Fix agentic workflow CI failures

.github/agents/agentic-workflows.agent.md

@@ -19,7 +19,6 @@ This is a **dispatcher agent** that routes your request to the appropriate speci
 - **Creating shared components**: Routes to `create-shared-agentic-workflow` prompt
 - **Fixing Dependabot PRs**: Routes to `dependabot` prompt — use this when Dependabot opens PRs that modify generated manifest files (`.github/workflows/package.json`, `.github/workflows/requirements.txt`, `.github/workflows/go.mod`). Never merge those PRs directly; instead update the source `.md` files and rerun `gh aw compile --dependabot` to bundle all fixes
 - **Analyzing test coverage**: Routes to `test-coverage` prompt — consult this whenever the workflow reads, analyzes, or reports on test coverage data from PRs or CI runs
-- **CLI commands and triggering workflows**: Routes to `cli-commands` guide — consult this whenever the user asks how to run, compile, debug, or manage workflows from the command line, or when they need the MCP tool equivalent of a `gh aw` command
 
 Workflows may optionally include:
 
@@ -130,17 +129,6 @@ When you interact with this agent, it will:
 - "Analyze coverage trends over time"
 - "Add a coverage gate that blocks PRs below a threshold"
 
-### CLI Commands Reference
-**Load when**: The user asks how to run, compile, debug, or manage workflows from the command line; needs the MCP tool equivalent of a `gh aw` command; or is in a restricted environment (e.g., Copilot Cloud) without direct CLI access.
-
-**Reference file**: https://github.com/github/gh-aw/blob/main/.github/aw/cli-commands.md
-
-**Use cases**:
-- "How do I trigger workflow X on the main branch?"
-- "What's the MCP equivalent of `gh aw logs`?"
-- "I'm in Copilot Cloud — how do I compile a workflow?"
-- "Show me all available gh aw commands"
-
 ## Instructions
 
 When a user interacts with you:
@@ -159,10 +147,6 @@ gh aw init
 # Generate the lock file for a workflow
 gh aw compile [workflow-name]
 
-# Trigger a workflow on demand (preferred over gh workflow run)
-gh aw run <workflow-name>             # interactive input collection
-gh aw run <workflow-name> --ref main  # run on a specific branch
-
 # Debug workflow runs
 gh aw logs [workflow-name]
 gh aw audit <run-id>
@@ -190,7 +174,4 @@ gh aw compile --validate
 - Workflows must be compiled to `.lock.yml` files before running in GitHub Actions
 - **Bash tools are enabled by default** - Don't restrict bash commands unnecessarily since workflows are sandboxed by the AWF
 - Follow security best practices: minimal permissions, explicit network access, no template injection
-- **Network configuration**: Use ecosystem identifiers (`node`, `python`, `go`, etc.) or explicit FQDNs in `network.allowed`. Bare shorthands like `npm` or `pypi` are **not** valid. See https://github.com/github/gh-aw/blob/main/.github/aw/network.md for the full list of valid ecosystem identifiers and domain patterns.
 - **Single-file output**: When creating a workflow, produce exactly **one** workflow `.md` file. Do not create separate documentation files (architecture docs, runbooks, usage guides, etc.). If documentation is needed, add a brief `## Usage` section inside the workflow file itself.
-- **Triggering runs**: Always use `gh aw run <workflow-name>` to trigger a workflow on demand — not `gh workflow run <file>.lock.yml`. `gh aw run` handles workflow resolution by short name, input parsing and validation, and correct run-tracking for agentic workflows. Use `--ref <branch>` to run on a specific branch.
-- **CLI commands reference**: For a complete guide on all `gh aw` commands and their MCP tool equivalents (for restricted environments), see https://github.com/github/gh-aw/blob/main/.github/aw/cli-commands.md

.github/instructions/agentic-workflows.instructions.md

@@ -0,0 +1,16 @@
+---
+description: "Agentic workflow recompilation: always recompile after changing workflow files"
+---
+
+# Agentic Workflows
+
+After modifying any `.md` workflow file under `.github/workflows/`, always
+recompile both agentic workflows and APM integration files before committing:
+
+```bash
+gh aw compile
+apm compile
+```
+
+Commit the regenerated `.lock.yml` and integration files together with your
+changes. The CI `APM Self-Check` job will fail if generated files are stale.

