Skip to content

Enforce gh aw compile + lock-file regeneration for agentic workflows #4298

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
priyankatiwari08 wants to merge 2 commits into
base: main
Choose a base branch
from
+81 −0
Open

Enforce gh aw compile + lock-file regeneration for agentic workflows #4298

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
c32bbc1
Add gh-aw lock-file enforcement (instructions + CI guard)
priyankatiwari08 May 20, 2026
8beb72f
Address Copilot review comments on verify-aw-lock workflow
priyankatiwari08 May 20, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
49 changes: 49 additions & 0 deletions .github/instructions/agentic-workflows.instructions.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
---
applyTo: ".github/workflows/**/*.md"
description: Rules for editing gh-aw agentic workflow Markdown files.
---

# Agentic Workflow Edit Rules (`gh aw`)

This repository authors GitHub Actions agentic workflows in Markdown using
[`gh aw`](https://github.com/githubnext/gh-aw). Each workflow `.md` file under
`.github/workflows/` compiles to a sibling `.lock.yml`, and **only the
`.lock.yml` is executed by GitHub Actions at runtime.**

## Mandatory rule

Whenever you create, edit, rename, or delete a file matching
`.github/workflows/**/*.md`, you **MUST**, in the **same commit / PR**:

1. Run `gh aw compile` from the repository root.
2. Stage and commit the regenerated sibling `<name>.lock.yml`.
3. If you deleted a workflow `.md`, also delete its `.lock.yml`.

If the `.lock.yml` is stale or missing, the workflow fails at runtime
(see PR #4279 for the exact failure mode). The
`Verify gh aw lock files` CI check will block the PR in that case.

## How to verify locally

```bash
gh aw compile
git status # both the .md and .lock.yml should appear
gh aw compile # second run must be a no-op (clean diff)
```

## Code-review checklist

When reviewing a PR that touches `.github/workflows/**/*.md`:

- [ ] A matching `.lock.yml` is updated in the same PR.
- [ ] `gh aw compile` produces no further diff on top of the PR.
- [ ] If new tools, network endpoints, or permissions are added in the `.md`,
they are present in the regenerated `.lock.yml`.

## Out of scope

- Do **not** hand-edit `.lock.yml` files. They are generated; edit the `.md`
source and recompile.
- For deeper authoring guidance (creating, debugging, upgrading workflows),
invoke the `agentic-workflows` agent at
`.github/agents/agentic-workflows.agent.md`.
32 changes: 32 additions & 0 deletions .github/workflows/verify-aw-lock.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
name: Verify gh aw lock files

on:
pull_request:
paths:
- '.github/workflows/**/*.md'
- '.github/workflows/**/*.lock.yml'

permissions:
contents: read

jobs:
verify:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

- name: Install gh-aw extension
uses: github/gh-aw-actions/setup-cli@bc56a0cad2f450c562810785ef38649c04db812a # v0.72.1
with:
version: v0.72.1

- name: Recompile agentic workflows
run: gh aw compile

- name: Fail if any .lock.yml is out of date
run: |
if ! git diff --exit-code -- '.github/workflows/**/*.lock.yml'; then
echo "::error::One or more .github/workflows/**/*.lock.yml files are out of date relative to their .md source (running 'gh aw compile' produced a diff)."
echo "::error::Run 'gh aw compile' locally and commit the regenerated .lock.yml files in this PR."
exit 1
fi
Loading