Add PR CI detective and fixer workflows

.github/workflows/gh-aw-pr-ci-detective.md

@@ -0,0 +1,114 @@
+---
+description: "Analyze failed PR checks and report findings"
+imports:
+  - gh-aw-fragments/elastic-tools.md
+  - gh-aw-fragments/runtime-setup.md
+  - gh-aw-fragments/formatting.md
+  - gh-aw-fragments/rigor.md
+  - gh-aw-fragments/mcp-pagination.md
+  - gh-aw-fragments/workflow-edit-guardrails.md
+  - gh-aw-fragments/messages-footer.md
+  - gh-aw-fragments/safe-output-add-comment.md
+engine:
+  id: copilot
+  model: gpt-5.2-codex
+on:
+  workflow_call:
+    inputs:
+      additional-instructions:
+        description: "Repo-specific instructions appended to the agent prompt"
+        type: string
+        required: false
+        default: ""
+      setup-commands:
+        description: "Shell commands to run before the agent starts (dependency install, build, etc.)"
+        type: string
+        required: false
+        default: ""
+      messages-footer:
+        description: "Footer appended to all agent comments and reviews"
+        type: string
+        required: false
+        default: ""
+    secrets:
+      COPILOT_GITHUB_TOKEN:
+        required: true
+concurrency:
+  group: pr-ci-detective-${{ github.event.workflow_run.id }}
+  cancel-in-progress: false
+permissions:
+  actions: read
+  contents: read
+  issues: read
+  pull-requests: read
+tools:
+  github:
+    toolsets: [repos, issues, pull_requests, search, actions]
+  bash: true
+  web-fetch:
+network:
+  allowed:
+    - defaults
+    - github
+strict: false
+roles: [admin, maintainer, write]
+timeout-minutes: 30
+steps:
+  - name: Repo-specific setup
+    if: ${{ inputs.setup-commands != '' }}
+    env:
+      SETUP_COMMANDS: ${{ inputs.setup-commands }}
+    run: eval "$SETUP_COMMANDS"
+---
+
+# PR CI Detective
+
+Assist with failed GitHub Actions checks for pull requests in ${{ github.repository }}. Analyze workflow run logs, explain failures, and recommend fixes. This workflow is read-only.
+
+## Context
+
+- **Repository**: ${{ github.repository }}
+- **Workflow Run ID**: ${{ github.event.workflow_run.id }}
+- **Conclusion**: ${{ github.event.workflow_run.conclusion }}
+
+## Constraints
+
+- **CAN**: Read files, search code, run tests and commands, comment on PRs
+- **CANNOT**: Push changes, merge PRs, or modify `.github/workflows/`
+
+## Instructions
+
+### Step 1: Gather Context
+
+1. Call `generate_agents_md` to get the repository's coding guidelines and conventions. If this fails, continue without it.
+2. Identify the PRs associated with the workflow run using `github.event.workflow_run.pull_requests`. If there are none, call `noop` with message "No pull request associated with workflow run; nothing to do" and stop.
+3. For each PR, call `pull_request_read` with method `get` to capture the author, branches, and fork status.
+4. Fetch workflow run details and logs with `bash` + `gh api`:
+   - List jobs and their conclusions:
+     ````bash
+     gh api repos/{owner}/{repo}/actions/runs/{run_id}/jobs \
+       --jq '.jobs[] | {id: .id, name: .name, conclusion: .conclusion, html_url: .html_url}'
+     ````
+   - Download logs to `/tmp/gh-aw/agent/` and inspect the failing step output:
+     ````bash
+     gh api repos/{owner}/{repo}/actions/runs/{run_id}/logs \
+       -H "Accept: application/vnd.github+json" \
+       > /tmp/gh-aw/agent/workflow-logs-{run_id}.zip
+     unzip -o /tmp/gh-aw/agent/workflow-logs-{run_id}.zip -d /tmp/gh-aw/agent/workflow-logs-{run_id}/
+     ````
+
+### Step 2: Analyze
+
+- Identify the failing job/step and summarize the root cause.
+- Propose a concrete, minimal fix or remediation plan.
+- If the logs are inconclusive, state what additional data is needed.
+
+### Step 3: Respond
+
+Call `add_comment` on the PR with:
+- A concise summary of the failure and root cause
+- The recommended fix or remediation plan
+- Tests run and their results (if any)
+- Any follow-up steps required
+
+${{ inputs.additional-instructions }}

