Upgrade gh-aw compiler to v0.47.4 with inline prompts

[strawgate]

Summary

• Upgrade gh-aw compiler from v0.45.1 to v0.47.4 using the strawgate/gh-aw@feature/inline-prompt fork with --inline-prompt --action-mode release flags
• Move roles: from root level to under on: in all 31 workflow .md files (breaking change from v0.46.2)
• Move bots: from root level to under on: in 6 workflow .md files (duplicate-issue-detector, issue-triage, issue-triage-pr, pr-review, docs-pr-review, update-pr-body)
• Compile target switched to .bin/ directory with clone-and-build from fork (Go module path mismatch prevents go install)
• Recompiled all 31 workflows: 0 errors, 10 warnings (all expected experimental safe-inputs warnings)

Compiler changes picked up

• v0.46.0: Injection attack prevention — numeric context variables validated (new "Validate context variables" step)
• v0.46.2: roles/bots moved under on: (breaking), secret detection in env sections, expanded safe-output deny-lists
• v0.46.5: Safe output items manifest (audit trail uploaded as artifact), false positive numeric validation fix
• v0.47.1–v0.47.2: MCP SDK security patch, credential cleanup, persist-credentials validation, expanded ecosystem domains
• Inline prompts: Fragment content inlined at compile time rather than using runtime-import directives
• Version bumps: Copilot CLI 0.0.410→0.0.412, awf firewall 0.20.0→0.20.2, GitHub MCP Server v0.30.3→v0.31.0
• pull-requests: write removed from add-comment-only workflows (e.g., duplicate-issue-detector)
• Missing trigger files generated: trigger-docs-drift-external.yml and trigger-docs-new-contributor-review-external.yml now created by dogfood sync

Fixes #238
Fixes #212
Fixes #110

Test plan

• Verify make compile produces 0 errors
• Spot-check a lock file to confirm prompts are inlined (no {{#runtime-import}} directives)
• Trigger one workflow (e.g., duplicate-issue-detector on a test issue) to confirm end-to-end functionality
• Verify duplicate-issue-detector no longer requests pull-requests: write permission

Made with Cursor

Summary by CodeRabbit

• Chores

  • Upgraded GH-AW setup and tooling versions; bumped Copilot agent/AWF and related container images.
  • Expanded allowed domains and added token fallback logic for server authentication.
  • Moved role declarations to more granular workflow scopes; updated build/install invocation and added a local tools ignore rule.
  • Minor step/label renames for clarity.

• New Features

  • Added context-variable validation early in workflows.
  • Emit safe-output-items manifest artifacts and improved PR checkout handling.

[coderabbitai]

📝 Walkthrough

Walkthrough

Bumps GH‑AW tooling and images to v0.47.x across many workflows, adds context validation and safe‑output manifest uploads, moves roles/bots declarations under on/secrets, adds two trigger workflows, updates Makefile to build a local gh-aw binary, and updates lock entries for new setup action versions.

Changes

Cohort / File(s)	Summary
Infrastructure & Build \.github/aw/actions-lock.json, Makefile, .gitignore	Added lock entries for github/gh-aw/actions/setup@v0.47.2 and @v0.47.4; bumped GH_AW_VERSION and changed Makefile to build/use ./.bin/gh-aw from feature/inline-prompt; added .bin/ to .gitignore.
New trigger workflows \.github/workflows/trigger-docs-drift-external.yml, \.github/workflows/trigger-docs-new-contributor-review-external.yml	Added two scheduled / dispatch workflows that invoke corresponding reusable gh‑aw workflows and pass COPILOT_GITHUB_TOKEN as a secret.
Agentic workflows (bulk updates) \.github/workflows/gh-aw-*.lock.yml, \.github/workflows/gh-aw-*.md, \.github/workflows/agentics-maintenance.yml, \.github/workflows/ci.yml	Cross-cutting updates across 30+ agentic workflows: upgrade setup action refs to v0.47.x; bump agent/awf and container image tags; add Validate context variables step (actions/github-script); add Upload safe output items manifest artifact steps; expand GH_AW_ALLOWED_DOMAINS and token fallbacks (GITHUB_MCP_SERVER_TOKEN); rename log steps (Echo → Print); move roles/bots into on/on.secrets.

