Add internal workflow drift detector #261

Merged: strawgate merged 7 commits into main from copilot/add-workflow-drift-trigger on Feb 21, 2026

Copilot AI commented Feb 21, 2026

Adds an internal scheduled agent workflow to detect when one or more gh-aw-*.md workflows have drifted from a structural pattern that most of their peers follow — the typical scenario where a refactor lands across all workflows while a concurrent PR adds a new workflow that misses the refactor.

What's added

  • .github/workflows/gh-aw-workflow-drift.md — internal-only scheduled workflow (weekdays ~14:00) that reads all workflow sources, fragments, triggers, and examples, discovers majority conventions, and files a [workflow-drift] issue when outliers are found

Design

Discovery-driven, not prescriptive. Rather than hardcoding specific patterns to check (which would be better served by a linter), the agent reads all workflow files and fragments, determines what the majority conventions are across multiple structural dimensions, and flags deviations that exceed a 75% adoption threshold.

Structural dimensions examined include (but are not limited to):

  • Frontmatter fields (imports, inputs, secrets, roles, bots, permissions, tools, network allows, safe-outputs, steps)
  • Prompt structure and section ordering
  • Trigger/example file alignment
  • Naming conventions (concurrency groups, safe-output configs, file names)

Follows the gh-aw-upgrade-check internal-only pattern: schedule trigger embedded directly in the .md frontmatter rather than workflow_call, so it is not surfaced to or installable by external consumers.

Noop is the expected outcome most days — only files an issue when concrete drift is found.

Closes #257

Co-authored-by: strawgate <6384545+strawgate@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add internal trigger to detect workflow drift" to "Add internal workflow drift detector" on Feb 21, 2026
Copilot AI requested a review from strawgate February 21, 2026 00:59
@strawgate strawgate marked this pull request as ready for review February 21, 2026 01:05
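The majority-convention idea from the PR description, sketched as an added Python example for one dimension only (top-level frontmatter fields). It is not code from this PR, where the check is done by an agent reading the files; the sample sources, the helper names and the reading of the 75% threshold as "at least 75% of files" are assumptions.

```python
import re
from collections import Counter

THRESHOLD = 0.75  # adoption share named in the PR description

def doc(*fields):
    """Build a constructed workflow source with the given top-level fields."""
    body = "".join(f"{f}:\n  placeholder: true\n" for f in fields)
    return f"---\n{body}---\n# Prompt\n"

# Constructed sample set; file names and field choices are illustrative.
COMMON = ("imports", "permissions", "safe-outputs")
SAMPLE = {
    "gh-aw-a.md": doc(*COMMON),
    "gh-aw-b.md": doc(*COMMON),
    "gh-aw-c.md": doc(*COMMON, "network"),
    "gh-aw-d.md": doc(*COMMON),
    "gh-aw-new.md": doc("imports", "permissions"),  # missed the refactor
}

def top_level_keys(text):
    """Return the unindented keys of the leading '---' frontmatter block."""
    m = re.match(r"---\n(.*?)\n---", text, re.S)
    return set(re.findall(r"^([A-Za-z0-9_-]+):", m.group(1), re.M)) if m else set()

def find_drift(sources, threshold=THRESHOLD):
    """Map each outlier file to the majority fields it lacks."""
    keys = {name: top_level_keys(text) for name, text in sources.items()}
    counts = Counter(k for ks in keys.values() for k in ks)
    drift = {}
    for key, n in counts.items():
        # A convention: adopted by >= threshold of files, but not by all.
        if n < len(sources) and n / len(sources) >= threshold:
            for name, ks in keys.items():
                if key not in ks:
                    drift.setdefault(name, []).append(key)
    return {name: sorted(missing) for name, missing in drift.items()}

if __name__ == "__main__":
    for name, missing in find_drift(SAMPLE).items():
        print(f"[workflow-drift] {name} lacks majority fields: {', '.join(missing)}")
```

A field used by only one file (`network` in the sample) is below the threshold and is not treated as a convention, so the files lacking it are not flagged.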
@github-actions

CI failure root cause identified and fixed: Verify compiled workflows failed because .github/workflows/gh-aw-workflow-drift.md included a literal workflow expression example if: ${{ inputs.setup-commands != '' }} in markdown, and the compiler’s expression validation rejects that expression in this scheduled workflow context.

I pushed a fix commit to the PR branch (29a6cb8) replacing that example line with a non-evaluated placeholder (if: (setup-commands input is not empty)), then regenerated and committed the compiled lock file (.github/workflows/gh-aw-workflow-drift.lock.yml) so source and lock stay in sync.

Validation run:

  • make compile
  • Result: Compiled 33 workflow(s): 0 error(s), 11 warning(s)

No further action is required unless you want to adjust wording in the documentation snippet.


What is this? | From workflow: PR Checks Fixer

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

strawgate and others added 4 commits February 20, 2026 19:18
Instead of hardcoding specific patterns to check (which would be
better served by a linter), instruct the agent to read all workflow
sources and fragments, discover what the majority conventions are,
and flag outliers. Also fixes the compiler error from literal
expressions in code blocks and adds the compiled lock file.

Co-authored-by: Cursor <cursoragent@cursor.com>
@strawgate strawgate merged commit 60c93ab into main Feb 21, 2026
6 of 7 checks passed
@strawgate strawgate deleted the copilot/add-workflow-drift-trigger branch February 21, 2026 01:23
@github-actions

The failure is caused by expression validation in Verify compiled workflows (job 64364461404): .github/workflows/gh-aw-workflow-drift.md contains inputs.* expressions in prompt code examples (if: ${{ inputs.setup-commands != '' }}), which are not allowed for this scheduled workflow type.

Evidence:

  • Job log: .github/workflows/gh-aw-workflow-drift.md:1:1: Validation failed for field 'expressions'
  • Disallowed expression listed: inputs.setup-commands != ''
  • File lines: .github/workflows/gh-aw-workflow-drift.md lines 113 and 115 (also 104) in the PR head content.

Recommended fix:

  • Replace literal ${{ inputs.* }} examples in this file’s prose/code blocks with non-expression placeholders (for example "(allowed-bot-users input)", if: [setup-commands is non-empty], SETUP_COMMANDS: (setup-commands input)), or escape the ${{ ... }} sequence so the compiler does not parse it as a real expression.

Commands/data reviewed:

  • Workflow run metadata (run 22247487198) and jobs list
  • Failed job logs (job 64364461404) including the compile step output
  • PR file content at refs/pull/261/head to map exact offending lines

I did not push a fix in this run.


What is this? | From workflow: PR Checks Fixer

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.
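A local pre-commit check for the failure described in the two bot comments above, as an added Python example that is not the gh-aw compiler's validation logic. It assumes a workflow counts as scheduled when its frontmatter has `schedule:` and no `workflow_call:`; the sample source, cron value and function names are constructed for illustration.

```python
import re

EXPR = re.compile(r"\$\{\{(.*?)\}\}")              # ${{ ... }} expression
INPUTS_REF = re.compile(r"\binputs\.[A-Za-z0-9_-]+")

def sample(trigger):
    """Constructed workflow source using the given trigger line."""
    return (
        "---\n"
        "on:\n"
        f"  {trigger}\n"
        "---\n"
        "# Drift detector prompt\n"
        "\n"
        "Example step condition:\n"
        "    if: ${{ inputs.setup-commands != '' }}\n"
    )

SCHEDULED = sample('schedule: [{cron: "0 14 * * 1-5"}]')
CALLABLE = sample("workflow_call: {}")

def split_frontmatter(text):
    """Return (frontmatter, body, number of lines before the body)."""
    m = re.match(r"---\n(.*?)\n---\n?", text, re.S)
    if not m:
        return "", text, 0
    return m.group(1), text[m.end():], text[:m.end()].count("\n")

def find_input_expressions(text):
    """List (line_number, expression) for inputs.* use in a scheduled workflow."""
    frontmatter, body, offset = split_frontmatter(text)
    scheduled = re.search(r"^\s*schedule:", frontmatter, re.M)
    callable_ = re.search(r"^\s*workflow_call:", frontmatter, re.M)
    if not scheduled or callable_:
        return []  # assumption: inputs.* is only rejected for scheduled workflows
    hits = []
    for number, line in enumerate(body.splitlines(), start=offset + 1):
        for expr in EXPR.findall(line):
            if INPUTS_REF.search(expr):
                hits.append((number, expr.strip()))
    return hits

if __name__ == "__main__":
    for number, expr in find_input_expressions(SCHEDULED):
        print(f"line {number}: disallowed expression: {expr}")
```

Replacing the flagged line with a non-expression placeholder such as `if: (setup-commands input is not empty)`, the fix described in the first bot comment, makes the scan return no hits.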

Development

Successfully merging this pull request may close these issues.

Add workflow drift trigger