.github/workflows/gh-aw-pr-ci-fixer.md

@@ -0,0 +1,129 @@
+---
+description: "Analyze failed PR checks and optionally push fixes (opt-in)"
+imports:
+  - gh-aw-fragments/elastic-tools.md
+  - gh-aw-fragments/runtime-setup.md
+  - gh-aw-fragments/formatting.md
+  - gh-aw-fragments/rigor.md
+  - gh-aw-fragments/mcp-pagination.md
+  - gh-aw-fragments/workflow-edit-guardrails.md
+  - gh-aw-fragments/messages-footer.md
+  - gh-aw-fragments/safe-output-add-comment.md
+  - gh-aw-fragments/safe-output-push-to-pr.md
+engine:
+  id: copilot
+  model: gpt-5.2-codex
+on:
+  workflow_call:
+    inputs:
+      additional-instructions:
+        description: "Repo-specific instructions appended to the agent prompt"
+        type: string
+        required: false
+        default: ""
+      setup-commands:
+        description: "Shell commands to run before the agent starts (dependency install, build, etc.)"
+        type: string
+        required: false
+        default: ""
+      workflow-run-id:
+        description: "Workflow run ID to analyze"
+        type: string
+        required: true
+      messages-footer:
+        description: "Footer appended to all agent comments and reviews"
+        type: string
+        required: false
+        default: ""
+    secrets:
+      COPILOT_GITHUB_TOKEN:
+        required: true
+concurrency:
+  group: pr-ci-fixer-${{ inputs.workflow-run-id }}
+  cancel-in-progress: false
+permissions:
+  actions: read
+  contents: read
+  issues: read
+  pull-requests: read
+tools:
+  github:
+    toolsets: [repos, issues, pull_requests, search, actions]
+  bash: true
+  web-fetch:
+network:
+  allowed:
+    - defaults
+    - github
+strict: false
+roles: [admin, maintainer, write]
+timeout-minutes: 30
+steps:
+  - name: Repo-specific setup
+    if: ${{ inputs.setup-commands != '' }}
+    env:
+      SETUP_COMMANDS: ${{ inputs.setup-commands }}
+    run: eval "$SETUP_COMMANDS"
+---
+
+# PR CI Fixer
+
+Assist with failed GitHub Actions checks for pull requests in ${{ github.repository }}. This workflow is opt-in and uses a provided workflow run ID.
+
+## Context
+
+- **Repository**: ${{ github.repository }}
+- **Workflow Run ID**: ${{ inputs.workflow-run-id }}
+
+## Constraints
+
+- **CAN**: Read files, search code, modify files locally, run tests and commands, comment on PRs, push changes to same-repo PR branches
+- **CANNOT**: Push to fork PR branches, merge PRs, or modify `.github/workflows/`
+
+When pushing changes, the workspace already has the PR branch checked out. Make your changes, run tests, commit them locally, then use `push_to_pull_request_branch`.
+
+## Instructions
+
+### Step 1: Gather Context
+
+1. Call `generate_agents_md` to get the repository's coding guidelines and conventions. If this fails, continue without it.
+2. Fetch workflow run details using `inputs.workflow-run-id`:
+   ````bash
+   gh api repos/{owner}/{repo}/actions/runs/{run_id} \
+     --jq '{id: .id, html_url: .html_url, pull_requests: .pull_requests}'
+   ````
+3. Identify the PRs associated with the workflow run from the response. If there are none, call `noop` with message "No pull request associated with workflow run; nothing to do" and stop.
+4. For each PR, call `pull_request_read` with method `get` to capture the author, branches, and fork status.
+5. Fetch workflow run details and logs with `bash` + `gh api`:
+   - List jobs and their conclusions:
+     ````bash
+     gh api repos/{owner}/{repo}/actions/runs/{run_id}/jobs \
+       --jq '.jobs[] | {id: .id, name: .name, conclusion: .conclusion, html_url: .html_url}'
+     ````
+   - Download logs to `/tmp/gh-aw/agent/` and inspect the failing step output:
+     ````bash
+     gh api repos/{owner}/{repo}/actions/runs/{run_id}/logs \
+       -H "Accept: application/vnd.github+json" \
+       > /tmp/gh-aw/agent/workflow-logs-{run_id}.zip
+     unzip -o /tmp/gh-aw/agent/workflow-logs-{run_id}.zip -d /tmp/gh-aw/agent/workflow-logs-{run_id}/
+     ````
+
+### Step 2: Analyze and Fix
+
+- Identify the failing job/step and summarize the root cause.
+- If the fix is straightforward and safe, implement it locally, run tests, commit, and push to the PR branch.
+- If the fix is risky or requires broader refactoring, propose a concrete remediation plan instead of pushing.
+- If the PR is from a fork, do not push; provide patch guidance in the comment.
+
+### Step 3: Respond
+
+Call `add_comment` on the PR with:
+- A concise summary of the failure and root cause
+- The recommended fix (or the applied fix if you pushed changes)
+- Tests run and their results
+- Any follow-up steps required
+
+**Additional tools:**
+- `push_to_pull_request_branch` — push committed changes to the PR branch (same-repo PRs only)
+
+${{ inputs.additional-instructions }}

