[rollout] Set up GH-AW and install shared PR review workflows (#794)

## Summary This PR sets up GitHub Agentic Workflows (GH-AW) and installs shared PR review workflows in `pulumi/pulumi-docker-build`. ### Commands Executed - `gh-aw version` → `v0.56.2` (used as entrypoint) - `gh-aw init` → ran (`.github/aw/` was not present) - `gh-aw add pulumi-labs/gh-aw-internal/.github/workflows/gh-aw-pr-review.md@main --name docker-build-pr-review --force` - `gh-aw add pulumi-labs/gh-aw-internal/.github/workflows/gh-aw-pr-rereview.md@main --name docker-build-pr-rereview --force` - `gh-aw compile` - `gh-aw validate` ### Configuration | Property | Value | |---|---| | AW entrypoint | `gh-aw` (v0.56.2) | | Target base branch | `main` | | `prefix_stem` | `docker-build` | | `gh-aw init` | Ran (was not previously initialized) | ### Changed Files - `.gitattributes` — added `merge=ours` strategy for `.github/workflows/*.lock.yml` - `.github/agents/agentic-workflows.agent.md` — created by `gh-aw init` - `.github/workflows/copilot-setup-steps.yml` — generated dependency workflow - `.github/workflows/docker-build-pr-review.md` — shared PR review workflow source - `.github/workflows/docker-build-pr-review.lock.yml` — compiled lock file - `.github/workflows/docker-build-pr-rereview.md` — shared PR re-review workflow source - `.github/workflows/docker-build-pr-rereview.lock.yml` — compiled lock file - `.github/workflows/shared/review.md` — imported shared workflow - `.github/workflows/shared/plugins/code-review/code-review.md` — imported shared plugin ### Validation Output **compile:** ```` ⚠ Compiled 2 workflow(s): 0 error(s), 2 warning(s) ``` **validate:** ``` ⚠ Compiled 2 workflow(s): 0 error(s), 2 warning(s) ``` ### Validation Warnings Both workflows produced the same non-blocking warning: ``` warning: This workflow grants id-token: write permission OIDC tokens can authenticate to cloud providers (AWS, Azure, GCP). Ensure proper audience validation and trust policies are configured. ```` These warnings are expected for the shared review workflows which use OIDC for cloud authentication and are non-blocking. --- Rollout triggered by [provider-ops#41](https://github.com/pulumi/provider-ops/issues/41). > Generated by [Generic Rollout Worker](https://github.com/pulumi/provider-ops/actions/runs/23014445857) · [◷](https://github.com/search?q=repo%3Apulumi%2Fpulumi-docker-build+%22gh-aw-workflow-id%3A+gh-aw-workflow-rollout-worker%22&type=pullrequests)   Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-12 19:25:04 +00:00
parent a8af1bfb5d
commit f6b499a9d4
9 changed files with 2899 additions and 0 deletions
--- a/.github/workflows/shared/review.md
+++ b/.github/workflows/shared/review.md
@@ -0,0 +1,68 @@
+---
+permissions:
+  contents: read
+  pull-requests: read
+  id-token: write
+engine:
+  id: claude
+  env:
+    ANTHROPIC_API_KEY: ${{ steps.esc-secrets.outputs.ANTHROPIC_API_KEY || '__GH_AW_ACTIVATION_PLACEHOLDER__' }}
+steps:
+  - env:
+      ESC_ACTION_ENVIRONMENT: imports/github-secrets
+      ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+      ESC_ACTION_OIDC_AUTH: "true"
+      ESC_ACTION_OIDC_ORGANIZATION: pulumi
+      ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+    id: esc-secrets
+    name: Fetch secrets from ESC
+    uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+  - name: Validate ESC secret output
+    env:
+      ANTHROPIC_API_KEY_FROM_ESC: ${{ steps.esc-secrets.outputs.ANTHROPIC_API_KEY }}
+    run: |
+      test -n "$ANTHROPIC_API_KEY_FROM_ESC" || {
+        echo "ESC did not return ANTHROPIC_API_KEY";
+        exit 1;
+      }
+tools:
+  cache-memory: true
+  github:
+    lockdown: false
+    toolsets: [pull_requests, repos]
+safe-outputs:
+  create-pull-request-review-comment:
+    max: 12
+    side: "RIGHT"
+    target: "${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }}"
+    target-repo: "${{ github.repository }}"
+  submit-pull-request-review:
+    max: 1
+    target: "${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }}"
+  noop:
+    max: 1
+  messages:
+    footer: "> Reviewed by [{workflow_name}]({run_url})"
+    run-started: "Started automated PR review for #${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }}."
+    run-success: "Finished automated PR review for #${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }}."
+    run-failure: "Automated PR review failed for #${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }} ({status})."
+---
+
+
+Review pull request #${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }} in repository `${{ github.repository }}`.
+
+Workflow-specific rules:
+- Use `${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }}` as the authoritative PR target.
+- Treat the imported review prompt as the source of the review procedure.
+- Use only gh-aw safe outputs for side effects:
+  - `create-pull-request-review-comment` for actionable inline findings on changed lines
+  - `submit-pull-request-review` for the final review
+  - `noop` when the PR is not reviewable or required context is missing
+- Submit exactly one final review:
+  - `REQUEST_CHANGES` when at least one blocking issue exists.
+  - `APPROVE` otherwise, including when only non-blocking observations exist.
+  - Do not submit `COMMENT` as the final review state.
+- Do not post free-form issue comments outside safe outputs.
+- Respect the configured inline comment limit and prioritize the highest-signal unique findings.
+- Use cache-memory only as a best-effort continuity aid; live PR state and current review threads are authoritative.
+- Ignore discovery steps intended for runs without PR context.