Sequence Diagram(s)

sequenceDiagram
    actor GitHub_Workflow as Workflow
    participant Setup as gh-aw/setup
    participant Script as actions/github-script
    participant Runner as Copilot_Runner
    participant MCP as MCP_Server
    participant Artifacts as GitHub_Artifacts

    Workflow->>Setup: run Setup Scripts (v0.47.x or local ./actions/setup)
    Setup-->>Workflow: setup env, binaries
    Workflow->>Script: Execute setup_globals + validate_context_variables
    Script-->>Workflow: validated context (env, tokens)
    Workflow->>Runner: start Copilot agent (agent image, AWF)
    Runner->>MCP: communicate / authenticate (GITHUB_MCP_SERVER_TOKEN fallback)
    Runner-->>Workflow: produce safe outputs (/tmp/safe-output-items.jsonl)
    Workflow->>Artifacts: Upload artifact safe-output-items.jsonl
    Artifacts-->>Workflow: artifact stored

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 I nibbled old v0.45,
Then hopped to v0.47 alive,
Checks validate the burrow's state,
Safe outputs stored on every crate,
A tiny rabbit cheers: build and thrive!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Upgrade gh-aw compiler to v0.47.4 with inline prompts' accurately summarizes the main change: upgrading the gh-aw compiler version and enabling inline prompt compilation.
Linked Issues check	✅ Passed	All code objectives from the three linked issues are met: #238's inline-prompt Makefile setup implemented, #212's gh-aw upgrade to v0.47.4 with roles/bots restructuring completed across 31 workflows, and #110's pull-requests:write removal applied to add-comment workflows.
Out of Scope Changes check	✅ Passed	Changes are tightly scoped to the linked objectives: compiler upgrade, workflow restructuring per v0.46.2 breaking changes, permission refinements, and new trigger workflow files generated by dogfood sync—all directly supporting the three linked issues.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch bump-to-latest-compiler

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

CI failed in job Verify compiled workflows (job 64353908203), step Ensure lock files are up to date.

Root cause: after Compile workflows, git status --porcelain was still dirty and the check exited 1. The log shows these uncommitted generated files:

• .github/workflows/agentics-maintenance.yml
• .github/workflows/trigger-issue-triage.yml
• .github/workflows/trigger-mention-in-issue.yml
• .github/workflows/trigger-mention-in-pr.yml

Recommended fix (minimal): regenerate and commit the generated workflow outputs so make compile is clean in CI. Concretely, run the project’s compile flow locally (e.g. make compile), verify git status --porcelain is empty, and include those updated .yml files in the PR.

What I ran:

• Retrieved run/job metadata for run 22243994532
• Retrieved failed job logs and confirmed exact failing step + dirty files
• No additional local tests executed (read-only CI log triage).

---

What is this? | From workflow: PR CI Detective

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

[github-actions]

Requesting changes due to reproducibility and upgrade-path regressions in Makefile that can leave developers on stale compiler binaries and produce non-deterministic compiler behavior.

---

What is this? | From workflow: PR Review Agent

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not. for issue #240

[github-actions]

CI failed only in Verify compiled workflows (job 64353908203) at step Ensure lock files are up to date because make compile left the working tree dirty.

Root cause from logs: after compile, these tracked generated workflow files changed and were not committed in the PR:

• .github/workflows/agentics-maintenance.yml
• .github/workflows/trigger-issue-triage.yml
• .github/workflows/trigger-mention-in-issue.yml
• .github/workflows/trigger-mention-in-pr.yml

Recommended fix: run make compile, commit those regenerated files, and rerun CI. The other CI jobs (Validate GitHub Actions workflows and Validate GitHub Actions composite actions) already passed.

---

What is this? | From workflow: PR Checks Fixer

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (4)

.github/workflows/gh-aw-pr-ci-fixer.lock.yml (1)

1280-1280: GH_AW_GROUP_REPORTS set to "false" — confirm this is intentional for PR CI Fixer.

This env var was added (or changed) to explicitly disable grouped reports. For a workflow that targets a single PR and run, this makes sense (each invocation is scoped to one CI failure). Worth confirming this matches expectations if other workflows have it set differently.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-pr-ci-fixer.lock.yml at line 1280, The workflow sets
GH_AW_GROUP_REPORTS: "false" which disables grouped reports; confirm whether PR
CI Fixer should produce grouped reports and if not leave as-is, otherwise change
the GH_AW_GROUP_REPORTS environment variable in the workflow to "true" (or
remove the override to inherit the repository default) and add a brief comment
near the GH_AW_GROUP_REPORTS entry explaining the intended scope for this
workflow so future reviewers know the choice was intentional.

.github/workflows/gh-aw-upgrade-check.md (1)

56-58: Prompt monitors github/gh-aw releases, but the installed binary comes from strawgate/gh-aw

The prompt's data-gathering step queries gh api repos/github/gh-aw/releases and fetches the CHANGELOG from github/gh-aw/main. After this PR, the actual compiler binary is installed from strawgate/gh-aw@feature/inline-prompt. If the inline-prompt feature branch hasn't been merged upstream to github/gh-aw, the upgrade-check workflow will compare the Makefile's GH_AW_VERSION against canonical upstream releases—potentially flagging version mismatches or missing upgrade notices that don't apply to the fork, and vice versa.