README.md

@@ -42,7 +42,8 @@ See the upstream [gh-aw auth docs](https://github.com/github/gh-aw/blob/main/doc
 | Issue Triage | New issues | Investigate and provide implementation plans |
 | Mention in Issue | `/ai` command | Answer questions, debug, create PRs |
 | Mention in PR | `/ai` command | Review, fix code, push changes |
-| PR Checks Fix | Failed PR checks | Analyze failures and optionally push fixes |
+| PR CI Detective | Failed PR checks | Diagnose failures and recommend fixes |
+| PR CI Fixer | Manual (workflow_dispatch) | Opt-in fixes for failed PR checks |
 | Small Problem Fixer | Weekday schedule | Fix a small, related issue set and open a focused PR |
 | Code Simplifier | Weekday schedule | Simplify overcomplicated code with high-confidence refactors |
 | Test Improvement | Weekly schedule | Add targeted tests and clean up redundant coverage |

gh-agent-workflows/README.md

@@ -10,7 +10,8 @@
 | [Issue Triage](issue-triage/) | New issues | Investigate and provide implementation plans |
 | [Mention in Issue](mention-in-issue/) | `/ai` in issues | Answer questions, debug, create PRs |
 | [Mention in PR](mention-in-pr/) | `/ai` in PRs | Review, fix code, push changes |
-| [PR Checks Fix](pr-checks-fix/) | Failed PR checks | Analyze failures and optionally push fixes |
+| [PR CI Detective](pr-ci-detective/) | Failed PR checks | Diagnose failures and recommend fixes |
+| [PR CI Fixer](pr-ci-fixer/) | Manual (workflow_dispatch) | Opt-in fixes for failed PR checks |
 | [Small Problem Fixer](small-problem-fixer/) | Weekday schedule | Fix small, related issues and open a focused PR |
 | [Code Simplifier](code-simplifier/) | Weekday schedule | Simplify overcomplicated code with high-confidence refactors |
 | [Test Improvement](test-improvement/) | Weekly schedule | Add targeted tests and clean up redundant coverage |

