One repo of reusable workflows and imported agentic workflows. Consumer repos write thin callers; GH-AW wrappers compile to locked workflows.
JacobPEvans/ai-workflows ships reusable GitHub Actions workflows (on: workflow_call:) and GitHub Agentic Workflow wrappers (.md source compiled to .lock.yml). The AI orchestration, prompts, provider routing, and rate guards live upstream; consumers declare triggers and inherit secrets.

Event-triggered workflows

These run on GitHub events. Wire one caller per workflow you want.

| Workflow | Trigger | What it does |
| --- | --- | --- |
| issue-triage.yml | issues: [opened] | Categorizes, deduplicates, labels new issues |
| issue-resolver.yml | issues: [opened] | Creates a draft PR when the issue is well-scoped and not excluded by labels |
| ci-fix.yml | workflow_run of your CI workflow, conclusion: failure | Reads the failed log, pushes a fix commit |
| final-pr-review.yml | pull_request_review: [submitted] | Final merge-readiness gate before human merge |
| project-router.yml | issues/pull_request: [opened, labeled] | Routes items to GitHub Projects with smart field assignment |
| post-merge-docs-review.yml | push: [main] → dispatch | After merge, audits docs touched by the commit, creates fix PRs |
| post-merge-tests.yml | push: [main] → dispatch | After merge, analyzes the code changes and drafts targeted tests |
| issue-linker.yml | pull_request: [opened, closed] | Links open issues to PRs on open; closes resolved issues on merge |
| notify-ai-pr.yml | pull_request: [opened] from a bot | Slack notification when an AI-authored PR opens |

Scheduled workflows

These run on cron — typically called with schedule: and a manual workflow_dispatch:.

| Workflow | Default schedule | What it does |
| --- | --- | --- |
| code-simplifier.yml | Daily 04:00 UTC | DRY enforcement, dead code removal, drafts PRs |
| best-practices.yml | Weekly Wed 03:00 UTC | Audit creating actionable recommendations |
| next-steps.yml | Daily 05:00 UTC | Analyzes merge momentum, suggests next logical action |
| issue-sweeper.yml | Weekly Mon 06:00 UTC | Scans open issues, comments on progress, closes resolved |
| issue-hygiene.yml | Weekly Mon 07:00 UTC | Detects duplicates, links merged PRs, flags stale issues |
| label-sync.yml | Weekly Sun 05:00 UTC | Syncs canonical labels from the .github repo to consumers |
| repo-orchestrator.yml | workflow_dispatch | Multi-repo hub-and-spoke dispatcher for ad-hoc operations |
| public-docs-updater.md / .lock.yml | Daily | GH-AW import of GitHubNext doc-updater.md; scans dryvist public PR activity and updates this docs repo |

What’s deprecated or disabled

| Workflow | Status | Replacement |
| --- | --- | --- |
| claude-review.yml | DEPRECATED 2026-04-04. All jobs gated if: false. | External Gemini + Copilot PR reviews |
| pr-issue-linker.yml | Auto-triggers explicitly disabled (workflow_dispatch only) | issue-linker.yml |

Wiring a caller for a deprecated workflow is a no-op — the consumer caller runs, the upstream silently skips. Don’t.

How a reusable caller looks

A reusable-workflow caller is the smallest YAML that declares a trigger, sets permissions, and forwards to the upstream:
name: Issue Triage
on:
  issues:
    types: [opened]
permissions:
  contents: read
  id-token: write
  issues: write
jobs:
  run:
    uses: JacobPEvans/ai-workflows/.github/workflows/issue-triage.yml@main
    secrets: inherit
Permission shape varies per workflow — issue-resolver needs pull-requests: write, ci-fix needs actions: read, post-merge-* needs actions: write for the re-dispatch. The canonical caller templates list the exact permission block for each.

How a GH-AW import looks

GitHub Agentic Workflows are authored as Markdown and compiled:
---
engine: copilot
imports:
  - githubnext/agentics/workflows/doc-updater.md@main
on:
  schedule: daily
  workflow_dispatch:
---
public-docs-updater.md imports the GitHubNext doc updater, then adds local rules: scan dryvist public repos, include merged plus open/draft PR titles and descriptions, treat open work as in-progress only, and create one PR against docs.

Versioning

Per the CI/CD policy, JacobPEvans self-references use @main or a major tag like @v0 — never minor/patch pins. The full SemVer tags exist (@v0.15.1) and are tracked by Renovate, but consumers should ride a moving ref so upstream improvements land without a Renovate PR per repo.
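
A lint check for two rules on this page (callers of deprecated upstreams are a no-op; self-references use @main or a major tag, never minor/patch pins), added here as an illustration and not part of the ai-workflows repo. The finding names, the regex-based parsing, and the file-level secrets: inherit check are assumptions of this sketch; the informational finding records that a moving ref combined with secrets: inherit gives upstream changes access to every caller secret.

```python
import re

# Names taken from this page; the linter itself is an added illustration.
UPSTREAM = "JacobPEvans/ai-workflows/.github/workflows/"
DEPRECATED = {"claude-review.yml", "pr-issue-linker.yml"}
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)
INHERIT_RE = re.compile(r"^\s*secrets:\s*inherit\s*(?:#.*)?$", re.MULTILINE)


def classify_ref(ref):
    """Classify the part after '@' in a uses: reference."""
    if ref == "main":
        return "branch"
    if re.fullmatch(r"v\d+", ref):
        return "major-tag"
    if re.fullmatch(r"v\d+\.\d+(\.\d+)?", ref):
        return "minor-patch-pin"
    if re.fullmatch(r"[0-9a-f]{40}", ref):
        return "sha-pin"
    return "other"


def lint_caller(yaml_text):
    """Return sorted (workflow, finding) pairs for one caller file."""
    findings = set()
    inherits = bool(INHERIT_RE.search(yaml_text))  # file-level check
    for target in USES_RE.findall(yaml_text):
        if not target.startswith(UPSTREAM):
            continue  # third-party actions are out of scope here
        path, _, ref = target.partition("@")
        name = path[len(UPSTREAM):]
        kind = classify_ref(ref)
        if name in DEPRECATED:
            findings.add((name, "deprecated-upstream"))
        if kind not in ("branch", "major-tag"):
            findings.add((name, "ref-outside-policy:" + kind))
        elif inherits:
            # Moving ref + inherited secrets: flag it for the reviewer.
            findings.add((name, "info:moving-ref-inherits-secrets"))
    return sorted(findings)


# Constructed sample callers (not files from any real repository).
GOOD = """jobs:
  run:
    uses: JacobPEvans/ai-workflows/.github/workflows/issue-triage.yml@main
    secrets: inherit
"""
BAD = GOOD.replace("issue-triage.yml@main", "claude-review.yml@v0.15.1")
```

Run lint_caller over each file under .github/workflows/ in a consumer repo; an empty list means the caller targets a live upstream on a policy-compliant ref without inheriting secrets.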

Authentication

Reusable .yml workflows call anthropics/claude-code-action@v1 through a shared wrapper action. The runtime contract is AI-agnostic:
  • secrets.AI_TOKEN — provider credential
  • vars.AI_PROVIDER — defaults to claude_oauth
  • vars.AI_BASE_URL or secrets.AI_BASE_URL — required only for OpenRouter or another Anthropic-compatible router
  • vars.AI_MODEL* — defaults to Claude sonnet
OpenRouter is still supported, but it is not hardcoded: set AI_PROVIDER=openrouter, put the key in AI_TOKEN, set AI_BASE_URL, and choose the model with AI_MODEL.

GH-AW imports are different. The current public-docs-updater wrapper uses the Copilot engine because GH-AW Claude does not support Claude OAuth tokens on the pinned compiler path. The provider matrix and GH-AW caveats live in AUTHENTICATION.md.

Commit signing

Every PR-writing reusable workflow mints a JacobPEvans-claude GitHub App installation token immediately before calling the action, then hands it in as github_token with use_commit_signing: true. Commits land web-flow-signed and attributed to the bot. The App credentials (GH_APP_CLAUDE_BOT_PRIVATE_KEY, GH_APP_CLAUDE_BOT_ID) are distributed by secrets-sync to every repo in the _github_app_repos anchor.

Where to go next

Getting started

Caller templates for every workflow, with the correct permission blocks.

Patterns

The post-merge dispatch pattern, bot guards, and other recurring shapes.

Authentication

AI_TOKEN, provider routing, model variables, and GH-AW engine caveats.

Verification

The e2e runbook for checking a freshly-wired repo end to end.

Issue → PR pipeline on this repo

Exactly which six callers are wired on JacobPEvans/docs and why.

Secret distribution

How AI_TOKEN and the App credentials land on each consumer repo.