
Add workflow for daily documentation updates#132

Merged
ewega merged 3 commits into main from copilot/create-daily-doc-update-workflow on Mar 11, 2026
Conversation

Copilot AI commented Mar 5, 2026

Contributor

Adds a GitHub Agentic Workflow (gh-aw) that runs daily on weekdays to detect documentation drift in gh-devlake and open a single docs-only PR with fixes.

Changes

  • Workflow definition (.github/workflows/docs-sync.md): Defines the agent's docs-sync task — gathers recent code changes, compares against README.md and docs/, edits stale sections, and opens a PR via safe-outputs.
  • Compiled workflow (.github/workflows/docs-sync.lock.yml): Auto-generated GitHub Actions YAML that runs the Copilot CLI agent on a fuzzy weekday schedule and via manual dispatch.

Safety Configuration

  • Read-only permissions: contents: read, issues: read, pull-requests: read — all writes go through safe-outputs.create-pull-request.
  • Restricted bash commands: Only git, cat, grep, find, ls, head, tail, wc are allowed (no --allow-all-tools).
  • Path-restricted editing: engine.args injects --allow-paths "README.md,docs/**" to limit file edits to documentation targets only.
  • Protected files respected: AGENTS.md is excluded from editable targets since the compiler's protected_files list blocks modifications to it. The agent reads it as a reference and notes drift in the PR body instead.
  • Auto-expiring PRs: Created PRs expire after 7 days if not merged.

Notes

  • The edit: (null) syntax is the correct gh-aw format for enabling the edit tool — edit: true is rejected by the compiler schema (requires null or object, not boolean).
  • The compiler adds --allow-all-paths automatically for any safe-outputs.create-pull-request workflow; the --allow-paths flag from engine.args adds a more restrictive layer on top.


Creates a GitHub Agentic Workflow that runs daily on weekdays
to identify documentation files that have drifted from recent
code changes and opens a pull request with the necessary updates.

Uses Copilot engine with GitHub MCP tools, bash, and edit tools.
Read-only permissions with safe-outputs for PR creation.

Co-authored-by: ewega <26189114+ewega@users.noreply.github.com>
Copilot finished work on behalf of ewega March 5, 2026 17:48
@ewega ewega marked this pull request as ready for review March 11, 2026 15:41
Copilot AI review requested due to automatic review settings March 11, 2026 15:41

Copilot AI left a comment

Contributor


Pull request overview

Adds a GitHub Advanced Workflows (gh-aw) agentic workflow to periodically detect documentation drift in gh-devlake and open a single docs-only PR with fixes.

Changes:

  • Added an agent prompt workflow (docs-sync.md) describing how to detect stale docs and what files to update.
  • Added the compiled GitHub Actions workflow (docs-sync.lock.yml) to run on a weekday schedule and via manual dispatch.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
.github/workflows/docs-sync.md Defines the agent’s docs-sync task, constraints, and PR creation rules.
.github/workflows/docs-sync.lock.yml Compiled workflow that executes the Copilot CLI agent on a schedule and handles safe outputs/PR creation.

Comment thread .github/workflows/docs-sync.lock.yml Outdated
set -o pipefail
# shellcheck disable=SC1003
sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,go.dev,golang.org,goproxy.io,host.docker.internal,pkg.go.dev,proxy.golang.org,raw.githubusercontent.com,registry.npmjs.org,storage.googleapis.com,sum.golang.org,telemetry.enterprise.githubcopilot.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.23.0 --skip-pull --enable-api-proxy \
-- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log

Copilot AI Mar 11, 2026


The Copilot CLI invocation uses --allow-all-tools --allow-all-paths, which doesn’t enforce the workflow’s “documentation-only / don’t modify Go source code” constraint. This increases the blast radius of a scheduled automation run (it can edit any repo file and run arbitrary tools). Consider restricting allowed tools/paths to docs-only targets (e.g., README.md, AGENTS.md, docs/**) so the workflow’s safety guarantee is enforced by configuration, not only by the prompt.

Suggested change
-- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log
-- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tools filesystem,git,github,terminal --allow-paths "README.md,AGENTS.md,docs/**,.github/**" --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log
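Review bot: The replacement line's --allow-paths value includes .github/**, which is wider than the docs-only target set the comment itself names (README.md, AGENTS.md, docs/**) and would let a scheduled agent run edit its own workflow definitions; drop .github/** so the path allow-list matches the stated constraint. The tool names in --allow-tools filesystem,git,github,terminal are also not shown anywhere else in this PR, so they should be checked against the Copilot CLI's accepted values before the suggestion is applied.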

mode: remote
toolsets: [default]
bash: true
edit:

Copilot AI Mar 11, 2026


tools.edit is declared but has no value (edit:). While valid YAML, it’s ambiguous whether the edit tool is intended to be enabled or configured (and future readers may assume it’s a mistake). Make this explicit (e.g., edit: true or provide the intended edit-tool configuration).

Suggested change
edit:
edit: true
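Review bot: The replacement line edit: true is a boolean, and the follow-up comment further down this thread reports that the gh-aw compiler schema accepts only null or an object for tools.edit, so applying this suggestion as written would break compilation; keep edit: with a YAML comment stating that the null value intentionally enables the edit tool, which removes the ambiguity without a schema violation.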

@ewega

ewega commented Mar 11, 2026

Contributor

@copilot Please address the two Copilot review comments before merge: 1) restrict the docs sync workflow so docs-only safety is enforced by configuration instead of --allow-all-tools --allow-all-paths; 2) make the edit tool declaration explicit in .github/workflows/docs-sync.md (for example edit: true) and regenerate the compiled lock file accordingly. After updating, ensure the PR checks remain green.

- Restrict bash to specific safe commands (git, cat, grep, find, ls,
  head, tail, wc) instead of bash: true — eliminates --allow-all-tools
- Add engine.args --allow-paths to restrict file edits to README.md
  and docs/** only
- Remove AGENTS.md from editable targets (compiler protects it)
- Update prompt to clarify AGENTS.md is read-only

Co-authored-by: ewega <26189114+ewega@users.noreply.github.com>

Copilot AI commented Mar 11, 2026

Contributor Author

@copilot Please address the two Copilot review comments before merge: 1) restrict the docs sync workflow so docs-only safety is enforced by configuration instead of `--allow-all-tools --allow-all-path...

Addressed in e31f2ae:

  1. Tools restriction: Changed bash: true to bash: ["git", "cat", "grep", "find", "ls", "head", "tail", "wc"]. The compiled lock file now uses individual --allow-tool 'shell(cmd)' entries instead of --allow-all-tools.

  2. Path restriction: Added engine.args: ["--allow-paths", "README.md,docs/**"] which injects --allow-paths into the compiled Copilot CLI invocation, restricting file edits to documentation targets only. Note: the compiler still adds --allow-all-paths for any safe-outputs.create-pull-request workflow — this is a compiler-level behavior that can't be overridden from the frontmatter.

  3. edit declaration: edit: true is rejected by the gh-aw compiler (schema requires null or object, not boolean). The edit: (null) syntax is the correct way to enable the edit tool — verified by compilation error when using edit: true.

Also removed AGENTS.md from editable targets since the compiler's protected_files list blocks modifications to it via safe-outputs.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • github.github.com
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.57.2
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.57.2 --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:
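The frontmatter shape this thread converges on (read-only permissions, an explicit bash allow-list instead of bash: true, engine.args carrying --allow-paths, edit enabled via null, writes only through safe-outputs), as an added example rather than the PR's actual docs-sync.md; the on: block, the engine id key and the nesting of mode/toolsets under a github: key are assumptions not confirmed by the PR.

```yaml
---
# Added example, not the PR's docs-sync.md: the frontmatter shape described
# in this thread after commit e31f2ae. The on: block, the engine id key and
# the github: parent for mode/toolsets are assumptions.
on:
  schedule:
    - cron: "0 9 * * 1-5"   # weekdays (assumed; the PR uses a fuzzy schedule)
  workflow_dispatch:

# Read-only token: the agent never writes to the repository directly.
permissions:
  contents: read
  issues: read
  pull-requests: read

engine:
  id: copilot               # assumed key name
  # Injected into the compiled Copilot CLI invocation. The compiler still
  # emits --allow-all-paths for create-pull-request workflows; this flag is
  # the tighter layer on top of it. AGENTS.md is deliberately absent because
  # the compiler's protected_files list already blocks edits to it.
  args: ["--allow-paths", "README.md,docs/**"]

tools:
  github:                   # assumed parent key for the two lines below
    mode: remote
    toolsets: [default]
  # Was `bash: true`, which compiles to --allow-all-tools. An explicit list
  # compiles to one --allow-tool 'shell(cmd)' entry per command.
  bash: ["git", "cat", "grep", "find", "ls", "head", "tail", "wc"]
  # Null intentionally enables the edit tool; `edit: true` is rejected by
  # the compiler schema, which accepts only null or an object here.
  edit:

# The only write path: the compiled workflow turns the agent's output into
# a single docs-only pull request.
safe-outputs:
  create-pull-request:
---
```

Checking the regenerated docs-sync.lock.yml for the strings --allow-all-tools and --allow-all-paths after each compile is the quickest way to confirm the frontmatter change actually reached the CLI invocation.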

Copilot AI changed the title [WIP] Add workflow for daily documentation updates Add workflow for daily documentation updates Mar 11, 2026

@ewega ewega left a comment

Contributor


Reviewed after follow-up fixes; safe to merge.

@ewega ewega merged commit 6635973 into main Mar 11, 2026
4 checks passed
@ewega ewega deleted the copilot/create-daily-doc-update-workflow branch March 11, 2026 22:30