> ## Documentation Index
> Fetch the complete documentation index at: https://docs.jacobpevans.com/llms.txt
> Use this file to discover all available pages before exploring further.

# AI workflows

> Reusable GitHub Actions workflows and GH-AW imports that turn issues into draft PRs, fix CI failures automatically, gate merges, and keep docs current.

> One repo of reusable workflows and imported agentic workflows. Consumer repos write thin callers; GH-AW wrappers compile to locked workflows.

[`JacobPEvans/ai-workflows`](https://github.com/JacobPEvans/ai-workflows) ships reusable GitHub Actions workflows (`on: workflow_call:`) and GitHub Agentic Workflow wrappers (`.md` source compiled to `.lock.yml`). The AI orchestration, prompts, provider routing, and rate guards live upstream; consumers declare triggers and inherit secrets.

## Event-triggered workflows

These run on GitHub events. Wire one caller per workflow you want.

| Workflow                     | Trigger                                                   | What it does                                                                |
| ---------------------------- | --------------------------------------------------------- | --------------------------------------------------------------------------- |
| `issue-triage.yml`           | `issues: [opened]`                                        | Categorizes, deduplicates, labels new issues                                |
| `issue-resolver.yml`         | `issues: [opened]`                                        | Creates a draft PR when the issue is well-scoped and not excluded by labels |
| `ci-fix.yml`                 | `workflow_run` of your CI workflow, `conclusion: failure` | Reads the failed log, pushes a fix commit                                   |
| `project-router.yml`         | `issues/pull_request: [opened, labeled]`                  | Routes items to GitHub Projects with smart field assignment                 |
| `post-merge-docs-review.yml` | `push: [main]` → dispatch                                 | After merge, audits docs touched by the commit, creates fix PRs             |
| `post-merge-tests.yml`       | `push: [main]` → dispatch                                 | After merge, analyzes the code changes and drafts targeted tests            |
| `issue-linker.yml`           | `pull_request: [opened, closed]`                          | Links open issues to PRs on open; closes resolved issues on merge           |
| `notify-ai-pr.yml`           | `pull_request: [opened]` from a bot                       | Slack notification when an AI-authored PR opens                             |

## Scheduled workflows

These run on cron — typically called with `schedule:` and a manual `workflow_dispatch:`.

| Workflow                               | Default schedule     | What it does                                                                                               |
| -------------------------------------- | -------------------- | ---------------------------------------------------------------------------------------------------------- |
| `code-simplifier.yml`                  | Daily 04:00 UTC      | DRY enforcement, dead code removal, drafts PRs                                                             |
| `best-practices.yml`                   | Weekly Wed 03:00 UTC | Audit creating actionable recommendations                                                                  |
| `next-steps.yml`                       | Daily 05:00 UTC      | Analyzes merge momentum, suggests next logical action                                                      |
| `issue-sweeper.yml`                    | Weekly Mon 06:00 UTC | Scans open issues, comments on progress, closes resolved                                                   |
| `issue-hygiene.yml`                    | Weekly Mon 07:00 UTC | Detects duplicates, links merged PRs, flags stale issues                                                   |
| `label-sync.yml`                       | Weekly Sun 05:00 UTC | Syncs canonical labels from the `.github` repo to consumers                                                |
| `repo-orchestrator.yml`                | `workflow_dispatch`  | Multi-repo hub-and-spoke dispatcher for ad-hoc operations                                                  |
| `public-docs-updater.md` / `.lock.yml` | Daily                | GH-AW import of GitHubNext `doc-updater.md`; scans `dryvist` public PR activity and updates this docs repo |

## How a reusable caller looks

A reusable-workflow caller is the smallest YAML that declares a trigger, sets permissions, and forwards to the upstream:

```yaml theme={null}
name: Issue Triage
on:
  issues:
    types: [opened]
permissions:
  contents: read
  id-token: write
  issues: write
jobs:
  run:
    uses: JacobPEvans/ai-workflows/.github/workflows/issue-triage.yml@main
    secrets: inherit
```

Permission shape varies per workflow — `issue-resolver` needs `pull-requests: write`, `ci-fix` needs `actions: read`, `post-merge-*` needs `actions: write` for the re-dispatch. The [canonical caller templates](https://github.com/JacobPEvans/ai-workflows/blob/main/docs/GETTING_STARTED.md) list the exact permission block for each.

## How a GH-AW import looks

GitHub Agentic Workflows are authored as Markdown and compiled:

```yaml theme={null}
---
engine: copilot
imports:
  - githubnext/agentics/workflows/doc-updater.md@main
on:
  schedule: daily
  workflow_dispatch:
---
```

`public-docs-updater.md` imports the GitHubNext doc updater, then adds local rules: scan `dryvist` public repos, include merged plus open/draft PR titles and descriptions, treat open work as in-progress only, and create one PR against `docs`.

## Versioning

Per [Dependency automation](/infrastructure/cicd/dependency-automation#version-pinning), consumers pin `ai-workflows` — and every `dryvist/*` reusable workflow — at `@main`, never a SHA or version pin. The SemVer tags still exist (`@v0.15.1`) and release-please keeps bumping them for the changelog and the per-run resolved-SHA audit trail, but callers ride `@main` so upstream fixes land immediately with no per-repo Renovate PR (the first-party immediate-propagation model). Every org scanner is configured to allow `@main` — see [scanner posture](/infrastructure/cicd/policy#scanner-posture-for-self-references).

