elastic · strawgate · Feb 27, 2026 · Feb 26, 2026 · Feb 26, 2026 · Feb 26, 2026
diff --git a/.github/workflows/gh-aw-resource-not-accessible-by-integration-fixer.lock.yml b/.github/workflows/gh-aw-resource-not-accessible-by-integration-fixer.lock.yml
diff --git a/.github/workflows/gh-aw-resource-not-accessible-by-integration-fixer.md b/.github/workflows/gh-aw-resource-not-accessible-by-integration-fixer.md
@@ -0,0 +1,249 @@
+---
+inlined-imports: true
+description: "Daily detector for 'Resource not accessible by integration' across long-term branches"
+imports:
+  - gh-aw-fragments/elastic-tools.md
+  - gh-aw-fragments/runtime-setup.md
+  - gh-aw-fragments/formatting.md
+  - gh-aw-fragments/rigor.md
+  - gh-aw-fragments/mcp-pagination.md
+  - gh-aw-fragments/messages-footer.md
+  - gh-aw-fragments/safe-output-create-issue.md
+  - gh-aw-fragments/previous-findings.md
+  - gh-aw-fragments/network-ecosystems.md
+engine:
+  id: copilot
+  model: ${{ inputs.model }}
+on:
+  workflow_call:
+    inputs:
+      model:
+        description: "AI model to use"
+        type: string
+        required: false
+        default: "gpt-5.3-codex"
+      additional-instructions:
+        description: "Repo-specific instructions appended to the agent prompt"
+        type: string
+        required: false
+        default: ""
+      setup-commands:
+        description: "Shell commands to run before the agent starts (dependency install, build, etc.)"
+        type: string
+        required: false
+        default: ""
+      allowed-bot-users:
+        description: "Allowlisted bot actor usernames (comma-separated)"
+        type: string
+        required: false
+        default: "github-actions[bot]"
+      messages-footer:
+        description: "Footer appended to all agent comments and reviews"
+        type: string
+        required: false
+        default: ""
+      long-term-branches:
+        description: "Space-separated list of long-term branch names to scan in addition to the default branch (e.g. 'main 8.x 7.17')"
+        type: string
+        required: false
+        default: ""
+      look-back-days:
+        description: "Number of days to look back when scanning failed workflow runs"
+        type: number
+        required: false
+        default: 1
+      issue-title-prefix:
+        description: "Title prefix for created issue (e.g. '[resource-not-accessible-by-integration]')"
+        type: string
+        required: false
+        default: "[resource-not-accessible-by-integration]"
+    secrets:
+      COPILOT_GITHUB_TOKEN:
+        required: true
+  roles: [admin, maintainer, write]
+  bots:
+    - "${{ inputs.allowed-bot-users }}"
+concurrency:
+  group: resource-not-accessible-by-integration-fixer
+  cancel-in-progress: true
+permissions:
+  actions: read
+  contents: read
+  issues: read
+tools:
+  github:
+    toolsets: [repos, issues, search, actions]
+  bash: true
+  web-fetch:
+strict: false
+safe-outputs:
+  activation-comments: false
+  noop:
+  create-issue:
+    max: 1
+    title-prefix: "${{ inputs.issue-title-prefix }} "
+    close-older-issues: false
+    expires: 7d
+timeout-minutes: 90
+steps:
+  - name: Prescan failed runs for target error
+    env:
+      GH_TOKEN: ${{ github.token }}
+      LOOK_BACK_DAYS: ${{ inputs.look-back-days }}
+      LONG_TERM_BRANCHES: ${{ inputs.long-term-branches }}
+      DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+    run: |
+      set -euo pipefail
+      mkdir -p /tmp/gh-aw/agent
+
+      since="$(date -u -d "${LOOK_BACK_DAYS} days ago" '+%Y-%m-%dT%H:%M:%SZ' 2>/dev/null || date -u -v-"${LOOK_BACK_DAYS}"d '+%Y-%m-%dT%H:%M:%SZ')"
+      findings_file="/tmp/gh-aw/agent/resource-not-accessible-findings.tsv"
+      printf "workflow_path\tbranch\trun_id\trun_url\tcreated_at\tevidence\n" > "$findings_file"
+
+      branches=()
+      for branch in "$DEFAULT_BRANCH" $LONG_TERM_BRANCHES; do
+        [ -n "$branch" ] || continue
+        skip=false
+        for existing in "${branches[@]:-}"; do
+          if [ "$existing" = "$branch" ]; then
+            skip=true
+            break
+          fi
+        done
+        if [ "$skip" = false ]; then
+          branches+=("$branch")
+        fi
+      done
+
+      runs_file="/tmp/gh-aw/agent/resource-not-accessible-runs.tsv"