Consider updating both URLs to point at strawgate/gh-aw (or adding a comment clarifying the intentional split) so the monitor stays accurate.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-upgrade-check.md around lines 56 - 58, The workflow
currently queries upstream release endpoints ('gh api
repos/github/gh-aw/releases?per_page=10') and fetches the upstream CHANGELOG
('https://raw.githubusercontent.com/github/gh-aw/main/CHANGELOG.md') while our
installed binary comes from the fork/branch
(strawgate/gh-aw@feature/inline-prompt) and the Makefile variable GH_AW_VERSION
reflects that; update the workflow to point to the forked repo by replacing
those two URLs with the strawgate equivalents (e.g., 'gh api
repos/strawgate/gh-aw/releases?per_page=10' and the raw CHANGELOG URL under
strawgate) or alternatively add a clear comment above the steps explaining the
intentional forked source and why the upstream check is skipped so the monitor's
checks align with GH_AW_VERSION.

.github/workflows/gh-aw-mention-in-issue.lock.yml (1)

91-93: Remove unused activation job outputs comment_id and comment_repo.

These outputs are never referenced by any downstream job in this workflow or by the calling trigger workflow (gh-agent-workflows/mention-in-issue/example.yml). They're hardcoded to empty strings and add unnecessary surface area. Since this file is auto-generated by the gh-aw compiler, update the corresponding .md source file and recompile to remove them.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-mention-in-issue.lock.yml around lines 91 - 93,
Remove the unused hardcoded outputs "comment_id" and "comment_repo" from the
activation job in the generated workflow; update the source markdown template
that generates this workflow (the .md used by the gh-aw compiler) to delete
these outputs from the activation job definition and then re-run the gh-aw
compiler to regenerate the .github/workflows/gh-aw-mention-in-issue.lock.yml so
the activation job no longer emits "outputs: comment_id" or "comment_repo".

.github/aw/actions-lock.json (1)

53-57: Remove unused v0.47.2 entry from actions-lock.json.

v0.47.2 is pinned in the lock file but is not referenced by any compiled workflow lock file in .github/workflows/. Only v0.47.4 (the declared upgrade target) is needed.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/aw/actions-lock.json around lines 53 - 57, Remove the unused lock
entry "github/gh-aw/actions/setup@v0.47.2" from actions-lock.json: delete the
entire object keyed by that version so only the needed "v0.47.4" entry remains,
verify no compiled workflow in .github/workflows/ references v0.47.2, and then
regenerate/compile the workflow lock files so the lock file matches the actual
referenced actions.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/agentics-maintenance.yml:
- Line 52: The workflow generator is emitting an old setup action version;
update the version string in the maintenance workflow generator so the emitted
line uses github/gh-aw/actions/setup@da463a765059a5eed4cc345a003ecfc71c45ec49
(v0.47.4). Locate the template or constant in
pkg/workflow/maintenance_workflow.go (search for "github/gh-aw/actions/setup" or
the current "@v0.45.7" literal) and replace it with the new tag/commit hash so
generated agentics-maintenance.yml matches the other regenerated workflows.

In `@Makefile`:
- Around line 119-126: The Makefile currently clones gh-aw using a mutable
branch name "feature/inline-prompt" which can change over time; update the
install steps (the recipe that sets TMPDIR, clones gh-aw and runs
GOBIN="$(CURDIR)/.bin" go install ./cmd/gh-aw) to pin to an explicit commit: add
a variable (e.g., GH_AW_COMMIT or reuse GH_AW_VERSION) and after cloning check
out that commit (or clone then git -C "$$TMPDIR/gh-aw" fetch && git -C
"$$TMPDIR/gh-aw" checkout "$$GH_AW_COMMIT") so the built binary matches the
committed lockfiles instead of following the mutable feature/inline-prompt
branch.

---

Nitpick comments:
In @.github/aw/actions-lock.json:
- Around line 53-57: Remove the unused lock entry
"github/gh-aw/actions/setup@v0.47.2" from actions-lock.json: delete the entire
object keyed by that version so only the needed "v0.47.4" entry remains, verify
no compiled workflow in .github/workflows/ references v0.47.2, and then
regenerate/compile the workflow lock files so the lock file matches the actual
referenced actions.

