chore: sync workflow templates #317

Merged: stranske merged 1 commit into main from sync/workflows-6adbaf966a8d on Mar 3, 2026

@stranske stranske commented Mar 2, 2026

Sync Summary

Files Updated

  • agents-pr-health.yml: PR health scanner - periodic conflict resolution and failing check re-dispatch
  • maint-76-claude-code-review.yml: Claude Code review (opt-in) - runs only on labeled PRs or manual dispatch

Files Skipped

  • pr-00-gate.yml: File exists and sync_mode is create_only
  • ci.yml: File exists and sync_mode is create_only
  • dependabot.yml: File exists and sync_mode is create_only
  • llm_slots.json: None

Review Checklist

  • CI passes with updated workflows
  • No repo-specific customizations were overwritten

Source: stranske/Workflows
Manifest: .github/sync-manifest.yml

Automated sync from stranske/Workflows
Template hash: 6adbaf966a8d

Changes synced from sync-manifest.yml
Copilot AI review requested due to automatic review settings March 2, 2026 23:59
@stranske stranske added the sync and automated labels (both "Automated sync from Workflows") Mar 2, 2026
@stranske stranske temporarily deployed to agent-standard March 2, 2026 23:59 — with GitHub Actions Inactive
@stranske stranske temporarily deployed to agent-standard March 2, 2026 23:59 — with GitHub Actions Inactive
@stranske stranske temporarily deployed to agent-standard March 3, 2026 00:00 — with GitHub Actions Inactive
@stranske stranske temporarily deployed to agent-standard March 3, 2026 00:01 — with GitHub Actions Inactive
@agents-workflows-bot

⚠️ Action Required: Unable to determine source issue for PR #317. The PR title, branch name, or body must contain the issue number (e.g. #123, branch: issue-123, or the hidden marker ).

stranske-keepalive bot commented Mar 3, 2026

🤖 Keepalive Loop Status

PR #317 | Agent: Codex | Iteration 0/5

Current State

| Metric | Value |
|---|---|
| Iteration progress | [----------] 0/5 |
| Action | wait (missing-agent-label) |
| Disposition | skipped (transient) |
| Gate | success |
| Tasks | 0/6 complete |
| Timeout | 45 min (default) |
| Timeout usage | 7m elapsed (16%, 38m remaining) |
| Keepalive | ❌ disabled |
| Autofix | ❌ disabled |

🔍 Failure Classification

| Error type | infrastructure |
| Error category | resource |
| Suggested recovery | Confirm the referenced resource exists (repo, PR, branch, workflow, or file). |

stranske-keepalive bot commented Mar 3, 2026

Keepalive Work Log

| # | Time (UTC) | Agent | Action | Result | Files | Tasks | Progress | Commit | Gate |
|---|---|---|---|---|---|---|---|---|---|
| 0 | 2026-03-03 00:03:08 | Codex | wait (missing-agent-label-transient) | skipped | 0 | 0/6 | | | |
| 0 | 2026-03-03 00:04:52 | Codex | wait (missing-agent-label-transient) | skipped | 0 | 0/6 | | | cancelled |
| 0 | 2026-03-03 00:07:46 | Codex | wait (missing-agent-label-transient) | skipped | 0 | 0/6 | | | success |

Copilot AI left a comment

Pull request overview

Syncs in updated GitHub Actions workflow templates from stranske/Workflows, adding an opt-in Claude Code review workflow and adjusting the PR health wrapper’s input passing to the reusable workflow.

Changes:

  • Added .github/workflows/maint-76-claude-code-review.yml to run Claude Code review only when opted-in via label or manual dispatch.
  • Updated .github/workflows/agents-pr-health.yml to pass reusable-workflow inputs using explicit 'true'/'false' string patterns and string defaults.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

| File | Description |
|---|---|
| .github/workflows/maint-76-claude-code-review.yml | New opt-in Claude Code Review workflow with label/manual dispatch gating, secret detection, and an integrity guard. |
| .github/workflows/agents-pr-health.yml | Adjusts with: values passed into the reusable PR health workflow (notably boolean/string coercions and defaults). |

Comment on lines +102 to +103
echo "workflow_unchanged=true" >>"$GITHUB_OUTPUT"
exit 0

Copilot AI Mar 3, 2026

In the workflow-integrity guard, github.base_ref is empty for workflow_dispatch, so the step unconditionally sets workflow_unchanged=true and allows the secrets-gated jobs to run even when this workflow file was modified on the dispatched ref. This defeats the “workflow must match default branch to safely access secrets” intent for manual dispatch; consider comparing the file against the repository default branch for workflow_dispatch too (or failing closed unless github.ref_name is the default branch).

Suggested change
echo "workflow_unchanged=true" >>"$GITHUB_OUTPUT"
exit 0
echo "github.base_ref is empty; resolving repository default branch from origin/HEAD"
# Ensure we have the remote HEAD reference so we can determine the default branch.
git fetch --no-tags origin '+HEAD:refs/remotes/origin/HEAD'
# Resolve default branch name (strip the leading "origin/").
default_remote_head="$(git symbolic-ref --short refs/remotes/origin/HEAD || true)"
default_branch="${default_remote_head#origin/}"
if [ -z "$default_branch" ]; then
echo "Could not determine default branch; failing closed."
echo "workflow_unchanged=false" >>"$GITHUB_OUTPUT"
exit 0
fi
base_ref="$default_branch"
echo "Using default branch '${base_ref}' for workflow integrity check."

Copilot uses AI. Check for mistakes.
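
Review bot: the default-branch lookup in the suggested replacement above is unlikely to resolve on a runner. `git fetch --no-tags origin '+HEAD:refs/remotes/origin/HEAD'` stores the fetched commit as an ordinary ref, while `git symbolic-ref` only reads symbolic refs, so when the checkout has no symbolic origin/HEAD already, `default_remote_head` comes back empty (the error is swallowed by `|| true`) and the step writes workflow_unchanged=false on every manual dispatch. That fails closed, which is safe, but it turns the fallback into a permanent block; run `git remote set-head origin --auto` before the `git symbolic-ref` call, or take the branch name from `github.event.repository.default_branch`, and log the symbolic-ref failure instead of discarding it.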
Comment on lines +67 to +70
const labels = (pr.labels || []).map((label) => label.name);
if (labels.includes("claude-review")) {
shouldRun = "true";
reason = "label_opt_in";

Copilot AI Mar 3, 2026

resolve-target skips draft PRs for manual dispatch, but the pull_request path doesn’t check pr.draft. As written, adding the claude-review label to a draft PR will run the review (and spend tokens) on labeled/synchronize/reopened events; if drafts should be excluded, add the same pr.draft guard in the PR-event branch.

Suggested change
const labels = (pr.labels || []).map((label) => label.name);
if (labels.includes("claude-review")) {
shouldRun = "true";
reason = "label_opt_in";
if (pr.draft) {
reason = "pr_is_draft";
} else {
const labels = (pr.labels || []).map((label) => label.name);
if (labels.includes("claude-review")) {
shouldRun = "true";
reason = "label_opt_in";
}
Comment on lines +58 to +59
max_prs: ${{ inputs.max_prs || '10' }}
cron_interval_hours: ${{ vars.PR_HEALTH_INTERVAL_HOURS || '1' }}

Copilot AI Mar 3, 2026

max_prs is declared as a number input, but the expression ${{ inputs.max_prs || '10' }} returns a number when provided and a string when defaulting. If the called reusable workflow expects a consistent type (common when passing inputs across workflows), cast inputs.max_prs to string as well (or keep the value numeric by using a numeric default).
@stranske stranske merged commit 062696e into main Mar 3, 2026
109 of 117 checks passed
@stranske stranske deleted the sync/workflows-6adbaf966a8d branch March 3, 2026 00:19