f6b499a9d4
## Summary This PR sets up GitHub Agentic Workflows (GH-AW) and installs shared PR review workflows in `pulumi/pulumi-docker-build`. ### Commands Executed - `gh-aw version` → `v0.56.2` (used as entrypoint) - `gh-aw init` → ran (`.github/aw/` was not present) - `gh-aw add pulumi-labs/gh-aw-internal/.github/workflows/gh-aw-pr-review.md@main --name docker-build-pr-review --force` - `gh-aw add pulumi-labs/gh-aw-internal/.github/workflows/gh-aw-pr-rereview.md@main --name docker-build-pr-rereview --force` - `gh-aw compile` - `gh-aw validate` ### Configuration | Property | Value | |---|---| | AW entrypoint | `gh-aw` (v0.56.2) | | Target base branch | `main` | | `prefix_stem` | `docker-build` | | `gh-aw init` | Ran (was not previously initialized) | ### Changed Files - `.gitattributes` — added `merge=ours` strategy for `.github/workflows/*.lock.yml` - `.github/agents/agentic-workflows.agent.md` — created by `gh-aw init` - `.github/workflows/copilot-setup-steps.yml` — generated dependency workflow - `.github/workflows/docker-build-pr-review.md` — shared PR review workflow source - `.github/workflows/docker-build-pr-review.lock.yml` — compiled lock file - `.github/workflows/docker-build-pr-rereview.md` — shared PR re-review workflow source - `.github/workflows/docker-build-pr-rereview.lock.yml` — compiled lock file - `.github/workflows/shared/review.md` — imported shared workflow - `.github/workflows/shared/plugins/code-review/code-review.md` — imported shared plugin ### Validation Output **compile:** ```` ⚠ Compiled 2 workflow(s): 0 error(s), 2 warning(s) ``` **validate:** ``` ⚠ Compiled 2 workflow(s): 0 error(s), 2 warning(s) ``` ### Validation Warnings Both workflows produced the same non-blocking warning: ``` warning: This workflow grants id-token: write permission OIDC tokens can authenticate to cloud providers (AWS, Azure, GCP). Ensure proper audience validation and trust policies are configured. ```` These warnings are expected for the shared review workflows which use OIDC for cloud authentication and are non-blocking. --- Rollout triggered by [provider-ops#41](https://github.com/pulumi/provider-ops/issues/41). > Generated by [Generic Rollout Worker](https://github.com/pulumi/provider-ops/actions/runs/23014445857) · [◷](https://github.com/search?q=repo%3Apulumi%2Fpulumi-docker-build+%22gh-aw-workflow-id%3A+gh-aw-workflow-rollout-worker%22&type=pullrequests) <!-- gh-aw-agentic-workflow: Generic Rollout Worker, engine: claude, id: 23014445857, workflow_id: gh-aw-workflow-rollout-worker, run: https://github.com/pulumi/provider-ops/actions/runs/23014445857 --> <!-- gh-aw-workflow-id: gh-aw-workflow-rollout-worker --> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
69 lines
3.1 KiB
Markdown
69 lines
3.1 KiB
Markdown
---
|
|
permissions:
|
|
contents: read
|
|
pull-requests: read
|
|
id-token: write
|
|
engine:
|
|
id: claude
|
|
env:
|
|
ANTHROPIC_API_KEY: ${{ steps.esc-secrets.outputs.ANTHROPIC_API_KEY || '__GH_AW_ACTIVATION_PLACEHOLDER__' }}
|
|
steps:
|
|
- env:
|
|
ESC_ACTION_ENVIRONMENT: imports/github-secrets
|
|
ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
|
|
ESC_ACTION_OIDC_AUTH: "true"
|
|
ESC_ACTION_OIDC_ORGANIZATION: pulumi
|
|
ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
|
|
id: esc-secrets
|
|
name: Fetch secrets from ESC
|
|
uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
|
|
- name: Validate ESC secret output
|
|
env:
|
|
ANTHROPIC_API_KEY_FROM_ESC: ${{ steps.esc-secrets.outputs.ANTHROPIC_API_KEY }}
|
|
run: |
|
|
test -n "$ANTHROPIC_API_KEY_FROM_ESC" || {
|
|
echo "ESC did not return ANTHROPIC_API_KEY";
|
|
exit 1;
|
|
}
|
|
tools:
|
|
cache-memory: true
|
|
github:
|
|
lockdown: false
|
|
toolsets: [pull_requests, repos]
|
|
safe-outputs:
|
|
create-pull-request-review-comment:
|
|
max: 12
|
|
side: "RIGHT"
|
|
target: "${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }}"
|
|
target-repo: "${{ github.repository }}"
|
|
submit-pull-request-review:
|
|
max: 1
|
|
target: "${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }}"
|
|
noop:
|
|
max: 1
|
|
messages:
|
|
footer: "> Reviewed by [{workflow_name}]({run_url})"
|
|
run-started: "Started automated PR review for #${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }}."
|
|
run-success: "Finished automated PR review for #${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }}."
|
|
run-failure: "Automated PR review failed for #${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }} ({status})."
|
|
---
|
|
|
|
|
|
Review pull request #${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }} in repository `${{ github.repository }}`.
|
|
|
|
Workflow-specific rules:
|
|
- Use `${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }}` as the authoritative PR target.
|
|
- Treat the imported review prompt as the source of the review procedure.
|
|
- Use only gh-aw safe outputs for side effects:
|
|
- `create-pull-request-review-comment` for actionable inline findings on changed lines
|
|
- `submit-pull-request-review` for the final review
|
|
- `noop` when the PR is not reviewable or required context is missing
|
|
- Submit exactly one final review:
|
|
- `REQUEST_CHANGES` when at least one blocking issue exists.
|
|
- `APPROVE` otherwise, including when only non-blocking observations exist.
|
|
- Do not submit `COMMENT` as the final review state.
|
|
- Do not post free-form issue comments outside safe outputs.
|
|
- Respect the configured inline comment limit and prioritize the highest-signal unique findings.
|
|
- Use cache-memory only as a best-effort continuity aid; live PR state and current review threads are authoritative.
|
|
- Ignore discovery steps intended for runs without PR context.
|