4 changes: 3 additions & 1 deletion docs/workflows/gh-aw-dependency-review.md
Expand Up @@ -24,6 +24,8 @@ Forwarded inputs include:
- `classification-labels`: `oblt-aw/ai/merge-ready`
- `additional-instructions`: Noop-when-not-applicable rules, CVE-focused and internal-change impact analysis instructions.

After `dependency-review`, the workflow runs `signal-dependency-review-followups`, which mints an ephemeral installation token and re-applies `oblt-aw/ai/merge-ready` (remove + add) when present. This emits a `labeled` event from the installation token so downstream follow-up workflows can run.

Noop semantics (in additional-instructions):

- When the PR has no dependency updates to review (no version bumps, no lockfile changes indicating dependency updates, or changes outside supported ecosystems), the agent MUST call `noop` and must NOT add any comment to the PR.
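Review bot: the added paragraph describes the re-apply as "remove + add" but only names the resulting `labeled` event; the remove step emits an `unlabeled` event from the same installation token first, so any downstream workflow that also listens on `unlabeled` will fire. Suggest saying so explicitly, e.g. "(remove + add, which emits `unlabeled` then `labeled` from the installation token)". It would also help to state whether `signal-dependency-review-followups` still runs when `dependency-review` called `noop` and the label is absent, since "when present" is the only condition given.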
Expand All @@ -38,8 +40,8 @@ Labeling semantics (in additional-instructions):
Permissions:

- **Workflow:** `actions: read`, `contents: read`.
- **Job `mint-gh-aw-github-token`:** `contents: read`, `id-token: write` (OIDC for ephemeral `create-token`).
- **Job `dependency-review`:** `actions: read`, `contents: read`, `issues: write`, `pull-requests: write`.
- **Job `signal-dependency-review-followups`:** `contents: read`, `id-token: write`, `pull-requests: write` (OIDC for ephemeral `create-token` and label re-apply signaling).

## API / Interface

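Review bot: the new `signal-dependency-review-followups` entry grants `pull-requests: write` to the job's own `GITHUB_TOKEN` alongside `id-token: write`, while the text says the label re-apply is done with the ephemeral installation token from `create-token`. If no step mutates the PR with `GITHUB_TOKEN`, drop `pull-requests: write` for least privilege; if one does, name which step so the grant is traceable.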
Expand Up @@ -10,15 +10,14 @@ This reusable workflow triages issues that carry the detector label `oblt-aw/det

- Triggered via `workflow_call`.
- Required secret: `COPILOT_GITHUB_TOKEN`.
- **Job `mint-gh-aw-github-token`:** `contents: read`, `id-token: write` (OIDC for ephemeral `create-token` with no explicit `token-policy`; catalog-info auto role for this workflow file).

## Usage

The job `mint-gh-aw-github-token` mints an installation token via [`elastic/oblt-actions/github/create-token@v1`](https://github.com/elastic/oblt-actions/tree/v1/github/create-token). The job `res-not-accessible-integration-triage` calls:
The job `res-not-accessible-integration-triage` calls:

- [elastic/ai-github-actions/.github/workflows/gh-aw-issue-triage.lock.yml@main](https://github.com/elastic/ai-github-actions/blob/main/.github/workflows/gh-aw-issue-triage.lock.yml)

The nested workflow receives **`GH_AW_GITHUB_TOKEN`** (mint output) and **`classification-labels`** for `oblt-aw/triage/res-not-accessible-by-integration`, `oblt-aw/triage/other`, `oblt-aw/triage/needs-info`, and `oblt-aw/ai/fix-ready`.
The nested workflow receives `COPILOT_GITHUB_TOKEN` and **`classification-labels`** for `oblt-aw/triage/res-not-accessible-by-integration`, `oblt-aw/triage/other`, `oblt-aw/triage/needs-info`, and `oblt-aw/ai/fix-ready`.

Configured instructions define:

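Review bot: the replaced line changes what the nested workflow authenticates with: `GH_AW_GITHUB_TOKEN` (the per-run installation token minted by `create-token`) is swapped for the stored secret `COPILOT_GITHUB_TOKEN`, and the removed bullet was the only place that recorded the mint had no explicit `token-policy` and relied on the catalog-info auto role. Since the credential carrying the triage's label writes is no longer ephemeral, the Usage section should state the scope `COPILOT_GITHUB_TOKEN` is expected to have and why the minted token is no longer passed through, rather than leaving that to the permissions list.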
Expand All @@ -27,13 +26,15 @@ Configured instructions define:
- when to set `oblt-aw/ai/fix-ready`
- required resolution plan structure

After triage, the workflow runs `signal-res-not-accessible-triage-followups`, which mints an ephemeral installation token and re-applies `oblt-aw/ai/fix-ready` (remove + add) only when both `oblt-aw/triage/res-not-accessible-by-integration` and `oblt-aw/ai/fix-ready` are present. This emits an installation-token `labeled` event so downstream fixer routing is triggered.

## Configuration

Permissions:

- **Workflow default:** `actions: read`, `contents: read`
- **Job `mint-gh-aw-github-token`:** `contents: read`, `id-token: write`
- **Job `res-not-accessible-integration-triage`:** `actions: read`, `contents: read`, `discussions: write`, `issues: write`, `pull-requests: write`
- **Job `signal-res-not-accessible-triage-followups`:** `contents: read`, `id-token: write`, `issues: write` (OIDC for ephemeral `create-token` and fix-ready label re-apply signaling)

## API / Interface

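Review bot: the new paragraph says the re-apply runs "after triage" and only when both labels are present, but does not say whether `signal-res-not-accessible-triage-followups` is gated on `res-not-accessible-integration-triage` succeeding or also runs after a noop or failed triage. Since the job holds `id-token: write` and `issues: write`, document the `needs` relationship and the run condition so a reader can tell when an installation token is actually minted.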
9 changes: 5 additions & 4 deletions docs/workflows/gh-aw-security-triage.md
Expand Up @@ -10,15 +10,14 @@ This reusable workflow triages newly opened security-related issues and prepares

- Triggered via `workflow_call`.
- Required secret: `COPILOT_GITHUB_TOKEN`.
- **Job `mint-gh-aw-github-token`:** `contents: read`, `id-token: write` (OIDC for ephemeral `create-token`).

## Usage

The job `mint-gh-aw-github-token` mints an installation token via [`elastic/oblt-actions/github/create-token@v1`](https://github.com/elastic/oblt-actions/tree/v1/github/create-token). The job `security-issue-triage` calls:
The job `security-issue-triage` calls:

- [elastic/ai-github-actions/.github/workflows/gh-aw-issue-triage.lock.yml@main](https://github.com/elastic/ai-github-actions/blob/main/.github/workflows/gh-aw-issue-triage.lock.yml)

The nested workflow receives **`GH_AW_GITHUB_TOKEN`** (mint output) for GitHub API mutations and **`classification-labels`** matching the security triage allowlist below.
The nested workflow receives `COPILOT_GITHUB_TOKEN` and **`classification-labels`** matching the security triage allowlist below.

Configured instructions define:

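Review bot: the replaced line drops the phrase "for GitHub API mutations", so the doc no longer says what the nested workflow does with `COPILOT_GITHUB_TOKEN`; keep the purpose, e.g. "receives `COPILOT_GITHUB_TOKEN` for GitHub API mutations and `classification-labels` ...". As with the other triage doc in this change, a sentence on why the per-run installation token from `create-token` was replaced by a stored secret for those writes would let readers judge the credential's lifetime and scope.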
Expand All @@ -27,13 +26,15 @@ Configured instructions define:
- when to set `oblt-aw/ai/fix-ready`
- required resolution plan structure: root cause, risk assessment, remediation steps, before/after examples

After triage, the workflow runs `signal-security-triage-followups`, which mints an ephemeral installation token and re-applies `oblt-aw/ai/fix-ready` (remove + add) only when `oblt-aw/ai/fix-ready` and one security classification label are present. This emits an installation-token `labeled` event so downstream fixer routing is triggered.

## Configuration

Permissions:

- **Workflow default:** `actions: read`, `contents: read`
- **Job `mint-gh-aw-github-token`:** `contents: read`, `id-token: write`
- **Job `security-issue-triage`:** `actions: read`, `contents: read`, `discussions: write`, `issues: write`, `pull-requests: write`
- **Job `signal-security-triage-followups`:** `contents: read`, `id-token: write`, `issues: write` (OIDC for ephemeral `create-token` and fix-ready label re-apply signaling)

## API / Interface

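Review bot: "only when `oblt-aw/ai/fix-ready` and one security classification label are present" is ambiguous between exactly one and at least one label from the allowlist; state which, and what happens when several are present, since that decides whether the `labeled` event reaches the fixer. Separately, `signal-security-triage-followups` lists `issues: write` next to `id-token: write` while the text says the re-apply uses the minted installation token; if no step writes with `GITHUB_TOKEN`, `issues: write` can be dropped.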