+      : > "$runs_file"
+      for branch in "${branches[@]}"; do
+        gh api "repos/$GITHUB_REPOSITORY/actions/runs" \
+          --method GET \
+          -f branch="$branch" \
+          -f status=failure \
+          -f created=">=${since}" \
+          --paginate \
+          --jq '.workflow_runs[] | [.id, .html_url, .path, .head_branch, .created_at] | @tsv' \
+          >> "$runs_file" || true
+      done
+
+      while IFS=$'\t' read -r run_id run_url workflow_path head_branch created_at; do
+        [ -n "${run_id:-}" ] || continue
+        zip_file="/tmp/gh-aw/agent/workflow-logs-${run_id}.zip"
+        log_dir="/tmp/gh-aw/agent/workflow-logs-${run_id}"
+
+        if ! gh api "repos/$GITHUB_REPOSITORY/actions/runs/${run_id}/logs" -H "Accept: application/vnd.github+json" > "$zip_file" 2>/dev/null; then
+          continue
+        fi
+        rm -rf "$log_dir"
+        if ! unzip -o "$zip_file" -d "$log_dir" >/dev/null 2>&1; then
+          continue
+        fi
+
+        match="$(grep -R -n -m 1 "Resource not accessible by integration" "$log_dir" 2>/dev/null || true)"
+        if [ -n "$match" ]; then
+          evidence="${match//$'\t'/ }"
+          printf "%s\t%s\t%s\t%s\t%s\t%s\n" "$workflow_path" "$head_branch" "$run_id" "$run_url" "$created_at" "$evidence" >> "$findings_file"
+        fi
+        rm -rf "$log_dir" "$zip_file"
+      done < "$runs_file"
+
+      matches="$(tail -n +2 "$findings_file" | wc -l | tr -d ' ')"
+      workflows="$(tail -n +2 "$findings_file" | cut -f1 | sort -u | wc -l | tr -d ' ')"
+      {
+        echo "since=${since}"
+        echo "look_back_days=${LOOK_BACK_DAYS}"
+        echo "matched_runs=${matches}"
+        echo "matched_workflows=${workflows}"
+        echo "findings_file=${findings_file}"
+      } > /tmp/gh-aw/agent/resource-not-accessible-summary.txt
+  - name: Repo-specific setup
+    if: ${{ inputs.setup-commands != '' }}
+    env:
+      SETUP_COMMANDS: ${{ inputs.setup-commands }}
+    run: eval "$SETUP_COMMANDS"
+---
+
+# Resource Not Accessible By Integration Detector
+
+Use the prescan output to investigate only workflows that already matched `Resource not accessible by integration`, then create a single tracking issue with the combined analysis.
+
+## Context
+
+- **Repository**: ${{ github.repository }}
+- **Default Branch**: ${{ github.event.repository.default_branch }}
+- **Additional long-term branches**: ${{ inputs.long-term-branches }}
+- **Look-back days**: ${{ inputs.look-back-days }}
+- **Error pattern**: `Resource not accessible by integration`
+- **Prescan summary**: `/tmp/gh-aw/agent/resource-not-accessible-summary.txt`
+- **Prescan findings**: `/tmp/gh-aw/agent/resource-not-accessible-findings.tsv`
+- **Remediation instructions URL**: `https://raw.githubusercontent.com/elastic/observability-cicd/main/github-actions/actionable/alerts/app/prompts/accessible-by-integration.txt`
+
+## Constraints
+
+- **CAN**: Read files, search code, run commands, create one issue.
+- **CANNOT**: Push changes or open PRs in this workflow.
+- Only investigate workflows listed in `/tmp/gh-aw/agent/resource-not-accessible-findings.tsv`.
+- Do not file a duplicate issue if an open `${{ inputs.issue-title-prefix }}` issue already tracks the same workflows and failure pattern.
+
+## Step 1: Gather context
+
+1. Call `generate_agents_md` to get repository conventions (if it fails, continue).
+2. Read `/tmp/gh-aw/agent/resource-not-accessible-summary.txt`.
+3. Read `/tmp/gh-aw/agent/resource-not-accessible-findings.tsv`.
+4. Fetch remediation instructions at runtime:
+   ````
+   https://raw.githubusercontent.com/elastic/observability-cicd/main/github-actions/actionable/alerts/app/prompts/accessible-by-integration.txt
+   ````
+   If fetch fails, fall back to minimum-permissions guidance.
+
+## Step 2: Decide whether to noop
+
+- If the findings file has no data rows, call `noop` with:
+  `No 'Resource not accessible by integration' failures found in the configured look-back window — nothing to report`.
+- Check open issues for `${{ inputs.issue-title-prefix }}` in the title and compare workflow paths/evidence.
+- If an existing open issue already tracks the same findings, call `noop` and reference the existing issue number.
