Skip to main content
One repo of reusable workflows and imported agentic workflows. Consumer repos write thin callers; GH-AW wrappers compile to locked workflows.
JacobPEvans/ai-workflows ships reusable GitHub Actions workflows (on: workflow_call:) and GitHub Agentic Workflow wrappers (.md source compiled to .lock.yml). The AI orchestration, prompts, provider routing, and rate guards live upstream; consumers declare triggers and inherit secrets.

Event-triggered workflows

These run on GitHub events. Wire one caller per workflow you want.
WorkflowTriggerWhat it does
issue-triage.ymlissues: [opened]Categorizes, deduplicates, labels new issues
issue-resolver.ymlissues: [opened]Creates a draft PR when the issue is well-scoped and not excluded by labels
ci-fix.ymlworkflow_run of your CI workflow, conclusion: failureReads the failed log, pushes a fix commit
project-router.ymlissues/pull_request: [opened, labeled]Routes items to GitHub Projects with smart field assignment
post-merge-docs-review.ymlpush: [main] → dispatchAfter merge, audits docs touched by the commit, creates fix PRs
post-merge-tests.ymlpush: [main] → dispatchAfter merge, analyzes the code changes and drafts targeted tests
issue-linker.ymlpull_request: [opened, closed]Links open issues to PRs on open; closes resolved issues on merge
notify-ai-pr.ymlpull_request: [opened] from a botSlack notification when an AI-authored PR opens

Scheduled workflows

These run on cron — typically called with schedule: and a manual workflow_dispatch:.
WorkflowDefault scheduleWhat it does
code-simplifier.ymlDaily 04:00 UTCDRY enforcement, dead code removal, drafts PRs
best-practices.ymlWeekly Wed 03:00 UTCAudit creating actionable recommendations
next-steps.ymlDaily 05:00 UTCAnalyzes merge momentum, suggests next logical action
issue-sweeper.ymlWeekly Mon 06:00 UTCScans open issues, comments on progress, closes resolved
issue-hygiene.ymlWeekly Mon 07:00 UTCDetects duplicates, links merged PRs, flags stale issues
label-sync.ymlWeekly Sun 05:00 UTCSyncs canonical labels from the .github repo to consumers
repo-orchestrator.ymlworkflow_dispatchMulti-repo hub-and-spoke dispatcher for ad-hoc operations
public-docs-updater.md / .lock.ymlDailyGH-AW import of GitHubNext doc-updater.md; scans dryvist public PR activity and updates this docs repo

How a reusable caller looks

A reusable-workflow caller is the smallest YAML that declares a trigger, sets permissions, and forwards to the upstream:
name: Issue Triage
on:
  issues:
    types: [opened]
permissions:
  contents: read
  id-token: write
  issues: write
jobs:
  run:
    uses: JacobPEvans/ai-workflows/.github/workflows/issue-triage.yml@main
    secrets: inherit
Permission shape varies per workflow — issue-resolver needs pull-requests: write, ci-fix needs actions: read, post-merge-* needs actions: write for the re-dispatch. The canonical caller templates list the exact permission block for each.

How a GH-AW import looks

GitHub Agentic Workflows are authored as Markdown and compiled:
---
engine: copilot
imports:
  - githubnext/agentics/workflows/doc-updater.md@main
on:
  schedule: daily
  workflow_dispatch:
---
public-docs-updater.md imports the GitHubNext doc updater, then adds local rules: scan dryvist public repos, include merged plus open/draft PR titles and descriptions, treat open work as in-progress only, and create one PR against docs.

Versioning

Per Dependency automation, consumers pin ai-workflows — and every dryvist/* reusable workflow — at @main, never a SHA or version pin. The SemVer tags still exist (@v0.15.1) and release-please keeps bumping them for the changelog and the per-run resolved-SHA audit trail, but callers ride @main so upstream fixes land immediately with no per-repo Renovate PR (the first-party immediate-propagation model). Every org scanner is configured to allow @main — see scanner posture.

Authentication

Reusable .yml workflows use a provider-agnostic GH_ACTION_AI_* namespace so you can swap providers, endpoints, or models at the org level without editing any caller.
NameKindPurpose
GH_ACTION_AI_API_KEYSecretYour provider’s API key. Required by all workflows.
GH_ACTION_AI_BASE_URLVariableProvider endpoint. Leave empty for direct Anthropic.
GH_ACTION_AI_MODELVariableGlobal default model name.
GH_ACTION_AI_MODEL_CODEVariableCode-generation tier (falls back to GH_ACTION_AI_MODEL).
GH_ACTION_AI_MODEL_ISSUESVariableIssue-management tier (falls back to GH_ACTION_AI_MODEL).
GH_ACTION_AI_MODEL_PLANVariableDeep-planning tier (falls back to GH_ACTION_AI_MODEL).
Set them at org level with the GitHub CLI:
gh secret   set GH_ACTION_AI_API_KEY   --org <your-org>   # paste your key
gh variable set GH_ACTION_AI_BASE_URL  --org <your-org> -b ""                       # empty = direct Anthropic
gh variable set GH_ACTION_AI_MODEL     --org <your-org> -b "claude-sonnet-4-6"
The same workflows run unchanged against any provider — only the org-level values change:
ProviderGH_ACTION_AI_API_KEYGH_ACTION_AI_BASE_URLExample model
Direct Anthropicstandard API key(empty)claude-sonnet-4-6
OpenRouterOpenRouter keyhttps://openrouter.ai/api/v1anthropic/claude-sonnet-4
Chutes.aiChutes keyChutes endpointprovider-specific name
OAuth tokens are prohibited in unattended CI. A Claude Code subscription token (CLAUDE_CODE_OAUTH_TOKEN) used inside a GitHub Actions workflow violates the Claude Code Terms of Service and risks an account ban — the subscription is intended for interactive sessions only. Use a standard API key (GH_ACTION_AI_API_KEY) instead; it is purpose-built for programmatic access with no ToS concerns.
GH-AW imports use the Copilot engine (the current public-docs-updater wrapper). Provider details and model configuration live in AUTHENTICATION.md.

Commit signing

cc-ci-fix (the CI auto-fixer) uses GitHub’s createCommitOnBranch GraphQL mutation to push fix commits — no local clone, no custom signing script. The mutation runs as the Actions bot (${{ github.token }}), so every fix commit lands web-flow-signed and attributed to github-actions[bot]. This works without any App credential on the consumer repo, and is compatible with repos that enforce signed commits. Other PR-writing workflows (issue-resolver, code-simplifier, post-merge-*) mint a JacobPEvans-claude GitHub App installation token and rely on use_commit_signing: true in the action. The App credentials (GH_APP_CLAUDE_BOT_PRIVATE_KEY, GH_APP_CLAUDE_BOT_ID) are distributed by secrets-sync to every repo in the _github_app_repos anchor.

Where to go next

Getting started

Caller templates for every workflow, with the correct permission blocks.

Patterns

The post-merge dispatch pattern, bot guards, and other recurring shapes.

Authentication

Full GH_ACTION_AI_* reference, provider routing, model variables, and GH-AW engine caveats.

Verification

The e2e runbook for checking a freshly-wired repo end to end.

Issue → PR pipeline on this repo

Exactly which six callers are wired on JacobPEvans/docs and why.

Secret distribution

How GH_ACTION_AI_API_KEY and the App credentials land on each consumer repo.