The workflows: write permission in the YAML permissions block is not
valid for GITHUB_TOKEN, which prevented the workflow from starting.
Pushing files under .github/workflows/ requires a PAT with the
workflows scope. The workflow now uses a GH_PAT secret (falling back
to GITHUB_TOKEN) for checkout and push. To set this up:
Create a fine-grained PAT with Contents + Workflows read/write,
then: gh secret set GH_PAT --body "<your-pat>"
https://claude.ai/code/session_01JTYNSeJrGzdW6wfAUbdjjw
The GITHUB_TOKEN needs the workflows permission to push changes to
files under .github/workflows/. Also add || true to git add glob
in case no lock files exist yet on first compile.
https://claude.ai/code/session_01JTYNSeJrGzdW6wfAUbdjjw
Instead of just failing when lock files are outdated, the workflow now
compiles the agentic workflow markdown files and commits+pushes the
resulting lock files back. On PRs, checks out the head branch directly
(not the merge ref) so it can push back to the PR.
https://claude.ai/code/session_01JTYNSeJrGzdW6wfAUbdjjw
Runs on both PRs and pushes to main. Compiles all agentic workflow
markdown files and fails if the resulting lock files differ from what's
committed. This ensures contributors run `gh aw compile` before merging.
https://claude.ai/code/session_01JTYNSeJrGzdW6wfAUbdjjw
Triggers on pushes to main that touch .github/workflows/*.md files.
Installs gh-aw, compiles all agentic workflow markdown files, and
commits the resulting .lock.yml files back to the repo.
https://claude.ai/code/session_01JTYNSeJrGzdW6wfAUbdjjw