> ## Documentation Index > Fetch the complete documentation index at: https://docs.jacobpevans.com/llms.txt > Use this file to discover all available pages before exploring further. # ai-workflows > Reusable GitHub Actions workflows and GH-AW imports that turn issues into draft PRs, fix CI failures automatically, gate merges, and keep docs current. > One repo of reusable workflows and imported agentic workflows. Consumer repos write thin callers; GH-AW wrappers compile to locked workflows. [`JacobPEvans/ai-workflows`](https://github.com/JacobPEvans/ai-workflows) ships reusable GitHub Actions workflows (`on: workflow_call:`) and GitHub Agentic Workflow wrappers (`.md` source compiled to `.lock.yml`). The AI orchestration, prompts, provider routing, and rate guards live upstream; consumers declare triggers and inherit secrets. ## Event-triggered workflows These run on GitHub events. Wire one caller per workflow you want. | Workflow | Trigger | What it does | | ---------------------------- | --------------------------------------------------------- | --------------------------------------------------------------------------- | | `issue-triage.yml` | `issues: [opened]` | Categorizes, deduplicates, labels new issues | | `issue-resolver.yml` | `issues: [opened]` | Creates a draft PR when the issue is well-scoped and not excluded by labels | | `ci-fix.yml` | `workflow_run` of your CI workflow, `conclusion: failure` | Reads the failed log, pushes a fix commit | | `final-pr-review.yml` | `pull_request_review: [submitted]` | Final merge-readiness gate before human merge | | `project-router.yml` | `issues/pull_request: [opened, labeled]` | Routes items to GitHub Projects with smart field assignment | | `post-merge-docs-review.yml` | `push: [main]` → dispatch | After merge, audits docs touched by the commit, creates fix PRs | | `post-merge-tests.yml` | `push: [main]` → dispatch | After merge, analyzes the code changes and drafts targeted tests | | `issue-linker.yml` | `pull_request: [opened, closed]` | Links open issues to PRs on open; closes resolved issues on merge | | `notify-ai-pr.yml` | `pull_request: [opened]` from a bot | Slack notification when an AI-authored PR opens | ## Scheduled workflows These run on cron — typically called with `schedule:` and a manual `workflow_dispatch:`. | Workflow | Default schedule | What it does | | -------------------------------------- | -------------------- | ---------------------------------------------------------------------------------------------------------- | | `code-simplifier.yml` | Daily 04:00 UTC | DRY enforcement, dead code removal, drafts PRs | | `best-practices.yml` | Weekly Wed 03:00 UTC | Audit creating actionable recommendations | | `next-steps.yml` | Daily 05:00 UTC | Analyzes merge momentum, suggests next logical action | | `issue-sweeper.yml` | Weekly Mon 06:00 UTC | Scans open issues, comments on progress, closes resolved | | `issue-hygiene.yml` | Weekly Mon 07:00 UTC | Detects duplicates, links merged PRs, flags stale issues | | `label-sync.yml` | Weekly Sun 05:00 UTC | Syncs canonical labels from the `.github` repo to consumers | | `repo-orchestrator.yml` | `workflow_dispatch` | Multi-repo hub-and-spoke dispatcher for ad-hoc operations | | `public-docs-updater.md` / `.lock.yml` | Daily | GH-AW import of GitHubNext `doc-updater.md`; scans `dryvist` public PR activity and updates this docs repo | ## What's deprecated or disabled | Workflow | Status | Replacement | | --------------------- | ------------------------------------------------------------ | ------------------------------------ | | `claude-review.yml` | DEPRECATED 2026-04-04. All jobs gated `if: false`. | External Gemini + Copilot PR reviews | | `pr-issue-linker.yml` | Auto-triggers explicitly disabled (`workflow_dispatch` only) | `issue-linker.yml` | Wiring a caller for a deprecated workflow is a no-op — the consumer caller runs, the upstream silently skips. Don't. ## How a reusable caller looks A reusable-workflow caller is the smallest YAML that declares a trigger, sets permissions, and forwards to the upstream: ```yaml theme={null} name: Issue Triage on: issues: types: [opened] permissions: contents: read id-token: write issues: write jobs: run: uses: JacobPEvans/ai-workflows/.github/workflows/issue-triage.yml@main secrets: inherit ``` Permission shape varies per workflow — `issue-resolver` needs `pull-requests: write`, `ci-fix` needs `actions: read`, `post-merge-*` needs `actions: write` for the re-dispatch. The [canonical caller templates](https://github.com/JacobPEvans/ai-workflows/blob/main/docs/GETTING_STARTED.md) list the exact permission block for each. ## How a GH-AW import looks GitHub Agentic Workflows are authored as Markdown and compiled: ```yaml theme={null} --- engine: copilot imports: - githubnext/agentics/workflows/doc-updater.md@main on: schedule: daily workflow_dispatch: --- ``` `public-docs-updater.md` imports the GitHubNext doc updater, then adds local rules: scan `dryvist` public repos, include merged plus open/draft PR titles and descriptions, treat open work as in-progress only, and create one PR against `docs`. ## Versioning Per the [CI/CD policy](/infrastructure/cicd/policy#dependency-versioning), JacobPEvans self-references use `@main` or a major tag like `@v0` — never minor/patch pins. The full SemVer tags exist (`@v0.15.1`) and are tracked by Renovate, but consumers should ride a moving ref so upstream improvements land without a Renovate PR per repo. ## Authentication Reusable `.yml` workflows call [`anthropics/claude-code-action@v1`](https://github.com/anthropics/claude-code-action) through a shared wrapper action. The runtime contract is AI-agnostic: * `secrets.AI_TOKEN` — provider credential * `vars.AI_PROVIDER` — defaults to `claude_oauth` * `vars.AI_BASE_URL` or `secrets.AI_BASE_URL` — required only for OpenRouter or another Anthropic-compatible router * `vars.AI_MODEL*` — defaults to Claude `sonnet` OpenRouter is still supported, but it is not hardcoded: set `AI_PROVIDER=openrouter`, put the key in `AI_TOKEN`, set `AI_BASE_URL`, and choose the model with `AI_MODEL`. GH-AW imports are different. The current `public-docs-updater` wrapper uses the Copilot engine because GH-AW Claude does not support Claude OAuth tokens on the pinned compiler path. The provider matrix and GH-AW caveats live in [AUTHENTICATION.md](https://github.com/JacobPEvans/ai-workflows/blob/main/docs/AUTHENTICATION.md). ## Commit signing Every PR-writing reusable workflow mints a `JacobPEvans-claude` GitHub App installation token immediately before calling the action, then hands it in as `github_token` with `use_commit_signing: true`. Commits land web-flow-signed and attributed to the bot. The App credentials (`GH_APP_CLAUDE_BOT_PRIVATE_KEY`, `GH_APP_CLAUDE_BOT_ID`) are distributed by `secrets-sync` to every repo in the `_github_app_repos` anchor. ## Where to go next Caller templates for every workflow, with the correct permission blocks. The post-merge dispatch pattern, bot guards, and other recurring shapes. `AI_TOKEN`, provider routing, model variables, and GH-AW engine caveats. The e2e runbook for checking a freshly-wired repo end to end. Exactly which six callers are wired on `JacobPEvans/docs` and why. How `AI_TOKEN` and the App credentials land on each consumer repo.