+
+## Step 3: Produce combined analysis issue
+
+Call `create_issue` exactly once with:
+
+- **Title**: `Resource not accessible by integration across long-term branches`
+- **Body**:
+
+  ````
+  ## Scan Summary
+
+  - Look-back days: <value from summary file>
+  - Since: <value from summary file>
+  - Matched workflows: <count>
+  - Matched runs: <count>
+
+  ## Affected Workflows
+
+  | Workflow file | Branches | Runs |
+  | --- | --- | --- |
+  | <workflow path> | <comma-separated branches> | [<run-id>](<run_url>), ... |
+
+  ## Evidence
+
+  For each workflow include one or more verbatim evidence lines from the findings file.
+
+  ## Root Cause Assessment
+
+  Concisely explain why each workflow likely lacks required permissions/token scope.
+
+  ## Remediation Guidance
+
+  Provide concrete patch guidance per workflow using:
+  https://raw.githubusercontent.com/elastic/observability-cicd/main/github-actions/actionable/alerts/app/prompts/accessible-by-integration.txt
+
+  ## Next Steps
+
+  - Recommend either applying fixes manually or enabling a fixer workflow.
+  - Note: workflow-file edits must be made under `.github/workflows/`.
+  ````
+
+${{ inputs.additional-instructions }}
+
diff --git a/.github/workflows/trigger-resource-not-accessible-by-integration-fixer.yml b/.github/workflows/trigger-resource-not-accessible-by-integration-fixer.yml
@@ -0,0 +1,26 @@
+# This file is auto-generated by scripts/dogfood.sh. Do not edit directly.
+# Edit gh-agent-workflows/resource-not-accessible-by-integration-fixer/example.yml and run 'make compile' to regenerate.
+name: Trigger Resource Not Accessible By Integration Fixer
+on:
+  schedule:
+    - cron: "0 6 * * *"
+  workflow_dispatch:
+    inputs:
+      look-back-days:
+        description: "Number of look-back days for failed-run scan"
+        required: false
+        default: "1"
+
+permissions:
+  actions: read
+  issues: write
+  contents: read
+
+jobs:
+  run:
+    uses: ./.github/workflows/gh-aw-resource-not-accessible-by-integration-fixer.lock.yml
+    with:
+      long-term-branches: ""
+      look-back-days: ${{ inputs.look-back-days || 1 }}
+    secrets:
+      COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
diff --git a/docs/workflows/gh-agent-workflows.md b/docs/workflows/gh-agent-workflows.md
@@ -26,7 +26,7 @@ Each workflow directory contains an `example.yml` starter and a README for trigg
 The quick setup script includes two opinionated sets:
 
 - **Starter repo operations set (default):** `pr-review`, `issue-triage`, `mention-in-issue`, `mention-in-pr`, `pr-actions-detective`
-- **Continuous improvement add-ons (`--continuous-improvement`):** `bug-hunter`, `bug-exterminator`, `code-simplifier`, `docs-patrol`, `newbie-contributor-patrol`, `small-problem-fixer`, `stale-issues`, `test-improver`, `breaking-change-detector`, `code-duplication-detector`, `update-pr-body`
+- **Continuous improvement add-ons (`--continuous-improvement`):** `bug-hunter`, `bug-exterminator`, `code-simplifier`, `docs-patrol`, `newbie-contributor-patrol`, `small-problem-fixer`, `stale-issues`, `test-improver`, `breaking-change-detector`, `code-duplication-detector`, `update-pr-body`, `resource-not-accessible-by-integration-fixer`
 
 ## Available workflows
 
@@ -97,6 +97,7 @@ Many scheduled workflows follow a **detector / fixer** pattern: the detector fin
 | [Product Manager Impersonator](gh-agent-workflows/product-manager-impersonator.md) | Weekday schedule | Propose feature ideas from a configurable persona and scope |
 | [Project Summary](gh-agent-workflows/project-summary.md) | Daily schedule | Summarize recent activity and priorities |
 | [Release Update Check](gh-agent-workflows/release-update.md) | Weekly schedule | Open a PR updating pinned ai-github-actions workflow SHAs and suggest workflow changes |
+| [Resource Not Accessible By Integration Detector](gh-agent-workflows/resource-not-accessible-by-integration-fixer.md) | Daily schedule | Detect `Resource not accessible by integration` CI errors and file one combined tracking issue |
 | [Small Problem Fixer](gh-agent-workflows/small-problem-fixer.md) | Weekday schedule | Fix small, related issues and open a focused PR |
 | [Stale Issues](gh-agent-workflows/stale-issues.md) | Weekday schedule | Find resolved issues that can be closed |
 | [Test Improver](gh-agent-workflows/test-improver.md) | Weekly schedule | Add targeted tests and clean up redundant coverage |

diff --git a/gh-agent-workflows/README.md b/gh-agent-workflows/README.md
@@ -31,6 +31,7 @@ Pre-built workflows with domain-specific prompts. These import the same base fra
 - [Product Manager Impersonator](product-manager-impersonator/) — propose well-researched new feature ideas
 - [Refactor Opportunist](refactor-opportunist/) — pitch proven refactors with partial implementations
 - [Stale Issues](stale-issues/) — detect stale issues
+- [Resource Not Accessible By Integration Detector](resource-not-accessible-by-integration-fixer/) — detect `Resource not accessible by integration` CI errors and file one combined tracking issue
 
 **Fixers** (create PRs):
 - [Bug Exterminator](bug-exterminator/) — fix bug-hunter issues
@@ -80,3 +81,4 @@ workflows, or `--repo OWNER/REPO` when auto-detection is not available.