In @.github/workflows/gh-aw-mention-in-issue.lock.yml:
- Around line 91-93: Remove the unused hardcoded outputs "comment_id" and
"comment_repo" from the activation job in the generated workflow; update the
source markdown template that generates this workflow (the .md used by the gh-aw
compiler) to delete these outputs from the activation job definition and then
re-run the gh-aw compiler to regenerate the
.github/workflows/gh-aw-mention-in-issue.lock.yml so the activation job no
longer emits "outputs: comment_id" or "comment_repo".

In @.github/workflows/gh-aw-pr-ci-fixer.lock.yml:
- Line 1280: The workflow sets GH_AW_GROUP_REPORTS: "false" which disables
grouped reports; confirm whether PR CI Fixer should produce grouped reports and
if not leave as-is, otherwise change the GH_AW_GROUP_REPORTS environment
variable in the workflow to "true" (or remove the override to inherit the
repository default) and add a brief comment near the GH_AW_GROUP_REPORTS entry
explaining the intended scope for this workflow so future reviewers know the
choice was intentional.

In @.github/workflows/gh-aw-upgrade-check.md:
- Around line 56-58: The workflow currently queries upstream release endpoints
('gh api repos/github/gh-aw/releases?per_page=10') and fetches the upstream
CHANGELOG ('https://raw.githubusercontent.com/github/gh-aw/main/CHANGELOG.md')
while our installed binary comes from the fork/branch
(strawgate/gh-aw@feature/inline-prompt) and the Makefile variable GH_AW_VERSION
reflects that; update the workflow to point to the forked repo by replacing
those two URLs with the strawgate equivalents (e.g., 'gh api
repos/strawgate/gh-aw/releases?per_page=10' and the raw CHANGELOG URL under
strawgate) or alternatively add a clear comment above the steps explaining the
intentional forked source and why the upstream check is skipped so the monitor's
checks align with GH_AW_VERSION.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/ci.yml (1)

39-46: ⚠️ Potential issue | 🟠 Major

Document or resolve the undocumented exemption of agentics-maintenance.yml from the compile-freshness check

The new git checkout -- line hard-resets .github/workflows/agentics-maintenance.yml (an auto-generated file) immediately before the git status --porcelain dirty-tree check. This silently exempts that file from the freshness assertion without explanation.

Since agentics-maintenance.yml is auto-generated by gh-aw compile and tracked in git, any divergence after compilation will go undetected. This defeats the purpose of the "Ensure lock files are up to date" check for this file.

Add an inline comment explaining the exemption and linking to any tracking issue, or fix the root cause in the compiler to ensure idempotent output:

Suggested explicit approach

       - name: Ensure lock files are up to date
         run: |
+          # TODO: agentics-maintenance.yml is non-idempotent under `make compile`
+          # due to <reason / link to tracking issue>. Reset it before the dirty check
+          # until the root cause is resolved.
           git checkout -- .github/workflows/agentics-maintenance.yml
           if [ -n "$(git status --porcelain)" ]; then

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml around lines 39 - 46, The CI step named "Ensure
lock files are up to date" currently runs a hard reset via the command "git
checkout -- .github/workflows/agentics-maintenance.yml", which silently exempts
that auto-generated file from the freshness check; either remove that git
checkout and fix the generator (gh-aw compile) so agentics-maintenance.yml is
idempotent, or if you need a short-term exemption, replace the hard reset with
an explicit inline comment explaining why the file is exempt and link to the
tracking issue/PR; locate the "Ensure lock files are up to date" step and the
"git checkout -- .github/workflows/agentics-maintenance.yml" invocation to apply
the change.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In @.github/workflows/ci.yml:
- Around line 39-46: The CI step named "Ensure lock files are up to date"
currently runs a hard reset via the command "git checkout --
.github/workflows/agentics-maintenance.yml", which silently exempts that
auto-generated file from the freshness check; either remove that git checkout
and fix the generator (gh-aw compile) so agentics-maintenance.yml is idempotent,
or if you need a short-term exemption, replace the hard reset with an explicit
inline comment explaining why the file is exempt and link to the tracking
issue/PR; locate the "Ensure lock files are up to date" step and the "git
checkout -- .github/workflows/agentics-maintenance.yml" invocation to apply the
change.

[github-actions]

Requesting changes: make compile currently skips source sync, which can generate lockfiles from stale workflow inputs.

---

What is this? | From workflow: PR Review Agent

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not. for issue #240

[github-actions]

[HIGH] make compile no longer syncs workflow sources before compilation

Dropping sync from the compile target means edits under gh-agent-workflows/ and related fragments are no longer copied into .github/workflows/ before gh-aw compile runs. A concrete failure case is updating a source workflow markdown file and running make compile: lock files are generated from stale copied inputs, so compiled outputs can silently miss the latest source changes.

Suggested change

	compile: setup-gh-aw
	compile: setup-gh-aw sync