diff --git a/docs/workflows/gh-aw-dependency-review.md b/docs/workflows/gh-aw-dependency-review.md index 08b7348..08aa9d4 100644 --- a/docs/workflows/gh-aw-dependency-review.md +++ b/docs/workflows/gh-aw-dependency-review.md @@ -24,6 +24,8 @@ Forwarded inputs include: - `classification-labels`: `oblt-aw/ai/merge-ready` - `additional-instructions`: Noop-when-not-applicable rules, CVE-focused and internal-change impact analysis instructions. +After `dependency-review`, the workflow runs `signal-dependency-review-followups`, which mints an ephemeral installation token and re-applies `oblt-aw/ai/merge-ready` (remove + add) when present. This emits a `labeled` event from the installation token so downstream follow-up workflows can run. + Noop semantics (in additional-instructions): - When the PR has no dependency updates to review (no version bumps, no lockfile changes indicating dependency updates, or changes outside supported ecosystems), the agent MUST call `noop` and must NOT add any comment to the PR. @@ -38,8 +40,8 @@ Labeling semantics (in additional-instructions): Permissions: - **Workflow:** `actions: read`, `contents: read`. -- **Job `mint-gh-aw-github-token`:** `contents: read`, `id-token: write` (OIDC for ephemeral `create-token`). - **Job `dependency-review`:** `actions: read`, `contents: read`, `issues: write`, `pull-requests: write`. +- **Job `signal-dependency-review-followups`:** `contents: read`, `id-token: write`, `pull-requests: write` (OIDC for ephemeral `create-token` and label re-apply signaling). ## API / Interface diff --git a/docs/workflows/gh-aw-resource-not-accessible-by-integration-triage.md b/docs/workflows/gh-aw-resource-not-accessible-by-integration-triage.md index ebb18ae..6e202a4 100644 --- a/docs/workflows/gh-aw-resource-not-accessible-by-integration-triage.md +++ b/docs/workflows/gh-aw-resource-not-accessible-by-integration-triage.md 
@@ -10,15 +10,14 @@ This reusable workflow triages issues that carry the detector label `oblt-aw/det - Triggered via `workflow_call`. - Required secret: `COPILOT_GITHUB_TOKEN`. -- **Job `mint-gh-aw-github-token`:** `contents: read`, `id-token: write` (OIDC for ephemeral `create-token` with no explicit `token-policy`; catalog-info auto role for this workflow file). ## Usage -The job `mint-gh-aw-github-token` mints an installation token via [`elastic/oblt-actions/github/create-token@v1`](https://github.com/elastic/oblt-actions/tree/v1/github/create-token). The job `res-not-accessible-integration-triage` calls: +The job `res-not-accessible-integration-triage` calls: - [elastic/ai-github-actions/.github/workflows/gh-aw-issue-triage.lock.yml@main](https://github.com/elastic/ai-github-actions/blob/main/.github/workflows/gh-aw-issue-triage.lock.yml) -The nested workflow receives **`GH_AW_GITHUB_TOKEN`** (mint output) and **`classification-labels`** for `oblt-aw/triage/res-not-accessible-by-integration`, `oblt-aw/triage/other`, `oblt-aw/triage/needs-info`, and `oblt-aw/ai/fix-ready`. +The nested workflow receives `COPILOT_GITHUB_TOKEN` and **`classification-labels`** for `oblt-aw/triage/res-not-accessible-by-integration`, `oblt-aw/triage/other`, `oblt-aw/triage/needs-info`, and `oblt-aw/ai/fix-ready`. Configured instructions define: 
@@ -27,13 +26,15 @@ Configured instructions define: - when to set `oblt-aw/ai/fix-ready` - required resolution plan structure +After triage, the workflow runs `signal-res-not-accessible-triage-followups`, which mints an ephemeral installation token and re-applies `oblt-aw/ai/fix-ready` (remove + add) only when both `oblt-aw/triage/res-not-accessible-by-integration` and `oblt-aw/ai/fix-ready` are present. This emits an installation-token `labeled` event so downstream fixer routing is triggered. + ## Configuration Permissions: - **Workflow default:** `actions: read`, `contents: read` -- **Job `mint-gh-aw-github-token`:** `contents: read`, `id-token: write` - **Job `res-not-accessible-integration-triage`:** `actions: read`, `contents: read`, `discussions: write`, `issues: write`, `pull-requests: write` +- **Job `signal-res-not-accessible-triage-followups`:** `contents: read`, `id-token: write`, `issues: write` (OIDC for ephemeral `create-token` and fix-ready label re-apply signaling) ## API / Interface diff --git a/docs/workflows/gh-aw-security-triage.md b/docs/workflows/gh-aw-security-triage.md index 22437d7..7bc4446 100644 --- a/docs/workflows/gh-aw-security-triage.md +++ b/docs/workflows/gh-aw-security-triage.md 
@@ -10,15 +10,14 @@ This reusable workflow triages newly opened security-related issues and prepares - Triggered via `workflow_call`. - Required secret: `COPILOT_GITHUB_TOKEN`. -- **Job `mint-gh-aw-github-token`:** `contents: read`, `id-token: write` (OIDC for ephemeral `create-token`). ## Usage -The job `mint-gh-aw-github-token` mints an installation token via [`elastic/oblt-actions/github/create-token@v1`](https://github.com/elastic/oblt-actions/tree/v1/github/create-token). The job `security-issue-triage` calls: +The job `security-issue-triage` calls: - [elastic/ai-github-actions/.github/workflows/gh-aw-issue-triage.lock.yml@main](https://github.com/elastic/ai-github-actions/blob/main/.github/workflows/gh-aw-issue-triage.lock.yml) -The nested workflow receives **`GH_AW_GITHUB_TOKEN`** (mint output) for GitHub API mutations and **`classification-labels`** matching the security triage allowlist below. +The nested workflow receives `COPILOT_GITHUB_TOKEN` and **`classification-labels`** matching the security triage allowlist below. Configured instructions define: 
@@ -27,13 +26,15 @@ Configured instructions define: - when to set `oblt-aw/ai/fix-ready` - required resolution plan structure: root cause, risk assessment, remediation steps, before/after examples +After triage, the workflow runs `signal-security-triage-followups`, which mints an ephemeral installation token and re-applies `oblt-aw/ai/fix-ready` (remove + add) only when `oblt-aw/ai/fix-ready` and one security classification label are present. This emits an installation-token `labeled` event so downstream fixer routing is triggered. + ## Configuration Permissions: - **Workflow default:** `actions: read`, `contents: read` -- **Job `mint-gh-aw-github-token`:** `contents: read`, `id-token: write` - **Job `security-issue-triage`:** `actions: read`, `contents: read`, `discussions: write`, `issues: write`, `pull-requests: write` +- **Job `signal-security-triage-followups`:** `contents: read`, `id-token: write`, `issues: write` (OIDC for ephemeral `create-token` and fix-ready label re-apply signaling) ## API / Interface
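Review bot: In `docs/workflows/gh-aw-dependency-review.md` hunk `@@ -24,6 +24,8 @@`, the added paragraph describes the remove + add of `oblt-aw/ai/merge-ready` only in terms of the `labeled` event it produces, but the removal step necessarily emits an `unlabeled` event first and leaves a short window in which the label is absent. Downstream workflows that trigger on `unlabeled`, or that gate on label presence, will observe both; the paragraph should say so and state how follow-up workflows are expected to handle the intermediate `unlabeled` event. The same gap applies to the two `signal-*-triage-followups` paragraphs added in the triage docs.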
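Review bot: In `docs/workflows/gh-aw-dependency-review.md` hunk `@@ -38,8 +40,8 @@`, the `mint-gh-aw-github-token` permissions bullet is removed, but unlike the two triage docs this file gets no Usage hunk replacing the `mint-gh-aw-github-token` / `GH_AW_GITHUB_TOKEN` (mint output) wording, so the Forwarded inputs and Usage text should be checked for stale references to the removed job. The new `signal-dependency-review-followups` bullet also grants the job `pull-requests: write` on the workflow token while the paragraph above says the label re-apply is done with the minted installation token; state which token performs the remove + add, and if it is the installation token, justify or drop the job-level `pull-requests: write`.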
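Review bot: In `docs/workflows/gh-aw-resource-not-accessible-by-integration-triage.md` hunk `@@ -10,15 +10,14 @@`, the removed bullet carried the note that `create-token` runs "with no explicit `token-policy`; catalog-info auto role for this workflow file", and the replacement `signal-res-not-accessible-triage-followups` bullet in the later hunk does not carry it over. If the follow-up job still mints without an explicit `token-policy`, keep that detail on the new bullet, since it is the only place a reader learns which role scopes the ephemeral token.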
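Review bot: In `docs/workflows/gh-aw-resource-not-accessible-by-integration-triage.md` hunk `@@ -27,13 +26,15 @@`, the added paragraph states the positive condition (both `oblt-aw/triage/res-not-accessible-by-integration` and `oblt-aw/ai/fix-ready` present) but not the negative one; add a sentence that the job is a noop and emits no event when only `oblt-aw/ai/fix-ready` is set, so operators do not expect fixer routing in that case. "Downstream fixer routing" should also name or link the workflow that consumes the `labeled` event, in the same way the Usage section links the nested triage workflow.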
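Review bot: In `docs/workflows/gh-aw-security-triage.md` hunk `@@ -10,15 +10,14 @@`, the removed sentence said the nested workflow received the minted token "for GitHub API mutations"; the replacement sentence names `COPILOT_GITHUB_TOKEN` but drops the purpose. Because a repository secret now replaces a per-run ephemeral installation token for those mutations, state what `COPILOT_GITHUB_TOKEN` is used for and which scopes it needs, so the permission change is visible to readers of the doc rather than implied.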
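Review bot: In `docs/workflows/gh-aw-security-triage.md` hunk `@@ -27,13 +26,15 @@`, "when `oblt-aw/ai/fix-ready` and one security classification label are present" is ambiguous between exactly one and at least one label; since the Usage section points to "the security triage allowlist below", phrase it as "at least one label from the security triage allowlist" (or "exactly one", whichever the job implements). Minor: this paragraph and the res-not-accessible one say "an installation-token `labeled` event" while the dependency-review paragraph says "a `labeled` event from the installation token"; pick one wording across the three docs.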