 - `breaking-change-detector`
 - `code-duplication-detector`
 - `update-pr-body`
+- `resource-not-accessible-by-integration-fixer`
diff --git a/gh-agent-workflows/resource-not-accessible-by-integration-fixer/README.md b/gh-agent-workflows/resource-not-accessible-by-integration-fixer/README.md
@@ -0,0 +1,83 @@
+# Resource Not Accessible By Integration Detector
+
+Daily detector that scans for `Resource not accessible by integration` errors across long-term branches and opens one combined tracking issue.
+
+## How it works
+
+Runs once every 24 hours (or manually). A prescan script runs before the agent prompt: it queries failed workflow runs from the configured look-back window on the default branch and any configured long-term (release) branches, downloads logs, searches for the exact error text `Resource not accessible by integration`, and writes matches to `/tmp/gh-aw/agent/resource-not-accessible-findings.tsv`. The agent then analyzes only those prescanned workflows and opens **one combined issue** with the results. If no matching failures are found, the run ends with `noop`.
+
+The generated issue:
+- includes grouped workflow/run links plus verbatim evidence lines;
+- provides a root-cause assessment and remediation guidance;
+- avoids reposting when an equivalent open issue already exists.
+
+## Quick Install
+
+```bash
+mkdir -p .github/workflows && curl -sL \
+  https://raw.githubusercontent.com/elastic/ai-github-actions/v0/gh-agent-workflows/resource-not-accessible-by-integration-fixer/example.yml \
+  -o .github/workflows/resource-not-accessible-by-integration-fixer.yml
+```
+
+See [example.yml](example.yml) for the full workflow file.
+
+## Trigger
+
+| Event | Schedule |
+| --- | --- |
+| `schedule` | Daily (06:00 UTC) |
+| `workflow_dispatch` | Manual |
+
+## Inputs
+
+| Input | Description | Required | Default |
+| --- | --- | --- | --- |
+| `long-term-branches` | Space-separated list of long-term branch names to scan in addition to the default branch (e.g. `'8.x 7.17'`) | No | `""` |
+| `look-back-days` | Number of days to look back when scanning failed workflow runs | No | `1` |
+| `issue-title-prefix` | Title prefix used for the combined issue and dedup checks | No | `[resource-not-accessible-by-integration]` |
+| `additional-instructions` | Repo-specific instructions appended to the agent prompt | No | `""` |
+| `setup-commands` | Shell commands run before the agent starts | No | `""` |
+| `allowed-bot-users` | Allowlisted bot actor usernames (comma-separated) | No | `github-actions[bot]` |
+
+## Safe Outputs
+
+- `create-issue` — open one combined issue with analysis for all affected workflows
+- `noop` — emitted when no matching failures are found
+
+## Behavior details
+
+| Scenario | Outcome |
+| --- | --- |
+| No `Resource not accessible by integration` failures in look-back window | `noop` — no issue opened |
+| One workflow fails on one branch | Combined issue includes one workflow entry |
+| Same workflow fails on multiple branches | Combined issue includes all affected branches/runs under one workflow |
+| Multiple distinct workflows fail | Combined issue includes all workflows in one report |
+| Findings already tracked by an open prefixed issue | `noop` — avoid duplicate repost |
+
+## External remediation instructions
+
+The agent fetches remediation instructions at runtime from:
+
+```
+https://raw.githubusercontent.com/elastic/observability-cicd/main/github-actions/actionable/alerts/app/prompts/accessible-by-integration.txt
+```
+
+If the fetch fails the agent falls back to the general principle of adding the minimum required `permissions` block to the failing workflow jobs.
+
+## Similar behavior with base Scheduled Audit
+
+If you prefer a generic setup, you can get similar behavior with [Scheduled Audit](../scheduled-audit/) by:
+- setting an issue title prefix dedicated to this error class,
+- adding instructions to prescan recent failed runs/logs for `Resource not accessible by integration`,
+- emitting one combined issue and `noop` when no findings or already tracked findings exist.
+
+## Required permissions
+
+The caller workflow must grant:
+
+```yaml
+permissions:
+  actions: read
+  contents: read
+  issues: write
+```