One repo of reusable workflows and imported agentic workflows. Consumer repos write thin callers; GH-AW wrappers compile to locked workflows.
JacobPEvans/ai-workflows ships reusable GitHub Actions workflows (on: workflow_call:) and GitHub Agentic Workflow wrappers (.md source compiled to .lock.yml). The AI orchestration, prompts, provider routing, and rate guards live upstream; consumers declare triggers and inherit secrets.
Event-triggered workflows
These run on GitHub events. Wire one caller per workflow you want.| Workflow | Trigger | What it does |
|---|---|---|
issue-triage.yml | issues: [opened] | Categorizes, deduplicates, labels new issues |
issue-resolver.yml | issues: [opened] | Creates a draft PR when the issue is well-scoped and not excluded by labels |
ci-fix.yml | workflow_run of your CI workflow, conclusion: failure | Reads the failed log, pushes a fix commit |
project-router.yml | issues/pull_request: [opened, labeled] | Routes items to GitHub Projects with smart field assignment |
post-merge-docs-review.yml | push: [main] → dispatch | After merge, audits docs touched by the commit, creates fix PRs |
post-merge-tests.yml | push: [main] → dispatch | After merge, analyzes the code changes and drafts targeted tests |
issue-linker.yml | pull_request: [opened, closed] | Links open issues to PRs on open; closes resolved issues on merge |
notify-ai-pr.yml | pull_request: [opened] from a bot | Slack notification when an AI-authored PR opens |
Scheduled workflows
These run on cron — typically called withschedule: and a manual workflow_dispatch:.
| Workflow | Default schedule | What it does |
|---|---|---|
code-simplifier.yml | Daily 04:00 UTC | DRY enforcement, dead code removal, drafts PRs |
best-practices.yml | Weekly Wed 03:00 UTC | Audit creating actionable recommendations |
next-steps.yml | Daily 05:00 UTC | Analyzes merge momentum, suggests next logical action |
issue-sweeper.yml | Weekly Mon 06:00 UTC | Scans open issues, comments on progress, closes resolved |
issue-hygiene.yml | Weekly Mon 07:00 UTC | Detects duplicates, links merged PRs, flags stale issues |
label-sync.yml | Weekly Sun 05:00 UTC | Syncs canonical labels from the .github repo to consumers |
repo-orchestrator.yml | workflow_dispatch | Multi-repo hub-and-spoke dispatcher for ad-hoc operations |
public-docs-updater.md / .lock.yml | Daily | GH-AW import of GitHubNext doc-updater.md; scans dryvist public PR activity and updates this docs repo |
How a reusable caller looks
A reusable-workflow caller is the smallest YAML that declares a trigger, sets permissions, and forwards to the upstream:issue-resolver needs pull-requests: write, ci-fix needs actions: read, post-merge-* needs actions: write for the re-dispatch. The canonical caller templates list the exact permission block for each.
How a GH-AW import looks
GitHub Agentic Workflows are authored as Markdown and compiled:public-docs-updater.md imports the GitHubNext doc updater, then adds local rules: scan dryvist public repos, include merged plus open/draft PR titles and descriptions, treat open work as in-progress only, and create one PR against docs.
Versioning
Per Dependency automation, consumers pinai-workflows — and every dryvist/* reusable workflow — at @main, never a SHA or version pin. The SemVer tags still exist (@v0.15.1) and release-please keeps bumping them for the changelog and the per-run resolved-SHA audit trail, but callers ride @main so upstream fixes land immediately with no per-repo Renovate PR (the first-party immediate-propagation model). Every org scanner is configured to allow @main — see scanner posture.
Authentication
Reusable.yml workflows use a provider-agnostic GH_ACTION_AI_* namespace so you can swap providers, endpoints, or models at the org level without editing any caller.
| Name | Kind | Purpose |
|---|---|---|
GH_ACTION_AI_API_KEY | Secret | Your provider’s API key. Required by all workflows. |
GH_ACTION_AI_BASE_URL | Variable | Provider endpoint. Leave empty for direct Anthropic. |
GH_ACTION_AI_MODEL | Variable | Global default model name. |
GH_ACTION_AI_MODEL_CODE | Variable | Code-generation tier (falls back to GH_ACTION_AI_MODEL). |
GH_ACTION_AI_MODEL_ISSUES | Variable | Issue-management tier (falls back to GH_ACTION_AI_MODEL). |
GH_ACTION_AI_MODEL_PLAN | Variable | Deep-planning tier (falls back to GH_ACTION_AI_MODEL). |
| Provider | GH_ACTION_AI_API_KEY | GH_ACTION_AI_BASE_URL | Example model |
|---|---|---|---|
| Direct Anthropic | standard API key | (empty) | claude-sonnet-4-6 |
| OpenRouter | OpenRouter key | https://openrouter.ai/api/v1 | anthropic/claude-sonnet-4 |
| Chutes.ai | Chutes key | Chutes endpoint | provider-specific name |
OAuth tokens are prohibited in unattended CI. A Claude Code subscription token (GH-AW imports use the Copilot engine (the currentCLAUDE_CODE_OAUTH_TOKEN) used inside a GitHub Actions workflow violates the Claude Code Terms of Service and risks an account ban — the subscription is intended for interactive sessions only. Use a standard API key (GH_ACTION_AI_API_KEY) instead; it is purpose-built for programmatic access with no ToS concerns.
public-docs-updater wrapper). Provider details and model configuration live in AUTHENTICATION.md.
Commit signing
cc-ci-fix (the CI auto-fixer) uses GitHub’s createCommitOnBranch GraphQL mutation to push fix commits — no local clone, no custom signing script. The mutation runs as the Actions bot (${{ github.token }}), so every fix commit lands web-flow-signed and attributed to github-actions[bot]. This works without any App credential on the consumer repo, and is compatible with repos that enforce signed commits.
Other PR-writing workflows (issue-resolver, code-simplifier, post-merge-*) mint a JacobPEvans-claude GitHub App installation token and rely on use_commit_signing: true in the action. The App credentials (GH_APP_CLAUDE_BOT_PRIVATE_KEY, GH_APP_CLAUDE_BOT_ID) are distributed by secrets-sync to every repo in the _github_app_repos anchor.
Where to go next
Getting started
Caller templates for every workflow, with the correct permission blocks.
Patterns
The post-merge dispatch pattern, bot guards, and other recurring shapes.
Authentication
Full
GH_ACTION_AI_* reference, provider routing, model variables, and GH-AW engine caveats.Verification
The e2e runbook for checking a freshly-wired repo end to end.
Issue → PR pipeline on this repo
Exactly which six callers are wired on
JacobPEvans/docs and why.Secret distribution
How
GH_ACTION_AI_API_KEY and the App credentials land on each consumer repo.