
ci: check gh-aw workflow locks #90

Merged: mrjf merged 2 commits into main from codex/agentic-workflow-recompile-instructions, May 27, 2026

mrjf (Contributor) commented May 27, 2026

ci: check gh-aw workflow locks

TL;DR

Adds a focused CI check that recompiles agentic workflow sources and fails if .github/workflows changes afterward. Also adds a short root AGENTS.md reminder so agents know to run gh aw compile when editing workflow markdown.

Problem

  • Agentic workflow edits can update .github/workflows/*.md without the matching generated .lock.yml.
  • Existing APM self-checks catch APM-generated integration drift, but they do not prove gh-aw lock parity.
  • Agents need a root-level pointer for this repo-specific gh-aw expectation.

Approach

| File | Change |
| --- | --- |
| .github/workflows/gh-aw-lock-check.yml | Adds a pinned gh-aw v0.74.4 check that runs on PRs and pushes touching workflow sources or locks. |
| AGENTS.md | Adds concise root guidance to run gh aw compile and include regenerated .lock.yml files with workflow source changes. |

Implementation

The CI job checks out the repository, installs github/gh-aw-actions/setup-cli at v0.74.4, runs gh aw compile --no-check-update, then fails if git status --porcelain -- .github/workflows reports regenerated files. The root AGENTS.md note points agents at the same command and CI check.

```mermaid
flowchart LR
  A["Workflow source or lock changes"] --> B["CI runs gh aw compile"]
  B --> C{"Working tree changed?"}
  C -->|"No"| D["Pass"]
  C -->|"Yes"| E["Fail with stale-lock error"]
```

Trade-offs

  • Uses a standalone workflow rather than relying only on agent instructions, so humans and agents get the same enforcement.
  • Keeps AGENTS.md short and gh-aw-specific instead of reintroducing the generated instruction bundle.
  • Checks all of .github/workflows after compile to catch modified and untracked generated files.

Validation

  • /private/tmp/gh-aw-v0.74.4 compile --no-check-update
  • git diff --check
  • git diff --cached --check
  • ruby -e "require 'yaml'; YAML.load_file('.github/workflows/gh-aw-lock-check.yml'); puts 'yaml ok'"

How to test

  1. Edit .github/workflows/crane.md without committing the regenerated lock.
  2. Open a PR.
  3. Confirm gh-aw lock check / Verify gh-aw locks fails and asks for gh aw compile.

@mrjf mrjf force-pushed the codex/agentic-workflow-recompile-instructions branch from 878033c to 0dd9d54 May 27, 2026 16:14
@mrjf mrjf changed the title from "docs: add agentic workflow recompile SOP" to "ci: check gh-aw workflow locks" May 27, 2026
@mrjf mrjf merged commit 8b87e58 into main May 27, 2026
8 checks passed
@mrjf mrjf deleted the codex/agentic-workflow-recompile-instructions branch May 27, 2026 16:19
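
The drift check described under Implementation and Trade-offs, as an added shell example that is not the PR's workflow file or the project's code. The function names `classify_drift` and `verify_locks` are hypothetical, and the sketch assumes `gh aw compile --no-check-update` has already run in the checkout.

```shell
#!/bin/sh
# Added example, not the PR's workflow file. Function names are hypothetical.

# Classify `git status --porcelain` (v1) lines read from stdin.
# Each line is a two-character status, one space, then the path.
# Prints one line per drifted path; returns 1 on any drift, 0 when clean.
classify_drift() {
    drift=0
    while IFS= read -r line; do       # IFS= keeps the leading space of " M"
        [ -n "$line" ] || continue
        xy=${line%"${line#??}"}       # two-character status field
        file=${line#???}              # path after the separating space
        case "$xy" in
            '??') kind="untracked (generated file never committed)" ;;
            *D*)  kind="deleted by compile" ;;
            *)    kind="modified (committed lock is stale)" ;;
        esac
        printf '%s: %s\n' "$file" "$kind"
        drift=1
    done
    return "$drift"
}

# Run in the checkout after the compile step. `git status --porcelain` is
# used because `git diff --exit-code` does not report untracked files, so a
# new lock that was never committed would pass unnoticed.
verify_locks() {
    if git status --porcelain -- .github/workflows | classify_drift; then
        echo "gh-aw locks are up to date"
    else
        echo "stale gh-aw lock: run 'gh aw compile' and commit the result" >&2
        return 1
    fi
}
```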