Fix issue-to-PR handoff when created issue output is empty

.github/workflows/trigger-docs-patrol.yml

@@ -11,14 +11,35 @@ permissions:
   issues: write
   pull-requests: write
 
+  actions: read
 jobs:
   run:
     uses: ./.github/workflows/gh-aw-docs-patrol.lock.yml
     secrets:
       COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
 
-  create_pr_from_issue:
+  resolve_created_issue:
     needs: run
+    runs-on: ubuntu-slim
+    outputs:
+      created_issue_url: ${{ steps.resolve.outputs.created_issue_url }}
+    steps:
+      - name: Resolve created issue number
+        id: resolve
+        env:
+          CREATED_ISSUE_NUMBER: ${{ needs.run.outputs.created_issue_number }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPOSITORY: ${{ github.repository }}
+        run: |
+          number="$CREATED_ISSUE_NUMBER"
+          url=""
+          if [ -n "$number" ]; then
+            url="$(gh issue view "$number" --repo "$REPOSITORY" --json url --jq '.url')"
+          fi
+          echo "created_issue_url=$url" >> "$GITHUB_OUTPUT"
+
+  create_pr_from_issue:
+    needs: [run, resolve_created_issue]
     if: ${{ needs.run.outputs.created_issue_number != '' }}
     uses: ./.github/workflows/gh-aw-create-pr-from-issue.lock.yml
     with:

.github/workflows/trigger-framework-best-practices.yml

@@ -11,14 +11,35 @@ permissions:
   issues: write
   pull-requests: write
 
+  actions: read
 jobs:
   run:
     uses: ./.github/workflows/gh-aw-framework-best-practices.lock.yml
     secrets:
       COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
 
-  create_pr_from_issue:
+  resolve_created_issue:
     needs: run
+    runs-on: ubuntu-slim
+    outputs:
+      created_issue_url: ${{ steps.resolve.outputs.created_issue_url }}
+    steps:
+      - name: Resolve created issue number
+        id: resolve
+        env:
+          CREATED_ISSUE_NUMBER: ${{ needs.run.outputs.created_issue_number }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPOSITORY: ${{ github.repository }}
+        run: |
+          number="$CREATED_ISSUE_NUMBER"
+          url=""
+          if [ -n "$number" ]; then
+            url="$(gh issue view "$number" --repo "$REPOSITORY" --json url --jq '.url')"
+          fi
+          echo "created_issue_url=$url" >> "$GITHUB_OUTPUT"
+
+  create_pr_from_issue:
+    needs: [run, resolve_created_issue]
     if: ${{ needs.run.outputs.created_issue_number != '' }}
     uses: ./.github/workflows/gh-aw-create-pr-from-issue.lock.yml
     with:

.github/workflows/trigger-text-auditor.yml

@@ -11,6 +11,7 @@ permissions:
   issues: write
   pull-requests: write
 
+  actions: read
 jobs:
   run:
     uses: ./.github/workflows/gh-aw-text-auditor.lock.yml
@@ -23,8 +24,28 @@ jobs:
     secrets:
       COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
 
-  create_pr_from_issue:
+  resolve_created_issue:
     needs: run
+    runs-on: ubuntu-slim
+    outputs:
+      created_issue_url: ${{ steps.resolve.outputs.created_issue_url }}
+    steps:
+      - name: Resolve created issue number
+        id: resolve
+        env:
+          CREATED_ISSUE_NUMBER: ${{ needs.run.outputs.created_issue_number }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPOSITORY: ${{ github.repository }}
+        run: |
+          number="$CREATED_ISSUE_NUMBER"
+          url=""
+          if [ -n "$number" ]; then
+            url="$(gh issue view "$number" --repo "$REPOSITORY" --json url --jq '.url')"
+          fi
+          echo "created_issue_url=$url" >> "$GITHUB_OUTPUT"
+
+  create_pr_from_issue:
+    needs: [run, resolve_created_issue]
     if: ${{ needs.run.outputs.created_issue_number != '' }}
     uses: ./.github/workflows/gh-aw-create-pr-from-issue.lock.yml
     with:

scripts/dogfood.sh

@@ -110,13 +110,53 @@ for f in gh-agent-workflows/*/example.yml; do
     [[ "$dir" == "$remediation" ]] && add_remediation=true && break
   done
   if [[ "$add_remediation" == "true" ]]; then
-    # Ensure permissions allow downstream PR creation job.
-    sed -E 's/^([[:space:]]*contents: )read$/\1write/; s/^([[:space:]]*pull-requests: )read$/\1write/' "$target" > "$target.tmp" && mv "$target.tmp" "$target"
+    # Ensure permissions allow downstream PR creation job and artifact reads.
+    awk '
+      BEGIN { in_permissions=0; have_actions=0 }
+      /^permissions:/ { in_permissions=1; print; next }
+      in_permissions {
+        if (/^jobs:/) {
+          if (!have_actions) print "  actions: read"
+          in_permissions=0
+          print
+          next
+        }
+        if ($0 ~ /^  contents: /) sub(/read$/, "write")
+        if ($0 ~ /^  pull-requests: /) sub(/read$/, "write")
+        if ($0 ~ /^  actions: /) {
+          if ($0 ~ /none$/) sub(/none$/, "read")
+          have_actions=1
+        }
+        print
+        next
+      }
+      { print }
+    ' "$target" > "$target.tmp" && mv "$target.tmp" "$target"
 
     cat >> "$target" <<'EOF'
 
-  create_pr_from_issue:
+  resolve_created_issue:
     needs: run
+    runs-on: ubuntu-slim
+    outputs:
+      created_issue_url: ${{ steps.resolve.outputs.created_issue_url }}
+    steps:
+      - name: Resolve created issue number
+        id: resolve
+        env:
+          CREATED_ISSUE_NUMBER: ${{ needs.run.outputs.created_issue_number }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPOSITORY: ${{ github.repository }}
+        run: |
+          number="$CREATED_ISSUE_NUMBER"
+          url=""
+          if [ -n "$number" ]; then
+            url="$(gh issue view "$number" --repo "$REPOSITORY" --json url --jq '.url')"
+          fi
+          echo "created_issue_url=$url" >> "$GITHUB_OUTPUT"
+
+  create_pr_from_issue:
+    needs: [run, resolve_created_issue]
     if: ${{ needs.run.outputs.created_issue_number != '' }}
     uses: ./.github/workflows/gh-aw-create-pr-from-issue.lock.yml
     with: