fix(ci): harden daily-doc-updater workflow guardrails#220

Merged
YousefHadder merged 2 commits into main from yousefhadder/fix-daily-doc-updater-gaps on Mar 7, 2026

Conversation

YousefHadder (Owner) commented Mar 7, 2026

Fixes several gaps in the daily-doc-updater agentic workflow that would cause it to fail or produce bad results.

  • Bash allowlist mismatch: The allowlist referenced docs/*.md and *.mdx but the repo uses doc/markdown-plus.txt (a .txt file). The agent literally couldn't read the vimdoc file it was supposed to update.
  • No CHANGELOG guard: Agent could edit CHANGELOG.md which is auto-generated by release-please — added explicit "never touch" rules.
  • Wiki unawareness: README is intentionally lightweight and links to the wiki. Added guidance so the agent doesn't bloat it with detailed config/keymap tables.
  • Auto-merge risk: Switched to draft: true / auto-merge: false so AI-generated vimdoc changes get human review before merging.
  • No commit format: Added conventional commit format requirement (docs(scope): description).
  • types.lua access: Added to allowlist so agent can read config schema when documenting new options.
  • Broken grep: grep -r '*' was shell-expanding the glob — replaced with grep -rn '' doc README.md.
  • Timeout: Reduced from 45m to 15m (doc updates shouldn't take that long).
  • New maintenance workflow: agentics-maintenance.yml is auto-generated by gh aw compile — it runs every 2 hours to close expired PRs/issues/discussions created by safe-outputs. Added to .gitattributes as linguist-generated.

Tested by running gh aw compile — compiles cleanly with 0 errors, 0 warnings.

- Fix bash allowlist to reference actual repo paths (doc/*.txt not
  docs/*.md) so the agent can read the vimdoc file
- Add types.lua to allowlist for config schema awareness
- Add Critical Rules section with CHANGELOG guard, file scope limits,
  wiki-aware README guidance, and conventional commit format
- Switch PRs to draft with auto-merge disabled for human review
- Fix broken grep pattern and reduce timeout from 45m to 15m
- Include auto-generated agentics-maintenance workflow
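As an added example (not code from PR #220 or from the repository), the two shell checks below would have caught the allowlist mismatch and the CHANGELOG risk listed above before an agent run: one verifies that every bash-allowlist glob matches a real file in the checkout, the other rejects an agent changeset that leaves the doc/README scope or touches CHANGELOG.md. The sample repository layout is constructed inline, and the location of types.lua under lua/markdown-plus/ is an assumption, since the PR names only the file.

```shell
#!/bin/sh
# Added example, not code from PR #220 or the markdown-plus repository.
# Two pre-flight checks for an agentic doc-updater workflow:
#   1. every bash-allowlist glob must match at least one real path, so an
#      allowlist written for docs/*.md against a repo that has doc/*.txt
#      fails loudly instead of leaving the agent unable to read anything;
#   2. the files an agent run changed must stay inside the doc scope and
#      must never include CHANGELOG.md, which release-please generates.
# The sample repo layout below is constructed; the location of types.lua
# is an assumption (the PR only names the file).

# Usage: check_allowlist_globs REPO_DIR GLOB...
# Returns 0 if every glob matches at least one existing path under REPO_DIR,
# otherwise reports each dead glob on stderr and returns 1.
check_allowlist_globs() {
  repo="$1"; shift
  rc=0
  for pattern in "$@"; do
    matched=0
    # Unquoted $pattern lets the shell expand the glob under $repo. When
    # nothing matches, the literal pattern comes back and -e rejects it.
    for candidate in "$repo"/$pattern; do
      if [ -e "$candidate" ]; then matched=1; break; fi
    done
    if [ "$matched" -eq 0 ]; then
      echo "dead allowlist glob: $pattern" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Usage: git diff --name-only BASE..HEAD | check_changed_files
# Returns 0 if every changed path is in scope (doc/*.txt or README.md) and
# none is protected; otherwise reports each offender on stderr and returns 1.
check_changed_files() {
  rc=0
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    case "$path" in
      CHANGELOG.md)
        echo "protected file changed (owned by release-please): $path" >&2
        rc=1 ;;
      doc/*.txt|README.md)
        ;;
      *)
        echo "out-of-scope change: $path" >&2
        rc=1 ;;
    esac
  done
  return "$rc"
}

# Constructed sample repo mirroring the layout the PR describes.
make_sample_repo() {
  d=$(mktemp -d)
  mkdir -p "$d/doc" "$d/lua/markdown-plus"
  : > "$d/doc/markdown-plus.txt"
  : > "$d/README.md"
  : > "$d/CHANGELOG.md"
  : > "$d/lua/markdown-plus/types.lua"   # assumed location of types.lua
  printf '%s\n' "$d"
}

demo() {
  repo=$(make_sample_repo)
  # The allowlist as it was before the fix: nothing in this repo matches.
  check_allowlist_globs "$repo" 'docs/*.md' '*.mdx' \
    || echo "old allowlist rejected"
  # The allowlist after the fix.
  check_allowlist_globs "$repo" 'doc/*.txt' 'README.md' 'lua/markdown-plus/types.lua' \
    && echo "new allowlist ok"
  # An agent run that drifted into the generated changelog.
  printf '%s\n' doc/markdown-plus.txt CHANGELOG.md | check_changed_files \
    || echo "changeset rejected"
  rm -rf "$repo"
}

demo
```

In CI the second check would be fed `git diff --name-only` for the agent's branch; here it consumes a constructed file list so the example runs offline. The `doc/*.txt` case pattern also matches nested `.txt` files under `doc/`, which is the intent for a vimdoc directory but worth tightening if the scope is a single file.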
Copilot AI review requested due to automatic review settings March 7, 2026 02:42
Copilot AI (Contributor) left a comment


Pull request overview

This PR hardens the daily-doc-updater agentic workflow by fixing several gaps that caused it to reference wrong paths, potentially edit protected files, and auto-merge AI-generated changes without human review. The changes also produce a new auto-generated agentics-maintenance.yml workflow as a side effect of gh aw compile.

Changes:

  • Fixes the bash allowlist in daily-doc-updater.md to reference the correct paths (doc/ not docs/, *.txt not *.md/*.mdx), adds types.lua access, fixes the broken grep glob, reduces timeout from 45m to 15m, and switches PRs to draft/no-auto-merge
  • Adds guardrails in the agent prompt: CHANGELOG.md protection, README lightweight policy, conventional commit format, and wiki-linking guidance
  • Introduces auto-generated agentics-maintenance.yml workflow (produced by gh aw compile) and updates the compiled daily-doc-updater.lock.yml to reflect all source changes

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

Reviewed files:

  • .github/workflows/daily-doc-updater.md: Source workflow; fixes bash allowlist, adds critical rules (CHANGELOG, README, commit format), updates file routing guidance, switches to draft PRs
  • .github/workflows/daily-doc-updater.lock.yml: Auto-generated compiled lockfile reflecting all changes from the .md source
  • .github/workflows/agentics-maintenance.yml: New auto-generated maintenance workflow that closes expired PRs/issues/discussions on a schedule

Addresses review feedback — the auto-generated maintenance workflow
from gh-aw compile should get the same .gitattributes treatment as
the .lock.yml files to prevent merge conflicts and exclude it from
language statistics.
YousefHadder merged commit 25c3f1a into main Mar 7, 2026
15 checks passed
YousefHadder deleted the yousefhadder/fix-daily-doc-updater-gaps branch March 7, 2026 02:56