diff --git a/.github/workflows/gh-aw-downstream-updates-needed.md b/.github/workflows/gh-aw-downstream-updates-needed.md new file mode 100644 index 00000000..d44c64f7 --- /dev/null +++ b/.github/workflows/gh-aw-downstream-updates-needed.md 
@@ -0,0 +1,145 @@ +--- +description: "Check downstream users for required workflow ref updates and report by repository" +imports: + - gh-aw-fragments/elastic-tools.md + - gh-aw-fragments/runtime-setup.md + - gh-aw-fragments/formatting.md + - gh-aw-fragments/rigor.md + - gh-aw-fragments/mcp-pagination.md + - gh-aw-fragments/messages-footer.md + - gh-aw-fragments/safe-output-create-issue.md + - gh-aw-fragments/scheduled-report.md +engine: + id: copilot + model: gpt-5.3-codex +on: + workflow_call: + inputs: + additional-instructions: + description: "Repo-specific instructions appended to the agent prompt" + type: string + required: false + default: "" + setup-commands: + description: "Shell commands to run before the agent starts (dependency install, build, etc.)" + type: string + required: false + default: "" + allowed-bot-users: + description: "Allowlisted bot actor usernames (comma-separated)" + type: string + required: false + default: "github-actions[bot]" + messages-footer: + description: "Footer appended to all agent comments and reviews" + type: string + required: false + default: "" + secrets: + COPILOT_GITHUB_TOKEN: + required: true + roles: [admin, maintainer, write] + bots: + - "${{ inputs.allowed-bot-users }}" +concurrency: + group: downstream-updates-needed + cancel-in-progress: true +permissions: + contents: read + issues: read + pull-requests: read +tools: + github: + toolsets: [repos, issues, pull_requests, search] + bash: true + web-fetch: +network: + allowed: + - defaults + - github + - go + - node + - python + - ruby +strict: false +safe-outputs: + noop: + create-issue: + max: 1 + title-prefix: "[downstream-updates] " + close-older-issues: true + expires: 7d +timeout-minutes: 30 +steps: + - name: Repo-specific setup + if: ${{ inputs.setup-commands != '' }} + env: + SETUP_COMMANDS: ${{ inputs.setup-commands }} + run: eval "$SETUP_COMMANDS" +--- + +Workflow for checking downstream users of these actions (in the `elastic` and `strawgate` orgs) and 
seeing if their workflows need updates. Post an issue with the repo-by-repo updates required. + +## Context + +- **Repository**: ${{ github.repository }} +- **Data file**: `data/downstream-users.json` + +## Step 1: Gather inputs + +1. Read `data/downstream-users.json`. +2. Keep only entries where `repo` starts with `elastic/` or `strawgate/`. +3. Fetch latest release for `elastic/ai-github-actions` and capture: + - `latest_version` (for example `v0.2.5`) + - `recommended_floating_major` (for example `v0`) +4. If no matching downstream repos exist, call `noop` with a clear message. + +## Step 2: Validate data model + +The expected schema for each workflow entry is: + +```json +{ + "workflow_file": ".github/workflows/example.yml", + "uses_target": "workflows/pr-review/rwx", + "ref": "v0" +} +``` + +If any downstream repo still has legacy string entries instead of objects, file an issue that explicitly says the downstream inventory must be regenerated with ref metadata before reliable update detection can run. + +## Step 3: Determine update status + +For each workflow entry, classify by `ref`: + +1. **Floating major** (`v`, e.g. `v0`) + - If equal to `recommended_floating_major`, mark as up to date. + - If different major, mark update needed to `recommended_floating_major`. + +2. **Pinned semver tag** (`vX.Y.Z`) + - Compare with `latest_version`. + - If older, mark update needed to `latest_version`. + +3. **Branch refs** (e.g. `main`, `master`, `release/*`) + - Mark as policy warning and recommend `recommended_floating_major` or `latest_version`. + +4. **SHA refs** (hex commit IDs) + - Mark as informational, no forced update, include recommendation to review manually. + +5. **Other refs** + - Mark as review needed and include the raw ref. + +## Step 4: Report + +Create one issue grouped by repo. 
For each repo with findings, include a table: + +- workflow file +- uses target +- current ref +- recommended ref +- reason + +If every entry is up to date and has no warnings, call `noop` with: +`Downstream updates check complete — no updates needed.` + +${{ inputs.additional-instructions }} diff --git a/.github/workflows/gh-aw-downstream-users.md b/.github/workflows/gh-aw-downstream-users.md index dc262548..f1c3bd0e 100644 --- a/.github/workflows/gh-aw-downstream-users.md +++ b/.github/workflows/gh-aw-downstream-users.md @@ -1,5 +1,5 @@ --- -description: "Track downstream public repo usage of elastic/ai-github-actions and update data" +description: "Track downstream public repo usage of elastic/ai-github-actions and preserve refs" imports: - gh-aw-fragments/elastic-tools.md - gh-aw-fragments/runtime-setup.md @@ -75,7 +75,7 @@ steps: # Downstream Users Tracking -Maintain a canonical list of public downstream repositories using elastic/ai-github-actions, including which workflows they consume. +Maintain a canonical list of public downstream repositories using elastic/ai-github-actions, including workflow file paths and refs so downstream update checks are deterministic. ## Context @@ -106,8 +106,11 @@ Maintain a canonical list of public downstream repositories using elastic/ai-git 2. For each unique repo + path pair returned: - Fetch the workflow file using `github-get_file_contents`. - - Extract every `uses: elastic/ai-github-actions/...` line. - - Normalize each entry by removing the leading `elastic/ai-github-actions/` and any `@version` suffix. + - Extract every `uses: elastic/ai-github-actions/...@...` line. + - For each match, keep: + - `workflow_file`: relative path of the workflow file where the `uses:` entry was found. + - `uses_target`: text between `elastic/ai-github-actions/` and `@`. + - `ref`: text after `@` (tag, branch, or SHA). ## Step 3: Build the Data File 
@@ -124,7 +127,13 @@ Write `data/downstream-users.json` with this structure: "repos": [ { "repo": "owner/repo", - "workflows": ["workflows/mention-in-issue/rwxp", "..."] + "workflows": [ + { + "workflow_file": ".github/workflows/example.yml", + "uses_target": "workflows/pr-review/rwx", + "ref": "v0" + } + ] } ] } @@ -133,7 +142,8 @@ Write `data/downstream-users.json` with this structure: Guidelines: - Sort `repos` by `repo`. -- Sort each `workflows` list alphabetically. +- Sort each `workflows` list by `workflow_file`, then `uses_target`, then `ref`. +- Deduplicate exact duplicate workflow objects per repo. - Use UTC timestamps with a `Z` suffix. ## Step 4: Create the PR diff --git a/.github/workflows/trigger-downstream-updates-needed.yml b/.github/workflows/trigger-downstream-updates-needed.yml new file mode 100644 index 00000000..a557b726 --- /dev/null +++ b/.github/workflows/trigger-downstream-updates-needed.yml @@ -0,0 +1,16 @@ +name: Downstream Updates Needed +on: + schedule: + - cron: "0 11 * * 1-5" + workflow_dispatch: + +permissions: + contents: read + issues: write + pull-requests: read + +jobs: + run: + uses: ./.github/workflows/gh-aw-downstream-updates-needed.lock.yml + secrets: + COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} diff --git a/DEVELOPING.md b/DEVELOPING.md index 12b09f38..e076148a 100644 --- a/DEVELOPING.md +++ b/DEVELOPING.md 
@@ -8,7 +8,7 @@ | `gh-agent-workflows/` | Per-workflow READMEs and `example.yml` triggers (examples + dogfood), consumer docs | [DEVELOPING.md](gh-agent-workflows/DEVELOPING.md) | | `claude-workflows/` | Composite actions wrapping Claude Code | [DEVELOPING.md](claude-workflows/DEVELOPING.md) | -Internal-only workflows (e.g., `gh-aw-upgrade-check.md`, `ci.yml`, `release.yml`) also live in `.github/workflows/`. See [gh-agent-workflows/DEVELOPING.md](gh-agent-workflows/DEVELOPING.md) for the full architecture. +Internal-only workflows (e.g., `gh-aw-upgrade-check.md`, `gh-aw-downstream-updates-needed.md`, `ci.yml`, `release.yml`) also live in `.github/workflows/`. See [gh-agent-workflows/DEVELOPING.md](gh-agent-workflows/DEVELOPING.md) for the full architecture. ## Quick Start diff --git a/gh-agent-workflows/DEVELOPING.md b/gh-agent-workflows/DEVELOPING.md index a54d1bf0..a75885f1 100644 --- a/gh-agent-workflows/DEVELOPING.md +++ b/gh-agent-workflows/DEVELOPING.md @@ -62,7 +62,7 @@ workflow (gh-aw-docs-drift.md) └── ... ``` -`gh-aw-upgrade-check` is an **internal-only** workflow — its shim lives directly in `.github/workflows/` (not in `gh-agent-workflows/`) so it is not installable via `gh aw add`. It runs on weekdays to check for new `gh-aw` releases and files issues tagged `[gh-aw-upgrade]`. +`gh-aw-upgrade-check` and `gh-aw-downstream-updates-needed` are **internal-only** workflows — their shims live directly in `.github/workflows/` (not in `gh-agent-workflows/`) so they are not installable via `gh aw add`. ### Shared fragments
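Review bot: in the new gh-aw-downstream-updates-needed.md frontmatter, `allowed-bot-users` is described as "comma-separated" but is passed verbatim as a single list element under `bots:`, so a caller supplying `a[bot],b[bot]` produces one entry containing the comma rather than two usernames, and neither bot would match. Either document that a single username is expected or split the input before it reaches `bots:`.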
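Review bot: `run: eval "$SETUP_COMMANDS"` in the `steps:` block of the new workflow executes whatever the calling repository passes as `setup-commands`, with the job's token and secrets in scope. Routing the value through `env:` instead of interpolating `${{ inputs.setup-commands }}` into the script body is the right choice against expression injection; a short comment in the frontmatter stating that the caller is trusted for this input (it is the caller's own workflow) would make that boundary explicit for reviewers of consuming repos.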
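Review bot: in Step 3 of the new workflow, the floating-major pattern reads "(`v`, e.g. `v0`)", which does not describe the shape; something like "`vN`, a `v` followed by the major number only" would separate it from the `vX.Y.Z` case below. The pinned-semver branch only covers "if older"; state what to report when the ref is newer than `latest_version` (for example a prerelease tag) so the agent does not silently mark it up to date. For SHA refs, the informational row could also say whether the SHA resolves to a release tag of `elastic/ai-github-actions`, since a commit pin is the recommended hardening and the report should not read as if it were less current than a floating tag.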
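Review bot: in the Step 2 hunk of gh-aw-downstream-users.md, `ref` is defined as "text after `@`", but `uses:` lines pinned to a SHA commonly carry a trailing `# vX.Y.Z` comment and the value may be quoted; without stripping both, the stored `ref` would be something like `<sha> # v0.2.5`, which then matches none of the classifiers in the downstream-updates workflow. Specify that the ref ends at the first whitespace or `#` and that surrounding quotes are removed.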
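Review bot: the gh-agent-workflows/DEVELOPING.md hunk drops the sentence explaining what `gh-aw-upgrade-check` does (weekday schedule, issues tagged `[gh-aw-upgrade]`) and adds nothing equivalent for the new workflow. Keep one sentence per workflow, e.g. that `gh-aw-downstream-updates-needed` runs weekdays at 11:00 UTC and files issues prefixed `[downstream-updates]`, both of which are visible in the new trigger file and frontmatter.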