.github/workflows/agentics-maintenance.yml

@@ -104,7 +104,7 @@ jobs:
           persist-credentials: false
 
       - name: Setup Scripts
-        uses: ./actions/setup
+        uses: github/gh-aw/actions/setup@4a32129491598c66908107001a88d8e5cad631c8 # v0.72.1
         with:
           destination: ${{ runner.temp }}/gh-aw/actions
 
@@ -149,7 +149,7 @@ jobs:
           persist-credentials: false
 
       - name: Setup Scripts
-        uses: ./actions/setup
+        uses: github/gh-aw/actions/setup@4a32129491598c66908107001a88d8e5cad631c8 # v0.72.1
         with:
           destination: ${{ runner.temp }}/gh-aw/actions
 
@@ -178,7 +178,7 @@ jobs:
           persist-credentials: false
 
       - name: Setup Scripts
-        uses: ./actions/setup
+        uses: github/gh-aw/actions/setup@4a32129491598c66908107001a88d8e5cad631c8 # v0.72.1
         with:
           destination: ${{ runner.temp }}/gh-aw/actions
 
@@ -192,21 +192,17 @@ jobs:
             const { main } = require('${{ runner.temp }}/gh-aw/actions/check_team_member.cjs');
             await main();
 
-      - name: Setup Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - name: Install gh-aw
+        uses: github/gh-aw/actions/setup-cli@4a32129491598c66908107001a88d8e5cad631c8 # v0.72.1
         with:
-          go-version-file: go.mod
-          cache: true
-
-      - name: Build gh-aw
-        run: make build
+          version: v0.72.1
 
       - name: Run operation
         uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GH_AW_OPERATION: ${{ inputs.operation }}
-          GH_AW_CMD_PREFIX: ./gh-aw
+          GH_AW_CMD_PREFIX: gh aw
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
@@ -234,7 +230,7 @@ jobs:
           persist-credentials: false
 
       - name: Setup Scripts
-        uses: ./actions/setup
+        uses: github/gh-aw/actions/setup@4a32129491598c66908107001a88d8e5cad631c8 # v0.72.1
         with:
           destination: ${{ runner.temp }}/gh-aw/actions
 
@@ -280,7 +276,7 @@ jobs:
           persist-credentials: false
 
       - name: Setup Scripts
-        uses: ./actions/setup
+        uses: github/gh-aw/actions/setup@4a32129491598c66908107001a88d8e5cad631c8 # v0.72.1
         with:
           destination: ${{ runner.temp }}/gh-aw/actions
 
@@ -324,7 +320,7 @@ jobs:
           persist-credentials: false
 
       - name: Setup Scripts
-        uses: ./actions/setup
+        uses: github/gh-aw/actions/setup@4a32129491598c66908107001a88d8e5cad631c8 # v0.72.1
         with:
           destination: ${{ runner.temp }}/gh-aw/actions
 
@@ -338,19 +334,15 @@ jobs:
             const { main } = require('${{ runner.temp }}/gh-aw/actions/check_team_member.cjs');
             await main();
 
-      - name: Setup Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - name: Install gh-aw
+        uses: github/gh-aw/actions/setup-cli@4a32129491598c66908107001a88d8e5cad631c8 # v0.72.1
         with:
-          go-version-file: go.mod
-          cache: true
-
-      - name: Build gh-aw
-        run: make build
+          version: v0.72.1
 
       - name: Create missing labels
         uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         env:
-          GH_AW_CMD_PREFIX: ./gh-aw
+          GH_AW_CMD_PREFIX: gh aw
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
@@ -374,7 +366,7 @@ jobs:
           persist-credentials: false
 