## Authentication

Reusable `.yml` workflows use a **provider-agnostic `GH_ACTION_AI_*` namespace** so you can swap providers, endpoints, or models at the org level without editing any caller.

| Name                        | Kind     | Purpose                                                     |
| --------------------------- | -------- | ----------------------------------------------------------- |
| `GH_ACTION_AI_API_KEY`      | Secret   | Your provider's API key. Required by all workflows.         |
| `GH_ACTION_AI_BASE_URL`     | Variable | Provider endpoint. Leave **empty** for direct Anthropic.    |
| `GH_ACTION_AI_MODEL`        | Variable | Global default model name.                                  |
| `GH_ACTION_AI_MODEL_CODE`   | Variable | Code-generation tier (falls back to `GH_ACTION_AI_MODEL`).  |
| `GH_ACTION_AI_MODEL_ISSUES` | Variable | Issue-management tier (falls back to `GH_ACTION_AI_MODEL`). |
| `GH_ACTION_AI_MODEL_PLAN`   | Variable | Deep-planning tier (falls back to `GH_ACTION_AI_MODEL`).    |

Set them at org level with the GitHub CLI:

```bash theme={null}
gh secret   set GH_ACTION_AI_API_KEY   --org <your-org>   # paste your key
gh variable set GH_ACTION_AI_BASE_URL  --org <your-org> -b ""                       # empty = direct Anthropic
gh variable set GH_ACTION_AI_MODEL     --org <your-org> -b "claude-sonnet-4-6"
```

The same workflows run unchanged against any provider — only the org-level values change:

| Provider         | `GH_ACTION_AI_API_KEY` | `GH_ACTION_AI_BASE_URL`        | Example model               |
| ---------------- | ---------------------- | ------------------------------ | --------------------------- |
| Direct Anthropic | standard API key       | *(empty)*                      | `claude-sonnet-4-6`         |
| OpenRouter       | OpenRouter key         | `https://openrouter.ai/api/v1` | `anthropic/claude-sonnet-4` |
| Chutes.ai        | Chutes key             | Chutes endpoint                | provider-specific name      |

> **OAuth tokens are prohibited in unattended CI.** A Claude Code subscription token (`CLAUDE_CODE_OAUTH_TOKEN`) used inside a GitHub Actions workflow violates the [Claude Code Terms of Service](https://www.anthropic.com/legal/terms) and risks an account ban — the subscription is intended for interactive sessions only. Use a standard API key (`GH_ACTION_AI_API_KEY`) instead; it is purpose-built for programmatic access with no ToS concerns.

GH-AW imports use the Copilot engine (the current `public-docs-updater` wrapper). Provider details and model configuration live in [AUTHENTICATION.md](https://github.com/JacobPEvans/ai-workflows/blob/main/docs/AUTHENTICATION.md).

## Commit signing

`cc-ci-fix` (the CI auto-fixer) uses GitHub's `createCommitOnBranch` GraphQL mutation to push fix commits — no local clone, no custom signing script. The mutation runs as the Actions bot (`${{ github.token }}`), so every fix commit lands web-flow-signed and attributed to `github-actions[bot]`. This works without any App credential on the consumer repo, and is compatible with repos that enforce signed commits.

Other PR-writing workflows (`issue-resolver`, `code-simplifier`, `post-merge-*`) mint a `JacobPEvans-claude` GitHub App installation token and rely on `use_commit_signing: true` in the action. The App credentials (`GH_APP_CLAUDE_BOT_PRIVATE_KEY`, `GH_APP_CLAUDE_BOT_ID`) are distributed by `secrets-sync` to every repo in the `_github_app_repos` anchor.

## Where to go next

<CardGroup cols={2}>
  <Card title="Getting started" icon="rocket" href="https://github.com/JacobPEvans/ai-workflows/blob/main/docs/GETTING_STARTED.md">
    Caller templates for every workflow, with the correct permission blocks.
  </Card>

  <Card title="Patterns" icon="puzzle-piece" href="https://github.com/JacobPEvans/ai-workflows/blob/main/docs/PATTERNS.md">
    The post-merge dispatch pattern, bot guards, and other recurring shapes.
  </Card>

  <Card title="Authentication" icon="key" href="https://github.com/JacobPEvans/ai-workflows/blob/main/docs/AUTHENTICATION.md">
    Full `GH_ACTION_AI_*` reference, provider routing, model variables, and GH-AW engine caveats.
  </Card>

  <Card title="Verification" icon="check-double" href="https://github.com/JacobPEvans/ai-workflows/blob/main/docs/VERIFICATION.md">
    The e2e runbook for checking a freshly-wired repo end to end.
  </Card>

  <Card title="Issue → PR pipeline on this repo" icon="route" href="/automation/issue-to-pr-pipeline">
    Exactly which six callers are wired on `JacobPEvans/docs` and why.
  </Card>

  <Card title="Secret distribution" icon="lock" href="/security/secrets-sync">
    How `GH_ACTION_AI_API_KEY` and the App credentials land on each consumer repo.
  </Card>
</CardGroup>
