
Audit all gh-aw workflows against official documentation and samples #173

@microsasa

Description


Goal

Full audit of every gh-aw workflow in this repo against the official gh-aw documentation (https://github.github.com/gh-aw/) and samples in github.com/github/gh-aw. We have been learning gh-aw through trial and error and have hit multiple issues that could have been avoided by reading the docs first. This audit should catch any remaining misconfigurations before they bite us in production.

Scope

For each gh-aw workflow (.md + .lock.yml):

1. Triggers

  • Is the trigger type the best fit for our use case?
  • Are we using workflow_dispatch inputs correctly?
  • Do we need if: frontmatter conditions? Are they correct?
  • Are roles: and bots: configured properly (or omitted due to gh-aw#21098)?

2. Safe Outputs

  • Is each safe output target value correct for the trigger type?
    • "triggering" for event-based triggers
    • ${{ inputs.pr_number }} for workflow_dispatch when the handler lacks a PR number field
    • "*" for workflow_dispatch when the handler has item_number/comment_id in its schema
  • Are max limits appropriate?
  • Are github-token values set where needed?
  • Are we missing any useful safe outputs? (e.g., update-pull-request, see #165 "Responder cannot update PR title/description — add update_pull_request safe output"; resolve-pull-request-review-thread)
  • Are footer, labels, protected-files configs optimal?

3. Permissions

  • Are we requesting minimum necessary permissions?
  • Any permissions we have that we don't need?
  • Any permissions we need that we don't have?

4. Network

  • Are network.allowed domains correct? (e.g., astral.sh keeps getting blocked for uv/ruff installs)
  • Are we allowing too much?

5. Engine / Model

  • Are we using the right model for each workflow?
  • Is Opus overkill for any of these? Could Sonnet handle some?

6. Tools

  • Are toolsets configured correctly?
  • Are we using --allow-all-tools where we should/shouldn't?

7. Checkout / Fetch

  • Do workflows that push code have fetch: ["*"] and fetch-depth: 0?
  • Do read-only workflows unnecessarily fetch too much?

Workflows to audit

Workflow               File                       Current trigger
Issue Implementer      issue-implementer.md       workflow_dispatch
Review Responder       review-responder.md        workflow_dispatch
CI Fixer               ci-fixer.md                workflow_dispatch
Quality Gate           quality-gate.md            workflow_dispatch
Code Health            code-health.md             TBD
Test Analysis          test-analysis.md           TBD
Pipeline Orchestrator  pipeline-orchestrator.yml  workflow_run / push / pull_request_review / workflow_dispatch
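As a starting point for the audit above, here is an added helper (not code from this repo or from gh-aw) that applies checks 2, 4 and 7 of the scope list to a workflow's parsed frontmatter and runs it over a constructed frontmatter for the Review Responder row. It assumes the frontmatter has already been parsed into a dict (e.g. with PyYAML) and that the keys `on`, `safe-outputs`, `target`, `max`, `network.allowed`, `fetch` and `fetch-depth` sit at the positions used below; the exact gh-aw schema is an assumption, as is the `pushes_code` flag the caller supplies.

```python
# Added audit helper for the checklist above (not part of this repo or gh-aw).
# Frontmatter is assumed already parsed into a dict (e.g. with PyYAML); the key
# names follow the checklist, but the exact gh-aw schema is an assumption.

def audit_workflow(name, fm, required_domains=(), pushes_code=False):
    """Return a list of findings for one workflow's frontmatter."""
    findings = []
    triggers = fm.get("on") or {}
    is_dispatch = "workflow_dispatch" in triggers
    has_event = any(t != "workflow_dispatch" for t in triggers)

    # Check 2: each safe-output target must match the trigger type.
    for so_name, so in (fm.get("safe-outputs") or {}).items():
        if not isinstance(so, dict):
            continue
        target = so.get("target")
        if is_dispatch and not has_event and target == "triggering":
            findings.append(f"{name}: {so_name} targets 'triggering' but only workflow_dispatch runs it")
        if has_event and target not in (None, "triggering"):
            findings.append(f"{name}: {so_name} target {target!r} on an event trigger; expected 'triggering'")
        if "max" not in so:
            findings.append(f"{name}: {so_name} has no max limit")

    # Check 4: the network allowlist must cover every domain the workflow needs.
    allowed = set((fm.get("network") or {}).get("allowed") or [])
    for domain in required_domains:
        if domain not in allowed:
            findings.append(f"{name}: network.allowed is missing {domain}")

    # Check 7: pushing workflows need full history; read-only ones should not fetch it.
    fetch = fm.get("fetch")
    depth = fm.get("fetch-depth")
    if pushes_code and (fetch != ["*"] or depth != 0):
        findings.append(f"{name}: pushes code but lacks fetch: ['*'] and fetch-depth: 0")
    if not pushes_code and depth == 0:
        findings.append(f"{name}: read-only workflow fetches full history (fetch-depth: 0)")
    return findings


# Constructed sample frontmatter (assumed shape) for the Review Responder row above.
SAMPLE_REVIEW_RESPONDER = {
    "on": {"workflow_dispatch": {"inputs": {"pr_number": {"type": "number"}}}},
    "safe-outputs": {"add-comment": {"target": "triggering"}},
    "network": {"allowed": ["github.com"]},
    "fetch-depth": 0,
}

# Running it on the sample reports four findings: wrong target, no max,
# astral.sh missing from the allowlist, and a needless full-history fetch.
FINDINGS = audit_workflow("review-responder", SAMPLE_REVIEW_RESPONDER, required_domains=("astral.sh",))
```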

Reference

Metadata

Labels: enhancement (New feature or request)