From e7ac8cb43d4604f099f9d72c7ad79c8df9e6e0f6 Mon Sep 17 00:00:00 2001 
From: JacobPEvans <20714140+JacobPEvans@users.noreply.github.com> Date: Sun, 24 May 2026 12:42:59 -0400 Subject: [PATCH] feat(ci): wire six ai-workflows callers for issue->mergeable-PR pipeline Adds the cloud-side automation pipeline so that opening an issue on this repo triggers automatic triage, draft PR creation, AI review (via the upstream Gemini/Copilot reviewers, not the deprecated claude-review), CI auto-fix on failure, and a final merge-readiness gate. Callers (all pinned @main per ci-cd-policy.md): - issue-triage.yml on issues: opened - categorize, label, dedup - issue-resolver.yml on issues: opened - draft PR for well-scoped issues - ci-fix.yml on workflow_run CI failure - push fix commit (max 2/PR, 5/day) - final-pr-review.yml on pull_request_review - merge-readiness gate - project-router.yml on issues/PR open|label - route to GitHub Projects - post-merge-docs-review.yml on push to main - audit + fix-PR via dispatch pattern Each caller's input shape (repo_context for issue-resolver and ci-fix) is tuned to this repo: Mintlify documentation site, MDX pages, mermaid diagrams using the canonical hand-drawn Reef Green theme, navigation in docs.json. Dropped from this wiring (will not be added): - claude-review.yml - DEPRECATED upstream 2026-04-04, jobs gated `if: false` - pr-issue-linker.yml - auto-triggers explicitly disabled upstream DEPENDS ON: JacobPEvans/secrets-sync #85 (adds `docs` to _all_repos and _github_app_repos anchors). Without secrets distributed, every caller fails at the first claude-code-action step. Merge order must be: 1. Merge secrets-sync #85 2. Add JacobPEvans/docs to the GH_PAT_SECRETS_SYNC_ACTION fine-grained PAT repository access list (manual UI step) 3. Confirm sync-secrets workflow ran on secrets-sync and that gh secret list --repo JacobPEvans/docs returns OPENROUTER_API_KEY 4. 
Merge this PR Validations passed locally: - yamllint -d relaxed (warnings resolved, no remaining) - actionlint (no errors) Assisted-by: Claude
---
.github/workflows/ci-fix.yml | 38 ++++++++++++++++++
.github/workflows/final-pr-review.yml | 18 +++++++++
.github/workflows/issue-resolver.yml | 32 +++++++++++++++
.github/workflows/issue-triage.yml | 18 +++++++++
.github/workflows/post-merge-docs-review.yml | 41 ++++++++++++++++++++
.github/workflows/project-router.yml | 23 +++++++++++
6 files changed, 170 insertions(+)
create mode 100644 .github/workflows/ci-fix.yml
create mode 100644 .github/workflows/final-pr-review.yml
create mode 100644 .github/workflows/issue-resolver.yml
create mode 100644 .github/workflows/issue-triage.yml
create mode 100644 .github/workflows/post-merge-docs-review.yml
create mode 100644 .github/workflows/project-router.yml
diff --git a/.github/workflows/ci-fix.yml b/.github/workflows/ci-fix.yml
new file mode 100644
index 0000000..a9b217b
--- /dev/null
+++ b/.github/workflows/ci-fix.yml
@@ -0,0 +1,38 @@
+name: CI Fix
+
+on:
+ workflow_dispatch:
+ workflow_run:
+ workflows: ["CI"]
+ types: [completed]
+
+permissions:
+ actions: read
+ contents: write
+ id-token: write
+ issues: write
+ pull-requests: write
+
+concurrency:
+ group: ci-fix-${{ github.event.workflow_run.head_branch || github.run_id }}
+ cancel-in-progress: false
+
+jobs:
+ fix:
+ if: >-
+ github.event_name == 'workflow_dispatch' ||
+ (github.event.workflow_run.conclusion == 'failure' &&
+ github.event.workflow_run.head_branch != 'main')
+ uses: JacobPEvans/ai-workflows/.github/workflows/ci-fix.yml@main
+ secrets: inherit
+ with:
+ repo_context: >-
+ Mintlify documentation site for docs.jacobpevans.com.
+ MDX pages with YAML frontmatter, mermaid diagrams using the
+ canonical hand-drawn Reef Green theme, navigation in docs.json.
+ ci_structure: >-
+ ci.yml validates docs.json with jq, installs mint via npm, and runs
+ mint broken-links to check internal MDX links. osv-scan.yml is a
+ reusable vuln-scan callout. CI fixes usually mean: docs.json JSON
+ syntax error, a broken internal link from a renamed/moved page, or
+ a mermaid block with a non-canonical theme directive.
diff --git a/.github/workflows/final-pr-review.yml b/.github/workflows/final-pr-review.yml
new file mode 100644
index 0000000..8511406
--- /dev/null
+++ b/.github/workflows/final-pr-review.yml
@@ -0,0 +1,18 @@
+name: Final PR Review
+
+on:
+ workflow_dispatch:
+ pull_request_review:
+ types: [submitted]
+
+permissions:
+ checks: read
+ contents: read
+ id-token: write
+ issues: write
+ pull-requests: write
+
+jobs:
+ review:
+ uses: JacobPEvans/ai-workflows/.github/workflows/final-pr-review.yml@main
+ secrets: inherit
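Review bot: The `if` on the fix job only excludes failures whose head branch is `main`, so a failing CI run on a pull request opened from a fork also starts this job, and `workflow_run` executes in the base repository with the `contents: write` and `pull-requests: write` token declared here plus every secret through `secrets: inherit`. The failing PR head is precisely the untrusted content an auto-fix step will read, which is the privilege-escalation shape GitHub's guidance warns about for `workflow_run`. Add a same-repository condition to the `if`, e.g. `github.event.workflow_run.head_repository.full_name == github.repository`, so fork-origin runs never reach the reusable workflow. The upstream ci-fix.yml may apply its own check, but that is not visible here and the caller's grant happens before it runs.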
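Review bot: The review job carries no `if` guard, so any submitted review on any PR, including fork PRs and comment-only reviews from the PR author, invokes the reusable workflow with `pull-requests: write`, `issues: write`, `id-token: write` and all inherited secrets, because `pull_request_review` runs in the base repository context. Gate it on review state and origin, e.g. `if: github.event.review.state == 'approved' && github.event.pull_request.head.repo.full_name == github.repository`, or on `github.event.pull_request.author_association` if the gate is meant to fire for non-approval reviews too. A concurrency group keyed on the PR number, as the other callers in this commit use, would also keep repeated reviews from queuing parallel runs.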
@@ -0,0 +1,32 @@
+name: Issue Resolver
+
+on:
+ issues:
+ types: [opened]
+
+permissions:
+ contents: write
+ id-token: write
+ issues: write
+ pull-requests: write
+
+concurrency:
+ group: >-
+ issue-resolver-${{ github.repository }}-${{
+ github.event.issue.number }}
+ cancel-in-progress: false
+
+jobs:
+ run:
+ uses: JacobPEvans/ai-workflows/.github/workflows/issue-resolver.yml@main
+ secrets: inherit
+ with:
+ repo_context: >-
+ Mintlify documentation site for docs.jacobpevans.com.
+ Pages are MDX with YAML frontmatter under topic directories
+ (architecture/, ai-development/, automation/, security/,
+ infrastructure/, observability/, configuration/, nix/, tools/,
+ about/). Navigation lives in docs.json. Mermaid diagrams use
+ the canonical hand-drawn Reef Green theme directive (see
+ AGENTS.md). Public content only - no real IPs, hostnames,
+ credentials, or references to private repos.
diff --git a/.github/workflows/issue-triage.yml b/.github/workflows/issue-triage.yml
new file mode 100644
index 0000000..23754a6
--- /dev/null
+++ b/.github/workflows/issue-triage.yml
@@ -0,0 +1,18 @@
+name: Issue Triage
+
+on:
+ issues:
+ types: [opened]
+
+permissions:
+ contents: read
+ id-token: write
+ issues: write
+
+concurrency:
+ group: issue-triage-${{ github.repository }}-${{ github.event.issue.number }}
+
+jobs:
+ run:
+ uses: JacobPEvans/ai-workflows/.github/workflows/issue-triage.yml@main
+ secrets: inherit
diff --git a/.github/workflows/post-merge-docs-review.yml b/.github/workflows/post-merge-docs-review.yml
new file mode 100644
index 0000000..df69b67
--- /dev/null
+++ b/.github/workflows/post-merge-docs-review.yml
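Review bot: Opening an issue needs no repository access, so the run job hands arbitrary issue text to the resolver with `contents: write`, `pull-requests: write` and all inherited secrets without any check on who opened it; the same unauthenticated trigger path exists in issue-triage.yml in this commit. The issue body is untrusted input to the AI step and every run spends budget on the synced API key, so the caller should at least restrict to known authors, e.g. `if: contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association)`. The commit notes that only well-scoped issues get a draft PR, but whatever scoping upstream does happens after this caller has already granted the permissions and secrets.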
@@ -0,0 +1,41 @@
+name: Post-Merge Docs Review
+
+on:
+ push:
+ branches: [main]
+ workflow_dispatch:
+ inputs:
+ commit_sha:
+ description: "Commit SHA to review"
+ required: false
+ type: string
+
+permissions:
+ actions: write
+ contents: write
+ id-token: write
+ pull-requests: write
+
+jobs:
+ dispatch:
+ if: github.event_name == 'push'
+ runs-on: ubuntu-latest
+ env:
+ GH_TOKEN: ${{ github.token }}
+ WORKFLOW_NAME: ${{ github.workflow }}
+ REPO: ${{ github.repository }}
+ COMMIT_SHA: ${{ github.sha }}
+ steps:
+ - name: Re-trigger as workflow_dispatch
+ run: |
+ gh workflow run "$WORKFLOW_NAME" \
+ --repo "$REPO" \
+ --ref main \
+ -f commit_sha="$COMMIT_SHA"
+
+ review:
+ if: github.event_name == 'workflow_dispatch'
+ uses: JacobPEvans/ai-workflows/.github/workflows/post-merge-docs-review.yml@main
+ secrets: inherit
+ with:
+ commit_sha: ${{ inputs.commit_sha || github.sha }}
diff --git a/.github/workflows/project-router.yml b/.github/workflows/project-router.yml
new file mode 100644
index 0000000..7d282bc
--- /dev/null
+++ b/.github/workflows/project-router.yml
@@ -0,0 +1,23 @@
+name: Project Router
+
+on:
+ issues:
+ types: [opened, labeled]
+ pull_request:
+ types: [opened, ready_for_review]
+
+permissions:
+ contents: read
+ id-token: write
+ issues: write
+ pull-requests: read
+
+concurrency:
+ group: >-
+ project-router-${{ github.repository }}-${{
+ github.event.issue.number || github.event.pull_request.number }}
+
+jobs:
+ route:
+ uses: JacobPEvans/ai-workflows/.github/workflows/project-router.yml@main
+ secrets: inherit
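Review bot: The dispatch job inherits the workflow-level `contents: write`, `pull-requests: write` and `id-token: write`, yet its only step is `gh workflow run`, which needs nothing beyond `actions: write`. Add a job-level override under `dispatch:`, the two lines `permissions:` and `actions: write`, so the re-trigger step holds the minimum scope while the review job keeps the workflow-level grants it needs. Separately, `commit_sha` is a free-form string input with no format check before it is forwarded as `inputs.commit_sha || github.sha`; whether the reusable workflow validates it is not visible here, so a comment on the input such as `# forwarded unvalidated; upstream must treat as untrusted` would record the assumption for the next reader.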
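Review bot: The `pull_request` trigger withholds inherited secrets and downgrades the token to read-only for PRs opened from forks, so on those events the route job calls the reusable workflow with `secrets: inherit` resolving to nothing and `id-token: write` silently reduced; depending on how upstream obtains its project token, that run fails rather than routes. If that noise is unwanted, skip the case explicitly, e.g. `if: github.event_name == 'issues' || github.event.pull_request.head.repo.full_name == github.repository`. The workflow-level `issues: write` is also granted on the PR-triggered path, where nothing visible here needs it; a comment stating why both event types require it would help.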