gh-agent-workflows/pr-ci-detective/README.md

@@ -0,0 +1,30 @@
+# PR CI Detective
+
+Analyze failed PR checks and report findings (read-only).
+
+## Quick Install
+
+````bash
+mkdir -p .github/workflows && curl -sL \
+  https://raw.githubusercontent.com/elastic/ai-github-actions/v0/gh-agent-workflows/pr-ci-detective/example.yml \
+  -o .github/workflows/pr-ci-detective.yml
+````
+
+See [example.yml](example.yml) for the full workflow file.
+
+## Trigger
+
+| Event | Types | Condition |
+| --- | --- | --- |
+| `workflow_run` | `completed` | CI workflow failed and the run is associated with a PR |
+
+## Inputs
+
+| Input | Description | Required | Default |
+| --- | --- | --- | --- |
+| `additional-instructions` | Repo-specific instructions appended to the agent prompt | No | `""` |
+| `setup-commands` | Shell commands run before the agent starts | No | `""` |
+
+## Safe Outputs
+
+- `add-comment` — post a comment explaining the failure (max 3)

gh-agent-workflows/pr-ci-detective/example.yml

@@ -0,0 +1,21 @@
+name: PR CI Detective
+on:
+  workflow_run:
+    workflows: ["CI", "Build", "Test"]
+    types: [completed]
+
+permissions:
+  actions: read
+  contents: read
+  discussions: write
+  issues: write
+  pull-requests: write  # required by gh-aw compiler for add-comment (github/gh-aw#16673)
+
+jobs:
+  run:
+    if: >-
+      github.event.workflow_run.conclusion == 'failure' &&
+      toJSON(github.event.workflow_run.pull_requests) != '[]'
+    uses: elastic/ai-github-actions/.github/workflows/gh-aw-pr-ci-detective.lock.yml@v0
+    secrets:
+      COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}

gh-agent-workflows/pr-ci-fixer/README.md

@@ -0,0 +1,32 @@
+# PR CI Fixer
+
+Opt-in fixer for failed PR checks that can push safe, targeted changes.
+
+## Quick Install
+
+````bash
+mkdir -p .github/workflows && curl -sL \
+  https://raw.githubusercontent.com/elastic/ai-github-actions/v0/gh-agent-workflows/pr-ci-fixer/example.yml \
+  -o .github/workflows/pr-ci-fixer.yml
+````
+
+See [example.yml](example.yml) for the full workflow file.
+
+## Trigger
+
+| Event | Description |
+| --- | --- |
+| `workflow_dispatch` | Manual (requires a workflow run ID) |
+
+## Inputs
+
+| Input | Description | Required | Default |
+| --- | --- | --- | --- |
+| `workflow-run-id` | Failed workflow run ID to analyze | Yes | — |
+| `additional-instructions` | Repo-specific instructions appended to the agent prompt | No | `""` |
+| `setup-commands` | Shell commands run before the agent starts | No | `""` |
+
+## Safe Outputs
+
+- `add-comment` — post a comment explaining the failure (max 3)
+- `push-to-pull-request-branch` — push a fix to the PR branch

gh-agent-workflows/pr-ci-fixer/example.yml

@@ -0,0 +1,23 @@
+name: PR CI Fixer
+on:
+  workflow_dispatch:
+    inputs:
+      workflow-run-id:
+        description: "Failed workflow run ID to analyze"
+        required: true
+        type: string
+
+permissions:
+  actions: read
+  contents: write
+  discussions: write
+  issues: write
+  pull-requests: write  # required by gh-aw compiler for add-comment (github/gh-aw#16673)
+
+jobs:
+  run:
+    uses: elastic/ai-github-actions/.github/workflows/gh-aw-pr-ci-fixer.lock.yml@v0
+    with:
+      workflow-run-id: ${{ inputs.workflow-run-id }}
+    secrets:
+      COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}