svelte MCP](https://github.com/githubnext/gh-aw/actions/workflows/test-svelte.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/test-svelte.lock.yml) | - | - |
+| [Test Workflow Timestamp Check](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/test-timestamp-js.md) | copilot | [![Test Workflow Timestamp Check](https://github.com/githubnext/gh-aw/actions/workflows/test-timestamp-js.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/test-timestamp-js.lock.yml) | - | - |
 | [The Daily Repository Chronicle](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/daily-repo-chronicle.md) | copilot | [![The Daily Repository Chronicle](https://github.com/githubnext/gh-aw/actions/workflows/daily-repo-chronicle.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/daily-repo-chronicle.lock.yml) | `0 16 * * 1-5` | - |
 | [Tidy](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/tidy.md) | copilot | [![Tidy](https://github.com/githubnext/gh-aw/actions/workflows/tidy.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/tidy.lock.yml) | - | - |
 | [Video Analysis Agent](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/video-analyzer.md) | copilot | [![Video Analysis Agent](https://github.com/githubnext/gh-aw/actions/workflows/video-analyzer.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/video-analyzer.lock.yml) | - | - |

pkg/parser/schemas/main_workflow_schema.json

@@ -860,6 +860,10 @@
               "type": "string",
               "description": "Time when workflow should stop running. Supports multiple formats: absolute dates (YYYY-MM-DD HH:MM:SS, June 1 2025, 1st June 2025, 06/01/2025, etc.) or relative time deltas (+25h, +3d, +1d12h30m)"
             },
+            "manual-approval": {
+              "type": "string",
+              "description": "Environment name that requires manual approval before the workflow can run. Must match a valid environment configured in the repository settings."
+            },
             "reaction": {
               "type": "string",
               "enum": ["+1", "-1", "laugh", "confused", "heart", "hooray", "rocket", "eyes", "none"],

pkg/workflow/compiler.go

@@ -170,6 +170,7 @@ type WorkflowData struct {
 	EngineConfig        *EngineConfig // Extended engine configuration
 	AgentFile           string        // Path to custom agent file (from imports)
 	StopTime            string
+	ManualApproval      string               // environment name for manual approval from on: section
 	Command             string               // for /command trigger support
 	CommandEvents       []string             // events where command should be active (nil = all events)
 	CommandOtherEvents  map[string]any       // for merging command with other events
@@ -1105,6 +1106,12 @@ func (c *Compiler) ParseWorkflowFile(markdownPath string) (*WorkflowData, error)
 		return nil, err
 	}
 
+	// Process manual-approval configuration from the on: section
+	err = c.processManualApprovalConfiguration(result.Frontmatter, workflowData)
+	if err != nil {
+		return nil, err
+	}
+
 	workflowData.Command, workflowData.CommandEvents = c.extractCommandConfig(result.Frontmatter)
 	workflowData.Jobs = c.extractJobsFromFrontmatter(result.Frontmatter)
 	workflowData.Roles = c.extractRoles(result.Frontmatter)

pkg/workflow/compiler_jobs.go

@@ -566,11 +566,18 @@ func (c *Compiler) buildActivationJob(data *WorkflowData, preActivationJobCreate
 		permissions = perms.RenderToYAML()
 	}
 
+	// Set environment if manual-approval is configured
+	var environment string
+	if data.ManualApproval != "" {
+		environment = fmt.Sprintf("environment: %s", data.ManualApproval)
+	}
+
 	job := &Job{
 		Name:        constants.ActivationJobName,
 		If:          activationCondition,
 		RunsOn:      c.formatSafeOutputsRunsOn(data.SafeOutputs),
 		Permissions: permissions,
+		Environment: environment,
 		Steps:       steps,
 		Outputs:     outputs,
 		Needs:       activationNeeds, // Depend on pre-activation job if it exists

pkg/workflow/compiler_yaml.go

@@ -83,6 +83,12 @@ func (c *Compiler) generateYAML(data *WorkflowData, markdownPath string) (string
 		yaml.WriteString(fmt.Sprintf("# Effective stop-time: %s\n", data.StopTime))
 	}
 
+	// Add manual-approval comment if configured
+	if data.ManualApproval != "" {
+		yaml.WriteString("#\n")
+		yaml.WriteString(fmt.Sprintf("# Manual approval required: environment '%s'\n", data.ManualApproval))
+	}
+
 	// Add Mermaid graph of job dependencies
 	mermaidGraph := c.jobManager.GenerateMermaidGraph()
 	if mermaidGraph != "" {