Add internal workflow drift detector

[Copilot]

Adds an internal scheduled agent workflow to detect when one or more gh-aw-*.md workflows have drifted from a structural pattern that most of their peers follow — the typical scenario where a refactor lands across all workflows while a concurrent PR adds a new workflow that misses the refactor.

What's added

• .github/workflows/gh-aw-workflow-drift.md — internal-only scheduled workflow (weekdays ~14:00) that reads all workflow sources, fragments, triggers, and examples, discovers majority conventions, and files a [workflow-drift] issue when outliers are found

Design

Discovery-driven, not prescriptive. Rather than hardcoding specific patterns to check (which would be better served by a linter), the agent reads all workflow files and fragments, determines what the majority conventions are across multiple structural dimensions, and flags deviations that exceed a 75% adoption threshold.

Structural dimensions examined include (but are not limited to):

• Frontmatter fields (imports, inputs, secrets, roles, bots, permissions, tools, network allows, safe-outputs, steps)
• Prompt structure and section ordering
• Trigger/example file alignment
• Naming conventions (concurrency groups, safe-output configs, file names)

Follows the gh-aw-upgrade-check internal-only pattern: schedule trigger embedded directly in the .md frontmatter rather than workflow_call, so it is not surfaced to or installable by external consumers.

Noop is the expected outcome most days — only files an issue when concrete drift is found.

Closes #257

[github-actions]

CI failure root cause identified and fixed: Verify compiled workflows failed because .github/workflows/gh-aw-workflow-drift.md included a literal workflow expression example if: $\{\{ inputs.setup-commands != '' }} in markdown, and the compiler’s expression validation rejects that expression in this scheduled workflow context.

I pushed a fix commit to the PR branch (29a6cb8) replacing that example line with a non-evaluated placeholder (if: (setup-commands input is not empty)), then regenerated and committed the compiled lock file (.github/workflows/gh-aw-workflow-drift.lock.yml) so source and lock stay in sync.

Validation run:

• make compile ✅
• Result: Compiled 33 workflow(s): 0 error(s), 11 warning(s)

No further action is required unless you want to adjust wording in the documentation snippet.

---

What is this? | From workflow: PR Checks Fixer

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

[github-actions]

The failure is caused by expression validation in Verify compiled workflows (job 64364461404): .github/workflows/gh-aw-workflow-drift.md contains inputs.* expressions in prompt code examples (if: $\{\{ inputs.setup-commands != '' }}), which are not allowed for this scheduled workflow type.

Evidence:

• Job log: .github/workflows/gh-aw-workflow-drift.md:1:1: Validation failed for field 'expressions'
• Disallowed expression listed: inputs.setup-commands != ''
• File lines: .github/workflows/gh-aw-workflow-drift.md lines 113 and 115 (also 104) in the PR head content.

Recommended fix:

• Replace literal $\{\{ inputs.* }} examples in this file’s prose/code blocks with non-expression placeholders (for example "(allowed-bot-users input)", if: [setup-commands is non-empty], SETUP_COMMANDS: (setup-commands input)), or escape the $\{\{ ... }} sequence so the compiler does not parse it as a real expression.

Commands/data reviewed:

• Workflow run metadata (run 22247487198) and jobs list
• Failed job logs (job 64364461404) including the compile step output
• PR file content at refs/pull/261/head to map exact offending lines

I did not push a fix in this run.

---

What is this? | From workflow: PR Checks Fixer

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.