
Enforce gh aw compile + lock-file regeneration for agentic workflows #4298

Open
priyankatiwari08 wants to merge 2 commits into main from dev/prtiwar/enforce-gh-aw-compile

priyankatiwari08 commented May 20, 2026

What

Enforces that any edit to a gh aw agentic workflow (.github/workflows/**/*.md) is accompanied by its regenerated sibling .lock.yml in the same PR.

Two changes:

  1. New path-scoped instruction file: .github/instructions/agentic-workflows.instructions.md

    • applyTo: ".github/workflows/**/*.md" so GitHub Copilot (chat, coding agent, PR review) auto-loads the rule whenever a workflow .md is being edited or reviewed.
    • Spells out the mandatory gh aw compile + commit-the-.lock.yml rule, local verification steps, and a reviewer checklist.
  2. New CI guard workflow: .github/workflows/verify-aw-lock.yml

    • Triggers on PRs that touch .github/workflows/**/*.md or **/*.lock.yml.
    • Installs gh-aw, runs gh aw compile, and fails the PR if any .lock.yml is stale relative to its .md source.

Why

We hit a runtime failure in #4279 because a workflow .md was edited without regenerating its .lock.yml. Documentation alone is not enough — this PR adds both an AI-readable nudge (the instruction file) and a hard CI gate (the verify workflow) so the failure mode is prevented going forward.

How it works

| Layer | Mechanism | Audience |
| --- | --- | --- |
| .github/instructions/agentic-workflows.instructions.md | Auto-loaded into Copilot's context whenever a matching file is edited/reviewed | Copilot chat, coding agent, PR review |
| .github/workflows/verify-aw-lock.yml | Required CI check that diffs against a fresh gh aw compile | Everyone (humans + any agent) |

Follow-ups (not in this PR)

  • Once this CI check is green and trusted, add it to branch protection on main as a required status check.

Validation

  • CI check runs and passes on this PR (since this PR does not modify any .md workflow).
  • Manually validated locally: editing a workflow .md without recompiling produces a non-zero diff in git diff --exit-code -- '.github/workflows/**/*.lock.yml' after running gh aw compile.
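
An added example, not part of this pull request or the repository's workflow: a variant of the staleness check above that also flags lock files left untracked after `gh aw compile`, which the `git diff --exit-code` command quoted under Validation does not report. The function names, the sample paths, and the assumption that `gh aw compile` writes a `.lock.yml` for a newly added `.md` are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example, not code from this PR. Reads `git status --porcelain` (v1)
# lines on stdin and reports every workflow lock file that is not clean.
# Intended use in CI, after the compile step:
#   gh aw compile
#   git status --porcelain --untracked-files=all -- .github/workflows | stale_locks
# `git diff --exit-code` only sees tracked files; porcelain status also lists
# untracked ("??") lock files, i.e. a new .md whose .lock.yml was never
# committed (assumes `gh aw compile` writes one for a newly added .md).
stale_locks() (
  found=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    path=${line#???}            # drop the two status columns and the separator
    status=${line%"$path"}      # "XY " prefix
    status=${status%?}          # "XY"
    # Renames appear as "old -> new"; the new path is the one on disk.
    case $path in *' -> '*) path=${path##*' -> '} ;; esac
    case $path in
      .github/workflows/*.lock.yml)   # '*' in case patterns also matches '/'
        printf '%s\t%s\n' "$status" "$path"
        found=1 ;;
    esac
  done
  [ "$found" -eq 0 ]            # exit status 1 when any lock file is stale
)

# Constructed sample: status after compiling with one edited workflow,
# one brand-new workflow in a subdirectory, and an unrelated doc change.
sample_status() {
  printf '%s\n' \
    ' M .github/workflows/triage.lock.yml' \
    '?? .github/workflows/nightly/report.lock.yml' \
    ' M docs/README.md' \
    ' M .github/workflows/triage.md'
}

sample_status | stale_locks || echo 'stale lock files detected'
```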

- Add path-scoped instruction file under .github/instructions/ that
  applies to .github/workflows/**/*.md, so Copilot and coding agents
  auto-load the rule: edits to a workflow .md MUST include the
  regenerated sibling .lock.yml in the same PR.
- Add verify-aw-lock CI workflow that runs `gh aw compile` and fails
  the PR if any .lock.yml is stale.

Follow-up to the runtime failure seen in PR #4279.
@priyankatiwari08 priyankatiwari08 requested a review from a team as a code owner May 20, 2026 10:56
Copilot AI review requested due to automatic review settings May 20, 2026 10:56
@github-project-automation github-project-automation Bot moved this to To triage in SqlClient Board May 20, 2026
Copilot AI left a comment

Pull request overview

This PR adds safeguards to ensure gh-aw agentic workflow Markdown sources under .github/workflows/**/*.md are always kept in sync with their generated .lock.yml counterparts, preventing runtime failures caused by stale lock files.

Changes:

  • Adds a path-scoped Copilot instruction file that mandates running gh aw compile and committing the regenerated .lock.yml whenever workflow .md sources change.
  • Adds a PR CI guard workflow that recompiles agentic workflows and fails if generated .lock.yml files are stale.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| .github/workflows/verify-aw-lock.yml | New PR check that runs gh aw compile and verifies lock files are up to date. |
| .github/instructions/agentic-workflows.instructions.md | New Copilot instruction file auto-loaded for workflow .md edits/reviews to enforce regeneration rules. |

Comment thread .github/workflows/verify-aw-lock.yml Outdated
Comment on lines +18 to +21
- name: Install gh-aw extension
env:
GH_TOKEN: ${{ github.token }}
run: gh extension install githubnext/gh-aw
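Review bot: `gh extension install githubnext/gh-aw` on line +21 has no version pin, so each run installs whatever release is current, and the compiler that regenerates the lock files can change without any change in this repository. That makes the staleness check non-reproducible and lets extension code nobody here has reviewed run in the job. Pin it, for example `gh extension install githubnext/gh-aw --pin <release tag>`, using the same gh-aw version the committed lock files were compiled with.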
Comment thread .github/workflows/verify-aw-lock.yml Outdated
Comment on lines +29 to +30
echo "::error::A .github/workflows/**/*.md file changed but its .lock.yml is stale."
echo "::error::Run 'gh aw compile' locally and commit the regenerated .lock.yml in this PR."
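Review bot: the first `::error::` line says a `.github/workflows/**/*.md` file changed, but per the PR description this workflow also triggers on `**/*.lock.yml`, so a hand-edited lock file with an untouched `.md` would fail with a message that points at the wrong cause. State the condition that was actually checked (a `.lock.yml` differs from fresh `gh aw compile` output) and consider printing the affected paths so the author knows which files to regenerate.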
- Pin gh-aw to v0.72.1 via github/gh-aw-actions/setup-cli to match the
  version already used by .github/workflows/copilot-setup-steps.yml, so
  the CI compilation matches the repo's expected compiler version and
  avoids spurious diffs from version drift.
- Rewrite the failure message to describe the actual checked condition
  (lock files out of date relative to their compiled output). The
  previous wording wrongly implied only a .md change could trigger it,
  but the workflow also runs when a .lock.yml file is touched directly.
@priyankatiwari08 priyankatiwari08 added this to the 7.0.2 milestone May 21, 2026
@cheenamalhotra cheenamalhotra modified the milestones: 7.0.2, 7.1.0-preview2 May 21, 2026