       - name: Setup Scripts
-        uses: ./actions/setup
+        uses: github/gh-aw/actions/setup@4a32129491598c66908107001a88d8e5cad631c8 # v0.72.1
         with:
           destination: ${{ runner.temp }}/gh-aw/actions
 
@@ -388,14 +380,10 @@ jobs:
             const { main } = require('${{ runner.temp }}/gh-aw/actions/check_team_member.cjs');
             await main();
 
-      - name: Setup Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - name: Install gh-aw
+        uses: github/gh-aw/actions/setup-cli@4a32129491598c66908107001a88d8e5cad631c8 # v0.72.1
         with:
-          go-version-file: go.mod
-          cache: true
-
-      - name: Build gh-aw
-        run: make build
+          version: v0.72.1
 
       - name: Restore activity report logs cache
         id: activity_report_logs_cache
@@ -411,7 +399,7 @@ jobs:
         shell: bash
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GH_AW_CMD_PREFIX: ./gh-aw
+          GH_AW_CMD_PREFIX: gh aw
         run: |
           ${GH_AW_CMD_PREFIX} logs \
             --repo "${{ github.repository }}" \
@@ -482,7 +470,7 @@ jobs:
           persist-credentials: false
 
       - name: Setup Scripts
-        uses: ./actions/setup
+        uses: github/gh-aw/actions/setup@4a32129491598c66908107001a88d8e5cad631c8 # v0.72.1
         with:
           destination: ${{ runner.temp }}/gh-aw/actions
 
@@ -519,7 +507,7 @@ jobs:
           persist-credentials: false
 
       - name: Setup Scripts
-        uses: ./actions/setup
+        uses: github/gh-aw/actions/setup@4a32129491598c66908107001a88d8e5cad631c8 # v0.72.1
         with:
           destination: ${{ runner.temp }}/gh-aw/actions
 
@@ -533,19 +521,15 @@ jobs:
             const { main } = require('${{ runner.temp }}/gh-aw/actions/check_team_member.cjs');
             await main();
 
-      - name: Setup Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - name: Install gh-aw
+        uses: github/gh-aw/actions/setup-cli@4a32129491598c66908107001a88d8e5cad631c8 # v0.72.1
         with:
-          go-version-file: go.mod
-          cache: true
-
-      - name: Build gh-aw
-        run: make build
+          version: v0.72.1
 
       - name: Validate workflows and file issue on findings
         uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         env:
-          GH_AW_CMD_PREFIX: ./gh-aw
+          GH_AW_CMD_PREFIX: gh aw
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
@@ -569,22 +553,18 @@ jobs:
         with:
           persist-credentials: false
 
-      - name: Setup Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - name: Install gh-aw
+        uses: github/gh-aw/actions/setup-cli@4a32129491598c66908107001a88d8e5cad631c8 # v0.72.1
         with:
-          go-version-file: go.mod
-          cache: true
-
-      - name: Build gh-aw
-        run: make build
+          version: v0.72.1
 
       - name: Compile workflows
         run: |
-          ./gh-aw compile --validate --validate-images --verbose
+          gh aw compile --validate --validate-images --verbose
           echo "✓ All workflows compiled successfully"
 
       - name: Setup Scripts
-        uses: ./actions/setup
+        uses: github/gh-aw/actions/setup@4a32129491598c66908107001a88d8e5cad631c8 # v0.72.1
         with:
           destination: ${{ runner.temp }}/gh-aw/actions
 
@@ -616,7 +596,7 @@ jobs:
           node-version: '22'
 
       - name: Setup Scripts
-        uses: ./actions/setup
+        uses: github/gh-aw/actions/setup@4a32129491598c66908107001a88d8e5cad631c8 # v0.72.1
         with:
           destination: ${{ runner.temp }}/gh-aw/actions