name: Compile Agentic Workflows on: pull_request: branches: ["main"] paths: - ".github/workflows/*.md" jobs: compile: name: Compile runs-on: ubuntu-latest # Skip fork PRs: secrets are unavailable, and we should not compile # untrusted .md content from a fork and push it back. if: github.event.pull_request.head.repo.fork == false permissions: contents: read # checkout; push uses GH_PAT explicitly steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: ref: ${{ github.head_ref }} token: ${{ secrets.GH_PAT }} - name: Install gh-aw extension run: gh extension install github/gh-aw --version v0.50.7 env: GH_TOKEN: ${{ secrets.GH_PAT }} - name: Compile all agentic workflows run: gh aw compile .github/workflows/*.md env: GH_TOKEN: ${{ secrets.GH_PAT }} - name: Commit and push lock files if changed run: | git add .github/workflows/*.lock.yml || true if git diff --cached --quiet; then echo "Lock files are up to date." else git config user.name "github-actions[bot]" git config user.email "41898282+github-actions[bot]@users.noreply.github.com" git commit -m "Recompile agentic workflow lock files" git push fi