Add agentic fix workflow for codegen build failures

[edburns]

Related to #93

Summary

Adds automated detection and repair of Java build failures caused by code generation changes. When @github/copilot is updated (e.g., via Dependabot PR #94) and the regenerated code breaks mvn verify, a gh-aw agentic workflow is triggered to fix the handwritten source code automatically.

Changes

New files

• .github/workflows/codegen-agentic-fix.md — gh-aw manifest for the agentic fix agent. Defines safe-outputs (push-to-pull-request-branch, add-comment, noop), network/tool constraints, and a structured 3-attempt fix loop.
• .github/workflows/codegen-agentic-fix.lock.yml — Compiled gh-aw lockfile with pinned action SHAs, container images, and secret declarations.

Modified files

• .github/workflows/codegen-check.yml — On PRs, regenerated files are now committed back to the PR branch. If mvn verify fails after regeneration, the agentic fix workflow is triggered. Push-to-main behavior is preserved as-is (fail if stale).
• .github/workflows/update-copilot-dependency.yml — After codegen and PR creation, mvn verify is run. On failure, the agentic fix workflow is triggered. Includes a polling loop that waits for the fix to complete and runs a final verification.

Design

The pipeline follows a two-workflow pattern:

1. Trigger workflows (codegen-check.yml, update-copilot-dependency.yml) detect failures and dispatch the agentic fix.
2. Fix workflow (codegen-agentic-fix.lock.yml) runs under gh-aw guardrails with scoped permissions, network firewall, and MCP gateway. It checks out the branch, reproduces the failure, applies fixes to handwritten code only, and pushes via push-to-pull-request-branch safe-output.

Key constraints enforced on the agent:

• Never modify src/generated/java/, pom.xml, scripts/codegen/, or .github/
• Maximum 3 fix attempts before escalating via PR comment
• Must run mvn spotless:apply before committing
• Only pushes if mvn verify passes

Testing

• All workflow files pass actionlint with zero errors
• The codegen-agentic-fix.lock.yml was successfully compiled by gh aw compile v0.68.3
• End-to-end testing will occur when this PR and Configure Dependabot to monitor @github/copilot npm updates #94 are both merged — Dependabot PR Bump @github/copilot from 1.0.24 to 1.0.36 in /scripts/codegen #99 (bump @github/copilot 1.0.24 → 1.0.35) already exists and its Codegen Check is failing as expected

[Copilot]

Pull request overview

Adds an “agentic fix” automation path to detect and repair Java build failures that occur after code generation updates (e.g., following @github/copilot schema bumps), by dispatching a constrained gh-aw workflow when mvn verify fails.

Changes:

• Add a new agentic workflow manifest + compiled lockfile for automated repair attempts.
• Update codegen-check to commit regenerated outputs on PRs and dispatch the agentic fix on mvn verify failure.
• Update update-copilot-dependency to run mvn verify post-codegen and dispatch/poll the agentic fix on failure.

Show a summary per file

File	Description
.github/workflows/update-copilot-dependency.yml	Runs mvn verify after codegen PR creation; dispatches and waits for the agentic fix workflow on failure.
.github/workflows/codegen-check.yml	On PRs, commits regenerated outputs back to the PR branch, runs mvn verify, and dispatches the agentic fix workflow on failure.
.github/workflows/codegen-agentic-fix.md	Defines the gh-aw agent prompt/guardrails and the 3-attempt fix loop.
.github/workflows/codegen-agentic-fix.lock.yml	Compiled gh-aw lockfile with pinned actions/images and safe-output wiring.

Copilot's findings

Comments suppressed due to low confidence (3)

.github/workflows/codegen-check.yml:154

• The polling loop always reads the most recent run for the workflow+branch (--limit=1). If there’s an existing completed run on the branch (or the new run hasn’t been created yet), this can incorrectly “complete” immediately and proceed without waiting for the newly-dispatched run. Consider capturing a timestamp before dispatch and selecting the first run with createdAt after that time, or otherwise correlating the specific run you triggered.

          for i in $(seq 1 60); do
            RUN_ID=$(gh run list \
              --workflow=codegen-agentic-fix.lock.yml \
              --branch="$BRANCH" \
              --limit=1 \
              --json databaseId,status \
              --jq '.[0].databaseId')

            STATUS=$(gh run list \
              --workflow=codegen-agentic-fix.lock.yml \
              --branch="$BRANCH" \
              --limit=1 \
              --json databaseId,status \
              --jq '.[0].status')

.github/workflows/update-copilot-dependency.yml:236

• The wait loop has the same correlation issue as codegen-check: it always polls --limit=1 for the workflow+branch, so it can pick up a previous completed run and stop early (or miss the newly triggered run until later). Capture a start timestamp and filter by createdAt, or otherwise ensure you’re waiting on the specific run that was just dispatched.

          for i in $(seq 1 60); do
            RUN_ID=$(gh run list \
              --workflow=codegen-agentic-fix.lock.yml \
              --branch="$BRANCH" \
              --limit=1 \
              --json databaseId,status \
              --jq '.[0].databaseId')

            STATUS=$(gh run list \
              --workflow=codegen-agentic-fix.lock.yml \
              --branch="$BRANCH" \
              --limit=1 \
              --json databaseId,status \
              --jq '.[0].status')

.github/workflows/codegen-agentic-fix.md:115

• Same truncation concern when verifying fixes (mvn verify 2>&1 | tail -100): if the remaining failure is earlier in the log, the agent may not see it and can loop unproductively. Keep the full Maven output available (e.g., tee to a file) and only tail for the step summary if needed.

4. **Verify the fix:**
   ```bash
   mvn verify 2>&1 | tail -100

</details>


- **Files reviewed:** 4/4 changed files
- **Comments generated:** 4